Chapter 3 - Secure Software Design Flashcards
What causes the majority of software security issues?
Insecure or incomplete design.
What methods can be used for attack surface evaluation?
Threat models and misuse case modeling
What are the benefits to designing security into software?
- Resiliency and recoverability
- Quality, maintainability, less prone to errors
- Minimal redesign and consistency
- Addressed business logic flaws
What is a business logic flaw?
A flaw where the software is operating as designed, but the design itself makes circumventing the security policy possible.
What is the difference between a flaw and a bug?
Flaws are design or architectural defects. Coding or implementation constructs that can cause a breach in security are bugs.
What is a semantic issue?
A logic flaw.
What are the core security elements?
Confidentiality, Integrity, Availability, Authentication, Authorization, and Auditing.
What are the types of cryptography?
Covert and Overt
What are the types of covert cryptography?
Steganography and digital watermarking
What are the types of overt cryptography?
Hashing and encryption
What are the types of encryption?
Symmetric and asymmetric
What is “work factor”?
In cryptanalysis, the amount of work required to defeat an algorithm.
What is the only provably unbreakable encryption?
The one-time pad
Describe symmetric encryption
It’s characterized by using a single key for encryption and decryption that must be shared between the sender and receiver.
What is the benefit of symmetric key encryption?
It’s fast and efficient.
What are the challenges to symmetric key encryption?
- Key exchange and management require a secure, out-of-band mechanism.
- Scalability. Need a unique key for each pair of sender/recipient
- No nonrepudiation
What kind of algorithm is RC-2?
Symmetric
What kind of algorithm is RC-4?
Symmetric
What kind of algorithm is RC-5?
Symmetric
What is the key size of DES?
56 bits
What is the key size of Skipjack?
80 bits
What is the key size of IDEA?
128 bits
What is the key size of Blowfish?
128 bits
What is the key size of 3DES?
168 bits
What is the key size of Twofish?
256 bits
What is the key size of RC6?
256 bits
What is the key size of AES/Rijndael?
256 bits
What other term is used for nonrepudiation protection?
Proof-of-origin protection
What advantages does public key crypto have?
- Key exchange is easier.
- Scalability. Each user only needs 2 keys (public/private)
- Addresses nonrepudiation
What is the disadvantage of public key crypto?
It’s computationally intensive, so slower.
List common public key crypto algorithms.
RSA
El Gamal
Diffie-Hellman
Elliptic Curve Cryptosystem
What is Elliptic Curve Cryptosystem ideal for?
Small hardware devices such as smart cards and mobile devices.
What does a digital certificate include?
Public keys, algorithm information, owner and subject data, digital signature of the CA, and a validity date range.
What are the types of digital certificates?
Personal
Server
Software publisher
What should you use when copyright and IP protection are an issue?
Digital watermarking
What should you use if data confidentiality in processing, transit, storage, and archiving need to be assured?
Hashing or encryption.
What features can be used to assure integrity?
Hashing
Referential integrity
Resource locking
Code signing
What is a message digest (according to the book)?
The original message and its hash value.
What is collision free or collision resistance?
A property of hash functions where it is computationally infeasible to find two inputs that hash to the same value.
What does salting a hash do (according to the book)?
Improve collision resistance