Exam 1 Flashcards

1
Q

Security Attack

A

Any action that compromises the security of information

2
Q

Security Mechanism

A

A mechanism that is designed to detect, prevent, or recover from a security attack

3
Q

Security Service

A

A service that enhances the security of data processing systems and information transfers. A security service makes use of one or more security mechanisms

4
Q

What are some examples of Passive Threats?

A
  • Release of message content
  • Traffic analysis

5
Q

What are some examples of Active Threats?

A
  • Masquerade
  • Replay
  • Modification of message contents
  • Denial of service
6
Q

Name some security services

A
  • Confidentiality (privacy)
  • Authentication (who created or sent the data)
  • Integrity (has not been altered)
  • Non-repudiation (the order is final)
  • Access control (prevent misuse of resources)
  • Availability (permanence, non-erasure)
    • Denial of service attack
    • Virus that deletes files
7
Q

Methods of Defense

A
  • Encryption
  • Software controls (access limitations in a database; in an operating system, protecting each user from other users)
  • Hardware Controls (smartcard)
  • Policies (frequent changes of passwords)
  • Physical Controls
8
Q

What are Specific Security Mechanisms?

A
  • May be incorporated into the appropriate protocol layer in order to provide some of the OSI security services
  • Encipherment
  • Digital Signature
  • Access Control
  • Data Integrity
  • Authentication Exchange
  • Traffic Padding
  • Routing Control
  • Notarization
9
Q

Encipherment

A

The use of mathematical algorithms to transform data into a form that is not readily intelligible. The transformation and subsequent recovery of the data depend on an algorithm and zero or more encryption keys.

10
Q

Digital Signature

A

Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of that data unit and protect against forgery (e.g., by the recipient)

11
Q

Access Control

A

A variety of mechanisms that enforce access rights to resources.

12
Q

Data Integrity

A

A variety of mechanisms used to assure the integrity of a data unit or stream of data units.

13
Q

Authentication Exchange

A

A mechanism intended to ensure the identity of an entity by means of information exchange

14
Q

Traffic Padding

A

The insertion of bits into gaps in a data stream to frustrate traffic analysis attempts

15
Q

Routing Control

A

Enables selection of particular physically secure routes for certain data and allows routing changes, especially when a breach of security is suspected

16
Q

Notarization

A

The use of a trusted third party to assure certain properties of a data exchange

17
Q

Conventional Encryption Principles

A
  • An encryption scheme has five ingredients:
    • Plaintext
    • Encryption algorithm
    • Secret Key
    • Ciphertext
    • Decryption algorithm
  • Security depends on the secrecy of the key, not the secrecy of the algorithm
18
Q

Cryptography

A
  • Classified along three independent dimensions:
    • The type of operations used for transforming plaintext to ciphertext
      • Substitution: Each element (bit, letter) in the plaintext is mapped to another element (e.g., B -> F)
      • Transposition: Elements in the plaintext are re-arranged (change locations)
    • The number of keys used
      • Symmetric (single key)
      • Asymmetric (two keys, or public-key encryption)
    • The way in which the plaintext is processed
      • One block at a time - block cipher
      • Element by element, continuously - stream cipher
19
Q

Feistel Cipher Structure: Block Size

A

Larger block size means greater security

20
Q

Feistel Cipher Structure: Key Size

A

Larger key size means greater security

21
Q

Feistel Cipher Structure: Number of Rounds

A

Multiple rounds offer increasing security

22
Q

Feistel Cipher Structure: Subkey Generation Algorithm

A

Greater complexity will lead to greater difficulty of cryptanalysis

23
Q

Feistel Cipher Structure: Fast Software Encryption/Decryption

A

The speed of the execution of the algorithm becomes a concern

24
Q

XOR

A

0 XOR 0 = 0
0 XOR 1 = 1
1 XOR 0 = 1
1 XOR 1 = 0

25
DES
  • Data Encryption Standard
  • Block cipher
  • Plaintext is processed in 64-bit blocks
  • The key is 56 bits in length
  • When following the Feistel structure it is 16 rounds
26
DES Process
  • L[i] = R[i-1]
  • R[i] = L[i-1] XOR F(R[i-1], K[i])
27
Cipher Block Chaining (CBC) Mode
  • Message is divided into several blocks
  • The input to the encryption algorithm is the XOR of the current plaintext block and the preceding ciphertext block
  • Repeating patterns of 64 bits are not exposed
  • Make sure to include equations and diagram on cheat sheet
28
Location of Encryption Devices
  • Link encryption
  • End-to-end encryption
  • High Security
29
Link Encryption
  • A lot of encryption devices
  • High level of security
  • Decrypt each packet at every switch
30
End-to-End Encryption
  • The source encrypts and the receiver decrypts
  • Payload encrypted
  • Header in the clear
31
High Security
Both link and end-to-end encryption are needed
32
Authentication - Requirements
Must be able to verify that:
  • Message came from apparent source or author
  • Contents have not been altered
  • Sometimes, it was sent at a certain time or sequence
  • Offer protection against active attack (falsification of data or transactions)
33
Approaches to Message Authentication - Authentication Using Conventional Encryption
Only the sender and receiver should know the shared key
34
Approaches to Message Authentication - Message Authentication without Message Encryption
An authentication tag is generated and appended to each message (e.g., hash without encryption)
35
Approaches to Message Authentication - Message Authentication Code (MAC)
  • Calculate the MAC as a function of the message and the key: MAC = F(K, M)
36
Properties of a Secure HASH Function
To produce a "fingerprint"
37
Properties of a Secure HASH Function H
  • H can be applied to any block of data of any size
  • H produces a fixed-length output
  • H(x) is easy to compute for any given x
  • For any given h, it is computationally infeasible to find x such that H(x) = h (one-way property)
  • For any given x, it is computationally infeasible to find y not equal to x with H(y) = H(x) (weak collision property)
  • It is computationally infeasible to find any pair (x, y) such that H(x) = H(y) (strong collision property)
38
SHA-1 Steps
1. Append padding bits - the length is 64 bits less than a multiple of 512 bits
2. Append message length field (64 bits) - the total length is L x 512 bits
3. Initialize message digest (MD) buffer - a 160-bit buffer is used to hold intermediate and final results of the hash function. The buffer can be represented as five 32-bit registers (A, B, C, D, E), which are initialized to some constant (32-bit integers)
4. Process message in 512-bit blocks. The heart of the algorithm is a module, the compression function, that consists of four rounds of processing, and each round has 20 steps.
39
HMAC (Hash MAC)
  • Instead of using encryption algorithms, one may develop a MAC derived from a hash function, such as SHA-1
  • A hash function was not designed for use as a MAC and cannot be used directly to create a MAC since it does not rely on a secret key
  • HMAC was proposed, which can create a MAC using a hash function and a secret key
  • HMAC has been used in IP-Security, SSL/TLS, etc.
40
HMAC Motivations
  • Faster in software than encryption algorithms such as DES
  • Library code for hash functions is widely available
  • No export restrictions on hash functions from the US
41
HMAC Design Objectives
  • To use available hash functions
  • To allow for easy replaceability of the embedded hash function
  • To preserve the original performance of the hash function
  • To use and handle keys in a simple way
  • To have a well-understood cryptographic analysis of the strength of the authorization mechanism
42
Categories of Applications for Public-Key Cryptosystems
  • Encryption/decryption: The sender encrypts a message with the recipient's public key
  • Digital Signature: The sender "signs" a message with its private key
  • Key Exchange: Two sides cooperate to exchange a session key
43
RSA Encryption Overview
  • Plaintext: M < n
  • Ciphertext: C = M^e (mod n)
44
RSA Decryption Overview
  • Ciphertext: C
  • Plaintext: M = C^d (mod n) = M^(ed) (mod n)
45
Requirements for KERBEROS
  • Secure: An eavesdropper should not be able to obtain the necessary information to impersonate a user
  • Reliable: Kerberos should be highly reliable and should employ a distributed architecture
    • When the Kerberos system itself is under attack, it can still provide authentication service
  • Transparent: Ideally, the user should not be aware that authentication is taking place
  • Scalable: The system should be capable of supporting a large number of clients and servers
46
KERBEROS Realm Requirements
  • A server
  • A number of clients
  • A few application servers
47
Purpose of X.509
X.509 defines a framework (certificate structure) for authentication services by the X.500 directory to its users
  • The directory may serve as a database of public-key certificates
  • Each certificate contains the public key of a user and is signed with the private key of a trusted Certificate Authority (CA)
  • The heart of X.509 is the public-key certificate associated with each user