Lecture 5, 8, 9 Flashcards
What is cryptography?
Cryptography is the practice of securing information by transforming it into an unreadable format to protect it from unauthorized access. It ensures data confidentiality, integrity, authentication, and non-repudiation using techniques like encryption, hashing, and digital signatures.
Mention three security goals that cryptography can protect
- Confidentiality – Ensures that only authorized users can access the data (e.g., encryption).
- Integrity – Ensures data is not altered during transmission or storage (e.g., hashing).
- Authentication – Confirms the identity of users or systems (e.g., digital signatures, certificates).
Discuss the difference between a public and a private key
Cryptography often uses asymmetric encryption, which relies on public and private key pairs.

| Public key | Private key |
| --- | --- |
| Can be shared openly | Must be kept secret |
| Used for encryption (in most cases) | Used for decryption (in most cases) |
| In RSA, used to encrypt a message | In RSA, used to decrypt a message |

Example - When visiting an HTTPS website, the public key encrypts data, and only the server with the private key can decrypt it.
Briefly discuss what you understand by a known plaintext attack
- A Known Plaintext Attack (KPA) is a cryptanalysis technique where an attacker has access to both the plaintext and its corresponding encrypted ciphertext. The attacker analyzes patterns to determine the encryption key or algorithm used.
- Example: If an attacker knows that “Hello” encrypts to “Xyz123”, they might use this to decrypt other messages using the same encryption method.
- KPA is less effective against modern encryption like AES but was a serious threat to older ciphers (e.g., Enigma).
What is the difference between stream and block ciphers?
Both are types of symmetric encryption, but they operate differently:

| Stream cipher | Block cipher |
| --- | --- |
| Encrypts data one bit or byte at a time | Encrypts data in fixed-size blocks (e.g., 128-bit) |
| Faster and more efficient for real-time communication | More secure and resistant to attacks |
| Used in Wi-Fi (WEP), real-time encryption | Used in banking, file encryption (AES-256) |

Discuss the concept of a digital certificate
A digital certificate is an electronic document issued by a Certificate Authority (CA) to verify the identity of an entity (e.g., website, organization, person). It ensures secure communication.
Contents of a Digital Certificate:
✔ Public key of the entity
✔ Entity’s identity (name, domain, etc.)
✔ Issuing CA’s digital signature
✔ Expiration date
🔹 Example Use Case:
Used in SSL/TLS certificates for secure websites (HTTPS).
Prevents man-in-the-middle attacks by verifying a website’s authenticity.
What are the properties of a hash function?
A hash function is a one-way function that converts input data into a fixed-length hash value.
✅ Deterministic: Same input always produces the same output.
✅ Pre-image Resistance: Cannot reverse-engineer the original input.
✅ Collision Resistance: No two different inputs should produce the same hash.
✅ Avalanche Effect: A small input change causes a large output change.
✅ Fast Computation: Should compute hashes efficiently.
What do you understand by Authenticated Encryption and Associated Data (AEAD)?
Authenticated Encryption with Associated Data (AEAD) is an encryption method that provides both confidentiality and integrity. It ensures that encrypted data has not been tampered with.
🔹 How It Works:
* Encrypts plaintext using a secure cipher (e.g., AES-GCM).
* Generates an authentication tag to verify data integrity.
* Allows associated data (e.g., headers) to be authenticated but not encrypted.
Discuss any three Internet security protocols for securing data on the Internet.
- Transport Layer Security (TLS) – TLS ensures secure communication over a network by encrypting data and authenticating parties. It is widely used in HTTPS for secure web browsing.
- Internet Protocol Security (IPSec) – IPSec secures network traffic at the IP layer through encryption and authentication, commonly used in VPNs.
- Secure/Multipurpose Internet Mail Extensions (S/MIME) – S/MIME provides encryption and digital signatures for email security, ensuring confidentiality and integrity.
What is envelope data in S/MIME?
Envelope data in S/MIME refers to encrypted email content and encryption keys. It consists of:
* The encrypted message body
* A session key encrypted with the recipient’s public key
This ensures that only the recipient with the corresponding private key can decrypt the message.
Discuss the architecture of a simplified S/MIME functional flow.
- Message Creation – The sender composes an email.
- Signing & Encryption – The email is digitally signed using the sender’s private key and encrypted with the recipient’s public key.
- Transmission – The email is sent over the network.
- Decryption & Verification – The recipient decrypts the message with their private key and verifies the sender’s signature using the sender’s public key.
Discuss the three main functions provided by the TLS protocol
- Encryption – Secures data transmission between client and server, preventing eavesdropping.
- Authentication – Uses digital certificates to verify the identity of parties in communication.
- Integrity – Ensures data is not altered during transmission using cryptographic hashing.
What are the applications of IPSec protocol?
- VPN Security – Provides encrypted and authenticated communication for virtual private networks.
- Secure Remote Access – Ensures secure connections between remote users and corporate networks.
- End-to-End Data Protection – Protects sensitive data by securing traffic at the IP layer.
- Firewall Protection – Enhances security by blocking unauthorized traffic.
What is Kerberos protocol? Discuss the function of a Kerberos server.
Kerberos is a network authentication protocol that uses tickets to enable secure authentication over an untrusted network.
Function of a Kerberos Server:
* Authentication Service (AS) – Verifies user credentials and issues a Ticket Granting Ticket (TGT).
* Ticket Granting Service (TGS) – Issues service tickets for accessing network resources.
* Key Distribution Center (KDC) – Manages encryption keys and tickets for secure communication.
What is a reference monitor?
A reference monitor is a security component that enforces access control policies by mediating all access requests between subjects (users, processes) and objects (files, resources). It must be:
* Tamper-proof – Cannot be modified by unauthorized entities.
* Always invoked – Mediates every access attempt.
* Small and verifiable – Should be simple enough for formal verification.
Mention examples of different access rights used in an information system.
- Read – Allows a user to view the contents of a file or resource.
- Write – Grants permission to modify or add content.
- Execute – Allows execution of a program or script.
- Delete – Enables the removal of a file or resource.
- Modify – A combination of read and write access.
- Full Control – Grants all possible permissions, including modifying access rights.
Describe an Access Control Matrix.
An Access Control Matrix is a tabular representation of access rights, where:
* Rows represent subjects (users, processes).
* Columns represent objects (files, databases, devices).
* Cells contain access rights defining what operations a subject can perform on an object.

| Subject/Object | File A | File B | Printer |
| --- | --- | --- | --- |
| User 1 | Read | Write | Print |
| User 2 | Write | - | Print |
| Admin | Full | Full | Full |

What are the disadvantages of Access Control Lists?
- Scalability Issues – As the number of users increases, ACLs become difficult to manage.
- Performance Overhead – Checking ACLs for every access request can slow down the system.
- Hard to Maintain – Updating access rights for multiple users requires modifying each object’s ACL individually.
- No Delegation of Rights – Users cannot easily transfer permissions without admin intervention.
Identify an application where it is advantageous to use a capability list.
Distributed Systems – Capability lists are useful in cloud computing or microservices architectures, where processes and services need to grant and revoke access dynamically without relying on a central authority.
* Example: A cloud-based file-sharing service like Google Drive, where capability-based URLs (links) grant temporary access to users without modifying the file’s ACL.
Discuss three examples of access control security models.
Discretionary Access Control (DAC)
* Users control access to their own resources.
* Example: File permissions in Windows & Linux (read, write, execute).
Mandatory Access Control (MAC)
* Access is controlled by a central authority based on security classifications.
* Example: Military or government systems where files are labeled as “Top Secret” and only authorized users can access them.
Role-Based Access Control (RBAC)
* Access is assigned based on organizational roles rather than individual users.
* Example: In a hospital system, doctors can access patient records while receptionists can only view appointment schedules.