Lesson 4 (Security basics & TLS)

Question 1

What does TLS stand for?

Answer 1

Transport Layer Security

Question 2

Where is the TLS encryption used for?

Answer 2

Authorisation, Authentication, Confidentiality (information only for intented users), Integrety (information not changed)

Question 3

At what layer position is TLS between: Application layer, TCP layer and IP layer?

Answer 3

Between Application and TCP

Question 4

What is the new name for SSL?

Answer 4

TLS

Question 5

What is HTTPS?

Answer 5

HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts.

Question 6

How does HTTP run over HTTPS?

Answer 6

HTTPS is a tunnel/connection, which is encrypted. The HTTP traffic runs over this collection. Its also referred as SSL/TLS

Question 7

At what layer position is TLS in network apps? Between Application, http and tcp

Answer 7

Between Application and HTTP.

Question 8

Name 4 of commonly used programs which usually make use of a TLS connection/encryption

Answer 8

HTTPS (websites), VOIP, VPN and Email

Question 9

What is the latest stable released version of TLS and in what year?

Answer 9

TLS 1.2, in 2008.

Question 10

What is the new upcoming version of TLS?

Answer 10

1.3

Question 11

What is a cipher suite?

Answer 11

Is a named combination os authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a SSL/TLS connection.

Question 12

Name some examples of Authentication encryption algorithms

Answer 12

RSA, DSA, ECDSA

Question 13

Name some examples of key exchange algorithms

Answer 13

RSA, Diffie-Hellman, ECDH, SRP, PSK

Question 14

Name some examples of bulk encryption algorithms

Answer 14

RC4, Triple DES, AES, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used.

Question 15

Name some examples of message authentication code algorithms

Answer 15

for TLS, a Hash-based Message Authentication Code using MD5 or one of the SHA hash functions is used. For SSL, SHA, MD5, MD4, and MD2 are used.

Question 16

In which type of encryption algorithms is the encryption key the same as the decryption key?

Answer 16

In Symmetric key cyptography like AES. Its a key used to encrypt AND decrypt data, with this specific key.

Question 17

What is the most common used algorithm for public and private key pairs?

Answer 17

RSA. Named after researchers: Rivest, Shamir and Adleman

Question 18

Hows does RSA work with public-private key encryption?

Answer 18

Data gets encrypted with the public key. The encrypted data can only be decrypted by using the private key AND the public key.

Question 19

What standard certificates are used for TLS?

Answer 19

X509 certificates

Question 20

How are certificates checked?

Answer 20

They can be checked on domain and organization level. The company that provides the certificate and the browsers have a database of trusted sites.

Question 21

What three levels of CA trustchains are there (above an implemented certificate on a website)

Answer 21

First the ROOT CA of the origanization. Then the Intermediate CA and finally the Leaf CA. Then comes the real end certificates for domains.

Question 22

What types of Hash methods are there?

Answer 22

SHA1 to SHA3 and MD5.

Question 23

Wat are vonurabilities of hash functions?

Answer 23

You can predict the outcome, because the hash value can be the same. Which could also result in a collision.

Question 24

What is a man in the middle (attack) ?

Answer 24

They can manipulate encrypted data by replacing hash functions/value or certificate verifiying

Question 25

Where can hash functions be used for?

Answer 25

For encrypting passwords (one way), checking unique files or to generate random data.

Question 26

What is the difference between HASH and MAC?

Answer 26

Hashes are used to garantuee the integrity of data. MAC garuantees the integrety and authetication as well, because MAC is generated using a KEY (apart from the value)

Question 27

How is it possible to verify a certificate?

Answer 27

By decrypting the certs signature with the public key of the issuer. Then generate the MD5 hash of the certificate and check the outcome of both.

Question 28

Where is the record protocol used for?

Answer 28

Encryption and data integrity. As a part of the TLS/SSL connection.

Question 29

How can you harden your Glassfish server with safety stuff?

Answer 29

realms, groups and roles for proper rights. Or by adding security constraints/allowance annotation tag in the code.
JaxRS: Jersery oauth libs, role annotation and security context interface.

Question 30

Where are the symmetric keys generated that are used to encrypt/decrypt data over TLS/SSL?

Answer 30

In the handshake protocol before this.

Question 31

What is the diff between Authentication and Authoriation?

Answer 31

Authentication is to verify the user. Authorization is tocheck if the user has the proper rights to do something.

Question 32

What is message integrity?

Answer 32

Reliable data, which is not just randomly encrypted, but by a key which only a original user could have for example.

Question 33

Which key is included in a digital certificate?

Answer 33

public key

Question 34

Private and public key are not asymmetric because?

Answer 34

They are not the same, you need them both separately to decrypt the data.

Question 35

What are the 3 most common errors made when it comes to checking certificates in mobile apps?

Answer 35

Dont verify host names. Ignore ssl errors and dont check the server certificates.

Question 36

How does a CA (Certificate Authority) certificate work with verifying your cert?

Answer 36

The whole thing is signed by a trusted authority. The trusted authority, aka certificate authority (CA) also has a private/public key pair. You give them your certificate, they verify that the information in the container are correct and sign it by their private key, only they have access to.

The public key of the CA is installed on the user system by default, most well known CAs are included already in the default installation of your favorite OS or browser.

When now a user connects to your server, your server uses the private key to sign some data, packs that signed data together with its public key and sends everything to the client.