Lesson 4 (Security basics & TLS) Flashcards
What does TLS stand for?
Transport Layer Security
Where is the TLS encryption used for?
Authorisation, Authentication, Confidentiality (information only for intented users), Integrety (information not changed)
At what layer position is TLS between: Application layer, TCP layer and IP layer?
Between Application and TCP
What is the new name for SSL?
TLS
What is HTTPS?
HTTPS is HTTP-within-SSL/TLS. SSL (TLS) establishes a secured, bidirectional tunnel for arbitrary binary data between two hosts.
How does HTTP run over HTTPS?
HTTPS is a tunnel/connection, which is encrypted. The HTTP traffic runs over this collection. Its also referred as SSL/TLS
At what layer position is TLS in network apps? Between Application, http and tcp
Between Application and HTTP.
Name 4 of commonly used programs which usually make use of a TLS connection/encryption
HTTPS (websites), VOIP, VPN and Email
What is the latest stable released version of TLS and in what year?
TLS 1.2, in 2008.
What is the new upcoming version of TLS?
1.3
What is a cipher suite?
Is a named combination os authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings for a SSL/TLS connection.
Name some examples of Authentication encryption algorithms
RSA, DSA, ECDSA
Name some examples of key exchange algorithms
RSA, Diffie-Hellman, ECDH, SRP, PSK
Name some examples of bulk encryption algorithms
RC4, Triple DES, AES, IDEA, DES, or Camellia. In older versions of SSL, RC2 was also used.
Name some examples of message authentication code algorithms
for TLS, a Hash-based Message Authentication Code using MD5 or one of the SHA hash functions is used. For SSL, SHA, MD5, MD4, and MD2 are used.
In which type of encryption algorithms is the encryption key the same as the decryption key?
In Symmetric key cyptography like AES. Its a key used to encrypt AND decrypt data, with this specific key.
What is the most common used algorithm for public and private key pairs?
RSA. Named after researchers: Rivest, Shamir and Adleman
Hows does RSA work with public-private key encryption?
Data gets encrypted with the public key. The encrypted data can only be decrypted by using the private key AND the public key.
What standard certificates are used for TLS?
X509 certificates
How are certificates checked?
They can be checked on domain and organization level. The company that provides the certificate and the browsers have a database of trusted sites.
What three levels of CA trustchains are there (above an implemented certificate on a website)
First the ROOT CA of the origanization. Then the Intermediate CA and finally the Leaf CA. Then comes the real end certificates for domains.
What types of Hash methods are there?
SHA1 to SHA3 and MD5.
Wat are vonurabilities of hash functions?
You can predict the outcome, because the hash value can be the same. Which could also result in a collision.
What is a man in the middle (attack) ?
They can manipulate encrypted data by replacing hash functions/value or certificate verifiying
Where can hash functions be used for?
For encrypting passwords (one way), checking unique files or to generate random data.
What is the difference between HASH and MAC?
Hashes are used to garantuee the integrity of data. MAC garuantees the integrety and authetication as well, because MAC is generated using a KEY (apart from the value)
How is it possible to verify a certificate?
By decrypting the certs signature with the public key of the issuer. Then generate the MD5 hash of the certificate and check the outcome of both.
Where is the record protocol used for?
Encryption and data integrity. As a part of the TLS/SSL connection.
How can you harden your Glassfish server with safety stuff?
realms, groups and roles for proper rights. Or by adding security constraints/allowance annotation tag in the code.
JaxRS: Jersery oauth libs, role annotation and security context interface.
Where are the symmetric keys generated that are used to encrypt/decrypt data over TLS/SSL?
In the handshake protocol before this.
What is the diff between Authentication and Authoriation?
Authentication is to verify the user. Authorization is tocheck if the user has the proper rights to do something.
What is message integrity?
Reliable data, which is not just randomly encrypted, but by a key which only a original user could have for example.
Which key is included in a digital certificate?
public key
Private and public key are not asymmetric because?
They are not the same, you need them both separately to decrypt the data.
What are the 3 most common errors made when it comes to checking certificates in mobile apps?
Dont verify host names. Ignore ssl errors and dont check the server certificates.
How does a CA (Certificate Authority) certificate work with verifying your cert?
The whole thing is signed by a trusted authority. The trusted authority, aka certificate authority (CA) also has a private/public key pair. You give them your certificate, they verify that the information in the container are correct and sign it by their private key, only they have access to.
The public key of the CA is installed on the user system by default, most well known CAs are included already in the default installation of your favorite OS or browser.
When now a user connects to your server, your server uses the private key to sign some data, packs that signed data together with its public key and sends everything to the client.
