Network and Computer Security Flashcards
What does CIA stand for?
Confidentiality
Integrity
Availability
Define Identification
Associating an identity with a subject
Define Authentication
Verifying the validity of something
Define Authorization
Granting (or denying) the right or permission of a system entity to access an object
Define Access Control
Controlling the access of system entities (on behalf of subjects) to objects based on an access control policy
What are four widely used mechanisms for authentication?
- Something you know - Password/PIN
- Something you have - Smart card or one-time password
- Something you are - Biometric Characteristics/Facial Scan/Photograph
- Location
What do good systems include?
Allow for passwords and validate passwords securely
How to access systems securely that require a password
Allow passwords of arbitrary length
Store passwords hashed
Define Social Engineering
Tricking people into giving up private information or doing things they shouldn’t, usually by pretending to be someone they trust.
Define a Soft Token
A one-time use password
What is a bad example of a Hard Token?
UniCard as it could easily be duplicated
What is a Biometric Scan?
Uses characteristics of your body
- Fingerprint
- Retina scan
- Face scan
To authenticate your identity
What do Typical Access Control models focus on?
Authorization
- Specification of who is allowed to do what
- How to update/change permissions
Give an example of a simple access control model.
AC = Subject x Object x Request
List 4 key factors of access control models.
- Often depend on system state
- Subjects and permissions change over time
- Access rights might require completion of certain tasks or conditions
- Prone to implementation and configuration mistakes (bugs)
What does a security policy do?
Defines what is allowed (and/or forbidden)
- It is comparable to a set of laws
- Defined in terms of rules and/or requirements
What is a security model?
A framework that defines rules and guidelines for protecting data and resources in a system.
It helps ensure confidentiality, integrity, and availability by describing how users, processes, and systems interact securely. Examples include Bell-LaPadula.
What is a Role-based Access Control used for?
- Create roles for job functions in enterprises
- Assign users to roles
- Assign a set of permissions for each role
How is a RBAC formalized?
- A set ROLES
- A set USERS
- A relation UA ⊂ USER x ROLES
- A relation PA ⊂ ROLES x PERMISSION
What are key factors of a RBAC when it comes to changing/removing roles?
It is uncommon to add/remove roles in organizations - they are more static
If people leave/change roles only one smaller, simpler table/relationship to update
- Employees leaving the company are much more in focus - don’t want them having permissions
What should be considered in a simple RBAC?
- Role Hierarchies
- Who can change permission
- Context information
- User switching roles
What do most practical RBAC applications use?
Extended/modified versions
- Role hierarchies
- Access control constraints (attributes)
What is widely used with RBAC?
XACML (attribute-based access control, very flexible)
What is a Hierarchical RBAC?
Extends RBAC with role hierarchy:
- A relation RH ⊂ ROLES x ROLES
- Describing the role hierarchy
What is Mandatory Access Control (MAC)?
Controls access to resources based on predefined policies.
Access is determined by a central authority, not by the owner or user of the data.
Used often in government or military systems.
How does MAC work?
Specifies system-wide access restriction to objects
- Mandatory because subjects may not transfer their access rights
- Shift power from users to system owner
What are the 4 security clearance levels?
Top secret
- Comprehensive background check, highly-trusted individual
Secret
- Routine background check, trusted individual
Confidential/Sensitive
- No background check. Limited distribution, minimally trusted individuals
Unclassified
- Unlimited distribution and untrusted individuals
Define a compartment
A way to divide resources, data and systems into separate groups to control access and limit exposure to risks.
Each compartment has its own sets of rules, permissions and protections.
Define a partially ordered set
A set that is: Reflexive, Transitive, Anti-symmetric
What is a Reflexive set?
A reflexive set is a set in which every element is related to itself under a given relation.
What is a Transitive set?
A transitive set is a set where everything inside the set also has all of its “parts” included in the set.
(If a→b and b→c then a→c)
What is an Anti-symmetric set?
An antisymmetric relation means that if two things are related in both directions, they must actually be the same thing.
What is a Lattice?
A mathematical structure used to model relationships between security levels, access controls, or permissions.
Why use Lattices?
Recall all pairs of lattice elements have a least upper bound and a greatest lower bound
If labels form a lattice, we can uniquely answer questions like:
Given 2 objects with different labels, what is the minimal label a subject requires to be allowed to read both objects?
Given 2 subjects with different labels, what is the maximal label an object can have that can still be read by both subjects?
Well-suited for need-to-know policies, where each subject is assigned a label reflecting least privilege required for this function.
What is the Bell-LaPadula Model (BLP)?
A security model used to protect classified information and control access to it. Considers cross-level communication where subjects may interact below their level of clearance.
Main insight: prohibiting write-down is essential for confidentiality as otherwise information can effectively be reclassified.
Conclude the BLP model.
No information leakage possible (if implementation is secure)
Prevents “legitimate” communication from high-level subjects to low-level ones.
What is the Discretionary Access Control (DAC)?
Owners can change permissions
What is the Break-Glass Access Control?
Allows overriding the access control in “emergencies”
What is Usage Control?
Controlling the use of documents
For example:
- You aren’t allowed to share files but you can use them yourself
- You can watch a film 3 times in the next 2 weeks
What are 2 techniques used for usage control/DRM?
Watermarking
Monitoring
What are the Usage Control challenges and open questions?
Technical - how to implement usage control in an open environment
Ethical - The right to read
How does the Bell-LaPadula Model (BLP) work?
No Read Up - A user cannot read information that is classified higher than their clearance
No Write Down - A user cannot write information to a lower security level
What is Cryptography, Steganography and Cryptanalysis in simple terms?
Cryptography - Secret Writing
Steganography - Concealed Writing
Cryptanalysis - Secret Analysis
What is the main difference between Symmetric and Asymmetric Encryption?
Symmetric Encryption - Same key is used to encrypt/decrypt
Asymmetric Encryption - Different keys used to encrypt/decrypt (a public and private key)
Define a Bijection
One-to-one relationship between items in sets
What is a Code-book?
A guide that explains how data or information is encoded or translated. It lists codes and their corresponding meanings or values, helping to decode or interpret the data
What is a Mono-Alphabetic Cipher?
Each letter in the plaintext is replaced with a different one, but the substitution pattern stays the same throughout the message.
What is some key information about the Mono-Alphabetic Cipher?
Key-length: 26 letters
Key Space: total number of possible keys - 26!
What is true about the security of Substitution Ciphers?
- Brute-forcing a key is difficult
- Trivial to crack using frequency analysis
What is a Polyalphabetic Cipher?
A polyalphabetic cipher is a type of cipher where each letter in the plaintext can be encrypted using different alphabets at different points in the message. This means that the same letter may be replaced by different letters at different times.
What is a One-Time Pad (OTP)?
Uses a random key that is the same length as the message; each bit is encrypted with the corresponding pad using XOR
What is a Transposition (Permutation) Cipher?
Where the positions of the letters in the plaintext are rearranged according to a specific system, but the actual letters themselves remain unchanged.
What is a Composite Cipher?
Combines two or more encryption methods, such as substitution and transposition, to make the encryption stronger and harder to break.
What is a Feistel Cipher?
Splits data into two halves and repeatedly applies a series of operations, where one half is transformed using a function and then combined with the other half. The halves are swapped after each round. This process is repeated several times, creating strong encryption. The key idea is that decryption works by reversing the steps with the same key.
What is the Data Encryption Standard (DES)?
- First cryptographic standard
- 16 round Feistel cipher and key-scheduler
- A block cipher, encrypting 64-bit blocks
- Was extended to triple-DES to overcome key length problem
- Now replaced by AES
What is the security of DES?
Main attack: exhaustive search
- took 7 hours with $1M pc (1993)
- took 7 days with $10,000 FPGA-based machine (2006)
No mathematical attacks (but reduced key space from 2^56 to 2^43)
No known attacks on triple DES
Define a One way function
Easy to compute in one direction but difficult (or practically impossible) to reverse
Define a Trapdoor One-Way function?
Easy to compute in one direction but extremely difficult to reverse unless you have special information
What is RSA?
Expanded the public-key encryption concept into an encryption system
What does RSA depend on?
RSA depends on the difficulty of factoring large prime numbers
- Breaking down a prime into its factors (because factoring numbers over 2048 bits is computationally infeasible)
What is congruent modulo n?
Two numbers are congruent modulo n if they have the same remainder when divided by n
(for example 10 and 7 are congruent modulo 3, as 10 mod 3 = 7 mod 3 = 1)
What is GCD?
GCD of 2 numbers is the greatest common divisor
What is Relatively (Co-) Prime?
Two numbers are relatively prime if their gcd is 1 (don’t share any factors except 1)
What is Multiplicative Inverse?
The multiplicative inverse of a number is a value that, when multiplied by original number, results in 1.
What are the steps on Key Generation in RSA?
- Find two (pretty large) prime numbers p & q
- Compute n & Φ(n)
- Choose public key (e)
- Compute (d)
What is the symbol for Euler Quotient?
Φ(n)
What is Euler’s Quotient?
A way of evaluating the performance or efficiency of an algorithm, particularly in the context of computational complexity.
It can be understood as the ratio of the actual performance of an algorithm to its theoretical performance.
In Key management, what can be used for the maximum number of keys among a group on N users?
N ( N - 1) / 2
In Asymmetric Cryptography what are the public and private key used for?
Public - encryption
Private - decryption
What is a digital signature used for?
Proving Identity
What is the use of MDC?
Modification Detection Code provides a checkable fingerprint
(also known as hash, message digest, MAC, MDC, fingerprint)
What are the key details of a Hash Function?
Used to check if data has been altered; does not encrypt the data
Hashing is a pure one-way function
Generates a unique hash for a piece of data
- changing the data, changes the hash
What are two properties of a Hash Function h(x)?
- Compression: h maps an input x of an arbitrary bit length to an output h(x) of fixed bit length n
- Polynomial time computable
When is a Hash Function cryptographic?
If it is additionally:
- One way (Pre-image Resistance)
- And usually either:
- 2nd Pre-image Resistance
- Collision Resistance
What is One way (Pre-image Resistance) on a Hash Function?
Given a hash output y=h(x), it is computationally hard to find the original input x
What is 2nd Pre-image Resistance on a Hash Function?
Given an input x, it is computationally infeasible to find another x’ (x != x’) such that both inputs produce the same hash output -> h(x) = h(x’) (it's very hard to find another input that produces the same output hash)
What is Collision Resistance on a Hash Function?
It is difficult to find any two distinct inputs x and x’, such that h(x) = h(x’)
How could you construct Cryptographic Hashes?
Block Chaining techniques can be used:
- Divide message M into fixed size blocks b1,…bn
- Use symmetric encryption algorithm (such as DES)
What is the Application of Hashing Passwords?
Instead of storing passwords in plaintext, we store only its cryptographic hash:
- For password p, store h(p) in password file
- Requires only pre-image resistance
What is the purpose of a cryptographic hash function?
To provide data integrity
How is symmetric encryption different from a cryptographic hash function?
Symmetric encryption is reversible, while hash functions are not
Which algorithm is used to provide confidentiality, not integrity?
AES (Advanced Encryption Standard)
Which of the following is NOT a use case for hash functions?
1. Verifying data integrity
2. Password hashing for secure storage
3. Securing communication between two parties
4. Digital signatures for message verification
- Securing communication between two parties
What is Public Key Infrastructure (PKI) used for?
To know if the private/public key pair belongs to the right person