Network and Computer Security Flashcards

You may prefer our related Brainscape-certified flashcards:
1
Q
A

Confidentiality
Integrity
Availability

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
2
Q

Define Identification

A

Associating an indentity with a subject

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
3
Q

Define Authentication

A

Verifying the validity of something

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
4
Q

Define Authorization

A

Granting (or denying) the right or permission of a system entity to access an object

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
5
Q

Define Access Control

A

Controlling the access of system entities (on behalf of subjects) to objects based on an access control policy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
6
Q

What are four widely used mechanisms for authentication?

A
  1. Something you know - Password/PIN
  2. Something you have - Smart card or one-time password
  3. Something you are - Biometric Characteristics/Facial Scan/Photograph
  4. Location
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
7
Q

What do good systems include?

A

Allow for passwords and validate passwords securely
How to access systems securely that require a password
Allow passwords of arbitrary length
Store passwords hashed

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
8
Q

Define Social Engineering

A

Tricking people into giving up private information or doing things they shouldn’t, usually by pretending to be someone they trust.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
9
Q

Define a Soft Token

A

A one-time use password

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
10
Q

What is a bad example of a Hard Token?

A

UniCard as it could easily be duplicated

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
11
Q

What is a Biometric Scan?

A

Uses characteristics of your body
- Fingerprint
- Retina scan
- Face scan
To authenticate your identity

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
12
Q

What do Typical Access Control models focus on?

A

Authorization
- Specification of who is allowed to do what
- How to update/change permissions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
13
Q

Give an example of a simple access control model.

A

AC = Subject x Object x Request

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
14
Q

List 4 key factors of access control models.

A
  1. Often depend on system state
  2. Subjects and permissionsd change over time
  3. Access rights might require the fulfillment of obligations
  4. They are prone to implementation and configuration mistakes (bugs)
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
15
Q

What does a security policy do?

A

Defines what is allowed (and/or forbidden)
- It is analogous to a set of laws
- Defined in terms of rules and/or requirements

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
16
Q

What is a security model?

A

A representation of a class of systems (and their behaviour)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
17
Q

What is a Role-based Access Control used for?

A
  • Create roles for job functions in enterprises
  • Assign users to roles
  • Assign a et of permissions for each role
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
18
Q

How is a RBAC formalized?

A
  • A set ROLES
  • A set USERS
  • A relation UA ⊂ USER x ROLES
  • A relation PA ⊂ ROLES x PERMISSION
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
19
Q

What are key factors of a RBAC when it comes to changing/removing roles?

A

It uncommon to add/remove roles in organizations - they are more static
If people leave/change roles only one smaller, simpler table/relationship to update

  • Employees leaving the company are much more in focus - don’t want them having permissions
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
20
Q

What should be considered in a simple RBAC

A
  • Role Hierarchies
  • Who can change permission
  • Context information
  • User switching roles
How well did you know this?
1
Not at all
2
3
4
5
Perfectly
21
Q

What do most pratical RBAC applications use?

A

Extended/modified versions
- Role hierarchies
- Access control constraints (attributes)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
22
Q

What is widely used with RBAC?

A

XACML (attribute-based access control, very flexible)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
23
Q

What is a Hierarchical RBAC?

A

Extends RBAC with role hierarchy:
- A relation RH ⊂ ROLES x ROLES
- Describing the role hierarchy

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
24
Q

What is Mandatory Access Control (MAC)?

A

AC descisions formalized by comparing security labels indicating sensitivity/critically of objects, with formal authorization - security clearances of subjects

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
25
Q

How does MAC work?

A

Specifies system-wide access restriction to objects
- Mandatory because subjects may not ransfer their access rights
- Shift power from users to system owner

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
26
Q

What are the 4 security clearance levels?

A

Top secret
- Comprehensive backgrounc check, highly-trusted individual

Secret
- Routine background check, trust individual

Confidential/Sensitive
- No background check. Limited distribution, minimally trusted individuals

Unclassified
- Unlimited distribution and untrusted individuals

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
27
Q

Define a compartment

A

A compartment (or category) specifies a domain for a need-to-know policy

They are critical in complex coalitions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
28
Q

Define a partially ordered set

A

A set that is: Reflexive, Transitive, Anti-symmetric

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
29
Q

What is a Reflexive set?

A

A reflexive set is a set in which every element is related to itself under a given relation.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
30
Q

What is a Transitive set?

A

A transitive set is a set where everything inside the set also has all of its “parts” included in the set.

(If a→b and b→c then a→c)

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
31
Q

What is an Anti-symmetric set?

A

An antisymmetric relation means that if two things are related in both directions, they must actually be the same thing.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
32
Q

What is a Lattice?

A

A mathematical structure used to model relationships between security levels, access controls, or permissions.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
33
Q

Why use Lattices?

A

Recall all pairs of lattice elements have a least upper bound and a greatest lower bound

If labels form a lattice, we can uniquely answer questions like:

Given 2 objects with different labels, what is the minimal label a subject requires to be allowed to read both objects?

Given 2 subjects with different labels, what is the maximal label an object can have that can still be read by both subjects?

Well-suited for need-to-know policies, where each subject is assigned a label reflecting least privilege required for this function.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
34
Q

What is the Bell-LaPadula Model (BLP) ?

A

A security model used to protect classified information and control access to it. Considers cross-level communication where subjects may interact below their level of clearance

Main insight: prohibiting write-down is essential for confidentiality as otherwise information can effectively be reclassified.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
35
Q

Conclude the BLP model.

A

No information leakage possible (if implementation is secure)

Prevents “legitimate” communication from high-level subjects to low-level ones.

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
36
Q

What is the Discretionary Access Control (DAC)?

A

Owners can change permissions

How well did you know this?
1
Not at all
2
3
4
5
Perfectly
37
Q

What is the Break-Glass Access Control?

A

Allows to override the access control in “emergencies”

38
Q

What is Usage Control?

A

Controlling the use of documents
For example:
- You aren’t allowed to share files but you can use them yourself
- You can watch a film 3 times in the next 2 weeks

39
Q

What are 2 techniques used for usage control/DRM?

A

Watermarking
Monitoring

40
Q

What are the Usage Control challenges and open questions?

A

Technical - how to implement usage control iin an open environment
Ethical - The right to read

41
Q

How does the Bell-LaPadula Model (BLP) work?

A

No Read Up - A user cannot read information that is classified higher than their clearance

No Write Down - A user cannot write information to a lower security level

42
Q

What is Cryptography, Steganography and Cryptanalysis in simple terms?

A

Cryptography - Secret Writing

Steganography - Concealed Writing

Cryptanalysis - Secret Analysis

43
Q

What is the main difference between Symmetric and Asymmetric Encrpytion?

A

Symmetric Encryption - Same key is used to encrypt/decrypt

Asymmetric Encryption - Different keys used to encrypt/decrypt (a public and private key)

44
Q

Define a Bijection

A

One-to-one relationship between items in sets

45
Q

What is a Code-book?

A

A guide that explains how data or information is encoded or translated. It lists codes and their corresponding meanings or values, helping to decode or interpret the data

46
Q

What is a Mono-Alphabetic Cipher?

A

Each letter in the plaintext is replaced with a different one, but the substitution pattern stays the same throughout the message.

47
Q

What is some key information about the Mono-Alphabetic Cipher?

A

Key-length: 26 letters
Key Space: total number of possible keys - 26!

48
Q

What is true about the security of Substitution Ciphers?

A
  • Brute-forcing a key is difficult
  • Trivial to crack using frequency analysis
49
Q

What is a Polyalphabetic Cipher?

A

A polyalphabetic cipher is a type of cipher where each letter in the plaintext can be encrypted using different alphabets at different points in the message. This means that the same letter may be replaced by different letters at different times.

50
Q

What is a One-Time pad (OTP) ?

A

Uses randmom key that is the same length as the message, each bit is encrypted with corresponding pad using XOR

51
Q

What is a Transposition (Permutation) Cipher?

A

Where the positions of the letters in the plaintext are rearranged according to a specific system, but the actual letters themselves remain unchanged.

52
Q

What is a Composite Cipher?

A

Combines two or more encryption methods, such as substitution and transposition, to make the encryption stronger and harder to break.

53
Q

What is a Feistel Cipher?

A

Splits data into two halves and repeatedly applies a series of operations, where one half is transformed using a function and then combined with the other half. The halves are swapped after each round. This process is repeated several times, creating strong encryption. The key idea is that decryption works by reversing the steps with the same key.

54
Q

What is the Data Encryption Standard (DES) ?

A
  • First cryptographic standard
  • 16 round Feistel cipher and key-scheduler
  • A block cipher, encrypting 64-bit blocks
  • Was extended to triple-DES to overcome key length problem
  • Now replaced by AES
55
Q

What is the security of DES?

A

Main attack: exhaustive search
- took 7 hours with $1M pc (1993)
- took 7 days with $10,000 FGPA-based machine (2006)
No mathematical attacks (but reduced key space from 2^56 to 2^43)
No known attacks on triple DES

56
Q

Define a One way function

A

Easy to compute in done direction but difficult (or pratically impossible) to reverse

57
Q

Define a Trapdoor One-Way function?

A

Easy to compute in one directrion but exteremely difficult to reverse unless you have special information

58
Q

What is RSA?

A

An expanded public-key encryption concept into encryption system

59
Q

What does RSA depend on?

A

RSA depends on the difficulty of factoring large prime numbers
- Breaking down a prime into its factors - (because factoring numbers over 2048 bits
is computationally infeasible

60
Q

What is congruent modulo n?

A

Two numbers are congruent modulo n if they have the same remainder when divided by n

(for example 10 and 7 are congruent modulo 3, as 10 mod 3 = 7 mod 3 = 1)

61
Q

What is GCD?

A

GCD of 2 numbers is the greatest common divider

62
Q

What is Relatively (Co-) Prime?

A

Two numbers are relavitely prime if their gcd is 1 (don’t share any factors except 1)

63
Q

What is Multiplicative Inverse?

A

The multiplicative inverse of a number is a value that, when multiplied by original number, results in 1.

64
Q

What are the steps on Key Generation in RSA?

A
  1. Find two (pretty large) prime numbers p & q
  2. Compute n & Φ(n)
  3. Choose public key (e)
  4. Compute (d)
65
Q

What is the symbol for Euler Quotient?

A

Φ(n)

66
Q

What is Euler’s Quotient?

A

A way of evaluating the performance or efficiency of an algorithm, particularly in the context of computational complexity.
It can be understood as the ratio of the actual performance of an algorithm to its theoretical performance.

67
Q

In Key management, what can be used for the maximum number of keys among a group on N users?

A
   2
68
Q

In Asymmetric Cryptography what are the public and private key used for?

A

Public - encryption
Private - decryption

69
Q

What is a digital signature used for?

A

Proving Identity

70
Q

What is the use of MDC?

A

Modifcation Detection Code provides a checkable fingerprint

(also known as hash, message digest, MAC, MDC, fingerprint)

71
Q

What is are the key details of a Hash Function?

A

Used to check if data has been altered does not encrypt the data

Hashing is a pure one-way function
Generates a unique hash for a piece of data
- changing the data, changes the hash

72
Q

What are two properties of a Hash Function h(x)?

A
  • Compression: h maps an input x of an arbitrary bit length to an output h(x) of fixed
    bit length n
    • Polynomial time computable
73
Q

When is a Hash Function cryptographic?

A

If it is additionally:
- One way (Pre-image Resistance)
- And usually either:
- 2nd Pre-image Resistance
- Collision Restistance

74
Q

What is One way (Pre-image Resistance) on a Hash Function?

A

Given a hash output y=h(x), it is computationally hard to find the original input x

75
Q

What is 2nd Pre-image Resistance on a Hash Function?

A

Given an input x, it is computationally infeasible to find another x’ (x!=x’) such that both inputs produce the same hash output –> h(x) = h(x’) (its very hard to find another input that produces the same output hash)

76
Q

What is Collision Resistance on a Hash Function?

A

It is difficult to find any two distinct inputs x and x’, such that h(x) = h(x’)

77
Q

How could you construct Cryptographic Hashes?

A

Block Chaining techniques can be used:
- Divide message M into fixed size blocks b1,…bn
- Use symmetric encryption algorithm (such as DES)

78
Q

What is the Application of Hashing Passwords?

A

Instead of storing passwords in plaintext, we store only its cryptographic hash:
- For password p, store h(p) in password file
- Requires only pre-image resistance

79
Q

What is the purpose of a cryptographic hash function?

A

To provide data integrity

80
Q

How is symmetric encryption different from a cryptographic hash function?

A

Symmetric encryption is reversible, while hash functions are not

81
Q

Which algorithm is used to provide confidentiality, not integrity?

A

AES (Advanced Encrpytion Standard)

82
Q

Which of the following is NOT a use case for hash functions?
1. Verifying data integrity
2. Password hashing for secure storage
3. Securing communication between two parties
4.Digital signatures for message verification

A
  1. Securing communication between two parties
83
Q

What is Public Key Infrastructure (PKI) used for?

A

To know if the private/public key pair belongs to the right person

84
Q

How does Public Key Infrastructure work (PKI)?

A

To join PKI, Alice
- Generates her own public/private key pair
- Takes her public key Ka to private certification authority (CA) that everybody trusts
and states she is Alice and this is her public key
The CA verifies that Alice is who she says she is, and then signs a digital certificate
- That says “Ka is Alice’s public key”

85
Q

What is a Public Key Infrastructure (PKI)?

A

An infrastructure that allows principles to recgonise which public key belongs to whom

86
Q

What are the core services of a PKI?

A

Linking public keys to entities (certificates)
Key life-cycle management (key revocation, recovery, updates)

87
Q

What are the core components of a PKI?

A
  1. Certification Authority (CA)
    • Creates Certificates and publishes them in the directory
  2. Directory
    • Makes user certificates and CRLs available
    • Must identify users uniquely (needs fresh/accurate user data)
    • Backs up certain keys
  3. Registration Authority (RA)
    • Manages process of registering users and issuing certificates
    • Ensures proper user identification
88
Q

What does the Certification Authority (CA) do?

A
  • Creates certificates and publishes them in directory
  • Maintains Certificate Revocation List (CRL) in directory. CRL checked actively by single
    clients or by validation services
  • Backs up certain keys
89
Q

Define a Certificate

A

A token that binds an identity to a key

90
Q

Define X.509

A

A standard that defines a framework for authentication services