Network and Computer Security

Answer 1

Confidentiality
Integrity
Availability

Question 2

Define Identification

Answer 2

Associating an indentity with a subject

Question 3

Define Authentication

Answer 3

Verifying the validity of something

Question 4

Define Authorization

Answer 4

Granting (or denying) the right or permission of a system entity to access an object

Question 5

Define Access Control

Answer 5

Controlling the access of system entities (on behalf of subjects) to objects based on an access control policy

Question 6

What are four widely used mechanisms for authentication?

Answer 6

1. Something you know - Password/PIN
2. Something you have - Smart card or one-time password
3. Something you are - Biometric Characteristics/Facial Scan/Photograph
4. Location

Question 7

What do good systems include?

Answer 7

Allow for passwords and validate passwords securely
How to access systems securely that require a password
Allow passwords of arbitrary length
Store passwords hashed

Question 8

Define Social Engineering

Answer 8

Tricking people into giving up private information or doing things they shouldn’t, usually by pretending to be someone they trust.

Question 9

Define a Soft Token

Answer 9

A one-time use password

Question 10

What is a bad example of a Hard Token?

Answer 10

UniCard as it could easily be duplicated

Question 11

What is a Biometric Scan?

Answer 11

Uses characteristics of your body
- Fingerprint
- Retina scan
- Face scan
To authenticate your identity

Question 12

What do Typical Access Control models focus on?

Answer 12

Authorization
- Specification of who is allowed to do what
- How to update/change permissions

Question 13

Give an example of a simple access control model.

Answer 13

AC = Subject x Object x Request

Question 14

List 4 key factors of access control models.

Answer 14

1. Often depend on system state
2. Subjects and permissionsd change over time
3. Access rights might require the fulfillment of obligations
4. They are prone to implementation and configuration mistakes (bugs)

Question 15

What does a security policy do?

Answer 15

Defines what is allowed (and/or forbidden)
- It is analogous to a set of laws
- Defined in terms of rules and/or requirements

Question 16

What is a security model?

Answer 16

A representation of a class of systems (and their behaviour)

Question 17

What is a Role-based Access Control used for?

Answer 17

• Create roles for job functions in enterprises
• Assign users to roles
• Assign a et of permissions for each role

Question 18

How is a RBAC formalized?

Answer 18

• A set ROLES
• A set USERS
• A relation UA ⊂ USER x ROLES
• A relation PA ⊂ ROLES x PERMISSION

Question 19

What are key factors of a RBAC when it comes to changing/removing roles?

Answer 19

It uncommon to add/remove roles in organizations - they are more static
If people leave/change roles only one smaller, simpler table/relationship to update

• Employees leaving the company are much more in focus - don’t want them having permissions

Question 20

What should be considered in a simple RBAC

Answer 20

• Role Hierarchies
• Who can change permission
• Context information
• User switching roles

Question 21

What do most pratical RBAC applications use?

Answer 21

Extended/modified versions
- Role hierarchies
- Access control constraints (attributes)

Question 22

What is widely used with RBAC?

Answer 22

XACML (attribute-based access control, very flexible)

Question 23

What is a Hierarchical RBAC?

Answer 23

Extends RBAC with role hierarchy:
- A relation RH ⊂ ROLES x ROLES
- Describing the role hierarchy

Question 24

What is Mandatory Access Control (MAC)?

Answer 24

AC descisions formalized by comparing security labels indicating sensitivity/critically of objects, with formal authorization - security clearances of subjects

Question 25

How does MAC work?

Answer 25

Specifies system-wide access restriction to objects
- Mandatory because subjects may not ransfer their access rights
- Shift power from users to system owner

Question 26

What are the 4 security clearance levels?

Answer 26

Top secret
- Comprehensive backgrounc check, highly-trusted individual

Secret
- Routine background check, trust individual

Confidential/Sensitive
- No background check. Limited distribution, minimally trusted individuals

Unclassified
- Unlimited distribution and untrusted individuals

Question 27

Define a compartment

Answer 27

A compartment (or category) specifies a domain for a need-to-know policy

They are critical in complex coalitions

Question 28

Define a partially ordered set

Answer 28

A set that is: Reflexive, Transitive, Anti-symmetric

Question 29

What is a Reflexive set?

Answer 29

A reflexive set is a set in which every element is related to itself under a given relation.

Question 30

What is a Transitive set?

Answer 30

A transitive set is a set where everything inside the set also has all of its “parts” included in the set.

(If a→b and b→c then a→c)

Question 31

What is an Anti-symmetric set?

Answer 31

An antisymmetric relation means that if two things are related in both directions, they must actually be the same thing.

Question 32

What is a Lattice?

Answer 32

A mathematical structure used to model relationships between security levels, access controls, or permissions.

Question 33

Why use Lattices?

Answer 33

Recall all pairs of lattice elements have a least upper bound and a greatest lower bound

If labels form a lattice, we can uniquely answer questions like:

Given 2 objects with different labels, what is the minimal label a subject requires to be allowed to read both objects?

Given 2 subjects with different labels, what is the maximal label an object can have that can still be read by both subjects?

Well-suited for need-to-know policies, where each subject is assigned a label reflecting least privilege required for this function.

Question 34

What is the Bell-LaPadula Model (BLP) ?

Answer 34

A security model used to protect classified information and control access to it. Considers cross-level communication where subjects may interact below their level of clearance

Main insight: prohibiting write-down is essential for confidentiality as otherwise information can effectively be reclassified.

Question 35

Conclude the BLP model.

Answer 35

No information leakage possible (if implementation is secure)

Prevents “legitimate” communication from high-level subjects to low-level ones.

Question 36

What is the Discretionary Access Control (DAC)?

Answer 36

Owners can change permissions

Question 37

What is the Break-Glass Access Control?

Answer 37

Allows to override the access control in “emergencies”

Question 38

What is Usage Control?

Answer 38

Controlling the use of documents
For example:
- You aren’t allowed to share files but you can use them yourself
- You can watch a film 3 times in the next 2 weeks

Question 39

What are 2 techniques used for usage control/DRM?

Answer 39

Watermarking
Monitoring

Question 40

What are the Usage Control challenges and open questions?

Answer 40

Technical - how to implement usage control iin an open environment
Ethical - The right to read

Question 41

How does the Bell-LaPadula Model (BLP) work?

Answer 41

No Read Up - A user cannot read information that is classified higher than their clearance

No Write Down - A user cannot write information to a lower security level

Question 42

What is Cryptography, Steganography and Cryptanalysis in simple terms?

Answer 42

Cryptography - Secret Writing

Steganography - Concealed Writing

Cryptanalysis - Secret Analysis

Question 43

What is the main difference between Symmetric and Asymmetric Encrpytion?

Answer 43

Symmetric Encryption - Same key is used to encrypt/decrypt

Asymmetric Encryption - Different keys used to encrypt/decrypt (a public and private key)

Question 44

Define a Bijection

Answer 44

One-to-one relationship between items in sets

Question 45

What is a Code-book?

Answer 45

A guide that explains how data or information is encoded or translated. It lists codes and their corresponding meanings or values, helping to decode or interpret the data

Question 46

What is a Mono-Alphabetic Cipher?

Answer 46

Each letter in the plaintext is replaced with a different one, but the substitution pattern stays the same throughout the message.

Question 47

What is some key information about the Mono-Alphabetic Cipher?

Answer 47

Key-length: 26 letters
Key Space: total number of possible keys - 26!

Question 48

What is true about the security of Substitution Ciphers?

Answer 48

• Brute-forcing a key is difficult
• Trivial to crack using frequency analysis

Question 49

What is a Polyalphabetic Cipher?

Answer 49

A polyalphabetic cipher is a type of cipher where each letter in the plaintext can be encrypted using different alphabets at different points in the message. This means that the same letter may be replaced by different letters at different times.

Question 50

What is a One-Time pad (OTP) ?

Answer 50

Uses randmom key that is the same length as the message, each bit is encrypted with corresponding pad using XOR

Question 51

What is a Transposition (Permutation) Cipher?

Answer 51

Where the positions of the letters in the plaintext are rearranged according to a specific system, but the actual letters themselves remain unchanged.

Question 52

What is a Composite Cipher?

Answer 52

Combines two or more encryption methods, such as substitution and transposition, to make the encryption stronger and harder to break.

Question 53

What is a Feistel Cipher?

Answer 53

Splits data into two halves and repeatedly applies a series of operations, where one half is transformed using a function and then combined with the other half. The halves are swapped after each round. This process is repeated several times, creating strong encryption. The key idea is that decryption works by reversing the steps with the same key.

Question 54

What is the Data Encryption Standard (DES) ?

Answer 54

• First cryptographic standard
• 16 round Feistel cipher and key-scheduler
• A block cipher, encrypting 64-bit blocks
• Was extended to triple-DES to overcome key length problem
• Now replaced by AES

Question 55

What is the security of DES?

Answer 55

Main attack: exhaustive search
- took 7 hours with $1M pc (1993)
- took 7 days with $10,000 FGPA-based machine (2006)
No mathematical attacks (but reduced key space from 2^56 to 2^43)
No known attacks on triple DES

Question 56

Define a One way function

Answer 56

Easy to compute in done direction but difficult (or pratically impossible) to reverse

Question 57

Define a Trapdoor One-Way function?

Answer 57

Easy to compute in one directrion but exteremely difficult to reverse unless you have special information

Question 58

What is RSA?

Answer 58

An expanded public-key encryption concept into encryption system

Question 59

What does RSA depend on?

Answer 59

RSA depends on the difficulty of factoring large prime numbers
- Breaking down a prime into its factors - (because factoring numbers over 2048 bits
is computationally infeasible

Question 60

What is congruent modulo n?

Answer 60

Two numbers are congruent modulo n if they have the same remainder when divided by n

(for example 10 and 7 are congruent modulo 3, as 10 mod 3 = 7 mod 3 = 1)

Question 61

What is GCD?

Answer 61

GCD of 2 numbers is the greatest common divider

Question 62

What is Relatively (Co-) Prime?

Answer 62

Two numbers are relavitely prime if their gcd is 1 (don’t share any factors except 1)

Question 63

What is Multiplicative Inverse?

Answer 63

The multiplicative inverse of a number is a value that, when multiplied by original number, results in 1.

Question 64

What are the steps on Key Generation in RSA?

Answer 64

1. Find two (pretty large) prime numbers p & q
2. Compute n & Φ(n)
3. Choose public key (e)
4. Compute (d)

Question 65

What is the symbol for Euler Quotient?

Answer 65

Φ(n)

Question 66

What is Euler’s Quotient?

Answer 66

A way of evaluating the performance or efficiency of an algorithm, particularly in the context of computational complexity.
It can be understood as the ratio of the actual performance of an algorithm to its theoretical performance.

Question 67

In Key management, what can be used for the maximum number of keys among a group on N users?

Answer 67

   2

Question 68

In Asymmetric Cryptography what are the public and private key used for?

Answer 68

Public - encryption
Private - decryption

Question 69

What is a digital signature used for?

Answer 69

Proving Identity

Question 70

What is the use of MDC?

Answer 70

Modifcation Detection Code provides a checkable fingerprint

(also known as hash, message digest, MAC, MDC, fingerprint)

Question 71

What is are the key details of a Hash Function?

Answer 71

Used to check if data has been altered does not encrypt the data

Hashing is a pure one-way function
Generates a unique hash for a piece of data
- changing the data, changes the hash

Question 72

What are two properties of a Hash Function h(x)?

Answer 72

• Compression: h maps an input x of an arbitrary bit length to an output h(x) of fixed
  bit length n
  
  • Polynomial time computable

Question 73

When is a Hash Function cryptographic?

Answer 73

If it is additionally:
- One way (Pre-image Resistance)
- And usually either:
- 2nd Pre-image Resistance
- Collision Restistance

Question 74

What is One way (Pre-image Resistance) on a Hash Function?

Answer 74

Given a hash output y=h(x), it is computationally hard to find the original input x

Question 75

What is 2nd Pre-image Resistance on a Hash Function?

Answer 75

Given an input x, it is computationally infeasible to find another x’ (x!=x’) such that both inputs produce the same hash output –> h(x) = h(x’) (its very hard to find another input that produces the same output hash)

Question 76

What is Collision Resistance on a Hash Function?

Answer 76

It is difficult to find any two distinct inputs x and x’, such that h(x) = h(x’)

Question 77

How could you construct Cryptographic Hashes?

Answer 77

Block Chaining techniques can be used:
- Divide message M into fixed size blocks b1,…bn
- Use symmetric encryption algorithm (such as DES)

Question 78

What is the Application of Hashing Passwords?

Answer 78

Instead of storing passwords in plaintext, we store only its cryptographic hash:
- For password p, store h(p) in password file
- Requires only pre-image resistance

Question 79

What is the purpose of a cryptographic hash function?

Answer 79

To provide data integrity

Question 80

How is symmetric encryption different from a cryptographic hash function?

Answer 80

Symmetric encryption is reversible, while hash functions are not

Question 81

Which algorithm is used to provide confidentiality, not integrity?

Answer 81

AES (Advanced Encrpytion Standard)

Question 82

Which of the following is NOT a use case for hash functions?
1. Verifying data integrity
2. Password hashing for secure storage
3. Securing communication between two parties
4.Digital signatures for message verification

Answer 82

3. Securing communication between two parties

Question 83

What is Public Key Infrastructure (PKI) used for?

Answer 83

To know if the private/public key pair belongs to the right person

Question 84

How does Public Key Infrastructure work (PKI)?

Answer 84

To join PKI, Alice
- Generates her own public/private key pair
- Takes her public key Ka to private certification authority (CA) that everybody trusts
and states she is Alice and this is her public key
The CA verifies that Alice is who she says she is, and then signs a digital certificate
- That says “Ka is Alice’s public key”

Question 85

What is a Public Key Infrastructure (PKI)?

Answer 85

An infrastructure that allows principles to recgonise which public key belongs to whom

Question 86

What are the core services of a PKI?

Answer 86

Linking public keys to entities (certificates)
Key life-cycle management (key revocation, recovery, updates)

Question 87

What are the core components of a PKI?

Answer 87

1. Certification Authority (CA)
   
   • Creates Certificates and publishes them in the directory
2. Directory
   
   • Makes user certificates and CRLs available
   • Must identify users uniquely (needs fresh/accurate user data)
   • Backs up certain keys
3. Registration Authority (RA)
   
   • Manages process of registering users and issuing certificates
   • Ensures proper user identification

Question 88

What does the Certification Authority (CA) do?

Answer 88

• Creates certificates and publishes them in directory
• Maintains Certificate Revocation List (CRL) in directory. CRL checked actively by single
  clients or by validation services
• Backs up certain keys

Question 89

Define a Certificate

Answer 89

A token that binds an identity to a key

Question 90

Define X.509

Answer 90

A standard that defines a framework for authentication services