Part 1 Flashcards

(188 cards)

1
Q

What are the 3 aspects of the CIA triad?

A

Confidentiality: No unauthorised reading/learning of data.
Integrity: No unauthorised modification or destruction.
Availability: Timely and reliable access to data.

2
Q

What is non-repudiation?

A

The assurance that an entity cannot deny having done an action.

3
Q

What is authenticity?

A

Property of being genuine and being able to be verified.

4
Q

What is accountability?

A

Property that an action should be able to be traced back to the entity that performed it.

5
Q

What are the assets of a security system?

A

Software
Hardware
Data
Communication facilities and networks.

6
Q

What are the 3 types of vulnerability?

A

Leaky: Unauthorised access
Unavailable: Slow, using becomes impossible/impractical
Corrupted: wrong thing/wrong answers

7
Q

What is an attack?

A

A threat that is carried out.

8
Q

What are the two attack classifications?

A

Active: Attempt to alter/affect operation of assets.
Passive: Attempt to learn/make use of information from a system.

9
Q

What is an inside attack?

A

An attack initiated by an entity inside the security perimeter.
The entity has authorised access to the system.

10
Q

What is an outside attack?

A

An attack initiated by someone outside the security perimeter.

11
Q

What is a risk?

A

Measure of the extent to which an asset is threatened by a potential circumstance/event.
The likelihood of occurrence.

12
Q

What is a countermeasure?

A

An action that mitigates the effects of an attack/risk.

13
Q

What is encryption?

A

Transformation of information using a secret.

14
Q

What is access control?

A

Rules, policies and mechanisms that limit access to resources to those people/systems with a “need to know”.

15
Q

What is a “need-to-know” determined by?

A

Identity

Role

16
Q

What is authorisation?

A

Determining whether a person or system is allowed to access resources, based on an access policy.

17
Q

What is authentication?

A

Determination of role/identity.

18
Q

How can an entity be authenticated?

A

Something they have (smart card)
Something they know (password)
Something they are (biometrics)

19
Q

What is physical security?

A

The physical barriers and restrictions used to improve the security of resources and components.

20
Q

What are examples of physical security?

A

Copper meshes in walls
Locks
Placement of computers in windowless rooms.
Sound dampening materials.

21
Q

What are backups?

A

Periodic archiving of data to enable restoration in the event of failure.

22
Q

What are checksums?

A

Functions turning a file into a numerical value.

23
Q

What does a checksum function rely on?

A

The whole file.

Flipping a single bit should change the output.

24
Q

What are computational redundancies?

A

Computers/storage devices that serve as fallbacks in the case of failures.

25
What is symmetric encryption?
Encryption using a single, secret key.
26
What is asymmetric encryption?
Encryption using a public-private key pair.
Public for encryption, private for decryption.
27
What is the RSA process?
1. Choose 2 prime numbers (p and q).
2. Calculate N (N = pq).
3. Calculate T (T = (p-1)(q-1)).
4. Choose numbers e, d where ed mod T = 1.
5. PU = (N, e), PR = (N, d).
To encrypt: (message)^e
To decrypt: (message)^d
28
What is a digital signature?
Encryption of the hash of a message using the sender's private key that can be used to authenticate their identity using their private key.
29
What is a Man-In-The-Middle attack?
An attack where communication is intercepted by a third party.
30
What is a primitive root?
N is a primitive root of the prime q if its powers mod q produce every integer in the range 1 to (q-1). Examples: (2, 13), (2, 17).
31
What is a discrete logarithm?
i is the discrete logarithm of b if b = a^i mod q.
32
What is the Diffie-Hellman process?
Explain it.
33
What is the job of a certificate?
Bind a user/company identity to their public key.
34
What are the mandatory fields of a certificate?
Version
Serial Number
Signature
Issuer
Validity
Subject
Public Key
35
What is the PKI?
Public Key Infrastructure.
Set of hardware, software, people, processes and policies.
36
What is the role of the PKI?
Facilitate the creation of a verifiable association between a public key and the identity of the holder of the corresponding private key.
37
What cryptography does the PKI use?
Asymmetric
38
What is the job of the CA?
Certification Authority.
Issue, revoke and distribute public key certificates.
39
How are certificates signed?
Using the private key of the CA.
40
What is the PKI repository?
A means of storing and distributing X.509 certificates and CRLs, and managing updates to certificates.
41
What is the job of the RA?
Registration Authority.
Verify user request for a certificate.
42
What is the process of certificate issuance?
1. RA verifies user request.
2. User chooses PR, CA chooses PU.
3. Certificate issued by CA.
43
What is the process of certificate usage?
1. User fetches certificate.
2. User fetches CRL.
3. User checks that the certificate is valid using CRL.
4. User checks the signature using certificate.
44
What are the reasons for certificate revocation?
Compromised private key
Company moves physical address
Expiration
HR reasons
45
What is a CRL?
Certificate Revocation List.
List of no longer valid certificates.
46
What are the issues of a CRL?
Expensive to distribute.
Updates not sent quickly enough to defend against attacks.
Vulnerable to DoS attacks.
47
What are the mandatory fields of a CRL?
Version
Signature
This Update
Next Update
Revoked Certificates [ ]
48
What is TLS?
Transport Layer Security Protocol
49
What does TLS provide?
Privacy and data integrity
50
What are the 2 protocols of TLS?
Handshake protocol
Record protocol
51
What is the handshake protocol?
User sends: Client hello, protocol version, suite of supported cryptographic algorithms.
Server responds: Highest common version and suite, public key certificate (with key).
Client checks certificate, generates secret key and sends it to the server using the server's public key.
52
How does a client check the certificate of a server?
The certificate is signed by the private key of the CA, so it can be verified using the public key of the CA, which is included in browsers.
53
What is Kerberos?
Network Authentication Protocol.
54
What encryption does Kerberos use?
Symmetric encryption
55
What are the goals of Kerberos?
User's password shouldn't travel on the network.
Single login for a session.
Clients and servers mutually authenticate.
User passwords never stored.
Authentication information centralised on the authentication server.
56
What is a realm in Kerberos?
The users and services authenticated by a KDC.
57
What is a principal?
User, application server, services on the network.
58
What is a ticket in Kerberos?
Proof of ID for a user to access a service.
59
What is the KDC?
Key Distribution Center.
60
What does the KDC store?
A database of principals and their master keys generated using their passwords. Database is encrypted using the master key of the KDC.
61
What are the 3 components of the KDC?
Database
Authentication Server
Ticket Granting Server
62
What is phase 1 of Kerberos?
User requests ticket.
AS generates SA.
AS generates TGT: (Username, SA, T1).
AS encrypts TGT with KDC master key.
AS sends to user, encrypting with user's key KA.
User logs in, KA generated from password.
User decrypts and obtains the TGT.
63
What are the limitations of Kerberos?
Single point of failure
Requires synchronised clocks
Assumes client's workstation is secure
Vulnerable to password guessing
64
What are the 2 steps of User Authentication?
Identification, Verification
65
What are the problems with passwords?
Password overload
Passwords can be guessed
Must be stored safely
Password reuse
66
How can an attacker crack a password?
Brute Force
Shoulder Surfing
Dumpster Diving
Guessing
Interception
Key Logging
Social Engineering
67
What is phishing? + countermeasure
Using a fake site to gain credentials to be used on a target site.
CM: Server-side authentication
68
What is interception? + countermeasure
Clear text information intercepted by an attacker (man in the middle).
CM: Encrypt communication between users and website.
69
What is keylogging?
Using software to record the keys typed by users. Can get passwords from this. E.g. Kidlogger, Revealer
70
What are the countermeasures for Shoulder Surfing and Dumpster Diving?
User Training and awareness
71
What are the 2 types of password attacks?
Offline/Online
72
How many combinations are there for a brute force attack?
(Length of alphabet)^(length of password)
73
What is an online dictionary attack?
An attack that tries passwords from a dictionary of words, common passwords, words important to the user (name, address, pet...) etc. Not 100% guaranteed to crack the password, but can lead to fewer trials and less time needed.
74
What are good countermeasures for password cracking?
Throttling
Locking
Protective Monitoring
Password Blacklisting (common passwords)
75
What is password strength?
The effectiveness of a password against a brute force attack.
76
What is password entropy?
n × log(A) / log(2)
77
What is an offline dictionary attack?
An attack that tries to crack passwords in a password file.
The attacker tries passwords from a dictionary of common passwords and compares the hashes.
78
What are the countermeasures for an offline dictionary attack?
Hashing
Salting
Password file access (only privileged users)
Separation of user IDs from passwords
79
What are the properties of a good hash function?
Non-reversible
Fixed length
Unique for each input
80
What is salting?
The process of adding random bits to a password, then hashing the result to make a brute force attack even harder.
81
What is the salting process?
1. Compute hash of the password.
2. Add salt (prepend/append).
3. Hash the result.
4. Store the hash and salt.
82
What can be used to crack passwords?
Pwdump
L0phtcrack
83
What are the password cracking methods?
Brute force
Dictionary: Only as good as your dictionary
Hybrid
84
What is a reduction function? + examples
A function that transforms a hash into a new string (possible password) to be hashed. E.g.: first 6 letters, first 6 characters, last 5 numbers etc.
85
What is the rainbow table process?
1. Precompute hashes, apply reduction functions, compute hashes etc. to create the rainbow table. Only store the first and last column.
2. Apply the last reduction function to the hash to crack.
3. Check if the result is in the table.
4. If so, go to the start of that row, and compute the hashes until the plaintext is found. (It's the plaintext that generates the hash.)
5. If not, apply the penultimate reduction function, then the last reduction function, and check.
6. Repeat until the row is found.
7. Go to the start of the row and calculate the hashes forward until the correct value is found.
86
Why are rainbow tables used?
They are a good trade off between time and space.
87
What is online and offline cracking?
Offline: Password of a program (zip file)
Online: Online service to crack (ssh) - use hydra.
88
What are the security properties of privacy?
Confidentiality, Integrity, Availability, Accountability
89
What must be considered with privacy?
The system as a whole: Software, Hardware, Physical Environment, Legal, Corporate, Personnel
90
What is confidentiality?
Unauthorised reading/learning of data.
Presumes an access control security policy.
91
What is privacy?
Keeping individuals' information confidential.
92
What is secrecy?
Keeping company information confidential.
93
What is anonymity?
True identity of an individual is not known and cannot be learned.
94
What is intrusion?
Invasive acts that threaten the solitude or tranquility of a person.
95
What is decisional interference?
Government's incursion into the data subject's decisions regarding their private affairs.
96
What is surveillance?
The watching, listening to or recording of an individual's activities.
97
What is interrogation?
Various forms of questioning and probing for information.
98
What is aggregation?
Combining of data about a person.
99
What is identification?
Linking information to a particular individual.
100
What is insecurity?
Carelessness in protecting stored information from leaks and improper access.
101
What is secondary use?
The non-consensual use of data for purposes other than those for which the data was originally collected.
102
What is exclusion?
Failure to allow the data subject to know about the data that others have about them and participate in its handling and use.
103
What is a breach in confidentiality?
Breaking a promise to keep data confidential.
104
What is disclosure?
Releasing information that influences how an individual is judged.
105
What is exposure?
Revealing nudity, grief or bodily functions.
106
What is increased accessibility?
Amplifying accessibility of information.
107
What is blackmail?
The threat to release personal information.
108
What is appropriation?
The use of someone's identity in order to serve another's aims.
109
What is distortion?
Dissemination of false/misleading information about an individual.
110
What is privacy as confidentiality?
Data anonymisation, secure messaging, anonymous communication, data minimisation.
111
What is privacy as control?
Anonymous credentials, privacy policy languages, purpose-based AC.
112
What is privacy as practice?
Feedback and awareness tools, privacy nudges, aid in privacy decision making.
113
What is a privacy policy?
Text that specifies how data may be used, under which conditions and what obligations this entails.
114
What are the privacy requirements?
AC requirements
Actions required before access
Actions that must be performed within a certain time period
Restrictions on further distribution of data
Restrictions on purpose of use
Limitations of retention time
Mandatory use of protection mechanisms
Duties of keeping data up-to-date
115
What are the 2 PET families?
Soft Privacy Technology: Assumes trust of 3rd party. (AC, tunnel encryption)
Hard Privacy Technology: No trust of 3rd party. (Tor)
116
What is a data controller, data subject and data analyst?
Controller: Entity that collects, holds and controls the data.
Subject: Entities that the data is about.
Analyst: Entities that use the data for studies and predictions.
117
What are the 3 classifications of attributes?
Explicit (key) identifiers: Name, NI
Quasi-identifiers: DOB, Postcode
Sensitive: Medical records
118
What is k-anonymity?
A record must be indistinguishable from at least k-1 other records with the same quasi-identifier. There must be at least k records in the same equivalence class. If this holds for each quasi-identifier, a table is k-anonymous.
119
How can k-anonymity be achieved?
Generalisation: Making quasi-identifiers less specific (e.g. >40). Partition ordered-value domains into intervals.
Suppression: e.g. 478****, if there is too much loss with generalisation.
120
How can k-anonymity be attacked?
If the attacker has background information (background knowledge attack).
If there is not enough diversity in sensitive attributes for each equivalence class (homogeneity attack).
121
What is l-diversity?
If an equivalence class has at least l well-represented values, then it has l-diversity. If all equivalence classes have l-diversity, the table is l-diverse.
122
What is distinct l-diversity?
Each equivalence class has at least l distinct sensitive values for the field.
123
What is a limitation of l-diversity?
It doesn't protect against sensitive attribute disclosure.
Doesn't consider the overall distribution of sensitive values.
124
What is sensitive attribute disclosure?
The attacker can make broader claims about an individual (salary range, illness domain - mental illness, stomach illness). This is a similarity attack.
125
What is t-closeness?
The distribution of sensitive values in each equivalence class should be within a threshold t of the original distribution.
126
What is differential privacy?
The probability of a result of a query being nearly the same, regardless of whether an individual is included in the dataset.
127
Why is a proxy not fully anonymous?
The proxy server knows where information is coming from and going to. The sender is not known to the receiver and vice versa, but both are known to the proxy.
128
What is a VPN?
Virtual Private Network.
Can make computers outside a network be treated as if they are in the network.
129
What is encapsulation in a VPN?
The wrapping of a message for travel over a channel into a VPN. It is unwrapped once it arrives, and is then treated as normal network traffic.
130
Why are VPNs good?
Provide anonymity.
Can access sensitive resources from outside of a network.
Can be used to simulate current position as that of the server (US Netflix).
131
What is a mix network?
A routing protocol that sends traffic to different proxy servers to reach a final destination.
132
What is the process of a mix network?
1. Path identified by the user, public keys of servers collected.
2. Layers of encryption added to message using each public key.
3. Message sent along the path.
133
Why is a mix network anonymous?
Each server only knows its direct neighbours in the path.
134
How are replies returned to the user?
The server sends the data to the last node in the path, which encrypts the reply using a key given to it by the user when the first request was sent. The data is then passed up the path, with each node adding a new layer of encryption. Once it reaches the user, it is decrypted.
135
What are the 3 nodes in the Tor network?
Guard, relay, exit
136
What is the job of a Tor browser?
To provide a path of nodes for the user to use to send a message.
137
What is perfect forward secrecy?
Using keys of each server to encrypt the data, so no nodes can access the data.
138
What are the 2 types of relay node?
Bridge node: Unlisted
Advertised
139
How is 2-way anonymity achieved?
A rendezvous point is agreed on by a user and server. Messages are routed using paths to this point. A server will register an Onion URL which can be accessed via a Tor browser. The server has introduction points, reached via a path, which are used to agree the rendezvous point.
140
What is the process of E-voting in Estonia?
Voter uses ID card and PinPad.
ID card and PinPad used to create key.
Key used to authenticate website.
User uses second key to confirm vote.
Vote sent.
Vote encrypted using PU of government or LA.
Vote wrapped with voter's signature.
Vote collected, unwrapped and mixed.
All votes then counted.
141
What is homomorphic encryption?
Uses mathematical functions that allow for results to be found without decryption.
142
Where can AC be implemented?
Locally or over a network.
143
What is a security policy?
Defines which executions are allowed by which users/systems according to a set of measurable, high-level rules.
144
What is a security model?
A formal representation of a class of systems, highlighting security features.
145
What are 2 security models?
Code based
Database oriented
146
What is Discretionary Access Control?
Principle: Users own resources and control access to them.
Each resource has a DAC list which specifies which entities have which access.
147
What are the issues of DAC?
Large systems are complex to manage.
Difficult to understand whether correct permissions have been given to the right users.
The objects and users change frequently, so their permissions need to be updated frequently as well.
148
What is Mandatory Access Control?
Access control based upon security levels of subjects and objects.
Most systems use multi-level security policies.
Decisions are made by comparing the security clearance of a subject with the security clearance of an object.
149
What does each subject have in a MAC system?
A clearance and "need-to-know". To access a resource, the subject must have a clearance level equal to or higher than that of the resource, and contain all the "need-to-knows" of the object.
150
What is an RBAC?
Role-Based Access Control. Access given to subjects based upon their role in an organisation. Permissions are assigned to roles.
151
What are the advantages of RBAC?
Distinct from user groups
Emphasis on responsibility
Increases abstraction in policies (more manageable)
Simple
Reduces user administration
152
What are the types of RBAC?
Flat
Hierarchical
Constrained
153
What is the Chinese Wall Model?
Commercially inspired confidentiality model.
Uses conflict classes.
A user can only have access to one dataset within each conflict class.
154
What is blockchain?
A decentralised ledger of transactions, fully replicated over a trustless peer to peer network.
155
What are the transactions of blockchain?
Events of interest for a specific application.
156
What is bitcoin?
A decentralised cryptocurrency that transfers currency via blockchain, providing pseudo-anonymity.
157
How are transactions carried out in blockchain?
Transaction is broadcast to the whole network.
All nodes verify the transaction.
Each replica updates its ledger.
158
What are digital signatures used for?
Verifying the sender, and proving ownership of the UTXO.
159
How are transactions identified?
Using the addresses which are associated to a (PU, PR) pair.
A wallet contains the key pairs associated to the addresses of a user.
160
What are the inputs for a transaction?
An amount of unspent bitcoin to be used for the transaction.
161
What is the UTXO?
Unspent Transaction Output
162
How is ownership of the UTXO proved?
Using digital signatures which verify the ownership of the private key associated to the address.
163
Why does having multiple addresses not provide full anonymity?
A user can be profiled when different transactions are used for a UTXO.
164
Why is decentralisation good?
Doesn't require trust
No single point of failure
No censorship
165
How are blocks created?
Miners choose which txns to include in a block.
Miners choose which block to use as previous.
Miners solve a resource-intensive puzzle to compute Proof-of-Work (PoW).
New block is broadcast to the network.
Each node adds it to its local blockchain replica.
166
What is on a new block?
A number of transactions
Reference to previous block (hash)
Random number (solution)
167
What is the puzzle?
Find a number s.t. the hash of the block has a certain number of zeros as its most significant digits.
168
What are the incentives to mine?
Amount of bitcoin for the block.
Transaction fees.
169
How are branches dealt with?
They are allowed to grow until one becomes longer and is accepted; the others are rejected and the transactions are rolled back.
170
What is pooling?
The combination of computational power between groups of miners.
More chance of branches (and blocks) being accepted, so more fees.
Fees split between the group.
171
What are the advantages of blockchain?
Decentralised
Reliable
Pseudo-anonymity
No need for trust
Immutable history of txns
172
What are the disadvantages of blockchain?
Not stabilised
High transaction fees
Slow txn confirmation
Business may not be protected
173
What is a smart contract?
A computerised txn protocol that executes the terms of a contract. Digital representation of a legal contract that can be executed deterministically.
174
What is the life cycle of a contract?
Definition, Execution, Audit
175
What are the 4 conditions of a smart contract?
Integrity of Control: Accountability of contract enforcement.
Democratic Control: Responsibility should be shared, no controlling party.
Non-repudiation: Cannot argue with any part of the execution.
Building of Trust: Should start trustless, build and preserve for duration.
176
How does blockchain adhere to the conditions of smart contracts?
IoC: Transactions are immutable.
DC: Executed by all peers.
N-R: Transactions are immutable.
BoT: PoW consensus builds trust.
177
What is Ethereum?
Decentralised platform for executing smart contracts.
178
What are the 2 types of account for Ether?
Externally Owned Account
Contract
179
What is EOA used for?
Transferring cryptocurrency.
180
What can contracts do?
Update state
Carry out transactions to EOAs/contracts
181
What is the cost of a smart contract?
Gas unit
182
What is a gas limit?
The maximum amount of gas units that a transaction is willing to pay.
183
What is a decentralised application?
An application whose backend runs on a decentralised P2P network. Multiple stakeholders are willing to manage assets of interest according to a business logic encoded as smart contracts.
184
What is a permissioned blockchain?
A blockchain where the peers are invited.
185
Why are permissioned blockchains used?
Used in business, for company to company transactions.
They may not want to make the txns public.
186
What determines the creator of the next block in a permissioned blockchain?
Leader election
187
Which performance is better, permissioned or permissionless?
Permissioned
188
What does responsible distribution ensure?
No single point of failure
No privileged nodes