SE4472 FINAL

Question 1

How large is a block in DES?

Answer 1

8 bytes

Question 2

How large is a block in AES?

Answer 2

16 bytes (128 bits)

Question 3

What is perfect secrecy?

Answer 3

No way to brute force (one-time pad)

Question 4

What are the three goals of security?

Answer 4

confidentiality (encryption, public key exchange)
integrity (MACs, hashes)
authenticity (digital signatures, certificates, public key infrastructure)

Question 5

What are the requirements for an ideal block cipher?

Answer 5

1. Encryption should be reversible
   - returns original message
   - bijection (1:1 mapping)
   - permutation (strings map 1:1 w/ itself)
2. Easy with the key, hard without
3. Efficient to compute

Question 6

What is the difference between a PRP and PRF?

Answer 6

PRF (pseudo random function) does not require 1:1 mapping

Question 7

What is a feistel network?

Answer 7

Method of turning a PRF into a PRP

• twisted ladder, at least 4 rounds
• decrypt by running backwards

Question 8

What is the security level of CBC?

Answer 8

If the IV is known: IND-EAV secure

If the IV is random: IND-CPA secure

Question 9

What is the security level of AES-GCM?

Answer 9

IND-CCA2

Question 10

What is the security level of ECB?

Answer 10

None (Not IND-EAV secure)

Question 11

What is the security level of CTR?

Answer 11

If the IV is known: IND-EAV secure

If the IV is random: IND-CPA secure

Question 12

What is the probability of a successful pre-image resistance attack?

Answer 12

2^(l-1)

** -1 since we already know 1 hash which is the one we are trying to guess with a guess message

Question 13

What is the probability of a successful second pre-image resistance attack?

Answer 13

2^(l)

**asked essex about this

Question 14

What is the probability of a successful collision attack?

Answer 14

2^(l/2)

**birthday paradox

Question 15

How many bits is an MD5 hash?

Answer 15

128

Question 16

What is computational secrecy?

Answer 16

Not perfect, but only vulnerable to brute force

Question 17

Public-key exchange achieves which security goal?

Answer 17

confidentialy

Question 18

MAC codes achieve which security goal?

Answer 18

Ingetrity

Question 19

Digital signatures achieve which security goal?

Answer 19

Authenticity

Question 20

What security level does a caesar cipher offer?

Answer 20

None

Question 21

Deterministic ciphers can offer at most what level of security?

Answer 21

IND-EAV

Question 22

In a Feistel network, how many rounds is required to turn a strong PRF into a PRP?

Answer 22

4

Question 23

What block size does DES use?

Answer 23

64 bits

Question 24

what is security rule #1?

Answer 24

Don’t roll (create) your own crypto

Question 25

What is security rule #2?

Answer 25

Kerckhoff’s Principal:

• A crypto system should be secure even if the algorithm is public
• Secrecy of the message should depend on the secrecy of the KEY, not security through obscurity of the algorithm

Question 26

What is second pre-image resistance?

Answer 26

Given m1 and h, it is hard to find another message m2 that produces the same hash

Question 27

Define plaintext

Answer 27

A message to be encrypted

Question 28

Define Ciphertext

Answer 28

the encrypted message

Question 29

Define Key

Answer 29

secret that is used to transform plaintext into ciphertext

Question 30

How many queries would be required for a padding oracle attack (worst case)?

Answer 30

255 queries/byte * 16 bytes = ~4000 queries

Question 31

Goals of cryptosystem designers

Answer 31

1. Key space exponential in key length
2. Infeasible to brute force ( > 2^100)
3. Brute force = worst case

Question 32

What is pre-image resistance?

Answer 32

given hash h, it is hard to find a message that hashes to h

Question 33

TLS uses what approach to authenticated encryption?

Answer 33

MAC-then-encrypt

Question 34

What is second pre-image resistance?

Answer 34

Given m1 and h, it is hard to find another message m2 that produces the same hash

Question 35

What are the 3 properties of a one-time pad?

Answer 35

1. Pad chosen independent to text, and at random
2. Pad is exactly as long as the message
3. Pad is only ever used once

Question 36

Properties of computational (practical) security:

Answer 36

1. Short length key
2. Crackable with enough computing power
3. Too many keys to brute force

Question 37

what is message authentication?

Answer 37

know who the message came from

Question 38

Reasons why one-time pad is not feasible:

Answer 38

1. Generating, transporting, storing too costly
2. size of key is long
3. Human error such as pad re-usal

Question 39

Properties of computational (practical) security:

Answer 39

1. Short length key
2. Crackable with enough computing power
3. Too many keys to brute force

Question 40

T/F: A linear modification in the ciphertext is preserved

in the plaintext in CTR mode

Answer 40

T

Question 41

T/F: Flipping a bit of ciphertext in CBC mode totally corrupts every plaintext block

Answer 41

F: Only corrups current plaintext block, but flips the bit in next block

Question 42

How would you pad this message using AES and PKCS#7:

68 65 6c 6c 6f 20 77 6f 72 06

Answer 42

68 65 6c 6c 6f 20 77 6f 72 06 06 06 06 06 06 06

Question 43

How many queries would be required for a padding oracle attack (worst case)?

Answer 43

255 queries/byte * 16 bytes = ~4000 queries

Question 44

How do you prevent a padding oracle attack?

Answer 44

Don’t let your decryption function return a

plaintext unless the ciphertext was valid (use MAC)

Question 45

GCM uses what approach to authenticated encryption?

Answer 45

Encrypt-then-MAC

Question 46

TLS uses what approach to authenticated encryption?

Answer 46

MAC-then-encrypt

Question 47

T/F: public keys are used to undo something (decrypt)

Answer 47

F: private keys are used for undoing.

Public keys are used for doing (encrypting)

Question 48

Why are the Caesar and Vigenere ciphers not secure?

Answer 48

They both leak letter frequency

Question 49

Why is Enigma not secure?

Answer 49

Leaks information about what the plain text is not

Question 50

What does CCA stand for

Answer 50

Chosen Ciphertext Attack

Question 51

Definition of A’s advantage in winning the game

Answer 51

Adv(A) = | P(b’ = b) - 0.5 |

Question 52

Does A have an advantage if winning more than 50% of time?

Answer 52

Yes

Question 53

Does A have an advantage if winning LESS than 50% of time?

Answer 53

Yes, pick opposite guess of what A thinks

Question 54

Does A have an advantage if they win exactly 50% of time?

Answer 54

No

Question 55

How is negligibility defined?

Answer 55

In terms of how the keyspace grows relative to the adversary advantage

Question 56

What is a negligible function?

Answer 56

e() is a negligible function if it grows more slowly than the inverse of a polynomial function: e(k) < | 1 / poly(k) |

Question 57

what does PPT stand for

Answer 57

Probabilistic Polynomial Time

-Realistic to computational resources

Question 58

What happens when you encrypt the same message twice using the same key, and the encryption is non-deterministic?

Answer 58

you get a different ciphertext every time.

Question 59

How can you prove enigma is not CCA2 secure

Answer 59

Use CPA or CCA attacks (or anything else of a lower security level than CCA2 such as EAV) to prove it is not CCA2

Question 60

What does CPA stand for?

Answer 60

Chosen Plaintext Attack

Question 61

What does CCA stand for

Answer 61

Chosen Ciphertext Attack

Question 62

What is the difference between CCA1 and CCA2

Answer 62

CCA1: Adversary can only make decryption queries BEFORE the challenge text is sent
CCA2: Adversary can make decryption queries both before and after challenge, but not the challenge itself

Question 63

List the permitted queries of IND-EAV Security

Answer 63

None

Question 64

List the permitted queries of IND-CPA Security

Answer 64

Pre challenge: encryption only

Post challenge: encryption only

Question 65

List the permitted queries of IND-CCA1 Security

Answer 65

Pre challenge: encryption / decryption

Post challenge: encryption only

Question 66

List the permitted queries of IND-CCA2 Security

Answer 66

Pre challenge: encryption / decryption

Post challenge: encryption / decryption

Question 67

if a ciphertext is IND-CCA1 is it also CPA secure?

Answer 67

Yes, each security level inherits the capabilities of anyone before it.

Question 68

if a cipher text is IND-CPA is it also IND-CCA1?

Answer 68

Insufficient information

Question 69

Prove all deterministic ciphers cannot be IND-CPA secure

Answer 69

Query Phase:
A sends m0 / m1 and gets c0 / c1

Challenge Phase: 
A sends m0 and m1 as challenges
B sends cb 
if cb = c0; m0 is correct ... if cb = c1; m1 is correct 
A wins 100% of time

Question 70

What is the triple of functions for block cipher?

Question 71

how many plaintexts are in an ideal block cypher?

Answer 71

2^b

Question 72

how many possible permutations of plaintexts are in an ideal block cypher?

Answer 72

2^b!

Question 73

How do block cyphers work?

Answer 73

1. Take b bits of message plaintext
2. Encrypt them to b bits of cipher text
   -encryption done in blocks (vs. classical single letter)
   DES - 8 bytes
   AES - 16 bytes

Question 74

What is the purpose of a PRP in terms of an electronic code book

Answer 74

Allows you to efficiently compute the code book with exponentially many entries that would normally be computationally infeasible.

Question 75

In CBC mode does the XOR come before or after the Encryption?

Answer 75

c-B-c mode B= Before

Question 76

Why do we need Hash functions?

Answer 76

Whenever it would be beneficial to create short fixed-length strings as a fingerprint to digest arbitrary length string

Question 77

In CTR mode, does the XOR come before or after the Encryption?

Answer 77

After

Question 78

Main difference between CTR and CBC?

Answer 78

CTR can be run in parallel while CBC must be run in series since the previous block creates the next block

Question 79

What does AES stand for?

Answer 79

Advanced Encryption Standard

Question 80

Does AES use a feistel network?

Answer 80

No, it uses Galois field operations

Question 81

What is the round function of AES

Answer 81

a PRP using Galois field arithmetic

Question 82

Why Galois fields?

Answer 82

Addition is just bit-wise XOR, Multiplication is simple bit wise operations, so GF operations are fast in hardware and easy to explain

Question 83

How do block cyphers work?

Answer 83

1. Take b bits of message plaintext
2. Encrypt them to b bits of cipher text
   -encryption done in blocks (vs. classical single letter)
   DES - 8 bytes
   AES - 16 bytes

Question 84

What key sizes does AES support?

Answer 84

128bit, 196 bit, or 256 bit keys

Question 85

In AES can the key length differ from the block size?

Answer 85

Yes

Question 86

Using AES, under PKCS #7, if I had an 8 byte message, how many bytes of padding do I need, and what HEX value of each byte do I need

Answer 86

8 bytes of PKCS7 padding, and they are all 08:

XX XX XX XX XX XX XX XX 08 08 08 08 08 08 08 08

Question 87

What i a random oracle?

Answer 87

1. Every arbitrary input, random oracle outputs a random fixed-length string
2. each unique query is independent of others
3. if you repeat a query to the oracle, it gives the same answer

Question 88

What type of function is a hash function?

Answer 88

Pseudo-random function

Question 89

What are the 3 properties of hash functions?

Answer 89

1. Pre-image resistance
2. Second pre image resistance
3. Collision resistance

Question 90

Explain Pre-image resistance

Answer 90

Given a hash, it should be hard to find a message producing the hash

Question 91

Explain Second pre-image resistance

Answer 91

Given a message, it should be hard to find another message that produces the same hash

Question 92

What is the goal of message authentication?

Answer 92

Make it infeasible for an attacker to generate a valid ciphertext

Question 93

What is a MAC

Answer 93

A function that accepts an arbitrary length plaintext and
a key and produces a fixed-length value that serves as an authenticator code/tag

like a hash, but must be infeasible to forge code/tag without key

Question 94

Do MACs prevent padding oracle attacks?

Answer 94

Yes

Question 95

How does a MAC prevent padding oracle attacks?

Answer 95

Receiver accepts or rejects message based on MAC not based on the message.
Receiver doesn’t look at message unless MAC is valid

Question 96

Under PKCS #7, if I had an 8 byte message, how many bytes of padding do I need, and what HEX value of each byte do I need

Answer 96

8 bytes of PKCS7 padding, and they are all 08

Question 97

Using AES, under PKCS #7, if I had an 16 byte message, how many bytes of padding do I need, and what HEX value of each byte do I need

Answer 97

16 bytes of padding in a new block, and 16 in hex is 10 so it would be 16 bytes of 10:
10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10

Question 98

What does a padding oracle tell you?

Answer 98

Cipher text —-> Padding oracle —-> tells you either the plaintext has valid or invalid padding

Question 99

Can you build a decryption oracle out of a padding oracle?

Answer 99

yes

Question 100

How many queries does it take Eve to recover plaintext in a padding oracle attack on one byte of ciphertext

Answer 100

255 queries

Question 101

How to stop padding oracle attacks?

Answer 101

1. don’t let decryption return plaintext unless cipher text was valid
2. make it infeasible for anyone except key holder to create valid ciphertext
3. Should be efficient for key holders to check ciphertext validity

Question 102

What are the outputs of an authenticated decryption function?

Answer 102

Plaintext or error if tag is invalid

Question 103

What are the 3 approaches to authenticated encryption?

Answer 103

1. MAC-then-encrypt (used by TLS)
2. MAC-and-encrypt (used by SSH)
3. Encrypt-then-MAC (best choice)

Question 104

Do MACs prevent padding oracle attacks?

Answer 104

Yes

Question 105

How does a MAC prevent padding oracle attacks?

Answer 105

Receiver accepts or rejects message based on MAC not based on the message.
Receiver doesn’t look at message unless MAC is valid

Question 106

What is the probability of producing a valid MAC?

Answer 106

1/2^128

Question 107

what is the probability of producing a valid padding byte?

Answer 107

1/256

Question 108

What is authenticated encryption

Answer 108

Explicit block cipher mode combining encryption and MAC operations

AE achieves CIA triad

Question 109

What are the inputs of an authenticated encryption function?

Answer 109

1. Plaintext (message)
2. Encryption key (Cipher key)
3. MAC key

Question 110

What are the outputs of an authenticated encryption function?

Answer 110

1. Cipher Text

2. Authentication (MAC) tag

Question 111

What are the inputs of an authenticated decryption function?

Answer 111

1. Mac Tag
2. Ciphertext
3. MAC Key
4. Encryption Key (Cipher key)

Question 112

What are the outputs of an authenticated decryption function?

Answer 112

Plaintext or error if tag is invalid

Question 113

What are the 3 approaches to authenticated encryption?

Answer 113

1. MAC-then-encrypt
2. MAC-and-encrypt
3. Encrypt-then-MAC

Question 114

What are the downsides of Encrypt-then-mac approach?

Answer 114

Does two passes on data:

• 1 block cipher call +2 hash functions
• 3x as long as just encryption alone

Question 115

What authenticated encryption mode has a lightweight MAC that runs in parallel with encryption?

Answer 115

GCM = Galois / Counter Mode

Question 116

What is the discrete logarithm problem?

Answer 116

Given a = g^r mod p

It is infeasible to calculate r

Question 117

T/F: Diffie Hellman is vulnerable to man in the middle attack

Answer 117

True - very vulnerable!

Question 118

What are the components of the DH tuple?

Answer 118

< g, g^a, g^b, g^ab >

Question 119

T/F: In Diffie Hellman agreement, the public key a is used to generate private key g^a

Answer 119

False. Private key a is used to generate public key g^a

Question 120

T/F: RSA is a symmetric key encryption scheme

Answer 120

False. RSA is a public key (asymmetric) scheme

Question 121

T/F: RSA is not widely used for key agreement, but is widely used for digital signatures

Answer 121

True

Question 122

What is the forumula for encryption with RSA?

Answer 122

c = Enc(m) = m^e mod n

Question 123

What is the forumula for decryption with RSA?

Answer 123

m = Dec(c) = c^d mod n

Question 124

Given two RSA message/signature pairs (m1,s1), (m2,s2), how could you do an existential forgery?

Answer 124

m3 = m1m2, s3 = s1s2

Question 125

Walk me through a DCF

Answer 125

Unfortunately, due to the high volume of applicants this year, we regret to inform you of your rejection from Chad school of Bullshit and Fuckery.

Question 126

How many bits of security does SHA1 offer?

Answer 126

80

Hash length is 160 bits

Question 127

How many bits of security does SHA1 offer?

Answer 127

80

Hash length is 160 bits

Question 128

Suppose there are two files f1 and f2 and suppose SHA1(f1) = SHA1(f2). Are these files identical?

Answer 128

Possibly. If they were the same, they would definitely have the same hash value since hash functions are deterministic. If they are different, they still could possibly have the same hash (called a collision

Question 129

What is DHE?

Answer 129

Ephemeral Diffie Hellman

A new private key is generated for each connection

Question 130

What is DHE?

Answer 130

Ephemeral Diffie Hellman

A new private key is generated for each connection

Question 131

What is a total break forgery?

Answer 131

Eve determines A’s private key

Question 132

What is a universal forgery?

Answer 132

Eve finds a sining algorithm to construct an equivalent signature to A on all messages for A

Question 133

What is a selective forgery?

Answer 133

Eve forges a signature on a specific message from A

Question 134

How could an attacker create a valid signature pair without knowing anything except public key

Answer 134

Choose s arbitrarily, (1

Question 135

List out Digital Signature Requirements

Answer 135

1. Signature bit pattern depends on message being signed
2. Signature uses unique information of sender, preventing forgery/denial
3. Easy to produce signature
4. Easy to recognize/verify digital signature
5. Infeasible to forge signature
6. Must be able to store digital signatures

Question 136

T/F: RSA is forward secret

Answer 136

FALSE, RSA is not forward secret

Question 137

What is forward secrecy

Answer 137

Forward secret cryptography means messages from the past are secured.

Question 138

T/F: Diffie-Hellman is forward secret

Answer 138

Only in ephemeral mode (DHE), not in regular DH

Question 139

What are the 3 types of crypto systems?

Answer 139

1. Generate
2. Signing
3. Verifying

Question 140

What is a universal signature forgery?

Answer 140

Attacker can generate a signature for any message

Question 141

What is an existential signature forgery?

Answer 141

Attacker can generate a signature for some messages, which they cannot control

Question 142

What is a selective signature forgery?

Answer 142

Attacker can generate a signature on a particular message that was chosen ahead of time

Question 143

T/F: Signatures are usually performed on the hash of a message, not the message itself

Answer 143

True

Question 144

What is the NIST minimum security level requirement?

Answer 144

112 bits of security

Question 145

What is the purpose of a digital signature?

Answer 145

• To prevent man-in-middle attacks on public key cryptography, specifically diffie-hellman which is majorly used today
• verifies the person is who they say they are

Question 146

Who verifies a certificate authorities certificate?

Answer 146

self-verification

Question 147

What are the 3 types of validation?

Answer 147

1. Domain Validation
2. Organization Validation
3. Extended Validation

Question 148

What is the first certificate in a certificate chain called?

Answer 148

A root certificate

Question 149

What is the trust store?

Answer 149

Place in your browser, device, or OS where root certificates are stored

Question 150

T/F: you can bypass certificate chains

Answer 150

True: If you directly associate with a host you can “pin it” in the browser as trust worthy

Question 151

T/F: all expired certificates are invalid

Answer 151

True

Question 152

T/F: all non expired certificates are valid

Answer 152

False, there are some the should not be valid, known better as certificate revocation

Question 153

What is OCSP stapling?

Answer 153

Server makes OCSP request, staples it to certificate chain

Less work for client and CA, more for server

Question 154

What are 3 main ways to check if a certificate has been revoked?

Answer 154

1. Certificate Revocation List
2. Request to Online Certificate Status Protocol (OCSP)
3. OCSP Stapling

Question 155

What are the inputs for the RSA signing function?

Answer 155

Message m, signing key (n,d)

Question 156

What are the inputs of the RSA verification function?

Answer 156

Message m’, signature s, verification key (n,e)

Question 157

What is the format of the output of PKCS 1.5?

Answer 157

p = 00 01 FF … FF 00 || h

Repeat FF’s until length of p must be equal to length of n, in bytes

Question 158

What does DSA stand for?

Answer 158

Digital Signature Algorithm

Question 159

What does ECDSA stand for?

Answer 159

Elliptic curve digitial signature algorithm

Question 160

What does ECDHE stand for?

Answer 160

Elliptic curve diffie hellman ephemeral

Question 161

What is ECC?

Answer 161

Elliptic Curve Cryptography

Question 162

What are the pros of ECC?

Answer 162

• point multiplication faster than analog modular exponentiation
• public-keys in ECC are smaller

Question 163

What are the cons of ECC?

Answer 163

• complex to implement, harder to understand

- concern about potential for backdoors

Question 164

What is the NIST minimum security level requirement?

Answer 164

112 bits of security

Question 165

What is OCSP Stapling?

Answer 165

• Client connects to server
• server OCSP pings CA and gets valid time stamped verification that server certificate has not been revoked
• server appends revocation stamp onto certificate
• sends it to client
• protects client privacy, more efficient

Question 166

List out phase 1 transfers in TLS connection

Answer 166

1. (Client->server): hello

2. (Server->client): hello

Question 167

List out phase 2 transfers in TLS connection

Answer 167

1. (Server->client): server_certificate
2. (Server->client): server_keyExchange
3. (Server->client): server_certificate_request
4. (Server->client): server_hello_done

Question 168

List out phase 3 transfers in TLS connection

Answer 168

1. (Client->server): client_certificate
2. (Client->server): client_keyExchange
3. (Client->server): client_certificate_verify

Question 169

List out phase 4 transfers in TLS connection

Answer 169

1. (Client->server): change_cipher_spec
2. (Client->server): finished
3. (Server->client): change_cipher_spec
4. (Server->client): finished

Question 170

If using DHE or ECDHE, what is considered the pre-master secret in the TLS protocol

Answer 170

pre-master secret = diffie-hellman shared secret

Question 171

What type of function is used to derive the master secret?

Answer 171

PRF

Question 172

What is the master secret used for?

Answer 172

Deriving the symmetric keys using a PRF

Question 173

What type of function is used to generate a key block?

Answer 173

PRF

Question 174

What is a key block?

Answer 174

Consists of all values used in symmetric-key operations, generated by subbing in a master secret to a PRF

Question 175

What are the 4 keys of a key block?

Answer 175

1. client_write_MAC
2. server_write_MAC
3. client_write_key
4. server_write_key

Question 176

What do major TLS attacks focus on?

Answer 176

recovering an encrypted single session cookie/token

Question 177

What is entropy?

Answer 177

random bits collected by your app/OS from various hardware sources like mouse position, time, network data…

Question 178

T/F: Cryptography needs non-uniform distributions of numbers

Answer 178

False

Question 179

T/F: Cryptography needs uniform distributions of numbers

Answer 179

True

Question 180

What is a uniform distribution of numbers?

Answer 180

Each number in the range has an equal likelihood of being picked

Question 181

What does CSPRNG stand for?

Answer 181

Cryptographically Secure Pseudo Random Number Generator

Question 182

What are the 3 key assumptions for CSPRNGs

Answer 182

1. Everyone knows f and h of the machine
2. Eavesdroppers know output r
3. State s is a secret, only user knows

Question 183

What are the 3 main security properties of CSPRNGs

Answer 183

1. h is one-way
2. f is one-way
3. output r is indistinguishable from uniform random bits

Question 184

in a CSPRNG, if h is not one-way what does this mean in terms of an attacker?

Answer 184

An attacker would be able to guess s given r, and could generate all future outputs

Question 185

in a CSPRNG, if f is not one-way what does this mean in terms of an attacker?

Answer 185

If an attacker was able to get a hold of s, they could generate all past outputs if f was not one way

Question 186

in a CSPRNG, if output r is a non-uniform set of bits what does this mean in terms of an attacker?

Answer 186

Given previous output r, an attacker would be able to guess the next bit with an advantage

Question 187

How much output would you need from a 128-bit CTR mode to be able to distinguish it from true randomness?

Answer 187

Another instance of birthday paradox, statistically you would need 2(128/2) tries and then you begin to have an advantage > 50%. Thus, you need 2^64 output for distinguishability.

Question 188

Code for CORRECT way to prevent modulo bias:

Answer 188

do {r=rng(b)} while r>n; return r

Question 189

Code for EFFICIENT way to prevent modulo bias:

Answer 189

r = rng(n.bitlength +margin) mod n; return r

Question 190

What does b-bits of security mean?

Answer 190

attacker must do 2^b operations to crack

Question 191

What are the 2 important parameters when determining security levels?

Answer 191

1. Primitives

2. Applications

Question 192

When are collisions not something that an attacker could make of during hashing?

Answer 192

No collisions applies to non-digital signature applications like HMAC and key derivation functions
HMAC:
-Eve would need to know the secret key to be able to compute tags and compare them, so this is not possible.

Question 193

Under NIST, is SHA-1 allowed as a cryptographic primitive?

Answer 193

No, SHA-1 is 160 bits implying 80 bits of security, but NIST standards are currently at 112 bits

Question 194

What are the different types of certificate validation?

Answer 194

domain
company
extended

Question 195

What is included in a certificate?

Answer 195

Subject info (issuer, validity, signature algorithm)

Public key (modulus, exponent)

Extensions

Signature (by CA)

Question 196

What is a root certificate?

Answer 196

The endpoint of a certificate chain

Root certificates are stored in the trust store of a browser/OS/device

Question 197

What is certificate pinning?

Answer 197

Directly associating a host with a public key, bypassing certificate chain

Question 198

When is it good to use certificate pinning?

Answer 198

In high-assurance applications

Question 199

What are possible reasons for certificate revocation?

Answer 199

1. Company hacked (private key compromised)
2. CA hacked
3. New business name
4. Company goes out of business

Question 200

What are the different ways to check if a ceritifcate has been revoked?

Answer 200

1. Certificate revocation list (CRL)
2. Online certificate status protocol (OCSP)
3. OCSP Stapling

Question 201

What is OCSP?

Answer 201

Online certificate status protocol

Client requests the CA to check certificate in real-time. Less work for clients, but privacy issues

Question 202

What is OCSP stapling?

Answer 202

Server makes OCSP request, staples it to certificate chain

Less work for client and CA, more for server

Question 203

T/F: storing just a hash of a password is good enough in a database

Answer 203

False. People with the same passwords will map to the same hash, if one gets cracked, many to.

NEED FOR A SALT FACTOR

Question 204

What is a salt factor?

Answer 204

A random value appended to the password and then hashed so every hash in a database is unique, even with the same password

Question 205

What is key stretching?

Answer 205

making a password slow to hash by extending time it takes, say 1 second, thus infeasible for hacker

Question 206

What does PBKDF2 stand for?

Answer 206

Password Based Key Derivation Function

Question 207

What is PBKDF2?

Answer 207

Iterative hashing with user chosen number of hash iterations hp=PBKDF2 (Hash(), p, salt, iteration, klength)

Question 208

Describe the 4 phases of TLS Handshake

Answer 208

1. Establish security capabilities
2. Authentications & public key exchange
3. Secret key exchange & derivation
4. Finish

Question 209

What are the 4 components of a TLS ciphersuite?

Answer 209

key agreement protocol
signature scheme
block cipher & mode
hash function

Question 210

Why does the server not send the root certificate?

Answer 210

Because client already knows it (trust store)

Question 211

T/F: During phase 2 of TLS handshake, server must send certificate chain to client

Answer 211

False, certificate is optional

Question 212

What are the three steps to key derivation in TLS?

Answer 212

1. Exchange pre-master secret
2. Derive master secret
3. Derive symmetric keys

Question 213

How is the pre-master secret derived in RSA?

Answer 213

Client generates pre-master secret, encrypts w/ public key, sends to server

Question 214

How is the pre-master secret derived in DHE?

Answer 214

Parties compute shared secret (g^ab), which becomes the pre-master secret

Question 215

What are the symmetric keys derived in TLS?

Answer 215

client MAC
client encryption
server MAC
server encryption

Question 216

What PRF does TLS use to derive the master secret?

Answer 216

HMAC

Question 217

When deriving master secret in TLS, what are the inputs to the PRF?

Answer 217

pre-master secret
label
seed

Question 218

What is a key block?

Answer 218

The key block consists of all the values used in the symmetric-key operations

Question 219

PBKDF2 and other key stretching algos are parallelizable. How do you prevent an attacker from making the operations parallel?

Answer 219

Make password verification take time AND MEMORY.

Known as memory HARD function

Question 220

What is scrypt?

Answer 220

a memory hard password function

Pros: memory hard, popular
Cons: new/not well understood, hard to analyze/implement

Question 221

Why don’t we use passwords in conjunction with keys?

Answer 221

1. Risk if server gets rooted
2. Hardware-secured encryption oracles (HSM)
3. HSM has to be bought by admin $$$
4. Attack at minimum needs physical access

Question 222

What does entropy mean, with respect to passwords?

Answer 222

Entropy refers to level of security - higher entropy password is harder to guess

Question 223

How should you store passwords in a database?

Answer 223

Store the hash of the password, not the plaintext

Use salting, so that if an attacker finds a hash/password pair, they cannot find all other users with the same password

Question 224

How do you use salting to protect passwords?

Answer 224

Append password p with random salt s, then hash.

h = Hash(p||s)

Store (user, h, s)

Question 225

What is key stretching?

Answer 225

Hashing is very fast, we want to slow down attackers. Key stretching is how we make hashing slower/require more memory

Question 226

What is PBKDF2?

Answer 226

Password based key derivation function - uses iterative hashing, repeating the hash several times based on user chosen number of iterations.

Question 227

What is the drawback of PBKDF2?

Answer 227

It is highly parallelizable, so still relatively efficient to compute

Question 228

What is scrypt?

Answer 228

A memory-hard derivation function. Cons: New, complicated

Question 229

What is CSPRNG?

Answer 229

Cryptographically secure pseudo-random number generator

Question 230

In CSPRNG, if f was not a one-way function, and an attacker knew s, what could they do?

Answer 230

They could generate all past outputs

Question 231

In CSPRNG, if h was not a one-way function, and an attacker knew s, what could they do?

Answer 231

They could generate all future outputs

Question 232

What are the 3 security requirements in CSPRNG?

Answer 232

1. Attacker shouldnt be able to guess s given output r
2. Attacker shouldn’t be able to guess previous s based on current s
3. Attacker shouldn’t be able to guess the next output r given previous r

Question 233

What is Fortuna?

Answer 233

A deterministic random bit generator

Question 234

In Fortuna, what is used for output function g?

Answer 234

g is the AES encryption of s

Question 235

In Fortuna, what is used for updating function f?

Answer 235

Counter

Question 236

How does Fortuna deal with not using a one-way function for f?

Answer 236

Reseeding frequently

Question 237

For a given security level b, what is the key length required for symmetric key encryption?

Answer 237

|k| >= b

Question 238

For a given security level b, what is the size of q required for an integer discrete log kx or signature?

Answer 238

|q| >= 2b

Question 239

For a given security level b, what is the size of q required for an elliptical curve kx or signature?

Answer 239

|q| >= 2b

Question 240

What is the size of n required for a RSA kx or signature?

Answer 240

|n| >= 2048 bits

Question 241

For a given security level b, what is the required length for a hash, if collisions are a concern?

Answer 241

|h| >= 2b

Question 242

For a given security level b, what is the required length for a hash, if collisions are not a concern?

Answer 242

|h| >= b

Question 243

What is the NIST minimum security requirement?

Answer 243

112 bits

Question 244

How large should p be in an integer discrete log system?

Answer 244

|p| ~ 8b

Question 245

What is the minimum hash length for an HMAC hash to comply with NIST?

Answer 245

112