SE4472 FINAL Flashcards

1
Q

How large is a block in DES?

A

8 bytes

2
Q

How large is a block in AES?

A

16 bytes (128 bits)

3
Q

What is perfect secrecy?

A

No way to brute force (one-time pad)

4
Q

What are the three goals of security?

A

confidentiality (encryption, public key exchange)
integrity (MACs, hashes)
authenticity (digital signatures, certificates, public key infrastructure)

5
Q

What are the requirements for an ideal block cipher?

A
  1. Encryption should be reversible
    - returns original message
    - bijection (1:1 mapping)
    - permutation (strings map 1:1 w/ itself)
  2. Easy with the key, hard without
  3. Efficient to compute
6
Q

What is the difference between a PRP and PRF?

A

PRF (pseudo random function) does not require 1:1 mapping

7
Q

What is a feistel network?

A

Method of turning a PRF into a PRP

  • twisted ladder, at least 4 rounds
  • decrypt by running backwards
8
Q

What is the security level of CBC?

A

If the IV is known: IND-EAV secure

If the IV is random: IND-CPA secure

9
Q

What is the security level of AES-GCM?

A

IND-CCA2

10
Q

What is the security level of ECB?

A

None (Not IND-EAV secure)

11
Q

What is the security level of CTR?

A

If the IV is known: IND-EAV secure

If the IV is random: IND-CPA secure

12
Q

What is the probability of a successful pre-image resistance attack?

A

2^(l-1)

** -1 since we already know one hash, the one we are trying to match with a guessed message

13
Q

What is the probability of a successful second pre-image resistance attack?

A

2^(l)

**asked essex about this

14
Q

What is the probability of a successful collision attack?

A

2^(l/2)

**birthday paradox

15
Q

How many bits is an MD5 hash?

A

128

16
Q

What is computational secrecy?

A

Not perfect, but only vulnerable to brute force

17
Q

Public-key exchange achieves which security goal?

A

confidentiality

18
Q

MAC codes achieve which security goal?

A

Integrity

19
Q

Digital signatures achieve which security goal?

A

Authenticity

20
Q

What security level does a Caesar cipher offer?

A

None

21
Q

Deterministic ciphers can offer at most what level of security?

A

IND-EAV

22
Q

In a Feistel network, how many rounds are required to turn a strong PRF into a PRP?

A

4

23
Q

What block size does DES use?

A

64 bits

24
Q

What is security rule #1?

A

Don’t roll (create) your own crypto

25
What is security rule #2?
Kerckhoffs's Principle:
  - A cryptosystem should be secure even if the algorithm is public
  - Secrecy of the message should depend on the secrecy of the KEY, not on security through obscurity of the algorithm
26
What is second pre-image resistance?
Given m1 and h, it is hard to find another message m2 that produces the same hash
27
Define plaintext
A message to be encrypted
28
Define Ciphertext
the encrypted message
29
Define Key
secret that is used to transform plaintext into ciphertext
30
How many queries would be required for a padding oracle attack (worst case)?
255 queries/byte * 16 bytes = ~4000 queries
31
Goals of cryptosystem designers
  1. Key space exponential in key length
  2. Infeasible to brute force (> 2^100)
  3. Brute force = worst case
32
What is pre-image resistance?
given hash h, it is hard to find a message that hashes to h
33
TLS uses what approach to authenticated encryption?
MAC-then-encrypt
35
What are the 3 properties of a one-time pad?
  1. Pad chosen independently of the text, and at random
  2. Pad is exactly as long as the message
  3. Pad is only ever used once
36
Properties of computational (practical) security:
  1. Short key length
  2. Crackable with enough computing power
  3. Too many keys to brute force
37
what is message authentication?
know who the message came from
38
Reasons why one-time pad is not feasible:
  1. Generating, transporting and storing the pad is too costly
  2. The key is as long as the message
  3. Human error, such as pad re-use
40
T/F: A linear modification in the ciphertext is preserved in the plaintext in CTR mode
T
41
T/F: Flipping a bit of ciphertext in CBC mode totally corrupts every plaintext block
F: Only corrupts the current plaintext block, but flips the same bit in the next block
42
How would you pad this message using AES and PKCS#7: 68 65 6c 6c 6f 20 77 6f 72 06
68 65 6c 6c 6f 20 77 6f 72 06 06 06 06 06 06 06
44
How do you prevent a padding oracle attack?
Don’t let your decryption function return a plaintext unless the ciphertext was valid (use a MAC)
45
GCM uses what approach to authenticated encryption?
Encrypt-then-MAC
47
T/F: public keys are used to undo something (decrypt)
F: private keys are used for undoing. Public keys are used for doing (encrypting)
48
Why are the Caesar and Vigenere ciphers not secure?
They both leak letter frequency
49
Why is Enigma not secure?
Leaks information about what the plain text is not
50
What does CCA stand for
Chosen Ciphertext Attack
51
Definition of A's advantage in winning the game
Adv(A) = | P(b' = b) - 0.5 |
52
Does A have an advantage if winning more than 50% of time?
Yes
53
Does A have an advantage if winning LESS than 50% of time?
Yes, pick opposite guess of what A thinks
54
Does A have an advantage if they win exactly 50% of time?
No
55
How is negligibility defined?
In terms of how the keyspace grows relative to the adversary advantage
56
What is a negligible function?
e() is a negligible function if it grows more slowly than the inverse of a polynomial function: e(k) < | 1 / poly(k) |
57
what does PPT stand for
Probabilistic Polynomial Time
  - Realistic relative to computational resources
58
What happens when you encrypt the same message twice using the same key, and the encryption is non-deterministic?
you get a different ciphertext every time.
59
How can you prove enigma is not CCA2 secure
Use CPA or CCA attacks (or anything else of a lower security level than CCA2 such as EAV) to prove it is not CCA2
60
What does CPA stand for?
Chosen Plaintext Attack
62
What is the difference between CCA1 and CCA2
CCA1: Adversary can only make decryption queries BEFORE the challenge text is sent
CCA2: Adversary can make decryption queries both before and after the challenge, but not on the challenge itself
63
List the permitted queries of IND-EAV Security
None
64
List the permitted queries of IND-CPA Security
Pre challenge: encryption only
Post challenge: encryption only
65
List the permitted queries of IND-CCA1 Security
Pre challenge: encryption / decryption
Post challenge: encryption only
66
List the permitted queries of IND-CCA2 Security
Pre challenge: encryption / decryption
Post challenge: encryption / decryption
67
if a ciphertext is IND-CCA1 is it also CPA secure?
Yes, each security level inherits the capabilities of anyone before it.
68
if a cipher text is IND-CPA is it also IND-CCA1?
Insufficient information
69
Prove all deterministic ciphers cannot be IND-CPA secure
Query Phase: A sends m0 / m1 and gets c0 / c1
Challenge Phase: A sends m0 and m1 as challenges; B sends cb
  - if cb = c0, m0 is correct
  - if cb = c1, m1 is correct
A wins 100% of the time
70
What is the triple of functions for block cipher?
71
How many plaintexts are in an ideal block cipher?
2^b
72
How many possible permutations of plaintexts are in an ideal block cipher?
2^b!
73
How do block ciphers work?
  1. Take b bits of message plaintext
  2. Encrypt them to b bits of ciphertext
  - encryption is done in blocks (vs. classical single letter)
  - DES - 8 bytes, AES - 16 bytes
74
What is the purpose of a PRP in terms of an electronic code book
Allows you to efficiently compute the code book with exponentially many entries that would normally be computationally infeasible.
75
In CBC mode does the XOR come before or after the Encryption?
C-B-C mode: B = Before
76
Why do we need Hash functions?
Whenever it would be beneficial to create short fixed-length strings as a fingerprint to digest arbitrary length string
77
In CTR mode, does the XOR come before or after the Encryption?
After
78
Main difference between CTR and CBC?
CTR can be run in parallel while CBC must be run in series since the previous block creates the next block
79
What does AES stand for?
Advanced Encryption Standard
80
Does AES use a feistel network?
No, it uses Galois field operations
81
What is the round function of AES
a PRP using Galois field arithmetic
82
Why Galois fields?
Addition is just bit-wise XOR, Multiplication is simple bit wise operations, so GF operations are fast in hardware and easy to explain
84
What key sizes does AES support?
128-bit, 196-bit, or 256-bit keys
85
In AES can the key length differ from the block size?
Yes
86
Using AES, under PKCS #7, if I had an 8 byte message, how many bytes of padding do I need, and what HEX value of each byte do I need
8 bytes of PKCS7 padding, and they are all 08: XX XX XX XX XX XX XX XX 08 08 08 08 08 08 08 08
87
What is a random oracle?
  1. For every arbitrary input, the random oracle outputs a random fixed-length string
  2. Each unique query is independent of the others
  3. If you repeat a query to the oracle, it gives the same answer
88
What type of function is a hash function?
Pseudo-random function
89
What are the 3 properties of hash functions?
  1. Pre-image resistance
  2. Second pre-image resistance
  3. Collision resistance
90
Explain Pre-image resistance
Given a hash, it should be hard to find a message producing the hash
91
Explain Second pre-image resistance
Given a message, it should be hard to find another message that produces the same hash
92
What is the goal of message authentication?
Make it infeasible for an attacker to generate a valid ciphertext
93
What is a MAC
A function that accepts an arbitrary-length plaintext and a key and produces a fixed-length value that serves as an authenticator (code/tag), like a hash, but it must be infeasible to forge the code/tag without the key
94
Do MACs prevent padding oracle attacks?
Yes
95
How does a MAC prevent padding oracle attacks?
Receiver accepts or rejects message based on MAC not based on the message. Receiver doesn't look at message unless MAC is valid
96
Under PKCS #7, if I had an 8 byte message, how many bytes of padding do I need, and what HEX value of each byte do I need
8 bytes of PKCS7 padding, and they are all 08
97
Using AES, under PKCS #7, if I had a 16-byte message, how many bytes of padding do I need, and what HEX value of each byte do I need
16 bytes of padding in a new block, and 16 in hex is 10 so it would be 16 bytes of 10: 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10 10
98
What does a padding oracle tell you?
Cipher text ----> Padding oracle ----> tells you either the plaintext has valid or invalid padding
99
Can you build a decryption oracle out of a padding oracle?
yes
100
How many queries does it take Eve to recover plaintext in a padding oracle attack on one byte of ciphertext
255 queries
101
How to stop padding oracle attacks?
  1. Don't let decryption return plaintext unless the ciphertext was valid
  2. Make it infeasible for anyone except the key holder to create valid ciphertext
  3. Should be efficient for key holders to check ciphertext validity
102
What are the outputs of an authenticated decryption function?
Plaintext or error if tag is invalid
103
What are the 3 approaches to authenticated encryption?
  1. MAC-then-encrypt (used by TLS)
  2. MAC-and-encrypt (used by SSH)
  3. Encrypt-then-MAC (best choice)
106
What is the probability of producing a valid MAC?
1/2^128
107
what is the probability of producing a valid padding byte?
1/256
108
What is authenticated encryption
An explicit block cipher mode combining encryption and MAC operations. AE achieves the CIA triad.
109
What are the inputs of an authenticated encryption function?
  1. Plaintext (message)
  2. Encryption key (cipher key)
  3. MAC key
110
What are the outputs of an authenticated encryption function?
  1. Ciphertext
  2. Authentication (MAC) tag
111
What are the inputs of an authenticated decryption function?
  1. MAC tag
  2. Ciphertext
  3. MAC key
  4. Encryption key (cipher key)
113
What are the 3 approaches to authenticated encryption?
  1. MAC-then-encrypt
  2. MAC-and-encrypt
  3. Encrypt-then-MAC
114
What are the downsides of Encrypt-then-mac approach?
Does two passes on the data:
  - 1 block cipher call + 2 hash functions
  - 3x as long as encryption alone
115
What authenticated encryption mode has a lightweight MAC that runs in parallel with encryption?
GCM = Galois / Counter Mode
116
What is the discrete logarithm problem?
Given a = g^r mod p, it is infeasible to calculate r
117
T/F: Diffie Hellman is vulnerable to man in the middle attack
True - very vulnerable!
118
What are the components of the DH tuple?
< g, g^a, g^b, g^ab >
119
T/F: In Diffie Hellman agreement, the public key a is used to generate private key g^a
False. Private key a is used to generate public key g^a
120
T/F: RSA is a symmetric key encryption scheme
False. RSA is a public key (asymmetric) scheme
121
T/F: RSA is not widely used for key agreement, but is widely used for digital signatures
True
122
What is the formula for encryption with RSA?
c = Enc(m) = m^e mod n
123
What is the formula for decryption with RSA?
m = Dec(c) = c^d mod n
124
Given two RSA message/signature pairs (m1,s1), (m2,s2), how could you do an existential forgery?
m3 = m1m2, s3 = s1s2
125
Walk me through a DCF
Unfortunately, due to the high volume of applicants this year, we regret to inform you of your rejection from Chad school of Bullshit and Fuckery.
126
How many bits of security does SHA1 offer?
80 (hash length is 160 bits)
128
Suppose there are two files f1 and f2 and suppose SHA1(f1) = SHA1(f2). Are these files identical?
Possibly. If they were the same, they would definitely have the same hash value since hash functions are deterministic. If they are different, they still could possibly have the same hash (called a collision).
129
What is DHE?
Ephemeral Diffie-Hellman: a new private key is generated for each connection
131
What is a total break forgery?
Eve determines A's private key
132
What is a universal forgery?
Eve finds a signing algorithm to construct an equivalent signature to A on all messages for A
133
What is a selective forgery?
Eve forges a signature on a specific message from A
134
How could an attacker create a valid signature pair without knowing anything except public key
Choose s arbitrarily, (1
135
List out Digital Signature Requirements
  1. Signature bit pattern depends on the message being signed
  2. Signature uses unique information of the sender, preventing forgery/denial
  3. Easy to produce the signature
  4. Easy to recognize/verify the digital signature
  5. Infeasible to forge the signature
  6. Must be able to store digital signatures
136
T/F: RSA is forward secret
FALSE, RSA is not forward secret
137
What is forward secrecy
Forward secret cryptography means messages from the past are secured.
138
T/F: Diffie-Hellman is forward secret
Only in ephemeral mode (DHE), not in regular DH
139
What are the 3 types of crypto systems?
1. Generate 2. Signing 3. Verifying
140
What is a universal signature forgery?
Attacker can generate a signature for any message
141
What is an existential signature forgery?
Attacker can generate a signature for some messages, which they cannot control
142
What is a selective signature forgery?
Attacker can generate a signature on a particular message that was chosen ahead of time
143
T/F: Signatures are usually performed on the hash of a message, not the message itself
True
144
What is the NIST minimum security level requirement?
112 bits of security
145
What is the purpose of a digital signature?
  - To prevent man-in-the-middle attacks on public key cryptography, specifically Diffie-Hellman, which is the most widely used today
  - Verifies the person is who they say they are
146
Who verifies a certificate authority's certificate?
self-verification
147
What are the 3 types of validation?
1. Domain Validation 2. Organization Validation 3. Extended Validation
148
What is the first certificate in a certificate chain called?
A root certificate
149
What is the trust store?
Place in your browser, device, or OS where root certificates are stored
150
T/F: you can bypass certificate chains
True: If you directly associate with a host you can "pin it" in the browser as trustworthy
151
T/F: all expired certificates are invalid
True
152
T/F: all non expired certificates are valid
False, there are some that should not be valid, handled by certificate revocation
153
What is OCSP stapling?
Server makes the OCSP request and staples it to the certificate chain. Less work for client and CA, more for server.
154
What are 3 main ways to check if a certificate has been revoked?
  1. Certificate Revocation List
  2. Request to Online Certificate Status Protocol (OCSP)
  3. OCSP Stapling
155
What are the inputs for the RSA signing function?
Message m, signing key (n,d)
156
What are the inputs of the RSA verification function?
Message m', signature s, verification key (n,e)
157
What is the format of the output of PKCS 1.5?
p = 00 01 FF ... FF 00 || h
Repeat FF's until the length of p equals the length of n, in bytes
158
What does DSA stand for?
Digital Signature Algorithm
159
What does ECDSA stand for?
Elliptic Curve Digital Signature Algorithm
160
What does ECDHE stand for?
Elliptic curve diffie hellman ephemeral
161
What is ECC?
Elliptic Curve Cryptography
162
What are the pros of ECC?
  - point multiplication is faster than the analogous modular exponentiation
  - public keys in ECC are smaller
163
What are the cons of ECC?
  - complex to implement, harder to understand
  - concern about potential for backdoors
165
What is OCSP Stapling?
  - Client connects to server
  - Server pings the CA via OCSP and gets a valid time-stamped verification that the server certificate has not been revoked
  - Server appends the revocation stamp onto the certificate
  - Sends it to the client
  - Protects client privacy, more efficient
166
List out phase 1 transfers in TLS connection
  1. (Client->server): hello
  2. (Server->client): hello
167
List out phase 2 transfers in TLS connection
  1. (Server->client): server_certificate
  2. (Server->client): server_keyExchange
  3. (Server->client): server_certificate_request
  4. (Server->client): server_hello_done
168
List out phase 3 transfers in TLS connection
  1. (Client->server): client_certificate
  2. (Client->server): client_keyExchange
  3. (Client->server): client_certificate_verify
169
List out phase 4 transfers in TLS connection
  1. (Client->server): change_cipher_spec
  2. (Client->server): finished
  3. (Server->client): change_cipher_spec
  4. (Server->client): finished
170
If using DHE or ECDHE, what is considered the pre-master secret in the TLS protocol
pre-master secret = diffie-hellman shared secret
171
What type of function is used to derive the master secret?
PRF
172
What is the master secret used for?
Deriving the symmetric keys using a PRF
173
What type of function is used to generate a key block?
PRF
174
What is a key block?
Consists of all values used in symmetric-key operations, generated by subbing in a master secret to a PRF
175
What are the 4 keys of a key block?
  1. client_write_MAC
  2. server_write_MAC
  3. client_write_key
  4. server_write_key
176
What do major TLS attacks focus on?
recovering an encrypted single session cookie/token
177
What is entropy?
random bits collected by your app/OS from various hardware sources like mouse position, time, network data...
178
T/F: Cryptography needs non-uniform distributions of numbers
False
179
T/F: Cryptography needs uniform distributions of numbers
True
180
What is a uniform distribution of numbers?
Each number in the range has an equal likelihood of being picked
181
What does CSPRNG stand for?
Cryptographically Secure Pseudo Random Number Generator
182
What are the 3 key assumptions for CSPRNGs
  1. Everyone knows f and h of the machine
  2. Eavesdroppers know output r
  3. State s is a secret, only the user knows it
183
What are the 3 main security properties of CSPRNGs
  1. h is one-way
  2. f is one-way
  3. output r is indistinguishable from uniform random bits
184
in a CSPRNG, if h is not one-way what does this mean in terms of an attacker?
An attacker would be able to guess s given r, and could generate all future outputs
185
in a CSPRNG, if f is not one-way what does this mean in terms of an attacker?
If an attacker was able to get a hold of s, they could generate all past outputs if f was not one way
186
in a CSPRNG, if output r is a non-uniform set of bits what does this mean in terms of an attacker?
Given previous output r, an attacker would be able to guess the next bit with an advantage
187
How much output would you need from a 128-bit CTR mode to be able to distinguish it from true randomness?
Another instance of the birthday paradox: statistically you would need 2^(128/2) tries before you begin to have an advantage > 50%. Thus, you need 2^64 blocks of output for distinguishability.
188
Code for CORRECT way to prevent modulo bias:
do { r = rng(b) } while (r >= n); return r   // reject samples outside [0, n) instead of reducing mod n
189
Code for EFFICIENT way to prevent modulo bias:
r = rng(n.bitlength + margin) mod n; return r
190
What does b-bits of security mean?
attacker must do 2^b operations to crack
191
What are the 2 important parameters when determining security levels?
  1. Primitives
  2. Applications
192
When are collisions not something that an attacker could make use of during hashing?
Collision resistance is not needed for non-digital-signature applications like HMAC and key derivation functions.
HMAC: Eve would need to know the secret key to be able to compute tags and compare them, so this is not possible.
193
Under NIST, is SHA-1 allowed as a cryptographic primitive?
No, SHA-1 is 160 bits implying 80 bits of security, but NIST standards are currently at 112 bits
194
What are the different types of certificate validation?
domain, company, extended
195
What is included in a certificate?
  - Subject info (issuer, validity, signature algorithm)
  - Public key (modulus, exponent)
  - Extensions
  - Signature (by CA)
196
What is a root certificate?
The endpoint of a certificate chain. Root certificates are stored in the trust store of a browser/OS/device.
197
What is certificate pinning?
Directly associating a host with a public key, bypassing certificate chain
198
When is it good to use certificate pinning?
In high-assurance applications
199
What are possible reasons for certificate revocation?
  1. Company hacked (private key compromised)
  2. CA hacked
  3. New business name
  4. Company goes out of business
200
What are the different ways to check if a certificate has been revoked?
  1. Certificate revocation list (CRL)
  2. Online certificate status protocol (OCSP)
  3. OCSP Stapling
201
What is OCSP?
Online certificate status protocol. The client requests the CA to check the certificate in real time. Less work for clients, but privacy issues.
203
T/F: storing just a hash of a password is good enough in a database
False. People with the same passwords will map to the same hash; if one gets cracked, many do too. Need for a salt factor.
204
What is a salt factor?
A random value appended to the password and then hashed so every hash in a database is unique, even with the same password
205
What is key stretching?
Making a password slow to hash by extending the time it takes (say, 1 second), making brute force infeasible for an attacker
206
What does PBKDF2 stand for?
Password Based Key Derivation Function
207
What is PBKDF2?
Iterative hashing with user chosen number of hash iterations hp=PBKDF2 (Hash(), p, salt, iteration, klength)
208
Describe the 4 phases of TLS Handshake
  1. Establish security capabilities
  2. Authentication & public key exchange
  3. Secret key exchange & derivation
  4. Finish
209
What are the 4 components of a TLS ciphersuite?
  - key agreement protocol
  - signature scheme
  - block cipher & mode
  - hash function
210
Why does the server not send the root certificate?
Because client already knows it (trust store)
211
T/F: During phase 2 of TLS handshake, server must send certificate chain to client
False, certificate is optional
212
What are the three steps to key derivation in TLS?
  1. Exchange pre-master secret
  2. Derive master secret
  3. Derive symmetric keys
213
How is the pre-master secret derived in RSA?
Client generates pre-master secret, encrypts w/ public key, sends to server
214
How is the pre-master secret derived in DHE?
Parties compute shared secret (g^ab), which becomes the pre-master secret
215
What are the symmetric keys derived in TLS?
  - client MAC
  - client encryption
  - server MAC
  - server encryption
216
What PRF does TLS use to derive the master secret?
HMAC
217
When deriving master secret in TLS, what are the inputs to the PRF?
  - pre-master secret
  - label
  - seed
218
What is a key block?
The key block consists of all the values used in the symmetric-key operations
219
PBKDF2 and other key stretching algos are parallelizable. How do you prevent an attacker from making the operations parallel?
Make password verification take time AND MEMORY. Known as a memory-hard function.
220
What is scrypt?
A memory-hard password function
  - Pros: memory hard, popular
  - Cons: new/not well understood, hard to analyze/implement
221
Why don't we use passwords in conjunction with keys?
  1. Risk if server gets rooted
  2. Hardware-secured encryption oracles (HSM)
  3. HSM has to be bought by the admin $$$
  4. Attack at minimum needs physical access
222
What does entropy mean, with respect to passwords?
Entropy refers to level of security - higher entropy password is harder to guess
223
How should you store passwords in a database?
Store the hash of the password, not the plaintext. Use salting, so that if an attacker finds a hash/password pair, they cannot find all other users with the same password.
224
How do you use salting to protect passwords?
Append password p with random salt s, then hash: h = Hash(p||s). Store (user, h, s).
225
What is key stretching?
Hashing is very fast, we want to slow down attackers. Key stretching is how we make hashing slower/require more memory
226
What is PBKDF2?
Password based key derivation function - uses iterative hashing, repeating the hash several times based on user chosen number of iterations.
227
What is the drawback of PBKDF2?
It is highly parallelizable, so still relatively efficient to compute
228
What is scrypt?
A memory-hard derivation function. Cons: New, complicated
229
What is CSPRNG?
Cryptographically secure pseudo-random number generator
230
In CSPRNG, if f was not a one-way function, and an attacker knew s, what could they do?
They could generate all past outputs
231
In CSPRNG, if h was not a one-way function, and an attacker knew s, what could they do?
They could generate all future outputs
232
What are the 3 security requirements in CSPRNG?
  1. Attacker shouldn't be able to guess s given output r
  2. Attacker shouldn't be able to guess previous s based on current s
  3. Attacker shouldn't be able to guess the next output r given previous r
233
What is Fortuna?
A deterministic random bit generator
234
In Fortuna, what is used for output function g?
g is the AES encryption of s
235
In Fortuna, what is used for updating function f?
Counter
236
How does Fortuna deal with not using a one-way function for f?
Reseeding frequently
237
For a given security level b, what is the key length required for symmetric key encryption?
|k| >= b
238
For a given security level b, what is the size of q required for an integer discrete log kx or signature?
|q| >= 2b
239
For a given security level b, what is the size of q required for an elliptic curve kx or signature?
|q| >= 2b
240
What is the size of n required for a RSA kx or signature?
|n| >= 2048 bits
241
For a given security level b, what is the required length for a hash, if collisions are a concern?
|h| >= 2b
242
For a given security level b, what is the required length for a hash, if collisions are not a concern?
|h| >= b
243
What is the NIST minimum security requirement?
112 bits
244
How large should p be in an integer discrete log system?
|p| ~ 8b
245
What is the minimum hash length for an HMAC hash to comply with NIST?
112