Security Flashcards
Unauthorized data access
A threat in which an unauthorized person gains access to confidential information. It can lead to that information becoming public or being used against its owner.
Unauthorized data modifications
A threat in which data can be changed or deleted, accidentally or intentionally, by a person who has no permission for such actions.
A pseudo-random number is generated in two steps…
First, the program gets some parameters that change with time, for example the system time, the cursor position, etc.
In the second step, the program calculates a digest, or hash function. A digest algorithm creates a new sequence of bytes from the data given. If we use the same parameters as input data for such an algorithm, we get the same digest. But as soon as we change one bit in the input data, we get a very different digest.
Parameters such as the time or the cursor position can be easily enumerated and tested one by one. So such data, without further processing, cannot be called truly random.
Two types of symmetric algorithms are used for encryption…
Block algorithms
Stream algorithms
Block encryption
Such algorithms split data into blocks and encrypt each block separately with the same key. If the data size is not a multiple of the required block size, the last block is enlarged to the necessary size and filled with some value. With block algorithms, encrypting the same data with the same key gives identical results. Such algorithms are usually used to encrypt files, databases and e-mail messages. There are variations in which the key for the next block is based on the output of previous blocks.
Stream encryption
Unlike block encryption, such algorithms encrypt each byte separately. For encryption, pseudo-random numbers are generated based on the key. The encryption result for a byte usually depends on the result of encrypting the previous byte. This method has high performance and is used to encrypt information transferred over communication channels.
Popular symmetric encryption algorithms…
When choosing a symmetric algorithm, speed and key length are usually taken into account.
AES (Advanced Encryption Standard)
Twofish
Asymmetric encryption
Asymmetric encryption systems are based on one-way mathematical functions. This means that if you know the result, you cannot recover the input data.
Asymmetric keys are much longer than symmetric keys.
Asymmetric algorithms work much more slowly than symmetric ones. So, when large amounts of secret data are transferred, the data is encrypted with a symmetric algorithm (using a symmetric key), and then the key that was used is encrypted with an asymmetric algorithm using a public key.
Usually, each symmetric key is used only once, and a new secret key is generated when the next document is encrypted. Because the symmetric key is used in only one encryption session, it is often called a session key. In practice, the user has no idea that a session key was used: he only gave the public key to the encryption program, and the program did everything else itself.
The fact is that, as of today, there are no public-key algorithms without weak points. For all asymmetric algorithms there are methods that allow recovery of the key faster than direct enumeration. But this is not critical, since it was proved that even using the weak points, an attack will take too much time, and the probability of being lucky enough to find the correct value early tends to zero. So asymmetric encryption can be treated as secure enough for all modern practical purposes. The only thing you should remember is that the longer the key you use, the better your data is protected.
Popular public-key algorithms…
Diffie-Hellman algorithm (asymmetry is based on discrete logarithm)
RSA (factorization of the product of two large prime numbers, the “factoring problem”)
ECDH (Elliptic Curve Diffie-Hellman)
Digital signatures
Used to confirm message authorship.
First you calculate the message digest and encrypt it with the private key. When sending the message, you attach the encrypted digest to it. The recipient calculates the message digest using the same algorithm as you did, decrypts the attached digest and compares the two. If the two digests are equal, he can be sure that the message was sent by you and was not altered during transfer.
Digital certificates
Used for authentication purposes.
A certificate can be represented as a number of records containing information about its owner and certain cryptographic information. Owner information is usually human-readable, for example the name or passport data. The cryptographic information consists of the public key and the digital signature of the certificate authority (CA). This signature confirms that the certificate belongs to the person whose name is specified in the certificate.
To make sure that the message was sent by you, the message recipient has to do the following…
1) get CA’s public key;
2) verify digital signature of your certificate using the public key of CA.
If the signature corresponds to the CA, then the information contained in the certificate is valid and can be trusted. In case of problems, the CA will be responsible for the information contained in the certificate.
SSL (Secure Sockets Layer)
There are several versions of this protocol today: SSLv2, SSLv3 and TLSv1. The most popular is TLSv1.
Secure Sockets Layer (SSL) is a session-level protocol for authentication and encryption that provides a secured communication channel between two sides (client and server). SSL provides confidentiality by generating a secret shared by the client and the server. SSL supports server authentication and optional client authentication in order to resist outside interference, message substitution and eavesdropping in client-server applications. SSL is located at the transport level (lower than the application level).
TLS (Transport Layer Security)
TLS and SSL use asymmetric encryption for authentication, symmetric encryption for confidentiality, and message authentication codes to preserve message integrity.
You should use an SSL connection not only when data is transferred over the Internet but also when local networks are used.
SSH (Secure Shell)
Designed for message exchange between UNIX servers; it requires authentication of both sides. SSH supports logical channels inside one secured session. SSH uses key pairs, not certificates, for authentication.