security and networks

Question 1

what do the following linux commands do?
* echo
* mkdir/rmdir
* ls
* pwd
* cat
* cp
* mv
* rm
* touch

Answer 1

• prints in terminal
• creates/ removes dirs
• lists all files/dirs in location
• prints current full path
• displays content of file
• copies current dirs and files
• moves a file/dir to a new location
• removes file/dir
• creates a new file

Question 2

what do the following linux commands do?
* locate
* find
* grep
* diff
* du
* head
* tar
* top
* history

Question 3

what are some attacks on hashes?

Answer 3

• Preimage attack: Find a message for a given hash: very hard.
• Collision attack: Find two messages with the same hash.
• Prefix collision attack: A collision attack where the attacker
  can pick a prefix for the message.

Question 4

what is a message authentication code (MAC)?

Answer 4

it is made by using the symmetric/private key on the message to create a code. this code is sent along with the message so that the receiver can create their own mac from their key on the message. If the MACs match, the message is known to not have been tampered with while sending. (with asym it is verified using the public key)

Question 5

how is a CBC-MAC made? (cypher block chaining mode)

Answer 5

• A random Initialisation vector is made (IV)
• The mesage is split up into blocks
• The IV is XORed with the first block before it is encrypted
• The result is XORed with the second plaintext block and is encrypted
• This process repeats until the last block is encrypted and the blocks are put together again

Question 6

What is AES encryption and what modes are there?

Answer 6

An encryption method that maps 128 bit blocks onto other 128 blocks in encryption and decryption. Even non-encryptions can be decrypted.
* CBC mode: any change affects all of the rest of the message.
* ECB mode: any change affects only the block.
* CTR mode: any change affects only the bits altered.

Question 7

What is CCM mode encryption?

Answer 7

Using the usual method for creating a CBC MAC, it uses blockchain encyption but with AES (CTR mdoe) for the encryption method. The encrypted blocks are added to become the encrypted final result but are also used in the blockchain to create the MAC. This is secure because AES-CTR can easily be tampered with so the MAC is necessary to authenticate.

Question 8

What is an access control matrix (ACM)?

Answer 8

A table of all principles (users, programs etc) against objects (files, directories etc). It defines permissions rwx for everything. In actual fact, is stored in an Access Control List (ACL) each entry is an object

Question 9

How do items in ACLs work?

Answer 9

• File type: d (directory/ - (link)/ b or c (device file
• rwx or - for owner then group then other
• link counter
• owner
• group
• size
• date
• file name

Question 10

What are uids?

Answer 10

They are assigned IDs to processes (running instances of programs).
* ruid: real owner of the process
* euid: effective uid represents the permissions the process has when accessing system resources. (can be changed during execution)
* suid: saved uid. when euid is changed, the old one is saved
* fsuid: filesystem uid. usually the same as the euid. represents permissions when accessing files and directories.

Question 11

What is a salt hash pair?

Answer 11

Storing passwords as (salt, hash) where salt is a random bitstring and the hash is made from the salt and the password together. This means that checking if two passwords are the same is impossible.

Question 12

What is password injection?

Answer 12

Getting access to the hard disk and adding your own password to the password file to gain access to a computer.

Question 13

What are the operations used in AES encryption?

Answer 13

SubBytes: sub-box is a 16x16 matrix that defines what every 8 bit combination becomes. all 8 bits of input are swapped to their corresponding 8 bit string.
ShiftRows: rows are shifted left by 0,1,2 and 3 spaces.
MixRows: entries in each column (a,b,c,d) are made into ax^3+bx^2+cx+d and this polynomial is multiplied by another polynomial (3x^3 + x^2 + x + 2). then you modulo the result by (x^4+1) and put back in the column.
AddRoundKey: A string of 128 bit keys are created from the original key and the matrix is xored against the key that corresponds with the round of encryption.

Question 14

How does AES encryption work?

Answer 14

They message is split up into 128 bit blocks. Each block is arranged into a 4x4 matrix (as if written left to right top to bottom) with 8 bits inside each. Then the 4 operations are performed on it for multiple rounds depending on the encryption type.

Question 15

How should you pad blocks?

Answer 15

If there is 1 byte of space, write 01, 2 bytes: 0202… 16 bytes 161616…

Question 16

How does AES with CTR work?

Answer 16

A random public number (nonce) is concatenated with the counter (increments every block). This value is encrypted with the key and then XORed with the block

Question 17

What is the main flaw with AES with CTR mode?

Answer 17

If you know a pair of encrypted and plaintext messages, you can encrypt a new message (m2) to cyphertext that looks like its been sent legitimately: enc(m1) ⊕ (m1⊕m2)

Question 18

How does the Diffie-Hellman key exchange work?

Answer 18

• A and B agree on a large prime (p) and a primitive root modulo of p (q) (a number that q^k mod p can make any number below p
• They both choose private keys (a and b) and calculate public keys A=q^a mod p and B=q^b mod p
• They then calculate a number S that only the both of them can calculate S=A^b mod p and S=B^a mod p

Question 19

What is the weakness of the Diffie-Hellman algorithm and how can it be resolved?

Answer 19

Man in the middle attacks can pretend to be both parties to each other, intercepting both communications to calculate S also. This can be prevented if the public key is authenticated using a trusted third party. RSA can be used to do this.

Question 20

How do you calculate the public and private keys using RSA?

Answer 20

• generate two distinct primes 𝑝 and 𝑞 for example 𝑝=3 𝑞=11
• Compute 𝑁 = 𝑝𝑞=33 and 𝜙(𝑁) = (𝑝 − 1)(𝑞 − 1)=20
• choose a random integer e that is between 1 and 𝜙(𝑁) and has no common factors with 𝜙(𝑁): 7
• compute d as de = 1 mod 𝜙(𝑁) so d=3 because (37) mod(21) = 1
• PK= (e=7, N=33) SK= (d=3, N=33)

Question 21

How does encrypting and decrypting a message m (4) work with RSA?

m has to be < N

Answer 21

encrypting using the PK (e=7, N=33): c = m^e mod(N) = 4^7 mod 33 = 16
decrypting using SK (d=3, N=33): m=c^d mod N = 16^3 mod 33 = 4

Question 22

How does signing work?

Answer 22

Hash message and encrypt with your private key. Send this along with the message so that it can be decrypted with the public key and compared with the has to show its legitimate.

Question 23

what is one-time pad encryption scheme?

Answer 23

a message and a key are used. the key is secret and they are added together and modulod by the largest possible value. for example the message ‘university’ encrypted with the key ‘birmingham’ has the first letter =u+b, the second n+i etc. then mod 26

Question 24

What do TCP and IP protocols do?

Answer 24

TCP: runs on top of IP, checks for errors in packets and requests resending if there are errors or it gets lost. Uses multiple ports. The socket is defined as (dest IP, dest port, sender IP, sender port)

Question 25

What are the layers of the TCP/IP stack?

Answer 25

• Application layer: sets rules and formats of data to enable different purposes such as sending emails or viewing webpages
• Transport layer: defines the rules used to send data end-to-end
• Network layer: provides rules for addressing, routing, and forwarding data packets between different networks.
• Link/hardware layer: repsonsible for routing data across physical mediums and transmits to directly connected nodes

Question 26

if you get time, look at week 6 page 30-32 and watch demo page 33

Question 27

How can a nonce be used to verify that the message hasnt been tampered with during symmetric encryption?

Answer 27

sender requests and receiver sends {N}k
sender sends {N+1,message}k
This proves that the sender is the right one, the message is unedited and the message is not replayed

Question 28

What is the Needham-Schroeder public key protocol?

Answer 28

A → B : Eb(Na, A)
B → A : Ea(Na,Nb)
A → B : Eb(Nb)
Where Ex is encrypting using public key x that has to be decrypted using private key x and A and B are identifiers of Alicce and Bob
Na and Nb can now be used to generate a symmetric key
to prevent MitM attack step 2, send B too in Ea.Doesn’t explain why this works just say it

Question 29

What is the advantage of the Needham-Schroeder algorithm over the Diffie-Hellman algorithm?

Answer 29

Both parties know who they are talking to

Question 30

What is forward secrecy and who does it protect against?

Answer 30

Forward secrecy keeps the message secret from someone who has a recording of the protocol run and has access to the long term private keys of the principles. Such an attacker may be a government who can legally force people to give up such information. Diffie-Hellman has forward secrecy because the shared secret is not stored longer than the exchange and it is used to encrypt, not the private keys.

Question 31

What is the station to station protocol?

Answer 31

STS is the same as Diffie-Hellman but after public keys are calculated, they sign (pubA,pubB,nonce,timestamp) with their private keys, so when received, the receiver knows it was sent by the right person. A certificate can also be added

Question 32

What is a certificate?

Answer 32

When a trusted third party (TTP) signs an identity and public key

Question 33

How can the Needham-Schroeder algorithm use a trusted third party S to generate a shared key?

Answer 33

A → S : A, B,Na
S → A : {Na, B, Kab, {Kab, A}ₖ₆ₛ}ₖₐₛ
A → B : {Kab, A}ₖ₆ₛ
B → A : {Nb}ₖₐ₆
A → B : {Nb + 1}ₖₐ₆

Question 34

What is TLS?

Answer 34

client server key encryption that works between application and transport layers

Question 35

How does the TLS key set up work?

Answer 35

C > S: N꜀
S > C: Nₛ, Certₛ
C > S: Eₛ(Keyseed), {Hash₁}ₖ꜀ₛ
S > C: {Hash₂}ₖ꜀ₛ

Kcs is a session key based on Nc, Ns and keyseed
Hash₁ = #(N꜀,Nₛ,Eₛ(Keyseed))
Hash₂ = #(N꜀,Nₛ,Eₛ(Keyseed), {Hash₁}ₖ꜀ₛ)
Hashes store all previously sent values

Hashes ensure no values have been tampered with but also cant bee read

Question 36

How does the TLS variation TLS-DHE use the Diffie-Hellman algorithm to incorporate forward secrecy?

Answer 36

C > S: N꜀
S > C: Nₛ, g^x Certₛ
C > S: Eₛ(Keyseed), g^y {#}ₖ꜀ₛ
S > C: {#}ₖ꜀ₛ

g^x and g^y are the Diffie-Hellman public keys (A and B in the definition flashcard) that only work during this exchange
Kcs is a session key based on Nc, Ns and g^xy

Question 37

What is the cipher suites handshake?

Answer 37

client sends: greeting, list of supported ciphers, key share
server sends: greeting, chosen cipher based on both ordered preferences, key share, certification, (finished)
client sends: (finished), data GET/request

Question 38

What is a cipher downgrading attack?

Answer 38

Whoever owns the network can remove the preferred ciphers that have better protection such as ones with authentication and encryption so that the server is forced to choose a less secure one (assuming they both support this chosen one) and the attacker can easily obtain the data being sent using it. An example of this is the LogJam attack which made the client and server agree on a weak prime (512 bits or lower) that could later be cracked.

Question 39

What is the problem with self signed certificates?

Answer 39

Not authenticated by a TTP meaning susceptable to MitM attacks

Question 40

How does a VPN work?

Answer 40

You send all internet traffic to a VPN’s server so your ISP can only see your connecting to the VPN and not the websites/servers. the website thinks you’re the VPN so cant track you only a global observer can see all traffic.

Question 41

What is onion routing?

Answer 41

Client chooses three proxies. Traffic is sent through each one by one before conencting to the server. Each proxy can only see the IP of the proxy before and after it unlike the VPN that can piece the whole connection together. TOR sets up a one time rendevous point between client and server so the both sides are secure from each other

Question 42

What is a steal cookie attack and how can it be prevented?

Answer 42

An attacker can steal the cookie of someone logged into the website and log in as them. this can be prevented by using https (TLS) not just before logging in.

Question 43

What is Cross-Site Scripting? (XSS)

Answer 43

When an attacker injects malicious scripts into a website via input boxes, URLs, cookies or anything that allows client-side text.
* Stored XSS is when the script is entered into an input field in the page, altering the database for all users in the future
* Reflected XSS is when the URL or HTTP request is altered meaning, when clicked, the users browser executes the script.
*

Question 44

What can XSS scripts be used for?

`

Answer 44

• Steal the cookie and send to an attacker so they can log in
• Launch exploits against the browser or plugins to install malicious software on the user’s computer
• Changes the log in page to steal credentials or maliciously redirect the user

Question 45

How can XSS attacks be prevented?

Answer 45

remove strings and characters such as

, ", etc

Question 46

What is a cross-site request forgery attack? (CSRF)

Answer 46

The victim might be logged into a site in the browser such as a bank site. A hacker creates a malicious request such as a request to transfer money and hides this request in the form of a url or a malicious site so that when clicked on, the user’s browser logs them into the site and the request is sent off to the server before being executed.

Question 47

How can CSRF attacks be prevented?

Answer 47

• Check the referer header (shows the url of the page that linked you to this page
• Generate a one time use number (CSRF token) that corresponds to the user’s session that is included when the user requests a form from the server. Send it with the request and check if it matches the user’s session before executing the request.

Question 48

What are XML external entities and why are they vulnerabilities

Answer 48

When external XMP scripts are used that represnent data. If not checked or authenticated correctly, this can be used to read sensitive files, make server do things and spamming entity references causes a DDoS attack

Question 49

How can URLs be altered for malicious purposes and how can they be prevented?

Answer 49

• you can alter query strings such as account=tpc&action=add to account=admin&action=delete for example
  (this can be stopped by authenticating the account with other methods)
• you can manipulate path traversal such as http://nameOfHost/../../../etc/shadow
  (this can be prevented by setting access control or making a webserver account that is the only one with access to public files)

Question 50

Why might you want to reverse engineer code?

Answer 50

• To analyse malware for example to find the kill switch
• To debug bad memory errors
• To analyse legacy code that you may not have the source code for
• To check the program for security reasons if you dont trust the source code given to you

Question 51

How does the Java VM use a stack instead of an accumulator?

Answer 51

Stack stores values and when an operation such as add is pushed onto it, it replaces the operation and the two values below with the new value. Values can be pushed onto the stack or popped off onto registers etc

Question 52

What registers are stored in the stack of a running function?

Answer 52

• Accumulator EAX
• Instruction point EIP
• Top of stack ESP
• Bottom of frame EBP

Question 53

What happens when a function is called within a function?

Answer 53

Old EIP and EBP are pushed onto the stack and the new space that it expands to is the second function’s space.

Question 54

How do memory buffer attacks work?

Answer 54

When prompted to enter an input in a [100] for example, enter more than 100 bytes with a malicious instruction within the 100 and the address of it straight after the 100. The address will overwrite the EIB in the stack and when the stack returns to the parent function, it will jump to and run the instruction.

Question 55

How can the NX bit prevent memory buffer attacks? What is the get-around?

Answer 55

NX-bit provides hardware distinction between text and stack meaning that if the EIB ever points to the stack, the program will crash. However, can still make it point to functions in executable code or libraries such as System() in libc

Question 56

What is Address space layout randomization (ASLR)? What is the get-around?

Answer 56

When a randomised space is added before the next stack so that addresses can’t be guesses so easily. To overcome, inject mostly 0x90 instructions (do nothing) before adding malicious code. If guessed address is somewhere here, code will run until you hit the malicious instructions.