Security (w7-8) Flashcards

1
Q

3 Key goals of cryptography

A

Confidentiality, Data Integrity and Authentication

2
Q

Key points on symmetric encryption

A

Both parties have a shared key; it is fast compared to asymmetric encryption; the key needs to be hidden somehow, which is a vulnerability

3
Q

Substitution Cipher - Caesar Cipher?

A

Substitution is replacing letters with other letters to generate ciphertext. The Caesar Cipher shifts the alphabet by a fixed number of letters; it is easily reversed, so not very safe

4
Q

Transposition Cipher - Rail Fence Cipher?

A

Transposition - re-arrange the positions of letters without altering their values. The Rail-Fence key is knowing the number of rows.

5
Q

Product Cipher

A

Combination of different types of ciphers

6
Q

Unconditionally secure vs Computationally secure

A

Unconditionally secure means the ciphertext does not contain enough information to figure out the original text. Computationally secure means the cost to break the information exceeds the value of the information, or the time needed to break the information exceeds the useful lifetime of the information

7
Q

One Time Pad, what is it?

A

A random key as long as the message; XOR the binary of the message with the key to produce the cipher

8
Q

What is frequency analysis?

A

If "a" always encodes to "f", then it is easy to reverse using known letter frequencies: e ~13%, t ~9%.

9
Q

If two parties have a shared secret, how can they authenticate each other without showing the secret?

A

A sends B a large number; B sends it back encrypted with the secret; A verifies. B sends A a large number; A sends it back encrypted with the secret; B verifies.

10
Q

Why is a larger key exponentially more secure?

A

Larger key = more possible options = more time to brute force the key

11
Q

What is a hash key and what is it used for?

A

Hash keys are codes that represent a file of data. Changing a single letter in the file should change the hash key. Used on a received file to verify that no change has occurred to it.

12
Q

Is asymmetric encryption commonly used to encrypt application data?

A

No, usually symmetric encryption is used as it is faster

13
Q

How does a site with a certificate prove that the certificate has been given to it by a CA?

A

The site sends the hash of the CA's digital signature encrypted with its private key; the user uses the site's public key to decrypt it. Only the private key can encrypt data in such a way that the public key is the only one able to decrypt it.

14
Q

When is TLS generally implemented within a TCP connection?

A

Typically immediately upon connection establishment

15
Q

In the ClientHello part of the TLS handshake, what info is conveyed to the server?

A

Highest TLS version supported, supported cipher functions, and random value

16
Q

How does the server respond to the ClientHello?

A

The server selects a cipher and hash function, the TLS version and a random value.
It then sends the client its certificate, with its public key, the server name and who signed the certificate (the CA).
Then it sends ServerHelloDone.

17
Q

After the server sends ServerHelloDone, what does the client return? How does the server respond?

A

Sends info to allow the server to use the same symmetric encryption key.
Tells the server it is now using the symmetric key.
Tells the server it has finished the handshake; this message contains data for the server to verify that encryption is correctly in place.
The server then says it is using the encryption too, then sends a message saying the handshake is finished, with information for the client to verify that encryption is correctly in place.

18
Q

When the client verifies the authenticity of the server, what does it check?

A

That the certificate is signed by a trusted authority and has not expired.
Hostname verification.

19
Q

What is the problem with libraries that don't do hostname verification, and only certificate verification?

A

An attacker can present a certificate with a valid certificate path, which will then pass validation (because the hostname is not checked)

20
Q

What is passed to CA when asking for a cert?

A

A certificate signing request (CSR)

21
Q

When creating SSL sockets from a socket factory, what parameters will be set by the socket factory?

A

TLS parameters,

  • which TLS version to support
  • which ciphers and hash to use
  • which keys to use and which certs to trust
22
Q

When creating a ServerSocketFactory, before returning the factory instance, which key class instances are needed?

A

An SSLContext that speaks TLS,
a KeyManager which holds certs in X.509 format,
a JavaKeyStore instance

23
Q

Before initializing the SSLContext with the keys, what has to be done first?

A

The KeyManagerFactory has to be initialized with a source of key material (a keystore)

24
Q

Where does an SSLServerSocket get its instance, and what has to be established before the server socket can accept incoming sockets?

A

An SSLServerSocket gets its instance from an instance of SSLServerSocketFactory. The port has to be defined, and the TLS version has to be defined.

25
Q

How would you start a handshake from a client's point of view? 3 lines of code.

A

// host and port are placeholders for the server's hostname and port
SSLSocketFactory factory = (SSLSocketFactory) SSLSocketFactory.getDefault();
SSLSocket socket = (SSLSocket) factory.createSocket(host, port);
socket.startHandshake();

26
Q

Does Java do hostname validation?

A

Yes, but not by default

27
Q

Before starting the handshake, which three lines of code set an HTTPS style of checking hostnames?

A

SSLParameters params = new SSLParameters();
params.setEndpointIdentificationAlgorithm("HTTPS");
socket.setSSLParameters(params);

28
Q

How would you get the X509 certificate for a session, and why would you need the common name from this cert?

A

Before setEndpointIdentificationAlgorithm existed, checking the Common Name in the cert was one check we could do to validate the hostname.

SSLSession sesh = socket.getSession();
X509Certificate cert = (X509Certificate) sesh.getPeerCertificates()[0];