Security (w7-8) Flashcards
3 Key goals of cryptography
Confidentiality, Data Integrety and Authentication
Key points on symmetric encryption
Both parties have shared key, is fast compared to asymmetric encryption, key needs to be hidden somehow, as is a vulnerability
Substitution Cipher - Ceaser Cipher?
Substitution is replaceing letters with another letter to genereate ciphertext. Ceaser Cipher is shift the alphabet by fixed number of lettters, easily reverssed, so not very safe
Transposition Cipher - Rail Fence Cipher?
Transposition - re-arrange position of letters without altering their value. Rail-Fence key is kniwing the amount of rows.
Product Cipher
combonation of different types of ciphers
Unconditionally secure vs Computationally secure
Uncondition means ciphertext does not contain enough information to figure out the original text. Computational secure means cost to break the information exceeds the value of the information, or the time needed to break the information exceeds the useful lifetime of the informatiopn
One Time Pad, what is it?
random key, as long as the message, xor the binaary as cipher
What is frequency analysis?
if “a” always encodes to “f”, then it is easy to reverse. e ~13%, t~9%.
if two parties have a shared secret, how can they authenticate each other, without showing the secret?
A sends B large number, B sends it back encrytped with the secret. A verifies. B sends A large number, A sends it back encypted with the secret. B verifies.
why is a larger key more exponentially secure?
Larger key = more possible options = more time to brute force the key
WHat is a hashkey and what is it used for
hash keys are codes that represent a file of data. changing a single letter in a file should change the hash key. use on file received, to verify no change has occurred on it.
Is assymmetric encryption commonly used to encrypt application data?
No, usually symmetric encryption is used as it is faster
How does a site with a certificate prove that the certificate has been given to him by a CA?
site sends hash of digital signature of CA encrypted with private key, user uses sites public key to decrypt. Only private key has power to crypt data in such a way that the public key is the only one which can decrypt the data.
When is TLS generally implemented within a TCP connection
typically immediatly upon connection establishment
In the client hello part of TLS handshake, what info is conveyed to the server
Highest TLS version supported, supported cipher functions, and random value
How does Server respond to client hello?
server selects cipher and hash function, tls and a random value.
then sends client its sertificate, with public key, server name and who signed their certificate (CA).
Then sends ServerHelloDone
After server sends serverhellodone, what does the client retrun? how does the server respond?
Sends info to allow server to use the same symmetric encryption key.
Tells server it is now using the symmetric key.
Tells server it is finished the handshake, contains data for server to verify encryption is correctly in place.
Server then says im using the encryption too, then sends a message saying the handshake is finished, with information for the client to verify encryption is correctly in place
When client verifys the authenticity of the server, what does it check?
The certificate is signed by a trusted authority and certificate has not expired.
Hostname verification.
what is the problem with libraries that dont do hostname verification, and only certificate verification
attackers can pass a cert with a valid cert path, that will then pass (because the hostname is not checked)
What is passed to CA when asking for a cert?
A certificate signing request (CSR)
when creating SSL sockets from socket factory, what parameters will be set by the socket factory?
TLS parameters,
- which TLS version to support
- which ciphers and hash to use
- which keys to use and which certs to trust
When creating a serversocketfactory, before returning the factory instance, which key class instances are needed.
SSL context that speaks TLS,
Key manager which holds certs in X.509 format
JavaKeyStore instance
before initializing the SSL context with the keys, what has to be done first?
KeyManagerFactory has to be initialized with a source of key material (keystore)
where does a SSLServerSocket get an instance of a SSLServerSocket, and which protocol has to be establised before the serversocket can accept incoming sockets?
SSLServerSocket gets its instance from an instance of a SSLServerSocketFactory. The port has to be defined, and the TLS version has to be defined.
How would you start a handshake from a clients point of view? 3 lines of code.
SSLSocketFactory factory = (SSLSocketFactory)SSLSocketFactory.getDefault(); SSLSocket socket = (SSLSocket)factory.createSocket(, ); socket.startHandshake();
does java do hostname validation?
yes, but not by default
before starting the handshake, which three lines of code set an HTTPS style of checking hostnames.
SSLParameters params = new SSLParameters();
params. setEndpointIdentificationAlgorithm(“HTTPS”);
socket. setSSLParameters(params);
how would you get the X509 certificate for a session, and why would you need the common name from this cert?
before the setEndPointIdentificationAlgorithm was created, checking the Common Name in the cert was one check we could do to validate the hostname.
SSLSession sesh = socket.getSession();
X509Certificate cert = (X509Certificate)
sesh.getPeerCertificates()[0];
