IT 351 - Cryptography Final Exam
Studied by 0 people
Call Kai
Learn
Practice Test
Spaced Repetition
Match
Flashcards
Knowt Play1/95
There's no tags or description
Looks like no tags are added yet.
Name | Mastery | Learn | Test | Matching | Spaced |
|---|
No study sessions yet.
96 Terms
What is data confidentiality?
Confidentiality ensures that data is accessible only to authorized parties.
Example: Encrypting sensitive emails to prevent unauthorized access.
What is data privacy?
Assures that individuals have control over what information related to them is stored, collected, and sold.
What is data integrity?
Integrity ensures that data has not been altered during storage or transmission.
Example: Using hashing to verify file contents.
What is data availability?
Availability ensures that data and resources are accessible to authorized users when needed.
Example: Cloud servers with redundant backups to minimize downtime.
What is data authenticity?
Authenticity verifies that the source of data or communication is genuine.
Example: Using digital certificates to prove the legitimacy of a website.
What is non-repudiation (accountability)?
Non-repudiation ensures that a person cannot deny their actions or communications.
Example: A digital signature on a contract prevents the signer from denying they signed it.
What is a security attack?
A security attack is any action that compromises confidentiality, integrity, or availability.
Example: Intercepting sensitive data or disrupting a system's services.
What is a security mechanism?
A security mechanism is a tool or technique used to detect, prevent, or recover from attacks.
Example: Firewalls, WAF, IDS, MFA, IDS/IPS
What is a security service?
A security service provides features that enhance the protection of systems and data.
Example: Authentication, Access Control, Data Confidentiality, Data Integrity, and Non-Repudiation.
What are passive attacks?
Passive attacks involve monitoring or eavesdropping on communication without altering it.
Example: Traffic analysis and packet sniffing.
What are active attacks?
Active attacks involve tampering with, modifying, or disrupting communication or data.
Example: Man-in-the-middle attacks or Denial of Service (DoS) attacks.
Masquerade: Pretending to be a legitimate user.
Example: Spoofing an email address.
Replay: Intercepting and retransmitting valid data.
Example: Resubmitting a financial transaction packet.
Message Modification: Altering the contents of a message.
Example: Changing an account number in a transfer request.
Denial of Service (DoS): Disrupting access to services.
Example: Flooding a server with fake requests.
What is symmetric encryption?
Symmetric encryption is a cryptographic method where the same key is used for both encryption and decryption.
Example: Encrypting a file with a password and using the same password to decrypt it.
How does the Caesar Cipher work for encryption and decryption?
Encryption: Shift each letter by a fixed number of positions.Example: With a shift of 3, "HELLO" becomes "KHOOR."
Decryption: Shift each letter back by the same number of positions.Example: "KHOOR" with a shift of 3 becomes "HELLO."
How does the Playfair Cipher work?
Create a 5x5 grid using a keyword (e.g., "MONARCHY") and fill unused letters.
Divide plaintext into pairs of letters.If a pair has repeated letters, insert a filler (e.g., X).
Encryption rules:
Same row: Shift each letter right.
Same column: Shift each letter down.
Rectangle: Replace letters with those at opposite corners.
How does the Vigenère Cipher work?
Use a repeating key to determine letter shifts.
Each plaintext letter is shifted based on the corresponding key letter.
Example: Plaintext: "HELLO,"
Key: "KEY" → Ciphertext: "RIJVS."
How does a one-time pad work?
XOR each plaintext bit with a random key bit of the same length.
Decryption reverses the XOR operation.
Key property: It is unbreakable if the key is random, as long as the plaintext, and used only once.
What is a monoalphabetic cipher, and why is it weak?
A monoalphabetic cipher substitutes each letter of the plaintext with a fixed letter of the ciphertext alphabet.
Its weakness lies in predictable letter frequency patterns, which can be analyzed to break the code.
Example: Ceasar Cipher
What is a polyalphabetic cipher, and how does it improve security?
A polyalphabetic cipher uses multiple alphabets to vary the substitution for each letter of the plaintext.
By distributing letter frequencies across different shifts, it makes frequency analysis more difficult.
Example: The Vigenère and the playfair Cipher is a classic polyalphabetic cipher.
How does a stream cipher work?
Encrypts data bit-by-bit or byte-by-byte.
XOR plaintext with a pseudorandom keystream.
Example: RC4 generates a pseudorandom keystream for XORing.
What is the difference between substitution and permutation?
Substitution replaces data with different values, adding confusion.
Permutation rearranges the data, adding diffusion.
Block size
Number of bits processed at a time (e.g., 64-bit for DES, 128-bit for AES).
Key size
Length of the encryption key, determining security (e.g., 56-bit for DES, 256-bit for AES).
Encryption rounds
Number of encryption cycles (e.g., 16 rounds in DES).
Subkey generation algorithm
Derives round-specific keys from the main key.
Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis
Round function
Mathematical function applied to plaintext and subkey during encryption.
What is the block size, key size, and number of rounds for DES?
DES: 64-bit block size, 56-bit key, 16 rounds.
What is the block size, key size, and number of rounds for 3DES?
64-bit block size, 168-bit effective key, 48 rounds.
What is the block size, key size, and number of rounds for AES?
AES: 128-bit block size, key sizes of 128/192/256 bits, 10/12/14 rounds.
What is the S-box in block ciphers?
An S-box (substitution box) replaces input bits with a predefined set of output bits, adding confusion.
Example: In DES, S-boxes map 6-bit input to a 4-bit output.
What is the Feistel Cipher structure?
1. Split plaintext into two halves (L and R).
2. Apply a round function to one half and XOR it with the other.
3. Swap the halves and repeat for the required number of rounds.
4. For decryption, reverse the steps.
Example: DES uses a Feistel structure.
Is AES a Feistel cipher or an iterative cipher?
AES is an iterative cipher, not a Feistel cipher, as it processes data in multiple rounds without swapping halves.
ECB (Electronic Codebook)
Encrypts each block independently.
Advantages: Simple, efficient for short blocks.
Disadvantages: Patterns in plaintext are visible in ciphertext.
CBC (Cipher Block Chaining)
Each block depends on the previous block's ciphertext.
Advantages: Adds randomness by chaining blocks.
Disadvantages: Sequential processing slows down decryption.
CTR (Counter)
Encrypts block numbers (counters) and XORs with plaintext.
Advantages: High performance; parallelizable.
Disadvantages: Counter reuse breaks security.
OFB (Output Feedback)
Converts a block cipher into a stream cipher.
Advantages: Prevents block errors from propagating.
Disadvantages: Vulnerable to IV reuse.
CFB (Cipher Feedback)
Also works as a stream cipher.
Advantages: Works well for stream data.
Disadvantages: Error propagation possible in small amounts.
What are the key properties of a random number?
Unpredictability: The next number cannot be guessed based on previous numbers.
Uniform Distribution: All possible numbers have an equal chance of being generated.
Independence: Generated numbers are not correlated with one another.
Reproducibility (for pseudorandom numbers): Same seed produces the same sequence.
What is entropy in the context of random numbers?
Entropy measures the level of randomness or unpredictability in a system, often expressed in bits. Higher entropy means greater randomness.
What is a true random number?
A true random number is generated from a physical, unpredictable phenomenon (e.g., radioactive decay, atmospheric noise).
Non-deterministic.
Cannot be reproduced.
Example: A hardware-based random number generator measuring environmental noise.
What is a pseudorandom number?
A pseudorandom number is generated algorithmically using a deterministic process (e.g., a pseudorandom number generator or PRNG).
Deterministic; same seed produces the same sequence.
Efficient but may exhibit patterns over long sequences.
What is the main difference between true random numbers and pseudorandom numbers?
True Random Numbers: Derived from unpredictable physical processes.
Pseudorandom Numbers: Generated deterministically using an algorithm and a seed.
What is a hash function?
A hash function is a mathematical algorithm that converts input data (of any size) into a fixed-size output, called a hash or digest.
Example: The SHA-256 hash function takes any input and produces a 256-bit (64-character) hash.
What is a hash function used for?
Data Integrity Verification: Ensures that data has not been tampered with by comparing hash values.
Password Storage: Stores hashed passwords to avoid storing plaintext passwords.
Digital Signatures: Hashes the data to create a smaller, fixed-size representation before signing.
Cryptographic Applications: Forms the basis for Message Authentication Codes (MACs) and digital certificates.
What services does a hash function achieve?
Integrity: Detects data modifications by comparing hash values.
Authentication: Supports digital signatures by hashing data to verify authenticity.
What services does a hash function NOT achieve?
Confidentiality: Hashes do not encrypt data; they are one-way functions.
Non-repudiation: Hashes alone cannot prove who created the data.
What are the properties of a cryptographically secure hash function?
One-way Property (Pre-image Resistance): Given a hash, it should be infeasible to find the original input.
Weak Collision Resistance (Second Pre-image Resistance): It should be hard to find another input that produces the same hash as a given input.
Strong Collision Resistance: It should be hard to find any two inputs that produce the same hash.
What is the difference between weak collision resistance and strong collision resistance?
Weak Collision Resistance: Prevents attackers from finding a specific second input for a given hash.
Strong Collision Resistance: Prevents attackers from finding any two inputs with the same hash.
What is a Message Authentication Code (MAC) used for?
A MAC is used to verify the integrity and authenticity of a message. It combines a secret key and the message to create a fixed-size code, ensuring:
The message was not altered (integrity).
The sender is authentic (authentication).
What services does a MAC achieve?
Integrity: Ensures the message has not been tampered with.
Authentication: Verifies the sender's identity.
What services does a MAC NOT achieve?
Confidentiality: A MAC does not encrypt the message.
Non-repudiation: A MAC cannot prove the sender's identity to third parties.
What are the different ways of creating a MAC?
Using Block Ciphers:
CMAC (Cipher-based MAC): Uses block ciphers (e.g., AES, DES) to generate a MAC.
Using Hash Functions:
HMAC (Hash-based MAC): Combines a cryptographic hash function (e.g., SHA-256) with a secret key.
How can you distinguish between CMAC, HMAC, and a generic hash function in a diagram?
Generic Hash Function: No key is used; input goes through the hash algorithm directly.
CMAC: Involves block cipher operations in the diagram.
HMAC: Shows a secret key combined with a hash function in two stages.
What is an example use case for HMAC?
HMAC is commonly used in HTTPS (TLS protocol) to verify the integrity and authenticity of transmitted data.
Why are cryptographically secure hash functions critical for MACs?
Secure hash functions ensure that the MAC cannot be forged or reversed, maintaining message integrity and authentication.
What is public key cryptography, and which limitations of symmetric key cryptography does it address?
Public key cryptography uses a pair of keys: a public key for encryption and a private key for decryption.
Limitations addressed:
Public keys can be shared openly, eliminating the need to securely distribute symmetric keys.
No need for a unique key for each communication pair; one key pair per user suffices.
Symmetric key cryptography cannot prove the origin of messages, while public key cryptography enables digital signatures for proof.
What services can you achieve using Diffie-Hellman and RSA?
Diffie-Hellman: Secure key exchange over an insecure channel.
Service achieved: Confidentiality.
RSA: Encryption/decryption and digital signatures.
Services achieved: Confidentiality, authenticity, non-repudiation.
What is Diffie-Hellman used for?
Diffie-Hellman is used for securely exchanging cryptographic keys between two parties over an insecure network.
What attack is Diffie-Hellman vulnerable to?
Diffie-Hellman is vulnerable to man-in-the-middle (MITM) attacks if the key exchange is not authenticated.
The basic Diffie-Hellman protocol doesn't verify the identity of the other party, making it susceptible to a MitM attack where an attacker can impersonate one of the users.
What is a digital signature, and how is it created?
A digital signature is a cryptographic method to prove the authenticity and integrity of a message.
1. The sender hashes the message.
2. The sender encrypts the hash with their private key
3. The encrypted hash (digital signature) is sent along with the message.
4. The recipient decrypts the digital signature using the sender's public key. The recipient hashes the received message and compares it with the decrypted hash.
What services do digital signatures provide?
Services provided:
Authentication: Proves the sender's identity.
Integrity: Ensures the message has not been tampered with.
Non-repudiation: Prevents the sender from denying they signed the message.
What is the benefit of ECC cryptography over RSA in terms of key size?
ECC (Elliptic Curve Cryptography) provides the same level of security as RSA with significantly smaller key sizes.
A 256-bit ECC key offers equivalent security to a 3072-bit RSA key.
What are digital certificates used for?
Digital certificates are used to:
1. Bind a public key to an entity (e.g., person, organization, or website).
2. Ensure the authenticity of the entity's public key.
3. Enable secure communication by supporting encryption and authentication (e.g., HTTPS).
Example: Supporting encrypted email communication with tools like S/MIME.
Who creates a digital certificate?
Certificate Authority (CA): A trusted third party that issues certificates after verifying the identity of the requester.
Example: Let's Encrypt, DigiCert, GlobalSign.
Self-signed Certificates: Created by individuals or organizations themselves but are not trusted by default because no third-party validation exists.
What are the main pieces of information stored in a digital certificate?
Contains:
- Name of the certificate issuer (the signer)
- Certificate validity period
- Certificate issuer specific serial number
- Certificate issuer's signature algorithm identifier
- Certificate issuer's signature
-Extensions
What is a root CA certificate?
A root CA certificate is the top-most certificate in a certificate hierarchy, issued by a trusted Certificate Authority.
Self-signed Certificate: Root certificates sign themselves to establish their authority.
Trust Anchor: Trusted by browsers and operating systems to verify other certificates.
How is a root CA certificate created?
1. The CA generates a public-private key pair.
2. The CA creates a certificate for itself, embedding its public key and other required information.
3. The certificate is signed using the CA's private key.
How is a root CA certificate retrieved?
Root certificates are pre-installed in the trusted certificate store of operating systems and browsers. Users can view these certificates via browser or OS settings (e.g., Windows Certificate Manager).
How is a digital certificate verified?
1. The recipient verifies the CA's digital signature on the certificate using the CA's public key. (The CA's public key is obtained from a trusted root certificate.)
2. If the certificate is part of a chain, each intermediate certificate in the chain is verified back to the root CA.
3. Verify the certificate has not expired (check the validity period) and then ensure it has not been revoked by checking the CRL.
4. Confirm the certificate subject matches the entity being verified (e.g., website domain name).
Why are digital certificates critical in public key cryptography?
They enable secure communication by:
1. Verifying the authenticity of public keys.
2. Preventing impersonation attacks (e.g., phishing).
3. Facilitating trust between entities in a distributed system.
What is the purpose of the SSL/TLS handshake protocol?
To establish a secure communication channel by:
1. Negotiating encryption parameters.
2. Authenticating the server (and optionally the client).
3. Exchanging a session key.
What happens during the Client Hello phase of the SSL/TLS handshake?
The client sends a "ClientHello" message containing:
1.Supported cipher suites (encryption algorithms).
2.Supported TLS versions (e.g., TLS 1.2, TLS 1.3).
3. A random value (Client Random).
What happens during the Server Hello phase of the SSL/TLS handshake?
The server responds with a "ServerHello" message containing:
1. The selected cipher suite and TLS version.
2. A random value (Server Random).
3. The server's digital certificate (for authentication).
What happens during the Key Exchange and Authentication Phase in the SSL/TLS handshake?
1. The key exchange process occurs based on the selected cipher suite:
RSA: The server encrypts session key material with its private key, and the client decrypts it using the server's public key.
Diffie-Hellman or ECDHE: Both parties compute a shared session key based on exchanged public values.
2. The client verifies the server's certificate to ensure authenticity.
What happens during the Session Key Finalization Phase in the SSL/TLS handshake?
1. Both client and server generate a session key using the random values exchanged earlier.
2. A "Finished" message, encrypted with the session key, is sent by both parties to confirm that encryption is operational.
3. Secure communication begins using the session key.
How does the server authenticate itself during the handshake protocol?
1. The server sends its digital certificate during the "ServerHello" phase.
The certificate contains the server's public key and is signed by a trusted Certificate Authority (CA).
2. The client validates the certificate by checking:
- The CA's signature.
- The certificate's validity (expiry and revocation).
- The certificate's subject matches the server's domain name.
2. The server proves ownership of the private key in the "Key Exchange" phase by participating in the key exchange process (e.g., signing or encrypting data).
What is the role of symmetric encryption in the SSL/TLS handshake?
Once the handshake is complete, the session key (established during the handshake) is used for symmetric encryption. This ensures:
1. Confidentiality: Data is encrypted during transmission.
2. Integrity: Data cannot be tampered with during transmission.
How does the SSL/TLS handshake prevent eavesdropping and tampering?
1. Eavesdropping Prevention: All session keys are exchanged securely using public-key cryptography (e.g., RSA or Diffie-Hellman).
2. Tampering Prevention: The handshake verifies the server's identity using a digital certificate.
How is Kerberos used for single sign-on?
Kerberos allows users to log in once and access multiple services without re-entering credentials.
This is achieved by issuing a Ticket Granting Ticket (TGT) that the client uses to request service tickets for other resources.
Is Kerberos based on symmetric key cryptography or public key cryptography?
Kerberos is based on symmetric key cryptography.
What are the 3 main entities in Kerberos?
1. Client: The user or device requesting access.
2. Authentication Server (AS): Verifies the client's identity and issues the TGT.
3. Ticket Granting Server (TGS): Issues service tickets for specific resources.
Who generates the Ticket Granting Ticket (TGT) for Kerberos?
The Authentication Server (AS) generates the TGT.
Who generates the service ticket for Kerberos?
The Ticket Granting Server (TGS) generates the service ticket.
Who generates the session key between the client and TGS for Kerberos?
The Authentication Server (AS) generates the session key shared between the client and TGS.
Who generates the session key between the client and the server for Kerberos?
The Ticket Granting Server (TGS) generates the session key shared between the client and the server.
What layers does IPSec protect?
IPSec operates at the Network Layer (Layer 3) in the OSI model.
What are the key differences between AH and ESP protocols?
1. AH (Authentication Header): Provides integrity and authentication, no encryption.
2. ESP (Encapsulating Security Payload): Provides encryption, integrity, and authentication.
What services does the AH protocol provide?
Integrity: Ensures data is not altered.
Authentication: Verifies the identity of the sender.
No confidentiality: AH does not provide encryption.
What services does the ESP protocol provide?
1. Confidentiality: Encrypts the data payload.
2. Integrity: Ensures data has not been tampered with.
3. Authentication: Verifies the sender's identity.
What is the difference between tunnel mode and transport mode in IPSec?
1. Tunnel Mode: Encrypts the entire IP packet (header + payload). Used for VPNs.
2. Transport Mode: Encrypts only the payload, leaving the header intact. Used for end-to-end communications.
What is the IKE protocol used for?
IKE (Internet Key Exchange) is used to negotiate and establish secure cryptographic keys for IPSec.
What are the main steps in the IKE protocol?
Phase 1:
Establishes a secure channel by authenticating both parties and negotiating cryptographic parameters.
Creates the ISAKMP Security Association (SA).
Phase 2:
Negotiates the IPSec SA to securely exchange data.
Generates session keys for encryption and integrity.
Can the Counter mode (CTR) be used to calculate an HMAC. Why or why not?
No it cannot be used. CTR mode does not provide integrity as it does not involve a hash function.
Both Diffie-Hellman and RSA are hard to break as they are based on discrete logarithm problems. True or False?
True
RSA is a public key encryption algorithm. But it can also be used for key exchange/distribution. True or False?
True
Diffie-Hellman can be used to provide authentication and accountability. True or False?
False
RSA can be used to provide authentication and accountability. True or False?
True