COSC366 Final Study Guide

Cards (111)

  • Secure communication
    • Confidentiality: Keep others from reading Alice's messages/data
    • Integrity: Keep others from undetectably tampering with Alice's messages/data
    • Authenticity: Keep others from undetectably impersonating Alice
  • Plaintext
    The actual message we want to send
  • Encryption algorithm
    Takes the plaintext, a key, (and randomness) and generates a ciphertext
  • Ciphertext

    The data that actually gets written to the insecure infrastructure
  • Decryption algorithm

    Takes ciphertext and a key, returns plaintext
  • Symmetric Key systems

    Both parties have the same key (shared secret)
  • Asymmetric Key systems

    One person holds a private key, everyone else knows their public key
  • Symmetric Key systems are very fast, but require sharing a secret key
  • Asymmetric Key systems are very slow, but don't require sharing a secret key
  • Block Ciphers

    Based on a pseudorandom function, essentially a keyed permutation, takes in a fixed number of bytes, spits out a permutation of those bytes of the same size
  • ECB (Electronic Codebook) Mode

    Block ciphers are deterministic: for a given m and K, E(K,m) always returns the same c, so an eavesdropper could determine when messages are re-sent
  • NEVER use ECB mode (but over 50% of Android apps do)
  • One-way Hash Function
    • Difference from Hash Function: one-way, collision resistant
    • Common One-way Hash Functions: MD series, SHA series
  • MD2, MD4 - severely broken (obsolete); MD5 - collision resistance property broken, one-way property not broken; MD6 - developed in response to proposal by NIST
  • Symmetric Key vs Asymmetric Key
    • Symmetric Key: requires secure channel for key distribution, impossible for two parties having no prior relationship, needs many keys for n parties to communicate
    • Asymmetric Key: keys are mathematically linked, very slow systems
  • Public Key Encryption
    Each party has a pair $(K, K^{-1})$ of keys: $K$ is the public key, used for encryption; $K^{-1}$ is the private key, used for decryption. The pair satisfies $D_{K^{-1}}[E_K[M]] = M$. Knowing the public key $K$, it is computationally infeasible to compute the private key $K^{-1}$
  • Digital Signatures
    Provide Integrity: Generate the signature with my private key, anyone can validate it with my public key, key use is inverse of encryption
  • Fundamental problem with public key cryptography: Bob has no way to tell whether the public key he has received belongs to Alice or not
  • Public Key Infrastructure (PKI)
    Certificate Authority (CA): a trusted party responsible for verifying the identity of users and then binding the verified identity to a public key. Digital Certificates: a document certifying that the public key included inside does belong to the identity described in the document; X.509 standard
  • Core Functionalities of CA
    Verifying the subject; signing digital certificates
  • PKI defeats the Man-in-the-Middle (MITM) attack by verifying the authenticity of the public key
  • Attacks on CA's verification process (Comodo Breach) and signing process (DigiNotar Breach) can compromise the PKI system
  • Attacks on the algorithms used in digital certificates, such as collision attacks on one-way hash functions (MD5, SHA-1), can also compromise the PKI system
  • Attacks on user confirmation, where the software does not properly compare the information provided by the user with the information in the server's certificate, can also lead to security flaws
  • Block Ciphers
    • Based on a pseudorandom function
    • Essentially a keyed permutation
    • Takes in a fixed number of bytes, spits out a permutation of those bytes of the same size
    • Divide the data to be encrypted up into blocks of fixed size, padding at the end
    • Blocks are fed into a PRF, and the ciphertext is based on output
    • Have a mode, a way of combining the blocks of a message and (often) randomness
  • SQL Injection

    Mixing data and code together is the cause of several types of vulnerabilities and attacks including SQL Injection attack, XSS attack, attacks on the system() function and format string attacks
  • SQL Injection Countermeasures
    Blacklisting: delete the characters you don't want. Downside: legitimate input such as "Peter O'Connor" contains them
  • ECB Mode

    • Block ciphers are deterministic
    • For a given m and K, E(K,m) always returns the same c
    • An eavesdropper could determine when messages are re-sent
    • The same data block gets encrypted the same way, revealing patterns of data when a data block repeats
    • When the same key is used, the same message is encrypted the same way
  • Hash Function
    Maps arbitrary size data to data of fixed size
  • Certificate

    Valid and authentic