CSE484 Final Study Guide

Similar documents
L13. Reviews. Rocky K. C. Chang, April 10, 2015

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

The question paper contains 40 multiple choice questions with four choices and students will have to pick the correct one (each carrying ½ marks.).

Summary on Crypto Primitives and Protocols

Computer Security Course. Midterm Review

Data Security and Privacy. Topic 14: Authentication and Key Establishment

CSE 127: Computer Security Cryptography. Kirill Levchenko

David Wetherall, with some slides from Radia Perlman s security lectures.

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Information Security CS 526

Cryptography and Network Security

CRYPTOGRAPHY AND NETWROK SECURITY-QUESTION BANK

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Network Security Chapter 8

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Information Security: Principles and Practice Second Edition. Mark Stamp

Computer Security: Crypto & Web Security

Public Key Algorithms

Cryptography MIS

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

PROTECTING CONVERSATIONS

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Test Conditions. Closed book, closed notes, no calculator, no laptop just brains 75 minutes. Steven M. Bellovin October 19,

BCA III Network security and Cryptography Examination-2016 Model Paper 1

Winter 2011 Josh Benaloh Brian LaMacchia

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Cryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39

Study Guide to Mideterm Exam

Cryptography (cont.)

Lecture 1 Applied Cryptography (Part 1)

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

CASP CompTIA Advanced Security Practitioner Study Guide: (Exam CAS-001)

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

Computer Security 3/23/18

Cryptographic Systems

Software Security and Intro to Cryptography

CS 645 : Lecture 6 Hashes, HMAC, and Authentication. Rachel Greenstadt May 16, 2012

Unit 8 Review. Secure your network! CS144, Stanford University

Software Security Design Principles + Intro to Crypto

Refresher: Applied Cryptography

Symmetric Cryptography

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

Lecture 20 Public key Crypto. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller and Bailey s ECE 422

APNIC elearning: Cryptography Basics

Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7

Network Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

How many DES keys, on the average, encrypt a particular plaintext block to a particular ciphertext block?

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

PGP: An Algorithmic Overview

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1


Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Practical Aspects of Modern Cryptography

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Lecture 6 - Cryptography

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

CS155. Cryptography Overview

CS155. Cryptography Overview

Outline. From last time. Feistel cipher. Some DES history DES. Block ciphers and modes of operation

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

Tuesday, January 17, 17. Crypto - mini lecture 1

Chapter 4: Securing TCP connections

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CS 161 Computer Security

CIS 4360 Secure Computer Systems Symmetric Cryptography

Computer Security CS 526

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

1.264 Lecture 28. Cryptography: Asymmetric keys

Security I exercises

CS Paul Krzyzanowski

Computer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Introduction to Cryptography. Steven M. Bellovin September 27,

Public Key Algorithms

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Information Security CS526

SSH Algorithms for Common Criteria Certification

(Continue) Cryptography + (Back to) Software Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cryptography and Network Security

Chapter 9 Public Key Cryptography. WANG YANG

Acronyms. International Organization for Standardization International Telecommunication Union ITU Telecommunication Standardization Sector

Encryption. INST 346, Section 0201 April 3, 2018

Crypto meets Web Security: Certificates and SSL/TLS

Introduction and Overview. Why CSCI 454/554?

Symmetric Encryption. Thierry Sans

Understanding Cisco Cybersecurity Fundamentals

Cryptographic Hash Functions

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptographic Concepts

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING


n-bit Output Feedback

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

Transcription:

CSE484 Final Study Guide Winter 2013 NOTE: This study guide presents a list of ideas and topics that the TAs find useful to know, and may not represent all the topics that could appear on the final exam. Security Mindset Security reviews Assets Adversaries Threats Vulnerabilities Risks Defenses Attack trees Buffer Overflows and Software Security Off-by-one errors Overflow function pointers Format string vulnerabilities TOCTOU Overflow implicit casts Timing attacks Canaries Fuzzing Difference between /dev/random and /dev/urandom Why not use the rand() function for security purposes? Cryptography Secrecy guarantees of one-time pad vs. block ciphers Pros and cons of OTP What s the purpose of a Feistel network? What is a meet-in-the-middle attack, and why does it work on double DES (but not triple DES)? Why use a PBKDF (password-based key derivation function)? CBC vs ECB vs CTR mode What happens if an IV isn t random for CBC mode? Why should counters not overlap in CTR mode? Is integrity checked with these modes? Why have multiple rounds in a Feistel network? How to break it with one or two rounds? CBC-MAC 1

Properties of cryptographic hash functions One-wayness Collision resistance Weak collision resistance HMAC Encrypt-and-Mac vs. Mac-then-Encrypt vs. Encrypt-then-Mac Why is Encrypt-and-Mac insecure? Why is Mac-then-Encrypt weaker than Encrypt-then-Mac? Birthday attacks How many random input attempts would it take to find a collision for a particular 128-bit hash value? And for the same hash function how many attempts to find any single collision? How can Alice and Bob flip a coin over the phone? Password strength and entropy Is CBC or CTR mode preferred for parallelization, and why? Why is Diffie-Hellman secure? DHP and DDH and Discrete Logarithm Problem Privacy and integrity in RSA RSA key generation. Or given p, q, n, phi, e, d, what are the PK and SK? Why is repeated squaring method of optimizing exponentiation insecure? Why is RSA secure? Factoring is hard Modular inverses are hard Taking the e th root mod is hard TLS version rollback attack What alternative to CAs, used with PGP, enables trust of public keys? Cryptography Attack scenarios Ciphertext only Known plaintext Chosen plaintext Chosen ciphertext Cryptography Summary Privacy OTP Block ciphers: AES, DES,... Modes: ECB, CBC, CTR Public Key: DH, RSA Integrity MAC Hashes: MD5, SHA,... Privacy and Integrity Enc-then-MAC Authenticity (and integrity) 2

Digital signatures: RSA, DSS,... Certificates Certificate Authorities sign certificates Roots authorize intermediates What s a certificate chain, and why do we have them? Risks of trusting certificate authorities? Alternate solutions? Convergence, CRLs,... ROP What is return oriented programming? What defense drives attackers to use it? Equivalents General Principles to Achieve Software Security Input validation Least privilege Always check return values Securely clear memory (passwords and keys) Failsafe defaults Defense in depth Reduce size of TCB Minimize attack surface Use vetted components (and standard crypto libs!) Security by design Web Why is encoding state in URL a bad idea? Web authentication via cookies Why is adding a MAC just to value (or price) is still insecure? Attack scenario Better cookie authenticator (what s included in the cookie, what s MAC-ed, etc.) Javascript security model Cross-site scripting attack Stealing cookies Login with CSRF why would an attacker do this? Input validation / escaping Better to MAC all data at the same time rather than separately to prevent them being reassembled differently. Cookies set-cookie (HTML) or document.cookie (JS) Can narrow to subdomain or path 3

Secure cookie (only send HTTPS) Set to HTTPOnly for to prevent JS access SQL Injections Web tracking Storage Cookies HTML5LocalStorage Flash cookies (LSO) Popups and redirects can make 1 st party cookies Evercookie / zombie cookie Authentication How should you store passwords on a server and what threats are you worried about? Dictionary attack, and why would we want to use salt/pepper? How can we improve the security of passwords? What are the possible alternatives or enhancements? Pros and cons for each? (graphical password, biometrics, password managers, two-factor authentication) Biometrics Types of biometrics Any issues associated with using biometrics? Advantages and disadvantages? Fraud rate and insult rate Why not store encrypted passwords on server? Something you know, something you have, something you are. Security and HCI Why is usability important to achieving security? What are the key issues and challenges? How to cope with these challenges? CAPTCHA Phishing and social engineering Clickjacking Android Security How are Android apps isolated? How/why does this differ from desktops? Sandboxes Permissions and manifests Memory management App signing 4

Anonymity You cannot be anonymous by yourself Anonymous emails How does a mix network work? Onion routing How does it work? Tor circuits Attacks on anonymity Eg. What is a sybil attack? How does it affect Tor? Social Engineering Elicitation How and why does it work? Strategies Physical Security Why is it necessary? Locks Pin tumbler lock design and lock-picking basics 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback