terms

¡Supera tus tareas y exámenes ahora con Quizwiz!

SHA-1

(was vulnerable to attacks) Produces a 160-bit hash value and is used in DSS

SAML (Security Assertion Markup Language)

* assertion & authorization (communicates between authentication and service) An XML-based data format used to exchange authentication information between a client and a service. 1. auth statement 2. attribute statement 3. authorization decision statement== subject S allowed to use R based on E (compatible w XACML)

Good Hash Function qualities:

1. Must be deterministic: -> Key must ALWAYS generate the same Hash Index (excluding rehashing). 2. Must achieve uniformity -> Keys should be distributed evenly across hash table. 3. FAST/EASY to compute -> only use parts of the key that DISTINGUISH THE ITEMS FROM EACH OTHER 4. Minimize collisions:

TLS Handshake

1. cryptographic negotiation (be ware of version rollback attack) 2. server shows certificate, check w CA 3. key negotiation--> client sends a nonce, hashes it to get a shared symmetric key

Product Life Cycle (PLC)

1. requirements & design- data requirements and risks 2. Engineering- is dev compliant w design?? 3. Maintenance- data subject requests 4. product phase out- data disposald

Advanced Encryption Standard (AES)

A block cipher created in the late 1990s that uses a 128-bit block size and a 128-, 192-, or 256-bit key size. Practically uncrackable.REPLACE DES

DevSecOps (Development, Security and Operations)

A combination of software development, security operations, and systems operations by integrating each discipline with the others

man-in-the-middle attack

A form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

Privacy Policy

A legal document that an app or website must provide and that describes what user information they collect and how they use it (INTERNAL, strict w employees)

Certificate Revocation List (CRL)

A list of certificate serial numbers that have been revoked not expired

dictionary attack

A password attack that creates encrypted versions of common dictionary words and compares them against those in a stolen password file.

Cipher Block Chaining (CBC)

A process in which each block of unencrypted text is XORed with the block of cipher text immediately preceding it before it is encrypted using the DES algorithm.

SSO (Single Sign-On)

A session/user authentication process that permits a user to enter one name and password in order to access multiple applications.

IPSec (Internet Protocol Security)

A set of open, non-proprietary standards that you can use to secure data as it travels across the network or the Internet through data authentication and encryption.

Message Authentication Code (MAC)

A small block of data that is generated using a secret key and then appended to the message.

Message Digest

A small representation of a larger message using HASH. Message digests are used to ensure the authentication and integrity of information, not the confidentiality. (without having to encrypt entire thing)

XACML (Extensible Access Control Markup Language)

A standard that defines a declarative fine-grained, attribute-based access control policy language; an architecture; and a processing model describing how to evaluate access requests according to the rules defined in policies. access for enterprise resource language (xml)

Data Leak Prevention (DLP)

A suite of technologies aimed at stemming the loss of sensitive information that occurs in the enterprise. ALERTS EMPLOYEES!!!

threat modeling

A way of prioritizing threats to an application.

Privacy Notice

A written explanation of how the company handles and shares your personal financial information.

VPN

Allows a secure private connection over a public network, using an encrypted 'tunnel'. For example, a remote computer can securely connect to a LAN, as though it were physically connected.

Data Link Layer

An OSI layer responsible for error-free transfer of data packets between nodes on the network.

pseudorandom number generator (PRNG)

An algorithm for creating a sequence of numbers whose properties approximate those of a random number.

Replay Attack

An attack where the data is captured and replayed. Attackers typically modify data before replaying it A type of network attack where an attacker captures network traffic and stores it for retransmission at a later time to gain unauthorized access to a network.

stream cipher

An encryption method that encrypts data as a stream of bits or bytes. Compare with block cipher.

Block Cipher

An encryption method that encrypts data in fixed-sized blocks. Compare with stream cipher.

certificate path

An enumeration of the chain of trust from one certificate to another tracing back to a trusted root. (trusted anchor ---> target user). back or forward traverses multiple CAs should be validated

Data Processor

An individual or organization, often a third-party outsourcing service, that processes data on behalf of the data controller.

OpenID

An open standard and decentralized protocol that is used to authenticate users in a federated identity management system

computer Trojan Horse

Any malicious computer program which misleads users of its true intent. The term is derived from the Ancient Greek story of the deceptive wooden horse that led to the fall of the city of Troy. (SEEMS LIKE LEGIT)

CCPA (California Consumer Privacy Act)

Articles outlined are largely inspired by GDPR, and also outline the legal action a consumer can take in the case of a breach of their private data. allows residents to know all their personal info being collected be able to access that info know if it is disclosed and to whom know if it is sold (right to say no), disclosure receive equal prices whether exercising privacy rights or not applies on all sectors takes effect 1/1/20 NOW CALLED CPRA

offline attack

Attacker is using password-cracking tools against a stolen password file; database stolen, bad guys have access to to passwords --> you should hash your passwords!

RBAC (decentralized trust)

Bank has to be able to specify who can issue these credentials (trust relationship/delegation) - e.g. HumanResources

Public Key Certificate

Consists of a public key plus a user ID of the key owner, CA, with the whole block signed by CA

PKI complexities (user requests service)

Decentralized Trust Mgmt: Complexity of PKI Steps involved in processing a request to access an application by a certificate holder, when using PKI: 1. Obtain requester certificate, verify signatures on certif and applic request, determine public key of original signer 2. Check that certificates are unrevoked 3. Look for trust path 4. Extract names from certificates 5. Lookup names in DB to check if allowed to perform requested action 6. Determine whether action is legal based on names and chain of policies 7. Execute requested action - if everything is OK Observation: Steps 5 and 6 are application-specific: PKI does not explicitly help with this * lack of interoperability

3D's

Detection (alerts, logs), Deterrence (policies, cameras, access control), Defense(firewalls, asset protect, backup) --> what's missing?

Elliptic Curve Cryptography (ECC)

ECC is considered more secure than RSA, because RSA is based on factoring large numbers, a problem that computers have solved. In contrast, elliptic curve cryptography is based on the discrete logarithm problem, which is much harder to solve. It's been proven that even with today's technology, it would take longer than the universe's age to reverse engineer a key that's been generated using ECC. Elliptic Curve Discrete Logarithm Problem (ECDLP), which states that it is hard to solve for x if we know y = g^x mod p where g is some known integer and p is prime.

Privacy engineering

Encompasses how privacy values and principles are applied in technology systems and programs while recognizing and maintaining security levels to mitigate risk. It brings the complementary perspectives and practices of software engineers and privacy professionals together. works with PM, requires the softwskilss

Decentralized Trust Management

FLEXIBLE (app independent) Use local trust management engines that can evaluate requests based on: Certificates and description of local policy both expressed in the same language Deferring/Delegating trust to third parties 1. Obtain certificates, verify signatures on certif andapplic request, determine public key of original signer 2. Check that certificates are unrevoked 3. Submit request, certificates and description of local policy to local "trust management engine"4. Proceed if approved

Data minimization

In data protection, the principle that only necessary and sufficient personal information can be collected and processed for the stated purpose. 1. featurization 2. sanitzation 3. pseudonympization 4. anonymizaiton 5. aggreagation 6. add noise

PII (Personally Identifiable Information)

Information about an individual that can be used to uniquely identify them (directly or indirectly), locate, or contact

Rainbow tables

Large pregenerated data sets of encrypted passwords used in password attacks.

web-of-trust model

Makes every one an authority. alternative to PKI.

ADFS (active directory federation services)

Manages authentication through a proxy service hosted between ad and the target application using a federated trust to provide an SSO solution. Local token to get access to all modules

RSA Encryption

Named after inventors Rivest, Shamir, and Adelman, RSA is a system for encrypting and decrypting a message using a pair of keys, both of which contain the product of two prime numbers. From Alice to Bob: 1. Looks up Bob's public key 2. Convert the message into an integer: m 3. Compute the ciphertext c as: c = m^e (mod n) 4. Send c to Bob

Data Encryption Standard (DES)

One of the first widely popular symmetric cryptography algorithms. No longer considered secure. A symmetric block cipher that uses a 56-bit key and encrypts data in 64-bit blocks.

Privacy by Design

Privacy by Design is a framework that emphasizes integrating privacy into technology and practices from the start. It comprises seven principles: Proactive, Not Reactive: Prevent privacy issues before they occur. Privacy as the Default Setting: Make privacy the automatic choice, requiring no action from individuals. Privacy Embedded into Design: Incorporate privacy as a core feature in product development. Full Functionality - Positive-Sum: Balance all interests without unnecessary trade-offs. End-to-End Security: Ensure strong security throughout the data lifecycle. Visibility and Transparency: Maintain transparency and verification of practices. User-Centric: Prioritize user interests with strong defaults and user-friendly options.

Key Replacement

Process of issuing new keys to valid users; if key expires; might be needed later so better to ARCHIVE

computer Worms

Programs that attack computer networks (or the Internet) by self-replicating and sending themselves to other users, generally via email without the aid of the operator.

Information Security

Protecting an organization's information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.

GDPR (General Data Protection Regulation)

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements. -always requires consent -not sectoral - SINGLE MARKET= any of 27 countries it works, helps do business - privacy by design= protect first, consent, informed

sim based authentication

SIM Card: Each mobile device is associated with a SIM card, which contains a unique International Mobile Subscriber Identity (IMSI) and a secret key (Ki). The SIM card stores this information securely. Authentication Request: When a mobile device attempts to connect to a mobile network, it sends an authentication request to the network. Challenge-Response: The network responds with a random challenge, often called RAND, and the mobile device uses its secret key (Ki) to compute a response (SRES). Authentication: The mobile device sends the computed SRES back to the network. Network Verification: The network, which also has access to the secret key (Ki) associated with the SIM card, computes its own SRES using the RAND and Ki. It compares its calculated SRES with the SRES received from the mobile device. Authentication Success or Failure: If the SRES values match, the network considers the mobile device authenticated and allows it to connect to the network. If there is a mismatch, the authentication fails, and network access is denied.

STRIDE Model

STRIDE is a threat model while DREAD is a risk assessment model. STRIDE stands for Spoofing, Tampering, Repudiation, Information Disclosure, Denial of service, Elevation of privilege.

3DES (Triple DES)

Symmetric Key Algorithm, Applies DES three times, 168-bit key (+24 for parity)

Public Key Infrastructure (PKI)

System ,tools, policy for creating public and private keys using a certificate authority (CA) and digital certificates for authentication.

Network Layer

The OSI layer that addresses data packets, routes the packets from a source to a destination through the network, and ensures the delivery of those packets.

Key Management

The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

Data Controller

The person in charge of the data in an organisation.

certificate management

The practice of issuing, updating, and revoking digital certificates.

Cryptoanalysis

The process of obtaining the plaintext message from a ciphertext message without knowing the keys used to perform the encryption. CAN LOOK AT A LOT OF CIPHERTEXT AND ANALYZE

De-identification

The process of removing identifying information from data sets in order to assure the anonymity of individuals. (identifiable ---> complete anonymous)

Needham-Schroeder Protocol

The protocol is a shared-key authentication protocol designed to generate and propagate a session key, i.e., a shared key for subsequent symmetrically encrypted communication. The protocol also uses nonces. If a nonce is generated and sent by A in one step and returned by B in a later step, A knows that B's message is fresh and not a replay from an earlier exchange. know steps! how is it susceptible to MiM how can it be fixed

Dark Patterns

Website design features intended to trick users into consenting things they might not want to do, but which benefit the business in question

differential privacy

a method of protecting data that adds enough statistical noise to a published table or statistic so that no individual can be recognized in the data, thus protecting the privacy of every respondent

Electronic Codebook (ECB) mode

a mode of operation that divides plaintext into blocks and then encrypt each block using the same key. SIMPLISTIC!!!!

Salt passwords

a random piece of data is added to the password before it runs through the hashing algorithm, making it unique and harder to crack. When using both hashing and salting, even if two users choose the same password, salting adds random characters to each password when the users enter them. diff salts per user

Diffie-Hellman key exchange

a security algorithm with only one private key that is used by both client and server i.e the key is shared by both client and user. Diffie- Hellman uses exponential methods for the generation of keys. x, y chosen private a^xmodp, a^ymodp NOW we get: a^xymodp as secret

computer Virus

a software program capable of reproducing itself and usually capable of causing great harm to files or other programs on the same computer (user)

PGP (Pretty Good Privacy)

an encryption program that provides cryptographic privacy and authentication for data communication. PGP is used for signing, encrypting, and decrypting texts, e-mails, files, directories, and whole disk partitions and to increase the security of e-mail communications

OAuth

an open-standard authorization protocol or framework that provides applications the ability for "secure designated access." For example, you can tell Facebook that it's OK for ESPN.com to access your profile or post updates to your timeline without having to give ESPN your Facebook password. Users hand out tokens for their data on their services (constraints are imposed)- can have some potential abuse with data mining

good crypto system

cannot get plaintext from ciphertext without decryption key

8 FIPP for GDPR

collection limitation, data quality, purpose specification, use limitation, security safeguard, oppenness, individual participation (challenge it), accountability

Security Layers

data link, network, transport, application

Anonymous information

demographic and behavioral information that does not include any personal identifiers

Digital signature requirement

different messages have different signatures

protect against replays

hash your passwords, generate OTP with a Nonce, use timestamp, OTP use it n times, digital signature (WITH time stamp/nonce)

augmented password login

identify picture after u get your id to validate that u are on the right sight, but not usable because ppl forget what if cookies get intercepted

Data Flow Diagram (DFD)

illustrates the movement of information between external entities and the processes and data stores within the system (entity, data store, data flow, process)

Perfect Cryptosystem

knowing protocol but cannot break system

LINDDUN

linkability, identifiability, non-repudiation, detectability (detect that u are part of some other system), disclosure of information (adversary), unawareness, non-compliance (not following lawS) USES DATA FLOW DIAGRAMS (DFD) , THEN CREATE LINDDUN TABLE FOR EACH COMPONENT IN DFD, then CREATE LINDDUN TREE non-repudiation--> subject not able to deny a claim ab a request (BUT THEY SHOULD BE ABLE TO !!)-- opposite than security

Ransomware

malware that threatens to publish the victim's personal data or permanently block access to it unless a ransom is paid // malware designed to deny a user or organization access to files on their computer. By encrypting these files and demanding a ransom payment for the decryption key, cyberattackers place organizations in a position where paying the ransom is the easiest and cheapest way to regain access to their files.

Crypto Hash Function

map large messages to smaller # bits

Types of threats

masquerade, system penetration, ransomware, planting (trojan horse, virus, worms)

Fair Information Practice Principles (FIPP)

notice/awareness, choice/consent, access/participation, security, enforcement/redress

Limits of notice and consent

ppl dont read it, understand it, underspecified, dark patterns

zero knowledge proof

prove knowledge of a fact to a third party without revealing the fact itself; ask you to prove it MANY times to ensure reliability eg: using graph isomorphism-- one to one mapping between graphs in practice: have G1 & G2, ALICE permute G1 as H, ask BOB to prove H is isomorphic to G1 or G2 , repeat n times

Application Layer

provides a wide variety of applications with the ability to access the services of the lower layers

two-factor authentication

requires the user to provide two means of authentication, what the user knows (password) and what the user has (security /personal token)

Chief Privacy Officer (CPO) / data protection officer

responsible for ensuring that the company complies with existing data privacy laws; governance, data inventory, privacy policies, trainings, security, contracts, breaches

Transport Layer

responsible for providing communication with the application by acknowledging and sequencing the packets to and from the application

TLS/SSL (Transport Layer Security and Secure Sockets Layer)

secure channel that aims to authenticate the SERVER primarily, record=how data transmits handshake=crypto parameters, algorithms, MAC alert=manage exception

RSA Symmetric Key Transport

sender chose symmetric key and encrypts w receivers priv, encrypts message w symmetric, sends both now, receiver decrypts symmetric key first then the message

TCP/IP (Transmission Control Protocol/Internet Protocol)

suite of communication protocols used to interconnect network devices on the internet. how data is exchanged over the internet by providing end-to-end communications that identify how it should be broken into packets, addressed, transmitted, routed and received at the destination. TCP/IP requires little central management and is designed to make networks reliable with the ability to recover automatically from the failure of any device on the network. originally not designed for security; Now standard is IPSec

Authenticated Key Exchange

the exchange of session key in a key exchange protocol which also authenticates the identities of parties involved in key exchange. Transport Layer Security integral to securing HTTP connections is perhaps the most widely deployed AKE protocol

Biometrics

the identification of a user based on a physical characteristic, such as a fingerprint, iris, face, voice, or handwriting very usable, ppl dont like setting it up tho, but some downsides is that it is compromisable?, not entirely unique

Kerberos

uses symmetric key encryption to validate an individual user to various network resources. a computer-network authentication protocol that works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to one another in a secure manner. Its designers aimed it primarily at a client-server model, and it provides mutual authentication—both the user and the server verify each other's identity. Kerberos protocol messages are protected against eavesdropping and replay attacks.

public key cryptography

uses two keys: A public key the sender uses to create encrypted messages, and a mathematically-related private key that the receiver can use to decrypt messages encrypted by that public key.

assymetric vs symmetric

•Asymmetric Cryptography is slower than Symmetric BUT MORE SCALABLE • Asymmetric crypto often isn't suitable for encrypting large amounts of data or even multiple blocks • Asymmetric crypto is often used together with Symmetric crypto as a way of exchanging a joint secret key Secret key SK • CipherText := Encrypt(SK, message) • message := Decrypt(SK, CipherText ) • PublicKey, PrivateKey • CipherText := Encrypt(PublicKey, message) • message := Decrypt(PrivateKey, CipherText )


Conjuntos de estudio relacionados

As a gas is compressed in a cylinder

View Set

7.24.T - Lesson: Emotions with Estar

View Set

Cutaneous Fungal Infections Athlete's Foot

View Set