EECS388 Midterm
Encrypt-and-MAC
- Encrypt plaintext - Keyed hash on plaintext - Uses different keys for MAC and Encrypt
Encrypt-then-MAC
- Encrypt plaintext - Keyed hash on ciphertext - Uses different keys for MAC and Encrypt
HTTP protocol
- Hypertext Transport Protocol - allows fetching individual resources like HTML - client sends: method (GET, POST), path & query, headers - server sends: response code, headers, content data
MAC-then-Encrypt
- Keyed hash on plaintext - Plaintext and hash encrypted as a single message - Uses different keys for MAC and Encrypt
TLS
- Transport Layer Security - cryptographic protocol layered above TCP to provide a secure channel - HTTP + TLS = HTTPS - Assumes client and server are secure but talking over a malicious network
URLs
- Uniform Resource Locators
scheme://host:port/path?query#fragment
scheme: protocol used to access the resource (http/https)
host: server's domain name or IP address (eecs388.org)
port: TCP port (443 for HTTPS, 80 for HTTP)
path: identifies a resource to the server (/papers/index.html)
query: parameters passed to the server (?key1=value1)
fragment: visible to the client (#section4)
TCP
- a plaintext transport protocol - carries HTTP over internet - doesn't provide confidentiality, integrity, or authenticity
Cookie weaknesses
- cookies set over HTTPS are also sent on HTTP requests. SOLUTION: server sets the "Secure" attribute
- cookies readable by any JS running in the origin. SOLUTION: server sets the HttpOnly attribute
CSRF Attack
- cross-site request forgery - causes the user's browser to perform unwanted actions on a different site on the user's behalf
Login CSRF Attack - log the victim's browser into an honest site with an account controlled by the attacker
CSRF via POST request - attacker can trigger a POST request using HTML + JS
Kerckhoff's Principle
A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.
Cipher Block Chaining (CBC)
A process in which each block of unencrypted text is XORed with the block of cipher text immediately preceding it before it is encrypted using the DES algorithm.
Cross-Site Scripting (XSS)
A web application vulnerability. Attackers embed malicious HTML or JavaScript code into a web site's code, which executes when a user visits the site.
Why is it important to carefully apply and verify message padding when using RSA digital signatures? A. If a message is improperly padded, it becomes vulnerable to the padding oracle attack B. Failure to verify proper padding can lead to signature forgery attacks C. If an attacker knows where the message ends and the padding begins, they could use it to deduce your private key D. Without padding, an attacker can deduce your message when e=3
B. Failure to verify proper padding can lead to signature forgery attacks
Assuming a 64 bit (8 byte) block size, which of the following is the PKCS7 padding for a 3 byte message? A. 00 00 00 00 05 B. 01 02 03 04 05 C. 00 00 00 00 00 D. 05 05 05 05 05
D. 05 05 05 05 05
Since RSA can provide confidentiality without the need for symmetric keys, why do we use AES at all? A. There's a limit to how secure RSA can get B. We need RSA to provide forward secrecy. C. RSA is patented by Rivest, Shamir, and Adleman D. AES is a lot faster than RSA
D. AES is a lot faster than RSA
Which of the following is implied by the Cryptographic Doom Principle? A. It's risky to verify a MAC before decrypting a message B. It's risky to use the same key for encryption and for MACing C. It's risky to send two messages using the same one-time pad D. It's risky to decrypt a message before verifying its MAC
D. It's risky to decrypt a message before verifying its MAC
Which of the following are susceptible to length extension attacks? A. Pseudorandom functions B. Pseudorandom generators C. The HMAC construction D. Merkle-Damgård hash functions
D. Merkle-Damgård hash functions
RSA in Practice
For RSA public key (e, N):
1. Generate random x < N
2. c1 = x^e mod N
3. k = SHA-256(x)
4. c2 = AES_k(m)
Second preimage resistance
Given input m1, hard to find second input m2 such that H(m1) = H(m2)
Preimage resistance
Given output h, hard to find m such that h = H(m)
Length Extension Attack
Given y=H(m) for some unknown m, attackers can calculate z = H(m || padding || v) for an arbitrary v. This doesn't violate the properties of strong hash functions
Collision resistance
Hard to find pair of inputs m1, m2 such that H(m1) = H(m2)
HMAC
Hashed Message Authentication Code. Designed to be a secure verifier.
Inputs: key, arbitrary-length data
Output: fixed-size digest (n bits)
The HMAC construction turns any secure hash H() into a MAC and protects against length extension.
HMAC-SHA-256 is an HMAC with SHA-256 as H()
XSS Defenses
Input Validation - check headers, cookies, forms, links, etc.
Output Escaping - encode all special characters so they are not interpreted as code
Content Security Policy
Textbook RSA
Key Generation (in secret)
1. Generate large random primes p and q
2. Compute "modulus" N = pq
3. Pick small "encryption exponent" e, which must be relatively prime to (p-1)(q-1)
4. Compute "decryption exponent" d such that ed = 1 mod (p-1)(q-1)
Yields RSA key pair: Public (e, N), Private (d, N)
Public Key Encryption: Encrypt: c = m^e mod N; Decrypt: m = c^d mod N
Digital Signatures: Sign: s = m^d mod N; Verify: m = s^e mod N
D-H Security
Passive Eavesdropping fails, MITM attacks succeed (Mallory does D-H with both Alice and Bob)
Properties of strong hash function
Preimage resistance, second preimage resistance, collision resistance
Is RSA secure?
RSA can be used for confidentiality, integrity, and/or authenticity.
Confidentiality: public-key encryption
Integrity: digital signatures
Both: use both, with two key pairs
* Over 1000x slower than AES
CSRF Defenses
Referrer Validation - the Referer request header contains the URL of the page making the request
Secret Token Validation - every form contains a secret token the server validates; usually a cookie, so SOP prevents access
SameSite Cookies - can enable the SameSite cookie attribute
Uncracked Hash Functions (so far)
SHA-256, SHA-512, SHA-3
Counter (CTR) Mode
Turns a block cipher into a stream cipher. Generates keystream s from key k and a unique nonce.
Stream Cipher
Use a PRG instead of a truly random pad. Alice and Bob choose PRG g() and share secret key k.
Encrypt: s = g_k(); c = p XOR s
Decrypt: s = g_k(); p = c XOR s
Must never reuse keys
* Don't know how to prove PRGs exist
Do PRF's exist?
We don't know. If one were found, it would imply that P != NP
Browser Execution Model
When loading a document, the browser:
1. loads content at the URL
2. parses HTML and runs inline JavaScript
3. fetches and renders subresources (JS, images, CSS)
Mallory in a MITM attack
can see, modify, and forge messages. Wants to trick Bob into accepting a message Alice didn't send.
Ciphertext Malleability
can transform ciphertext into another ciphertext that decrypts to a related plaintext without knowing the plaintext. In CBC mode, flipping bits in ciphertext block i will completely corrupt decrypted block i and flip corresponding bits in decrypted block i + 1
cookies
- piece of data a server sends to the browser - used for maintaining session state, personalization, and tracking user behavior on or across sites
CBC padding oracle
- problem with MAC-then-Encrypt - attacker submits any ciphertext and learns whether the last bytes of the plaintext are valid padding (think of the project: padding error vs. MAC error)
Web Security Goals
- protect users from malicious sites and networks - isolate sites from each other within the browser
Attacks on textbook RSA
- small e attack - ciphertext malleability - key generation failures - forging signatures for random/specific messages
Stored XSS
- Code is injected permanently on target servers, such as databases - Victim retrieves the malicious script when they request the stored information
Merkle-Damgård construction
1. Pad input m to a multiple of 512 bits
2. Break into 512-bit blocks b0, b1, ...
3. y0 = 256-bit initialization vector; y1 = h(y0, b0); ... ; yi = h(y(i-1), b(i-1))
4. Return yn as SHA-256(m)
A secure channel protocol
1. Use D-H to generate a shared secret
2. Use an RSA signature to confirm who we're talking to
3. Derive symmetric keys using a PRF
4. AEAD or Encrypt-then-MAC for messages
How do we know if a PRF is secure?
1. Choose secret k and random function g()
2. Flip a coin secretly to get bit b
3. If b = 0, let h() = g(); if b = 1, let h() = f_k()
4. Mallory chooses x; we announce h(x). Repeat until Mallory has had enough
5. Mallory guesses b in poly time
We say f() is a secure PRF if Mallory can't do much better than randomly guessing.
Message Integrity with PRFs
1. Let f() be a secure PRF known to everyone
2. Alice and Bob secretly meet up beforehand to get random key k
3. Alice computes v = f_k(m)
4. Bob computes v' = f_k(m') and accepts iff v' = v
Assumptions: no way for Mallory to get k
Attacks: Mallory can resend m, v (replay attack)
What do you do if message is already a multiple of the block size?
Add an entire block of padding
PKCS7
Add n bytes of padding of value n
Does the Same Origin Policy prevent CSRF attacks? A. No, the policy does not prevent web pages of different origins from making requests to each other B. Yes, scripts in one page can only access the data of a second page if they share the same origin C. No, CSRF attacks don't require anything to be exchanged between pages of different origins D. Yes, the policy prevents scripts from other origins from being executed
A. No, the policy does not prevent web pages of different origins from making requests to each other
What is a reason that preventing security flaws can be more difficult than preventing other kinds of flaws in a system? A. Security flaws are exploited by intelligent adversaries B. Security flaws exist in computer systems, which are harder to understand C. Security flaws are much more common D. Security flaws can't be prevented by thinking like a defender
A. Security flaws are exploited by intelligent adversaries
What does the HttpOnly; cookie attribute ensure? A. The cookie will not be accessible by the DOM B. The cookie cannot be used to track you C. The cookie will be securely deleted once the HTTP response is received D. The cookie will not be sent over HTTPS
A. The cookie will not be accessible by the DOM
Which of the following completely prevents a padding oracle attack? A. Verifying a MAC before decrypting the data B. Returning an identical error, whether the padding or the MAC check fails C. Using random IVs for each encrypted message D. Implementing a standard protocol, such as TLS 1.0
A. Verifying a MAC before decrypting the data
Many programming languages offer multiple ways to obtain "random" numbers. Which of the following Python functions is safe to use for cryptography? A. secrets.randbits() B. random.getrandbits() C. numpy.random.bytes() D. scipy.stats.randint()
A. secrets.randbits()
Which of these cipher constructions are malleable? (Choose all that apply.) AES in CTR mode; AES-GCM; AES in CBC mode; AES in ECB mode
AES in CTR mode; AES in CBC mode
SQL Injection
An attack that targets SQL servers by injecting commands that are then executed by the database.
Constructing SHA-256
Arbitrary length input to 256 bit output. Built from a compression function h
How can a PRF be used to ensure message integrity in the presence of a man-in-the-middle attacker? (gk() refers to a secure PRF using key k) A. Alice sends m, Bob receives m', Bob replies with gk(m'), and Alice verifies that gk(m) = gk(m') B. Alice sends m and v := gk(m), Bob receives m', v', and Bob reject the message if v' ≠ gk(m') C. Alice sends m, Bob replies with m', and Alice verifies that gk(m) = gk(m') D. Alice sends m and m', Bob receives them, and Bob rejects the messages if gk(m) = gk(m')
B. Alice sends m and v := gk(m), Bob receives m', v', and Bob reject the message if v' ≠ gk(m')
What is the main vulnerability in Electronic Codebook (ECB) encryption? A. You must never reuse a nonce for a particular key B. Each block containing the same plaintext results in the same block of ciphertext C. The keyspace is small, allowing attackers to easily brute force the key D. The key is released publicly
B. Each block containing the same plaintext results in the same block of ciphertext
one-time pad (OTP)
Combining plaintext with a random key to create ciphertext that cannot be broken mathematically. Pro: information-theoretically secure. Con: must never reuse any part of the pad
Which of the following is a barrier to proving that Pseudorandom Functions (PRFs) exist? A. We are not sure whether or not random functions truly exist, therefore the existence of PRFs cannot be verified B. If true, it would imply that P≠NP C. We cannot demonstrate the differences between a PRF's implementation and a random function's implementation D. Both PRFs and random functions often produce output according to truly random patterns in nature, making it difficult to distinguish between the two
B. If true, it would imply that P≠NP
Which of the following statements is known to be true? A. It's impossible to prove that secure PRGs exist. B. We can prove that secure PRGs exist, if secure PRFs exist. C. We can prove that secure PRGs do not exist. D. We can prove that secure PRGs exist, but we can't prove that secure PRFs exist
B. We can prove that secure PRGs exist, if secure PRFs exist.
What is the relationship between a hash function and an HMAC function? A. Hash functions provide authenticity whereas HMAC functions provide message integrity B. Of the two, only hash functions have been proven to exist C. A hash function is used to construct an HMAC function D. A hash function applies an HMAC function to fixed-size blocks in order to hash arbitrary-length inputs
C. A hash function is used to construct an HMAC function
Block Cipher
Consists of a function that encrypts fixed-size blocks with a reusable key k and an inverse function that decrypts blocks using the same key.
Which of the following is NOT an effective way to guard against SQL injection attacks? A. Use an ORM B. Create a whitelist to validate all parameters against a rigorous specification of allowable input C. Build your own SQL commands D. Use parameterized SQL
C. Build your own SQL commands
What will happen if a website makes an HTTP request to get some JSON from a different origin? Assume that CORS is not enabled, but otherwise no other protections are in place. A. The request and response will go through just fine B. The server will ignore the request C. The request will be made, but the response will be blocked by the browser D. The browser will block the request from being made
C. The request will be made, but the response will be blocked by the browser
Which of the following is NOT an example of an XSS attack? A. Storing malicious code in a database managed by the web application B. Submitting malicious code into a site's input fields C. Tricking users into clicking a link that sends a POST request to a site, logging the users into an attacker account without their knowledge D. Tricking users into accessing a URL hosted on a legitimate site, then using injected code to redirect them to a phishing site
C. Tricking users into clicking a link that sends a POST request to a site, logging the users into an attacker account without their knowledge
Which of the following are examples of encryption algorithms? (Select all that apply) SHA1; MD5; ChaCha20; AES; HMAC-SHA256
ChaCha20; AES
Frames
Displaying two or more web pages at the same time in the same browser window (Example: text or graphic menus in one frame and the main page in the larger frame on one web page)
Which of the following is an example of a cost effective security measure? A. Storing pocket change in a safe B. Having daily long-distance conversations by mail to avoid network eavesdroppers C. A student hiring a security guard to protect their cell phone D. Storing your social security card in a locked box
D. Storing your social security card in a locked box
Which of the following is a blind spot you will develop if you think like a defender? A. You will overestimate adversarial power B. You will find too many insignificant vulnerabilities in your system C. You will look for vulnerabilities in competing systems D. You will convince yourself that your system is secure
D. You will convince yourself that your system is secure
Vigenère Cipher
Encrypt successive letters using a sequence of Caesar ciphers keyed by the letters of a keyword
k = ABC
p:  bbbbbb
+k: 012012
------------
c:  bcdbcd
Cracked Hash Functions
MD5, SHA-1
Reflected XSS
The attacker includes HTML code within a link to a web address knowing the linked page will fail to sanitize the included HTML code, which is often seen on pages that display the query that a user entered.
What cookies can "banana.apple.com" access? (Select all that apply) The cookies for banana.com; The cookies for orange.banana.apple.com; The cookies for banana.apple.com; The cookies for apple.com
The cookies for banana.apple.com; The cookies for apple.com
Man in the middle attack
a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.
Pseudorandom Permutation (PRP)
a function that cannot be distinguished from a random permutation
Cryptographic Hashes
a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size
Caesar Cipher
a technique for encryption that shifts the alphabet by some number of characters
Same Origin Policy (SOP)
a web page from one host should not be able to read or modify content from another host
1. the base HTML document is assigned an origin from its URI
2. scripts and images are assigned the origin of the loading document
3. scripts can access content whose assigned origin matches their own
Padding
adding bytes to a message to make it a multiple of the block size
Cipher Modes
algorithms for applying block ciphers to multiple blocks
Message Verifier
Alice sends message m and verifier v. Bob computes v' = f(m') and accepts the message iff v' = v
Diffie-Hellman key exchange
an asymmetric standard for exchanging keys. Primarily used to send private keys over public networks.
Properties for f() in MITM attack
easily computable by Alice and Bob but not by Mallory. The game is lost if Mallory deduces f(x) for any x != m
How to break Vigenère Cipher
easy to break if we know the length of k, n:
1. break ciphertext into n slices
2. solve each slice as a Caesar cipher
How to find n? - Kasiski method - repeated strings in the plaintext are sometimes encrypted with the same keyword letters - distance between repeats = n (sometimes)
Security mindset
encourages thinking about how attackers could cause systems to fail, to head off problems before they are exploited
Injection Attack
exploit vulnerabilities that mistake untrusted data for code, allowing specially crafted inputs to cause execution of malicious instructions
Cryptographic Doom Principle
if you have to perform any cryptographic operation before verifying the MAC on a message you've received, it will somehow inevitably lead to doom
Thinking like a defender
know what you're defending, and against whom. weigh costs and benefits of security measures ("rational paranoia")
Which of the following are known to a passive eavesdropper during a Diffie-Hellman key exchange? (Choose all that apply.) p; b; a; g^ab mod p; g^a mod p; g^b mod p; g
p; g^a mod p; g^b mod p; g
Message Integrity
sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Pseudorandom function (PRF)
start with a family of 2^n functions, all known to Mallory. Let v = f_k() where k is a secret index/key.
Security
studies how systems behave in the presence of an adversary
Cryptography
study of communicating securely in the presence of an adversary
Cryptanalysis
study of techniques used for breaking cryptosystems
Web Platform
the collection of technologies developed as open standards that powers web sites and applications
Thinking like an attacker
understand techniques for circumventing security; look for ways security can break, not reasons why it won't
Authentication Token
upon successful login, the server sets a cookie with an unguessable random value so that when the user revisits the site it validates the user and they stay logged in
Preventing SQL Injection
use prepared statements
Pseudorandom Generator (PRG)
used to create random-looking sequences of numbers on deterministic devices. All computer algorithms are strictly deterministic. PRGs allow encryption of many data blocks using data generated from secret keys that have only a few bits.