EECS388 Midterm


Encrypt-and-MAC

- Encrypt plaintext
- Keyed hash on plaintext
- Uses different keys for MAC and Encrypt

Encrypt-then-MAC

- Encrypt plaintext
- Keyed hash on ciphertext
- Uses different keys for MAC and Encrypt

HTTP protocol

- Hypertext Transport Protocol
- allows fetching individual resources like HTML
- client sends: method (GET, POST), path & query, headers
- server sends: response code, headers, content data

MAC-then-Encrypt

- Keyed hash on plaintext
- Plaintext and hash encrypted as a single message
- Uses different keys for MAC and Encrypt

TLS

- Transport Layer Security
- cryptographic protocol layered above TCP to provide a secure channel
- HTTP + TLS = HTTPS
- Assumes client and server are secure but talking over a malicious network

URLs

- Uniform Resource Locators: scheme://host:port/path?query#fragment
- scheme: protocol used to access resource (http/s)
- host: server's domain name or IP address (eecs388.org)
- port: TCP port (443 for HTTPS, 80 for HTTP)
- path: identifies a resource to server (/papers/index.html)
- query: parameter passed to server (?key1=value1)
- fragment: visible to client (#section4)

TCP

- a plaintext transport protocol
- carries HTTP over internet
- doesn't provide confidentiality, integrity, or authenticity

Cookie weaknesses

- cookies set over HTTPS are sent on HTTP requests. SOLUTION: server sets "secure" attribute
- cookies readable by any JS running in origin. SOLUTION: server sets HttpOnly attribute

CSRF Attack

- cross-site request forgery
- cause user's browser to perform unwanted actions on a different site on user's behalf
- Login CSRF Attack: log victim's browser into honest site with account controlled by attacker
- CSRF via POST request: attacker can trigger POST request using HTML + JS

Kerckhoffs's Principle

A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.

Cipher Block Chaining (CBC)

A process in which each block of unencrypted text is XORed with the block of cipher text immediately preceding it before it is encrypted using the DES algorithm.

Cross-Site Scripting (XSS)

A web application vulnerability. Attackers embed malicious HTML or JavaScript code into a web site's code, which executes when a user visits the site.

Why is it important to carefully apply and verify message padding when using RSA digital signatures?
A. If a message is improperly padded, it becomes vulnerable to the padding oracle attack
B. Failure to verify proper padding can lead to signature forgery attacks
C. If an attacker knows where the message ends and the padding begins, they could use it to deduce your private key
D. Without padding, an attacker can deduce your message when e=3

B. Failure to verify proper padding can lead to signature forgery attacks

Assuming a 64 bit (8 byte) block size, which of the following is the PKCS7 padding for a 3 byte message?
A. 00 00 00 00 05
B. 01 02 03 04 05
C. 00 00 00 00 00
D. 05 05 05 05 05

D. 05 05 05 05 05

Since RSA can provide confidentiality without the need for symmetric keys, why do we use AES at all?
A. There's a limit to how secure RSA can get
B. We need RSA to provide forward secrecy.
C. RSA is patented by Rivest, Shamir, and Adleman
D. AES is a lot faster than RSA

D. AES is a lot faster than RSA

Which of the following is implied by the Cryptographic Doom Principle?
A. It's risky to verify a MAC before decrypting a message
B. It's risky to use the same key for encryption and for MACing
C. It's risky to send two messages using the same one-time pad
D. It's risky to decrypt a message before verifying its MAC

D. It's risky to decrypt a message before verifying its MAC

Which of the following are susceptible to length extension attacks?
A. Pseudorandom functions
B. Pseudorandom generators
C. The HMAC construction
D. Merkle-Damgård hash functions

D. Merkle-Damgård hash functions

RSA in Practice

For RSA Public key (e, N)
1. Generate random x < N
2. c1 = x^e mod N
3. k = SHA-256(x)
4. c2 = AES_k(m)

Second preimage resistance

Given input m1, hard to find second input m2 such that H(m1) = H(m2)

Preimage resistance

Given output h, hard to find m such that h = H(m)

Length Extension Attack

Given y=H(m) for some unknown m, attackers can calculate z = H(m || padding || v) for an arbitrary v. This doesn't violate the properties of strong hash functions

Collision resistance

Hard to find pair of inputs m1, m2 such that H(m1) = H(m2)

HMAC

Hashed Message Authentication Code. Designed to be a secure verifier.
- Inputs: key, arbitrary length data
- Output: fixed-size digest (n-bits)
- HMAC construction turns any secure hash H() into a MAC
- Protects against length extension
- HMAC-SHA-256 is an HMAC with SHA-256 as H()

XSS Defenses

- Input Validation: check headers, cookies, forms, links, etc.
- Output Escaping: encode all special characters to prevent interpreting code
- Content Security Policy

Textbook RSA

Key Generation (in secret)
1. Generate large random primes, p and q
2. Compute "modulus" N = pq
3. Pick small "encryption exponent" e, must be relatively prime to (p-1)(q-1)
4. Compute "decryption exponent" d such that ed = 1 mod (p-1)(q-1)
Yields RSA key pair: Public (e, N), Private (d, N)
Public Key Encryption:
- Encrypt: c = m^e mod N
- Decrypt: m = c^d mod N
Digital Signatures:
- Sign: s = m^d mod N
- Verify: m = s^e mod N

D-H Security

Passive Eavesdropping fails, MITM attacks succeed (Mallory does D-H with both Alice and Bob)

Properties of strong hash function

Preimage resistance, second preimage resistance, collision resistance

is RSA secure

RSA can be used for confidentiality, integrity, and/or authenticity.
- Confidentiality: public-key encryption
- Integrity: Digital signatures
- Both: Both with two key pairs
* Over 1000x slower than AES

CSRF Defenses

- Referrer Validation: referrer request header contains URL of page making the request
- Secret Token Validation: every form contains a secret token the server validates; usually a cookie so SOP prevents access
- SameSite Cookies: can enable SameSite cookie attribute

Uncracked Hash Functions (so far)

SHA-256, SHA-512, SHA-3

Counter (CTR) Mode

Turns a block cipher into a stream cipher. Generates keystream s for k and unique nonce.

Stream Cipher

Use PRG instead of a truly random pad. Alice and Bob choose PRG g(), share secret key k.
- Encrypt: s = gk(); c = p XOR s
- Decrypt: s = gk(); p = c XOR s
- Must never reuse keys
* Don't know how to prove PRGs exist

Do PRFs exist?

We don't know. If one was found it would imply that P != NP

Browser Execution Model

When loading a document, the browser:
1. Loads content at URL
2. Parses HTML and runs inline JavaScript
3. Fetches and renders subresources (JS, images, CSS)

Mallory in a MITM attack

can see, modify, and forge messages. Wants to trick Bob into accepting a message Alice didn't send.

Ciphertext Malleability

can transform ciphertext into another ciphertext that decrypts to a related plaintext without knowing the plaintext. In CBC mode, flipping bits in ciphertext block i will completely corrupt decrypted block i and flip corresponding bits in decrypted block i + 1

cookies

- piece of data a server sends to the browser
- used for maintaining session state, personalization, and tracking user behavior on or across sites

CBC padding oracle

- problem with MAC-then-Encrypt
- attacker submits any ciphertext and learns if last bytes of plaintext are valid padding (Think of project, padding error and MAC error)

Web Security Goals

- protect users from malicious sites and networks
- isolates sites from each other within browser

Attacks on textbook RSA

- small e attack
- ciphertext malleability
- key generation failures
- forging signatures for random/specific messages

Stored XSS

- Code is injected permanently on target servers, such as databases
- Victim retrieves malicious script when it requests the stored information

Merkle-Damgard construction

1. Pad input m to multiple of 512
2. Break into 512 bit blocks b_0, b_1, etc.
3. y_0 = 256-bit initialization vector; y_1 = h(y_0, b_0) ... y_i = h(y_{i-1}, b_{i-1})
4. Return y_n as SHA-256(m)

A secure channel protocol

1. Use D-H to generate shared secret
2. Use RSA signature to confirm who we're talking to
3. Derive symmetric keys using a PRF
4. AEAD or Encrypt-then-MAC for messages

How do we know if a PRF is secure?

1. Choose secret k and random function g()
2. Flip a coin secretly to get bit b
3. If b = 0, let h() = g(); if b = 1, let h() = fk()
4. Mallory chooses x; we announce h(x). Repeat until Mallory has had enough
5. Mallory guesses b in poly time
We say f() is a secure PRF if Mallory can't do much better than randomly guessing.

Message Integrity with PRFs

1. Let f() be a secure PRF known to everyone
2. Alice and Bob secretly meet up beforehand to get random key k
3. Alice computes v = fk(m)
4. Bob computes v' = fk(m'), accepts iff true
Assumptions: no way for Mallory to get k
Attacks: Mallory can resend m, v (Replay Attack)

What do you do if message is already a multiple of the block size?

Add an entire block of padding

PKCS7

Add n bytes of padding of value n

Does the Same Origin Policy prevent CSRF attacks?
A. No, the policy does not prevent web pages of different origins from making requests to each other
B. Yes, scripts in one page can only access the data of a second page if they share the same origin
C. No, CSRF attacks don't require anything to be exchanged between pages of different origins
D. Yes, the policy prevents scripts from other origins from being executed

A. No, the policy does not prevent web pages of different origins from making requests to each other

What is a reason that preventing security flaws can be more difficult than preventing other kinds of flaws in a system?
A. Security flaws are exploited by intelligent adversaries
B. Security flaws exist in computer systems, which are harder to understand
C. Security flaws are much more common
D. Security flaws can't be prevented by thinking like a defender

A. Security flaws are exploited by intelligent adversaries

What does the HttpOnly cookie attribute ensure?
A. The cookie will not be accessible by the DOM
B. The cookie cannot be used to track you
C. The cookie will be securely deleted once the HTTP response is received
D. The cookie will not be sent over HTTPS

A. The cookie will not be accessible by the DOM

Which of the following completely prevents a padding oracle attack?
A. Verifying a MAC before decrypting the data
B. Returning an identical error, whether the padding or the MAC check fails
C. Using random IVs for each encrypted message
D. Implementing a standard protocol, such as TLS 1.0

A. Verifying a MAC before decrypting the data

Many programming languages offer multiple ways to obtain "random" numbers. Which of the following Python functions is safe to use for cryptography?
A. secrets.randbits()
B. random.getrandbits()
C. numpy.random.bytes()
D. scipy.stats.randint()

A. secrets.randbits()

Which of these cipher constructions are malleable? (Choose all that apply.)
- AES in CTR mode
- AES-GCM
- AES in CBC mode
- AES in ECB mode

- AES in CTR mode
- AES in CBC mode

SQL Injection

An attack that targets SQL servers by injecting commands to be manipulated by the database.

Constructing SHA-256

Arbitrary length input to 256 bit output. Built from a compression function h

How can a PRF be used to ensure message integrity in the presence of a man-in-the-middle attacker? (gk() refers to a secure PRF using key k)
A. Alice sends m, Bob receives m', Bob replies with gk(m'), and Alice verifies that gk(m) = gk(m')
B. Alice sends m and v := gk(m), Bob receives m', v', and Bob rejects the message if v' ≠ gk(m')
C. Alice sends m, Bob replies with m', and Alice verifies that gk(m) = gk(m')
D. Alice sends m and m', Bob receives them, and Bob rejects the messages if gk(m) = gk(m')

B. Alice sends m and v := gk(m), Bob receives m', v', and Bob rejects the message if v' ≠ gk(m')

What is the main vulnerability in Electronic Codebook (ECB) encryption?
A. You must never reuse a nonce for a particular key
B. Each block containing the same plaintext results in the same block of ciphertext
C. The keyspace is small, allowing attackers to easily brute force the key
D. The key is released publicly

B. Each block containing the same plaintext results in the same block of ciphertext

one-time pad (OTP)

Combining plaintext with a random key to create ciphertext that cannot be broken mathematically.
- Pro: information theoretically secure
- Con: must never reuse any part of the pad

Which of the following is a barrier to proving that Pseudorandom Functions (PRFs) exist?
A. We are not sure whether or not random functions truly exist, therefore the existence of PRFs cannot be verified
B. If true, it would imply that P≠NP
C. We cannot demonstrate the differences between a PRF's implementation and a random function's implementation
D. Both PRFs and random functions often produce output according to truly random patterns in nature, making it difficult to distinguish between the two

B. If true, it would imply that P≠NP

Which of the following statements is known to be true?
A. It's impossible to prove that secure PRGs exist.
B. We can prove that secure PRGs exist, if secure PRFs exist.
C. We can prove that secure PRGs do not exist.
D. We can prove that secure PRGs exist, but we can't prove that secure PRFs exist

B. We can prove that secure PRGs exist, if secure PRFs exist.

What is the relationship between a hash function and an HMAC function?
A. Hash functions provide authenticity whereas HMAC functions provide message integrity
B. Of the two, only hash functions have been proven to exist
C. A hash function is used to construct an HMAC function
D. A hash function applies an HMAC function to fixed-size blocks in order to hash arbitrary-length inputs

C. A hash function is used to construct an HMAC function

Block Cipher

Consists of a function that encrypts fixed-size blocks with a reusable key k and inverse functions that decrypt blocks using the same key.

Which of the following is NOT an effective way to guard against SQL injection attacks?
A. Use an ORM
B. Create a whitelist to validate all parameters against a rigorous specification of allowable input
C. Build your own SQL commands
D. Use parameterized SQL

C. Build your own SQL commands

What will happen if a website makes an HTTP request to get some JSON from a different origin? Assume that CORS is not enabled, but otherwise no other protections are in place.
A. The request and response will go through just fine
B. The server will ignore the request
C. The request will be made, but the response will be blocked by the browser
D. The browser will block the request from being made

C. The request will be made, but the response will be blocked by the browser

Which of the following is NOT an example of an XSS attack?
A. Storing malicious code in a database managed by the web application
B. Submitting malicious code into a site's input fields
C. Tricking users into clicking a link that sends a POST request to a site, logging the users into an attacker account without their knowledge
D. Tricking users into accessing a URL hosted on a legitimate site, then using injected code to redirect them to a phishing site

C. Tricking users into clicking a link that sends a POST request to a site, logging the users into an attacker account without their knowledge

Which of the following are examples of encryption algorithms? (Select all that apply)
- SHA1
- MD5
- ChaCha20
- AES
- HMAC-SHA256

- ChaCha20
- AES

Frames

Displaying two or more web pages at the same time in the same browser window (Example: text or graphic menus in one frame and the main page in the larger frame on one web page)

Which of the following is an example of a cost effective security measure?
A. Storing pocket change in a safe
B. Having daily long-distance conversations by mail to avoid network eavesdroppers
C. A student hiring a security guard to protect their cell phone
D. Storing your social security card in a locked box

D. Storing your social security card in a locked box

Which of the following is a blind spot you will develop if you think like a defender?
A. You will overestimate adversarial power
B. You will find too many insignificant vulnerabilities in your system
C. You will look for vulnerabilities in competing systems
D. You will convince yourself that your system is secure

D. You will convince yourself that your system is secure

Vigenere Cipher

Encrypt successive letters using a sequence of Caesar ciphers keyed by letters of a keyword.
k = ABC
p:  bbbbbb
+k: 012012
------------
c:  bcdbcd

Cracked Hash Functions

MD5, SHA-1

Reflected XSS

The attacker includes HTML code within a link to a web address knowing the linked page will fail to sanitize the included HTML code, which is often seen on pages that display the query that a user entered.

What cookies can "banana.apple.com" access? (Select all that apply)
- The cookies for banana.com
- The cookies for orange.banana.apple.com
- The cookies for banana.apple.com
- The cookies for apple.com

- The cookies for banana.apple.com
- The cookies for apple.com

Man in the middle attack

a form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.

Pseudorandom Permutation (PRP)

a function that cannot be distinguished from a random permutation

Cryptographic Hashes

a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size

Caesar Cipher

a technique for encryption that shifts the alphabet by some number of characters

Same Origin Policy (SOP)

a web page from one host should not be able to read or modify content from another host
1. the base HTML document is assigned an origin from its URI
2. scripts and images are assigned the origin of the loading document
3. scripts can access content whose assigned origin matches their own

Padding

adding bytes to a message to make it a multiple of the block size

Cipher Modes

algorithms for applying block ciphers to multiple blocks

Message Verifier

Alice sends message m and verifier v. Bob verifies v' = f(m') and accepts message iff true

Diffie-Hellman key exchange

an asymmetric standard for exchanging keys. primarily used to send private keys over public networks.

Properties for f() in MITM attack

easily computable by Alice and Bob but not by Mallory. The game is lost if Mallory deduces f(x) for any x != m

How to break Vigenere Cipher

easy to break if we know length of k, n:
1. break ciphertext into n slices
2. solve each slice as Caesar cipher
how to find n?
- Kasiski method
- repeated strings in plaintext sometimes encrypted using same word
- distance between repeats = n (sometimes)

Security mindset

encourages thinking about how attackers could cause systems to fail, to head off problems before they are exploited

Injection Attack

exploit vulnerabilities that mistake untrusted data for code, allowing specially crafted inputs to cause execution of malicious instructions

Cryptographic Doom Principle

if you have to perform any cryptographic operation before verifying the MAC on a message you've received, it will somehow inevitably lead to doom

Thinking like a defender

know what you're defending, and against whom. weigh costs and benefits of security measures ("rational paranoia")

Which of the following are known to a passive eavesdropper during a Diffie-Hellman key exchange? (Choose all that apply.)
- p
- b
- a
- g^(ab) mod p
- g^a mod p
- g^b mod p
- g

- p
- g^a mod p
- g^b mod p
- g

Message Integrity

sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

Pseudorandom function (PRF)

start with a family of 2^n functions all known to Mallory. Let v = fk() where k is a secret index/key.

Security

studies how systems behave in the presence of an adversary

Cryptography

study of communicating securely in the presence of an adversary

Cryptanalysis

study of techniques used for breaking cryptosystems

Web Platform

the collection of technologies developed as open standards that powers web sites and applications

Thinking like an attacker

understand techniques for circumventing security; look for ways security can break, not reasons why it won't

Authentication Token

upon successful login, server sets a cookie with an unguessable random value so that when user revisits site it validates the user and stays logged in

Preventing SQL Injection

use prepared statements

Pseudorandom Generator (PRG)

used to create random sequences of numbers in deterministic devices. All computer algorithms are strictly deterministic. PRGs allow encryption of many data blocks using data generated from secret keys which have only few bits.

