Security exam question
What is the percentage chance of knowing the next binary digit?
50/50, as it may be 1 or 0; this is called perfect secrecy.
What is the length of the SHA-512 message digest?
512 bits
speaking people who have the proper authority should be able to do whatever it is (and only whatever it is) they are authorised to do. Nobody else should be able to do anything on the system.
A multi-user distributed computer system offers access to objects such as resources (memory, printers), data (files) and applications (software).
What approaches are taken to minimise the chance of a false key being present in the key ring?
1- Alice can get the public key directly from Bob (physically), but the problem is the physical limitation 2- Alice can verify the key via telephone 3- Alice gets the key from someone else whom Bob trusts 4- use a trusted certificate agency to obtain the key
How do Alice and Bob communicate through the server?
1- Alice communicates with the server, sends the names of Alice and Bob and requests that a session key be generated 2-
How does 3DES work?
1- Alice encrypts M with key 1 to form c 2- then Alice decrypts c with key 2 to form m' 3- then Alice encrypts m' with key 3 to produce c'. For decryption the sequence is reversed: 1- Alice decrypts c' using k3 to produce m' 2- Alice encrypts m' using k2 to produce c 3- Alice decrypts c using k1 to produce m
Give a list of alternative ways of authentication
1- answer a secret question 2- fingerprint or retina scan 3- presentation of something you have, such as a passport or credit card
What are the steps of key escrow?
1- assume the key has b bits, K = k1k2k3...kb 2- the first piece, K1, consists of n bits chosen at random 3- the second piece, K2, is calculated by XORing K and K1 4- the original key is recovered by XORing K1 and K2
Steps to make a certificate
1- Bob generates a document which includes his relevant information and presents himself with the document at the CA 2- the CA confirms Bob's identity 3- the CA hashes the document using a secure hash algorithm and encrypts the resulting message digest using its own private key 4- the encrypted message digest is the certificate and is published together with the unencrypted message, which includes the public key
What five services does PGP offer?
1- confidentiality 2- segmentation 3- authentication 4- compression 5- compatibility
Which methods can be used to protect the password file?
1- cryptographic methods 2- access control over the password file
What four properties should a hash function have to be strong?
1- easy to compute 2- no collisions 3- no preimages 4- input can be of arbitrary length
What five properties should a block cipher satisfy?
1- large block size 2- large key space 3- diffusion property 4- confusion property 5- completeness
Why use hashing in a digital signature?
1- speed 2- confidentiality
Why use a digital signature?
1- to prove who the message is from 2- to show that the message has not been corrupted or altered in any way
What are the two components of a password system?
1- user name to establish identity 2- password to confirm the authentication of identity
How does PGP associate a level of trust with each public key?
1- when Alice inserts a new public key into her public key ring, she can specify unknown, trusted, marginally trusted or completely trusted 2- a legitimacy value, which gives an indication of who has signed it
Find the inverse of 223 mod 660
1- 660 = 223*2 + 214; 223 = 214*1 + 9; 214 = 9*23 + 7; 9 = 7*1 + 2; 7 = 2*3 + 1. Rearrange the last equation to make 1 the subject: 1 = 7 - 3(2). From the equation 9 = 7*1 + 2, 2 = 9 - (7*1). Substitute: 1 = 7 - 3(9 - 7) = 4(7) - 3(9)
Nine of the twelve mode bits are used to encode access rights. These access bits can be thought of as the access control matrix entry. They are divided into three groups of three bits which represent the owner, group and other users respectively. For each of these three groups, the three bits are r w x representing read access, write access
For example, the 9 bits r w - r - - r - - indicates that the owner has read and write access but not permission to execute the file, whereas the group members and all other users have read access only. The 9 bits r w x r - - - - - indicates that the owner has read, write and execute access, whereas the group members have read access only and other users have no access to the file.
Example of the size function b(n), the number of bits needed to write n
For example: b(5) = b(101₂) = 3; b(20) = b(10100₂) = 5; b(2^12) = b(4096) = b(1000000000000₂) = 13
One-time pad
A security method that provides perfect secrecy
Random substitution cipher
More secure than the Caesar cipher
Cryptanalyst
A person who tries to decrypt ciphertext for malicious use
What is the limitation of DAC?
If files are controlled by their owner, there is a risk of unexpected propagation of access rights, possibly as a result of malicious action.
What is the main aim of blocking?
That the same letter takes more than one value in the ciphertext
One method for improving security
Using blocking
What is a one-time pad, and what are its advantages and disadvantages?
It is a method of symmetric key cryptosystem
What does authentication do?
It answers the claim, in response to "who are you?", that you are who you say you are
Why is it called a one-time pad?
It is so called because each digit in the stream is used only one time and never repeated
What is the relation between the one-time pad and generating the key iteratively using the XOR operation?
The key stream can be generated with the XOR function by producing the next bit as the XOR of the first bit with the last bit of the previous n bits, giving a key length of 2^n - 1
What is non-repudiation concerned with?
It is concerned with knowing the sender and receiver, and can be used in digital signatures
What is the issue with access control in security?
It is concerned with access control rights when designing the security system
What does PGP confidentiality contain?
It contains a combination of both public key and symmetric key cryptosystems to provide confidentiality for the message
What does computer security deal with?
It deals with the detection of and reaction to unauthorized users dealing with information in a computer system
What does PGP authentication depend on?
It depends on Alice alone knowing her private key, with no one else knowing that key
What does stream cipher security depend on?
It depends on the keystream generator
What is the meaning of ownership policy?
It determines which subjects have which permissions on an object
What is the disadvantage of the LFSR?
It is easy to predict, so it should not be used alone for keystream generation
Non-repudiation
It ensures that neither the sender nor the receiver can deny the message
Briefly, what is access control?
Access controls provide the limitation and control of access to authorised users through identification and authentication
Access control is crucial in computer security. All of the features that we would like a security system to provide (confidentiality, availability, integrity, non-repudiation, authentication and accountability) depend upon the proper implementation of access controls.
Authentication: Authentication is proving a claim - usually that you are who you say you are, where you say you are, at the time that you say it is. Authentication may be obtained by the provision of a password or by a scan of your retina, for example. See Chapter 2 for further methods of authentication.
Access controls: Access controls provide the limitation and control of access to authorised users through identification and authentication. A system needs to be able to identify and authenticate users for access to data, applications and hardware. In a large system there may be a complex structure determining which users and applications have access to which objects. See Chapter 3 for further details on access control models.
With this model, a process can be granted just the permissions it needs to be functional. This follows the principle of least privilege. Under MAC, for example, users who have exposed their data using chmod are protected by the fact that their data is of a kind only associated with user home directories, and confined processes cannot touch files without permissions and purpose written into the policy.
All interactions between subjects and objects are disallowed by default on a SELinux system. The policy specifically allows certain operations. To know what to allow, an access control matrix is used. The matrix is derived from the policy rules. The matrix clearly defines all the interactions of processes and the targets of their operations.
To implement an OTP, users generally have a token (similar to a small electrical keyring, for example) which generates the passwords either based on a
1- Answering a question that only you are likely to know the answer to, such as your mother's maiden name or date of birth. This information is not that hard for a hacker to acquire, so it provides only a low level of security.
2- Presentation of something that you have, such as a credit card or passport. These can be forged or stolen but in general are a good means of identification and authentication.
3- Use of fingerprints, retina patterns or palm prints. This is a high cost solution, but fingerprints, etc. are fairly hard to replicate and are not something that the genuine user can lose or forget! However, a determined attacker with adequate financial resources can replicate these physical attributes, leading to a catastrophic failure of a supposedly high security identity system.
RSA key generation
Bob uses a strong pseudo-random generator to generate two random primes p and q. Then calculate n = p*q. Then calculate r = (p-1)(q-1). Then choose a number e between 1 and r which has no common factor with r. Compute d, the private key, by solving e*d mod (p-1) = 1. Then use (e, n) as the public key and d as the private key.
What is the aim of blocking?
By blocking we reduce the statistical analysis problem
What is meant by a group in access control?
It means a group of subjects which have the same access permissions
What do security attacks mean?
Intercepting the transmission of messages between the sender and receiver
What does integrity mean?
It means prevention of alteration or modification of information; data is stored in the computer as it is intended
What is the aim of availability?
Information should be available and accessible when needed by authorized users
What does confidentiality mean?
Prevention of unauthorized disclosure of information
What is meant by statistical analysis?
The redundancy of English letters can be used to recover the plain message from the ciphertext
What is the discretionary ownership policy?
The owner of a resource decides who has access to which objects and resources
What does access control mean?
The limitation of access to information through identification and authentication
How does a man-in-the-middle attack on the Diffie-Hellman exchange protocol occur?
By changing the values sent from Alice to Bob, and vice versa, to 1
What is the advantage of MAC?
It provides a framework that allows you to define all access permissions over the objects and resources for all subjects
How is the key used in a substitution cipher?
It is shared between the sender and receiver
What is the key in a random substitution cipher?
A table of letter substitutions
What are objects in an access control system?
The shared resources, such as printers, data files or software
How can we obtain authentication?
By a password, a retina scan or a fingerprint
What is a chosen message attack?
Charles generates a message and persuades Alice to encrypt it, then tries to find the encryption key
What is a known message attack?
Charles knows part of the message and the corresponding ciphertext, and tries to find the decryption key or encryption key
What is a ciphertext-only attack?
Charles knows only the ciphertext and has no idea what the message is
The probable chosen message idea
Charles predicts that the message may contain some words related to the sender or receiver, such as a company name
What is a chosen ciphertext attack?
Charles takes part of the chosen ciphertext and persuades Bob to decrypt it, and from that can derive the decryption key
Example of the Caesar cipher
If k is 5 then the letter A becomes F and the letter B becomes G
What is the disadvantage of the one-time pad?
Costly and difficult to organize
Which structure is used by DES?
DES uses the Feistel structure for encryption
What are the methods of attack?
Differential analysis; try all keys
How does compression work?
It works by replacing repeated text with a short code
What are the properties of a good cryptosystem?
Large block; large key space; high speed of execution; the same algorithm for encryption and decryption, to reduce development cost and prevent bottlenecks
It is important that no-one else gets a copy of this digit stream, so to achieve perfect secrecy Alice should personally give it to Bob. When Alice wants to send her message to Bob (this may be some time later, when Alice cannot physically meet Bob) she codes it into a stream of binary digits. Then for each binary digit in the message she XORs it to the binary digit in the random digit stream at the corresponding position:
Message       0 1 1 1 0 0 1 0 1 0 0 1 1 ...
Random stream 1 0 0 1 1 0 0 0 1 1 0 1 0 ...
Ciphertext    1 1 1 0 1 0 1 0 0 1 0 0 1 ...
Alice sends Bob the ciphertext. Bob uses his copy of the random stream to retrieve the original message. The inverse of XOR is also XOR, so all Bob has to do is XOR the ciphertext with the random stream and he will recover the message.
Communication is intercepted if the attacker interrupts the communication and receives the source information
Modification occurs when the attacker intercepts the communication, alters it in some way, and then sends it on to the destination. The attacker intends to deceive the destination into thinking that the modified communication has come directly from the source. This is also known as a man-in-the-middle attack.
Example of a math problem solved with Fermat's little theorem
A prime number p; a number m between 2 and p-1; a number e between 2 and p-1. Compute c = m^e mod p. The problem is to find m, knowing e, c and p. To solve it, we calculate d by solving the equation e*d mod (p-1) = 1; the value of d can be found using Euclid's method. Then compute m = c^d mod p
What is another name for confidentiality?
Privacy or secrecy
What types of scheme provide authentication for e-mail?
PGP and S/MIME
Examples of subjects
Persons such as Alice or Bob, or perhaps another program or computer
This type of attack can be thwarted by using a relatively inefficient function to encrypt the passwords. Consider that the hacker may have to encrypt millions of possible passwords before a match is found. If each encryption takes one or two seconds then this will take many days. However, for a genuine individual user a time lapse of a few seconds each time they enter their user-name and password is negligible.
Rainbow tables: If a well-known function, such as a secure hashing function, is used to encrypt passwords, then pre-computed rainbow tables can be used to find passwords very quickly
There are five types of operation in access control; list them
Read, write, append, delete, execute
What types of permission exist on files?
Read, write, delete, append, execute, change permission, change ownership
Give an example of the protection ring model
A ring with five levels, with 0 in the outer level and 4 in the inner level
What is SSH?
SSH (secure shell) is a protocol which allows data to be securely exchanged between two computers. SSH uses encryption to provide confidentiality and integrity of data being passed over an insecure network such as the Internet. Like TLS, SSH uses public key cryptography to authenticate the remote computer. Unlike TLS, SSH also allows the remote computer to authenticate the user if necessary.
What are the types of hash function?
SHA and MD5; MD5 is not used recently
There are five types of secure hash function, which are
SHA, SHA-1, SHA-384, SHA-256, SHA-512
What does SHA-512 do in the computation stage?
SHA-512 uses six logical functions which involve shifts, bitstring operations (and, or) and modular arithmetic mod 2^64.
What are the main components of the Bell-LaPadula model?
A set of subjects S, a set of objects O, a set of access permissions A, a set of security levels L
This is hard to achieve although not impossible. The one-time pad is a method of encryption that offers perfect secrecy.
Suppose Alice wants to send Bob a message using the one-time pad. Alice generates a stream of random binary digits (a list of 0s and 1s occurring at random) which is as long as the message. She makes a copy of this stream of digits and gives it to Bob.
Number of passwords: An intelligent attacker will carry out dictionary and intelligent or modified dictionary attacks before attempting an exhaustive search. This is because, although an exhaustive search is bound to succeed eventually and a dictionary search may fail, if it succeeds, the dictionary search is much faster.
Suppose that passwords are six characters long. If the password is made up only of lower case letters, then there are 26 choices for each character in the password. Hence there are 26^6 = 308,915,776 ≈ 3 × 10^8 possible passwords of six lower case letters. If we include lower and capital letters, there are 52^6 ≈ 2 × 10^10 possible passwords. Adding in digits as well gives a choice out of 62 for each character in the password, and there are now 62^6 ≈ 5.7 × 10^10 possible passwords. Finally, if we allow any keyboard character including ! ? * & etc., there are approximately 100 different choices for each character in the password and hence there are 100^6 = 10^12 possible passwords.
What are the types of encryption algorithm?
Symmetric and asymmetric
Aim of access control
The system should be able to identify and authenticate the user
What are TLS and SSL?
TLS (Transport Layer Security) is the successor of SSL (Secure Sockets Layer) and is the security protocol used by web browsers to connect securely to web servers. SSL was implemented by Netscape and became the de facto standard until TLS, which varies only slightly from SSL, came into use in 1999. TLS is now the official version. TLS uses public key infrastructure and certificates issued by a trusted third party, the certification agency or CA. When a TLS client wants to make contact with a server, a handshake is performed which consists of several steps. If any of these steps fail,
What else do we use on the Internet?
TLS (transport layer security) and SSH (secure shell) to provide authentication for Internet clients
How is the original key recovered?
The key K is recovered by XORing all of the key pieces together: K = X1 ⊕ X2 ⊕ X3 ⊕ ... ⊕ Xn−1 ⊕ Xn
What type of key is used in a symmetric key cryptosystem?
A key shared between the two parties, used for both encryption and decryption
What is done with the key in key expansion?
The key that is provided as input is expanded into an array of 44 32-bit words w_i
Explain the difference between a master key and a session key
The master key is a key that is used repeatedly and is stable, as it does not change. A session key is a key which is generated every time we invoke something; this occurs in trusted third party exchange protocols
Which access permission type is used in the Bell-LaPadula security model?
The model uses an access control matrix
What is the relation between security features and access control?
All the features depend on the proper implementation of access control
How do I know that you are who you say you are? The computer must now establish that the person logging into the system as John Smith actually is John Smith. Since the user-name is not a secret, anyone could try to log into the system using the identity of John. The person logging in must somehow prove that they are the genuine John Smith. This is usually done by using a password. The password is a secret and is only known to the genuine user John Smith. By entering this secret password, in conjunction with his user-name, John proves to the computer that he is an authorised user and is allowed access to the system
Thus there are typically two stages in the process of identification: 1. A user-name is used to establish identity. 2. A password is used to establish authentication of identity.
What is the benefit of adding authentication to the Diffie-Hellman exchange protocol?
To prevent a man-in-the-middle attack
The password file can be protected by using a one-way function f(x) to encrypt the stored passwords as follows. To create a new user-name/password pair: the user inputs their user-name and password x; the system computes f(x); the password file does not store x but instead stores f(x) indexed by user-name.
To verify a user: the system asks for the user-name and password; the system computes f(x′), where x′ is the password entered by the user; the system checks whether there is a match between the f(x) stored for the given user-name and the f(x′) just computed. If f(x) = f(x′) then x = x′ and the user is verified. If f(x) ≠ f(x′) then the password entered by the user is incorrect and access to the system is denied.
What is the difference when using hashing in a digital signature?
Bob creates a message, then hashes the message with a hash function, then encrypts the hash and sends both to Alice. Alice decrypts the signature and then hashes the message with the same hash function; if the two are the same then it is good
The last step
Bob decrypts Alice's message with Bob's key KBS to obtain KAB; now both Alice and Bob know KAB
Is the n-of-n escrow protocol practical?
Not practical, and not used except in emergency cases
How can we encrypt the password file?
By doing the following: create the user-name/password pair (x); the system does not store the password as x but stores it as f(x), indexed by user name
How can we know if a number is prime or composite?
By using Fermat's little theorem
How to improve the security of a message in a digital signature?
By using a hash function
How are the initial values initialised?
By using the hash words H0 to H7, given in hexadecimal
What ways are used to determine the initialisation vector IV?
Fixed IV, counter IV, random IV, nonce-generated IV
How does the Feistel structure work?
For each round the data block is divided into two halves, right and left; each half is processed and used as input to the other half in the next round
What is a one-way function?
A function is said to be one-way if it is easy to compute in one direction but hard to compute in reverse
What does the hash computation stage contain?
Generate a message schedule and use that schedule along with the functions, constants and word operations
What methods are used in password guessing?
Guessing the password using the user's personal knowledge, dictionary searching, intelligent searching, exhaustive searching
What is the factorisation problem?
It depends on the fact that it is easy to multiply two numbers to produce an integer but hard to find the two numbers from the product
What does Needham-Schroeder depend on?
It depends on the trusted third party method and uses symmetric key cryptography
How is encryption done in a block cipher?
It is done block by block, acting on a block to produce ciphertext of the same size
What is the role of the certification agency?
It guarantees the link between the key holder and the public key by signing a document which contains the user name, public key, name of the agency and expiry date of the document
What does the question "who are you?" refer to?
The identification part of the password method, where the user enters their name to get the user identification
What is the mechanism of rainbow tables?
They are tables of passwords which allow a fast search for the password in the table
What is intelligent searching?
Many passwords are combinations of letters and numbers; in an intelligent search we try many combinations of letters and numbers: apple0, apple1, apple2, ..., apple9, apply0, apply1, ...
What is the idea behind guessing passwords from personal information?
Many people use passwords that relate to their personal information, such as a parent's name, a dog's name or other related information
What type of function is a hash function?
A many-to-one function is used; this means that different values exist for the same h(x), i.e. collisions
In what ways can a one-time password be applied?
A mathematical algorithm which generates a password based on the previous password; a time synchronisation protocol; a mathematical equation that creates a password based on a challenge such as a random number
What type may a certification agency be?
It may be governmental or financial
What does SHA-512 preprocessing contain? (1)
The message is padded using the equation L + 1 + k ≡ 896 mod 1024, where L is the length of the message and k is the smallest non-negative solution to the equation; a 128-bit block holding the length L is always appended to the end of the message
What does output feedback mode depend on?
The message is not used directly; the block cipher is used to generate a random stream of bytes called the keystream, which is then XORed with the message stream to produce the ciphertext
How to generate a keystream simply
We can create it using an initial key of n bits and generate the next bit by XORing the first bit with the last bit of the previous n bits
What is the practice for generating a stream cipher?
We create the stream cipher from a small key
Table 3.3: Access control matrix with groups (rows G1 and G2, columns O1 to O4; G1 is ticked for three of the objects and G2 for two; the exact cells are not recoverable here)
We have not yet considered who has the authority to decide which subjects have which permissions over which objects. The ownership policy may either be discretionary or mandatory.
What is PGP segmentation?
We segment the message before encryption. Also, in PGP segmentation
What is used to represent access control when the system is not hierarchical?
We use lists and a matrix
How to prevent a high-level object from being copied into a lower level
We use the no-write-down policy
What is a method for certificates?
X.509
What is the name of the standard protocol for issuing certificates?
The X.509 standard
In 2-of-2 key escrow, what function is used?
The XOR function is used to hide the original key
What is the idea of the n-of-n escrow protocol?
Xn = K ⊕ X1 ⊕ X2 ⊕ X3 ⊕ ... ⊕ Xn−1
Do authentication and confidentiality work together?
Yes
Can MAC provide authentication?
Yes, as it defines permissions for all processes, called subjects, which interact with all other objects in the system
Could we break the no-read-up policy without knowledge of the high level?
Yes, by a Trojan horse program
Can we add flexibility without breaking the rules?
Yes, by downgrading all subjects and objects to the lower level; then all can access the other objects easily
Can a hash function be used in output feedback mode?
Yes, it can be used, and this gives better speed and confidentiality than normal
Can a security level include operations?
Yes, it can include operations as well
Is the Bell-LaPadula security model used?
Yes, it is one of the most famous security models used. It aims to provide a multi-user secure operating system
What is a good example of a one-way function?
A good example is multiplying and factorising
A rainbow table is a table that stores the encryption of all possible passwords of a given format. For example, all passwords that are eight characters long and contain lower case letters and digits. These rainbow tables are huge and require a large amount of storage space and initially a lot of time to compile.
are built, they can be searched very quickly to find password matches. These tables are used to retrieve lost user passwords and they are very useful for this purpose. However, in the wrong hands they can obviously be used to find passwords for malicious purposes.
what are mechanism of modification?
attacker intercept the information and make changes and send them back to the destination
how does fabrication occur?
attacker set up a communication and send to destination pretending that it come from the source
what happened for after 16 round?
after 16 round the two halves are concatenated with each other
what are aim of CBC
aim that if two identical plaintext will produce non identical ciphertext
what happen when alice receieve all what server send in the second step?
alice decrypt all what send and now he known KAB
how use a symmetric exchange into symmetric key?
alice generate KAB symmetric key alice look for bob public key and encrypt KAB c=encrypt bob public(KAB0 alice send the ciphertext c to bob which decrypt it by it private key to known AB now both alice and bob known the key and begin to exchange them
how alice send message to bob in public key crtptosystem?
alice look for bob public key and encrypt the message using public key and send the encrypted message to bob who can decrypt it using his private keys
how bob receive from alice?
alice send to bob the name of alice and a session key encrypted with KBS
what happen if alice want to communicate with bob?
alice use the public key of the CA to decrypt the certificate she use the same hash function to CA to hash the document she checks to see whether the hash of the document is exactly equal to the decrypted certificate
what rc6 features?
allow direct analysis suitable for use by hardware or software used in number of products of RSA
what mean of key escrow?
allow two or more people to hold part of the key ans each piece of the key reveal no information and can not be used alone and when enough key pieces are available the key reassembled
how we used fixed iv as intitalisation vector
use the same iv every time with not recommended because if the first block of the message are the same it will give the same ciphertext every time give the same problem with ecb
what the action that PGP are used?
use web of trust for key management
what are IDEA FEATURES?
used in PGP in number of commerical uses not use substitution s box used three math functions xor binary addition and multiplication of 16 bit integers has 8 rounds , 6 subkeys for each round subkey used circular shifts
where use the x.509 used?
used in most network security application include ip security
what are advantage of rainbow tables?
used to restore the lost password
what are dictionary searching in it simple way?
user name may choose word to remember word may be in a natural language we can use a dictionary by run a program that try all words in that dictionary until find the password
how to claculate the value of k
value of k k=896-l-1 if l =24 bits then k =896-24-1=871 then the message become message(l) ++1+871 zeros+128 bits in binary then the message parsed in bloks of 1024 length
to prevent attack from charles in nodeham protocol?
we added another step which are signifying that alice or bob receieve the message
how we can prevent the attacker from taking the password ?
we can prevent attacker from the password by education that not give any one your password
hw we can used the hash function?
we can use the hash function to shorten and store data
what are needed in needham method for keys ?
we need trusted third party or server to exchange keys
what should do to ensure the security of public key ?
we should use a large parameter of 200 t0 600 decimal point to defend against exhaustive searching
diffie helam example
we will use equation to form x =g^a mod p y = g^b mod p then exchange x and y then use the equation k=y^a mod p k=x^b mod p generator used only in the first part and the x,y used in the second pary
what are types of trusting public key?
web of trust certificate
to solve the problem of certificate what we use?
web of trust are used to be trust the keys PGP
does rijndael use fesitel algorithm?
no it not use feistel algorithm
What is the session key idea?
There is no need to store many keys; you only need one key shared between Alice and the server, and each time the protocol is invoked a new session key is formed.
What is related in a public key ring?
Signature trust and key legitimacy
What is the add round key operation?
A simple bitwise XOR of the current block with a portion of the expanded key.
What is shift row?
A simple permutation performed row by row.
What determines computational complexity in terms of size?
The size of the problem determines it.
Ranking of passwords
Small letters only: the number of passwords is 26^6 (where 6 is the password length); small and capital letters: 52^6; adding the digits 0-9: 62^6; allowing any keyboard character: 100^6.
How to prevent a fake login screen
Some screens have a unique pattern that cannot be repeated; it is shown to the user and is impossible to replicate.
What is the hash value?
The hash value is the value determined by the hash computation; it represents the hash.
Idea of the digital signature
The idea is that only the holder has its private key, and the signature can be decrypted with the holder's public key; this explains why it is perfect.
What is the input to Rijndael?
The input is a 128-bit block for both encryption and decryption. This block is copied into the state array, a square matrix of bytes, which is modified at each stage of encryption and decryption.
What is the idea of 2-of-2 key escrow?
The key is split into two pieces; both of them are needed to restore the key.
What happens to the key K (DES key schedule)?
The key is split into 16 subkeys, each 48 bits long.
What is the main disadvantage of a symmetric key cryptosystem?
The number of keys grows as the number of users grows: n = n(n−1)/n
What is the simplest form of spoofing?
The simplest form of spoofing is simply asking the user for his password.
How is the password file decrypted to verify the user?
The system asks the user for a user name and password. The user enters a password x'; the system computes f(x') and checks whether it matches the stored value f(x). If they match, the check is complete and login succeeds.
What is recommended for passwords?
The user should change the password every three or four months.
In a symmetric cryptosystem, where does the security lie?
In the key.
What do subject and object represent?
They represent the active and passive parts of the process.
What is the idea of 2-of-3 key escrow?
Three key pieces are generated; any two of the three pieces can be used to recover the original key. We think of the original key as a decimal value and require a prime parameter p greater than k.
What is the problem with X.509 certificates?
To certify a key a third party must be involved; the trusted third party may be corrupted, in which case all keys become available to anyone, which is not secure.
How can we calculate exponentiation fast?
To compute x^n: set y = 1 and u = x; repeat { if n mod 2 = 1 then y = u * y; n = n div 2; if n ≠ 0 then u = u * u } until n = 0; output y.
How does the fast algorithm for modular exponentiation work?
To compute x^n mod m: set y = 1 and u = x mod m; repeat { if n mod 2 = 1 then y = y * u mod m; n = n div 2; if n ≠ 0 then u = u * u mod m } until n = 0; output y.
What problem do we face when using CBC?
Deciding the value of C_0, which is XORed with the first plaintext block.
Why does a hash function need to be easy to compute?
To make computations fast and efficient: cryptographic protocols may need many hashes, so the function should be easy to compute.
Why a large key space?
To prevent exhaustive searching.
Why is collision resistance needed?
To prevent non-repudiation
Why is a large block size needed?
To prevent statistical analysis.
How do we ensure that the public key used belongs to the specific party we need?
To prevent the incorrect use of another public key rather than the one needed.
Why is pre-image resistance needed?
To prevent two x values having the same hash value.
What is required to implement one-time passwords?
Tokens are used to generate the password.
Example: modular inverse of 2 mod 17
.5 mod 17=
Give an example of an access control matrix
        prog1   database1   database2
Alice   {e}     {r,w}
Bob
What is the basic protocol to generate the three pieces?
1. Alice, the holder of key k, generates a random number a and three random numbers x1, x2, x3, which must be different and between 1 and p.
2. Alice computes ki = ((a * xi) + k) mod p for i = 1, 2, 3.
3. Alice keeps the value of a secret and gives each of the three key holders the pair (xi, ki).
We have the following sets: a set of subjects S, a set of objects O, a set of access operations A = {execute, read, append, write}, and a set of security levels L with a partial ordering ≤. Every subject is allocated a maximum security level f_s and a current security level f_c. Every object has a security classification.
1. A subject can read an object only if the subject's security level is greater than or equal to the object's classification. This is a no-read-up policy.
Give a short expression of the protocol that uses a third party
1. A → S : A, B
2. S → A : eKAS(B, KAB, eKBS(A, KAB))
3. Alice decrypts to get B, KAB, eKBS(A, KAB)
4. A → B : eKBS(A, KAB)
5. Bob decrypts to get A, KAB
How do we make the encryption sequence (PGP authentication and confidentiality with compression)?
1. Alice signs the original message m as before: sig = pk:encryptApriv(h(m))
2. Alice compresses the original message using the ZIP algorithm: M = ZIP(m).
3. Alice generates a session key K and uses it to encrypt the compressed message and the signature: c = sk:encryptK(M; sig)
4. Alice encrypts the session key using Bob's public key to obtain K′.
5. Alice sends Bob the pair (K′; c).
6. On receiving (K′; c) from Alice, Bob decrypts K′ using his own private key to obtain K: K = pk:decryptBpriv(K′)
7. Bob decrypts the ciphertext c using the session key K to obtain M and sig: (M; sig) = sk:decryptK(c)
8. Bob decompresses M to obtain the original message m: m = UNZIP(M)
9. Bob now has the message m. In order to authenticate it he uses Alice's public key Apub to decrypt the signature and hashes the message m. If the two results match then the message is authenticated: h(m) ?= pk:decryptApub(sig)
How does the radix-64 system work?
1. The binary input is split into blocks of 24 bits (3 bytes).
2. Each 24-bit block is then split into four smaller blocks of 6 bits each.
3. Each 6-bit block then has a (decimal) value between 0 and 2^6 − 1 = 63. This value is encoded into a printable character using Table 11.1.
What is Twofish?
128-bit block length with a key length of 256 bits; 16 Feistel rounds similar to DES; the S-boxes are key dependent, unlike DES.
What is the second step in the hash computation?
2. Initialise the eight working variables a, b, c, d, e, f, g and h with the (i − 1)st hash value: $a = H^{(i-1)}_0,\ b = H^{(i-1)}_1,\ \ldots,\ h = H^{(i-1)}_7$
Examples of modular arithmetic
25 mod 7 = 4, 18 mod 12 = 6, 573 mod 2 = 1
What is the commercial message alphabet length?
2^128 bits is the average message alphabet length
How many bits can be generated by the simple method (LFSR)?
2^n − 1 bits can be generated
How many keys does triple DES use?
3 keys
How can we improve DES?
3DES (triple DES) increases the key size.
What operation is added to ensure that no one intercepts the message from Alice to Bob?
6. B → A : eKAB(NB)
7. A → B : eKAB(NB − 1)
Under DAC, there are really only two major categories of users, administrators and non-administrators. In order for services and programs to run with any level of elevated privilege, the choices are few and coarse-grained, and typically resolve to just giving full administrator access. Solutions such as access control lists can provide some additional security for allowing non-administrators expanded privileges, but for the most part a root account has complete discretion over the file system.
A MAC or non-discretionary access control framework allows you to define permissions for how all processes (called subjects) interact with other parts of the system such as files, devices, sockets, ports, and other processes (called objects). This is done through an administratively-defined security policy over all processes and objects. These processes and objects are controlled through the kernel and security decisions are made on all available information rather than just user identity.
In cryptography, the one-way problems used are mathematical functions. A one-way function is a function f : X → Y which satisfies the following two properties: given x in X it is easy to compute y = f(x) in Y; given y in Y it is very difficult to find an x in X such that f(x) = y.
A good example of a mathematical one-way function is multiplying/factorising. It is very easy (especially given a computer or calculator) to multiply together two integers, even if those integers are very large. However, given the resulting number, it is very hard (even with access to a computer) to find the two numbers that were originally multiplied together. In this example, both X and Y are the set of positive integers.
What is SHA-512?
The algorithm uses a message schedule of 80 64-bit words W0 to W79, eight 64-bit working variables a, b, c, d, e, f, g, h and a hash value of eight 64-bit words H0 to H7; the result is a message digest of 512 bits.
What are the steps of RSA decryption?
Bob takes the value c and decrypts it using the private key d as follows: M = c^d mod n
What are the types of users under DAC?
Administrators and non-administrators
What is the main idea of Needham-Schroeder key exchange?
Alice and the server share a key KAS, Bob and the server share a key KBS, and Alice and Bob want to establish a shared key KAB.
Steps of PGP confidentiality
1. Alice generates a random session key K for a symmetric cryptosystem.
2. Alice encrypts K using Bob's public key: K′ = pk:encryptBpub(K)
3. Alice encrypts the message using the session key K to obtain c = sk:encryptK(m)
4. Alice sends the values K′ and c to Bob.
5. Bob decrypts K′ with his own private key to obtain K.
6. Bob then decrypts the message using the session key: m = sk:decryptK(c)
Steps to combine authentication and confidentiality
1. Alice generates a signature for her message as in the authentication protocol: sig = pk:encryptApriv(h(m))
2. Alice generates a random session key K and encrypts the message m and the signature sig using a symmetric cryptosystem to obtain ciphertext c: c = sk:encryptK(m; sig)
3. Alice encrypts the session key using Bob's public key: K′ = pk:encryptBpub(K)
4. Alice sends Bob the values K′ and c.
What are the RSA encryption steps?
Alice looks up Bob's public key (e, n) in the directory, converts the message into numbers of suitable length, and computes the ciphertext C = m^e mod n.
Steps of PGP authentication
1. Alice wants to send a message m to Bob.
2. Alice hashes the message to obtain h(m).
3. Alice encrypts the hash using her private key to obtain the signature.
4. Alice sends m and the signature to Bob.
5. When Bob receives the message he decrypts the signature using Alice's public key.
6. Bob computes the hash of the message with the same hash function Alice used.
7. If h(m) equals the decrypted signature then the message is authenticated and Bob has verified that the message is from Alice.
Access control is often not as hierarchical or clear cut as in the example above, and so a protection ring may not be a suitable model. Instead we might write an access control list, which gives details of a subject's particular access rights to an object, or an access control matrix, which combines details of different subjects and objects and defines the rights of the subjects over the objects. We can also illustrate these access control policies by drawing an access control graph.
Example of access control lists
Alice: prog1{execute}; database1{write, read}; database2{read}
Bob: prog1{write, read, execute}; database1{read}
Decryption in Rijndael
All of the operations are easily reversible. The decryption algorithm uses the expanded key in the reverse order to recover the plaintext.
What are the main modes in access control?
Alter: (read and) write, delete, append. Observe: read only and execute.
Describe the anarchy model
The anarchy key distribution model is the model in which trusted keys are used.
The basis for using a large block size
As the block size increases, it becomes more difficult to decrypt the ciphertext without the key.
Password spoofing A spoofing attack is when the user is fooled into giving the hacker their password. Spoofing attacks may be very simple or very sophisticated
Asking the user. This may sound unlikely, but it is a fact that a lot of people will tell you a password if you can convince them that you need to know it. For example, the hacker may phone the user and tell them that he is from their office computer staff and that there is a problem with the files: all backed-up information is going to be lost, so he needs the user's password in order to recover the data. Sometimes an approach as simple as this will work and the user is fooled into giving the hacker their password. This attack will fail if the user has been educated in computer security and refuses to reveal their password.
Why does PGP allow a user to have more than one public key or private key?
Because it is not a cryptosystem but a combination of cryptographic best practices. Public key rings are also used in PGP to construct public key hierarchies.
Why may the Caesar cipher be easy to intercept?
Because only 25 keys are available, so it is easy for a cryptanalyst to find the plaintext by trying every key until the meaningful text is found.
How do block ciphers and stream ciphers encrypt data?
A block cipher encrypts data block by block; a stream cipher encrypts data continuously using a key stream.
A symmetric key cryptosystem can be
A block cipher or a stream cipher
How to improve the performance of a linear feedback shift register
By combining the outputs of several registers with a combining function to produce the output.
How can we increase security?
Using a single normal alphabet we have a 27-letter block; when we make the block size 2 there are 27^2 possible alphabets, and so on.
What are the types of substitution cipher?
Caesar cipher; random substitution cipher
Equation used in CBC
C_i = Encrypt(K, P_i ⊕ C_{i−1})
What are the relations between the key stream, plaintext and ciphertext?
C_i = P_i ⊕ K_i, P_i = C_i ⊕ K_i, K_i = C_i ⊕ P_i
What are the different types of attack on a cryptosystem?
Ciphertext only; known message; probable known message; chosen ciphertext; chosen message; chosen ciphertext and message
Accountability Accountability means that the system is able to provide audit trails of all transactions. The system managers are accountable to scrutiny from outside the system and must be able to provide details of all transactions that have occurred. Audit trails must be selectively kept (and protected to maintain their integrity) so that actions affecting security can be traced back to the responsible party
Communication is interrupted if the attacker does not allow the information to reach the destination
List the features of a security system
Confidentiality, non-repudiation, integrity, availability, access control, accountability, authentication
Information can be stolen - but you still have it. If a physical item such as a car is stolen then the thief has possession of the car and you no longer have it. If a thief steals a file from your computer, he will probably make a copy of the file for himself and leave the original on your computer. Hence you still have the file but it has also been stolen.
Confidential information may be copied and sold - but the theft might not be detected. If your car has been stolen it is not hard to detect the fact - the car is missing! However as mentioned above, a thief who steals computer files may leave the files on your computer and only copy them for himself. Nothing appears to have changed on your computer so you may not be aware that anything untoward has happened
The criminal may be on the other side of the world. If a thief steals your car you at least know where he was when he stole the car. However, it is possible to hack into computer systems remotely from anywhere in the world. This makes it very hard to know who is responsible for catching a computer criminal. Is it the police in the country where the computer is, or the police in the country where the criminal is?
Computer security deals with the prevention and detection of unauthorised actions by users of a computer system.
List five types of security model.
Bell-LaPadula, Chinese Wall, Clark-Wilson, Harrison, Biba model
Which attack is common against availability?
Denial of service attacks are the most common attack against the availability of information.
What are the symmetric systems used today?
DES, AES (Rijndael), RC6, Blowfish, IDEA
What other properties should a block cipher have, what do they mean and why are they needed?
Diffusion, confusion, completeness
What are the types of ownership policy?
Discretionary or mandatory
These permissions are from the set {read, write, execute}. Three different sets of access rights are defined for the file: one is for the file's owner (usually the user who created the file), one is for the file's group (usually the principal group of the file's owner, but sometimes the directory group if this has been set using Set GroupID), and the last is for all other users (i.e., those users who are neither the owner nor in the file's group).
Each file in Unix is really a pair consisting of the filename and the i-node number of the file. The i-node contains a lot of information about the file, including:
- where the file is stored
- the length of the file
- the last time the file was read
- the last time the file was written
- the last time the i-node was read
- the last time the i-node was written
- the owner - generally the UID of the user who created the file
- a group - the GID of the group that the file belongs to
- 12 mode bits which encode a set of access rights
What is a substitution cipher?
Each letter in the plaintext is substituted for another letter to make the ciphertext.
The model should have some flexibility
Enable some subjects to break the rules of both no read up and no write down by temporarily upgrading the security level of trusted subjects.
What is the main idea in the protection ring model?
Every subject and object has a security level.
The rule used in the protection ring model
Every subject can access any object with the same level as, or a lower level than, its own level.
Password guessing Suppose that a hacker wants to access a system which is protected by a user-name/password identification system. We will assume that the hacker knows the user-name of an authorised user since this information is not generally secret. Therefore if the hacker can guess the user's password he will gain access to the system
Guessing using personal knowledge of the user Many people use passwords which relate to them personally. For example, they may use the name of their spouse or child or pet. They may use their football team or street name or birth date. If the hacker can find out personal information about the user, then they may be able to guess a personal password without too much difficulty. This attack will fail if the user is careful not to use a password which is personally related to them in any way.
What if the ownership policy is mandatory?
If the ownership policy is mandatory, access permissions are determined by the company security policy under regulations.
If the ownership policy is discretionary the owner of the resource decides who has access permission. For example, I could write a web page and post it openly on the Internet so that everyone has access. Alternatively, I could post the web page with a password access control system and then decide to whom I give the password.
If the ownership policy is mandatory then the security system manager allocates permissions according to the security policy of the organisation.
Temporarily downgrade a subject's level from f_s to f_c where f_c < f_s. Identify a set of subjects which are allowed to violate the no-write-down policy. These are called trusted subjects.
If the three rules are satisfied then the state of the model is called secure. Furthermore the basic security theorem states that if you start with a secure state and all transitions are secure then every subsequent state will also be secure.
Should the security system be simple or sophisticated? As discussed above, there are disadvantages to having a security system, not least in terms of time and cost. The more sophisticated a system the costlier it is likely to be. On the other hand, a system which is too simple may not provide the necessary level of security
In a distributed system should the security be centralised or spread? Should a security manager have ultimate control, for example over access control issues (this will make it easier to achieve a consistent and rigorous approach, but may cause time delays if the security manager has to be applied to for every change of access rights)? Alternatively, should individual users be allowed to choose who has access to their files? See section 3.3.3 for a description of how SELinux implements mandatory access control.
        prog1      database1   database2
Alice   {e}        {w,r}       {r}
Bob     {w,r,e}    {r}         { }
Table 3.1: Access control matrix
In a large organisation, it is likely that several subjects will all have the same access control permissions. These subjects can be grouped together and the group access permissions listed.
When can we use the one-time pad method?
In critical situations
What is the aim of PGP authentication?
In e-mail, if Alice sends an e-mail to Bob then Bob should be sure that the e-mail is from Alice and not from a third party.
Risk analysis When designing or implementing a computer security system it is very important to bear in mind the level of risk involved and the value of the information that is to be protected. As an illustration, consider that you may be willing to leave £50 in a changing room locker, but you would not be likely to leave £5,000 unattended. You would assess the risk involved before deciding whether to leave the money or not. On the other hand, it would be foolish to pay someone, say £20, to look after your £50, but this might be a good investment in the case of the £5,000 (assuming that you totally trust the person charged with keeping your money safe of course!).
In terms of computer security, the disadvantages of security systems are that they are time consuming, costly, often clumsy, and impede management and the smooth running of the system. Risk analysis is the study of the cost of a particular system (in terms of effort and time as well as cost) against the benefits of the system (the level of security offered).
In order to prevent and detect unauthorised actions by its users a good security system should provide (some of) the following features: confidentiality integrity availability non-repudiation authentication access controls accountability
In this context, the term unauthorised implies not only malicious or criminal, but could also be accidental. For example, a breach of confidentiality arises maliciously if a spy deliberately hacks into a computer and looks at confidential material stored there. It happens accidentally if the material is left out on a desk and is seen by the office cleaner.
Protection ring model If access control is strictly hierarchical, this can be illustrated by a simple protection ring model.
In this model, every subject and object is given a security level. Subjects can access all objects at their own level or lower. A security level may involve operations as well. For example, read and write permission may be at a higher level than read only
What do we mean by the term collision in a hash function?
A hash function is a many-to-one function, so many values can hash to the same value.
Information security is different from traditional security; discuss this statement
Information is stolen but still present; confidential information can be copied and sold; the criminal may be on the other side of the world
What type of stream is generated in a one-time pad?
It is a random binary stream.
Confidentiality Confidentiality is the prevention of unauthorised disclosure of information. In other words, confidentiality means keeping information private or safe. Confidentiality may be important for military, business or personal reasons. Confidentiality may also be known as privacy or secrecy
Integrity Integrity is the prevention of unauthorised writing or modification of information. Integrity in a computer system means that there is an external consistency in the system - everything is as it is expected to be. Data integrity means that the data stored on the computer is the same as what is intended.
Dictionary searching Another favourite method of generating easy to remember passwords is for the user to choose a word, usually in their own language. If the hacker cannot directly guess the user's password then he may set up a dictionary attack. This means that he will run a computer programme which tries every word in a dictionary as the password of the user until he finds a match. This attack will fail if the user does not use a word which appears in a dictionary as their password.
Intelligent searching Some user-name/password systems insist that the user's password contains a mix of letters and numbers. The most common thing for a user (who has not been educated in password security) to do is add a number onto the end of a word. For example, using a password such as banana1. An intelligent dictionary search might try all words with numbers added. Thus if the hacker knows that a particular password system insists that passwords are a minimum of six characters long and must contain at least one number, then the hacker may try all five letter words with each of the digits 0,..,9 attached. Thus apple0, apple1, apple2,....,apple9, apply0, apply1,... and so on would form part of this search.
What are the types of attacks?
Interception, interruption, modification, fabrication
What are the components of the PGP authentication protocol?
It is a digital signature with hashing.
What does unauthorised action refer to?
It refers not only to malicious actions but also to accidental ones.
What is the key in a Caesar cipher?
It is a number called k, between 1 and 25.
IV not reused (OFB mode)
K_0 = IV, K_i = Encrypt(K, K_{i−1}), C_i = P_i ⊕ K_i
What are the PGP key issues?
Key generation; key identifiers
What is the problem with the one-time pad method?
The key stream is random, which is good, but it cannot be generated simultaneously.
What is the idea of the Caesar cipher?
Each letter of the alphabet is shifted by a certain number to another letter to form the ciphertext.
What kind of method can generate the keystream?
Linear feedback shift register
What is an example of communication modification?
Man-in-the-middle attack
Why is e-mail compatibility needed?
Many electronic mail systems can only transmit blocks of ASCII text.
Meaning of accountability in security
It means that the party accountable for a security transaction should be known and the party responsible for it determined.
Give an example of a protocol that performs key exchange using a trusted third party
Needham-Schroeder protocol
Password shadowing means that the encrypted password field of /etc/password is replaced with a special token and the encrypted password is stored in a separate file (or files) which is not readable by normal system users
Networked systems may also use NIS (Network Information System) which allows many machines on a network to share configuration information, including password data. On a machine with NIS there will be a very short /etc/password entry and the real password file is elsewhere. Note that NIS is not designed to promote system security.
Is access control always hierarchical?
No, it is often not hierarchical.
After encryption, what happens to the message if it is obtained by an interceptor?
Nothing: the interceptor does not know the meaning of the ciphertext, so the original message remains unknown.
Availability Availability is the prevention of unauthorised with-holding of information. Information should be accessible and usable upon appropriate demand by an authorised user. Denial of service attacks are a common form of attack against computer systems whereby authorised users are denied access to the computer system. Such an attack may be orchestrated by the attacker flooding the system with requests until it cannot keep up and crashes. Authorised users are unable to access the system. Consider the damage that such an attack may cause to an electronic commerce site such as an internet shop
Non-repudiation Non-repudiation is the prevention of either the sender or the receiver denying a transmitted message. Non-repudiation is often implemented by using digital signatures
In general, if a password is n characters long and is made up from an alphabet of A different characters, then there are A^n possible different passwords.
Note that the average time for a hacker to find a particular kind of password is only half the time taken to do a complete search (i.e. if a user has chosen a dictionary word as their password, then the hacker will, on average, only have to search through half of the dictionary in order to find the password). Likewise, on average, a hacker using an exhaustive search will only have to search through half of the possible passwords before finding a match.
Unix access control Subjects in Unix are users. Each user belongs to at least one group, their principal group. They may also belong to other groups. If a user belongs to more than one group then they will have a designated principal group. For example, a user may belong to the groups Staff and Project1 where Staff is their principal group.
Objects in Unix are files. Unix thinks of all resources as files. Each file belongs to a user and a group, and has a set of permissions associated with it.
Examples of objects in access control
Objects such as data files or any other shared resources
One-time passwords Given enough time and attempts, a static password (i.e. a password which remains the same) may be accessed by an unauthorised attacker. To counter this, some systems are now making use of one-time passwords or OTP. By constantly changing the password, the risk of the password being discovered is greatly reduced. Furthermore, an attacker who does find a password, will only be able to use it to gain access to the system once. The next time the attacker tries to use the password it will be rejected.
One-time passwords typically work in one of three ways:
- A mathematical algorithm is used to generate a new password based on the previous password.
- A time synchronisation protocol is used between the authentication server and the client providing the password.
- A mathematical algorithm is used to create each new password based on a challenge, such as a random number chosen by the authentication server, and a counter.
Cryptographic protection. A password file can be encrypted by using a one-way function. After encryption, the password file is just a list of garbled characters. Even if a hacker manages to view the file, it will not help him to gain access to the system.
One-way functions A problem is said to be one-way if it is easy to do one way but hard to do in reverse. A non-mathematical example is making a cup of instant coffee. It is easy to put coffee granules, boiling water and milk into a mug and stir them together to make a cup of coffee. However, given a cup of coffee, it is difficult to reverse the operation and retrieve the separate components of milk, coffee granules and water.
What type of cipher is the one-time pad?
The one-time pad is a kind of stream cipher.
For example, suppose that Alice, Bob and Charles are subjects and a database is an object. We could either say that Alice has write and read access, Bob has read only access and Charles does not have any access to the database
Operations and modes. Operations that the system may offer include:
- read
- write (which may or may not automatically include read access)
- append
- execute
- delete
Modes that the system may offer include:
- observe (look at the contents)
- alter (change the contents)
Operations are defined by the security model. Modes are basic notions of what can be done to an object. The relationship between operations and access modes can be summarised as follows:
What is padding?
Padding completes the plaintext block before encryption so that it fills the block size when the plaintext does not divide evenly into blocks.
To avoid pre-compiled rainbow tables being used on a security system, the function used to encrypt the passwords should be somehow unique to the system. Pre-compiled tables will therefore not be available. If a user loses or forgets their password it will be irretrievable. An alternative secure method for resetting the lost password to a new value will have to be devised.
Password salting: Password salting is a process used to ensure that all passwords in a system are unique. Most systems insist that all user-names are unique. If a new user tries to create an account with a user-name that is already in use, they will be informed that the user-name is already used and that they should choose another. However, the system cannot inform a new user that the password they have chosen is already in use - that would be a gift for a hacker! Instead, the system adds some salt, which is another piece of information such as the user-name, to all the passwords before encryption. This ensures that every password is unique.
What is another name for the one-time pad?
Perfect secrecy
How is each message block processed (general rule)?
Prepare the message schedule $(W_0, W_1, \ldots, W_{79})$ by expanding the 1024-bit message block $M^{(i)}$ into 80 64-bit words using the following algorithm: $W_t = M_t^{(i)}$ for $0 \le t \le 15$; $W_t = \sigma_1^{\{512\}}(W_{t-2}) + W_{t-7} + \sigma_0^{\{512\}}(W_{t-15}) + W_{t-16}$ for $16 \le t \le 79$
What are the main cornerstones of security?
Prevention, detection, reaction
What is the main goal of security?
Prevention of attacks from cryptanalysts
What is availability?
Prevention of unauthorised withholding of information
What is encryption?
The process of transforming plaintext, which is readable, into ciphertext, which is not readable text
How is Feistel decryption processed?
$R_i = L_{i+1}$, $L_i = R_{i+1} \oplus f(K_i, R_i)$
3. An access control matrix M is defined and subject s can only perform operation a on object o if (s, o, a) is (ticked) in the access control matrix. This is called a secure transition.
Rules 1 and 2 mean that subjects could in theory write a document which they cannot read. Also a subject at a high security level cannot send messages to a subject at a lower level. Obviously this is not very practical, so the model allows the ability to: temporarily downgrade a subject's level from fs to fc where fc < fs; identify a set of subjects which are allowed to violate the no-write-down policy (these are called trusted subjects).
How do you secure the levels below the level of the security system? An attacker may manage to gain access to the operating system and from there make alterations to access control limitations giving themselves access to other parts of the system. The logical access controls of the system may be by-passed by gaining direct access to the physical memory. It is therefore important to ensure that physical security measures are in place as well as the logical computer security mechanisms.
Security models: Computer security protects the computer system and the data it processes. Success depends on the implementation of security controls designed for the system. A security model is a means of formally expressing the rules of the security policy. The model should: be easy to comprehend; be without ambiguity; be possible to implement; reflect the policies of the organisation.
What condition is required of any keystream?
It should be an unpredictable stream
What is the rule relating to the access matrix?
Subject s can only perform operation a on object o if (s, o, a) is in the access matrix
What is the no-read-up policy?
A subject can read an object only if the subject has a security level higher than the object's
What are subjects in access control?
A subject is the person, or the process, that performs the action on the object
Example of access in the protection ring model
A subject at level 4 can access any object at level 4 or less
How can the no-read-up policy be got around?
A subject with a low security level persuades a subject with a high security level to copy the content into a new document with a low security level
The system offers this access of subjects such as users, processes and other applications.
Subjects and objects represent respectively the active and passive parties in a request for access. In defining access controls, we can either specify: what a subject is allowed to do; or what may be done with an object.
What are the main components of access control security?
Subjects, objects, modes, permissions, operations
What is PGP compression?
PGP compresses the message using ZIP and decompresses it using UNZIP
Encryption is the process of transforming a plaintext message (a message that can be read) into an unreadable encrypted form called a ciphertext message. The intention of encryption is that if the encrypted message is intercepted, then the interceptor will not be able to interpret the ciphertext.
The aim of anyone encrypting a message is to ensure that no-one viewing the resulting ciphertext will be able to decrypt or make any sense of the ciphertext,
What is the basic idea of the Bell-LaPadula model?
The basic idea is that information cannot flow from a high security level to a low security level
What is the idea of a block cipher?
The data are divided into blocks
What are the block size and key size in DES?
Block size is 64 bits, key size is 56 bits
Attacking an encrypted password file: If a hacker manages to access a password file which has been encrypted using a one-way function, all he will see is the encrypted passwords, indexed by user-names. These encrypted passwords will not enable the hacker to access the system, and the actual passwords are not stored anywhere.
The function used to encrypt the passwords is not usually a secret, so the hacker may try to find an actual password by running a computer program that encrypts a dictionary list or an exhaustive list of passwords and then checks to see if the result matches any of the stored encrypted passwords. If a match is found then the hacker has a password and can now gain access to the system.
How does a stream cipher work?
The plaintext is encrypted bit by bit by adding a keystream
What are the main components of the one-time pad method?
The plaintext in binary format; a stream of key bits generated by Alice and sent to Bob; XOR the plaintext with the keystream and the result is the ciphertext. To decrypt, Bob XORs the ciphertext with the keystream to obtain the original message
What is new in AES?
Block size of 128 bits; key size of 128, 192 or 256 bits
What is the final step in SHA-512?
The values of $H_0^{(N)}, H_1^{(N)}, \ldots, H_7^{(N)}$ are concatenated to produce the 512-bit message digest
What is the third step in the hash computation?
The values of a, b, c, d, e, f, g and h are operated on using the six logical functions, with the eighty W values and the temporary variables T1 and T2 as input
Permissions for files may include: read, write, execute, append, delete, change permission, change ownership.
There are different ways of expressing access control permissions including lists, matrices and graphs.
The password file, where the system stores the data for verifying passwords, is very sensitive to attack. In an insecure system, the password file will be a list of passwords indexed by user-name. A hacker with access to this file has potential knowledge of every password. It is therefore essential that the password file is protected.
There are essentially two ways in which the password file can be protected: using cryptographic protection; implementing access control over the password file. Ideally, the password file should be both encrypted and protected from unauthorised access by the implementation of access controls.
A basic identification system consists of a database of passwords indexed by user-names. This is called the password file. When a user logs into the system, the computer checks that the user-name and password input match an entry in the password file. If a match is found, the process is complete and the user is allowed access to the system. If not, access is denied although the user may be given another chance to enter their user-name and password.
There are various ways in which a user-name/password identification system can be abused. The simplest attacks include the hacker looking over the user's shoulder when they are typing in their password, or finding a written note that the user has made of their password.
Exhaustive searching If the user has been clever enough to use a random, meaningless string of characters as their password, then the hacker may have to resort to trying an exhaustive search attack. An exhaustive search is similar to a dictionary search, but in the exhaustive case, the computer programme used by the hacker will try every possible combination of permissible characters as the password in order to find a match. Thus if searching for a six character password, the hacker might try aaaaaa, aaaaab, aaaaac, ....., aaaaaz, aaaaa0,...., aaaaa9, aaaaa*, etc. and move systematically through all possible permutations.
This attack will always succeed eventually. Since every possible password is tried in turn sooner or later a match will be found. However, there are ways of making an exhaustive search so time consuming for the hacker that it is not successful during the life of the password (i.e. before the exhaustive search is successful the password has been changed). Some password systems insist that the users change their passwords every three months, for example.
Fake log-in screens: A more sophisticated spoofing attack is when the hacker sets up a fake log-in screen which exactly resembles the genuine log-in screen for the system. The user is presented with this log-in screen and unsuspectingly enters their user-name and password. The hacker captures this information and then typically gives the user an error message saying that they have incorrectly typed in their password. The genuine log-in screen is then displayed. The user cannot be sure that they did not make a typing mistake, so they type in their user-name and password again and gain access to the system. The user may have no idea that they have been the victim of a spoofing attack.
This attack will fail if the user notices that there is something wrong with the log-in screen and so does not enter their user-name and password. Some log-in interfaces contain patterns or pictures which are impossible to replicate accurately. The attack can be detected (although not prevented) if the user is informed, at every log-in, of the time of the last failed log-in attempt. After a spoof attack, the user thinks that they had a failed log-in. If when the user successfully logs in, the system does not inform them of this failed log-in then the user is alerted to the fact that they may have been the victim of a spoof attack.
Every subject that has the same operation permissions is grouped together
This leads to a smaller database size and easier control.
What is the idea of a random substitution cipher?
This time we replace each letter with a random letter
How many steps does RSA require?
Three steps: key generation, encryption, decryption
What is the aim of confidentiality?
To make information private and safe
What type of access control is used in SELinux?
The type is mandatory
A real life example of access control is SELinux (Security-enhanced Linux). SELinux is an implementation of a mandatory access control mechanism. This mechanism is in the Linux kernel and checks for allowed operations after standard Linux discretionary access controls are checked.
Under DAC, ownership of a file object provides potentially crippling or risky control over the object. A user can expose a file or directory to a security or confidentiality breach with a misconfigured chmod command and an unexpected propagation of access rights. A process started by that user, such as a CGI script, can do anything it wants to the files owned by the user.
However, it is possible, without breaking any of the rules, to: downgrade all subjects to the lowest level; downgrade all objects to the lowest level; give all subjects permission to perform any operation on any object by completely filling in the access control matrix.
Unix - access control in practice: Finally we will look at an actual access control model and see what happens in real life rather than in theory. We will be looking at how Unix deals with access control.
Which system is an example of dealing with access control?
Unix deals with access control
What key exchange type is used in ElGamal?
Diffie-Hellman key exchange
Unix users and superusers: In Unix every user has an identifier, their user name, and each user belongs to one or more groups. Every Unix system has one user with special privileges. This superuser has user ID 0 and usually the user name root. The root account is used by the operating system for essential tasks like login, recording the audit log, or accessing I/O devices. Almost all security checks are turned off for the superuser. The root account is required to perform certain tasks such as installing certain software. The system manager who holds the root password should never use the root account as their personal account but should change to user root as and when necessary to perform a superuser task.
Unix security measures: Users are authenticated by user name and password. Passwords are encrypted using a one-way function which is based on the DES algorithm and run 25 times. The encrypted passwords were traditionally stored in the /etc/password file. However, most modern Unix systems use either password shadowing or NIS and much of the Unix password data is stored elsewhere.
How is the email compatibility problem overcome?
Use radix-64 conversion
What does PGP use for key management?
The web of trust model for key management, so a user may have more than one public/private key pair
Why are linear feedback shift registers widely used in keystream generators?
They are well suited to implementation in hardware and produce a sequence with a large period, with no repetition up to 2^n - 1
What is PGP confidentiality?
To send confidential email between two parties
Does the system focus on the data, operations or users of the system? For example, is it more important to have a data focused rule such as: Only data of type A can be inserted in data box A or a user focused rule such as: Only section managers are able to access the information in data box A?
What level should the security system operate from? The security system may consist of a software package that runs on top of the operating system, such as Norton Internet Security which runs on top of Windows. Alternatively, it may be part of the hardware and have physical control over the data such as where it is stored and how it is manipulated, for example Security Enhanced Linux (SELinux).
Entries in the password file have the following form: accountname : encryptedpassword : UID : groupID : IDstring : homedirectory : loginshell, and so may look something like this: RS : ru78Pjey : 92 : 4 : Shipsey,R : /usr/RS : /bin/sh
When changing their password, users must supply the old password first to guard against another person changing the password. The new password must be entered twice in order to confirm that it has been typed correctly. The actual characters of the password are never shown on the screen but appear as * or • characters instead. Passwords may be salted if required. Controls can be set so that weak passwords are rejected. Password expiry dates can also be set, together with enforced rules on the re-use of old passwords. Root login can be restricted to specially nominated terminals only.
When is the protection ring model used?
When the security system is strictly hierarchical
User-names and passwords: When a computer system has to verify a user's identity, there are two basic questions that have to be asked and answered appropriately:
Who are you? The computer system has to establish somehow who is trying to gain access to its files. This is usually done by use of a user-name which, although probably unique to the user, is not a secret. The user-name is often simply produced using all or part of the user's actual name. For example, the user-name of John Smith might be JSmith or johnsmith. When John Smith correctly enters his user-name, the computer can establish, by looking in a database of authorised user-names, that John Smith is an authorised user of the system.
What does AES stand for?
Advanced Encryption Standard
Which operation is performed at the beginning and end of the process?
Add round key
What is the sequence of the Feistel structure?
The block is divided into two halves. The left half of the output at the next round is the right half of the previous round, $L_{i+1} = R_i$; the new right half is the XOR of the left half with $f(R_i, K_i)$, that is $R_{i+1} = L_i \oplus f(R_i, K_i)$
Why should a hash function handle any length?
Because a hash function should be able to process data of any length
Why is key chaining not very efficient?
Because if a cryptanalyst knows one key, he can know the keys that follow it
Why should public keys be authenticated as belonging to a person?
Because if, by mistake, another person's public key is used, the message will be understandable to that person, which could lead to malicious action
Why are hash functions strong?
Because they are one-way functions: easy to compute in one direction and difficult to reverse
Why study computational complexity?
Because there are several algorithms to perform a given task, so we need to judge the efficiency of each algorithm against the others
Which property do hash functions have?
The diffusion property: a small change in the message produces a large change in the hash value
What should a computer security model be?
Easy to comprehend, without ambiguity, possible to implement
Equations for RSA
$c^d = (m^e)^d \bmod p = m^{ed} \bmod p = m^{k(p-1)+1} \bmod p = m^{k(p-1)} \times m \bmod p = (m^{p-1})^k \times m \bmod p = 1^k \times m \bmod p = m$
What mode resolves the problem of electronic codebook mode?
Cipher block chaining mode (CBC)
What is phishing?
Communications such as instant messages and emails, pretending to be genuine, direct users to fake login sites such as those of eBay and PayPal, which ask them to give their names, passwords and other details
What does PGP provide?
Confidentiality, authentication, compression, segmentation
What are the components of a certificate?
It consists of a public key together with an identification of the key holder
What are one-time passwords?
A constantly changed password, which reduces the problem of having to change the password
What is DES?
Data Encryption Standard, which is used to encrypt data
What is the composition of the password file?
A database of passwords indexed by user-name
How many passwords are possible?
It depends on the combinations of characters chosen by the user
How is a legitimacy value given to a key?
It depends on who signed it
Is there a question that should be asked?
Does the system focus on data, operations or users of the system?
What are the initial features of a hash function?
Easy to compute; easy to find collisions; easy to find pre-images; should be cryptographically strong
What are the features of RSA?
Easy to implement and hard to break
What are the strengths of Rijndael?
Easy to implement and flexible; very efficient and requires less memory; can be implemented in hardware
What method is used to calculate a modular inverse?
Euclid's algorithm
What is key chaining?
Encrypt the new key using the previous key
What is the idea of exhaustive searching?
Exhaustive searching is similar to dictionary searching, but it tries all possible permutations and combinations of numbers and letters, not just the words in the dictionary
What is another method of spoofing?
Fake log-in screen
What happens to the block at the final stage?
It is copied into the output matrix
There are many security models which can be used to describe how access control is to be managed. These include: the Bell-LaPadula Model, the Harrison-Ruzzo-Ullman Model, the Chinese Wall Model, the Biba Model and the Clark-Wilson Model.
The Bell-LaPadula model: The Bell-LaPadula security model (BLP) is one of the most famous security models. It was developed by Bell and LaPadula and aims to provide a secure multi-user operating system. Access permissions are defined by an access control matrix and security levels. The basic idea is that information cannot flow from a high security level to a lower security level.
How can an encrypted password file be attacked?
If the attacker knows the function used to encrypt the password file
Why is it not recommended to use electronic codebook mode?
If blocks are repeated and every block uses the same key, they will produce the same ciphertext, which is easy for a cryptanalyst
When do we say that a number is prime?
If it has only two factors: itself and 1
When do we say that a hash function is collision resistant?
If it is impossible to find two values that give the same hash value
What is the main equation of Fermat's little theorem?
If p is an integer and a is an integer between 1 and p-1, then $a^{p-1} \bmod p = 1$
What is the general method of computing the number of passwords?
If a password has length n over an alphabet of A characters, the number of possible passwords is $A^n$
What are congruent numbers?
If r mod s = m mod s, then r and m are congruent
What are rainbow tables?
If a secure hashing function is used, pre-computed tables can be used to find the password easily
What size of number makes the factorisation problem impossible to solve?
Decimal numbers of about 200 digits
Why do we need block cipher modes?
If the plaintext is longer than one block of the cipher, it must be encrypted in a specific mode in order to encrypt the whole message
What happens if you try to create a user-name that already exists?
This leads to an error that it is already present
What is meant by an interruption attack?
One in which the attacker does not allow information to reach its destination
What are the benefits of using Euclid's algorithm?
It involves only multiplications and divisions; computational complexity of O(b^2)
Password salting
Insists that user-names are also unique
How are trusted third parties used?
Instead of Alice generating the key herself, she relies on a third party to generate it and deliver it to Bob and herself
What is the benefit of modular arithmetic?
Instead of using the whole number we use only its remainder, by taking mod
What is the substitute bytes operation in Rijndael?
A lookup table (the S-box) is used to perform a byte-to-byte substitution of the block
What is the computational complexity of calculating mod?
It is O(b^2), because taking mod is a division and a subtraction, so it takes two steps to reach the result
What is the difference between DES and AES?
It is possible to think of the data in Rijndael as polynomials with coefficients of either 0 or 1. This means that, unlike DES, it is possible to write a Rijndael encryption as an algebraic formula
What is meant by exponentiation?
Raising to a power; an important part of RSA and ElGamal
What does it mean to find collisions?
It should be hard to find x1 and x2 with h(x1) = h(x2) in a feasible amount of time
What is Rijndael formed of?
A 128-bit block size and key lengths of 128, 192 or 256 bits
How is identification made more secure?
It becomes more secure when a password is added, as it is easy to log in with the user-name only
How does the digital signature work?
It is calculated using the private key of the signer and decrypted using the public key of the signer
What is the first value to be XORed called?
It is called the initialisation vector
What happens if the block size is greater than normal?
It compromises the speed
Given y in Y
It is hard to find x where y = f(x)
What is the idea of electronic codebook mode?
It is the simplest method: divide the plaintext into blocks and then encrypt each one individually, $C_i = \mathrm{Encrypt}(K, P_i)$
How is a nonce used to generate the IV?
It is a solution to the IV problem. A nonce is a number used once: each message is assigned a number from a counter, and this is the nonce. Instead of using the nonce as the IV, the nonce is encrypted by the block cipher in ECB mode to generate the IV (nonce-generated IV)
What is risk analysis?
It is the study of the cost of implementing a security system versus the benefit of that system
What are the disadvantages of computer security?
It is time consuming and costs money
What is new in output feedback mode?
It uses a block cipher as a stream cipher
What should be considered when implementing a computer security system?
It is very important to bear in mind the level of security needed and the value of the information to be secured
What happens to a message with a hash function?
It is iterative: the message is processed and condensed to produce a message digest
What is the disadvantage of rainbow tables?
They may be used by a malicious user to learn passwords
What is the diffusion property?
It means that any small change in the plaintext produces a large change in the ciphertext; this prevents chosen-message and chosen-ciphertext attacks through differential analysis
What does it mean that an attacker intercepts communication?
It means that the attacker intercepts the communication in order to receive the information
What is the completeness property and why is it needed?
It means that every bit of the ciphertext should depend on every bit of the key; this prevents divide-and-conquer attacks
Is computer security a computerised-social matter?
It needs people to be conscious of computer security and how to set up passwords
Is PGP a cryptosystem?
It is not a cryptosystem but contains the best available cryptographic algorithms
What does a digital signature provide?
It provides a means of identification and authentication
What does a password resemble?
It resembles your identity, like a passport which gives you identification for travelling to another country
How is a random IV used?
It is more secure than the others, since it uses a random number, but there is the problem of how to generate the random number and how to exchange it with the other party
What should we do with the password file?
It should be encrypted, and access control implemented to prevent any unauthorised access to the password file
What is a pseudo-random number generator?
It takes a seed and then begins to generate the key
How is a counter IV used?
It is the same as the fixed IV but we use a counter: IV=0, IV=1, and so on. This leads to the problem that it can be predicted
What does computational complexity mean?
It is used to determine the efficiency of an algorithm
How does CBC work?
It works by XORing the plaintext with the previous block of ciphertext
What is t-of-n key escrow?
The key is split into pieces; any t of the n pieces (1<t<n) can be used to recover the key
What are the key management issues?
Key generation (how and by whom the key is generated); key storage (how the keys are stored); key distribution (how the keys are distributed to the appropriate users); key replacement (how often the key should be replaced)
What is the modular inverse of a mod p?
The modular inverse of a mod p is b, where b < p-1 and a*b mod p = 1; it is denoted by a^-1 mod p
What other method is there to transfer the keys?
A more time-consuming and costly one: use covert channels already in place, on a regular basis
Which protocol uses a trusted third party?
Needham-Schroeder protocol
What is the computational complexity of modular multiplication?
O(b^3)
How can we encrypt the password file?
A one-way function can be used to encrypt the password file
What is the heart of RSA?
A one-way function which depends on factorisation
What happens if the attacker finds the password?
The password is used only once by the user; if the attacker tries to use it again it will be rejected
Which operation alone uses the key?
Only the add round key operation uses the key
Given two integers p and q
p*q = n
What does pre-processing involve?
Padding the message; parsing the padded message into m-bit blocks; setting the initialisation values
What is the most used method of breaking passwords?
Password guessing
What are the two stages of hashing?
Pre-processing and hash computation
What does PGP stand for?
Pretty Good Privacy
What is password salting?
A process that ensures that all passwords used are unique
What are asymmetric cryptosystems?
Public key cryptosystems
What is the practice of the web of trust?
Public key rings are used as the web of trust model
How many keys are there in public key cryptosystems?
A public key, which is known and published in a directory, and a private key, which is specific to the user and its owner
What is the idea of cipher block chaining mode?
Randomise the plaintext using the previous ciphertext
Why is complexity important when studying cryptography?
RSA and ElGamal need modular calculation, so it is important to use an efficient method for calculation
What is the definition of S/MIME?
Secure Multipurpose Internet Mail Extensions; it uses X.509 public key certificates
What does the server send to Alice in step 2?
The server sends to Alice the following, all encrypted with K_AS: 1) the name of Bob; 2) a session key for Alice and Bob to share; 3) the name of Alice and the session key, both encrypted with K_BS
What does Alice do if she wants to use PGP for email?
She will have to build up a public key ring containing the public keys of other users
What other question should be asked?
Should the system be implemented simply or in a sophisticated way?
What is password spoofing?
A spoofing attack is when the user is fooled into giving the attacker their password
What is the first operation used in encryption and decryption?
Start with the add round key operation, followed by nine rounds of four operations each, followed by a tenth round of three operations
How do you find the inverse of b mod a?
static long findInverse(long a, long b) {
    // Extended Euclidean algorithm: returns the inverse of b modulo a.
    // Assumes gcd(a, b) = 1; if it is not, no inverse exists and the result is meaningless.
    long store = a;   // remember the modulus: the final answer is reduced mod store
    long temp;
    long q;
    int sign = 1;     // tracks the alternating sign of the coefficient of b
    long r = 1;       // continuants built up from the successive quotients
    long s = 0;
    while (b != 0) {
        q = a / b;         // next quotient
        temp = r;
        r = temp * q + s;  // advance the continuants
        s = temp;
        temp = b;
        b = a - q * temp;  // remainder, a mod b
        a = temp;
        sign = -sign;
    }
    // on exit r == store (when gcd is 1) and sign * s is the coefficient of b
    long answer = (r - (sign * s)) % store;
    return answer;
}
What are the features of public keys?
Stored openly; should be genuine, i.e. related to the declared person
What is mix columns?
A substitution algorithm that alters each byte in a column using a function which takes all the inputs in the column
What different operations are used?
Substitute bytes, shift rows, mix columns, add round key
What operations are used?
Substitutions and permutations
Example of a digital signature
Suppose Bob wants to send Alice a digital signature: sig = encrypt_BobPriv(message). Bob sends Alice the message and the signature. Alice uses Bob's public key to decrypt the signature and then checks whether the result is the same as the unencrypted message; if so, the message originated from Bob
Which is faster, public key or symmetric key?
Symmetric key is much faster than public key
Phishing: Phishing is similar to the above. Communications such as emails or instant messages purporting to be from reliable sites such as eBay, PayPal or online banks direct users to a fake website which looks very like the genuine one. Here the user is asked to input their username, password and perhaps their bank details. Phishing is a growing problem and attempts to deal with it include legislation, user training, public awareness and technical security measures.
It is important that the users are informed of the following measures: The user should always set up a password and not leave the password option blank. The user should change the default password. The user should change their password frequently. The user should not use the same password for all systems. When changing a password, the user should not just add a digit onto the end of the old password. The user should not choose a password that relates to them personally such as their date of birth or the name of their child. The user should not choose a dictionary word as their password. The user should not choose a password that is too short. The user should choose a password that contains a mix of letters and numbers. The user should not write their password down or reveal it to anyone.
How does a hash function work?
It takes data of arbitrary size and returns a value in a fixed range; if you hash the same data at a different time it will produce the same hash
Example of a hash function?
Take the full name of a person and return two letters representing the first name and the last name; if we hash the same name on a different date it will produce the same two characters
What is the confusion property and why is it needed?
It means that if the key is nearly correct this should give no indication of the fact; this makes exhaustive searching harder
What is the construction of 3DES?
It means that the key size is tripled, to 2^168, and this defeats exhaustive search, but the block size remains unchanged at 64 bits
What does it mean that it is hard to find pre-images?
It means that it is hard to find x such that y = f(x) by exhaustive search in a definite time
What is the advantage of public key over symmetric key?
That only the private key is required to be stored
Cryptography
The art of protecting information by transforming it into an unreadable format, called ciphertext.
what is the average time for searching?
The average time for a hacker to find a particular password is only half the time taken to do a complete search.
what is the currently used block size?
Currently it is 256, and it relates directly to the alphabet size.
how to avoid a precompiled rainbow table?
The hash function should be unique to the system.
what is the basis of security?
The greater the block size, the greater the security.
what is the idea of a fake login screen?
The hacker sets up a fake login screen which resembles the genuine login screen. The user is presented with this fake login and enters their username and password, then gets a message saying the password was wrong, and then the original login screen is displayed.
who issues the certificate?
A trusted third party called a certification agency (CA).
what type of cryptosystem is RSA?
RSA is a public key cryptosystem.
An attacker may also make up a communication and send it to the destination pretending that it has come from the source. This is called fabrication.
types of attack
where does a block cipher get its key from?
It uses a key from a key space of a particular size.
what is the relation between symmetric and asymmetric keys?
Use an asymmetric key method to exchange the key and then use
when is a PRNG cryptographically strong?
When a cryptanalyst cannot
what happens when the user logs into the system?
When a person logs into the system, the system checks whether the user name exists in the system and matches the password in the password file against that user name; if it matches, the user is logged in.
what are the two questions asked?
Who are you? How do I know that you are who you say you are?
what does an intelligent attacker do before exhaustive searching?
They will carry out a dictionary attack and a modified dictionary attack before attempting an exhaustive search.
which commercial company uses SHA?
Windows uses a hash function to hash the passwords of users.
given x in X, it is easy to find
y = f(x)
is key size important?
Yes: if the key size is small, the key space will also be small, and this may make exhaustive searching easy.
is there a way to break and hack the password system?
Yes, there are many ways.
example of getting a password by asking the user?
You may receive a call from an attacker telling you that the company system is about to fail, so they need your password to retrieve the information and save it.