CySec Foundations Teil 2
Set of flashcards Details

Flashcards | 210
---|---
Language | German
Category | Computer Science
Level | University
Created / Updated | 31.07.2020 / 10.08.2020
Weblink | https://card2brain.ch/box/20200731_cysec_foundations_teil_2
Is PBKDF2 a viable replacement for SHA-2? If no, why not, if yes, why?
No, it is not.
PBKDF2 = password based key derivation function 2
PBKDF2 uses a hash similar to SHA-2, but runs it in a loop 5000 times to slow it down
this is good for logins and passwords, but nowhere else
What is the advantage of Bcrypt over PBKDF2?
It doesn't sit well on a GPU, so it cannot be brute-forced as quickly
What is pseudonymization?
the process of replacing some data with an identifier (pseudonym)
What is the goal of pseudonymization?
to make it more difficult to identify an individual from data
What is the right to be forgotten?
an individual's right to erasure, i.e. to have their information removed from processing or use
Tim is analyzing an attack against his company in which the attacker found comments
embedded in HTML code that provided the clues needed to exploit a software vulnerability.
Using the STRIDE model, what type of attack did he uncover?
information disclosure attack
Matthieu recently authored an innovative algorithm for solving a mathematical problem,
and he wants to share it with the world. However, prior to publishing the software code in
a technical journal, he wants to obtain some sort of intellectual property protection. Which
type of protection is best suited to his needs?
copyright law
If Matthieu protects his innovative algorithm through copyright law, what is protected, what is not?
the specific code is protected, not the idea or the process behind the software
Would degaussing be a suitable method for destroying data stored on an SSD?
no, since the SSD doesn't have a magnetic flux
How is single loss expectancy (SLE) calculated?
SLE is calculated using the formula SLE = asset value ($) * exposure factor (SLE = AV * EF).
Which of the following factors change if you implement a countermeasure?
- Exposure factor
- single loss expectancy
- asset value
- annualized rate of occurrence
annualized rate of occurrence
What kind of risk response is purchasing cybersecurity breach insurance?
risk transfer
RAID-5 is an example of what type of control?
recovery control
What type of authentication factor is voice pattern recognition?
something you are
What type of authentication factor is the callback to a landline?
something you have
How would you shortly describe the SUID?
The SUID is used to execute a command as the owner of the file instead of the user that issued the command
How would you shortly describe the GUID?
The GUID is used to execute a command as a member of the group owner of the file instead of the group of the user who issued the command
What is the difference between a nonce and an IV?
A nonce is a number whose main property is that it has to be used only once. It has to be neither random nor secret.
An IV is a number whose main property is to be random.
What are the two types of ciphers in symmetric cryptography?
- Stream cipher
- Block cipher
Why is Elliptic Curve Diffie Hellman becoming the standard nowadays?
Shorter keys
What are the two use cases for RSA?
non-secret encryption
digital signing
What does it mean that my cipher adds confusion? How can confusion be added?
A cipher adds confusion when the relationship between the message and the ciphertext is not obvious. e.g. substitution
What does it mean that my cipher adds diffusion? How can diffusion be added?
A cipher adds diffusion when little change in the message results in a big change in the ciphertext. e.g. permutations
Why are most of the most used encryption algorithms, like AES, well documented for
the public?
Because of the Kerckhoffs Principle
Which is the currently most in-use symmetric block cipher?
AES
In order to implement a block cipher, why are ECB and cipher block chaining not recommended?
ECB is not good for repeating patterns
CBC cannot be run in parallel
How do Bob and Alice share a key over an insecure channel?
with Diffie-Hellman
What are the parameters shared over Diffie-Hellman?
g
p
g^a mod p
g^b mod p
When RSA is used for signature, which key is used for encryption and which key is used for decryption?
encryption: private
decryption: public
What is a hash collision? Give an example of where to find it
a hash collision happens when the hash of two different inputs is the same
can "easily" be found in MD5, possibly found in SHA-1
Which hash method can be used in a secure way at this moment?
SHA-2 256 bits or 512 bits
Is SHA-3 better or worse than SHA-2?
neither, but it's based on a different algorithm
Why does SHA-3 exist?
if something happens with SHA-2, SHA-3 can be used
Why is SHA-2 not an appropriate way to store passwords?
too quick -> vulnerable to brute-force attacks
What 2 hashes can be used for storing passwords?
PBKDF2
bcrypt
How does HMAC work?
The message is hashed twice.
First, the message is hashed with one part of the key and then with another part of the key
A CA has received a CSR from a webserver.
What does the CSR include?
- public key
- unsigned signature
- signature hash algorithm
A CA has received a Certificate Signing Request from a webserver.
Once verification is completed, what is the CA going to do with that CSR?
- CA creates an x509 cert with
- valid period
- key usage
- signed signature
- and send the cert back to the server
How is a root cert signed and why is it trustworthy?
- it is self signed
- trustworthy because it is already preinstalled
How can a client trust the issuer of an x509 cert?
by auditing the best practices of the issuer