Hash Applications

Questions and Answers

Which of the following is NOT a solution for securely storing passwords using hash functions?

Using salt to store hashed password in a database

Direct storage of userid and password in a database table

Storing plaintext password in a database (correct)

Storing hashed password in a database

What is the risk associated with direct storage of userid and password in a database table?

If an attacker gains access to the database, they can only impersonate the user whose credentials they stole

If an attacker gains access to the database, they can only view the user's credentials

If an attacker gains access to the database, they can impersonate any user (correct)

There is no risk associated with direct storage of userid and password in a database table

What is the issue with storing hashed password in a database without using salt?

There is no issue with storing hashed password in a database without using salt

If an attacker gains access to the database, they can impersonate any user

If an attacker gains access to the database, they can use precomputed lookup tables of hashes of frequently used passwords to find matches (correct)

If an attacker gains access to the database, they can only view the user's credentials

What is the recommended solution for securely storing passwords using hash functions?

Using salt to store hashed password in a database

What is a blockchain?

A distributed ledger for storing cryptocurrency transactions

What makes a blockchain immutable and secure?

Any changes to a block's content would require altering all subsequent blocks

What is a proof-of-work scheme?

A scheme employed in Bitcoin and anti-spam systems that uses hash functions to ensure that creating a valid message requires a certain amount of computing resources

What is the purpose of a nonce in proof-of-work schemes?

To append to a file or message and compute a hash

What is the role of a miner in Bitcoin mining?

To check new transactions, build a new block, compute a proof-of-work, and write the successful nonce into the block

What is the purpose of a proof-of-work nonce in anti-spam schemes?

To produce a nonce that satisfies the proof-of-work condition to send a message

What happens to emails without proof-of-work in anti-spam schemes?

They are rejected by the receiver

What is the purpose of adjusting the required pattern of the hash code in proof-of-work schemes?

To adjust the difficulty of proof-of-work

Which of the following is a risk associated with storing user credentials directly in a database table?

An attacker can impersonate any user

What is the recommended solution for securely storing passwords using hash functions?

Using salt

What is the purpose of a salt in password storage using hash functions?

To add randomness to the hash function

What is a blockchain?

A distributed ledger

What is the difference between permissionless and permissioned blockchain?

Permissionless blockchain allows anybody to join

What is the purpose of proof-of-work in Bitcoin and anti-spam systems?

To prevent spam emails from being sent

What is the role of a miner in Bitcoin mining?

To build a new block and compute a proof-of-work

What is the purpose of a nonce in proof-of-work schemes?

To add randomness to the hash function

What happens if an email sender does not provide a proof-of-work nonce in anti-spam schemes?

The email is rejected by the receiver

What is the purpose of adjusting the required pattern of the hash code in proof-of-work schemes?

To make it more difficult for miners to validate transactions

What is the difference between direct storage and storing hashed password in password storage using hash functions?

Storing hashed password is more secure

What is the purpose of a distributed ledger in blockchain technology?

To ensure the security of the blockchain

What are the different levels of knowledge an attacker can have when trying to break a cipher?

Ciphertext only, known plaintext, chosen plaintext, chosen ciphertext, samples of previous signatures or message authentication codes.

What does it mean to 'break' a cryptosystem?

Finding the plaintext, the key, creating a digital signature or creating a message authentication code.

Does obtaining some partial information about the plaintext/key count as 'breaking' the cryptosystem?

It depends on the definition of security being used.

What is computational security?

It means that breaking the cipher is unfeasible (too time/resource consuming) based on the currently available algorithms and computing power.

What is unconditional security?

It means that breaking the cipher is impossible (even with unlimited time/resources).

What is perfect secrecy?

It means that the ciphertext leaks no information about the plaintext (except the length); guessing the plaintext has the same chances of success after having seen the ciphertext as it had before seeing it.

What is provable security?

It means that there is no efficient algorithm that can be used by the attacker to succeed with reasonably high probability.

For which type of cryptography are there security proofs?

Mainly public key cryptography.

Is there provable security for symmetric cryptography?

No.

What do the other ciphers in use today have in terms of security?

Computational security only in the sense that no attack has succeeded in a reasonable amount of time. However, there is no proof that no efficient attack will be found.

What is the one-time pad?

A cipher that has perfect secrecy.

Why is the one-time pad not used in practice?

Because it is expensive.