Key Space, Digital Certificates, Biometrics
36 Questions
Questions and Answers

How does an increase in the key space size impact the difficulty for an attacker attempting a brute force attack?

  • It linearly increases the computational resources required for a successful brute force attack.
  • It makes the brute force attack easier by providing more predictable key patterns.
  • It exponentially increases the computational resources required for a successful brute force attack. (correct)
  • It has no impact, as brute force attacks depend solely on the algorithm's complexity, not the key size.

Which of the following best explains the primary role of a Certificate Authority (CA) in the context of digital certificates?

  • To manage and distribute symmetric keys for secure communication.
  • To issue and sign digital certificates, vouching for the identity of the certificate holder. (correct)
  • To encrypt data transmitted between a client and a server.
  • To decrypt data encrypted with a private key.

In a biometric security system, what do the False Rejection Rate (FRR) and False Acceptance Rate (FAR) measure, respectively?

  • FRR measures the rate at which unauthorized access attempts are detected, while FAR measures the rate at which authorized access attempts are successful.
  • FRR measures incorrect acceptances, while FAR measures incorrect rejections.
  • FRR measures the rate of system failures, while FAR measures the rate of successful authentications.
  • FRR measures the rate at which authorized users are incorrectly rejected, and FAR measures the rate at which unauthorized users are incorrectly accepted. (correct)

In asymmetric cryptography, under what circumstances is a private key typically used for encryption?

To create a digital signature for verifying the authenticity and integrity of data. (A)

Which of the following describes a common practice that leverages both asymmetric and symmetric cryptography to secure communication channels?

Using symmetric encryption to encrypt the data, and then using asymmetric encryption to encrypt the symmetric key. (B)

What is the primary role of a Registration Authority (RA) within a Public Key Infrastructure (PKI)?

To collect and verify the identity information of certificate requesters. (C)

Besides hashing, what other mechanism can ensure data integrity?

Digital signatures. (B)

Which of the following authentication factors provides the strongest level of security when used in multi-factor authentication?

Combining something you know with something you have. (C)

What is the primary goal of cryptanalysis?

To find vulnerabilities in cryptographic algorithms or implementations. (A)

Which of the following best describes how the Bell-LaPadula model enforces confidentiality?

By preventing subjects from reading data at a higher security level and writing data to a lower security level. (A)

How does a worm differ from a virus in terms of propagation?

A worm can spread independently across networks, while a virus typically needs a host file. (B)

Which of the following is NOT a primary function of a Public Key Infrastructure (PKI)?

Data encryption. (C)

What is the purpose of using an access token for physical or logical access?

To provide proof of identity for accessing physical locations or computer systems. (B)

Which social engineering technique involves creating a false scenario to trick someone into divulging confidential information?

Pretexting. (C)

What is the primary consequence if a Root Certificate Authority's (CA) private key is compromised?

All certificates issued by that CA become untrustworthy, enabling attackers to forge seemingly valid certificates. (B)

How do hash functions ensure data integrity?

By creating a unique, fixed-size value for any input data, where even a small change to the input data results in a drastically different hash value. (D)

Which layer of the OSI model uses MAC addresses for delivering data within a Local Area Network (LAN)?

Data Link Layer. (B)

In what scenario would UDP be preferred over TCP?

When streaming video or in online gaming where speed is more important than guaranteed delivery. (D)

Which of the following best describes the structure of a digital certificate?

A document that binds an identity to a public key and is signed by a Certificate Authority (CA). (B)

What is the primary purpose of non-repudiation in security?

Ensuring that the sender of a message cannot deny having sent it. (A)

What is the purpose of DHCP (Dynamic Host Configuration Protocol) in a network?

To dynamically assign IP addresses and other network configuration parameters to devices. (B)

What is the main security risk associated with Single Sign-On (SSO) implementations?

If the SSO system is compromised, an attacker may gain access to multiple systems and resources. (D)

Which of the following correctly lists the three properties of security defined by the CIA triad?

Confidentiality, Integrity, Availability. (A)

Which of the following is the major benefit two-factor authentication provides over single-factor authentication?

It increases the cost and complexity for an attacker to compromise authentication. (D)

What is the purpose of encryption?

To transform plaintext into ciphertext, making it unreadable without the correct key. (D)

In the AAA security framework, what does 'Authorization' determine?

Determining what an authenticated user is allowed to access or do. (C)

Which network device is responsible for forwarding data packets across different networks based on IP addresses?

Router. (D)

Which IPv4 network class is designed to support the largest number of hosts?

Class A. (C)

In a network, what is a key difference between a star and bus topology?

A star topology relies on a central device, while a bus topology shares a single communication line. (A)

Which protocol is commonly used for sending lightweight diagnostic messages such as 'ping'?

ICMP. (A)

What is 'Shoulder Surfing'?

Observing someone's screen or keyboard to obtain sensitive information. (D)

What is the primary difference between TCP and UDP?

TCP guarantees data delivery, while UDP does not. (D)

How do Local Area Networks (LANs) and Wide Area Networks (WANs) differ?

LANs cover smaller geographic areas, such as a single building or campus, while WANs span broader distances. (A)

In a Public Key Infrastructure (PKI), who is responsible for validating an identity and binding it to a public key certificate?

The Certificate Authority (CA). (D)

What is the role of a Registration Authority (RA) in PKI?

Collecting and verifying identity information from certificate requesters. (C)

How does HMAC differ from a Digital Signature?

HMAC uses a symmetric key and hashing for integrity and authenticity among parties sharing the key, while Digital Signatures use asymmetric keys for broader authenticity and integrity. (B)

Flashcards

Key Space

The range of all possible key values in a cryptographic system.

False Rejection Rate (FRR)

A rate that measures how often an authorized user is incorrectly denied access.

False Acceptance Rate (FAR)

A rate that measures how often an unauthorized user is incorrectly granted access.

Symmetric Cryptography

Cryptography using the same key for encryption and decryption; generally faster.

Asymmetric Cryptography

Cryptography using public/private key pairs; slower but more secure for key exchange.

Public Key Infrastructure (PKI)

Framework for managing digital keys and certificates.

Data Integrity

Ensuring data is not altered or corrupted, typically through hashing or checksums.

Authentication Factors

Verifying a user's identity based on something they know, have, or are.

Cryptanalysis

Finding weaknesses in cryptographic algorithms or implementations.

Bell-LaPadula Model

Security model primarily enforcing confidentiality with 'No Read Up' and 'No Write Down' rules.

Worm

Malicious program that replicates independently across networks.

Social Engineering

Manipulating individuals to reveal confidential information.

Certificate Authority (CA)

Entity that issues and signs digital certificates.

Digital Signature

Ensures authenticity and integrity using private key to sign and public key to verify.

Policy

High-level statement of management intent.

Procedure

Detailed, step-by-step instructions for policy implementation.

Guideline

Suggested best practices; more flexible than procedures or policies.

Hashing

Mapping data to a fixed-length value; irreversible.

Local Area Network (LAN)

Using MAC addresses to forward frames at the data-link layer.

DHCP

Automatically assigns IP addresses on a network.

Single Sign-On (SSO)

User logs in once, and gains access to multiple systems without re-authenticating.

Confidentiality

Preventing unauthorized disclosure of information.

Availability

Ensuring timely, reliable access to information.

Encryption

Algorithm + key transforms plaintext to ciphertext.

Authorization

Determines what an authenticated user is allowed to access.

ICMP

Lightweight protocol for diagnostic messages (e.g., 'ping').

Shoulder Surfing

Observing someone’s screen or keyboard to obtain sensitive information.

TCP

Connection-oriented, reliable protocol with three-way handshake.

UDP

Connectionless protocol with no handshake or reliability checks.

Registration Authority (RA)

Collects and verifies identity information from the certificate requestor.

HMAC

Uses a symmetric key plus hashing to ensure message integrity.

Study Notes

  • Study guide covers topics for multiple-choice and true/false questions.

Key Space

  • Key Space Definition: The range of all possible values of keys in a cryptographic system.
  • Significance: A larger key space increases the difficulty for attackers to brute-force a key due to higher computational expense.
  • Example: A 128-bit key has 2^128 possible values.
  • Symmetric and Asymmetric keys can vary in bit length, but more bits always equate to a larger key space.

Digital Certificates

  • Uses Asymmetric Keys for Validation.
  • Components: Digital certificates include a public (asymmetric) key and information about the certificate holder's identity like name and organization.
  • Validation: A Certificate Authority (CA) signs the certificate using its private key, and verification is done using the CA's public key.

FRR, FAR (Biometrics)

  • FRR Definition: False Rejection Rate is the rate at which authorized users are incorrectly rejected.
  • FAR Definition: False Acceptance Rate is the rate at which unauthorized users are incorrectly accepted.
  • Application: Commonly used in biometric security to assess accuracy and balance user convenience with security.

Private Key Usage

  • A private key can decrypt data encrypted with the corresponding public key in asymmetric cryptography.
  • Private keys are also used to create digital signatures.
  • While private keys can perform both roles (decrypting and signing), they are typically used for signing or decryption rather than encrypting for confidentiality.

Asymmetric vs. Symmetric Cryptography Speed

  • Symmetric cryptography is generally faster than asymmetric cryptography.
  • Asymmetric cryptography is slower because of complex math operations like large prime factorization.
  • A common practice uses asymmetric cryptography to securely exchange a session key, then switches to symmetric cryptography for bulk data encryption.

PKI Keys

  • Public Key Infrastructure (PKI): A framework for managing keys and certificates, including Certificate Authorities (CAs), Registration Authorities (RAs), and certificate databases.
  • PKI ensures users and devices can trust that a public key belongs to its claimed owner.

Data Integrity

  • Typically ensured by hashing (e.g., SHA-256) or other integrity checks such as checksums or message authentication codes.
  • Data Integrity is the "I" in CIA (Confidentiality, Integrity, Availability).
  • Digital signatures also assure integrity as signature verification fails if data is modified.

Authentication Factors

  • Three main factors:
    • Something you know (password, PIN)
    • Something you have (smart card, token, phone)
    • Something you are (biometrics: fingerprint, face recognition)
  • Additional factors include:
    • Something you do (behavioral biometrics like keystroke dynamics)
    • Somewhere you are (location-based).

Cryptanalysis

  • Cryptanalysis Definition: The study of finding weaknesses in cryptographic algorithms or implementations.
  • Goal: Break encryption, find collisions, or deduce keys using methods like brute force, known-plaintext attacks, and chosen-plaintext attacks.

Bell-LaPadula Model

  • Key focus is enforcing confidentiality in access control.
  • Key rules:
    • No Read Up: A subject cannot read data at a higher security level.
    • No Write Down: A subject cannot write data to a lower security level.
  • Often used in military or government contexts with strict classification levels.

Worm Software

  • Worm Definition: A malicious program that can replicate itself across computers and networks.
  • Key Difference from a virus: Worms propagate independently and don't require a host file or program to spread.

Multi-Factor Authentication

  • You Have: token, smartphone, etc.
  • You Are: biometric fingerprint, iris, etc.
  • You Do: dynamic signature, voice pattern, keystroke pattern.

Purpose of PKI

  • Enable secure, detectable, and reliable communication.
  • Provides a structure to manage:
    • Key generation
    • Distribution
    • Revocation (if compromised)
    • Trust (via CA signatures)

Access Token

  • Physical access token example: smart card, USB security key, or badge.
  • Use: Proves physical or logical access rights.

Social Engineering

  • Social Engineering Definition: Manipulating people into divulging confidential information through phishing, pretexting, tailgating, or baiting.
  • Prevention: Training, awareness, and strict policies on information disclosure.

Certificate Authority (CA)

  • Certificate Authority: Issues and signs digital certificates using its private key.
  • Recipients verify a certificate by checking the CA’s public key.

Digital Signatures

  • Digital Signatures Use Asymmetric Keys.
    • The private key signs the data.
    • The public key verifies the signature.
  • Ensures authenticity and integrity.

Organizational Levels

  • Policy: High-level statement of management intent (broad rules and principles).
  • Procedure: Detailed, step-by-step instructions to implement a policy.
  • Guideline: Suggested best practices; more flexible than procedures or policies.

Root CA Compromise

  • The consequences of Root CA Private Key Compromise:
    • Security breach risk.
    • All certificates issued by that CA become untrustworthy.
    • Attackers could forge certificates that appear valid.
  • Resolution: Requires revoking and reissuing new certificates under a new root authority.

Hashing

  • Hashing is Irreversible
  • Hash function: Maps data to a fixed-length value (the “digest”).
  • Purpose: Designed so you cannot feasibly retrieve the original data from the hash.
  • Example: SHA-256, SHA-3

PKI

  • PKI = Public Key Infrastructure
  • It’s the framework for managing public key certificates and encryption.

Local Area Network

  • Within a LAN, devices use MAC (Media Access Control) addresses to forward frames at the data‐link layer.
  • The LAN switch/hub typically uses MAC addresses to deliver data.
  • IP addresses are used at higher layers, but at the local link layer, MAC is key.

TCP vs UDP Speed

  • UDP is generally faster with less overhead (no connection setup, no reliability checks).
  • TCP is connection-oriented with acknowledgments and retransmissions, and is more reliable.
  • UDP is preferred for time-sensitive data like gaming and streaming.

Digital Certificate Structure

  • Document that binds an identity (user, device) and a public key (associated with that identity).
  • Signed by a CA, it proves "this public key belongs to this individual or organization."

Security Goals

  • Non-repudiation: The sender cannot deny having sent the message (digital signatures help).
  • Integrity: Ensures the message was not altered (hashing plus signatures help).

DHCP

  • DHCP (Dynamic Host Configuration Protocol)
  • Automatically assigns IP addresses and other network configuration parameters to devices on a network.
  • Simplifies management of multiple devices.

Single Sign-On (SSO)

  • A user logs in once and gains access to multiple systems or resources without reauthenticating.
  • Enhances convenience, but if compromised, an attacker might gain wide access.

Security Properties

  • CIA:
    • Confidentiality: Preventing unauthorized disclosure of information.
    • Integrity: Preventing unauthorized alteration or destruction of information.
    • Availability: Ensuring timely, reliable access to information.

Two-Factor Authentication

  • Combines 2 of these:
    • Something you know (password)
    • Something you have (phone, token)
    • Something you are (biometric)

Encryption

  • Plain Text → Cipher Text
  • Encryption transforms readable data (plaintext) into unreadable data (ciphertext) via an algorithm and a key.
  • Decryption reverts ciphertext back to plaintext (with the correct key).

AAA

AAA stands for Authentication, Authorization, and Accounting (sometimes also "Auditing").

  • Authorization: Determines what an authenticated user is allowed to do or access.

Internet Packet Delivery

  • Router: Forwards data packets between different networks (based on IP addresses) at the network layer (Layer 3 in the OSI model).

Network Classifications

  • Difference between Class A, B, and C networks:
  • Class A: 0.0.0.0–127.255.255.255 (very large networks, many hosts)
  • Class B: 128.0.0.0–191.255.255.255 (medium networks)
  • Class C: 192.0.0.0–223.255.255.255 (smaller networks)

Network Topologies

  • Star: All nodes connect to a central device (switch/hub); easier to troubleshoot but depends on the central device.
  • Bus: All nodes share a single communication line; failure of the line breaks the network.

Packets

  • ICMP: Internet Control Message Protocol, used for diagnostic messages.
  • Usually the most lightweight, with no connection overhead.

Shoulder Surfing Prevention

  • Observing someone’s screen or keyboard to obtain sensitive information like passwords or PINs.
  • Prevention: Privacy screens, awareness, physical environment considerations.

TCP vs UDP

  • TCP: Connection-oriented, reliable, uses three-way handshake (SYN, SYN-ACK, ACK); guarantees data delivery (retransmissions).
  • UDP: Connectionless, no handshake, no reliability checks; lower overhead, faster.

Network Types

  • LAN: Local Area Network, covers a small geographic area (single building, campus); typically under one organization’s control.
  • WAN: Wide Area Network, spans broader geographic distance (e.g., connecting multiple LANs across cities or countries).

PKI

  • CA Validates Identity.
  • Ensures that public key truly belongs to the named entity.

RA Task

  • Registration Authority.
  • RA Collects and verifies identity information from the certificate requestor.
  • It does not sign the certificate.

HMAC vs Digital Signature

  • HMAC: Uses a symmetric key plus a hashing function.
    • Protects message integrity and authenticity for parties who share the secret key.
  • Digital Signature: Uses an asymmetric key pair (private key to sign, public key to verify).
    • Proves authenticity and integrity to anyone with the public key (not just secret key holders).

Data Integrity

  • Verified by Hashing.
  • Hash functions generate a fixed‐length output from an input of any length.
  • Any change in the input produces a completely different hash (high sensitivity to changes).

Hashing Property

  • Hashing Is One-Way, Irreversible.
  • There is no such thing as “two‐way hashing.”
  • Once data is hashed, you cannot reconstitute the original data from the hash alone.

Description

Study guide covering key space in cryptography, digital certificates and biometrics. Key space refers to the range of possible values for cryptographic keys, with larger key spaces increasing security. Digital certificates use asymmetric keys for validation, signed by a Certificate Authority.
