**Computer Security**: Paul Krzyzanowski

# Exam Info

# When & Where

The first exam will be held in our regular classroom on
**Monday, October 7, 2024**.

It will take up about half the lecture, starting
approximately during the second half of the class period.
**Please arrive on time** and do not plan on coming in just
to take the exam. If you arrive after the exam has started, you
will **not** be allowed to take it.

# Exam rules

Be sure to arrive on time. If you arrive after the exam starts, you will not be allowed to take it.

This will be a closed book, closed notes exam. Calculators, phones, augmented reality glasses, laptops, and tablets are neither needed nor permitted. If you have these devices, you must turn them off, put them out of sight, and not access them for the duration of the exam.

No other electronic devices are permitted except for hearing aids, pacemakers, electronic nerve stimulators, other implanted medical devices, or electronic watches that function only as timekeeping devices or chronographs.

Bring a couple of pens or pencils with you. Plan to use a pen only if you are supremely confident in not changing your mind about your answers. Check here for information about pencils, sharpeners, and the craft of pencil sharpening.

# Past exams

You can use my past exams as a guide to what this exam may look like, but realize there are differences in topics and in the sequencing of the topics. Expect around 25 multiple-choice questions. I do not refer to old exams when I come up with a new one, so it is likely that many of the topics that I considered important in past exams will show up on future exams. Some material may have changed, however, so do not worry about questions that appear to relate to topics we have not covered.

# Study guide

You are responsible for the material from the first four lectures and recitations.

I’ve prepared a study guide
that attempts to cover *most* of the material you should know.
It is **not** a substitute for the lectures, lecture material, and other reading matter. All the material may not be in the guide.
My goal is to put most of the information you need to know in a
concise form with fewer elaborations.

You can also prepare your own guide, which would be a much better way to prepare for the exam!

# Topics

Topics that you should know and may be on the exam include:

## Introduction

- What is computer security? Know the terms
- CIA Triad
- Confidentiality
- Understand how privacy relates to confidentiality
- Integrity
- Data integrity
- origin/destination (endpoint) integrity
- system integrity

- Availability

- Security goals
- Prevention
- Detection
- Recovery

- Policy vs. Mechanism
- Definitions
- Vulnerability
- Exploit
- Attack, attack vector, attack surface
- Threat categories (know but don’t memorize)
- Disclosure
- Deception
- Disruption
- Usurpation

- Threat modeling

- Examples of threats
- Snooping
- Modification
- Alteration
- Repudiation of origin
- Denial of receipt
- Delay
- Denial of service

- Types of attackers: opportunistic, targeted, advanced persistent threat
- What is a trusted computing base?

## Cryptography: Symmetric

- Terms:
- authentication, integrity, nonrepudiation, confidentiality
- plaintext, encryption, ciphertext, decryption, cipher
- secret algorithm, public key cipher, symmetric cipher, symmetric key, public key, private key

- Schneier’s Law
- Kerckhoffs’s principle
- Properties of a good cryptosystem
- What is Shannon entropy? (You don’t need to know the formula)
- Key length
- Classic cryptography
- Monoalphabetic substitution cipher; shift cipher
- Attacks: frequency analysis
- Polyalphabetic substitution cipher: Vigenère cipher
- Why is it better than a monoalphabetic substitution cipher?

- One-time pad: why is it so secure?

- What is perfect secrecy and what is needed to achieve it?
- What is a stream cipher and a keystream? Seeded pseudorandom number generator.
- What is a running key?

- What is a rotor machine? Just know it’s a symmetric polyalphabetic cipher.
- Transposition cipher: Have a basic idea of what it does
- What’s a scytale?
- Columnar transposition cipher

- What is a block cipher?
- What is meant by an iterative cipher and multiple rounds?
- What is a subkey?
- What is meant by substitution-permutation?
- What is meant by confusion and diffusion?
- What is an s-box?
- What is the general idea behind a Feistel cipher?
- What is an SP-Network?
- I will not ask you how DES works but know it’s a Feistel cipher
- DES vs. 3DES
- I will not ask you how AES works but know it’s an SP-Network

- Block cipher modes
- Electronic Code Book mode (ECB) - problems with using it
- Cipher Block Chaining mode (CBC)
- Counter mode (CTR)

## Cryptography: Public

- Key distribution
- Why is it a problem?

- What is meant by a trapdoor function?
- Public key cryptography
- Understand how you use public & private keys
- I will not ask you about how RSA works but know it’s based on the difficulty of factoring products of large primes.
- I will not ask you about how ECC works but know it’s based on the difficulty of computing discrete logarithms
- Some problems with using public key algorithms for general purpose communication

- Diffie-Hellman key exchange
- You don’t have to know the algorithm
- Know that it’s for key exchange and not encryption
- Know that it is based on (a^b) mod c and its strength is based on our inability to find the inverse - do discrete logarithms
- Understand how public & private keys are exchanged (you don’t need to know the formula)
- Advantage over using RSA for key exchange (speed and speed in generating keys)

- What is a hybrid cryptosystem? What’s the advantage?
- What is meant by forward secrecy?
- What are ephemeral keys vs. long-term keys?
- What are session keys?
- Understand what algorithms are most affected by quantum computing

## Data Integrity

- What is meant by a *one-way function*?
- What is a cryptographic hash function?
- What are the properties of a cryptographic hash function?
- What is pre-image resistance?
- What does it mean to be collision resistant?
- What do the birthday paradox and the pigeonhole principle tell us about hash functions?
- I will not ask you about the difference between strong and weak collision resistance

- I will not ask you how SHA-1 or SHA-2 work (or any hash functions)

- Message Authentication Codes
- What is a Message Authentication Code (MAC, or keyed hash)?
- I will not ask you the formula for HMAC but understand it’s based on hashing the message and a secret key
- Understand what a CBC-MAC is

- Digital signatures
- What is a digital signature? How do you create one?
- What are the properties of a digital signature?
- What are the three basic operations you need to create and use digital signatures?

- What is a session key?
- How can a public key serve as an anonymous identity?
- Certificates
- How do certificates serve as non-anonymous identities?
- Understand that a certificate contains identifying information, a public key, the CA’s identification, and CA’s signature
- What is a CA (Certification Authority)?
- What is certificate revocation?

- Signed software
- Understand the principle
- Advantage of per-page signatures

## Combined authentication and key exchange

- Security protocol notation
- How does a trusted third party play a role in combined authentication and key exchange?
- Public key authentication
- Diffie-Hellman key exchange (see earlier notes)
- Needham-Schroeder: understand the value of adding a nonce
- Understand the value of adding a timestamp (you don’t have to remember the names Denning-Sacco)
- Understand the value of using session IDs (you don’t have to remember the names Otway-Rees)
- Kerberos
- Understand it uses a trusted third party
- You don’t have to know the protocol in detail but understand the phases and data you get
- Understand that you get an encrypted session key and a ticket
- Understand what a ticket is (basically, the same session key encrypted for the service)
- Understand what a Ticket Granting Server does (provides tickets for all services other than giving the user a ticket for the TGS)

## Authentication

Distinction between identification, authentication, & authorization

What are the three factors of authentication?

What is multi-factor authentication (MFA)?

Password Authentication Protocol

- How does it work?
- What are the security problems?
- Hashed passwords
- Dictionary vs. brute force attacks
- Precomputed hashes
- Salt
- Credential stuffing & password spraying attacks
- Password recovery options

One-time Passwords

- Sequence-based
- S/key: understand how one-way functions can be used to create a list of one-time passwords

- Challenge-based
- Know the basic steps of CHAP
- What makes it secure over a network?
- Passkey authentication

- Time-based and hash-based
- Have a basic understanding of how time-based one-time passwords (TOTP) work: f(time, key)
- I will not ask about Yubikey or SecurID (we didn’t cover those)
- The difference between TOTP and HOTP

Second factor

- Push authentications
- MFA fatigue (Push authentication fatigue)
- Number matching authentication (NMA)

What is a man-in-the-middle (MitM) attack?

## Biometric Authentication

- Text: Chapter 15: pages 457–482 (from homework)
- How does *pattern recognition* apply to biometrics?
- How do *thresholds* apply to biometrics?
- False accept rate (FAR) vs. false reject rate (FRR)
- Receiver Operator Characteristic (ROC) plot
- Behavioral factors
- Fingerprint minutiae
- Robustness vs. distinctiveness
- Authentication process: enrollment, sensing, feature extraction, pattern matching, decision
- Challenges:
- trusted devices and data path
- human liveness
- tamper-proof devices and secure communications
- thresholds
- compartmentalization
- theft of biometric

- Cooperative vs. non-cooperative systems