
Security & Privacy | Final Exam Review

TOPICS COVERED
these will be on the exam in one form or another

anonymity networks

biometrics

hash functions (incl. ROM)

need to know how ROM works

password and pin security

ransomware

symmetric key and public key cryptography

LOGISTICS

final exam is 25% of grade

closed-book one-hour exam

look over HW 1 to prep

short-answer responses/pseudocode

Symmetric Key Encryption

key k

Encrypt(m, k) → c

Decrypt(c, k) → m

aka secret key algorithm

uses same key for both encryption and decryption

lecture provided by Cornell: http://www.cs.cornell.edu/courses/cs5430/2010sp/TL03.symmetric.html

There exist many symmetric encryption algorithms. A few of the well-known ones include AES, DES,
Blowfish, and Skipjack. Symmetric encryption is typically more efficient than asymmetric encryption,
and is often used for bulk data encryption.

Block Ciphers

In cryptography, a block cipher is a deterministic algorithm operating on fixed-length groups
of bits, called blocks, with an unvarying transformation that is specified by a symmetric
key.

The Advanced Encryption Standard or AES is a symmetric block cipher used by the U.S. government
to protect classified information and is implemented in software and hardware throughout the world to
encrypt sensitive data.

Anonymity Networks
Alice wants to send an HTTP request to Bob over the Internet. Alice could encrypt the request just
once, but to make it truly anonymous she encrypts the message inside another encrypted
message and then does that again. At each hop along the path, the message is still wrapped in
several remaining layers of encryption.
Understand how these network paths work.

All nodes in path from Alice to Bob have different symmetric keys

Each layer is decrypted in order, one node at a time

[path diagram] Alice → R1 (k1) → R2 (k2) → R3 (k3) → R4 (k4) → Bob: decrypting with k reveals R1, decrypting with k1 reveals R2, and so on, each relay peeling only its own layer
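The layered path above, as an added Python simulation that is not part of these notes: Alice wraps the request once per relay (innermost layer first), each relay strips exactly one layer with the key it shares with Alice and learns only the next hop, and only Bob sees the plaintext. The relay names R1..R4, the keys and the request are constructed for the demo, and the cipher is a toy XOR stream cipher built from SHA-256 so the example runs on the standard library alone (a real onion router would use a proper cipher such as AES-CTR).

```python
import hashlib
import os

NONCE_LEN = 16


def toy_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream from SHA-256 in counter mode. Toy construction for the demo only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce per layer; output = nonce || (plaintext XOR keystream)."""
    nonce = os.urandom(NONCE_LEN)
    ks = toy_keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = toy_keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, destination, message):
    """Alice wraps the message once per relay, innermost layer first.
    Each layer is  next_hop || 0x00 || inner_payload  encrypted under the key
    Alice shares with that relay, so a relay learns only where to forward."""
    hops = path + [destination]
    payload = message
    for i in range(len(path) - 1, -1, -1):
        layer = hops[i + 1].encode() + b"\x00" + payload
        payload = toy_encrypt(keys[path[i]], layer)
    return payload


def relay_peel(relay, keys, onion):
    """A relay strips exactly one layer with its own key and reads the next hop."""
    inner = toy_decrypt(keys[relay], onion)
    next_hop, _, payload = inner.partition(b"\x00")
    return next_hop.decode(), payload


def simulate(path, keys, destination, message):
    """Walk the onion along the path. Returns what each relay observed
    (its name, who handed it the packet, where it forwarded it) and the
    plaintext that finally reaches the destination."""
    onion = build_onion(path, keys, destination, message)
    observed, previous, current = [], "Alice", onion
    for relay in path:
        next_hop, current = relay_peel(relay, keys, current)
        observed.append((relay, previous, next_hop))
        previous = relay
    return observed, current


# Constructed demo values: four relays, each with its own key shared with Alice.
PATH = ["R1", "R2", "R3", "R4"]
KEYS = {relay: hashlib.sha256(f"demo-key-{relay}".encode()).digest() for relay in PATH}
REQUEST = b"GET / HTTP/1.1\r\nHost: bob.example\r\n\r\n"

if __name__ == "__main__":
    seen, delivered = simulate(PATH, KEYS, "Bob", REQUEST)
    for relay, came_from, going_to in seen:
        print(f"{relay}: received from {came_from}, forwards to {going_to}")
    print("Bob receives:", delivered)
```

Note that R1 sees Alice and R2 but never Bob, while R4 sees Bob but never Alice; no single relay holds both ends of the path, which is the anonymity property the notes describe.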

Tor is an example of an anonymity network. Tor has multiple encryption layers like an onion
- ergo the onion logo.
Tor's application independence sets it apart from most other anonymity networks: it works at
the Transmission Control Protocol (TCP) stream level. Applications whose traffic is commonly
anonymized using Tor include Internet Relay Chat (IRC), instant messaging, and World Wide Web
browsing.
HIDDEN SERVICES PROTOCOL

helpful overview provided by Tor: https://www.torproject.org/docs/hidden-services.html.en

Hashing
remember, hashing is NOT an encryption algorithm
a lot of students mentioned in HW 1 or 2 that they were going to encrypt or decrypt a hash - this isn't proper

defined: one-way function that is easy to compute but hard to reverse

output should be random looking, since you're trying to avoid being able to learn anything
about the input from the output

H: {0, 1}* → {0, 1}^128

pre-image resistance

collision resistance

need to be able to compute it forward but not backward

there's no key involved and there's no such thing as unhashing (brute-force guessing is
still not unhashing)

SALTING

salting is a way of making hashing non-deterministic and more secure

more technical overview: http://security.stackexchange.com/questions/51959/why-are-salted-hashes-more-secure-for-password-storage

basic overview: https://www.addedbytes.com/blog/why-you-should-always-salt-your-hashes/
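An added Python example (not from these notes) covering the hashing and salting points together: a hash is keyless and deterministic, a one-character change scrambles the output, an unsalted password hash is identical for every user with the same password, and a salted, slow hash (PBKDF2 here) is verified by recomputing and comparing, never by "decrypting". The passwords and salts are constructed for the demo.

```python
import hashlib
import hmac
import os


def digest_hex(data: bytes) -> str:
    """H: {0,1}* -> {0,1}^256 (SHA-256 here). Same input, same output, no key."""
    return hashlib.sha256(data).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Number of output bits that differ between two digests (avalanche effect)."""
    return bin(int(hex_a, 16) ^ int(hex_b, 16)).count("1")


def unsalted_password_hash(password: str) -> str:
    """Deterministic: two users with the same password get the same stored value,
    and one precomputed table serves every account."""
    return digest_hex(password.encode())


def make_salted_record(password: str, salt=None, iterations: int = 100_000) -> dict:
    """Store a random per-user salt next to a slow, salted PBKDF2 digest.
    The salt is not secret; it only has to be unique so that equal passwords
    hash differently and every guess must be re-run per account."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time. There is no
    'unhashing' of the stored value, only recomputing and comparing."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


if __name__ == "__main__":
    a = unsalted_password_hash("hunter2")
    b = unsalted_password_hash("hunter3")
    print("unsalted, same input twice is identical:", a == unsalted_password_hash("hunter2"))
    print("bits differing after a one-character change:", bit_difference(a, b), "of 256")
    rec1 = make_salted_record("hunter2")
    rec2 = make_salted_record("hunter2")
    print("salted, same password, different stored hashes:", rec1["hash"] != rec2["hash"])
    print("verify correct password:", verify_salted("hunter2", rec1))
    print("verify wrong password:", verify_salted("hunter3", rec1))
```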

RANDOM ORACLE MODEL (ROM)

ideal hash you want to use to analyze hash functions

relates to birthday paradox

k balls into n bins (k being people, n being days of the year)
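The birthday computation the ROM analysis relies on, as an added Python example (not from these notes): the exact probability that k balls thrown into n bins share a bin, the usual approximation 1 - e^(-k(k-1)/2n), and the number of balls needed to reach a target collision probability, which grows like sqrt(n). With n = 365 days this gives the familiar 23 people; with n = 2^128 bins (the notes' 128-bit hash output) it gives on the order of 2^64 hashes.

```python
from math import exp, log, sqrt


def collision_probability(k: int, n: int) -> float:
    """Exact probability that at least two of k uniformly placed balls share
    one of n bins: 1 - (n/n)(n-1/n)...(n-k+1/n)."""
    p_no_collision = 1.0
    for i in range(k):
        p_no_collision *= (n - i) / n
    return 1.0 - p_no_collision


def collision_probability_approx(k: int, n: int) -> float:
    """Standard approximation, accurate when k is much smaller than n."""
    return 1.0 - exp(-k * (k - 1) / (2.0 * n))


def balls_for_probability(n: int, target: float = 0.5) -> int:
    """Smallest k whose exact collision probability reaches the target.
    Counts upward, so only practical for small n."""
    k = 1
    while collision_probability(k, n) < target:
        k += 1
    return k


def balls_for_probability_approx(n: int, target: float = 0.5) -> float:
    """Inverse of the approximation: k ~ sqrt(2 n ln(1/(1-target))).
    For target 0.5 this is about 1.18 * sqrt(n), i.e. 2^64 for a 128-bit hash."""
    return sqrt(2.0 * n * log(1.0 / (1.0 - target)))


if __name__ == "__main__":
    print("people for a 50% shared birthday:", balls_for_probability(365))
    print("P(collision) with 23 people:", round(collision_probability(23, 365), 4))
    print("approximation with 23 people:", round(collision_probability_approx(23, 365), 4))
    print("hashes for a 50% collision, 128-bit output: about 2^%.1f"
          % log(balls_for_probability_approx(2 ** 128), 2))
```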

Passwords & Pins

people pick bad passwords - that much is obvious

entropy is how you measure the strength of a password

password security = how hard it is to guess

example: a strong password generator (high entropy means every guess is equally unlikely)

GP = guessing probability
GPP = password with highest guessing probability
Smith = .09
number of tries = 1/GP
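An added Python example (not from these notes) that puts the guessing-probability idea into code over a constructed password sample: the most likely password's probability is the GP, 1/GP is the expected number of tries if users were all on that one password, min-entropy -log2(GP) is the bit-strength against a guesser who always tries the most likely password first, and the sample is constructed so the top password has GP 0.09, matching the figure in the notes.

```python
from collections import Counter
from math import log2


def guess_probabilities(samples):
    """Empirical probability of each password in a sample of user choices."""
    counts = Counter(samples)
    total = sum(counts.values())
    return {pw: c / total for pw, c in counts.items()}


def most_likely(probs):
    """The password with the highest guessing probability and that probability (GP)."""
    pw = max(probs, key=probs.get)
    return pw, probs[pw]


def min_entropy_bits(probs):
    """-log2(GP): strength against an attacker who guesses the best candidate first."""
    return -log2(max(probs.values()))


def shannon_entropy_bits(probs):
    """Average-case entropy; always >= min-entropy, so it overstates worst-case strength."""
    return -sum(p * log2(p) for p in probs.values())


def expected_guesses(probs):
    """Expected number of tries for a guesser working in decreasing order of probability."""
    ordered = sorted(probs.values(), reverse=True)
    return sum((i + 1) * p for i, p in enumerate(ordered))


def success_after(probs, tries):
    """Fraction of accounts cracked after the given number of best-first guesses."""
    ordered = sorted(probs.values(), reverse=True)
    return sum(ordered[:tries])


# Constructed sample of 100 user passwords: a few popular choices plus 80 unique ones.
SAMPLE_PASSWORDS = (["123456"] * 9 + ["password"] * 6 + ["qwerty"] * 5
                    + [f"unique-{i:02d}" for i in range(80)])

if __name__ == "__main__":
    probs = guess_probabilities(SAMPLE_PASSWORDS)
    pw, gp = most_likely(probs)
    print(f"most likely password {pw!r}, GP = {gp:.2f}, 1/GP = {1 / gp:.1f} tries")
    print(f"min-entropy {min_entropy_bits(probs):.2f} bits, "
          f"Shannon entropy {shannon_entropy_bits(probs):.2f} bits")
    print(f"expected guesses (best-first): {expected_guesses(probs):.2f}")
    print(f"accounts cracked after 3 guesses: {success_after(probs, 3):.0%}")
```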

Ransomware and Malware


rip ask Ari

Public Key Encryption

opposite of symmetric encryption

aka asymmetric encryption

two keys: secret key and public key

quick overview: https://medium.com/@vrypan/explaining-public-key-cryptography-to-non-geeks-f0994b3c2d5#.vktjm04jc

DIFFIE HELLMAN PUBLIC KEY CRYPTOGRAPHY

viewed as an asymmetric algorithm even though it produces symmetric keys

uses two different numbers to derive secret key

each side has a different key to start with and they end up with the same secret key - ergo
it's asymmetric

Alice and Bob decide publicly on a number (15).

Alice then chooses a secret number (2) that no one knows, takes the public number to the power
of her secret number (15^2 = 225) and sends the result (225) to Bob.
Bob then does the same thing with his secret number (3): he takes the public number (15) to the
power of his secret number (15^3 = 3375) and sends the result (3375) to Alice.
At this point Alice has Bob's result (3375) and Bob has Alice's result (225). Now the fun part.
Alice takes Bob's result (3375) to the power of her secret number (3375^2 = 11390625). Then Bob
takes Alice's result (225) to the power of his secret number (225^3 = 11390625). They come up
with the same number!

technical overview: http://crypto.stackexchange.com/questions/6307/why-is-diffie-hellman-considered-in-the-context-of-public-key-cryptography

Biometrics

authentication based on something you are

fuzzy crypto

spoofable

FAR (false acceptance rate)

someone spoofs my thumb print to unlock my phone and lets them get into my phone
(eep)

FRR (false rejection rate)

using my thumb to unlock my own phone and it doesn't let me get into my phone (eep)
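An added Python example (not from these notes) showing how FAR and FRR come out of one accept/reject threshold on a matcher's similarity score: raising the threshold lowers FAR (fewer spoofs accepted) but raises FRR (more genuine attempts rejected), and the equal-error point is where the two meet. The genuine and impostor match scores are constructed for the demo.

```python
def far_frr(genuine_scores, impostor_scores, threshold):
    """Accept a sample when its match score >= threshold.
    FAR = fraction of impostor attempts accepted (someone else's thumb gets in).
    FRR = fraction of genuine attempts rejected (my own thumb is turned away)."""
    far = sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)
    frr = sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)
    return far, frr


def sweep(genuine_scores, impostor_scores, thresholds):
    """(threshold, FAR, FRR) for each candidate threshold, to see the trade-off."""
    return [(t, *far_frr(genuine_scores, impostor_scores, t)) for t in thresholds]


def equal_error_threshold(genuine_scores, impostor_scores, thresholds):
    """Threshold at which FAR and FRR are closest (the equal-error operating point)."""
    return min(thresholds,
               key=lambda t: abs(far_frr(genuine_scores, impostor_scores, t)[0]
                                 - far_frr(genuine_scores, impostor_scores, t)[1]))


# Constructed match scores in [0, 1]: the phone owner's own thumb vs. other people's.
GENUINE = [0.92, 0.88, 0.95, 0.81, 0.77, 0.90, 0.85, 0.66, 0.93, 0.89]
IMPOSTOR = [0.12, 0.35, 0.28, 0.61, 0.45, 0.22, 0.70, 0.18, 0.30, 0.52]
THRESHOLDS = [0.50, 0.60, 0.65, 0.70, 0.75, 0.80, 0.90]

if __name__ == "__main__":
    for t, far, frr in sweep(GENUINE, IMPOSTOR, THRESHOLDS):
        print(f"threshold {t:.2f}: FAR {far:.0%}  FRR {frr:.0%}")
    print("equal-error threshold:", equal_error_threshold(GENUINE, IMPOSTOR, THRESHOLDS))
```

A phone vendor tuning for convenience picks a lower threshold (low FRR, higher FAR); a high-security door picks a higher one (low FAR, higher FRR). Neither setting helps against a spoof whose score lands above the threshold, which is the "spoofable" point in the notes.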
