Search Results
210 total results found
Introduction to cryptography and perfect ciphers
Cryptography is the study of techniques to allow secure communication and data storage in the presence of attackers. The features that it aims to provide are: Confidentiality: data can be accessed only by chosen entities Integrity/freshness: detect/prevent tamper...
Computationally secure ciphers and pseudorandom number generators
A modern practical assumption is to build ciphers such that a successful attack is carried out only if a computationally hard problem is solved. Examples of such hard computational problems are: Solve a generic nonlinear Boolean simultaneous equation set Factor large integ...
Chosen Plaintext Attacks (CPAs)
Our attacker knows a set of plaintexts which can be encrypted and he wants to understand which one is being encrypted. Ideal attacker: cannot tell which plaintext was encrypted out of two he chose (having the same length). The CTR mode of operation is insecure...
Data integrity and Message Authentication Codes (MAC)
Confidentiality does not mean integrity. Changes in the ciphertext are undetected. A Message Authentication Code (MAC) consists of adding a small piece of information (tag) allowing us to test for the message integrity of the encrypted message itself. A MAC is...
Asymmetric cryptosystems
We would like to have the following features: Agreeing on a short secret over a public channel Confidentially sending a message over a public authenticated channel without sharing a secret with the recipient Actual data authentication These features are imple...
Data authentication and digital signatures
We’d like to be able to verify the authenticity of a piece of data without a pre-shared secret. Using asymmetric encryption we can build digital signatures, which: Provide strong evidence that data is bound to a specific user No shared secret is needed to che...
The public key binding problem and digital certificates
Both in asymmetric encryption and digital signatures, the public key must be bound to the correct user identity. If public keys are not authentic: A MITM attack is possible on asymmetric encryption Anyone can produce a signature on behalf of anyone else The ...
Fundamentals of Information Theory
Shannon’s information theory is a way to quantify information and to mathematically frame communication. A communication takes place between two endpoints: sender: made of an information source and an encoder receiver: made of an information destination and a...
Exercises on cryptography
More exercises available at overthewire.org. 2021-2022 DEMO Exam exercise 2 (5 points) You have intercepted two ciphertexts: c1 = 1111100101111001110011000001011110000110 c2 = 1111101001100111110111010000100110001000 You know that both are OTP ciphertexts,...
Introduction to software security
Security is a non-functional requirement of software engineering. Creating inherently secure applications is a fundamental, yet often unknown, skill for a good developer or software engineer. A vulnerability in software is an unmet security specification. Bug-...
Recalls of Linux
The following concepts apply, with proper modifications, to any machine architecture (e.g., ARM, x86), operating system (e.g., Windows, Linux, Darwin), and executable (e.g., Portable Executable (PE), Executable and Linkable Format (ELF)). For simplicity, we as...
Buffer overflows
A function foo() allocates a buffer, e.g., char buf[8]. buf is filled without size checking. int foo(int a, int b) { int c = 14; char buf[8]; gets(buf); /* security bug -> vulnerability */ c = (a + b) * c; return c; } If we fill the buf and overwrite the s...
Format String Bugs
A format string is a solution to the problem of allowing a string to be output that includes variables formatted precisely as dictated by the programmer. The data format is specified in a string using placeholders. For example in C we have the printf function,...
Exercises on software security
2022-2021 DEMO Exam exercise 3 (6 points) Assume that: The C standard library is loaded at a known address during every execution of the program, and that the address of the function system() is 0xf4d0e2d3. Environment variables are located in the highest add...
Network Protocol Attacks
Denial of Service (against availability) Make the service unavailable to legitimate users. Killer Packets Ping of Death Pathological ICMP echo request that exploits a memory error in the protocol implementation. Gazillions of machines can be crashed by sending...
Firewalls
Firewall: network access control system that verifies all the packets flowing through it. Its main functions are usually: IP packet filtering Network address translation (NAT) Must be the single enforcement point between a screened network and outside networ...
Architectures for secure networks
Dual- or Multi-zone Architectures In most cases, the perimeter defense works on the assumption that what is “good” is inside, and what's outside should be kept outside if possible. There are two counterexamples: Access to resources from remote (i.e., to a web...
TLS and SET
Issues of Transactions Security: Problems of remoteness Trust factor between parties Use of sensitive data Atomicity of transaction Internet protocol problems Authentication Confidentiality Transparency and critical mass problem Two valiant protocols f...
Exercises on network security
2021-2022 DEMO Exam exercise 5 (6 points) Consider the above network diagram, describing a company’s network structure, composed of a subnetwork with employees' computers and another with the company’s local DNS server, and finally the outside connection towar...
Introduction to uncertainty
Agents in the real world need to handle uncertainty, whether due to partial observability, nondeterminism, or adversaries. An agent may never know for sure what state it is in now or where it will end up after a sequence of actions. Logical reasoning and uncer...