Questions for Fun and Profit - Security Edition

Rick Butler

Well-known member
  • Aug 8, 2019
    2,101
    7
    3,754
    121,321
    Colorado Springs, CO
    www.intellitec.edu
    In keeping with @Trevor Chandler 's idea, I think it will be fun to start tossing out questions. Maybe it's something we all can do to keep sharp.

    1. Your CEO is concerned about security leaks in the organization. So, she shares three versions of info about a product release, one to the head of marketing, one to the head of finance, and one to the head of business development. Each department head is given specific instructions to not disclose the information to anyone else. Two weeks later, she is told that information about that the story released to the finance director ended up on LinkedIn. She now knows the leak is with her finance lead.

    What kind of technique did she employ?

    2. You are concerned about rainbow tables, employed against your passwords. So, you require salting to be employed, however, you wish to keep the salt values secret. What is this called?

    3. Diffie-Hellman (and Elliptic Curve) was created in the 70's to overcome what cryptographic problem? From what ancient mathematic crypto concept is this derived?

    No multiple guesses. You gotta figure 'em out. And of course, Googlers only get 10% credit.

    /r
     
    • Like
    Reactions: Brian Ford
    Intimidating questions…and three of them…

    The CEO used the age old technique of “smoking out a rat”. Maybe you could call it “baiting and switching”.

    …fahgetaboutit…
    Well, with that first question, there is an animal involved, but not a rat. Pretty close to the answer tho...
     
    • Like
    Reactions: Fanuel
    1. Mole?

    2. Hashing

    3. ECC was because RSA was taking to long so needed a shorter method but secure as well I was going to go with, also perfect forward secrecy. I think looking for like an algebra type style mathematics?
    1. Not quite the animal we were looking for...lol... try skyward, instead of in the ground.

    2. No - we salt the value to get a different hash, but this requires a different seasoning.

    3. The original problem that DH wasn't for PFS, but a more rudimentary problem.
     
    So, here are the answers for this one:

    1. Canary trap is right.
    2. Peppering is correct.
    3. So, DH was designed to solve the problem of symmetric key exchange. How do you transmit an encryption key over an unsecured transmission channel? This was considered an unsolvable problem until the 70's when Diffee and Hellman created a way to do it using linear algebra and modulus mathematics. This goes back to 1929 with the Hill Cipher which uses a modulo 26.

    /r
     
    • Like
    Reactions: Joel M
    Love the questions.
    1. I honestly didn't know #1 re: canary trap. Nice to know new things!
    2. Atleast with #2, I am somewhat familiar with peppering.
    3. What's the answer? said to be rudimentary. so, algebra? LOL
      • I am thinking of discrete log, as that is mostly related to DH problem, but it ain't what it is trying to solve tho. so I am unsure...
     
    • Like
    Reactions: Mallia
    Jarrel
    What's the answer? said to be rudimentary. so, algebra? LOL
    • I am thinking of discrete log, as that is mostly related to DH problem, but it ain't what it is trying to solve tho. so I am unsure...
    The rudimentary question that DH was to solve, again, is "how do I we exchange keys between sender and receiver when the communication channel, itself, is unsecure?" For example, I remember that the military would use an punch tape that would be sent by courier to each side of an encryption link. From there, each side would have to be on the correct "day" in order for the KG's to synchronize. But there still had to be an activity to exchange a key securely. But how do you do it over an unsecure medium?

    Think about key exchange like this - you're back in high school and you want to send secret paper messages to your pal. You can try the security-through-obscurity route and hide the messages (dead drop techniques - ask Robert Hanssen about those), or agree on a cipher of some kind, so that if your messages were intercepted, they were protected. As long as that key was protected, your messages were safe (early expression of Perfect Forward Secrecy).

    In the Sherlock episode, The Blind Banker, the Tongs used the London A-Z as their symmetric key. They used an ancient Chinese dialect to spray numbers, and using a simple numeric coding system, we're able to transmit messages in the clear. In the end of the episode, I believe it was Sherlock that remarked, "They can always pick up another book", when the "key" was discovered.

    /r