What is a symmetric cipher?
What is Kerkchoff’s principle?
What is an asymmetric cipher?
How does signing work?
What is a hash function?
What do we want from a hash function? (3 things)
List 2 use-cases of hashing
What to properties we want when generating randomness?
What is a hybrid cipher?
What is a CRAM?
How known ciphertext attack works?
How known plaintext attack works?
How chosen ciphertext attack works?
How chosen plaintext attack works?
How does distinguishing attack works?
What is a birthday attack?
What is a Verman cipher?
How do we define perfect security?
What is a MAC?
What is an HMAC?
Describe the structure similar to Verman Cipher.
What are thresholds schemes?
What is the (k,2) scheme?
What is the (k, k) scheme?
What is the (k, l) scheme?
What says Lemma I?
What says Lemma II?
What is Lagrange’s theorem for polynomials?
What is the one information that can leak from a shared secret?
How does Lagrange interpolation work?
What is a block cipher?
What is a stream cipher?
Describe Vigener cipher.
Define the security of block ciphers.
What type of permutations you can usually encounter in block ciphers?
What is an iterated cipher?
What is SPN?
What is Feistel network?
How does the DES work?
How NSA mingled with the DES?
Describe key-schedule of DES.
Describe expansion in DES.
What are the sizes of inputs and outputs of DES S-boxes.
Critique of DES?
What is AES?
Describe one round of AES?
How many rounds of AES?
Why some people don’t like AES?
What 3 criteria were judged in 1997 NIST competition?
Describe AES s-boxes.
Which operations commute in AES and why?
What is missing in the last AES round?
What is special in the first AES round?
Describe AES key-schedule.
How often should key in AES be changed?
What are the standard key sizes of AES?
Describe Serpent.
Describe Twofish.
List at least 5 types of padding.
What is ECB and why it sucks?
What is CBC?
CBC leaks?
What is CTR?
CTR leak?
What is OFB, why it’s not used today?
Describe padding oracle attack on CBC.
What was eStream project?
What is LFSR?
What is NLFSR?
What is Trivium?
What is RC4?
What is ChaCha20?
What is the predecessor of ChaCha20?
For what 20 stands in the name of ChaCha20?
Which of the 1997 NIST finalists is a Feistel network?
For what ARX stands? What’s nice about it?
Which block is not recoverable with CBC padding oracle?
What is ciphertext stealing?
What ChaCha20 uses to produce a block of keystream?
What properties people want from hash function and which implies which?
What is a Merle-Damgard construction?
Prove that if the compression function in MD is collision-resistant then the whole hash is collision-resistant.
What is the length-extension property?
What is GCM?
Describe birthday attacks on hash functions.
Why non-collision-resistant compression function in MD is such a big problem?
How you can exploit somebody who is signing only good messages?
How can you create a good compression function?
Why is it important to xor in Davies-Meyer?
Prove that when E/D is ideal, D-M of it is collision-resistant.
Describe MD5.
Is SHA-1 safe?
What do you know about SHA-2 family?
Describe sponge construction?
What is the security level of sponge construction?
What is Keccak?
What is SHAKE?
Describe Merkle trees and ways to prevent them from being extended?
What is a MAC?
Describe some common wrong ideas about how could a good MAC look?
How HMAC works?
Define the security of MAC.
Describe MAC and encrypt and say why it’s horrible.
Describe MAC then encrypt.
Describe Encrypt then MAC.
What is better Encrypt then MAC or MAC then encrypt?
Can we use the same key for MAC and encryption?
How CBCMac works?
Define Shanon-security for MACs.
What is a 2-independence?
How is 2-independence useful?
Describe polynomial-based MACs.
How does is Poly1305 work?
Explain the hare, tortoise, and turtle technique.
What kind of attack is possible because of the fact that there is a multiple-collision in M.D.?
What changes tried NIST to do in the Keccak before it became SHA-3?
Describe internal collision attack.
Why using the same key for CBC encryption and CBCMac is not stupid but spectacularly stupid?
Explain how can 2-independent function be used to construct a Shanon-secure MAC and why it’s impractical.
Can we reuse ‘a’ in a polynomial MAC?
What is Fortuna?
How works the generator in Fortuna?
How does the accumulator in Fortuna work?
Give 6 sources of physical randomness.
Give an example of a simple PRNG.
What Linux utility allows us to get randomness?
What is statistical uniformity?
What is re-key?
What pools are used in Fortuna in i-th mixing?
What is Forward Secrecy?
How often can pool mix occur?
Who developed Fortuna?
What cipher in which mode is used?
How often we need a new IV?
Which MAC encrypt construction we use?
How do we derive keys and how many of them are needed?
What are the time complexities in bits of the following operations: addition, mul, div, mod, x^n mod m
What is a good upper bound on Euclid’s?
Proof Euclid’s algorithm.
What are Bezeout coefficients?
How can we use Bezeout coefficients to compute inverses?
State Lagrange’s theorem.
Prove Euler’s theorem. (the correct one)
State CRT.
Give at least two proofs of CTR.
What is phi(p^k)?
How do you calculate the phi(xy) of a composite number and proof for coprime x, y?
What is harder, factoring or primality testing and why?
List factoring algorithms.
List primality testing algorithms.
Describe the Fermat test.
Describe the Rabin-Muller test.
Proof of Fermat test for not Carmichael numbers.
How can you generate primes and what is the time complexity?
Define discrete log.
Define discrete square root.
What are quadratic residue and nonresidue?
Define Legendre’s symbol.
Proof why there is always the same number of QRs and NQRs.
What is Euler’s criterion and how is it connected to Legendre?
What is the current state of the art in computing square roots?
Is the hardness of discrete log similar to factorization?
Define what it means for a group to be cyclic.
How can we show that g is **not** a generator?
Describe an algorithm for finding a generator.
If g is generator when is g^k also generator.
Who invented RSA?
Describe the setup of RSA.
What would happen if phi(n) and e weren’t coprime?
What would happen if (x, n)≠1?
Why is too small e bad?
Why is small e good?
Describe decryption using CTR.
What does it mean that RSA is commutative?
What does it mean for RSA to be homomorphism?
How can the homomorphism property be exploited in a chosen-ciphertext attack?
How can RSA be used for blind signatures?
List at least 12 attacks on AES.
Define Jacobi symbol?
How is the Jacobi symbol connected to the Legendre symbol?
How is parity function related to half?
If we knew how to compute parity what would it mean?
Define semantic security.
What happens when phi(n) leaks?
What attack uses continue fraction method and what are constraints for it to be computable?
Does e,d leak allows the factorization of n?
Can we meet in the middle?
What if two messages are similar?
What happens when p and q are close?
Describe the chosen-ciphertext attack.
How can the chosen-plaintext attack be used against RSA?
What happens when the same message is encrypted with different moduly multiple times?
How does a miscalculation attack work?
Describe PKCS v1.5.
Describe PKCS v2.0.
List steps in the Diffie-Hellman
Is it necessary for g to be a generator of G?
What problem is connected to Diffie-Hellman? Is D-H equivalent to it?
What can you do with the result of the protocol to get rid of the algebraic structure?
When we don’t sign the whole communication but just the result how can we get tricked by the attacker?
What leaks in D-H?
Define a safe prime.
How we can speed up D-H? Also, specify size of q.
Construct an asymmetric cipher with D-H.
Describe El Gamal, how it’s connected to D-H?
A notable difference between El Gamal and RSA.
# **Key setup for secure channel**
Define *key setup for secure channel* without D-H.
Define *key setup for secure channel* with D-H.
Is better to use D-H or not?
What is PBKDF2?
How is PBKDF2 attackable?
When can there be multiple passwords with the same PBKDF2?
How Argon2 works?
Describe CRAM and SCRAM.
What is the difference between CRAM and SCRAM?
What is Kerberos and how it works?
How DNSSEC works?
What is PKI?
Explain web of trust.
Explain trust on the first use.
What is a CA?
Explain PGPkeys and where are they used?
How do you protect Kerberos against reply attacks?
What is a different name Ticket Granting Service?
How can Bob authenticate to Alice in Kerberos?
What is TGT?
How Kerberos prevents offline attacks?
What is a zone in DNSSEC?
What is an RRSIG record?
Why some browsers don’t support DNSSEC?