[Information Security Technology] Final review and examination points
Dingdu! Here is the compilation of Xiao Ah Woo's study course materials. A good memory is not as good as a bad pen. Today is also a day to make progress. Let's advance together!
1. Selection & True or False Test Paper Collection
截至2020/10/20 共计10份测试卷。
02 Password and Concealment Technology Test Paper: 02 Password and Concealment Technology
03 Digital Signature and Certification Test Volume: 03 Digital Signature and Certification
04 Identity and Access Security Test Volume: 04 Identity and Access Security
05 Computer Virus and Hacking Test Volume: 05 Computer Virus and Hacking
06 Cyber Attack and Prevention Test Volume: 06 Cyber Attack and Prevention
07 Cyber Security and Programming Test Paper: 07 Cyber Security and Programming
08 Equipment and Environmental Safety Test Paper: 08 Equipment and Environmental Safety
09 Software Protection Technology Test Volume 1: 09 Software Protection Technology
10 Software Protection Technology Test Volume 2: 10 Software Protection Technology
11 Blockchain Foundation Test Paper: 11 Blockchain Foundation
Two, short answer questions
1. Simple replacement of password encryption and decryption
见习题。教材P57页习题4、5、6、7;
Friendly Link: Information Security Practice 1: Password and Concealment Technology 1
信息安全实践一之密码与隐藏技术1内容:【计算步骤】
实验1.1凯撒密码
实验1.2 仿射密码
2. The principle of DES algorithm:
**P17-24**
(1)对输入的明文从左到右按顺序每64位分为一组,并按组进行加密或解密
(2)进行初始置换
(3)将置换后的明文分成左右两组,每组32位
(4)进行16轮相同的变换,包括密钥变换
(5)将变换后的左右两部分合并在一起
(6)逆初始变换,输出64位密文。
3. The whole process of RSA algorithm: P40-41
(1) Select the key
①选择两个不同的素数p,q
②计算公开模数r=p*q
③计算欧拉函数φ(r)=(p-1)*(q-1)
④选一个与φ(r)互质的量k,即保证gcd(φ(r),k)=1时,选择K,可以令sp=k或pk=k
⑤根据sk*pk=- 1modφ(r),已知 sk或pk,用乘逆算法求pk或sk
(2) Encryption
密文Ci=PipkMod r
(3) Decryption
明文Pi=Ci skMod r 明文P=P1p2…Pi…。
4. Digital signature scheme based on public key:公开密钥体制
**P61**
5. Features of single item hash function:
**P62-63**
(1)hash函数能从任意长度的M中产生固定长度的散列值h
(2)已知M时,利用h(M)很容易计算出h
(3)已知M时,要想通过同一个h(M)计算处不同的h 是很困难的
(4)已知h时,要想从h(M)计算处不同的M 是很困难的
(5)已知M时,要找出另一信息M’,使h(M)=h(m’)是很困难的。
6. Briefly describe the integrity, availability and confidentiality of the information:
(1)完整性:保护计算机系统内软件和数据不被偶然或人为蓄意破坏、篡改、伪造等
(2)可用性:在用户授权的情况下,无论什么时候只要客户需要,信息必须是可用的和可访问的,信息系统不能拒绝服务
(3)保密性:信息必须按照拥有者的要求保持一定的秘密性。
7. Briefly describe the main features of digital watermarking:
稳定性、水印容量、安全性、自恢复性、不可见性。
8. Discuss the typical characteristics of public key algorithms:
(1)在公开密钥算法中有一对密钥分别为公钥和私钥
(2)进行加密和解密时使用不同的加密密钥和解密密钥,且加密密钥和解密密钥不能户型推导出来或者很难
(3)公开密钥和私密密钥必须配对使用
(4)公开密钥算法的安全性是依赖于某个数学问题很难解决的基础上的。
9. Discuss the symmetric encryption system:
(1)采用的解密算法就是加密算法的逆运算,或解密算法与加密算法完全相同
(2)加密密钥和解密密钥相同,或加密密钥能从解密密钥中推导出来。
10. Discuss the public key system:
`非对称算法`
11. Briefly describe what is a digital certificate? What is included in the X.509 digital certificate;
数字证书是有权威机构CA发行的一种权威性的电子文档,是网络环境中的一种身份证,用于证明某一用户的身份及公开密钥的合法性;
包含版本号、序列号、签名算法标识符、认证机构、有效期、主体、主体公开密钥信息、CA的数字签名、可选项等。
12. Discuss the general steps of a cyber attack:
隐藏攻击源-信息收集-掌握系统控制权-实施攻击-安装后门-隐藏攻击痕迹。
13. Discuss the general composition of computer virus programs:
(1)安装模块:病毒程序必须通过自身实现自启动并安装到计算机系统中;
(2)传染模块:传染控制部分、传染判断部分、传染操作部分;
(3)破坏模块:激发控制、破坏操作。
14. Discuss the general composition of anti-virus software:
用户界面模块、
病毒数据库、
病毒扫描引擎(文件解析模块,病毒扫描模块,特征码加载模块)、
文件实时监控模块、
进程实时监控模块。
15. In the software system, what measures should be taken to protect the user's password safely:
(1)用户:增大口令空间,选用无规则的口令,多个口令,用工具生成口令
(2)网站:登录时间限制,限制登录次数,尽量减少会话透露的信息,增加认证的信息量
16. General recommendations for designing software protection:
软件发行前对可执行程序进行加壳;
自己写的程序中嵌入反跟踪代码;
增加对软件自身的完整性检查;
检测到软件破解企图时,不要立即给用户提示信息;
不过于依赖众所周知的函数来获取系统时间;
给软件保护加入一定随机性;
将注册码、安装时间记录到多个不同地方;
采用一机一码。
17. What is blockchain technology? What are its characteristics?
区块链:
是一种特殊的去中心化分布式数据库,集分布式数据存储、点对点传输、共识机制、加密算法等计算机技术的新型应用模式。
特点:去中心化交易,信息不可篡改,完全匿名
18. What is a social engineering attack? What are the common attack methods?
社会工程攻击,是一种利用"社会工程学" 来实施的网络攻击行为。
社会工程学是一种利用人的弱点如人的本能反应、好奇心、信任、贪便宜等弱点进行诸如欺骗、伤害等危害手段,获取自身利益的手法。
Common attack methods:
-
1.
环境渗透Penetrating into a specific environment is one of the methods that social engineering often uses in order to obtain required intelligence or sensitive information. The social engineering attacker collects information by observing the target’s response speed to e-mails, the degree of importance it attaches, and the relevant information that may be provided, such as a person’s name, birthday, ID phone number, administrator’s IP address, and email address. Judge the general content of the target's network structure or system password to obtain information.
-
2.
引诱Internet surfing often encounters emails or webpages with content such as winning prizes, free gifts, etc., tempting users to enter the page to run downloading programs, or asking to fill in an account and password to "verify" their identity, and use people's neglect of defense to lure users. This is usually The hacker has already set a trap.
-
3.
伪装The current popular phishing incidents, as well as the earlier cover letter viruses and Christmas greeting cards, all use emails and fake Web sites to carry out fraudulent activities. A survey shows that up to 5% of all users exposed to fraudulent information will respond to these scams.
-
4.
说服Persuasion is a social engineering attack method that is more harmful to information security. It requires the target insider to reach a certain agreement with the attacker to provide various convenient conditions for the attack. Personal persuasion is a powerful means to make someone cooperate or obey the attacker’s intentions. In particular, when the target’s interests do not conflict with the attacker’s interests, or even coincide with the attacker’s interests, this method is very effective. effective. If the target insider is already dissatisfied or even has the idea of revenge, then the match can be easily achieved, and he will even become an assistant to the attacker, helping the attacker obtain unexpected intelligence or data.
-
5.
恐吓Social engineers often use people’s sensitivity to security, vulnerabilities, viruses, Trojan horses, hackers, etc., to appear as an authoritative organization, spread information such as security warnings, system risks, and use alarmist tricks to intimidate and deceive computer users. And claimed that if they do not follow their requirements, it will cause very serious harm or loss.
-
6.
恭维Smart hackers are proficient in psychology, interpersonal relations, behavior and other social engineering knowledge and skills, and are good at using human instincts, curiosity, blind trust, greed and other human weaknesses to set traps, deceive, and control the will of others. Self service. They are usually very friendly, very particular about the art of speaking, and know how to cater to people with equal opportunities, and do what they like, so that most people will respond friendly and willing to continue working with them.
-
7.
反向社会工程学Reverse social engineering refers to the fact that the attacker creates "problems" for the network or computer application through technical or non-technical means, so that the company's employees are convinced, and induces staff or network managers to disclose or leak information that the attacker needs to obtain. This method is relatively concealed, difficult to detect, particularly harmful, and difficult to prevent.
Ending!
More course knowledge learning records will come later!
就酱,嘎啦!
Note:
1. Life is diligent, nothing is gained.
2. See the blog post for common social engineering methods:
https://www.cnblogs.com/liang-chen/p/11802736.html