Chapter 28 Quiz: Cryptography for Hackers
Test your understanding of cryptographic concepts, vulnerabilities, and practical testing techniques. Select the best answer for each question.
Question 1: Which property of a cryptographic hash function means that finding two different inputs that produce the same output should be computationally infeasible?
A) Determinism
B) Preimage resistance
C) Collision resistance
D) Avalanche effect
Question 2: Why is ECB (Electronic Codebook) mode considered insecure for encrypting structured data?
A) It uses keys that are too short for modern security standards
B) Identical plaintext blocks produce identical ciphertext blocks, leaking data patterns
C) It does not support keys longer than 128 bits
D) It requires an initialization vector that is difficult to generate securely
Question 3: What is the primary difference between TLS 1.2 and TLS 1.3 regarding key exchange?
A) TLS 1.3 only supports RSA key exchange for backward compatibility
B) TLS 1.3 requires ephemeral Diffie-Hellman (PFS), removing static RSA key exchange
C) TLS 1.3 eliminates key exchange entirely by using pre-shared keys
D) TLS 1.2 supports more key exchange algorithms than TLS 1.3
Question 4: The POODLE attack exploited a vulnerability in which protocol?
A) TLS 1.2 CBC mode
B) SSL 3.0 CBC mode padding
C) TLS 1.3 AEAD encryption
D) SSL 2.0 export cipher suites
Question 5: What does "Perfect Forward Secrecy" (PFS) provide?
A) Guaranteed protection against all future quantum computing attacks
B) Assurance that past session keys cannot be recovered even if the server's long-term private key is compromised
C) Automatic rotation of TLS certificates every 90 days
D) Protection against man-in-the-middle attacks without certificate validation
Question 6: The DROWN attack demonstrated that a TLS 1.2 server could be compromised if:
A) It used cipher suites that were too strong for the client
B) Any server sharing the same RSA private key supported SSL 2.0
C) The server's certificate was issued by an untrusted CA
D) The server did not implement HSTS
Question 7: A penetration tester discovers that a web application stores passwords using MD5(password) without a salt. What is the most significant risk?
A) MD5 is too slow for password verification, causing denial of service
B) Identical passwords produce identical hashes, and precomputed rainbow tables can crack them instantly
C) MD5 only produces 64-bit hashes, which are too short for security
D) MD5 is a symmetric encryption algorithm that can be reversed with the key
Question 8: Which tool provides the most comprehensive automated TLS configuration assessment?
A) Nmap with default scripts
B) testssl.sh
C) Wireshark
D) Burp Suite passive scanner
Question 9: In a padding oracle attack against AES-CBC, the attacker exploits:
A) Weak encryption keys that can be brute-forced
B) Different server responses to valid versus invalid padding in decrypted ciphertext
C) Predictable initialization vectors in the first block
D) The server's certificate private key to decrypt traffic
Question 10: What is the "none algorithm" attack against JWT?
A) Removing the JWT header entirely so no algorithm is specified
B) Changing the JWT algorithm to "none" and removing the signature, causing the server to accept an unsigned token
C) Setting the JWT payload to null, bypassing claim validation
D) Using a brute-force attack to find that the signing key is "none"
Question 11: The Heartbleed vulnerability (CVE-2014-0160) was:
A) A flaw in the TLS protocol specification
B) A padding oracle in TLS CBC mode
C) An implementation bug in OpenSSL's Heartbeat extension that leaked server memory
D) A certificate authority compromise that allowed forged certificates
Question 12: Which of the following best describes the "harvest now, decrypt later" threat?
A) Attackers steal encrypted data today and wait for quantum computers to decrypt it in the future
B) Attackers harvest user credentials and use them later for credential stuffing
C) Attackers collect SSL certificates now and use them for MITM attacks later
D) Attackers record DNS queries and use them for future reconnaissance
Question 13: A certificate transparency (CT) log search reveals subdomains that the organization did not intend to make public. How is this useful for a penetration tester?
A) It allows the tester to forge certificates for those subdomains
B) It provides reconnaissance data about the organization's infrastructure, including potentially vulnerable staging or development systems
C) It proves that the organization's CA has been compromised
D) It enables the tester to revoke certificates for those subdomains
Question 14: What is the algorithm confusion (key confusion) attack against JWT?
A) Confusing the server by sending multiple JWTs with different algorithms simultaneously
B) Changing the algorithm from asymmetric (RS256) to symmetric (HS256) and signing with the public key, which the server treats as the HMAC secret
C) Using algorithm names that the server does not recognize, causing it to skip validation
D) Encrypting the JWT with a different algorithm than specified in the header
Question 15: HSTS (HTTP Strict Transport Security) mitigates TLS stripping attacks by:
A) Encrypting all DNS queries for the domain
B) Instructing the browser to only connect to the domain over HTTPS, preventing HTTP downgrade
C) Automatically installing a client certificate in the browser
D) Blocking all non-TLS 1.3 connections to the domain
Question 16: Which NIST post-quantum cryptographic standard is designated for key encapsulation (key exchange)?
A) ML-DSA (CRYSTALS-Dilithium)
B) SLH-DSA (SPHINCS+)
C) ML-KEM (CRYSTALS-Kyber)
D) FN-DSA (FALCON)
Question 17: The Debian OpenSSL bug (2008) resulted in predictable cryptographic keys because:
A) The random number generator was seeded with only the process ID, reducing entropy to approximately 15 bits
B) The OpenSSL library used DES instead of AES for key generation
C) The bug caused all keys to be generated with the same prime numbers
D) Certificate serial numbers were reused across all Debian systems
Question 18: During a penetration test of MedSecure, you discover their patient portal supports TLS 1.0 with RC4 cipher suites. Which of the following is the correct risk assessment?
A) Low risk -- TLS 1.0 with RC4 is still considered acceptable for healthcare
B) High risk -- both TLS 1.0 and RC4 are deprecated; TLS 1.0 is vulnerable to BEAST and RC4 has known biases that enable partial plaintext recovery
C) Medium risk -- only RC4 is a concern; TLS 1.0 itself is secure
D) Critical risk -- patient data is being transmitted in plaintext
Question 19: What is the primary advantage of AES-GCM over AES-CBC for TLS?
A) AES-GCM uses shorter keys, improving performance
B) AES-GCM provides both encryption and authentication (AEAD), eliminating padding oracle vulnerabilities
C) AES-GCM does not require an initialization vector
D) AES-GCM is resistant to quantum computing attacks
Question 20: A web application generates encryption keys using Python's random.randint() instead of os.urandom() or secrets.token_bytes(). Why is this a critical vulnerability?
A) random.randint() is slower than os.urandom()
B) random.randint() uses a deterministic PRNG that can be predicted if the seed is known, making the encryption keys predictable
C) random.randint() only generates numbers up to 255
D) random.randint() is not available in Python 3
Answer Key
1. C - Collision resistance means it should be computationally infeasible to find two different inputs x and y such that hash(x) = hash(y). This is distinct from preimage resistance (finding x given hash(x)).
2. B - ECB mode encrypts each block independently with the same key, so identical plaintext blocks always produce identical ciphertext blocks. This preserves patterns in the data, as famously demonstrated by the "ECB Penguin" and the Adobe password breach.
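The pattern leakage described in answer 2, as an added example that is not part of the quiz: the same repeated plaintext is encrypted in ECB and in CBC mode, and the number of distinct ciphertext blocks is counted. The block cipher is a toy 16-byte Feistel network built from HMAC-SHA256 so the script runs with the standard library only; it is not AES, and the sample record is constructed. The mode logic is what the example is about and is the same for a real cipher.

```python
"""Added example (not part of the quiz): how ECB leaks plaintext structure.

The block cipher here is a toy 16-byte, 4-round Feistel network built from
HMAC-SHA256 so the example runs with the standard library only. It is NOT
AES; the point is the mode of operation, which is identical for a real cipher.
"""
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def round_function(key: bytes, i: int, half: bytes) -> bytes:
    # Keyed PRF over (round index || half block), truncated to the half-block size.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Encrypt one 16-byte block with the toy Feistel cipher (a permutation)."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, xor_bytes(left, round_function(key, i, right))
    return left + right


def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    """Inverse of toy_block_encrypt: run the rounds backwards."""
    assert len(block) == BLOCK
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = xor_bytes(right, round_function(key, i, left)), left
    return left + right


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def blocks_of(data: bytes):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """ECB: every block is encrypted independently under the same key."""
    return b"".join(toy_block_encrypt(key, b) for b in blocks_of(pkcs7_pad(plaintext)))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first; the IV is prepended."""
    out, prev = [], iv
    for b in blocks_of(pkcs7_pad(plaintext)):
        prev = toy_block_encrypt(key, xor_bytes(b, prev))
        out.append(prev)
    return iv + b"".join(out)


def distinct_block_count(ciphertext: bytes) -> int:
    """How many unique ciphertext blocks appear: a crude pattern-leakage meter."""
    return len(set(blocks_of(ciphertext)))


# Constructed sample input: a fixed-width record with a repeated field,
# the same shape as the rows of the "ECB penguin" image.
SAMPLE = b"AAAAAAAAAAAAAAAA" * 4 + b"BBBBBBBBBBBBBBBB" * 2   # 6 blocks, plus 1 padding block

if __name__ == "__main__":
    key = os.urandom(16)
    ecb = ecb_encrypt(key, SAMPLE)
    cbc = cbc_encrypt(key, os.urandom(BLOCK), SAMPLE)
    print("ECB blocks:", [b.hex()[:8] for b in blocks_of(ecb)])
    print("ECB distinct blocks:", distinct_block_count(ecb))   # 3: the A block, the B block, the padding block
    print("CBC distinct blocks:", distinct_block_count(cbc))   # 8: the IV plus seven different blocks
```

Because the toy cipher is a permutation, equal plaintext blocks give equal ciphertext blocks in ECB with certainty, so the repeated "A" field is visible in the ciphertext as four identical blocks; in CBC the chaining breaks the repetition. The same count-distinct-blocks check is a quick way to screen a stored blob for ECB-style leakage.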
3. B - TLS 1.3 removed static RSA key exchange entirely, requiring ephemeral Diffie-Hellman (ECDHE or DHE) for all connections. This provides mandatory Perfect Forward Secrecy.
4. B - POODLE (Padding Oracle On Downgraded Legacy Encryption) exploited a vulnerability in SSL 3.0's non-deterministic CBC padding, which was not covered by the MAC.
5. B - Perfect Forward Secrecy ensures that session keys are ephemeral. Even if an attacker later obtains the server's long-term private key, they cannot decrypt previously recorded sessions because the session keys were discarded.
6. B - DROWN showed that if any server sharing the same RSA private key supported SSL 2.0, an attacker could exploit SSL 2.0's weak cryptography to recover session keys and decrypt TLS connections that used RSA key exchange.
7. B - Unsalted MD5 hashes allow identical passwords to produce identical hashes, and the entire MD5 hash space has been precomputed in rainbow tables, enabling instant lookup of common passwords.
8. B - testssl.sh provides the most comprehensive automated TLS assessment, checking for protocol versions, cipher suites, vulnerabilities (BEAST, POODLE, DROWN, Heartbleed, ROBOT), certificate details, and security headers.
9. B - The padding oracle attack works when the server responds differently (different error codes, timing, or messages) to valid versus invalid PKCS#7 padding, leaking information that allows byte-by-byte decryption.
10. B - The none algorithm attack changes the JWT header's "alg" field to "none" and removes the signature. If the JWT library accepts "none" as a valid algorithm, it skips signature verification entirely.
11. C - Heartbleed was an implementation bug in OpenSSL (not a protocol flaw) where a malicious heartbeat request could read up to 64KB of server process memory, potentially exposing private keys and session data.
12. A - "Harvest now, decrypt later" refers to nation-state actors recording encrypted traffic today with the intention of decrypting it when quantum computers become available, since Shor's algorithm will break RSA and ECC.
13. B - CT logs reveal all certificates issued for a domain, including subdomains for staging, development, or internal systems that may not be publicly known. These systems often have weaker security and represent valuable reconnaissance targets.
14. B - Algorithm confusion exploits JWT libraries that allow algorithm switching. The attacker changes from RS256 (asymmetric, signed with private key) to HS256 (symmetric, signed with shared secret) and uses the server's public key as the HMAC secret, since the public key is publicly available.
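The defence that answers 10 and 14 point at is the same: the server, not the token header, decides which algorithm and key are used. The following verifier is an added example, not code from the quiz or from any JWT library; it uses only the Python standard library, pins HS256 (so no RSA dependency is needed), and rejects a token whose header says "none", names a different algorithm, or carries an empty signature. The secret and claims are constructed.

```python
"""Added example (not part of the quiz): a JWT verifier that pins the algorithm.

The "none" attack (Q10) and algorithm confusion (Q14) both rely on the verifier
letting the token's own header choose how it is verified. The fix is the same
for both: the server fixes the algorithm and the key, and the header's "alg" is
only checked for agreement. Standard library only; HS256 is used because it
needs no RSA dependency, but the pinning logic is what matters.
"""
import base64
import hashlib
import hmac
import json

EXPECTED_ALG = "HS256"   # chosen by the server, never by the token


class InvalidToken(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, secret: bytes) -> str:
    """Issue a correctly signed HS256 token (the legitimate path)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_token(token: str, secret: bytes) -> dict:
    """Return the claims only if the token is a valid HS256 JWT under `secret`.

    Each check stops one failure mode from the quiz:
      * exactly three segments and a non-empty signature (a stripped signature fails)
      * header alg must equal EXPECTED_ALG before any key is used ("none" fails,
        and an RS256 -> HS256 switch fails because the server never lets the
        header select HMAC verification with whatever key it holds)
      * constant-time comparison of the MAC
    """
    parts = token.split(".")
    if len(parts) != 3 or not parts[2]:
        raise InvalidToken("token must have three non-empty segments")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError as exc:          # covers binascii.Error and JSONDecodeError
        raise InvalidToken("malformed token") from exc
    if not isinstance(header, dict) or header.get("alg") != EXPECTED_ALG:
        raise InvalidToken(f"alg must be {EXPECTED_ALG}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        raise InvalidToken("bad signature")
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError as exc:
        raise InvalidToken("malformed payload") from exc


def is_accepted(token: str, secret: bytes) -> bool:
    try:
        verify_token(token, secret)
        return True
    except InvalidToken:
        return False


def with_header(token: str, header: dict, signature: str) -> str:
    """Constructed negative test input: the same payload under a different header
    and signature segment, i.e. the shape of token a vulnerable verifier accepts."""
    payload_b64 = token.split(".")[1]
    header_b64 = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{signature}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    good = make_hs256_token({"sub": "alice", "role": "user"}, secret)
    print("valid token accepted   :", is_accepted(good, secret))                                    # True
    print("alg=none, no signature :", is_accepted(with_header(good, {"alg": "none"}, ""), secret))  # False
    print("alg switched to RS256  :", is_accepted(with_header(good, {"alg": "RS256"}, good.split(".")[2]), secret))  # False
    print("wrong secret           :", is_accepted(good, b"other"))                                  # False
```

When reviewing a real deployment, the equivalent check is whether the library call receives an explicit, fixed algorithm list (for example a single `algorithms=[...]` value in PyJWT-style APIs) rather than reading it from the token; the test cases above are the ones to run against any verifier you are asked to sign off.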
15. B - HSTS tells the browser to only connect to the domain over HTTPS for a specified duration, preventing TLS stripping attacks that downgrade the initial HTTP connection.
16. C - ML-KEM (Module-Lattice Key Encapsulation Mechanism), based on CRYSTALS-Kyber, is the NIST standard for post-quantum key exchange/encapsulation.
17. A - A Debian maintainer accidentally removed entropy sources, causing the PRNG to be seeded only with the process ID (PID), which on Linux is a 15-bit value, making all generated keys predictable.
18. B - Both TLS 1.0 and RC4 are deprecated. TLS 1.0 is vulnerable to BEAST (predictable IVs in CBC mode) and was deprecated by PCI DSS in 2018. RC4 has known statistical biases that enable partial plaintext recovery. Together, they represent a high risk for sensitive healthcare data.
19. B - AES-GCM is an Authenticated Encryption with Associated Data (AEAD) cipher that combines encryption and authentication in a single operation, eliminating the CBC padding that padding oracle attacks exploit.
20. B - Python's random module uses a Mersenne Twister PRNG, which is deterministic and predictable. If an attacker can observe enough output or determine the seed (e.g., based on a timestamp), they can predict all generated values, including encryption keys. Cryptographic applications must use os.urandom() or the secrets module.
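The seed-recovery point in answer 20, as an added example that is not part of the quiz: a key built from `random.Random` seeded with an integer timestamp (a constructed but realistic mistake) is regenerated exactly by searching a window of candidate seeds, while a `secrets.token_bytes` key has no seed to search for. The function and variable names are this example's own.

```python
"""Added example (not part of the quiz): why random.* must not generate keys.

random.Random is MT19937 seeded deterministically; if the seed is guessable
(here an integer timestamp, a common mistake), anyone who can narrow down the
seed regenerates the exact key. secrets/os.urandom draw from the OS CSPRNG and
have no seed to recover. The clock-seeded pattern below is constructed for
illustration, not taken from any real application.
"""
import random
import secrets
import time
from typing import Optional


def weak_key(seed: int, nbytes: int = 16) -> bytes:
    """The vulnerable pattern: a fresh MT19937 instance seeded from a clock value."""
    rng = random.Random(seed)
    return bytes(rng.randint(0, 255) for _ in range(nbytes))


def recover_weak_key_seed(observed: bytes, approx_time: int, window: int) -> Optional[int]:
    """Audit check for the vulnerable pattern: given a key and a rough generation
    time, search the seed window. Cost is 2*window+1 PRNG runs, versus 2**128
    guesses for a properly random 16-byte key."""
    for candidate in range(approx_time - window, approx_time + window + 1):
        if weak_key(candidate, len(observed)) == observed:
            return candidate
    return None


def strong_key(nbytes: int = 16) -> bytes:
    """The correct pattern: the OS CSPRNG via the secrets module (os.urandom works too)."""
    return secrets.token_bytes(nbytes)


if __name__ == "__main__":
    t = int(time.time())
    k = weak_key(t)
    print("weak key    :", k.hex())
    print("seed found  :", recover_weak_key_seed(k, t + 37, window=120))   # prints t
    print("strong key  :", strong_key().hex())
    print("recoverable :", recover_weak_key_seed(strong_key(), t, window=120))  # None
```

The window size is the only thing protecting the weak key, and a logged request time or a file timestamp usually shrinks it to a few seconds; the same search works against any deterministic generator whose seed space is small, which is exactly the shape of the Debian OpenSSL bug in question 17.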