Basic Security Questions to Ask Any Candidate in an Interview
1) How does the security work between two users interacting remotely?
Securing communication between two remote parties usually starts with a public/private key pair as the preferred mechanism.
If you encrypt a message with a person's public key, only their matching private key can decrypt it. This is known as asymmetric cryptography: in plain words, encryption and decryption use two different (but mathematically related) keys.
Here is a simple example: John wants to send Smith an encrypted message. To do this, John takes Smith's public key and encrypts his message with it. When Smith receives the message, he uses the private key that is known only to him to decrypt the message from John. If an attacker intercepts the message as sent by John but does not have Smith's private key, he cannot read it. A private key is unique and paired with its public key; the public key can be published openly, and anyone can use it to encrypt a message to its owner.
Examples of asymmetric (public-key) algorithms: Diffie-Hellman, ECC, ElGamal, DSA and RSA
2) Difference between symmetric and asymmetric encryption
Symmetric encryption uses the same key for encryption and decryption. It is very fast and is used for large volumes of data, but on its own it provides only confidentiality: no authenticity or non-repudiation, unlike asymmetric encryption. Asymmetric encryption was introduced to resolve the inherent problem of the symmetric model, the need to share the key securely, by using a public/private key pair instead.
Examples: RC4, AES, DES, 3DES (of these, only AES remains recommended; RC4, DES and 3DES are deprecated)
3) Encryption vs Hashing
Encryption converts a readable message (plaintext) into an unreadable one (ciphertext); it can be reversed with the key, and the output grows with the size of the input. Hashing, by contrast, converts information into a fixed-length digest (hash value) using a hash function. It is a one-way process: the original information cannot be recovered from the digest, and the output is always the same length regardless of the input size.
3) SSL vs TLS
Both SSL and TLS are cryptographic protocols that provide secure communication between a web server and a client over the network. TLS is the successor of the SSL protocol, and all SSL versions are now deprecated. The latest version of TLS is 1.3.
4) How does TLS communication happen?
A nice overview of the entire flow.
5) How to secure data at rest (stored data)?
Encryption at rest protects the confidentiality of stored data. Designs for encryption at rest use symmetric encryption, which can encrypt and decrypt large amounts of data quickly. Attacks against data at rest include attempts to gain physical access to the hardware on which the data is stored and then read the data it contains.
6) How to secure data in transit?
Encryption in transit often uses asymmetric key exchange, such as elliptic-curve-based Diffie-Hellman, to establish a shared symmetric key that is used for data encryption.
7) What are the OWASP Top 10 vulnerabilities?
- Sensitive Data Exposure.
- XML External Entities.
- Broken Access Control.
- Security Misconfiguration.
- Cross-Site Scripting.
- Insecure Deserialization.
- Using Components with Known Vulnerabilities.
- Insufficient Logging and Monitoring.
8) Where is data stored within the browser?
Data is stored in cookies, session storage and local storage, and all of it is accessible to the user through browser developer tools and similar utilities.
9) How does the browser work?
10) What is SSO?
Single sign-on (SSO) is an authentication method that enables users to securely authenticate with multiple applications and websites by using just one set of credentials.