Part 1: Determine if the following statements are True or False.

1. An agent in the Clark-Wilson Model (CWM) should also have the execute rights regarding an entity after the agent is permitted to certify that entity.

2. Although physical security is often managed under a separate responsibility from information security, risk analysis for information security still needs to address physical security.

3. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.

4. With unlimited resources and security controls, it is possible to reduce risk to zero.

5. Viruses infect executable files and hardware as well.

6. Cryptanalytic attacks try every possible key on a piece of ciphertext until an intelligible translation into plaintext is obtained.

7. The purpose of the DSS algorithm is to enable two users to securely reach agreement about a shared secret that can be used as a secret key for subsequent symmetric encryption of messages.

8. Traditional RBAC systems define the access rights of individual users and groups of users.

9. Some process of managed downgrading of information is needed to restore reasonable classification levels.

10. A BLP model breaks down when low classified executable data are allowed to be executed by a high clearance subject.

11. The secret key is input to the encryption algorithm.

12. Triple DES takes a plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits.

13. The advantage of a stream cipher is that you can reuse keys.

14. Like the MAC, a hash function also takes a secret key as input.

15. The strength of a hash function against brute-force attacks depends solely on the length of the hash code produced by the algorithm.

16. Public-key cryptography is asymmetric.

17. Public-key algorithms are based on simple operations on bit patterns.

18. A token is the best means of authentication because it cannot be forged or stolen by an adversary.

19. User authentication is a procedure that allows communicating parties to verify that the contents of a received message have not been altered and that the source is authentic.

20. A good technique for choosing a password is to use the first letter of each word of a phrase.

21. Memory cards store and process data.

22. Depending on the application, user authentication on a biometric system involves either verification or identification.

23. An individual's signature is not unique enough to use in biometric applications.

24. A smart card contains an entire microprocessor.

25. Access control is the central element of computer security.

26. The authentication function determines who is trusted for a given purpose.

27. An auditing function monitors and keeps a record of user accesses to system resources.

28. External devices such as firewalls cannot provide access control services.

29. The principal objectives of computer security are to prevent unauthorized users from gaining access to resources, to prevent legitimate users from accessing resources in an unauthorized manner, and to enable legitimate users to access resources in an authorized manner.

30. A user program executes in a kernel mode in which certain areas of memory are protected from the user's use and certain instructions may not be executed.

Part 2: Short Answers. Please answer briefly and completely, and you must cite all sources of information if any.

1. Describe the fundamental principles in both the Bell-LaPadula and Biba security models. For each, explain what sort of security the model is intended to provide, the two key properties of the model, and then explain in your own words why each of the properties makes sense from a security standpoint.

2. Consider a public key encryption. Ann wants to send Bill a message. Let Annpriv and Annpub be Ann's private and public keys respectively. The same for Bill (Billpriv and Billpub).

(a) If Ann sends a message to Bill, what encryption should Ann use so that only Bill can decrypt the message (secrecy)?

(b) Can Ann encrypt the message so that anyone who receives the message is assured that the message only came from Ann (authenticity)?

(c) Is it possible for Ann to devise a method that will allow for both secrecy and authenticity for her message? Please justify your answer.

3. Assume that passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 12 characters in length. Assume a password cracker with an encryption rate of 10 giga encryptions per second. How many years will it take to test exhaustively all possible passwords on a UNIX system? Note you need to show the procedures of calculation step by step as well.
