QUESTION 1:
(a) Differentiate between confidentiality, integrity and availability. Demonstrate your answer using an example.
(b) What is the dissimilarity amid between a virus, a worm and a trojan horse?
(c) Why are commercial employees especially dangerous? What sorts of attacks do they perpetrate?
(d) Does using passwords with salts make attacking a specific account more difficult than using passwords without salts? Give explanation why or why not.
(e) Illustrate the principle of least privilege. Why is it significant?
(f) Data compression is frequently used in data storage or transmission. Presume you want to use data compression in conjunction with encryption.
Does it make added sense to
I. Compress the data and then encrypt the result, or
II. Encrypt the data and then compress the result.
Give good reason for your answer.
QUESTION 2
(a) Decrypt the subsequent, which has been encrypted with a Caesar cipher: G AYKC, G QYU, G AMLOSCPCB
(b) Why is it significant for a cipher to have a large number of potential keys?
(c) Converse the algorithm of the rail fence cipher. You may use an instance to illustrate your answer.
(d) Thrash out the need to perform a threat assessment to implement a physical security program?
(e) Teardrop attacks and Ping of death attacks are methods of launching a Denial of Service attack. Make clear the terms in bold.
(f) Portray five services in PGP operation.
(g) Give explanation the need for web security. Describe briefly the three different approaches to provide web security.
QUESTION 3
(a) Illustrate three network threats that a firewall does not protect against.
(b) Clarify the strengths and weaknesses of each of the following firewall deployment scenarios in defending servers, desktop machines, and laptops against network threats.
I. A firewall at the network perimeter.
II. Firewalls on every end host machine.
III. A network perimeter firewall and firewalls on every end host machine.
(c) Amy desires to send a cellphone text message to Bill securely, over an insecure communication network.
Amy's cellphone has a RSA public key KA and co petitioning private key vA; likewise, Bill's cellphone has KB and vB.
Let's design or intend a cryptographic protocol for doing this, assuming both know each other's public keys.
Here is what Amy's cellphone will do to post the text message m:
1. Amy's phone arbitrarily picks a new AES session key k and computes c = RSA-Encrypt(KB; k), c' = AES-CBC-Encrypt(k;m), and t = RSA-Sign(vA; (c; c')).
2. Amy's phone sends (c; c'; t) to Bill's phone.
And at this time is what Bill's cellphone will do, upon receiving (c; c'; t):
1. Bill's phone ensures that t is a valid RSA signature on (c; c') under public key KA. If not, terminate.
2. Bill's phone computes k' = RSA-Decrypt(vB; c) and m' = AES-CBCDecrypt( k'; c').
3. Bill's phone updates Bill that Amy sent message m'.
I. Does this protocol guarantee the confidentiality of Amy's messages? Why or why not?
II. Does this protocol guarantee authentication and data integrity for every text message Bill receives? Explain Why or why not?
III. Presume that Bill is Amy's stockbroker. Bill hooks up the output of this protocol to an automatic stocktrading service, so if Amy sends a text message "Sell 100 shares MSFT" using the above protocol, then this trade will be straight away and automatically executed from Amy's account.
Recommend one reason why this might be a bad idea from a security point of view.
(d) Presume that an algorithm is found that can efficiently factorise a large number. Describe how a cryptanalyst could use this algorithm to break RSA cryptosystem.