BSc (Hons) Sofware Engineering Cohort: BSE/09/FT & BSE/07/PT Examinations for 2010-2011 / Semester 2 MODULE: Security Concepts MODULE CODE: SECU2101 Duration: 2 Hours Instructions to Candidates: 1. ALL questions are COMPULSORY 2. Start each question on a fresh page. 3. Calculators are NOT permitted in this examination. 4. Total Marks: 100 This question paper contains 3 questions and 5 pages. Page 1 of 5
QUESTION 1: (30 MARKS) (a) Distinguish between confidentiality, integrity and availability. Illustrate your answer using an example. (3+6 Marks) (b) What is the difference between a virus, a worm and a trojan horse? (3x2 Marks) (c) Why are corporate employees especially dangerous? What kinds of attacks do they perpetrate? (2+1 Marks) (d) Does using passwords with salts make attacking a specific account more difficult than using passwords without salts? Explain why or why not. (5 Marks) (e) Describe the principle of least privilege. Why is it important? (2+2 Marks) (f) Data compression is often used in data storage or transmission. Suppose you want to use data compression in conjunction with encryption. Does it make more sense to I. Compress the data and then encrypt the result, or II. Encrypt the data and then compress the result. Justify your answer. (3 Marks) Page 2 of 5
QUESTION 2: (40 MARKS) (a) Decrypt the following, which has been encrypted with a Caesar cipher: G AYKC, G QYU, G AMLOSCPCB (5 Marks) (b) Why is it important for a cipher to have a large number of potential keys? (c) Discuss the algorithm of the rail fence cipher. You may use an example to illustrate your answer. (4 Marks) (d) Discuss the need to perform a threat assessment to implement a physical security program? (e) Teardrop attacks and Ping of death attacks are methods of launching a Denial of Service attack. Explain the terms in bold. (3x3 Marks) (g) Describe five services in PGP operation. (10 Marks) (h) Explain the need for web security. Describe briefly the three different approaches to provide web security. (2+6 Marks) Page 3 of 5
QUESTION 3 (30 MARKS) (a) Describe three network threats that a firewall does not protect against. (3x2 Marks) (b) Explain the strengths and weaknesses of each of the following firewall deployment scenarios in defending servers, desktop machines, and laptops against network threats. I. A firewall at the network perimeter. II. Firewalls on every end host machine. III. A network perimeter firewall and firewalls on every end host machine. (4x3 Marks) (c) Amy wants to send a cellphone text message to Bill securely, over an insecure communication network. Amy's cellphone has a RSA public key KA and matching private key va; likewise, Bill's cellphone has KB and vb. Let's design a cryptographic protocol for doing this, assuming both know each other's public keys. Here is what Amy's cellphone will do to send the text message m: 1. Amy's phone randomly picks a new AES session key k and computes c = RSA-Encrypt(KB; k), c = AES-CBC-Encrypt(k;m), and t = RSA-Sign(vA; (c; c )). 2. Amy's phone sends (c; c ; t) to Bill's phone. Page 4 of 5
And here is what Bill's cellphone will do, upon receiving (c; c ; t): 1. Bill's phone checks that t is a valid RSA signature on (c; c ) under public key KA. If not, abort. 2. Bill's phone computes k = RSA-Decrypt(vB; c) and m = AES-CBC- Decrypt(k ; c ). 3. Bill's phone informs Bill that Amy sent message m. I. Does this protocol ensure the confidentiality of Amy's messages? Why or why not? (1+2 Marks) II. Does this protocol ensure authentication and data integrity for every text message Bill receives? Why or why not? (1+2 Marks) III. Suppose that Bill is Amy's stockbroker. Bill hooks up the output of this protocol to an automatic stocktrading service, so if Amy sends a text message Sell 100 shares MSFT using the above protocol, then this trade will be immediately and automatically executed from Amy's account. Suggest one reason why this might be a bad idea from a security point of view. (d) Suppose that an algorithm is found that can efficiently factorise a large number. Explain how a cryptanalyst could use this algorithm to break RSA cryptosystem. ***END OF QUESTION PAPER*** (4 Marks) Page 5 of 5