Introduction to Security
Supervision 1
Foreword If any of the following is unclear, please let me know.
Section 1
Question 1
Give 2 examples of real-life situations when you might wish to be completely anonymous and 2 examples of when pseudo-anonymity would be desirable.
Question 2
What is the difference between authenticity and non-repudiation?
Question 3
Give 3 examples of “Denial of service” attacks.
Question 4
How could a trustworthy shipping company, a secure and padlockable box and 1 padlock with 1 key be used to transfer secret papers whilst maintaining confidentiality and integrity? How could availability of this system be compromised? If the shipping company was untrustworthy, how could integrity be compromised? How could this be solved with 2 padlocks, each with only 1 key.
Question 5
Explain how shift, transposition and substitution ciphers can be cracked using language statistics, how the Vigenere cipher solve this problem partially, but explain why not completely.
Question 6
Give 5 examples of
assets that an organisation may wish to protect. Include both tangible assets
(easy to measure/quantify) and intangible assets (harder to quantify).
Question 7
Give 5 examples of
threats to the assets identified in question 6. What do you think is the biggest
threat?
Question 8
Give 5 examples of
countermeasures that could be adopted to protect against the threats identified
in question 7.
Question 9
Give 5 or more reasons
why keyless encryption is a bad idea? I.e. why encryption schemes that
rely on the secrecy of the algorithm are a bad idea?
Question 10
Give
5 or more examples of attacks that encryption does not handle?
Question 11
Someone suggests the
following scheme for confirming that you have the same secret key as a
collaborator. You create a random
bit string the same length as the key, XOR it with the key, and send the XORed
result over the network to your collaborator. Your collaborator XORs the incoming
message with the key (which is the same as your key) and sends the result back
to you. You check the reply message, and if what you receive is your original
random string, you would have verified that your collaborator has the same
secret key, yet neither of you has transmitted the key. What is the flaw in this scheme?
Question 12
Give two reasons why using a compression/decompression algorithm with encryption /decryption can be worthwhile. If compression is used, is it better to compress before encryption or after? Give reasons for your answer.
Question 13
Why is asymmetric cryptography bad. How can symmetric cryptography be used in
conjunction to help solve this problem?
Question
14
a) What are the characteristics of a hash function?
b) Explain how password hash chains work and why using a hash of a password is better than using the password itself. Give examples.
Question 15
Consider the following protocol for mutual
authentication and key exchange in client-server applications
(
|
Message 1 Message is sent from |
|
|
Bob |
|
Message 2 |
Bob |
|
|
|
Message 3 A key is exchanged |
|
|
Bob |
|
Message 4 The key expires at a certain time, after which,
it becomes invalid |
Bob |
|
|
a) For
each message explain what happens if the message is replayed to the recipient
by an intruder.
b) Using the
encrypted BobTrent portion of message 4, develop a protocol that can be used by
Section 2
Try the follow exercises from the notes: 5, 6, 1, 9, 10 and 11.