Introduction to Security

Supervision 1



Foreword        If any of the following is unclear, please let me know. 




Section 1



Question 1


Give 2 examples of real-life situations when you might wish to be completely anonymous and 2 examples of when pseudo-anonymity would be desirable. 



Question 2


What is the difference between authenticity and non-repudiation? 



Question 3


Give 3 examples of “Denial of service” attacks. 



Question 4


How could a trustworthy shipping company, a secure and padlockable box and 1 padlock with 1 key be used to transfer secret papers whilst maintaining confidentiality and integrity?   How could availability of this system be compromised?  If the shipping company was untrustworthy, how could integrity be compromised?  How could this be solved with 2 padlocks, each with only 1 key. 



Question 5


Explain how shift, transposition and substitution ciphers can be cracked using language statistics, how the Vigenere cipher solve this problem partially, but explain why not completely. 



Question 6


Give 5 examples of assets that an organisation may wish to protect. Include both tangible assets (easy to measure/quantify) and intangible assets (harder to quantify).



Question 7


Give 5 examples of threats to the assets identified in question 6.   What do you think is the biggest threat?



Question 8


Give 5 examples of countermeasures that could be adopted to protect against the threats identified in question 7.



Question 9


Give 5 or more reasons why keyless encryption is a bad idea?   I.e. why encryption schemes that rely on the secrecy of the algorithm are a bad idea?



Question 10


Give 5 or more examples of attacks that encryption does not handle?



Question 11


Someone suggests the following scheme for confirming that you have the same secret key as a collaborator.  You create a random bit string the same length as the key, XOR it with the key, and send the XORed result over the network to your collaborator.  Your collaborator XORs the incoming message with the key (which is the same as your key) and sends the result back to you. You check the reply message, and if what you receive is your original random string, you would have verified that your collaborator has the same secret key, yet neither of you has transmitted the key.  What is the flaw in this scheme?



Question 12


Give two reasons why using a compression/decompression algorithm with encryption /decryption can be worthwhile.  If compression is used, is it better to compress before encryption or after?  Give reasons for your answer. 



Question 13


Why is asymmetric cryptography bad.  How can symmetric cryptography be used in

conjunction to help solve this problem? 



Question 14


a)                  What are the characteristics of a hash function?

b)                  Explain how password hash chains work and why using a hash of a password is better than using the password itself.  Give examples. 



Question 15


Consider the following protocol for mutual authentication and key exchange in client-server applications

(Alice is the client, Bob is the Server, Trent is the authentication server):


Message 1


Message is sent from Alice to Bob, appears to be from Alice, and has encrypted part that can only be read by Trent and Alice, which contains a nonce for Alice



Message 2



Message 3


A key is exchanged



Message 4


The key expires at a certain time, after which, it becomes invalid




a)         For each message explain what happens if the message is replayed to the recipient by an intruder. 

b)         Using the encrypted BobTrent portion of message 4, develop a protocol that can be used by Alice for a subsequent authentication with Bob, the next time they want to communicate.






Section 2


Try the follow exercises from the notes: 5, 6, 1, 9, 10 and 11.