UNIVERSITY EXAMINATIONS: 2012/2013
THIRD YEAR EXAMINATION FOR THE BACHELOR OF
SCIENCE IN INFORMATION TECHNOLOGY
BIT 3102 INFORMATION SYSTEMS SECURITY AND
CRYPTOGRAPHY
DATE: DECEMBER, 2012 TIME: 2 HOURS
INSTRUCTIONS: Answer Question ONE and any other TWO
QUESTION ONE
a) State any five weaknesses that compromise cryptographic algorithms. (5 Marks)
b) New employees in sensitive jobs should sign employment agreements with nondisclosure provisions. Explain briefly any six specifications for this agreement. (6 Marks)
c) Identify the three key players in a PKI system. (3 Marks)
d) State four possible attacks on message authentication. (4 Marks)
e) Discuss four developments that have led to an increase in computer fraud. (4 Marks)
f) Identify the four major tools used to protect networks, servers, and clients. (4 Marks)
g) Discuss in detail the following:
i. Stream Cipher (2 Marks)
ii. Block Cipher (2 Marks)
QUESTION TWO
a) In public key encryption, compare and contrast RSA and Diffie-Hellman
algorithms (7 Marks)
b) SSL Handshake Protocol operates on top of the SSL Record Layer. When an SSL
client and server first start communicating, they agree on a protocol version,
select cryptographic algorithms, optionally authenticate each other, and use public
key encryption techniques to generate shared secrets. Explain how these processes
are performed in the handshake protocol. (5 Marks)
c) The use of cryptography facilitates the provision of a secure service. Many of the
disjointed situations represent scenarios that the man in the street encounters
almost every day, but probably does not appreciate either the security risks or the
role played by encryption. In this particular case we focus on a cash withdrawal
from an ATM machine.
i. When someone makes a cash withdrawal from an Automated Teller Machine
(ATM), they need to produce a plastic, magnetic stripe card and have knowledge
of the associated PIN. The customer places their card in the ATM slot and enters
their PIN. They then enter the amount requested for withdrawal. In a typical
transaction, what does the system need to check? (2 Marks)
ii. The ATM sends the card details and PIN to the host computer, and the response
message either authorizes the transaction or refuses it. Clearly these
communications need protection. Although the amount of a withdrawal may not
be secret, what is important about the amount dispensed at the machine? (1 Mark)
iii. Banks are understandably nervous about the possibility of an ATM paying out on
the same positive response message more than once. What is required in this
regard? (1 Mark)
iv. All banks instruct their customers to keep their PINs secret as anyone who knows
the correct PIN can use a stolen or lost card. Clearly the banks must ensure that
the PIN is not compromised within their system and so the PIN is encrypted
during transmission and on the database that is used for checking the validity of
the PIN. The algorithm used for this process is DES in ECB mode. Since DES
encrypts 64-bit blocks and PINs are, typically, only four digits, how do they
ensure that the block is properly encrypted? (1 Mark)
v. How do they ensure that anyone who gains access to encrypted PIN blocks would
not be able to identify customers who share the same PINs? (2 Marks)
vi. This use of encryption prevents the PIN being exposed to eavesdroppers who
intercept the communications between the ATM and the host computer. It also
prevents PINs from being read by personnel who have access to the bank’s
database. However, encryption cannot prevent a fraudster guessing someone’s
PIN. Anyone who finds or steals a plastic card can enter it into an ATM and try a
lucky guess. Since there can be at most 10,000 four-digit PINs, the chances of a
successful guess are not ridiculously small. In recognition of this, how is this
problem dealt with in most ATMs? (1 Mark)
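The following added example (not part of the examination paper) illustrates the points behind parts iv and v: a four-digit PIN padded to a 64-bit block and encrypted in ECB mode yields the same ciphertext for every customer with that PIN, whereas mixing the account number into the block (here the ISO 9564-1 format 0 layout, an assumed standard not named in the question) breaks that equality. The Python standard library has no DES, so a keyed HMAC truncated to 64 bits stands in for the block cipher; it is deterministic like DES-ECB but is not DES and not invertible.

```python
import hashlib
import hmac

# Constructed sample key for the stand-in block function (not a real bank key).
KEY = bytes.fromhex("0123456789abcdef")


def des_ecb_stand_in(block: bytes, key: bytes = KEY) -> bytes:
    """Deterministic keyed 64-bit block function standing in for single DES in ECB.

    For showing ECB's property that equal plaintext blocks give equal ciphertext
    blocks under one key, any deterministic keyed function of the block suffices.
    This is NOT DES: it is HMAC-SHA256 truncated to 8 bytes and cannot be decrypted.
    """
    assert len(block) == 8, "ECB processes one 64-bit block at a time"
    return hmac.new(key, block, hashlib.sha256).digest()[:8]


def naive_pin_block(pin: str) -> bytes:
    """Pad the PIN digits with 'F' nibbles to 64 bits; no customer-specific data mixed in."""
    return bytes.fromhex((pin + "F" * 16)[:16])


def iso9564_format0_pin_block(pin: str, pan: str) -> bytes:
    """ISO 9564-1 format 0 PIN block: PIN field XOR PAN field (assumed layout).

    PIN field: '0', PIN length nibble, PIN digits, 'F' padding to 16 nibbles.
    PAN field: '0000' + rightmost 12 PAN digits excluding the check digit.
    """
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    if not (len(pan) >= 13 and pan.isdigit()):
        raise ValueError("PAN must be at least 13 digits")
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    pan_field = "0000" + pan[:-1][-12:]  # drop check digit, keep 12 rightmost digits
    return bytes(a ^ b for a, b in zip(bytes.fromhex(pin_field), bytes.fromhex(pan_field)))


def encrypted_pin_blocks_collide(pin: str, pan_a: str, pan_b: str, mix_pan: bool) -> bool:
    """True if two customers sharing `pin` store identical encrypted PIN blocks."""
    if mix_pan:
        block_a = iso9564_format0_pin_block(pin, pan_a)
        block_b = iso9564_format0_pin_block(pin, pan_b)
    else:
        block_a = block_b = naive_pin_block(pin)
    return des_ecb_stand_in(block_a) == des_ecb_stand_in(block_b)
```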
QUESTION THREE
a) Outline briefly any five important factors to consider when choosing a firewall
solution. (5 Marks)
b) Describe briefly any five IDS categories. (5 Marks)
c) Once risks are discovered, it is essential to ascertain the specific areas of an
organization that are especially vulnerable to known risks. Describe the five
specific vulnerability areas. (5 Marks)
d) Describe any five functions performed by an Information Security Officer (ISO).
(5 Marks)
QUESTION FOUR
a) Discuss any four design principles for secure systems. (8 Marks)
b) Outline any five examples of human errors which can result in security problems.
(5 Marks)
c) Suppose you are starting a new business which deals with a secret new
technology. Describe, in overview, how you would design a secure work
environment for the company. Think of physical issues, software issues and work
practices. (5 Marks)
d) Distinguish between a model for security and a security policy. (2 Marks)
QUESTION FIVE
a) A strong security process contains several layers of operational functionality.
State any six of these layers of operational functionality (6 Marks)
b) Define the following terminologies as used in information systems security:
i. Reference Monitor (RM) (1 Mark)
ii. Biometrics (1 Mark)
iii. Computer Forensics (1 Mark)
iv. Single-Sign-On (SSO) (1 Mark)
v. Emanation (1 Mark)
c) Let’s assume that there are two parties A (Alice) and B (Bob), who exchange a
finite number of messages:

            M1
   A  ------------------>  B
            M2
   A  <------------------  B
            M3
   A  ------------------>  B
            M4
   A  <------------------  B
A starts the protocol by sending a message to B, M1. B replies with M2, etc. We
assume that message N+1 is not sent until message N has been received and
understood. During or after the exchange of the messages what do we need to be
sure of? (3 Marks)
d) In general, it is not possible to satisfy the beliefs in (c) above until the protocol
has completed its exchange. The contents of the messages can be verified for their
integrity in a number of ways.
i. How do we ensure that no-one has messed with the messages in transit? (2 Marks)
ii. We must also verify that the message is not just a replay of an older message
which someone picked up by snooping on the network. List two methods used to
verify this. (2 Marks)
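As an added example (not part of the examination paper), the exchange from parts (c) and (d) with two of the protections asked about: an HMAC-SHA256 tag over each message so B detects tampering in transit, and a strictly increasing sequence number so a replayed older message is refused. The framing, the shared key and the message contents are constructed for the demonstration.

```python
import hashlib
import hmac

# Shared MAC key agreed between A and B beforehand (constructed sample value).
SHARED_KEY = b"constructed-demo-key-not-for-real-use"
TAG_LEN = 32  # HMAC-SHA256 output size


def make_message(seq: int, body: bytes, key: bytes = SHARED_KEY) -> bytes:
    """Frame as seq (4 bytes, big-endian) || body || HMAC over seq || body."""
    header = seq.to_bytes(4, "big")
    tag = hmac.new(key, header + body, hashlib.sha256).digest()
    return header + body + tag


class Receiver:
    """One direction of the exchange: verifies integrity, then rejects replays."""

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self.last_seq = 0          # highest sequence number accepted so far
        self.accepted = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < 4 + TAG_LEN:
            return False
        header, body, tag = frame[:4], frame[4:-TAG_LEN], frame[-TAG_LEN:]
        # Integrity: recompute the tag; constant-time compare avoids timing leaks.
        expected = hmac.new(self.key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False
        # Freshness: a sequence number at or below one already seen is a replay.
        seq = int.from_bytes(header, "big")
        if seq <= self.last_seq:
            return False
        self.last_seq = seq
        self.accepted.append(body)
        return True


def run_exchange() -> dict:
    """B's view: accept M1 and M3 from A, reject a tampered M3 and a replayed M1."""
    b_side = Receiver()
    m1 = make_message(1, b"M1: A -> B, hello")
    m3 = make_message(3, b"M3: A -> B, transfer 100")
    # Attacker alters the body but cannot recompute the tag without the key.
    tampered_m3 = m3[:4] + m3[4:-TAG_LEN].replace(b"100", b"999") + m3[-TAG_LEN:]
    return {
        "m1_accepted": b_side.receive(m1),
        "m3_accepted": b_side.receive(m3),
        "tampered_m3_rejected": not b_side.receive(tampered_m3),
        "replayed_m1_rejected": not b_side.receive(m1),
    }
```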
e) What is meant by a one-time password? (2 Marks)