Part 1: Short Answer. Answers should be no longer than a few sentences. “Bulletized” lists or small tables may be used for the sake of brevity. (4 points each; partial credit may be given if work is clearly shown)
1. Give a specific example of how inference control might be implemented in a database.
2. For a public-key encryption system (such as PGP), list some reasons for and against using the same key pair for both encryption and signature.
3. Compare and contrast PKI and Kerberos.
4. PKI has not been widely successful, partly because users don’t trust digital signatures. Give some reasons for that distrust.
5. Suggest some ways to address the “crypto dilemma,” along with the pros and cons of each.
6. A 1,000-bit message is used to generate a 512-bit hash. On the average, how many other messages could be expected to generate the same hash value? What does this tell us about the length of a hash as compared to the length of the message?
7. The following questions are worth 2 points each:
a. Bob picked N=91 for use in an RSA-encrypted message. Since N is part of the public key, Alice was able to crack Bob’s message by determining the values of p and q that Bob used. What values of p and q did she determine?
b. Is 27,182,818,284 a prime number? Why or why not?
8. Modular arithmetic is used in public key ciphers. What is the value of X for each of the following:
a. X = 1,144 mod 26
b. X = 3 mod 3,013,991
c. X = 19 mod 3
d. X = 28 mod 3
9. Compare and contrast Pretty Good Privacy, as we used it in our class this semester, and PKI.
10. You are Alice. You have agreed with your friend Bob that you will use the Diffie-Hellman public-key algorithm to exchange secret keys. You and Bob have agreed to use the public base g = 19 and public modulus p = 29. You have secretly picked the value SA = 23. You begin the session by sending Bob your calculated value of TA. Bob responds by sending you the value TB = 17. What is the value of your shared secret key?
11. What are some potential vulnerabilities of on-line shopping cart applications?
12. You’ve been tasked by your boss to design a computer program that can detect encrypted files. List some ways that you could accomplish this.
13. Using RSA, let p = 19, q = 13 and e = 5. Which of these is the complete private key:
e. None of the above.
(For full credit, please show your reasoning.)
14. Suppose that Eve runs a key server. Alice downloads a key from the key server which Eve claims is Bob’s public key. Bob downloads a key from the key server which Eve claims is Alice’s public key. Given that Alice and Bob both assume that they have the correct public keys for the other party, and assuming that Eve can intercept any messages passed between Alice and Bob, is there any way that Eve can read the encrypted communications between the two parties? If so, how could she do it, and would Bob or Alice know that Eve was reading their messages? How could Bob and Alice mitigate this situation?
15. Briefly describe a situation where cryptographic techniques can aid the battle against malware. Describe a second situation where cryptographic techniques can hinder the battle against malware.
16. How can a system for multi-level access control be implemented for government and military applications? What might access rules look like for such a system?
17. Please concur with, dispute, or qualify the following statement. Performing a frequency analysis would be a good starting point for cracking an RSA-encrypted message. (Please be sure to include your rationale.)
18. What security features could be provided without changing the mail delivery infrastructure, i.e., by only running special software at the source and destination?
19. Computer system #1 requires logon passwords to be eight upper-case letters. How many different passwords are there for system #1? Computer system #2 requires logon passwords to be eight characters, which may be upper or lower-case letters, the numbers 0 through 9, and the characters $, !, and %. How many different passwords are there for system #2?
20. How does Kerberos help with the key management problem?
Part 2: Essay Question. Maximum length: three (3) pages. (20 pts.)
An enterprising group of entrepreneurs is starting a new cloud-like data storage and retrieval business, StoreItRite, Inc. For a fee, the new company will accept digitalized data (both text and images), and store it on hard drives until needed by the customer. Customer data will be transmitted to and from StoreItRite over the Internet. StoreItRite guarantees that the data’s confidentiality and integrity will be maintained.
StoreItRite also envisions some information assurance requirements for their internal operations. Company employees will need to exchange confidential email, and will need a mechanism for verifying the integrity and originator of some email messages. Also, StoreItRite intends a daily backup of all customer data to a remote facility via a leased line. They wish to do so as economically as possible, while ensuring the data’s confidentiality and integrity.
StoreItRite is interviewing candidates for the position of Chief Information Officer (CIO). They are asking candidates to describe briefly how they would satisfy StoreItRite’s requirements as stated above. How would a successful candidate respond?