grouph_securitycrypt_july2010

Upload: raghuram-pandurangan

Post on 29-May-2018


  • 8/8/2019 GroupH_SecurityCrypt_July2010

    1/11

    MB3H21T-0710

    Section A : Basic Concepts (30 Marks)

    This section consists of questions with serial number 1 - 30. Answer all questions. Each question carries one mark. Maximum time for answering Section A is 30 Minutes.

    1. Which of the following is/are passive security threat(s)?

    I. Masquerade.
    II. Traffic analysis.
    III. Replay.
    IV. Denial of service.

    (a) Only (II) above
    (b) Both (I) and (II) above
    (c) Both (II) and (IV) above
    (d) Both (III) and (IV) above
    (e) (II), (III) and (IV) above.

    2. Amit is part of a big project team at RS Systems and notices an unauthorized party gaining access to the project website. Which of the following categories of attacks can be aptly applied to the above scenario?

    (a) Interruption
    (b) Interception
    (c) Modification
    (d) Fabrication
    (e) Concurrence.

    3. In the Internet Request For Comments (RFC) publication process, which of the following steps belong to the series 'standards track'?

    I. Proposed standard.
    II. Draft standard.
    III. Internet standard.
    IV. Experimental standard.

    (a) Both (I) and (II) above
    (b) Both (I) and (III) above
    (c) Both (II) and (III) above
    (d) (I), (II) and (III) above
    (e) (II), (III) and (IV) above.

    © 2010, ICFAI University. All rights reserved. Photocopying is strictly prohibited.


    4. Which of the following criteria must be satisfied by an RFC specification in order to be considered as a standard?

    I. Stability and clarity.
    II. Technical competency.
    III. Multiplicity of implementations with substantial operation trials.
    IV. Dependency and interoperability with substantial operation trials.

    (a) Both (I) and (II) above
    (b) Both (I) and (III) above
    (c) Both (II) and (III) above
    (d) (I), (II) and (III) above
    (e) (II), (III) and (IV) above.

    5. Das had e-mailed some vital information to Eshwar, which he had received and read. However, when Das inquired, he denied ever receiving the message. Here, activation of which of the following security services would prevent both sender and receiver from denying delivery of a transmitted message?

    (a) Confidentiality
    (b) Authentication
    (c) Integrity
    (d) Nonrepudiation
    (e) Access control.

    6. Raj was sending their project's meeting schedule to Shruthi. Raj and Shruthi each were using different keys to encrypt and decrypt the message at their respective nodes. Here, the kind of encryption can be named as

    I. Asymmetric encryption.
    II. Conventional encryption.
    III. Public-key encryption.

    (a) Only (II) above
    (b) Only (III) above
    (c) Both (I) and (II) above
    (d) Both (I) and (III) above
    (e) Both (II) and (III) above.

    7. In which of the following types of attacks on encrypted messages does the cryptanalyst need to know only the encryption algorithm and the ciphertext in order to decode the message?

    (a) Ciphertext only
    (b) Known plaintext
    (c) Chosen plaintext
    (d) Chosen ciphertext
    (e) Chosen text.


    8. SSL session and SSL connection are the important components of Secure Sockets Layer (SSL). Which of the following is/are the parameter(s) of SSL session?

    I. Peer certificate.
    II. Compression method.
    III. Server write key.

    (a) Only (II) above
    (b) Only (III) above
    (c) Both (I) and (II) above
    (d) Both (I) and (III) above
    (e) Both (II) and (III) above.

    9. In the Data Encryption Standard (DES) algorithm, the length of a plaintext block is

    (a) 16 bits
    (b) 56 bits
    (c) 64 bits
    (d) 8 bits
    (e) 128 bits.

    10. The 3DES algorithm has an effective key length of

    (a) 48 bits
    (b) 168 bits
    (c) 192 bits
    (d) 24 bits
    (e) 256 bits.

    11. Which of the following mathematical and logical operations are used in the DES algorithm?

    I. Addition.
    II. XOR.
    III. Fixed S-boxes.
    IV. Rotation.

    (a) Both (I) and (II) above
    (b) Both (II) and (III) above
    (c) Both (III) and (IV) above
    (d) (I), (II) and (III) above
    (e) (II), (III) and (IV) above.

    12. The input to an encryption algorithm is ______ of the current plaintext block and the preceding ciphertext block in the Cipher Block Chaining (CBC) mode.

    (a) AND
    (b) OR
    (c) XNOR
    (d) XOR
    (e) NAND.


    18. Which of the following Kerberos version 5 flags tells a Ticket Granting Server (TGS) that a new ticket-granting ticket with a different network address may be issued based on the current one?

    (a) RENEWABLE
    (b) POSTDATED
    (c) FORWARDABLE
    (d) HW-AUTHENT
    (e) PRE-AUTHENT.

    19. HMAC has been issued as ______ and chosen as the mandatory-to-implement Message Authentication Code (MAC).

    (a) RFC 2104
    (b) RFC 811
    (c) RFC 2228
    (d) RFC 1624
    (e) RFC 1542.

    20. Which of the following statements is/are false about Elliptic-Curve Cryptography (ECC)?

    I. ECC is easier to explain than either Rivest-Shamir-Adleman (RSA) or Diffie-Hellman.
    II. The confidence in ECC is not as high as that in RSA.
    III. The principal attraction of ECC over RSA is that it apparently offers equal security with a far smaller bit size, thereby reducing processing overhead.

    (a) Only (I) above
    (b) Only (II) above
    (c) Both (I) and (II) above
    (d) Both (I) and (III) above
    (e) Both (II) and (III) above.

    21. Lifetime values in Kerberos version 4 are encoded as an 8-bit quantity which in turn is expressed in units of 5 minutes. Thus, the maximum lifetime that can be available would be

    (a) 2^8 x 5 minutes
    (b) 2^5 x 8 minutes
    (c) 8^2 x 5 minutes
    (d) 8^5 x 2 minutes
    (e) 5^2 x 8 minutes.

    22. Which of the following statements is false about Kerberos version 4 and version 5?

    (a) Kerberos version 4 requires the use of DES
    (b) In Kerberos version 5, any encryption technique may be used
    (c) Kerberos version 4 requires the use of only Internet Protocol (IP) addresses and other addresses are not accommodated
    (d) Kerberos version 5 network addresses are tagged with type and length, allowing any network address type to be used
    (e) In Kerberos version 5, all message structures are defined only using Abstract Syntax Notation One (ASN.1), which provides an unambiguous byte ordering.


    23. Rajeev and Shiva are deciding on a gift for a friend's birthday, when Shiva suggests they buy the unique sculpted pen he saw on the Internet. However, Rajeev is hesitant to use his credit card online because of all the fraud incidents he keeps hearing about. To this objection, Shiva smiled and explained that ______ is an open encryption and security specification designed to protect credit card transactions on the Internet so he need not worry.

    (a) SET
    (b) SSL
    (c) SHA
    (d) TLS
    (e) SNMP.

    24. Pretty Good Privacy (PGP) compresses a message after applying the signature but before the encryption. Placement of the compression algorithm is indicated by ______ for compression.

    (a) C
    (b) Z
    (c) A
    (d) P
    (e) D.

    25. In any encryption algorithm, each session key produced by KDC is associated with a single message and is used only to encrypt and decrypt that message. The CAST-128 and the IDEA algorithms use

    (a) 64-bit keys
    (b) 128-bit keys
    (c) 168-bit keys
    (d) 256-bit keys
    (e) 512-bit keys.

    26. In the PGP message format, which of the following components is/are optional?

    I. The message component.
    II. The signature component.
    III. The session key component.

    (a) Only (I) above
    (b) Only (II) above
    (c) Both (I) and (II) above
    (d) Both (I) and (III) above
    (e) Both (II) and (III) above.

    27. In the Internet Protocol version 6 (IPv6) header, the payload contains

    (a) 4 bits
    (b) 8 bits
    (c) 16 bits
    (d) 24 bits
    (e) 32 bits.


    28. Anand wanted to access the joint tax-returns document his wife had prepared on her laptop. It was the last day for filing them and he could not reach his wife. So he followed some strategies to crack the password of the system. Which of the following rules could he have applied to crack the password?

    I. Try with the user's name, initials, account name and relevant personal information.
    II. Making first letter uppercase, making entire word uppercase.
    III. Reversing the word.

    (a) Only (II) above
    (b) Only (III) above
    (c) Both (I) and (III) above
    (d) Both (II) and (III) above
    (e) All (I), (II) and (III) above.

    29. Reshmi found that her system was infected with a virus which corrupted the master boot record or the boot record and thus spread to other parts of the system when the system was booted. Here, which of the following types of virus could have caused this damage?

    (a) Parasitic virus
    (b) Memory-resident virus
    (c) Boot sector virus
    (d) Stealth virus
    (e) Polymorphic virus.

    30. Digital immune system is a comprehensive approach to virus protection developed by

    (a) IBM
    (b) Microsoft
    (c) Intel
    (d) CJC
    (e) CA.

    END OF SECTION A


    Section B : Problem/Caselets (50 Marks)

    This section consists of questions with serial number 1 - 8.

    Answer all questions. Marks are indicated against each question. Detailed workings/explanations should form part of your answer. Do not spend more than 110 - 120 minutes on Section B.

    1. Explain in detail the RSA algorithm with an example. (10 marks)

    Caselet 1

    Answer the following questions based on the given Caselet:

    2. What are the objectives of BU? (3 marks)

    3. Critically analyze the solution chosen by BU for data encryption. (4 marks)

    4. Discuss the services to be provided by the solution and list out the results obtained by the security solution at BU. (10 marks)

    Baylor University (BU) is the largest Baptist university in the world, with a 735-acre campus and almost 14,000 students from all 50 states of the U.S. as well as from 70 other countries. Its nationally recognized academic divisions offer 146 undergraduate, 73 masters, and 22 doctoral degree programs plus a Juris Doctorate program in the School of Law.

    Universities hold a great deal of personal information about their students and other constituents that needs to be safeguarded. BU employees had noticed the recent headlines about security breaches at other organizations and their impact on the organizations' public reputation. These incidents, along with a range of applicable legislation and best practices in higher education, reinforced BU's need for upgraded sensitive information security.

    If a security breach were to occur, BU would need to immediately notify any and all individuals affected. If thus needed, managing the notifications and resolving any issues could have a significant financial impact on the BU and cause unwanted negative publicity.

    Many staff members at BU use laptop computers to increase their productivity and efficiency. However, the portable nature of laptops makes them more susceptible to loss or theft, potentially leading to the exposure of sensitive information. BU needed a way to safeguard the information and prevent such exposure or leakage.

    BU required a data encryption solution that could be easily managed with a little oversight by the IT staff and would integrate well with the existing infrastructure. In addition, the BU wanted a solution that could be scaled easily as future encryption needs arose, rather than be replaced.

    Equally important was that the encryption software accommodate the needs of today's sophisticated academic users. With both PC and Mac systems as well as workstations shared by multiple individuals on a daily basis, BU required an encryption solution that would ensure that users could work without interruption and violation of their privacy.


    BU carefully evaluated three data encryption solutions, of which they ultimately chose PGP Whole Disk Encryption. This was centrally managed by PGP Universal Server to protect laptop data using full disk encryption. "We compared all the key features and could see that the PGP solution offered the most solid technology. We knew it would make our day-to-day lives easier," said BU's Information Security Officer, Jon Allen. The BU also identified PGP Universal Gateway Email as a possible solution to secure emails in the future as people enter and leave the network.

    "We wanted software that had been tested in the real world," says Allen. "It is well-known that PGP technology provides a solid security platform that has been proven effective repeatedly over time." Before making his decision, Allen spoke to other PGP customers and after hearing their positive experiences, decided to test the software in the BU's environment. "We threw every scenario we could think of at the software, and were very pleased with the results," Allen adds.

    BU had already invested a significant amount of resources in a Microsoft Active Directory infrastructure. As Allen explains, "We knew PGP Universal Server would be able to integrate with our existing environment, saving us the time and expense of creating a duplicate infrastructure or being forced to replace the present setup."

    A large university such as BU typically requires a wide variety of computers to meet the needs of students, staff, as well as faculty. "Although PCs make up the majority of our workstations, we also have a percentage of Macs. We needed to be able to safeguard both types of systems, and PGP Whole Disk Encryption offered that capability," says Allen.

    BU was looking for a solution that would not require a good deal of ongoing support. When a user forgot his/her passphrase, for example, the BU wanted to resolve the issue quickly. "The process for handling lost passphrases with PGP Whole Disk Encryption is much more streamlined than with other competing software," says Allen. "There is less room for error in this situation, and we knew the PGP solution would make things easier for us and for our help desk."

    When future encryption needs arise, BU's investment in the PGP Encryption Platform will provide the flexibility to deploy and manage multiple encryption applications cost effectively from a single management console. For example, when email security becomes a concern, BU can simply add the PGP Universal Gateway Email application to the existing platform. It will not need additional infrastructure and the operational costs will be lower because both the PGP products share common management architecture.

    According to Allen, "We didn't want a software vendor, we wanted a technology partner. We could see the commitment PGP Corporation has to technology and partnership with us. The company understands our long-term goals and was willing to take on challenges of the higher-education market. That was a very important factor in our decision."

    PGP Universal Server and PGP Whole Disk Encryption are now an integral part of BU's information security system. BU acquired the software through a PGP Certified Solution Partner (CSP). "We do a lot of business with this reseller, and they were extremely helpful during this project," says Allen.

    "We set up the server quickly and on time, which allowed us to focus on fine-tuning PGP Whole Disk Encryption to our specific environment."

    "Overall, we were very pleased with the performance of the software. Few issues arose because of unique higher education requirements; however, PGP support worked with us to resolve them quickly and accurately, allowing for a smooth deployment," Allen says.

    "I've had zero complaints from users," Allen reports. "They're able to do their work as before, and most say they don't even notice the software."

    "We've had very few calls from users," says Allen. "The only reason users call is because of forgotten passphrases," Sealey explains, "and we're able to fix that issue easily within minutes."

    As Becky King, BU's interim CIO, explains, "A huge weight has been lifted off my shoulders since PGP Whole Disk Encryption was installed on my laptop. It's a tremendous benefit to be able to take my laptop wherever I go and not have to worry." Allen adds, "Now, if someone loses a laptop, we don't have to be concerned about sensitive information being exposed and can avoid unnecessary costs and potential headaches both for us and our students."

    Allen summarizes: "In PGP Corporation, we found both a strong, long-term data security solution and a solid partner at the same time."

    END OF CASELET 1

    Caselet 2

    Answer the following questions based on the given Caselet:

    5. What would be the steps to design security architecture for Domino? (5 marks)

    6. Who are the attackers and why do they attack? (5 marks)

    7. Describe the Internet Protocols discussed in the caselet. (7 marks)

    8. Describe S/MIME, demonstrating how a message can be sent from one user to the other. (6 marks)

    The convenience and ubiquitousness of the Web has led many Notes/Domino customers to decide to use the Web for employee mail, particularly while they travel. However, even with Domino's standard security features, there are times when additional security measures are prudent, or even mandatory.

    Therefore, the system providing e-mail services is required to be universally accessible and the mechanism for accessing the e-mail is equally universal and ubiquitous. The simplest and most straightforward way of meeting these requirements was to use the Internet, i.e., a Web browser as the messaging client, and a Web application server for providing the messaging services.

    The Web browser would access a specific mail file for the employee via HTML using the HTTP protocol. The Web application server would provide access to the user's mail box via HTML using the HTTP protocol in addition to mail store and forward services (typically using SMTP). The main issue was to determine how to do this in as secure a fashion as possible. Providing access is one thing but restricting access only to those people who are authorized to have it is quite another thing.

    Before delving into security ramifications of providing the required services, it was important for Domino's to understand the details of the architecture of a ubiquitous mail access solution. Then it would be easy for them to add the necessary security services and discuss the caveats that exist, if any. Web users access and exchange mail over the Internet to others in another department. Additionally, they are also exchanging mail with other users who are using another brand of messaging server and POP or IMAP messaging clients.


    Given the increasingly complex architecture, it is important to take it one step at a time and think through the threat model and what security measures can be applied to ensure that the information is as safe as possible, while keeping the access as universal as possible.

    In dealing with information exchanged outside the company network, attackers could be anyone on the Internet with the means to intercept packets exchanged between the Web client and the Web application server. In contrast, in dealing with information exchanged inside the network, it could be only insiders who are either employees or contractors.

    The various Internet protocols that are typically used for sending and receiving e-mails are: SMTP, MIME, POP3, and IMAP4. The simplicity of these protocols means that they pose security issues for anyone sending and receiving mail, that is, between different types of messaging servers.

    S/MIME offers features to send a message securely. With those features, you can be sure that: from the moment the message is sent by one person to the moment that it arrives to the other person, no one can see the contents of the message; the message has not been tampered with or changed en route to delivery.

    END OF CASELET 2

    END OF SECTION B

    Section C : Applied Theory (20 Marks)

    This section consists of questions with serial number 9 - 10. Answer all questions. Marks are indicated against each question. Do not spend more than 25 - 30 minutes on Section C.

    9. Explain in detail about each of the following:

    I. Cipher Block Chaining Mode.
    II. Cipher Feedback Mode. (10 marks)

    10. Enumerate the characteristics of a firewall and discuss the various types of firewalls. (10 marks)

    END OF SECTION C

    END OF QUESTION PAPER
