April 2000
SC223 : COMPUTER SECURITY

QUESTION 1 (Compulsory)

Total Marks: 30 Marks


SUGGESTED SOLUTIONS
Solutions and allocated marks are indicated in green.

(a) Describe an attack to crack passwords based on dictionary words. [3 marks]
Obtain a copy of the password file (1 mark) and the function used to encrypt the stored passwords (1 mark; on a modern system this is a one-way password hash, but the attacker needs the same function either way). Obtain an electronic dictionary (1 mark; none for 'directory', as appears in the study guide, as this is nonsense). Encrypt each word in the dictionary with that function and compare the result with each encrypted password in the file; a match reveals that user's password (1 mark). Note that if the file stores a per-user salt, the dictionary has to be re-encrypted under every distinct salt, which multiplies the attacker's work by the number of salts. (1 mark each, up to 3 marks.) [3 marks]
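The attack described above, as an added example that is not part of the exam paper or its study guide. The password file, the account passwords and the dictionary are constructed for the example; SHA-256 stands in for the system's "encryption function", and the functions `make_password_file` and `dictionary_attack` are this example's own names. It runs the same attack against an unsalted and a salted file and reports how much work each costs:

```python
import hashlib

# Constructed sample data: four accounts and the attacker's small dictionary.
# Bob's password is deliberately absent from the dictionary.
ACCOUNTS = [("alice", "sunshine"), ("bob", "Tr0ub4dor&3"),
            ("carol", "dragon"), ("dave", "letmein")]
DICTIONARY = ["password", "123456", "dragon", "sunshine", "letmein", "qwerty"]


def encrypt(word: str, salt: bytes) -> str:
    """The one-way 'encryption function' the attacker must also obtain (SHA-256 here)."""
    return hashlib.sha256(salt + word.encode()).hexdigest()


def make_password_file(salted: bool):
    """Build the stolen password file: one (user, salt hex, encrypted password) per line."""
    lines = []
    for i, (user, password) in enumerate(ACCOUNTS):
        # Fixed per-user salts keep the example reproducible (assumption of this example).
        salt = bytes([i + 1]) * 8 if salted else b""
        lines.append((user, salt.hex(), encrypt(password, salt)))
    return lines


def dictionary_attack(password_file, dictionary):
    """Encrypt every dictionary word under each salt seen and look for matches.

    Returns (cracked {user: password}, number of encryption operations performed).
    Without salts one pass over the dictionary serves every account; with salts
    the dictionary is re-encrypted once per distinct salt.
    """
    cracked, work, tables = {}, 0, {}
    for user, salt_hex, stored in password_file:
        salt = bytes.fromhex(salt_hex)
        if salt not in tables:                      # one lookup table per distinct salt
            tables[salt] = {}
            for word in dictionary:
                tables[salt][encrypt(word, salt)] = word
                work += 1
        if stored in tables[salt]:
            cracked[user] = tables[salt][stored]
    return cracked, work


if __name__ == "__main__":
    for salted in (False, True):
        cracked, work = dictionary_attack(make_password_file(salted), DICTIONARY)
        print(f"salted={salted}: cracked {cracked} using {work} encryptions")
```

Three of the four passwords fall to a six-word dictionary either way; what the salt changes is the cost, six encryptions for the unsalted file against twenty-four for the salted one, and that factor grows with the number of accounts.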

(b) Describe the three kinds of interception of messages that encryption aims to prevent. [3 marks]
Interception:

  • blocking, preventing the message from reaching the recipient;
  • modifying, changing the message that is sent;
  • fabricating, producing a forged message.

(1 mark each; no description, no mark) [3 marks]

(Note that encryption on its own cannot stop a message from being blocked; what it gives against modification and fabrication is that an attacker without the key cannot produce a ciphertext that decrypts to a chosen, meaningful plaintext, so tampering and forgery become detectable rather than impossible. The three headings above are those of the study guide.)

(c) Suppose that a given document requires digital signatures from two different people.
(i) One method is to make two copies of the document and sign each. What is the disadvantage of this method? [1 mark]
(ii) Another method is for one party to sign, and for the second party to sign the resulting signed document. What is the disadvantage of this method? [1 mark]
(iii) Describe a better method than both of these, and explain how it avoids the disadvantages of each of the above methods. [4 marks]

Multiple digital signatures:

(i) Signing two separate copies results in a message of twice the size, and two separate signed objects that must be kept together. [1 mark]

(ii) With sequential signatures, the second signature is over the already-signed document, so it must be verified (and stripped) before the first can be checked; the parties have to sign in a fixed order and cannot work in parallel. [1 mark]

(iii) Create a one-way hash of the document (1 mark), then make two copies of the hash and have one signed by each party (1 mark). Message size is not a problem, because the hash can be much smaller than the original document (1 mark); and the two signatures can be verified in either order, or even in parallel, since each depends only on the document and one signer's key (1 mark). [4 marks]

(d) Copyrights, patents, and trade secrets are three different methods of legally protecting information.
(i) What do copyrights protect, and why are they inappropriate for protecting an algorithm? [2 marks]
(ii) What do patents protect, and why are they inappropriate for protecting object code? [2 marks]
(iii) What do trade secrets protect, and why are they inappropriate for protecting a user interface? [2 marks]

Legal protection for information:

(i) Copyrights protect the expression of an idea, not the idea itself; an algorithm is independent of any particular expression of it, so a copyright on one program does not stop someone re-implementing the same algorithm. [2 marks]

(ii) Patents protect inventions or processes; object code is merely one encoding of a process, not an inventive process in itself. [2 marks]

(iii) Trade secrets protect secrets that give companies a competitive edge; a user interface cannot be a secret, since it is exposed to every user of the product. [2 marks]

(e) What are the main security issues when running applets off the web? [2 marks]
An applet is run on the client computer, not the server, so the code must be trusted (1 mark), or alternatively there must be some way of guaranteeing that the code can cause no harm, such as running it in a restricted environment (sandbox) that denies it access to local files and the network (1 mark). [2 marks]

(f) Of the three biometric devices hand-prints, keystroke patterns, and voice patterns,
(i) which is the most secure? [1 mark]
(ii) which is the most acceptable to users? [1 mark]
(iii) which is the most common? [1 mark]

Biometric devices:

(i) Hand-prints are most secure. [1 mark]

(ii) Keystroke patterns are the most acceptable. [1 mark]

(iii) Voice patterns are most common. [1 mark]

(g) Briefly explain:
(i) two procedures of use for improving PC security; [2 marks]
(ii) two measures for protecting against software vulnerabilities. [2 marks]

Security measures:

(i) procedures of use:

    • do not leave PCs and printers with sensitive information unattended;
    • treat magnetic media with care;
    • perform periodic backups.

(1 mark each, up to 2 marks) [2 marks]

(ii) protection against software vulnerabilities:

    • use all software with full understanding;
    • do not use software from dubious sources;
    • be suspicious of all results.

(1 mark each, up to 2 marks) [2 marks]

(h) Explain the difference between confidentiality services and non-repudiation services provided by a network, and describe the two kinds of non-repudiation service. [3 marks]

Confidentiality services protect information from unauthorized disclosure (1 mark); non-repudiation services do the opposite kind of job, producing evidence that a message was sent or received so that a party cannot later deny having taken part in the exchange (1 mark). Non-repudiation services can apply to the sender ('proof of origin', which protects the recipient against a sender who denies having sent the message) or to the recipient ('proof of delivery', which protects the sender against a recipient who denies having received it) (1 mark). [3 marks]