Worth 2 Points. Each Problem

¶ … worth 2 points. Each problem is worth 4 points. There are 58 points available in this Homework set. Security service categories Authentication: This is assurance that a given communicating entity is whoever it claims to be. The authorization problem is usually confused with the authentication one. Several individuals and organizations usually adopt standard security protocols, statutes as well as obligatory regulations on the basis of this assumption.

The more precious definition and usage however describes the concept of authorization as the verification of a claim that has been made by an entity that it should be regarded as acting on behalf of a certain particular principle (computer, individual, smart card and the likes) / Authorization on the other hand is the process of verifying that a given subject which has already been authenticated is granted the authority to initiate a certain action/activity. Access control: This is the prevention of an unauthorized entity from using a given resource.

For instance, the service can be used in controlling whoever has the access to a given resource. The conditions of access are also defined by this service as well as the actions that can be initiated by those who are accessing the given resource. Data confidentiality: This is the protection of system resources from unauthorized disclosure. Data integrity: The assurance that the information/data that has been received is exactly as it was cent by the legitimate/authorized entity.

This is necessary to ensure that the information/data does not have any modification, deletion, insertion as well as replay. Nonrepudiation: This service is concerned with the provision of protection to the system resources. It protects them against any form of denial by any one of the entities that are involved in the communication process. Availability services: This service tasked with ensuring that all system resources are easily accessible upon any request by a system entity that is authorized, according to the system's performance specifications. Problem 1.3 a.

Publication containing list of employees to be retrenched as well as personally identifying employee data such as address, age, disciplinary statistics b. Publications containing results of scientific and social experiments c. Publication containing financial data relating to active and real-time currency movements (Forex systems) Problems 1.4 An organization managing public information on its Web server.

Confidentiality- it is public system so no confidentiality Availability-Needed since public information must be available at all times of the day, month and year Integrity- high since documents containing public information are subjected to scrutiny for any policy violations a.A law enforcement organization managing extremely sensitive investigative information. Confidentiality- high since a breach in confidentiality may pose danger to internal security and may compromise ongoing investigations Availability-high since the information directly affect security situation in a community Integrity- high since information contained relates to security.

b.A financial organization managing routine administrative information (not privacy- related information). Confidentiality- moderate, since information is not security related Availability- moderate since the management of the administrative information may be done monthly or yearly. Integrity- high since the information contained affect the books of accounting directly c. An information system used for large acquisitions in a contracting organization contains both sensitive, pre-solicitation phase contract information and routine administrative information.

Assess the impact for the two data sets separately and the information system as a whole, Confidentiality- moderate, since information is not security related Availability-moderate -Needed since public information must be available at all times of the day, month and year Integrity- high since the contracting information usually contains detailed financial estimates d. A power plant contains a SCADA (supervisory control and data acquisition) system controlling the distribution of electric power for a large military installation.The SCADA system contains both real-time sensor data and routine administrative information.

Assess the impact for the two data sets separately and the information system as a whole. Confidentiality-High since the information could be classifie3d due to military usage Availability-High since the system controls a real-time scenario Integrity-High since wrong parameters may lead to a meltdown.

Question 2.8: What are the principal ingredients of a public-key cryptosystem? The principle ingredients of a public-key cryptosystem are; Plaintext: This refers to the readable data as well as message that is fed into a given algorithm as the input Encryption algorithm: This refers to the algorithm that is used in performing various transformations on a given plaintext. Public and private keys: This refers to a pair of keys selected in a manner that if one is used for data encryption, the other would be used for data decryption.

The form of transformation that is carried out by the encryption algorithm is dependent on the private or public key that is employed as the input. Ciphertext: Cyphertext refers to the scrambled message that is produced as the output of an encryption process.The cyphertext depends on the key and the plaintext. For any given piece of information / message, there are two different keys that are used in producing two totally different ciphertexts.

Decryption algorithm: This refers to the algorithm that effectively accepts the provided ciphertext as well as the matching key that is used to produce the original plaintext. Question 2.11 What is digital signature? A digital signature is a form of authentication mechanism that can allow the creator of a given message to attach a code that effectively simulates or acts as a signature. The digital signature is formed by obtaining the hash of the given message and the performing an encryption using the private key of the creator.

The digital signature therefore effectively guarantees the source as well as the integrity of the message. Question 2.12.What is a public-key certificate? A public-key certificate is made up of a public key as well as a User ID of the owner of the key. The entire block is however signed by a third party who is trusted. The third party in this case is a certificate authority (CA) who is trusted by the general user community like a government agency and/or a financial institution. Problem 2.1 Yes.

This is due to that fact that the sender effectively sends; KR, in which K. denotes the key while R. denotes the random value. The message's recipient (receiver) then confirms this by effectively sending an R. If a passive eavesdropper is present, he/she would then be able to collect both KR while R. would be able to successfully recover then secret key, K = (K R) R. The scheme is therefore fundamentally flawed. Question 3.1.

In General terms, what are four means of authenticating a user's identity Something that a person (user) knows such as passwords, answers to a predetermined set of questions as well as a personal identification number (PIN). Something that a person (user) possesse like electronic keycards, physical keys and smart cards. This authentication type is called a token Something that a person (user) is (also called static biometrics) such as their finger print, face and retina patterns. Something that a person (user) does (also known as dynamic biometrics).

Includes things such as voice pattern, typing rhythm as well as characteristics of handwriting Question 3.2. List and briefly describe the principal threats to the secrecy of passwords Some of the principal threats to the secrecy of passwords are; Offline dictionary attack; In this attack, the attacker uses the system password file and then compares the hashes of the password with the commonly chosen passwords. If a match is found, then the attacker uses the username and password combination to gain access.

The success of this form of attack depends on how weak the password is Specific account attack; IN this form of attack, the attacker targets a unique and specific account with multiple password guesses until the correct one is obtained. Popular password attack; in this type of attack, a variation of the previous/preceding attack is employ a popular password and then try it against a diverse range of user IDs.

Password guessing against a specific user: In this type of attack, the attacker attempts to gain knowledge so as to guess the password Workstation hijacking: In this type of attack, the attacker waits for an opportunity to access or an unattended logged-in workstation Exploitation of user mistakes: This takes place when the attacker gains acess to a written down password Exploitation of multiple password usage: In this case, the attacker uses a previously obtained login credentials to access a different device or resource that shares the same authentication credentials Electronic monitoring: In this case, the attacker obtains the login credentials by eavesdropping for them across the network or using key loggers.

Problem 3.1 The suitability of given password is determined by and follows the following; The length of the password must never exceed eight characters The characters must contain characters that are visible ONLY This password is unsuitable since it contains a space, a non-printable character Mfmitm This is suitable because it character length does not exceed 8 characters.

It also contains printable characters only Natalie1 The password is suitable since it's character length does not exceed eight character.It also has only printable characters Washington The character is unsuitable since it contains more than 8 characters. It can be guessed by dictionary attack since it is a common name Aristotle The password is unsuitable since it has more than 8 characters.

Can be guessed by a dictionary attack since it is a common name Tv9stove The password is suitable since the character length does not exceed eight characters and it contains printable characters 12345678 The password is too obvious so it is unsuitable Dribgib The password is suitable since it does not contain more than 8 characters. It also contains printable characters. Problem 3.6 95*95*95*95*95*95*95*95*95*95 + 6.4 million =95^10/6.4 million Chapter 4 Question 4.1 DAC is used to define the basic access control policies to various objects. These are set according to the needs of the object owners.

The MAC are access control policies that are system-controlled. The system in this case dictates as well as controls the acess levels to various objects. Question 4.2 RBAC is a completely separate as well as distinct model from DAC and MAC. There are however several relationships between them. As an example, RBAC can effectively simulate DAC and MAC. MAC can also be employed in the implementation of RBAC whenever the role hierarchy is in the form of a tree as oppose to being a partial order.

Question 4.5 Access right are authorization levels that are set for files, folders, partitions and hard drives in order to dictate the level of access, data manipulation as well as general uses of the computing resources. Problem 4.3 a. The advantages of using four modes instead of two are; The ability to implement a fine-grained security policy The ability to provide a distinction within system kernel code. Disadvantages Uses too much system resources (Memory in particular) b. Yes. A case with more than four modes is achievable.

Examples are User-mode debugging, Target application execution, Sleep mode and Kernel-mode debugging. VAX, x86 can support four modes. The earlier archs (Multics) supported even more modes Chapter 5.5 The concept of cascading authorization is a security access control technique that works whenever two or more subjects are given the permission of granting as well as revoking some aspects of the access rules to other system subjects. The outcome is the creation of a cascade revocation chain.