Answers to assignment III
(Wondwossen Degefu)
1. Which of the following are true about sending a PGP message from Alice to Bob?
   A. The plaintext is enciphered with Alice's public key.
   B. The plaintext is enciphered with Alice's private key.
   C. The plaintext is enciphered with Bob's public key.
   D. The plaintext is enciphered with Bob's private key.
   E. The plaintext is enciphered using a secret key.
   F. The plaintext is compressed before it is enciphered.
   G. The plaintext is compressed after it is enciphered.
   H. The plaintext is signed using Bob's public key.
   I. The plaintext is signed using Alice's public key.
   J. The plaintext is signed using Alice's private key.
   Ans: E, F and J
2. Let's say that the plaintext "hello" is enciphered as "zbabh". What kind of cipher is this? (It is one of the three choices given.)
   A. substitution
   B. transposition
   C. product (both substitution and transposition)
   Ans: B

3. In a Caesar cipher, the encryption function is the same as the decryption function.
   A. true
   B. false
   Ans: B

4. Briefly describe why a symmetric cipher is never used for a digital signature.
   Ans: A symmetric cipher uses one shared secret key for both encryption and decryption. It is very effective for messages between two trusted individuals, but it is unsuitable for a digital signature: because both parties hold the same key, neither can show a third party which of them produced the message. A digital signature is based on public key cryptographic techniques.

5. Keeping the enciphering and deciphering algorithm secret would violate which design principle?
   A. principle of least privilege
   B. principle of fail-safe defaults
   C. principle of open design
   D. principle of complete mediation
   E. principle of separation of privilege
   F. principle of psychological acceptability
   G. principle of least common mechanism
   H. principle of economy of mechanism
   Ans: C

6. What is the most important difference between symmetric and asymmetric cryptography?
   Ans: Symmetric cryptography uses the same secret (private) key to encrypt and decrypt its data, whereas asymmetric cryptography uses a public and a private key. Symmetric encryption requires that the secret key be known both by the party encrypting the data and by the party decrypting it. Asymmetric encryption allows you to distribute your public key to anyone; with it they can encrypt the data they want to send securely, and it can then only be decoded by the person holding the private key. This eliminates the need to give someone the secret key (as with symmetric encryption) and risk having it compromised. The drawback of asymmetric cryptography is that it is many times slower than symmetric encryption, which makes it impractical for encrypting large amounts of data. Also, to reach the same security strength as symmetric cryptography, asymmetric cryptography must use a stronger (longer) key.
7. Which, in general, has a longer lifespan: a session key or an interchange key?
   A. Session key
   B. Interchange key
   C. The lifetimes of both are the same
   Ans: B

8. Let's say that I want my bank to wire you $1000. I encipher a message containing this request to the bank as follows:
   1. First generate a random session key.
   2. Then encipher the session key with the bank's public key.
   3. Then encipher the message with the session key.
   4. Finally send the enciphered message and enciphered session key to the bank.

   When the bank gets the enciphered message, it does the following:
   1. Deciphers the enciphered session key using its private key.
   2. Uses the session key to decipher the message.
   3. Reads the plaintext of the message telling it to send you $1000.
   4. Sends you the money.

   This protocol is seriously flawed. Its most serious failing is that it doesn't support which one of the following?
   A. confidentiality
   B. origin integrity
   C. data integrity
   D. availability
   Ans: D

9. Kerberos was a mythical three-headed dog that guarded the gates of hell. What are the 3 "heads" of the Kerberos protocol?
   A. authentication server (which requires a password)
   B. internal firewall
   C. ticket-granting server
   D. client machine
   E. target server (e.g. a print server which requires a ticket to use)
   Ans: A, C and E

10. It is crucial that no attacker is eavesdropping during key exchange.
   A. true
   B. false
   Ans: B

11. During key exchange, which of the following must be kept secret?
   A. how the key was generated
   B. the key itself
   C. the protocol used to exchange the key
   D. who the sender is
   E. who the receiver is
   Ans: A and B
12. In Kerberos, the print server shares a key with the authenticating server.
   A. true
   B. false
   Ans: B
13. Kerberos uses public key cryptography to exchange the session key between the authenticating server and the ticket-granting server.
   A. true
   B. false
   Ans: B

14. Which of the following are true about a certificate?
   A. It associates an identity with a public key.
   B. It contains the private key to use to decipher messages enciphered with the public key.
   C. It is signed by the public key of a certifying authority.
   D. It is signed by the private key of a certifying authority.
   E. The content of a certificate is enciphered using the private key of a certifying authority.
   Ans: A and D

15. Which of the following are true statements about a digital signature?
   A. Part of the procedure of creating a digital signature is to hash the message using a cryptographic checksum function.
   B. A message that is digitally signed must be encrypted before it is signed.
   C. Part of the procedure of creating a digital signature is to encrypt the message hash using the private key.
   D. Part of the procedure of creating a digital signature is to encrypt the message hash using the public key.
   E. A digital signature helps assure the integrity of the message.
   Ans: A, C and E

16. Which of the following are acceptable ways to get the public key of a CA?
   A. from a list of trusted root certification authorities that ships with a browser
   B. from an unsolicited promotional email sent by the CA
   C. from a certificate chain
   D. from a flash drive mailed to you by the CA after they have validated your identity
   E. from the home page of the CA
   Ans: A, C and D
17. The SSL protocol uses the private key of the browser to encrypt the session key.
   A. true
   B. false
   Ans: B

18. If you use a CA, there is no single point of failure.
   A. true
   B. false
   Ans: A

19. When you get a certificate from a CA you must provide the CA with both your public and your private key.
   A. true
   B. false
   Ans: B

20. Which of the following can be used to establish the identity of an external entity (a user of the computer system)?
   A. Where the entity is
   B. What the entity knows
   C. What the entity has
   D. The age of the entity
   E. What the entity is
   F. When the entity logged on
   Ans: F

21. Why is it good to save the hash of your password in the database rather than the plaintext of the password?
   Ans: For security reasons the password is hashed before it is put in the database. If it were stored as plaintext, it would be easily readable by anyone who has database access.

22. After reading all the literature on passwords, these appear to be the recommendations:
   1. The password should be resistant to a dictionary attack.
   2. The password should be changed regularly.
   3. The password should not be written down.
   4. Different passwords should be used on different accounts.

   What principle do these recommendations violate?
   A. Principle of least privilege
   B. Principle of fail-safe defaults
   C. Principle of economy of mechanism
   D. Principle of complete mediation
   E. Principle of open design
   F. Principle of separation of privilege
   G. Principle of least common mechanism
   H. Principle of psychological acceptability
   Ans: H
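The point of question 21 (store a hash, not the plaintext) as a worked example; this is added code, not part of the assignment, and the in-memory user table, the record format and the function names are constructed for illustration only. It uses salted PBKDF2 from the standard library, so two users with the same password get different records and the stored value cannot be read back as a password.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256 (constructed choice for this example).
ITERATIONS = 600_000


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return a storable record 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.

    A fresh random salt per user means identical passwords yield different
    records, so a leaked table cannot be attacked with one precomputed list.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and iteration count, then compare
    in constant time; the plaintext password is never stored or needed again."""
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def store_user(db, username, password):
    """Hypothetical user table: the database only ever holds the hash record."""
    db[username] = hash_password(password)


def login(db, username, password):
    """Authenticate by rehashing the offered password against the stored record."""
    record = db.get(username)
    if record is None:
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    users = {}
    store_user(users, "alice", "correct horse battery staple")
    print(users["alice"])                 # no plaintext password in the record
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong password"))                # False
```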