CYBS 6350 Data Protection
Final Exam Spring 2020
1. What is the difference between the authentication problem and the identification problem in
data protection? (10 points)
Answer: Identification:
Identification is the method of expressing the identity of the device. It's done in the early stages
of getting access to the network, and that's what happens when the user claim to be a specific
device used. The argument may come in the form of offering the username during the
authentication process; placing the finger on the scanner; putting the name on the guest list or
any other way the user asserts the identity to access it. Identification is not mandatory for
certain schemes, such as ATM cards, where someone with the appropriate code can access the
account without being known.
Authentication:
It is the approach used to reveal the identity of the system. This includes verifying the
authenticity of the identification before the approval process. The method of verifying the
authenticity of the evidence presented in support of the asserted identity must be sufficiently
reliable to identify impostors. Authentication typically happens after an ID is completed, such as
when the user has a password to assist a username during the login phase. However, this could
happen at the same time as the recognition process.
Difference between the authentication problem and the identification problem in data
protection:
The primary distinction between them is that the identification refers to the acquisition of
identity, while the authentication refers to the tests carried out to maintain the authenticity of
the identity asserted. Simply put, an identity assertion is part of the identification process, while
an authentication process requires evidence of that identity.
Authentication Problem:
 The problems with passwords: Encryption keys are by far the most used and easily
subverted form of personal encryption. When a company introduces protocols to secure
passwords the inconvenience is so severe that such a policy would be broken in many
instances. The user knows that this is the case with the examination of data centers
containing sensitive data. When security staff adopts a policy of secure passwords,
workers can write nonsensical codes for easy access usually in areas where these paper
documents are easily compromised. If a company does not enforce stringent guidelines
on password management, easily identifiable words would be preferred.
 The problems with smartcards: There are always the risk when using smartcards is that
the machine has been compromised with a secret program routine that exploits the
user's identity after encryption has been completed. As users authenticate themselves
to an unsecured computer, they could never be safe in their corresponding computer
purchases. The biggest restraint of the use of smartcards in digital commerce is their
range. The chances of using smart cards as a standardized means of authentication for
entities in electronic commerce are null and void.
 The problems with biometrics: With biometric, a person may recognize the fingerprint
or iris scan. The methods for collecting biometric records are neither easy nor
inexpensive. Even then, biometric data do not result in a fully secure program. Having a
copy of an individual's fingerprints can be trivial. Some tools can record iris photographs
of a person walking within a few steps of a video camera so that they could be
replicated and used for unlawful purposes. The real issue with biometrics is that once
the biometrics of a person has been damaged, they are compromised for life and could
never be considered again.
Identification Problem:
 Identification is essentially the process of someone who claims to be an individual. Users
can mark themselves on the mobile as "John," flash a library card with a title on it or
have a mail address with a name in front of the @ symbol.
 When an individual engages in genetic testing, the donation of a genetic specimen also
results in the production of a large amount of personalized data. These data are
extremely difficult to identify.
 Not all price discrimination is socially appropriate. Also, some may see price
discrimination as a type of fundamental injustice and inequality. Therefore, the use of
the information to compete against prices can be viewed as a violation of privacy given
the fact that it has been aggregated and identified. Control of de-identification does not
resolve the possibility that aggregate information may be used in a manner that user
considers socially inappropriate, be it price discrimination, credit risk assessment or
policing. However, if the personal contribution is de minimums, the cumulative
contribution of all human data that have an impact on society that the user does not
want to engage in.
 Not knowing who uses sensitive data.
 Redundant regulations yield redundant compliance projects.
 Annual security awareness programs don't cut it.
Reference:
1. https://www.infosecurity-magazine.com/magazine-features/tackling-theauthentication-problem/
2. https://itstillworks.com/difference-between-identification-authentication-3471.html
3. https://dataflow.com/read/problem-de-identification-privacy-control/140
2. After infecting a system, some viruses take steps to cleanse the system of any other
malware. That is, they remove any malware that has previously infected the system, apply
security patches, update signature files, etc. Why would it be in a virus writer’s interest to
protect a system from other malware? (10 points)
Answer: The main reason for such a virus attack is to gain ongoing access to the system. These
types of attacks can be classified as Advanced Persistent Attacks. Cybercriminals usually gain
entry through a network, an infected file, junk email, or an app vulnerability to insert malware
into a target network. They implant malware that allows the creation of a network of backdoors
and tunnels used to move around in systems undetected. The malware often employs
techniques like rewriting code to help hackers cover their tracks. This is where the attacker
removes his traces and presence in the system making it hard to detect any intrusion and
network breach. This kind of virus infection in a system can be done for the reason such as:
 This type of attack is performed in a highly organized and sophisticated environment,
the viruses are designed specifically to get around the existing security measures in
place within a company, organization, and nation. This means the target is precisely
chosen and intensive planning and gathering of resources are done such that they can
achieve what they want, which is to take control of the environment.


These attacks are performed by an unauthorized user who remains in the network for
an extended period without being detected which is done solely for his agenda to enter
the system again if needed.
The evidence and traces of the attack are removed, leaving the network open so that
other cybercriminals can continue the data breach.
Reference:
1. https://www.fireeye.com/current-threats/anatomy-of-a-cyber-attack.html
2. https://www.lockheedmartin.com/en-us/capabilities/cyber/cyber-kill-chain.html
3. What are QR codes? How are security features implemented in QR codes? Provide your
responses in 100-words or more. (10 points)
Answer: Quick Response codes, commonly abbreviated as QR codes, started as an extension of
the standard UPC barcode commonly used in retail and production. Unlike a 1-D barcode, a QR
code is a 2-D matrix code that conveys information by the arrangement of its dark and light
elements in columns and rows. Originally developed for process optimization in the logistics of
the automotive industry, the QR Code has found its way into mobile marketing with the
widespread adoption of smartphones. The data in a QR code can be accessed by taking a picture
of the QR code and processing it with a QR code reader. Anybody can read or write QR code
messages with impunity. However, certain applications may require restricted access or
verification of QR codes, and thus there is a need to design QR codes that meet various security
specifications.
 Encryption: The first security standard for QR codes is Encrypted QR codes or EQRs. In
SEQRs we use asymmetric encryption schemes where both the reader and the writer of
the EQR share a secret key. The encryption scheme is extremely straightforward:
encrypt the bits of the message using AES block cipher with the shared secret key. In
PKEQRs we use the RSA public-key encryption scheme combined with AES, using a
public RSA key to encrypt the AES key and including the encrypted key in the message.
 Signing: The next security standard we have devised is Signed QR codes or SQRs. The
purpose of this encoding is to allow the reader to verify the source of the SQR before
any action is performed. If the verified source is trusted, the user can proceed to open
the URL or perform any other action the QR code initiates without fear of a security
breach. The SQR standard requires more modification than the previous encryption
methods, as the code must contain the message, the signature, and a way to identify
the public key of the signer.
 Other attempts: They were made for a “proof of work” QR code. In this scheme, which
takes its idea from Bitcoin, a QR code contains a message, a series of random bits, and
the hash of the concatenation of those two. The catch is that the bits containing the
hash are in regions usually reserved for fixed orientation patterns, namely the squares
at the corners of the QR code. If the hash does not form the proper orientation
patterns, the code will be unreadable.
Reference:
1. https://courses.csail.mit.edu/6.857/2014/files/12-peng-sanabria-wu-zhu-qr-codes.pdf
2. https://www.qr-code-generator.com/blog/qr-code-security/
4. Chapter 13 in your book talks about TLS. This problem is about the use of certificates in TLS. Read
the narrative on page 238 in your book about certificates and certificate authorities (CAs).
i.
On your favorite browser, visit the University of Dallas’s home page. Find the certificate
for this page on your browser. (You might have to do some research to find out how to
access the certificate). Provide a screenshot of the certificate details. (10 points)
Answer:
1. Certificate: University of Dallas home page certificate
2. Certificate Details of Home Page
ii.
Although security experts and cryptographers often claim that the whole certificate
system is broken by design, it is one of the best solutions we have along with trust – on
– first – use (TOFU) policy. Explain what TOFU means. (10 points)
Answer: Trust On First Use (TOFU) is a security model in which a client needs to create
a trust relationship with an anonymous server. To do that, clients will look for identifiers
stored locally. If an endpoint is found, the client can establish the connection. There are
many third-party endpoints that a user may not have used before and there may be no
security certificate available for such endpoints. If no such endpoint is found, the client
can prompt the user to determine if the client should trust the endpoint. Hence the first
experience of the client with such endpoints is completely based on the level of trust
that the client is willing to place of the new endpoint.
TOFU is used in the SSH protocol, in HTTP Public Key Pinning (HPKP) where the browsers
will accept the first public key returned by the endpoint, and in Strict-Transport-Security
(HSTS) where a browser will obey the redirection rule.
The purpose to use the Trust on first mechanism is to establishing trust where there was
none before, typically based on a user decision. In cases where an administrator is
setting up all components of the system, the TOFU is a good way to establish trust
among the different components.
5. Chapter 13 further talks about how TLS can fail (pages 247-248). Summarize these failures AND
provide a solution to each failure. (20 points)
Answer: A TLS/SSL handshake failure occurs if the protocol used by the client is not supported
by the server either at the incoming or outgoing connection.
Compromised Certificate Authority
There are hundreds of trusted CAs in our browsers, and each of them can produce certificates
for any website on the web. That means if any of them gets hacked, and their private key
released in the wild, the hacker can create a certificate for any website they want, and all of our
browsers will see it as valid. Worse, they can make certificates for any use, including signing
emails, encrypting VPN connections, etc. To be able to use such a certificate, the hacker would
need to intercept traffic and insert their fake certificate in a Man-in-the-Middle (MitM) attack.
The real solution to this is complicated, such as wide use of the Online Security Certificate
Protocol (OSCP) or using trust networks and would require a major redesign of the way the
Internet works. For now, browser makers are in the business of patching up after an event
occurs.
Compromised Server
An exploited or hacked server is one that is no longer fully under your control. Someone else is
now partially controlling your server and using it for their purposes. Here are some common
reasons to exploit a server:
 Send out a spam email.
 Launch attacks against other servers. Thus, consuming your CPU, memory, and
bandwidth resources.
 Install a phishing website on your server to gain access to sensitive information.
The steps to be taken to maintain a secure server to makes sure it is not compromised now and
in the future are:
 Use strong Password
 Use secure protocols
 Maintain regular backups
 Harden the PHP setting
Compromised Client
TLS security is compromised when the client is compromised by an attacker. The client can be
the browser, server, or anything that is used to access data. When the client is compromised,
the attacker has access to all the keys and can read the encrypted data as well. These attackers
use the opportunity to create back doors to later access other data and install rogue CA
certificates which allows them to access the TLS connection.
To save the client-side it is important to maintain regular security checks, use higher security
protocols, and make sure the CA certificates are valid.
Bugs in Implementation
Some major attack vectors arise from conceptual flaws in the TLS standard itself. Features prone
to bugs and vulnerabilities include protocol downgrades, connection renegotiation, and session
resumption. Incomplete or vague specifications, particularly when it comes to cross-protocol
interactions (i.e. between TLS and application protocols such as HTTP) engender some serious
vulnerabilities, particularly in case of cross-protocol attack vectors against TLS, of which there
are a few.
TLS vulnerabilities resulting from faulty implementations abound. Some of them give rise to
cross-layer protocol attacks and/or side-channel attacks.
Here is what you can do to mitigate any TLS vulnerabilities your tests uncover:
 deactivate all versions of SSL as well as TLS 1.0 and 1.1; activate TLS 1.2 and 1.3
 turn off header compression in TLS (SPDY 3.1 is obsolete); TLS 1.3 has no header
compression
 turn off the RC4 stream cipher (Rivest Cipher 4 also known as ARC4 or ARCFOUR, short
for Alleged RC4)
 disallow renegotiation with clients
 get rid of export-grade ciphers (this alone will safeguard your server e.g. from FREAK)
 disallow insecure padding modes in TLS 1.2 (such as RSA PKCS#1 v1.5)
 disable vulnerable CBC MAC-then-Encrypt modes to guard against Vaudenay, Lucky13,
POODLE, LuckyMinus20, and other attack vectors
 activate support for TLS_FALLBACK_SCSV, a protocol extension that prevents MITM
attackers from forcing a protocol downgrade; current versions of OpenSSL offer this
feature out of the box, but it only works if both the client and the server support it
Reference:
1. https://www.cloudinsidr.com/content/known-attack-vectors-against-tlsimplementation-vulnerabilities/
2. https://nakedsecurity.sophos.com/2015/03/04/the-freak-bug-in-tlsssl-what-you-needto-know/
6. Blockchain has been proposed as a solution for many applications. One such application is
electronic notaries. Acronis is a provider of blockchain-based notary solutions. Read their work
here https://www.acronis.com/en-us/articles/data-protection/ and summarize how data is
protected using blockchain-notaries. (20 points)
Answer: Blockchain technology has gained popularity for its role in crypto currencies. Aside
from the use of blockchain technology in cryptocurrency, developers and researchers are
working to build applications and services that leverage the power and versatility of the
blockchain technology. Blockchain technology offers secure cryptographic techniques to store
data that cannot be edited by other entities in the blockchain network.
Acronis Notary with blockchain generates a timestamped hash, or fingerprint, of protected data
and stores it in Ethereum, a public blockchain-based distributed computing platform. By
comparing two fingerprints of the same data, Acronis Storage can verify the immutability,
authenticity, and integrity of stored data.
Acronis' software-defined storage solution also offers:
 High-speed performance through SSD caching, auto load balancing, auto data
distribution, and parallel replication.
 A complete set of industry-standard storage connectivity and APIs including Amazon S3
and iSCSI.
 Configurable levels of redundancy for stored data through Acronis Cloud RAID and
allows data authenticity verification through blockchain-based immutable logging and
watermarking.

Provides high throughput solutions to store and exchange significant volumes of data in
a secure and verifiable manner
 Where anti-tampering and verification are ensured by the blockchain algorithm.
Acronis Notary protects data from being tampered and deleted as the data immutability is
protected algorithmically by using blockchain technology. A carefully designed service
architecture ensures the high throughput necessary for a wide range of industrial solutions.
Because of this, Acronis Notary can be introduced as a proxy on any existing data stream and
requires no changes in the existing processes or infrastructure.
Reference:
1. https://www.acronis.com/en-us/articles/data-protection/
7. Read the following article on quantum supremacy and how top tech companies are vying to
claim it. In your own words, explain what quantum supremacy means for data protection. (10
points) https://www.sciencenews.org/article/google-quantum-supremacy-claimcontroversy-top-science-stories-2019-yir
Answer: Quantum supremacy shows that researchers have been able to use a quantum
computer to perform a single calculation that no conventional computer, even the biggest
supercomputer, can perform in a reasonable amount of time.
In the case of Google finding, the calculation involved checking whether the output of an
algorithm for generating random numbers was truly random. The researchers were able to use
the quantum computer to perform a complex mathematical calculation in three minutes and 20
seconds. Google demonstrated that a Summit 3 an IBM built machine which is the world's most
powerful commercially available conventional computer would take about 10,000 years to
perform the same task.
Quantum Supremacy and its relation to Data Protection
The General Data Protection Regulation (GDPR) requires data controllers and processors to
process personal data in a manner that ensures the security of the personal data, including
protection against unauthorized or unlawful processing and accidental loss, destruction or
damage, using appropriate technical or organizational measures. Technological developments,
including the developments in quantum computing, may pose new challenges for data
controllers, as they should take into account emerging new technologies that may jeopardize
the long-term applicability of solutions applied by them to ensure an adequate level of data
protection in line with the state of the art. This may be especially relevant in case of data
processing activities planned for the long term since data controllers shall react to challenges on
time.
Data protection by design requires data controllers, both at the time of the determination of the
means for processing and at the time of the processing itself, to implement appropriate
technical and organizational measures, such as pseudonymization, which are designed to
implement data-protection principles, such as data minimization, effectively and to integrate
the necessary safeguards into the processing to meet the requirements of the GDPR and protect
the rights of data subjects.
The alleged achievement of quantum supremacy is a great scientific success; however, we are
still far from the everyday and widespread application of the technology.
Reference:
1. https://gdpr.blog.hu/2019/10/05/quantum_supremacy_and_data_protection
2. https://economictimes.indiatimes.com/magazines/panache/quantum-supremacy-andthe-threat-it-poses-to-data-storage-digital-economy/articleshow/71938704.cms