CUSTOMER_CODE SMUDE DIVISION_CODE SMUDE

EVENT_CODE
JULY15
ASSESSMENT_CODE BT0088_JULY15
QUESTION_TYPE
DESCRIPTIVE_QUESTION
QUESTION_ID
12783
QUESTION_TEXT
Explain SET features and components.
SCHEME OF EVALUATION
SET incorporates important features needed for secure credit card
transactions over the Internet:
*Confidentiality of information: Cardholder account and payment
information is secured as it traverses the network. DES is used to
provide confidentiality.
*Integrity of data: Payment information sent from cardholders to
merchants includes order information, personal data, and payment
instructions. SET guarantees that these message contents are not altered
in transit. Integrity is provided by RSA digital signatures using SHA-1 hash
codes, and sometimes by HMAC using SHA-1.
*Cardholder account authentication: SET enables merchants to verify
that a cardholder is a legitimate user of a valid card account number. SET
uses digital certificates with RSA signatures for this purpose.
*Merchant authentication: SET enables cardholders to verify that a
merchant has a relationship with a financial institution allowing it to
accept payment cards. SET uses digital certificates with RSA signatures
for this purpose.
(1 mark each = 4 marks)
Components:
*Cardholder: A cardholder is an authorized holder of a payment card
that has been issued by an issuer.
*Merchant: A merchant is a person or organization with goods or
services to sell to the cardholder.
*Issuer: This is a financial institution, such as a bank, that provides the
cardholder with the payment card.
*Acquirer: This is a financial institution that establishes an account with
a merchant and processes payment card authorization and payments.
*Payment Gateway: This is a function operated by the acquirer or a
designated third party that processes merchant payment messages.
*Certificate Authority: This is an entity that is trusted to issue X.509v3
public key certificates for cardholders, merchants, and payment
gateways. (1 mark each = 6 marks)
QUESTION_TYPE
DESCRIPTIVE_QUESTION
QUESTION_ID
12787
QUESTION_TEXT
Discuss three important aspects of security services.
SCHEME OF EVALUATION
Information security is concerned with the confidentiality, integrity and
availability of data.
(1 mark)
Confidentiality: only the authorized parties are given access, such as reading,
viewing, or printing, to the computer-related asset. It is also called
secrecy or privacy. Ensuring confidentiality can be difficult. (2 marks)
Integrity: only the authorized parties can modify the computer-related
asset, and only in authorized ways. Modification includes writing, changing,
changing status, deleting, and creating. Integrity is much harder to pin
down. (2 marks)
Availability: it means that assets are accessible to authorized parties at
appropriate times. If some person or system has legitimate access to
particular set of objects, that access should not be prevented. Availability
applies both to data and to services, and it is similarly complex.
(3 marks)
A challenge is to build a secure system by having the right balance
among the three goals. It is easy to preserve a particular object’s
confidentiality in a secure system, simply by preventing everyone from
reading that object. However this system is not secure, because it does
not meet the requirement of availability for proper access.
(2 marks)
QUESTION_TYPE
DESCRIPTIVE_QUESTION
QUESTION_ID
72790
QUESTION_TEXT
Discuss the following
a. VPN
b. PKI and Certificates
SCHEME OF EVALUATION
a. VPN:
Link encryption can be used to give a network's users the sense that
they are on a private network, even when it is part of a public network.
This approach is called a Virtual Private Network (VPN). (1 mark)
Physical security and administrative security are strong enough to
protect transmission inside the perimeter of a network. Many firewalls
can be used to implement a VPN. (2 marks)
The larger network is restricted only to those given special access by
the VPN. To the user, the network feels private, even though it
is not. With the VPN, we say that the communication passes through
an encrypted tunnel, or simply a tunnel.
(2 marks)
b. PKI and Certificates:
Public Key Infrastructure, or PKI, is a process created to enable users to
implement public key cryptography, usually in a large setting. (1 mark)
PKI services:
* Create certificates associating a user's identity with a public
cryptographic key
* Give out certificates from its database
* Sign certificates
* Invalidate certificates for users who are no longer allowed access or
whose private key has been exposed. (2 marks)
PKI sets up entities, called certificate authorities, that implement the
PKI policy on certificates.
Specific actions of certificate authorities include the following:
* Managing public key certificates for their whole life cycles
* Issuing certificates by binding a user's or system's identity to a public
key with a digital signature
* Scheduling expiration dates for certificates
* Publishing certificate revocation lists. (2 marks)
QUESTION_TYPE
DESCRIPTIVE_QUESTION
QUESTION_ID
72791
QUESTION_TEXT
Explain how a cryptanalyst uses different information to break a
cipher.
SCHEME OF EVALUATION
a. Ciphertext only: The cryptanalyst decrypts messages based on
probabilities, distributions, and characteristics of the available
ciphertext, plus publicly available knowledge.
b. Full or partial plaintext: the analyst may be fortunate to have a
sample message and its decipherment. In these cases, the analyst can
use what is called a probable plaintext analysis. After doing part of the
decryption, the analyst may find places where the known message fits
with the deciphered parts, thereby giving more clues about the total
translation.
c. Ciphertext of any plaintext: the analyst might have infiltrated the
sender’s transmission process so as to be able to cause messages to be
encrypted and sent at will. This attack is called a chosen plaintext
attack. For instance, the analyst may be able to insert records into a
database and observe the change in statistics after the insertions.
Linear programming sometimes enables such an analyst to infer data
that should be kept confidential in the database. This attack is very
favorable to the analyst.
d. Algorithm and ciphertext: the analyst may have both the
encryption algorithm and the ciphertext. In a chosen plaintext attack,
the analyst can run the algorithm on massive amounts of plaintext to
find one plaintext message that encrypts to the ciphertext. This
approach fails if two or more distinct keys can produce the same
ciphertext as the result of encrypting meaningful plaintext.
e. Ciphertext and plaintext: the cryptanalyst may be lucky enough to
have some pairs of plaintext and matching ciphertext. Then, the game is
to deduce the key by which those pairs were encrypted so that the
same key can be used in cases in which the analyst has only the
ciphertext. (2 marks each)
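As an added example (not part of the answer key or the course material), the following Python models case (e) on a toy repeating-key XOR cipher: the key is deduced from one known plaintext/ciphertext pair and then reused to read a message that was captured as ciphertext only. The cipher, key and messages are constructed here for illustration; the key length is treated as unknown and recovered as the shortest period that fits the known pair.

```python
# Added example, not part of the answer key: a toy repeating-key XOR cipher
# used to show case (e), deducing the key from a plaintext/ciphertext pair,
# and then reusing that key where only ciphertext is available.
# Key and messages are constructed sample values.

def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Decryption is the same operation with the same key."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def recover_key(plaintext: bytes, ciphertext: bytes, max_len: int = 32):
    """Known-plaintext attack: at each position, key byte = plaintext ^ ciphertext.
    Try every period n and return the shortest one whose derived key reproduces
    the whole known ciphertext. The result is only as long as the known pair
    supports: with fewer known bytes than the true key length, a shorter period
    may fit by coincidence. Returns None if no period up to max_len fits."""
    if len(plaintext) != len(ciphertext):
        raise ValueError("plaintext and ciphertext must be the same length")
    for n in range(1, min(max_len, len(plaintext)) + 1):
        candidate = bytes(plaintext[i] ^ ciphertext[i] for i in range(n))
        if xor_encrypt(plaintext, candidate) == ciphertext:
            return candidate
    return None

# Constructed sample data. SECRET_KEY is used only to build the captured
# messages; the analysis functions never read it.
SECRET_KEY = b"k3y"
KNOWN_PLAINTEXT = b"invoice 1042 approved"
KNOWN_CIPHERTEXT = xor_encrypt(KNOWN_PLAINTEXT, SECRET_KEY)
CIPHERTEXT_ONLY = xor_encrypt(b"meeting moved to noon", SECRET_KEY)

def break_with_known_pair():
    """Case (e), then ciphertext only: deduce the key from the known pair and
    apply it to a message for which only the ciphertext was captured."""
    key = recover_key(KNOWN_PLAINTEXT, KNOWN_CIPHERTEXT)
    if key is None:
        return None, None
    return key, xor_encrypt(CIPHERTEXT_ONLY, key)

if __name__ == "__main__":
    key, message = break_with_known_pair()
    print("recovered key:", key)
    print("decrypted ciphertext-only message:", message)
```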
QUESTION_TYPE
DESCRIPTIVE_QUESTION
QUESTION_ID
72792
QUESTION_TEXT
List and briefly explain five types of firewalls.
SCHEME OF EVALUATION
Explanation of the following five types of firewalls:
i. Packet filtering gateways or screening routers
ii. Stateful inspection firewalls
iii. Application proxies
iv. Guards
v. Personal firewalls
2 x 5 = 10 marks
QUESTION_TYPE
DESCRIPTIVE_QUESTION
QUESTION_ID
118694
QUESTION_TEXT
Explain the security features of an ordinary OS.
SCHEME OF EVALUATION
Ans:
1. Authentication of users – 1M
2. Protection of memory – 1M
3. File and I/O device access control – 1M
4. Allocation and access control to general objects – 2M
5. Enforcement of sharing – 1M
6. Guarantee of fair service – 1M
7. Interprocess communication and synchronization – 2M
8. Protection of OS protection data – 1M