CUSTOMER_CODE SMUDE DIVISION_CODE SMUDE EVENT_CODE JULY15 ASSESSMENT_CODE BT0088_JULY15 QUESTION_TYPE DESCRIPTIVE_QUESTION QUESTION_ID 12783 QUESTION_TEXT Explain SET features and components. SCHEME OF EVALUATION SET incorporates important features needed for secure credit card transaction over the Internet: *Confidentiality of information: Cardholder account and payment information is secured as it traverses across the network. DES is used to provide confidentiality. *Integrity of Data: Payment information sent from cardholders to merchants includes order information, personal data, and payment instructions. SET guarantees that these message contents are not altered in transit. RSA digital signatures, using SHA-1 hash codes, sometimes HMAC, using SHA-1. *Cardholder account authentication: SET enables merchants to verify that a cardholder is legitimate user of a valid card account number. SET uses digital certificates with RSA signatures for this purpose. *Merchant Authentication: SET enables cardholders to verify that a merchant has a relationship with a financial institution allowing it to accept payment cards. SET uses Digital certificates with RSA signatures for this purpose. (1 mark each=4 marks) Components: *Cardholder: A cardholder is an authorized holder of a payment card that has been issued by issuer. *Merchant: A merchant is a person or organization with goods or services to sell to the cardholder. *Issuer: This is a financial institution such as bank that provides the cardholder with the payment card. *Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorization and payments. *Payment Gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. *Certificate Authority: This is an entity that is trusted to issue X.509v3 public key certificates for cardholders, merchants, and payment gateways.(1 mark each= 6 marks) QUESTION_TYPE DESCRIPTIVE_QUESTION QUESTION_ID 12787 QUESTION_TEXT Discuss three important aspects of security services. SCHEME OF EVALUATION Information security is concerned with the confidentiality, integrity and availability of data. (1 mark) Confidentiality: only the authorized parties are given access like reading, viewing, printing etc., to the computer related assert. It is also called as secrecy or privacy. Ensuring confidentiality can be difficult.(2 marks) Integrity: only the authorized parties can modify the computer related assert in authorized ways. Modification includes writing, changing, changing status, deleting and creating. Integrity is much harder to pin down.(2 marks) Availability: it means that assets are accessible to authorized parties at appropriate times. If some person or system has legitimate access to particular set of objects, that access should not be prevented. Availability applies both to data and to services, and it is similarly complex. (3 marks) A challenge is to build a secure system by having the right balance among the three goals. It is easy to preserve a particular object’s confidentiality in a secure system, simply by preventing everyone from reading that object. However this system is not secure, because it does not meet the requirement of availability for proper access. (2 marks) QUESTION_TYPE DESCRIPTIVE_QUESTION QUESTION_ID 72790 QUESTION_TEXT Discuss the following a. VPN b. PKI and Certificates SCHEME OF EVALUATION a. VPN: Link encryption can be used to give a networks users the sense that they are on a private network, even when it is a part of public network. This approach is called a virtual Private Network (VPN). (1 mark) Physical security and administrative security are strong enough to protect transmission inside the perimeter of a network. Many firewalls can be used to implement a VPN. (2 marks) The larger network is restricted only to those given special access by the VPN. It feels to the user that the network is private, even though it is not. With the VPN, we say that the communication passes through an encrypted tunnel or tunnel. (2 marks) PKI and Certificates: Public Key Infrastructure, or PKI, is a process created to enable users to implement public key cryptography, usually in a large setting. (1 mark) PKI services: * Create certificates associating a users identity with a public cryptography key * Give out certificates from its database * Sign certificates * Invalidate certificates for users who no longer are allowed to access whose private key has been exposed. (2 marks) PKI sets up entities, called certificate authorities that implement the PKI policy on certificates. Specific actions of certificate authorities include the following: * Managing public key certificates for their whole life cycles * Issuing certificates by binding a users or systems identity to a public key with a digital signature * Scheduling expiration dates for certificates * Publishing certificate revocation lists. (2 marks) QUESTION_TYPE DESCRIPTIVE_QUESTION QUESTION_ID 72791 QUESTION_TEXT Explain how cryptanalyst uses different information to break the cipher? SCHEME OF EVALUATION a. Ciphertext only: The cryptanalyst decrypt messages based on probabilities, distributions, and characteristics of the available ciphertext, plus publicly available knowledge. b. Full or partial plaintext: the analyst may be fortunate to have a sample message and its decipherment. In these cases, the analyst can use what is called a probable plaintext analysis. After doing part of the decryption, the analyst may find places where the known message fits with the deciphered parts, thereby giving more clues about the total translation. c. Ciphertext of any plaintext: the analyst might have infiltrated the sender’s transmission process so as to be able to cause messages to be encrypted and sent at will. This attack is called a chosen plaintext attack. For instance, the analyst may be able to insert records into a database and observe the change in statistics after the insertions. Linear programming some times enables such an analyst to infer data that should be kept confidential in the database. This attack is very favorable to the analyst. d. Algorithm and Ciphertext: the analyst may have both the encryption algorithm and the ciphertext. In a chosen plaintext attack, the analyst can run the algorithm on massive amounts of plaintext to find one plaintext message that encrypt as the ciphertext. This approach fails if two or more distinct keys can produce the same ciphertext as the result of encrypting meaningful plaintext. e. Ciphertext and Plaintext: the cryptanalyst may lucky enough to have some pairs of plaintext and matching ciphertext. Then, the game is to deduce the key by which those pairs were encrypted so that the same key can be used in cases in which the analyst has only the ciphertext. (2 marks each) QUESTION_TYPE DESCRIPTIVE_QUESTION QUESTION_ID 72792 QUESTION_TEXT List and briefly explain five types of Firewalls Explanation about the following five types of firewalls: i. Packet filtering gateways or screening routers ii. Stateful inspection firewalls SCHEME OF EVALUATION iii. Application Proxies iv. Guards v. Personal Firewalls 2 x 5 = 10 marks QUESTION_TYPE DESCRIPTIVE_QUESTION QUESTION_ID 118694 Explain the security features of ordinary OS. QUESTION_TEXT Ans: 1. Authentication of users–1M 2. Protection of memory–1M SCHEME OF EVALUATION 3. File and I/O device access control.–1M 4. Allocation and access control to general objects–2M 5. Enforcement of sharing–1M 6. Guarantee of fair service–1M 7. Interprocess communication and synchronization–2M 8. Protection of OS protection data.–1M