Sample midterm

1. (9 pts) Define the three aspects of security, each in one sentence, and provide an example of a threat and a defense for each aspect.

a) confidentiality – only people authorized for access can access a certain resource
   a. threats: breaking encryption, intrusions, sniffing passwords, cracking passwords, sniffing messages on the network, MITM
   b. defenses: encryption, patching, firewall, access control
b) integrity – system/data has not been changed since its creation
   a. threats: MITM, Trojans, rootkits
   b. defenses: hashes/digests
c) availability – system/data is available to its authorized users with good service quality
   a. threats: denial of service, DNS poisoning, DNS hijacking, routing prefix hijacking
   b. defenses: DDoS defense, secure DNS, secure BGP, certificates that ensure a network is authorized to announce a certain DNS name or routing prefix

2. (3 pts) What is a polyalphabetic cipher?

A monoalphabetic cipher with multiple maps; each map is used for one portion of the message and is then replaced with another map.
A cipher that maps each symbol of the alphabet into one other symbol. There are multiple mappings (each mapping is used for one (or many) symbol).

3. (10 pts) Describe how symmetric and asymmetric cryptography work and discuss how their functionalities and costs compare.

Symmetric – both parties have the same key and use it to encrypt and decrypt.
Asymmetric – each party has a private and a public key; one is used to encrypt and the other to decrypt.
Functionality – both can achieve confidentiality and integrity. Asymmetric can achieve non-repudiation. Symmetric cannot achieve non-repudiation.
Cost – symmetric is 1500 times faster.

4. (10 pts) Explain how a Diffie-Hellman key exchange works and what makes it hard for a sniffing attacker to learn the key. Does Diffie-Hellman key exchange produce a key for a symmetric or an asymmetric cipher?

Description:
1. Alice and Bob agree on g and n (large n)
2. Alice picks a random number a and sends g^a mod n to Bob
3. Bob picks a random number b and sends g^b mod n to Alice
4. Alice computes (g^b mod n)^a mod n = g^(ab) mod n – this is their shared key
5. Bob computes (g^a mod n)^b mod n = g^(ab) mod n – this is their shared key

What makes it hard to sniff the key: no one knows a and b; they are random numbers known only to Alice and Bob.

Is this a symmetric or asymmetric key? Symmetric.

5. (10 pts) Describe how a server can authenticate a client using a symmetric cipher. How can this be done using an asymmetric cipher? Which approach is better and why?

Symmetric (one answer is enough, a) or b)):
a) Server stores the shared key, picks a random number r, encrypts it with the key and sends it to the client. Client decrypts it and sends it back. Server compares with r.
b) Server stores the shared key, picks a random number r, sends r to the client. Client encrypts it and sends it back. Server decrypts and compares with r.

Asymmetric (one answer is enough, a) or b)):
a) Server stores the client's public key, picks a random number r, encrypts it with the key and sends it to the client. Client decrypts it with its private key and sends it back. Server compares with r.
b) Server stores the client's public key, picks a random number r, sends r to the client. Client encrypts it with its private key and sends it back. Server decrypts with the client's public key and compares with r.

Better is … asymmetric authentication, because the server only stores public information about the client – the client's public key.

6. (10 pts) Explain how the Passport service works for single sign-on.

1. Merchant establishes trust with the Passport service and exchanges a shared key
2. Browser accesses the merchant server
3. Server redirects the browser to the Passport server
4. Passport server asks for username and password
5. Passport server sets up cookies in the browser and provides a token – a message encrypted with the key shared between merchant and Passport
6. Browser gives this token to the merchant
7. Merchant sets up a cookie in the browser
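Added example (not part of the exam or its answer key): the five steps of question 4 in Python, using deliberately tiny constructed parameters g = 5, n = 23 so the arithmetic can be checked by hand. It also shows what a sniffer actually sees (only g, n, g^a, g^b) and why the "large n" in step 1 matters: with a tiny n the discrete logarithm can be found by trial, which is exactly what a large n makes infeasible.

```python
import secrets
from dataclasses import dataclass

# Constructed toy public parameters (assumption). Real use: n is a large prime.
G = 5
N = 23


@dataclass
class Party:
    """One side of the exchange; `secret` (a or b) is never transmitted."""
    name: str
    secret: int   # random exponent, known only to this party
    public: int   # g^secret mod n, the value sent over the network

    @classmethod
    def create(cls, name, g=G, n=N, secret=None):
        if secret is None:
            secret = secrets.randbelow(n - 2) + 1   # 1 <= secret <= n-2
        return cls(name, secret, pow(g, secret, n))

    def shared_key(self, other_public, n=N):
        # Step 4/5: (g^b mod n)^a mod n = g^(ab) mod n  (and symmetrically for Bob)
        return pow(other_public, self.secret, n)


def run_exchange(a=None, b=None, g=G, n=N):
    """Run steps 1-5; returns (shared key, what a sniffer observed on the wire)."""
    alice = Party.create("Alice", g, n, a)   # step 2: picks a, sends g^a mod n
    bob = Party.create("Bob", g, n, b)       # step 3: picks b, sends g^b mod n
    sniffed = {"g": g, "n": n, "A": alice.public, "B": bob.public}
    k_alice = alice.shared_key(bob.public, n)
    k_bob = bob.shared_key(alice.public, n)
    assert k_alice == k_bob, "both sides must derive the same symmetric key"
    return k_alice, sniffed


def key_from_sniffed(sniffed):
    """The sniffer's only route: recover a from g^a mod n by trying every exponent.

    This loop is the discrete logarithm problem solved by brute force; it finishes
    instantly for n = 23 and is the reason step 1 demands a large n.
    """
    g, n, A, B = sniffed["g"], sniffed["n"], sniffed["A"], sniffed["B"]
    for a in range(1, n):
        if pow(g, a, n) == A:
            return pow(B, a, n)
    return None
```

With a = 6 and b = 15 the wire carries A = 8 and B = 19 and both parties derive the key 2.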