Daniel Jordan
daniel_jordan@csu.fullerton.edu
CPSC 333
Homework #1
Due September 11 (before 11:55 PM)

R-1.1 Compare and contrast the C.I.A. concepts for information security with the A.A.A. concepts.

C.I.A. stands for confidentiality, integrity, and availability. C.I.A. aims to secure data through confidentiality, verify the data through integrity, and protect the data through availability. A.A.A. stands for authenticity, assurance, and anonymity. Authenticity is used to authenticate the security token being used to access the system. Assurance refers to how trust policies are managed on a system. Anonymity assures that certain transaction records will not be linked to any single user. A.A.A. doesn't directly protect the data the way C.I.A. does. Instead, it focuses on authenticating the user and system accessing the data.

R-1.4 What are some of the techniques that are used to achieve confidentiality?

Some techniques used to achieve confidentiality are encryption, access control, and authentication. Encryption is used to protect data, ensuring only those who are allowed to see the data will be able to access it. Access control provides rules and policies that limit which files a user can access. Authentication is used to verify a user's access role and determine whether they're authorized to access the data.

R-1.12 Compare and contrast symmetric encryption with public-key encryption, including the strengths and weaknesses of each.

Symmetric encryption requires each pair of communicating users to share a separate private key. Public-key encryption uses a single public key from the sender and a private key held by the recipient. An advantage of public-key encryption is that the private key is stored locally on each user's machine. The key is not transmitted, so an eavesdropper would not be able to intercept the message and steal the key. An advantage of symmetric encryption is speed, since both users are using the same shared key to encrypt and decrypt the message. A disadvantage of symmetric encryption is that the private key is transmitted with each message, which leaves it open to attack.

R-1.13 List at least three security risks that could arise when someone has their laptop stolen.

The most obvious security risk is that the user's passwords stored on the laptop could be stolen. An attacker could also steal private key files off the machine. Lastly, they could use personal information found on the laptop to better guess a user's password, or gain access to their accounts in other ways.

R-1.16 Give an example of the false sense of security that can come from using the "security by obscurity" approach.

An example of security by obscurity would be a user running an SSH server on their home machine and changing the port number. Because SSH runs by default on port 22, this may create a false sense of security, because the attacker must find the port number before they can even attempt breaking into the system. This has been shown to be false, as a quick port scan will reveal the open port.

R-1.19 Suppose you could use all 128 characters in the ASCII character set in a password. What is the number of 8-character passwords that could be constructed from such a character set? How long, on average, would it take an attacker to guess such a password if he could test a password every nanosecond?

128 possible characters to choose from for each of the 8 positions:
128 x 128 x 128 x 128 x 128 x 128 x 128 x 128 = 128^8 possible passwords

1 second = 1,000,000,000 nanoseconds.
128^8 passwords / 1,000,000,000 passwords per second = 72057594.0379 seconds
72057594.0379 seconds / 60 = 1200959.90063 minutes
1200959.90063 minutes / 60 = 20015.9983438 hours
20015.9983438 hours / 24 = 833.999930992 days
833.999930992 days / 365 = 2.28 years to guess the password