Question 1

The web site of an encryption application for mobile phones says: [10%]
“RSA and ECDSA are used for authentication. The key pairs are generated on the phone during the installation and are unique to each phone. A private key is never shared. The Elliptic Curve Diffie-Hellman (ECDH) and RSA algorithms are used for key exchange. The session key is only valid for one phone call and securely destroyed after use.”
Explain in sufficient detail what is meant by ‘a private key is never shared’. Your answer should include a short description of public key cryptography, definitions of public key and private key, and a short description of the way these keys are generated and managed.

Question 2

A news item reports: [10%]
“A skilled hacker has shown how to hijack a smartphone via a short-range radio technology known as Near Field Communication (NFC).

He discovered that the default setting in Android (a mobile operating system) forces a handset to visit any weblink or open any file sent to it. Via this route he forced handsets to visit websites that ran code written to exploit known vulnerabilities in Android.
The software on the booby-trapped websites helped him look at and steal data held on a handset.”
Comment on this news item, using the correct terms related to security goals, attack analysis and control types.

Question 3

Give the definition of a stream cipher, showing in detail (perhaps with a diagram) how the plaintext and the key are handled during encryption. [10%]
Name one main advantage of such ciphers. Explain for what purposes you would use such ciphers.

Question 4

Consider the statement: [10%]
“Triple DES is three times stronger than DES.”
Explain in sufficient detail what is wrong in this statement and correct it.

Question 5

Define XSS and explain in some detail how it threatens computer security. [10%]

Question 6

The following description (from the Microsoft web site) seems to suggest that malicious software can be hidden in JPG files. [10%]
“This malware could be encountered when visiting a malicious webpage or could be installed by other malware. Viewing the crafted image file using a vulnerable computer could lead to the execution of arbitrary code. A specially crafted image file (.JPG) exploits a vulnerability which could cause a buffer overrun leading to the execution of arbitrary code.”
Explain in sufficient detail what a buffer overrun is, how it can lead to the execution of arbitrary code, and whether JPG files are dangerous.

Question 7

A company explains how their user authentication scheme works (an example is shown in the picture below): [10%]

“Entrust's patented grid card is a credit card-sized authenticator consisting of numbers and/or characters in a row-column format. Upon login, users are presented with a coordinate challenge and must respond with the information in the corresponding cells from the unique grid card they possess.”

Explain how this user authentication scheme can be classified within the methods of user authentication and argue whether it has some advantages or disadvantages compared to traditional ways of user authentication.

Question 8

The web site of a company says: [10%]
“Industry standard hashing algorithms are used for increased integrity assurance.”
Explain briefly what a hashing algorithm is, name an example of an industry standard hashing algorithm, and justify the use of such algorithms for integrity assurance.

Question 9

Solve the following risk analysis problem. Comment in sufficient detail on each step of your solution. [10%]
Suppose you have a 0.5% chance of a single power outage lasting more than a few seconds in any given year. The expected loss as a result of personnel not being able to work is £25,000, and the cost of recovery (handling reboots and disk checks) is expected to be another £10,000 in downtime and personnel costs.
You are considering buying a UPS (uninterruptible power supply) system for your organisation. The yearly repayments for it will be £150. You expect that the UPS system will be effective in 80% of the cases. Decide whether you should buy the UPS system.

Question 10

A news item reports: [10%]
“In January, Latvian Deniss Calovskis was named by the US as one of the creators of the Gozi virus.
Security analyst Graham Cluley said Gozi was a very successful trojan that pilfered huge sums from bank accounts.”
Find an inconsistency in this news item and explain in sufficient detail what is incorrect, giving all necessary definitions.