Midterm 1 Intro Network Security
Authenticity Assurance Anonymity
Please list the three A words in the A.A.A model.
2,097,152
Suppose you could use all 128 characters in the ASCII character set in a password. What is the number of 3-character passwords that could be constructed from such a character set? Please provide the numerical value (with no comma).
True
Many security administrators view strong security as an impediment to efficient and user-friendly operation of an information system.
high
A ________ level breach of security could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
digital signature
A __________ is data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery.
vulnerability
A flaw or weakness in a system's design, implementation, or operation and management that could be exploited to violate the system's security policy is a(n) __________.
confidentiality
A loss of _________ is the unauthorized disclosure of information.
attack
A(n) _________ is a threat that is carried out and, if successful, leads to an undesirable violation of security, or threat consequence.
countermeasure
A(n) __________ is an action, device, procedure, or technique that reduces a threat, a vulnerability, or an attack by eliminating or preventing it, by minimizing the harm it can cause, or by discovering and reporting it so that correct action can be taken.
attack
An assault on system security that derives from an intelligent act that is a deliberate attempt to evade security services and violate the security policy of a system is a(n) __________.
something you have
Authentication via your mobile phone leverages: something -you are -something you know -none of the above -something you have
625
Benny is a thief who tried to break into an Automated Teller Machine (ATM) using a screwdriver, but was only able to break five different keys on the numeric keypad (i.e. there are 10 numeric keys in total) and jam the card reader, at which point he heard Alice coming, so he hid. Alice walked up, put in her ATM card, successfully entered her 4-digit PIN, and took some cash. But she was not able to get her card back, so she drove to get help. Benny then went back to the ATM, and started entering numbers to try to discover Alice's PIN and steal money from her account. What is the worst-case number of PINs that Benny has to enter before correctly discovering Alice's PIN?
True
Computer security is the protection of the integrity, availability, and confidentiality of information system resources. T/F
CIA
Confidentiality, Integrity, Availability
social engineering
During the 2008 U.S. Presidential campaign, hackers were able to gain access to an email account of Vice Presidential candidate, Sarah Palin. Their attack is said to have involved tricking the mail system to reset Governor Palin's password, claiming they were really Palin and had forgotten this password. The system asked the hackers a number of personal questions regarding Palin's identity, including her birthday, zip code, and a personal security question - "Where did you meet your spouse?" - all of which the hackers were able to answer using data available on the Internet. What kind of attack is this an example of?
Ciphertext-only attack
Eve has an antenna that can pick up Alice's encrypted cell phone conversations. What type of attack is Eve employing?
Chosen-plaintext attack
Eve has bet Bob that she can figure out the AES secret key he shares with Alice if he will simply encrypt 20 messages for Eve using that key. For some unknown reason, Bob agrees. Eve gives him 20 messages, which he then encrypts and emails back to Eve. What kind of attack is Eve using here?
Known-plaintext attack
Eve has tricked Alice into decrypting a bunch of ciphertexts that Alice encrypted last month but forgot about. What type of attack is Eve employing? (Hint: Please consider whether Eve has control over what ciphertexts Alice has encrypted last month.)
Fail-safe defaults
Facebook's user default setting on "Who can see your friend list - public" may not follow which of the following security principles?
has
Fingerprint can be used for authentication as it is something the person
20,000
Given a system that does not use salt, if an attacker launches a dictionary attack with the dictionary containing 20,000 words, what is the search space size for the attack? Assume that the attacker is interested in compromising a specific user's account. You can also assume that the user's password is included in the dictionary. Please provide the exact numerical value
20,000
Given a system that has 1000 users and does not use random salt, if an attacker launches a dictionary attack with the dictionary containing 20,000 words, what is the search space size for the attack? Assume that the attacker obtains the password file and is interested in getting the passwords of all users. You can also assume that all the 1000 users' passwords are included in the dictionary. Please provide the exact numerical value.
20,000,000
Given a system that has 1000 users and uses 10 bits for the random salt, if an attacker launches a dictionary attack with the dictionary containing 20,000 words, what is the search space size for the attack? Assume that the attacker obtains the password file and has the salt value for each user. The attacker is interested in getting all users' passwords. You can also assume that all the 1000 users' passwords are included in the dictionary. Please provide the exact numerical value.
20,480,000
Given a system that uses 10 bits for the random salt, if an attacker launches a dictionary attack with a dictionary containing 20,000 words, what is the search space size for the attack? Assume that the attacker is interested in compromising a specific user's account, but does not know the salt value for this user. You can also assume that the user's password is included in the dictionary. Please provide the exact numerical value
True
If a crypto system always has its encryption key equal to its decryption key, it is a symmetric cryptosystem. T/F
64
Show the result of encrypting M = 4 using the public key (e; n) = (3; 77) in the RSA cryptosystem
Availability
Suppose an Internet service provider (ISP) has a voice over IP (VoIP) telephone system that it manages and sells. Suppose further that this ISP is deliberately dropping 25% of the packets used in its competitors VoIP system when those packets are going through this ISP's routers. With respect to the C.I.A. model, what properties of the communication is attacked by this malicious ISP?
False
The "A" in the CIA triad stands for "authenticity" T/F
integrity
The assurance that data received are exactly as sent by an authorized entity is __________.
True
The more critical a component or service, the higher the level of availability required.
False
We can ensure a system's security by hiding the fact that the system is using Caesar Cipher. T/F
WKHODCBIRA
What is the encryption of the following string using the Caesar cipher: THELAZYFOX
6
What is the next number in the pseudo-random number generator 3xi +2 mod 11, starting from 5?
P!$$w9rd;t
What is the strongest password in the following options? TD2k5secV5 A1ke03W7tl California P!$$w9rd;t
Security by obscurity
Which of the following choices is NOT one of the ten security principles? -Open design -Compromise recording -Separation of privilege -Security by obscurity
The simplicity in the design and implementation of security measures.
Which of the following choices is related to the economy of mechanism? -Each program and user of a computer system should operate with the bare minimum privileges necessary to function properly. -The default configuration of a system should have a conservative protection scheme. -The security architecture and design of a system should be made publicly available. -The simplicity in the design and implementation of security measures.
Permanence Distinctiveness Universality
Which of the following properties should be required by a biometric identification solution?
-Should be hard to predict x_{i+1} from previous numbers in the sequence -Period is defined as the number of values that are output by the sequence generated by PRNG before it repeats. -An encryption algorithm based on PRNG can simply obtain the ciphertext by the exclusive-or of the pseudo-random numbers with the plaintext message.
Which of the following statements about a secure Pseudo Random Number Generator (PRNG) is(are) correct? Please choose all that apply. -A secure PRNG algorithm should have a short period. -Should be hard to predict x_{i+1} from previous numbers in the sequence -Period is defined as the number of values that are output by the sequence generated by PRNG before it repeats. -An encryption algorithm based on PRNG can simply obtain the ciphertext by the exclusive-or of the pseudo-random numbers with the plaintext message.
-If an attacker can specify a set of ciphertexts and obtain the corresponding plaintext, this is a chosen ciphertext attack.
Which of the following statements about attacks against cryptosystem is correct? Choose all that apply. -If an attacker can specify a set of plaintexts and obtain the corresponding ciphertext, this is a chosen ciphertext attack. -If an attacker can specify a set of plaintexts and obtain the corresponding ciphertext, this is a known-plaintext attack. -If an attacker can specify a set of ciphertexts and obtain the corresponding plaintext, this is a chosen ciphertext attack. -If an attacker can choose a set of ciphertext and obtain the corresponding plaintext in an iterative way, where each ciphertext choice can be based on information learned from previous ciphertext decryption, this is an adaptive chosen plaintext attack.
In a cryptosystem with n users, each user only needs one pair of keys to communicate with all other users.
Which of the following statements about public-key based cryptography is correct? Choose all that apply. -In a cryptosystem with n users, each user only needs one pair of keys to communicate with all other users. -The encryption key is always identical to the decryption key -The encryption/decryption algorithms are typically faster than symmetric cryptosystem. -In a cryptosystem with n users, each user needs to hold (n-1) keys so that he/she can communicate with all other users.
-Symmetric cryptography can be used to protect message confidentiality. -The encryption key is always identical to the decryption key. -To achieve the same level of security, the key length required for symmetric cryptographic algorithms is typically smaller than that required by public-key cryptographic algorithms.
Which of the following statements about symmetric cryptography is correct? Choose all that apply. -Symmetric cryptography can be used to protect message confidentiality. -The encryption key is always identical to the decryption key. -Symmetric cryptography can be used for digital signature. -To achieve the same level of security, the key length required for symmetric cryptographic algorithms is typically smaller than that required by public-key cryptographic algorithms.
-CTR mode can be used for stream cipher -ECB mode supports parallel encryption and decryption
Which of the following statements about the block cipher modes is(are) correct? Please choose all that apply. -CTR mode can be used for stream cipher -ECB mode supports parallel encryption and decryption -CBC mode does not require a decryption algorithm -CBC mode cannot hide patterns in plaintext
-Collision-resistant, meaning that it is extremely difficult to identify two messages sharing an identical hash value. -One-way computation, meaning that given an original message, it's very easy/fast to compute the corresponding hash value, while given a hash value, it is very difficult to compute its corresponding message. -Can be used for password protection.
Which of the following statements for a cryptographic hash function is(are) correct? Choose all that apply. -Collision-resistant, meaning that it is extremely difficult to identify two messages sharing an identical hash value. -Bi-directional computation, meaning that given an original message, it's very easy/fast to compute the corresponding hash value, meanwhile, given a hash value, it is also very easy/fast to compute its corresponding message -One-way computation, meaning that given an original message, it's very easy/fast to compute the corresponding hash value, while given a hash value, it is very difficult to compute its corresponding message. -Can be used for password protection.
something the person knows has is
Which one of the following options can be used for authentication?
The user Tom, identified by [email protected] and a password is who he says he is
Which one of the following two statements is related with authentication? -The user Tom, identified by [email protected] and a password is who he says he is -The user Tom can perform a write operation on the file xxx.txt.
Availability
With respect to the C.I.A. concepts, what risks are posed by Denial of Service attacks?
Confidentiality
With respect to the C.I.A., what risks are posed by eavesdropping?
System Integrity
_____assures that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
Confidentiality
is the avoidance of the unauthorized disclosure of information
Physical security
the establishment of physical barriers to limitaccess to protected computational resources
Integrity
the property that information has not been alteredin an unauthorized way