Question 1
The web site of an encryption application for mobile phones says:
[10%]
“RSA and ECDSA are used for authentication. The key pairs are generated on the phone
during the installation and are unique to each phone. A private key is never shared. The
Elliptic Curve Diffie-Hellman (ECDH) and RSA algorithms are used for key exchange. The
session key is only valid for one phone call and securely destroyed after use.”
Explain in sufficient detail what is meant by ‘a private key is never shared’. Your answer
should include a short description of public key cryptography, definitions of public key and
private key, and a short description of the way these keys are generated and managed.
Question 2
A news item reports:
[10%]
“A skilled hacker has shown how to hijack a smartphone via a short-range radio technology
known as Near Field Communication (NFC).
He discovered that the default setting in Android (a mobile operating system) forces a
handset to visit any weblink or open any file sent to it. Via this route he forced handsets to
visit websites that ran code written to exploit known vulnerabilities in Android.
The software on the booby-trapped websites helped him look at and steal data held on a
handset.”
Comment on this news item, using the correct terms related to security goals, attack analysis
and control types.
Question 3
Give the definition of a stream cipher, showing in detail (perhaps with a diagram) how the
plaintext and the key are handled during encryption. Name one main advantage of such
ciphers. Explain for what purposes you would use such ciphers.
[10%]
Question 4
Consider the statement:
“Triple DES is three times stronger than DES.”
Explain in sufficient detail what is wrong in this statement and correct it.
[10%]
Question 5
Define XSS and explain in some detail how it threatens computer security.
[10%]
Question 6
The following description (from the Microsoft web site) seems to suggest that malicious
software can be hidden in JPG files.
“This malware could be encountered when visiting a malicious webpage or could be installed
by other malware. Viewing the crafted image file using a vulnerable computer could lead to
the execution of arbitrary code. A specially crafted image file (.JPG) exploits a vulnerability
which could cause a buffer overrun leading to the execution of arbitrary code.”
Explain in sufficient detail what a buffer overrun is, how it can lead to the execution of
arbitrary code, and whether JPG files are dangerous.
[10%]
Question 7
A company explains how their user authentication scheme works (an example is shown
in the picture below):
[10%]
“Entrust's patented grid card is a credit card-sized authenticator consisting of numbers and/or
characters in a row-column format. Upon login, users are presented with a coordinate challenge and
must respond with the information in the corresponding cells from the unique grid card they
possess.”
Explain how this user authentication scheme can be classified within the methods of user
authentication and argue whether it has some advantages or disadvantages compared to
traditional ways of user authentication.
Question 8
The web site of a company says:
[10%]
“Industry standard hashing algorithms are used for increased integrity assurance.”
Explain briefly what a hashing algorithm is, name an example of an industry standard
hashing algorithm, and justify the use of such algorithms for integrity assurance.
Question 9
Solve the following risk analysis problem. Comment in sufficient detail on each step of
your solution.
[10%]
Suppose you have a 0.5% chance of a single power outage lasting more than a few seconds in any
given year. The expected loss as a result of personnel not being able to work is £25,000, and the cost
of recovery (handling reboots and disk checks) is expected to be another £10,000 in downtime and
personnel costs.
You are considering buying a UPS (uninterruptible power supply) system for your organisation. The
yearly repayments for it will be £150. You expect that the UPS system will be effective in 80% of the
cases. Decide whether you should buy the UPS system.
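The quantitative method Question 9 calls for, worked through as an added illustration that is not part of the original paper: annualised loss expectancy before and after the control, the control's net yearly benefit, and (going one step beyond the question) the effectiveness at which the UPS would break even. The figures are the question's; the class and function names are my own.

```python
from dataclasses import dataclass

@dataclass
class RiskScenario:
    """A threat event: expected occurrences per year (ARO) and the cost of one occurrence (SLE)."""
    annual_rate: float
    single_loss: float

    def ale(self) -> float:
        """Annualised loss expectancy: ALE = ARO x SLE."""
        return self.annual_rate * self.single_loss

@dataclass
class Control:
    """A countermeasure: its yearly cost and the share of incidents it prevents (0.0 .. 1.0)."""
    annual_cost: float
    effectiveness: float

def residual_ale(scenario: RiskScenario, control: Control) -> float:
    """Expected yearly loss that remains: the control fails in (1 - effectiveness) of cases."""
    return scenario.ale() * (1.0 - control.effectiveness)

def break_even_effectiveness(scenario: RiskScenario, control: Control) -> float:
    """Effectiveness at which the control's risk reduction exactly covers its yearly cost."""
    return control.annual_cost / scenario.ale()

def evaluate(scenario: RiskScenario, control: Control) -> dict:
    """Cost-benefit summary; buy the control only when its net benefit is positive."""
    before, after = scenario.ale(), residual_ale(scenario, control)
    reduction = before - after
    return {
        "ale_before": before,
        "ale_after": after,
        "risk_reduction": reduction,
        "control_cost": control.annual_cost,
        "net_benefit": reduction - control.annual_cost,
        "recommend": reduction > control.annual_cost,
    }

# Figures from Question 9: a 0.5% yearly chance of an outage costing £25,000 + £10,000,
# against a UPS at £150 per year assumed to prevent 80% of outages.
OUTAGE = RiskScenario(annual_rate=0.005, single_loss=25_000 + 10_000)
UPS = Control(annual_cost=150, effectiveness=0.80)

if __name__ == "__main__":
    for key, value in evaluate(OUTAGE, UPS).items():
        print(f"{key:>15}: {value}")
    print(f"break-even effectiveness: {break_even_effectiveness(OUTAGE, UPS):.1%}")
```

On these numbers the UPS reduces expected yearly loss by £140 but costs £150, so on a pure expected-value basis it is not justified; it would need to stop about 86% of outages to break even, which is the sensitivity a written answer should comment on.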
Question 10
A news item reports:
“In January, Latvian Deniss Calovskis was named by the US as one of the creators of the Gozi virus.
Security analyst Graham Cluley said Gozi was a very successful trojan that pilfered huge sums from
bank accounts.”
Find an inconsistency in this news item and explain in sufficient detail what is incorrect,
giving all necessary definitions.
[10%]