You are not allowed to use any means of aid. However, according to general rules printed English language dictionaries are allowed.

Similar documents
DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

AUTHENTICATION APPLICATION

What is Authentication? All requests for resources have to be monitored. Every request must be authenticated and authorized to use the resource.

CSCE 813 Internet Security Kerberos

Key distribution and certification

13/10/2013. Kerberos. Key distribution and certification. The Kerberos protocol was developed at MIT in the 1980.

User Authentication. Modified By: Dr. Ramzi Saifan

Computers Gone Rogue. Abusing Computer Accounts to Gain Control in an Active Directory Environment. Marina Simakov & Itai Grady

Security and Privacy in Computer Systems. Lecture 7 The Kerberos authentication system. Security policy, security models, trust Access control models

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Outline Key Management CS 239 Computer Security February 9, 2004

CIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries

CPSC 481/681 SPRING 2006 QUIZ #1 7 MAR 2006 NAME:

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Introduction. Trusted Intermediaries. CSC/ECE 574 Computer and Network Security. Outline. CSC/ECE 574 Computer and Network Security.

Information Security CS 526

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

In any of these cases, an unauthorized user may be able to gain access to services and data that he or she is not authorized to access.

SEMINAR REPORT ON BAN LOGIC

User Authentication. Modified By: Dr. Ramzi Saifan

CPSC 467b: Cryptography and Computer Security

Kerberos. Pehr Söderman Natsak08/DD2495 CSC KTH 2008

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

INFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2

Trusted Intermediaries

AIT 682: Network and Systems Security

Summary. Final Week. CNT-4403: 21.April

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

CSC 774 Network Security

CSC/ECE 774 Advanced Network Security

Fall 2010/Lecture 32 1

A Modified Approach for Kerberos Authentication Protocol with Secret Image by using Visual Cryptography

CSC 474/574 Information Systems Security

CHAPTER 3. ENHANCED KERBEROS SECURITY: An application of the proposed system

Exam in Computer Networks

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

Background. Network Security - Certificates, Keys and Signatures - Digital Signatures. Digital Signatures. Dr. John Keeney 3BA33

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CS 155 Final Exam. CS 155: Spring 2006 June 2006

Network Security and Cryptography. December Sample Exam Marking Scheme

Chapter 9: Database Security: An Introduction. Nguyen Thi Ai Thao

Study Guide for the Final Exam

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Security Architecture

U N IV ERS IT Y O F O S LO

CS 591: Introduction to Computer Security. Lecture 3: Policy

Exercises with solutions, Set 3

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

EXAM PREPARATION GUIDE

Network Security Essentials

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Network Security (NetSec)

Access Control Models

Security Handshake Pitfalls

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

EXAM PREPARATION GUIDE

Authentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi

Network Security. Kerberos and other Frameworks for Client Authentication. Dr. Heiko Niedermayer Cornelius Diekmann. Technische Universität München

CS /29/17. Paul Krzyzanowski 1. Fall 2016: Question 2. Distributed Systems. Fall 2016: Question 2 (cont.) Fall 2016: Question 3

Authentication Part IV NOTE: Part IV includes all of Part III!

The Kerberos Authentication Service

Course Outline. CISSP - Certified Information Systems Security Professional

MarkLogic Server. Common Criteria Evaluated Configuration Guide. MarkLogic 9 May, Copyright 2019 MarkLogic Corporation. All rights reserved.

Authentication Protocols

Computer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018

Security+ SY0-501 Study Guide Table of Contents

Computer Security 3/20/18

Network Security and Cryptography. 2 September Marking Scheme

IMPLEMENTATION OF KERBEROS BASED AUTHENTICATED KEY EXCHANGE PROTOCOL FOR PARALLEL NETWORK FILE SYSTEMS IN CLOUD

Strong Password Protocols

Lecture 9. Authentication & Key Distribution

Security issues in Distributed Systems

Chapter 4 Protection in General-Purpose Operating Systems

Datasäkerhetsmetoder föreläsning 7

Exam in Computer Networks

Cryptology Part 1. Terminology. Basic Approaches to Cryptography. Basic Approaches to Cryptography: (1) Transposition (continued)

Radius, LDAP, Radius, Kerberos used in Authenticating Users

Vendor: Microsoft. Exam Code: Exam Name: MTA Security Fundamentals Practice Test. Version: Demo

Operating systems and security - Overview

Operating systems and security - Overview

Hashes, MACs & Passwords. Tom Chothia Computer Security Lecture 5

Quiz 1: Next Wednesday Walker during regular class time

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CSci 530 Midterm Exam. Fall 2013

Radius, LDAP, Radius used in Authenticating Users

CNT4406/5412 Network Security

Access control models and policies

Overview of Authentication Systems

A Protocol for Secure Public Instant Messaging

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?

Kerberos Introduction. Jim Binkley-

Massachusetts Institute of Technology Handout : Network and Computer Security October 23, 2003 Professor Ronald L. Rivest.

IMPLEMENTING MICROSOFT CREDENTIAL GUARD FOR ISO 27001, PCI, AND FEDRAMP

Authentication Technology Alternatives. Mark G. McGovern Chief Technologist Smart Cards, Crypto, Stego, PKI Lockheed Martin

Transcription:

CHALMERS UNIVERSITY OF TECHNOLOGY Department of Computer Science and Engineering Examination in Computer Security EDA263 (DIT641) for the International Master s Program in Computer Systems and Networks, Wednesday 28 August 2013, 14:00 18:00 Examiner: Assistant professor Magnus Almgren, Ph.031-772 1702, email: magnus.almgren@chalmers.se Teacher available during exam: Magnus Almgren, Ph.031-772 1702 Solutions: No solutions will be posted. Language: Answers and solutions must be given in English. Grades: will be posted before Tuesday 17 September, 2013. You are not allowed to use any means of aid. However, according to general rules printed English language dictionaries are allowed. Grade: The grade is normally determined as follows: 30 p grade 3 < 38 p grade 4 < 46 p grade 5 (EDA263) 30 p pass < 46 p pass with distinction (DIT641)

1 Personnel security It is well known that security in a company could not only rely on technical features, but soft and human factors play an important role. Discuss the concept personnel security from this viewpoint. Give examples of relevant security methodology related to personnel and the different phases of an employment. (10p) 2 Security and dependability concepts a) List the traditional security and dependability attributes/aspects. b) Group the attributes in protective and behavioural, where applicable. Explain their functionality and relation to the object system. Draw an illustrating figure. c) Explain the interaction between attacks, vulnerabilities and failures and the object system in terms of its protective and behavioural attributes. (8p) 3 Cryptography Let's say that Alice, Bob and Charles would like to communicate separately with each other. That is, any two of the people in the group should be able to communicate without the third being able to read the messages. In the course we discussed (i) symmetric encryption and (ii) public-key encryption and your answer below should refer to these schemes. a) In the course, we said that the key exchange needs to take place over a (possibly abstract) channel X, which then in turn needs to have a certain property depending on the encryption scheme, (i) or (ii). If Alice, Bob and Charles communicate using (i), what general property must the channel X have? If they are going to communicate using (ii), what general property must the channel X then have? b) How many keys are needed for Alice, Bob, and Charles above using (i). How many keys are needed using (ii)? Include all types and motivate your answer. Also in your answer talk about scalability and how the number of keys grows as a function of n, where n is the number of group members. c) Specify if (i) is commonly used to distribute keys for (ii), or the opposite. Why? Motivate! Is this a common application? d) Explain how Bob can verify whether a certain public key really belongs to Alice in (ii). Why is this an important problem? In the course we spoke about trust and three schemes about trust to check whether a key belongs to a person. Explain these with advantages and disadvantages. (11 p)

4 Security Models You are working for a law firm with the following eight clients: New York Times, Bank of Scotland, Scandinavian Airlines, Bank of England, Air France, Los Angeles Times, American Airlines, The law firm is using the Chinese Wall Model. a) Draw a picture, showing how this (general) model would look in the specific example for this law firm. Show in the picture the three levels information is organized into and explain them with a possible concrete example. b) Define the simple security rule formally in the following way: Simple Security Rule: A subject S can read object O only if... c) Alice and Bob works for the law firm. State whether the following read accesses (performed in the order shown here) will be accepted or denied. Use your answer in (b) to explain how you reason. 1) Alice reads a document outlining which new offices will open in 2014 for 2) Alice reads a document outlining which new offices will open in 2014 for Bank of England. 3) Alice reads a document outlining which new offices will open in 2014 for Air France. 4) Bob reads a document outlining which new offices will open in 2014 for Air France. 5) Alice reads a document outlining which new offices will open in 2014 for Bank of England. 6) Bob reads a document outlining which new offices will open in 2014 for New York Times. 7) Alice reads a document outlining the yearly summary of earnings / losses for 8) Alice reads a document outlining the yearly summary of earnings / losses for 9) Bob reads a document outlining the yearly summary of earnings / losses for 10) Alice reads a document outlining the yearly summary of earnings / losses for Air France. 11) Bob reads a document outlining the yearly summary of earnings / losses for Air France. 12) Alice reads a document outlining which new offices will open in 2014 for (10 p)

5 Authentication using Kerberos Below is a somewhat simplified version of the steps in a Kerberos v.4 authentication procedure. In this, the client C is using the Kerberos authentication server (AS) to access a service from the server V. (1) C => AS: ID C ID TGS TS 1 (2) AS => C: E K(C) [K(C,TGS) ID TGS TS 2 Lifetime 2 Ticket TGS ] (3) C => TGS: ID V Ticket TGS Authenticator C (4) TGS => C: E K(C,TGS) [K(C,V) ID V TS 4 Ticket V ] (5) C => V: Ticket V Authenticator C (6) V => C: E K(C,V) [ TS 5 + 1] (7) Ticket TGS = E K(TGS) [K(C,TGS) ID C AD C ID TGS TS 2 Lifetime 2 ] (8) Ticket V = E K(V) [K(C,V) ID C AD C ID V TS 4 Lifetime 4 ] (9) Authenticator C = E K(C,TGS) [ ID C AD C TS 3 ] Describe briefly the following elements in the procedure and explain their function: a) (2), E K(C) b) (2), K(C,TGS) and (7), K(C,TGS) c) (2), Lifetime 2 and (7), Lifetime 2 d) (6), TS 5 + 1 (8p)

6 Software Security When users login to a site, their credentials are checked by accessing a database with the following code, where iuserid and ipassword are two variables set by the user trying to login to the site. query = SELECT userid from tusers where userid= + iuserid + AND password= + ipassword + ; (example of the) User Credential Database tusers: UserID Username Password Name 1 admin $#kaoefor Admin 1824 jsmith demo1234 John Smith From the course, you know that passwords should be stored as salted hash values to make it more difficult to perform dictionary attacks or extracting the passwords if you are an insider. However, in this particular example, the actual code is also vulnerable to attacks. a) What is the name for such attacks? b) Give a (concrete) example on how the code can be misused. c) Discuss mitigation strategies. (6p) 7 Miscellanous Questions Give a short (i.e. less than ca 10 lines) but exhaustive answer to each of the following questions: (The answer must include not only the function, usage, principle etc, but also the (security) context into which the object of the question would be applicable.) a) Explain what the "no-write-down" property means in Bell-LaPadula. Give an example why it is important. b) Suggest an overall method that would reduce commercial spam messages and motivate why your method should work. c) Where in the system (e.g. in which system layers) do you suggest that security should be enforced? Motivate your answer. d) Describe the term Reference Monitor. e) Describe the term Trusted Computing Base (TCB). What is the relation between the TCB and the TOE Security Function (TSF) in the Common Criteria. f) What is meant by an organisational security policy? g) What is the benefit of Incident handling and what is the goal with it? (7p)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback