Computer Security module

Similar documents
Cryptography and Network Security

Security protocols and their verification. Mark Ryan University of Birmingham

Introduction to Modern Cryptography. Benny Chor

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

Written Communication

Learner. Help Guide. Page 1 of 36 Training Partner (Learner Help Guide) Revised 09/16/09

21 Lessons Learned From Sending Over 110,000 s

CS 425 / ECE 428 Distributed Systems Fall 2017

The PGP Trust Model. Alfarez Abdul-Rahman

Office 365 Training For the

Introduction to SSL. Copyright 2005 by Sericon Technology Inc.

Outline Key Management CS 239 Computer Security February 9, 2004

In our first lecture on sets and set theory, we introduced a bunch of new symbols and terminology.

Skill 1: Multiplying Polynomials

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Instructor: Craig Duckett. Lecture 04: Thursday, April 5, Relationships

The 21 WORD . That Can Get You More Clients. Ian Brodie

Instructor: Craig Duckett. Lecture 03: Tuesday, April 3, 2018 SQL Sorting, Aggregates and Joining Tables

Objective and Subjective Specifications

Letter writing Pattern and tips

Emma for Students Lesson 2: Peer Review and Graded Documents

An Introduction to How PGP Works

District 5910 Website Quick Start Manual Let s Roll Rotarians!

CS3 Midterm 1 Fall 2006

CS Computer Networks 1: Authentication

This factsheet intends to provide guidance on how you can manage your s. You will discover:

Successful Implementation

Full file at

Chapter 9: Key Management

STUDY GUIDE: MASTER S DEGREE IN INTERNATIONAL ECONOMICS AND PUBLIC POLICY

Midterm II December 4 th, 2006 CS162: Operating Systems and Systems Programming

Managing Groups Using InFellowship. A guide for Small Group Leaders

CS 161 Computer Security

EPORTFOLIO CHECK-IN & FINAL ASSIGNMENTS

Spring 2010: CS419 Computer Security

INSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:

10 Tips For Effective Content

1 Identification protocols

ECE646 Fall Lab 1: Pretty Good Privacy. Instruction

4:40pm - 6:10pm (90 min)

Expressing Human Trust in Distributed Systems: the Mismatch Between Tools and Reality

STUDY GUIDE: MASTER S DEGREE IN ECONOMIC POLICY

The Internal Market Information System. Frequently Asked Questions

Privacy Policy. How we handle your information you provide to us. Updated: 14 March 2016

1) Moving About Between Different Levels

Instructor: Craig Duckett. Lecture 07: Tuesday, April 17 th, 2018 Conflicts and Isolation, MySQL Workbench

VERSION Lab 3: Link Layer

BTEC Nationals IT - Unit2 FAQs

IAE Professional s (02)

Computer Security Spring 2010 Paxson/Wagner HW 4. Due Thursday April 15, 5:00pm

Cryptography (Overview)

SYLLABUS. CISS 300 Introduction to Information Systems Security Section UNIT CLASS NAME AND TITLE (COURSE CODE):

Your security on click Jobs

Hi Bob, I got this from my colleagues near the end of last week and unfortunately lost track of it in my inbox to send you.

ITS310: Introduction to Computer Based Systems Credit Hours: 3

Public-Key Infrastructure NETS E2008

What did we talk about last time? Public key cryptography A little number theory

Concordia University. Engineering & Computer Science WRITING ABOUT NUMBERS BCEE 6961 GRADUATE SEMINAR IN BUILDING AND CIVIL ENGINEERING

College Board IDOC Frequently Asked Questions

Week 5: Background. A few observations on learning new programming languages. What's wrong with this (actual) protest from 1966?

Syllabus for HPE 451 Directed Study 1-3 Credit Hours Spring 2014

6 Public Key Infrastructure 6.1 Certificates Structure of an X.509 certificate X.500 Distinguished Name and X.509v3 subjectalternativename

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Keep Track of Your Passwords Easily

ECA Trusted Agent Handbook

Asking for information (with three complex questions, so four main paragraphs)

EXAM PREPARATION GUIDE

COLÁISTE NA hollscoile, CORCAIGH UNIVERSITY COLLEGE, CORK

FAQ: Crawling, indexing & ranking(google Webmaster Help)

ALL DEFERRED EXAMINATION APPLICATIONS MUST BE SUBMITTED WITHIN 7 DAYS OF THE SCHEDULED EXAM DATE

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

INFORMATION SYSTEMS EXAMINATIONS BOARD

Learning PHP, MySQL, JavaScript, And CSS: A Step-by-Step Guide To Creating Dynamic Websites PDF

BCS Examination Guidance for the Practitioner Software Asset Management Examination

Chapter 4 The Companion Website A Unique Online Study Resource 4.1 Locating Companion Web sites

During the first 2 weeks of class, all students in the course will take an in-lab programming exam. This is the Exam in Programming Proficiency.

ETSF05: Internet Protocol Routing Project Assignment

News English.com Ready-to-use ESL / EFL Lessons

Frequently Asked Questions about PowerSchool

Solutions to Final. Solutions to Final. May 18th CS170 David Wolfe ALWAYS TRUE SOMETIMES TRUE NEVER TRUE

Cryptography III Want to make a billion dollars? Just factor this one number!

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

ÓBUDA UNIVERSITY, BUDAPEST SSL CERTIFICATES

Aula 6 BODY PARAGRAPH II: TRANSITIONS. Marcle Vanessa Menezes Santana. META This class aims at practising body paragraphs.

How to Apply Online. Guidance for Pre-sessional Students

Instructions for Exam Entry May 2012

EXAM PREPARATION GUIDE

INCOGNITO TOOLKIT: TOOLS, APPS, AND CREATIVE METHODS FOR REMAINING ANONYMOUS, PRIVATE, AND SECURE WHILE COMMUNICATING, PUBLISHING, BUYING,

Azon Master Class. By Ryan Stevenson Guidebook #5 WordPress Usage

Chapter 3. Set Theory. 3.1 What is a Set?

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Azon Master Class. By Ryan Stevenson Guidebook #7 Site Construction 2/3

Creating accessible forms

SYLLABUS. CISN 308 Internetworking with TCP/IP Section Units CISN 302 CLASS NAME AND TITLE (COURSE CODE): Prerequisites:

A Remote Biometric Authentication Protocol for Online Banking

UCD School of Information and Library Studies. IS30020: Web Publishing

Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)

Main area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation

Presenting Online in Elluminate Live!

Transcription:

Computer Security module Revision notes Mark D. Ryan June 2010 There won't be a revision lecture for the Computer Security module. Instead, these notes are provided to help you prepare for the exam. Revision advice Focus on understanding principles, not learning boring details. You don't need to be able to recall a lot of detail that you would normally access in books or on the web. However, you do need to demonstrate thorough understanding. In exams that I set, if lot of detail is needed to answer a question, that detail will be given as part of the question. Example: You don't need to know the details of the FOO'92 protocol. An exam question that asks about FOO'92 would remind you of the details. However, you need to demonstrate thorough understanding. (Exam question 3, 2009.) Similarly, you don't need to remember all the details of the attestation protocol from trusted computing, but you have to demonstrate understanding of it (Exam question 3, 2008). Working on past exam questions is a good idea. Past questions are available on the module web page. But please bear in mind that the set of topics covered in each year varies considerably. Only topics of this year will be in this year's exam. They are marked with * on the module page. Exam advice Answer the question posed (and only the question posed). Try to make your answer as simple as possible, while ensuring it fully answers the question. You won't get credit for saying things that are not asked for in the question. DO: Read the question fully. Don't guess what it says. DO: If the question asks for a yes/no answer, be sure you say "yes" or "no", unambiguously. DO: If the question asks you to "give your reasons" or "explain your answer", give the reasons or the explanation. DON'T: Don't write random facts that you think are vaguely related to the question. It is just wasting your time. DON'T: Write hurriedly, or change your mind while writing. It will result in an answer that is not intelligible, and you will get 0. DON'T: Write a long essay. A short answer that directly addresses the question is worth much more than a long waffly one, and will be marked accordingly. Your answer must be abolutely clear, totally legible, and precise and concise.

Getting advice from me Instead of attending a revision lecture, you are invited to ask me questions by email during Revision Week 1 (26-30 April 2010). I will send my replies to the entire set of students on the module (but I will remove your name, so people won't know who asked what question). I will provide model answers for up to three exam questions. To vote on which ones you would like, use this doodle poll. You must vote by 30 April 2010. http://www.doodle.com/p75mnpa3qx8qypfn Past exam question Here, we look at a past exam question, and some answers that were submitted. Try yourself to mark the answers, before looking at the marks they actually got. The question... 3. Key certificates (a) What is a certificate authority? Explain a scenario in which they are useful. [9%] (b) What is the web of trust model in PGP? [8%] (c) Alice receives an email, apparently signed using a PGP private key by Bob. She does not know Bob's public key, but she knows and has signed the public keys of Carol and Dave. Dave has signed the keys of Alice, Bob and Eve. Eve has signed Carol's and Dave's keys. Alice has "complete trust" in Dave, and "part trust" in Carol and Eve. Should Alice accept the signature on Bob's email? Explain your answer, specifying any assumptions you make about PGP. [8%] (d) Sally has gone to the police with an email she says is from Richard, in which he threatens to kill her. Richard denies writing the email, even though it is signed with his PGP key, and plenty of Richard's friends have digitally signed Richard's key certificate confirming that it is indeed his PGP key. The police consult you in order to find out whether it can be proved beyond reasonable doubt that Richard wrote the email. Advise them. [8%] The answers... We look at some answers to part (a) only.

Answer 1 : The examiner will spend 3 seconds to come to the conclusion that this answer is nonsense. The examiner will not try to make sense of it or find parts of it that have a snippet of truth. He will simply give it zero. Note that it doesn't say what a CA is, and it doesn't give anything like what one could call a scenario in which CAs are useful. Mark awarded: 0/9

Answer 2 It does not make sense to say "assures that A's public key is A's". It is necessarily the case that what belongs to A belongs to A. However, the definition is basically correct. The example scenario is nonsense. Firstly, it is not a scenario in which a CA is useful; it is rather an elaboration of how the writer thinks a CA is used. Secondly, it seems to want to conclude that a CA helps an agent B to trust an agent A. This is incorrect. A CA merely testifies to A's public key; it does not help you decide whether to trust A or not. Marks awarded: 3/9.

Answer 3 A certificate authority is not an assertion. "Your browser needs to verify that the web site is secure" -- too vague. What exactly does it verify, and how? "If you want...", "your browser..." -- it is better to use professional language rather than colloquial language. The scenario isn't properly detailed. What is the exact security guarantee? Trust in the target web site (yahoo above) is not the issue. Mark awarded: 3/9

Answer 4 Since the word "authority" is part of what we are trying to define, we should avoid using it in the definition. "Ensure" is an inappropriate word here. A CA testifies, asserts, or signs, or states; but it doesn't ensure. The scenario given seems to have the right idea about the possibility that someone might be pretending to be someone else, but it suggests that the CA can directly assure that information comes from an entity, which is incorrect. The answer doesn't mention public keys, which are a crucial aspect of certificate authorities. Mark awarded: 5/9. That was probably too generous.

Answer 5 A good answer. The definition and the scenario are clear. One might quibble about the word "document". Mark awarded: 9/9.

Answer 6 Another good answer. The definition and the scenario are clear. Mark awarded: 9/9 My answer (a) What is a certificate authority? Explain a scenario in which they are useful. [9%] A certificate authority is an entity that issues public key certificates -- that is, digitally signed statements asserting that a certain key is the public key of a certain entity. A certificate authority is useful if one entity A wishes to reliably ascertain the public key of another, B, say in order to send B a message encrypted with its public key. The entity A can obtain B's public key certificate from a certificate authority that it trusts. A certificate authority is useful if, for example, a user A wishes to obtain a secure web session with her bank B. A's browser software can obtain B's public key certificate from a certificate authority, and thereby be sure that the session really is with B and not with an imposter. : The question is of the form "What is X?". Therefore the answer should begin "X is...". It is quite difficult to construct a good sentence that begins "A certificate authority is...", but that is what is required.

The two bullet points are alternatives. I would award full marks to the first paragraph plus either of the bullet points. (b) What is the web of trust model in PGP? [8%] The web of trust model is a mechanism for confirming that a certain entity owns a certain public key. It works by adding up degrees of trust from several other entities. The evidence that entity Alice has that entity Bob's public key is a certain value is computed by adding up the evidence she has about the public key of each person who has signed key certificates linking Bob to that key. : Again, a "what is X?" question, so the answer must begin "X is...". You probably cannot say exactly what it is in a single sentence, though, so you can add more sentences. Make sure each of your additional sentences contributes directly to explaining what it is. (c) Alice receives an email, apparently signed using a PGP private key by Bob. She does not know Bob's public key, but she knows and has signed the public keys of Carol and Dave. Dave has signed the keys of Alice, Bob and Eve. Eve has signed Carol's and Dave's keys. Alice has "complete trust" in Dave, and "part trust" in Carol and Eve. Should Alice accept the signature on Bob's email? Explain your answer, specifying any assumptions you make about PGP. [8%] Yes, Alice should accept the signature, assuming that the signature is valid. She trusts Dave completely and knows his key. Dave has signed Bob's key, so according to the rules of PGP, Alice should accept the value for Bob's key. She can use it to verify the signature on his email. If the signature is valid using Bob's public key, then she should accept it. : The question demands a yes/no answer, so you should almost always begin "Yes" or "No". In this case, the question didn't say whether the signature is valid, so we can add that proviso. If a question demands a yes/no answer but there are circumstances that you need to take into account that are not defined in the question, you could explain those rather than give a direct "yes"/"no". (d) Sally has gone to the police with an email she says is from Richard, in which he threatens to kill her. Richard denies writing the email, even though it is signed with his PGP key, and plenty of Richard's friends have digitally signed Richard's key certificate confirming that it is indeed his PGP key. The police consult you in order to find out whether it can be proved beyond reasonable doubt that Richard wrote the email. Advise them. [8%] Whether this evidence is sufficient or not depends on some circumstances which are not specified in the question -- e.g., whether other people could have sent the email on behalf of Richard, by using his computer while he is logged in but temporarily absent, by obtaining his private key from a disk, by coercion, etc. The police should be advised to investigate these possibilities. It is also possible that the public key is not Richard's, even though other people have signed saying it is. The police should also consider that possibility.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback