IT Cryptography


Part 1: Short Answer. Answers should be no longer than a few sentences. "Bulletized" lists or small tables may be used for the sake of brevity. (4 points each; partial credit may be given if work is clearly shown)

1. (4 points) Give a specific example of how inference control might be implemented in a database.

2. (4 points) For a public-key encryption system (such as PGP), list some reasons for and against using the same key pair for both encryption and signature.

3. (4 points) Compare and contrast PKI and Kerberos.

4. (4 points) PKI has not been widely successful, partly because users don't trust digital signatures. Give some reasons for that distrust.

5. (4 points) Suggest some ways to address the "crypto dilemma," along with the pros and cons of each.

6. (4 points) Please concur with, dispute, or qualify the following statement: "The strong ciphers produced by the Enigma machine are the result of complex mathematical trapdoor functions used to encrypt messages." Be sure to state your reason(s).

7. (4 points) What can be done to prevent wayward system administrators from simply looking up user passwords in a host machine's password file?

8. (6 points) Give a specific example (and a reason) of data for which:

a. Confidentiality is more important than integrity.

b. Integrity is more important than confidentiality.

c. Availability is more important than confidentiality.

9. (4 points) Compare and contrast Pretty Good Privacy, as we used it in our class this semester, and PKI.

10. (4 points) What challenges must be addressed to provide email security?

11. (4 points) A particular cipher is implemented using the XOR function. It can even be implemented as a triple XOR: in the process of encrypting a message, each character is XORed three times, once with each of three different keys (pseudorandom bytes). If the three keys are 01101101, 10011100, and 11001010,

a. (2 pts) What is the ciphertext (in binary form) generated by the encryption of the character B? (Please show your work.)

b. (2 pts) What is the plaintext if the ciphertext is 01111101? (Please show your work.)
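Added example (not part of the exam paper) working question 11 in Python with the three key bytes given above; the function names are my own. It also shows the point a grader would look for: because XOR is associative and commutative, XOR-ing three times with fixed keys is the same as XOR-ing once with the combined key k1 ^ k2 ^ k3, so the extra layers add no strength over a single-key XOR.

```python
# The three key bytes from question 11, in the order they are applied.
KEYS = (0b01101101, 0b10011100, 0b11001010)


def combined_key(keys=KEYS):
    """Fold the three keys into one: (p ^ k1) ^ k2 ^ k3 == p ^ (k1 ^ k2 ^ k3)."""
    k = 0
    for key in keys:
        k ^= key
    return k


def triple_xor_encrypt(plain_byte, keys=KEYS):
    """Apply each key in turn, as the question describes.

    Returns the final byte and the intermediate results (8-bit strings)
    so the work can be shown step by step.
    """
    state = plain_byte
    steps = []
    for key in keys:
        state ^= key
        steps.append(f"{state:08b}")
    return state, steps


def triple_xor_decrypt(cipher_byte, keys=KEYS):
    """XOR is its own inverse, so decryption is the same three operations."""
    return triple_xor_encrypt(cipher_byte, keys)[0]


def worked_answers():
    """Part (a): encrypt 'B'. Part (b): decrypt 01111101.

    Returns (ciphertext bits, plaintext bits, plaintext character).
    """
    cipher, _ = triple_xor_encrypt(ord("B"))
    plain = triple_xor_decrypt(0b01111101)
    return f"{cipher:08b}", f"{plain:08b}", chr(plain)


if __name__ == "__main__":
    cipher, steps = triple_xor_encrypt(ord("B"))
    print(f"B = {ord('B'):08b}")
    for key, step in zip(KEYS, steps):
        print(f"  XOR {key:08b} -> {step}")
    print(f"combined key k1^k2^k3 = {combined_key():08b}")
    print("part (a):", f"{cipher:08b}", " part (b):", worked_answers()[1:])
```

Note that `ord("B") ^ combined_key()` gives the same ciphertext as the three separate steps, which is why a "triple XOR" with static keys is no harder to break than a single XOR.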

1. (4 points) You have been hired to advise the developers of two new products within a company on the use of cryptography.

a. Group A is developing a product that will encrypt each user's data before storing it on the hard disk and decrypt it as it is accessed. Confidentiality should be preserved. They want to know what encryption algorithms to use, and how they should be used to achieve their goals. What advice would you give this group?

b. Group B is developing a product that will allow users to send encrypted messages to other users around the world. Users typically do not know each other directly, but they should be able to send messages for which integrity and confidentiality are preserved. They want to know what encryption algorithm(s) to use, and how it (they) should be used to achieve these goals. What advice would you give this group?

2. (4 points) You've been tasked by your boss to design a computer program that can detect encrypted files. List some ways that you could accomplish this.

3. (4 points) Given that each PEM message is encrypted with its own per-message key, why is an initialization vector (IV) also provided? What RFC specifies the use of an IV?

4. (4 points) Substantiate or refute the following statement: If there is a revocation process, public-key infrastructure (PKI) certificates do not need to contain an expiration date.

5. (4 points) Give a specific example of how a computer virus might be implemented using cryptography.

6. (4 points) How can multi-level access control be implemented for government and military applications?

7. (4 points) Compare and contrast CALEA and PDD 63.

8. (4 points) What security features could be provided without changing the mail delivery infrastructure, i.e., by only running special software at the source and destination?

9. (4 points) Computer system #1 requires logon passwords to be five upper-case letters. How many different passwords are there for system #1? Computer system #2 requires logon passwords to be five characters, each of which may be an upper- or lower-case letter, one of the digits 0 through 9, or one of the characters $ and %. How many different passwords are there for system #2?

10. (4 points) How does Kerberos help with the key management problem?

Part 2: Essay Question. Maximum length: three (3) pages. (10 pts.)

An enterprising group of entrepreneurs is starting a new data storage and retrieval business, StoreItRite, Inc. For a fee, the new company will accept digitized data (both text and images) and store it on hard drives until needed by the customer. Customer data will be transmitted to and from StoreItRite over the Internet. StoreItRite guarantees that the data's confidentiality and integrity will be maintained.

StoreItRite also envisions some information assurance requirements for their internal operations. Company employees will need to exchange confidential email, and will need a mechanism for verifying the integrity and originator of some email messages. Also, StoreItRite intends a daily backup of all customer data to a remote facility via a leased line. They wish to do so as economically as possible, while ensuring the data's confidentiality and integrity.

StoreItRite is interviewing candidates for the position of Chief Information Officer (CIO). They are asking candidates to describe briefly how they would satisfy StoreItRite's requirements as stated above. How would a successful candidate respond?