CSCI5233 Fall 2011 Midterm Exam 10/6/2011

Test time: 100 minutes (maximum, no extension)

Your name: ____________    Score: ____ / 50

Note:

This is a closed-book exam.

You may use a calculator, but sharing a calculator (or anything else) is NOT allowed.

If you write your answers on the back of a page, make sure it is clearly indicated on the front page.

Try to provide precise answers. Always answer directly in response to the given questions.

Budget your time over the questions!

Important: Your writing should be easy to read. When possible, try to print your answers.

1.  Suppose your company is the provider of a popular online application, which allows users to share personal information and files with a group of selected users. A vendor is trying to sell your company a security appliance, which the vendor claims can provide user authentication and data integrity. You are required to evaluate the security appliance with respect to its security properties.

1.1.  (5 pts) Explain what data integrity is in your application, and how you’ll determine whether the security appliance would provide such a property.

1.2.  (5 pts) Explain what user authentication is in your application, and how you’ll determine whether the security appliance would provide such a property.

2.  In a messaging protocol, where users send messages to each other, is it possible that the protocol provides creator origin integrity but not sender origin integrity?

2.1.  (5 pts) First of all, explain what creator origin integrity and sender origin integrity respectively mean.

2.2.  (5 pts) Explain how the protocol would provide creator origin integrity.

2.3.  (5 pts) Explain why the mechanism that provides creator origin integrity may not provide sender origin integrity.

3.  (5 pts) In general, a security mechanism is adopted in order to enforce a certain security policy. Suppose a company allows its employees to access the company’s database and application servers using a mobile device. One of the policies concerning mobile devices is that all data exchanges between a mobile device and a server must be tamper-proof. Furthermore, because of the limited power of a mobile device, only symmetric ciphers are allowed to be used. Explain how this policy may be enforced. Give details of the enforcing mechanism.

4.  Consider a computer system with three users: Alice, Bob, and Cindy. Suppose each of them has a pair of private and public keys, that is, (Alice_priv, Alice_pub) for Alice, and so on. The following questions should be answered in the context of public key cryptography.

4.1.  (5 pts) Suppose Alice wants to send a session key to Cindy such that Cindy can be sure that the session key actually comes from Alice, and not anybody else. Alice decides to use her own private key to encrypt the session key, and then sends the ciphertext over to Cindy. When receiving the ciphertext, Cindy can decrypt it using Alice’s public key in order to retrieve the session key. Would such a protocol enable Cindy to trust that the session key was indeed created by Alice? Justify your answer.

4.2.  (5 pts) Does there exist a mechanism that allows Alice and Cindy to share a session key but does not require the key to be transmitted over the network? Explain what that mechanism is.

5.  Suppose that Alice has selected her RSA public key (n = 45; e = 7).

5.1.  (5 pts) Bob has encrypted the plaintext message m using Alice’s RSA public key. The resulting ciphertext c was sent to Alice. Show how Alice would decrypt c using her RSA private key.

5.2.  (5 pts) What is Alice's private key d? Use the Extended Euclidean Algorithm (EEA) discussed in class to derive the answer. Clearly show how you would derive the private key by using the method.