
WRES3301 Sample Answer 1

1. What and why cryptography?
Cryptography is the study of ways to convert information from its normal, comprehensible form into an obscured guise, unreadable without special knowledge. For the most part, people use cryptography to protect information. Sometimes they are trying to keep something secret; sometimes they are trying to keep something from being changed; sometimes they are trying to ensure that the person responsible for something is clearly identifiable.

2. Define the CIA security terms.
Confidentiality - Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
Integrity - Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity.
Availability - Ensuring timely and reliable access to and use of information.

3. What could result from the loss of CIA?
A loss of Confidentiality is the unauthorized disclosure of information.
A loss of Integrity is the unauthorized modification or destruction of information.
A loss of Availability is the disruption of access to or use of information or an information system.

4. Differentiate between passive and active attacks.
Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.

Solving the problem. Consider an implanted medical device that monitors and records data about a patient's health and stores the information locally. To access the data, authorized personnel must transmit a PIN to the implanted device, and once authorized, electronically request specific portions of the data. Give examples of confidentiality, integrity and availability requirements associated with the system.
Confidentiality - Only authorized personnel must be able to obtain information from the implanted unit. This is of high importance, since personal health information in the wrong hands can, in some cases, lead to severe health risks to the patient. In this case, confidentiality implies that a valid PIN is not easy to forge, nor is it possible to copy one from an authorized source.

Integrity - The information collected by the implanted unit must not be tampered with, and when data is requested from the unit, the retrieved data must match that which was collected by the implanted unit. This is of high importance, since incorrect information might lead to incorrect or untimely treatment, which can result in severe health risks to the patient.

Availability - Collected data must be retrievable at all times by an authorized party. The importance of this requirement depends on the type of information that is being collected. For example, availability is of high importance for heart rate monitors, while information regarding sleep patterns can be accessed less frequently without much loss of utility to the system.
