SS ZG513 (EC-2 Regular) Second Semester 2009-2010 Page 1 of 2
Birla Institute of Technology & Science, Pilani
Work-Integrated Learning Programmes Division Second Semester 2009-2010
Comprehensive Examination (EC-2 Regular)
Course No. : SS ZG513
Course Title : NETWORK SECURITY
Nature of Exam : Open Book
Weightage : 60%
Duration : 3 Hours
Date of Exam : 03/04/2010 (FN)
Note:
1. Please follow all the Instructions to Candidates given on the cover page of the answer book.
2. All parts of a question should be answered consecutively. Each answer should start from a fresh page.
3. Mobile phones and computers of any kind should not be used inside the examination hall.
4. Use of any unfair means will result in severe disciplinary action.
Q.1. Consider a situation where cryptography is used in virtual elections. Computerized voting is likely to become common in the next few decades. In such a system, each voter casts his vote electronically and sends it to the Election Authority (EA).
(a). Suppose you are assigned the task of designing a secure system for virtual voting. What security properties would you want it to provide? [5]
(b). Consider the following protocol.
i. Each voter casts the vote and encrypts it with the public key of the EA.
ii. Each voter sends the encrypted vote to the EA.
iii. The EA decrypts all the votes to retrieve the original votes, tabulates them, and announces the result of the election.
What are the merits and demerits of this protocol? [5]
(c). Write a secure protocol that overcomes the demerits in part (b) while preserving the merits. [10]
Q.2. The purpose of the following protocol is to securely distribute a session key Ks to A and B. KDC is the Key Distribution Centre. Ka and Kb are the keys shared between the KDC and A and B respectively. [10]
(a). Explain each step in terms of what its purpose is and how it achieves it.
(b). What are the flaws of this protocol? How can the protocol be improved to overcome them?
1. A → KDC: IDA || IDB || N1
2. KDC → A: E(Ka, [Ks || IDB || N1 || E(Kb, [Ks || IDA])])
3. A → B: E(Kb, [Ks || IDA])
4. B → A: E(Ks, N2)
5. A → B: E(Ks, f(N2))
No. of Pages = 2 No. of Questions = 6
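The five-step exchange of Q.2, run end to end by all three parties, as an added example that is not part of the exam paper. E(K, M) is stood in for by a toy stdlib-only authenticated cipher (HMAC-SHA256 keystream plus tag) so the script runs offline; the class and function names are my own, and f(N2) is taken to be N2 + 1. The last function shows the property part (b) is driving at: step 3 carries nothing that lets B judge whether Ks is fresh, so an attacker who has recovered an old Ks can replay the recorded ticket and complete steps 4 and 5.

```python
import hashlib, hmac, json, os

# Toy E(K, M) standing in for the exam's notation: HMAC-SHA256 keystream plus an
# HMAC tag so tampering is detected. Illustration only; use a real AEAD in practice.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def f(n2):
    return n2 + 1   # the agreed transformation f(N2); assumed here, any non-identity function works

class KDC:
    def __init__(self, keys):
        self.keys = keys     # {ID: key shared with that principal}, i.e. Ka and Kb
    def step2(self, id_a, id_b, n1):
        ks = os.urandom(16).hex()
        ticket = enc(self.keys[id_b], {"Ks": ks, "IDA": id_a})            # E(Kb, [Ks||IDA])
        return enc(self.keys[id_a], {"Ks": ks, "IDB": id_b, "N1": n1, "ticket": ticket.hex()})

class Responder:        # B
    def __init__(self, kb):
        self.kb = kb
    def step4(self, ticket):        # receives step 3, replies with step 4
        t = dec(self.kb, ticket)    # nothing in the ticket tells B whether Ks is fresh
        self.ks, self.peer = bytes.fromhex(t["Ks"]), t["IDA"]
        self.n2 = int.from_bytes(os.urandom(8), "big")
        return enc(self.ks, {"N2": self.n2})
    def check_step5(self, msg):
        return dec(self.ks, msg)["resp"] == f(self.n2)

def initiator_run(id_a, id_b, ka, kdc, b):
    n1 = int.from_bytes(os.urandom(8), "big")
    m2 = dec(ka, kdc.step2(id_a, id_b, n1))                        # steps 1 and 2
    if m2["N1"] != n1 or m2["IDB"] != id_b:
        raise ValueError("KDC reply is stale or names the wrong peer")
    ks, ticket = bytes.fromhex(m2["Ks"]), bytes.fromhex(m2["ticket"])
    n2 = dec(ks, b.step4(ticket))["N2"]                            # steps 3 and 4
    return b.check_step5(enc(ks, {"resp": f(n2)})), ks, ticket     # step 5

def replay_step3(b, old_ticket, old_ks):
    """An attacker who later learned an old Ks replays the recorded step-3 ticket.
    B cannot tell it is old, so the attacker finishes steps 4 and 5 and B accepts."""
    n2 = dec(old_ks, b.step4(old_ticket))["N2"]
    return b.check_step5(enc(old_ks, {"resp": f(n2)}))

def demo():
    ka, kb = os.urandom(32), os.urandom(32)
    kdc, b = KDC({"A": ka, "B": kb}), Responder(kb)
    accepted, ks, ticket = initiator_run("A", "B", ka, kdc, b)
    return accepted, replay_step3(b, ticket, ks)   # (True, True): honest run and replay both accepted
```

Note that A does check freshness (N1 in step 2) and B does check that its peer holds Ks (steps 4 and 5); what B never learns is whether Ks is current. The standard remedy, binding a timestamp or a nonce chosen by B into the ticket, is the kind of improvement part (b) asks for.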
Q.3. How does SET protect customers' payment information from the merchant and still allow the merchant to present the credit card information to the payment gateway? [5]
Q.4. Consider the following problems in regard to passwords. [10]
(a). Generally, systems don't store user passwords in clear text. What are the problems if they are stored in clear text? How are they overcome?
(b). Consider a client-server architecture. Clients authenticate to the server by providing a login and password. If the clients send the login and password to the server in the clear, an attacker listening to the traffic can learn the password. One way to overcome this problem is to let the server store the message digest of the password and have the client always send the message digest of the password, never the actual password. In this case, there is still a possibility that an attacker captures the login and message digest by listening to the traffic and resends them later to the server; the server will authenticate the attacker as well. Propose a solution that does not allow such attacks. Give clear justifications.
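The two schemes contrasted in Q.4(b), as an added example that is not part of the exam paper: the digest-only login the question describes, shown being replayed, next to a nonce challenge-response in which the captured transcript is useless a second time. Credentials, class and function names are constructed for the demo; the server stores H(password) in both cases so that the difference is purely the protocol.

```python
import hashlib, hmac, secrets

# Constructed demo credentials (not from the exam paper).
USERNAME, PASSWORD = "alice", "correct horse battery staple"

def static_digest(password):
    """Q.4(b) as stated: the client sends H(password) instead of the password."""
    return hashlib.sha256(password.encode()).hexdigest()

class StaticDigestServer:
    def __init__(self, users):
        self.users = users                                  # {login: H(password)}
    def login(self, user, digest):
        return hmac.compare_digest(self.users.get(user, ""), digest)

class ChallengeResponseServer:
    """Server still stores H(password); every login is bound to a fresh one-time nonce."""
    def __init__(self, users):
        self.users, self.pending = users, {}
    def challenge(self, user):
        nonce = secrets.token_hex(16)
        self.pending[user] = nonce                          # one outstanding challenge per user
        return nonce
    def login(self, user, nonce, response):
        issued = self.pending.pop(user, None)               # consumed here: a nonce is never reusable
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        expected = hmac.new(self.users.get(user, "").encode(), nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)

def client_response(password, nonce):
    """Client proves knowledge of H(password) without sending it: HMAC over the nonce."""
    return hmac.new(static_digest(password).encode(), nonce.encode(), hashlib.sha256).hexdigest()

def demo():
    users = {USERNAME: static_digest(PASSWORD)}
    # (1) static digest: an eavesdropper records (login, digest) and simply resends it
    s1 = StaticDigestServer(users)
    captured = (USERNAME, static_digest(PASSWORD))
    legit1 = s1.login(*captured)
    replay1 = s1.login(*captured)                           # accepted again: the flaw in the question
    # (2) challenge-response: the recorded (nonce, response) pair is tied to a consumed nonce
    s2 = ChallengeResponseServer(users)
    n = s2.challenge(USERNAME)
    r = client_response(PASSWORD, n)
    legit2 = s2.login(USERNAME, n, r)
    replay2 = s2.login(USERNAME, n, r)                      # same transcript again: rejected
    n_fresh = s2.challenge(USERNAME)
    forged = s2.login(USERNAME, n_fresh, r)                 # old response to a new nonce: rejected
    return legit1, replay1, legit2, replay2, forged         # (True, True, True, False, False)
```

Two caveats a practitioner would add. Because the server stores H(password) and the client keys its response with the same value, that stored digest is password-equivalent: whoever copies the server's table can answer challenges without knowing the password, so the table needs the same protection as clear-text passwords would. And an unsalted SHA-256 of a password is cheap to guess offline, which is exactly the concern part (a) points to.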
Q.5. Assume a stateless packet-filter firewall is installed between an enterprise network and the external Internet, for the purpose of protecting users on the enterprise network. Explain which of the following attacks can be detected and mitigated (to a significant degree) by the firewall. Justify your answer. [8]
(a). Port sweep: scanning multiple hosts for a specific listening port.
(b). SYN flooding: a form of denial-of-service attack in which an attacker sends a succession of TCP SYN requests to a target's system.
(c). Phishing: an attack in which users are asked to visit a known bad web site. Phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication.
(d). Viruses in incoming email addressed to enterprise users.
Q.6. Given the plaintext MESSAGE, compute the ciphertext for the following algorithms with the specified keys. In all cases, map the alphabetic characters to their numeric position in the alphabet (e.g., A=1, B=2, ..., Z=26). [7]
(a). Caesar cipher with key = 8
(b). RSA cipher with block length 1 character and public key (3, 899)