CS 417 Exam 3
Spring 2007
Part I - 24 points
- 6 points
(a) How is a nonce used for authentication in public-key cryptography? Give a simple example of Alice authenticating Bob.
(b) How is a nonce used for authentication in symmetric cryptography? Give a simple example of Alice authenticating Bob.
- 6 points
What is the purpose of a ticket (sealed envelope) in Kerberos?
- 6 points
How do you use an X.509 digital certificate to validate signed software?
- 6 points
Northrop Grumman developed a mobile electronic fingerprinting system for use by the UK police. A search of 6.6 million prints takes under five minutes. An index into a database of 6.6 million records generally takes only a few milliseconds. Why does the fingerprint search take so long?
Part II - 76 points
For each statement, select the most appropriate answer.
- Strict two-phase locking differs from two-phase locking in that it:
(a) Relies on atomic multicasts.
(b) Ensures that other transactions do not have to abort because they read data that was modified.
(c) Has a shrinking phase that does not start until the growing phase is complete.
(d) Requires mandatory locks rather than advisory locks.
- Optimistic concurrency control schemes do not assume:
(a) All data that may potentially be used by a transaction should be locked.
(b) Transactions are likely to complete and not abort from accessing resources out of order.
(c) Locking is not necessary because the chance of transactions accessing the same data is low.
(d) It is more efficient to put effort into restoring data from aborted transactions than to keep it from getting corrupt in the first place.
- TCP/IP achieves fault tolerance through:
(a) Information redundancy.
(b) Time redundancy.
(c) Physical redundancy.
(d) Triple modular redundancy.
- A k-fault-tolerant system (one that withstands k faults) with fail-silent faults requires:
(a) k+1 components.
(b) 2k+1 components.
(c) k² components.
(d) k²+1 components.
- A k-fault-tolerant system (one that withstands k faults) with Byzantine faults requires:
(a) k+1 components.
(b) 2k+1 components.
(c) k² components.
(d) k²+1 components.
- A challenge/response authentication system uses:
(a) Your PIN, a seed/password on the authenticator device, and a value from the remote system.
(b) Your PIN, a seed/password on the authenticator device, and the time of day.
(c) Your PIN and a seed/password on the authenticator device.
(d) A seed/password on the authenticator device and the time of day.
- An X.509 digital certificate contains:
(a) Your public key and your encrypted private key.
(b) Your public key and the certificate issuer's public key.
(c) Your public key and your digital signature.
(d) Your public key and the certificate issuer's digital signature.
- Secure Sockets Layer (SSL or TLS) is an example of:
(a) A public-key cryptosystem.
(b) A symmetric cryptosystem.
(c) A hybrid cryptosystem.
(d) A restricted cryptosystem.
- A null cipher is:
(a) A cipher that does no encryption, used for testing protocols.
(b) A cipher that uses an empty key, essentially a restricted cipher.
(c) A technique for transposing data to make it unintelligible.
(d) A technique for hiding a message inside irrelevant data.
- Extracting a message that is hidden with chaffing and winnowing requires:
(a) Being able to validate a signature on a message.
(b) A brute force attack to extract the key.
(c) Figuring out the pattern of good and bad messages.
(d) Being able to decrypt the message.
- To allow traffic to your web server (port 80) but not your mail server (port 25), you need:
(a) A stateless packet filter.
(b) A stateful packet filter.
(c) An application proxy.
(d) A screened subnet.
- The following machines belong inside a DMZ:
(a) Systems offering services to the external network.
(b) Systems offering services to the internal network.
(c) User machines inside an organization.
(d) Secure systems inside an organization, such as logging servers and backup servers.
- Getting a password by masquerading as the system administrator is an example of:
(a) A dictionary attack.
(b) A Trojan horse.
(c) Social engineering.
(d) A brute-force attack.
- What can a personal firewall block that a network firewall cannot?
(a) Packets that are masqueraded to look as if they are from the internal network.
(b) Corrupt software making network connections from your computer.
(c) Attempts to access the mail server on your system.
(d) Users on your system surfing the web.
- A tunnel relies on:
(a) Packet encapsulation.
(b) Address/port translation.
(c) Encryption of the packet header.
(d) Encryption of the entire packet.
- Limiting the rate of incoming TCP packets per source address requires:
(a) A stateless packet filter.
(b) A stateful packet filter.
(c) An application proxy.
(d) A screened subnet.
- SYN flooding is used to:
(a) Allow a TCP session to be hijacked.
(b) Cause a machine to stop responding to the network.
(c) Cause a machine to stop accepting TCP connections.
(d) Cause a machine to crash.
- Which security approach is not practical under Microsoft Windows Server 2003?
(a) Authentication.
(b) Authorization.
(c) Accounting.
(d) Auditing.
- The purpose of a sandbox is to:
(a) Validate code before executing it.
(b) Ensure that only authenticated users have access to code within the sandbox.
(c) Provide an interpreted environment for executing code.
(d) Provide a restricted environment for code execution.