Part A : 60 Marks
Answer the following questions :
1. The total processing speed of microprocessors (based on clock rate and number of circuits) is doubling roughly every year. Today, a symmetric session key needs to be 100 bits long to be considered strong. How long will a symmetric session key have to be in 30 years to be considered strong? – 5 Marks
2. How do NIST criteria for selection of DES and AES relate to Shanon’s original standards of a good cryptographic system? What are the significant differences? How do these standards reflect a changed environment many years after Shannon wrote his standards? – 15 Marks
3. A program is written to compute the sum of the integers from 1 to 10. The programmer, well trained in reusability and maintainability, writes the program so that it computes the sum of the numbers from k to n. However, a team of security specialists scrutinizes the code. The team certifies that this program properly sets k to 1 and n to 10; therefore, the program is certified as being properly restricted in that it always operates on precisely the range 1 to 10.
(a) Explain different ways that this program can be sabotaged so that during execution it computes a different sum, for example, 3 to 20. – 10 Marks
(b) One means of limiting the effect of an untrusted program is confinement: controlling what processes have access to the untrusted program and what access the program has to other processes and data. Explain how confinement would apply to the above example. – 15 Marks
4. The distinction between a covert storage channel and a covert timing channel is not clear-cut. Every timing can be transformed into an equivalent storage channel. Explain how this transformation could be done. – 15 Marks
Part B : 20 Marks
1. Research the TJX data breach case on the web and answer the following questions.
a. Was the TJX break-in due to a single security weakness or multiple security weaknesses? Explain.
b. Suggest a set of measures which probably would have prevented the TJX data breach. Justify your answer.
c. Which of the CIA goals did TJX fail to achieve in this attack?
This assessment task is based on the following topics discussed in the subject: the overview of Information security fundamentals, security threats, cryptography, malicious software and its countermeasures, operating system security and software security .
The assessment task is aligned with the following learning outcomes of the subject:
On successful completion of this subject, students will
be able to justify security goals and the importance of maintaining the secure computing environment against digital threats;
be able to explain the fundamental concepts of cryptographic algorithms;
be able to examine malicious activities that may affect the security of a computer program and justify the choice of various controls to mitigate threats.