
Answers to assignment III (Wondwossen Degefu)

1. Which of the following are true about sending a PGP message from Alice to Bob?

A. The plaintext is enciphered with Alice's public key
B. The plaintext is enciphered with Alice's private key
C. The plaintext is enciphered with Bob's public key
D. The plaintext is enciphered with Bob's private key
E. The plaintext is enciphered using a secret key
F. The plaintext is compressed before it is enciphered
G. The plaintext is compressed after it is enciphered
H. The plaintext is signed using Bob's public key
I. The plaintext is signed using Alice's public key
J. The plaintext is signed using Alice's private key

Ans: E, F and J. The plaintext is compressed, then enciphered with a fresh secret session key; only that session key is enciphered with Bob's public key, and the message is signed with Alice's private key so that Bob can verify it with her public key.

2. Let's say that the plaintext "hello" is enciphered as "zbabh". What kind of cipher is this? (It is
one of the three choices given)

A. substitution
B. transposition
C. product (both substitution and transposition)

Ans: C. The two l's in "hello" come out as a and b, so no single letter-for-letter mapping was applied (not a pure substitution), and the letters of "zbabh" are not a rearrangement of h, e, l, l, o (not a pure transposition). Only a transposition followed by a substitution fits: the two l's are moved to positions 2 and 4 and then both become b.

3. In a Caesar cipher, the encryption function is the same as the decryption function.

A. true
B. false

Ans: B. Encryption shifts each letter forward by k and decryption shifts it back by k, so they are different functions. The one exception in a 26-letter alphabet is k = 13 (ROT13), where shifting twice returns to the start and the same function serves both ways.
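
The following Go program is an added example, not part of the assignment: a Caesar shift (question 3) and a checker that decides which cipher family a plaintext/ciphertext pair is consistent with, using only the definitions of substitution and transposition (question 2). Function names are my own.

```go
// Added example (not part of the assignment): a Caesar shift, and a checker
// that decides which cipher family a plaintext/ciphertext pair is consistent
// with, using only the definitions of substitution and transposition.
package main

import (
	"fmt"
	"sort"
	"strings"
)

// caesarEncrypt shifts each lowercase letter forward by k positions (mod 26).
func caesarEncrypt(pt string, k int) string {
	var b strings.Builder
	for _, r := range pt {
		if r >= 'a' && r <= 'z' {
			r = 'a' + (r-'a'+rune(k)%26+26)%26
		}
		b.WriteRune(r)
	}
	return b.String()
}

// caesarDecrypt shifts backward. It is a different function from caesarEncrypt
// for every shift except 13 (ROT13), where shifting twice returns to the start.
func caesarDecrypt(ct string, k int) string {
	return caesarEncrypt(ct, -k)
}

func sortedLetters(s string) string {
	r := []rune(s)
	sort.Slice(r, func(i, j int) bool { return r[i] < r[j] })
	return string(r)
}

// consistentSubstitution reports whether ct could be pt under one fixed
// one-to-one letter mapping applied position by position.
func consistentSubstitution(pt, ct string) bool {
	fwd, rev := map[rune]rune{}, map[rune]rune{}
	p, c := []rune(pt), []rune(ct)
	for i := range p {
		if x, ok := fwd[p[i]]; ok && x != c[i] {
			return false
		}
		if y, ok := rev[c[i]]; ok && y != p[i] {
			return false
		}
		fwd[p[i]], rev[c[i]] = c[i], p[i]
	}
	return true
}

// frequencyProfile is the sorted list of letter counts, e.g. hello -> [1 1 1 2].
// A transposition, a substitution, or both in sequence all leave it unchanged.
func frequencyProfile(s string) string {
	counts := map[rune]int{}
	for _, r := range s {
		counts[r]++
	}
	var ns []int
	for _, n := range counts {
		ns = append(ns, n)
	}
	sort.Ints(ns)
	return fmt.Sprint(ns)
}

// classify returns "transposition" (same letters, reordered), "substitution"
// (a consistent letter mapping), "product" (neither alone fits, but a
// reordering followed by a substitution could produce ct) or "neither".
func classify(pt, ct string) string {
	switch {
	case len([]rune(pt)) != len([]rune(ct)):
		return "neither"
	case sortedLetters(pt) == sortedLetters(ct):
		return "transposition"
	case consistentSubstitution(pt, ct):
		return "substitution"
	case frequencyProfile(pt) == frequencyProfile(ct):
		return "product"
	}
	return "neither"
}

func main() {
	ct := caesarEncrypt("hello", 3)
	fmt.Println(ct, caesarDecrypt(ct, 3))                                 // khoor hello
	fmt.Println(caesarEncrypt("hello", 3) == caesarDecrypt("hello", 3))   // false
	fmt.Println(caesarEncrypt("hello", 13) == caesarDecrypt("hello", 13)) // true
	fmt.Println(classify("hello", "zbabh"))                               // product
}
```

The order of the checks matters: a pair that passes the transposition or substitution test would also pass the frequency-profile test, so "product" is only reported when neither single family explains the ciphertext, which is the case for "hello" and "zbabh".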

4. Briefly describe why a symmetric cipher is never used for a digital signature.

Ans: A symmetric cipher uses one shared secret key for both encryption and decryption. That works well for confidential messages between two parties who trust each other, but it cannot provide a digital signature: anything the receiver can verify with the shared key, the receiver could also have produced with it, so a symmetric tag proves nothing to a third party and the sender can repudiate it. A digital signature needs public-key cryptography, where only the holder of the private key can sign and anyone with the public key can verify.
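
As an added example (not part of the assignment), the following Go program contrasts a shared-key MAC with an Ed25519 signature on the same two messages. The message texts and key names are my own.

```go
// Added example (not part of the assignment): a shared-key MAC compared with
// a public-key signature. With a shared key, whoever can verify a tag can also
// create one, so the tag proves nothing to a third party; with Ed25519, Bob
// can verify Alice's signature but cannot produce one under her public key.
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

func macTag(key, msg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(msg)
	return m.Sum(nil)
}

// macScenario: Alice sends a message with a tag under the shared key kAB and
// Bob verifies it. Bob then forges a second message and tags it himself; the
// forged tag passes the same check, because the check needs only kAB.
func macScenario(kAB []byte) (genuineOK, forgeryOK bool) {
	genuine := []byte("Alice: transfer $10 to Bob")
	tagFromAlice := macTag(kAB, genuine)
	genuineOK = hmac.Equal(tagFromAlice, macTag(kAB, genuine))

	forged := []byte("Alice: transfer $1000 to Bob")
	tagFromBob := macTag(kAB, forged) // Bob, not Alice, computed this
	forgeryOK = hmac.Equal(tagFromBob, macTag(kAB, forged))
	return genuineOK, forgeryOK
}

// signatureScenario: the same two messages with signatures. Bob holds only
// Alice's public key; the best he can do is sign with some other private key,
// and that signature fails verification under Alice's public key.
func signatureScenario(alicePub ed25519.PublicKey, alicePriv ed25519.PrivateKey) (genuineOK, forgeryOK bool) {
	genuine := []byte("Alice: transfer $10 to Bob")
	genuineOK = ed25519.Verify(alicePub, genuine, ed25519.Sign(alicePriv, genuine))

	forged := []byte("Alice: transfer $1000 to Bob")
	_, bobPriv, _ := ed25519.GenerateKey(rand.Reader) // Bob has no access to alicePriv
	forgeryOK = ed25519.Verify(alicePub, forged, ed25519.Sign(bobPriv, forged))
	return genuineOK, forgeryOK
}

// runDemo generates fresh keys and runs both scenarios.
func runDemo() (macGenuine, macForgery, sigGenuine, sigForgery bool) {
	kAB := make([]byte, 32)
	rand.Read(kAB)
	macGenuine, macForgery = macScenario(kAB)
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	sigGenuine, sigForgery = signatureScenario(pub, priv)
	return
}

func main() {
	fmt.Println(runDemo()) // true true true false
}
```

The MAC still has its place: it gives message integrity and origin assurance between the two key holders. What it cannot do is convince anyone else, or let Bob prove that Alice rather than he wrote the message.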

5. Keeping the enciphering and deciphering algorithm secret would violate which design
principle?

A. Principle of least privilege
B. Principle of fail-safe defaults
C. Principle of open design
D. Principle of complete mediation
E. Principle of separation of privilege
F. Principle of psychological acceptability
G. Principle of least common mechanism
H. Principle of economy of mechanism

Ans : C

6. What is the most important difference between symmetric and asymmetric cryptography?

Ans: Symmetric cryptography uses one secret key to both encrypt and decrypt, so that key must be known to the party encrypting the data and to the party decrypting it. Asymmetric cryptography uses a key pair: the public key can be handed to anyone, who can use it to encrypt data that only the holder of the matching private key can decrypt. This removes the need to share a secret key with each correspondent and the risk of that key being compromised on the way.

The drawback of asymmetric cryptography is that it is orders of magnitude slower than symmetric encryption, which makes it impractical for large amounts of data, and it needs much longer keys for the same security strength (a 3072-bit RSA key is roughly equivalent to a 128-bit AES key). In practice the two are combined: the data is encrypted with a symmetric session key, and only that key is encrypted with the recipient's public key.

7. Which, in general, has a longer lifespan: a session key or an interchange key?

A. Session key
B. Interchange Key
C. Lifetime of both are the same

Ans : B

8. Let's say that I want my bank to wire you $1000. I encipher a message containing this request
to the bank as follows:

1. First generate a random session key
2. Then encipher the session key with the bank's public key
3. Then encipher the message with the session key
4. Finally send the enciphered message and enciphered session key to the bank

When the bank gets the enciphered message, it does the following:

1. Deciphers the enciphered session key using its private key
2. Uses the session key to decipher the message
3. Reads the plaintext of the message telling it to send you $1000
4. Sends you the money

This protocol is seriously flawed. Its most serious failing is that it doesn't support which one of
the following?

A. confidentiality
B. origin integrity
C. data integrity
D. availability

Ans: B. The bank's public key is, by definition, public, so anyone can generate a session key, wrap it with that key and encipher a request; nothing in the message shows that it came from me rather than from an attacker. The protocol does give confidentiality (only the bank can unwrap the session key), and availability is not something an encryption protocol grants or withholds, but the bank has no evidence of who originated the request. The fix is for the sender to sign the request with a private key whose public counterpart the bank can verify.
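
The following Go program is an added example, not part of the assignment. It implements the PGP-style hybrid scheme of question 1 (compress, encipher with a random session key, wrap the session key with the recipient's public key) as the bank protocol of question 8, runs Mallory's forged request through the flawed bank, and then adds the missing origin check: a signature by Alice over the request. The names, key sizes and message texts are my own assumptions.

```go
// Added example (not part of the assignment): the PGP-style hybrid scheme of
// question 1 and the bank protocol of question 8, with the missing origin
// check added. Names and key sizes are assumptions for illustration.
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

type envelope struct {
	wrappedKey        []byte // session key enciphered with the bank's RSA public key
	nonce, ciphertext []byte // zlib(request || signature) enciphered with the session key
}

func newGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // key is always 32 bytes here, so no error
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// seal performs the sender's four steps; sig is nil in the flawed protocol.
func seal(bankPub *rsa.PublicKey, request, sig []byte) (env envelope, err error) {
	sessionKey := make([]byte, 32) // 1. generate a random session key
	rand.Read(sessionKey)
	env.wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, bankPub, sessionKey, nil) // 2.
	if err != nil {
		return env, err
	}
	var buf bytes.Buffer // 3. compress first, then encipher with the session key
	w := zlib.NewWriter(&buf)
	w.Write(append(append([]byte{}, request...), sig...))
	w.Close()
	gcm := newGCM(sessionKey)
	env.nonce = make([]byte, gcm.NonceSize())
	rand.Read(env.nonce)
	env.ciphertext = gcm.Seal(nil, env.nonce, buf.Bytes(), nil)
	return env, nil // 4. the envelope carries both enciphered parts
}

// open performs the bank's steps. With alicePub == nil it is the flawed bank,
// which acts on any plaintext it recovers; otherwise it also requires a valid
// signature by Alice over the request before acting on it.
func open(bankPriv *rsa.PrivateKey, alicePub ed25519.PublicKey, env envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, bankPriv, env.wrappedKey, nil) // 1.
	if err != nil {
		return nil, err
	}
	body, err := newGCM(sessionKey).Open(nil, env.nonce, env.ciphertext, nil) // 2. GCM also checks data integrity
	if err != nil {
		return nil, err
	}
	r, err := zlib.NewReader(bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	pt, err := io.ReadAll(io.LimitReader(r, 1<<20)) // cap decompression of attacker-supplied data
	if err != nil {
		return nil, err
	}
	if alicePub == nil {
		return pt, nil // 3. flawed: anyone with the bank's public key could have built this
	}
	cut := len(pt) - ed25519.SignatureSize
	if cut < 0 || !ed25519.Verify(alicePub, pt[:cut], pt[cut:]) {
		return nil, fmt.Errorf("origin check failed: request not signed by Alice")
	}
	return pt[:cut], nil
}

func scenario(requireSignature bool) (aliceAccepted, malloryAccepted bool) {
	bankPriv, _ := rsa.GenerateKey(rand.Reader, 2048) // the bank's key pair
	alicePub, alicePriv, _ := ed25519.GenerateKey(rand.Reader)
	_, malloryPriv, _ := ed25519.GenerateKey(rand.Reader) // Mallory's own key; the bank never trusts it
	submit := func(request []byte, signer ed25519.PrivateKey) bool {
		var sig, check []byte
		if requireSignature {
			sig, check = ed25519.Sign(signer, request), alicePub
		}
		env, e := seal(&bankPriv.PublicKey, request, sig)
		if e == nil {
			_, e = open(bankPriv, check, env)
		}
		return e == nil
	}
	aliceAccepted = submit([]byte("wire $1000 to Bob"), alicePriv)
	malloryAccepted = submit([]byte("wire $1000 to Mallory"), malloryPriv)
	return
}

func main() {
	fmt.Println(scenario(false)) // true true: the flawed bank also pays Mallory
	fmt.Println(scenario(true))  // true false
}
```

Two details a practitioner would keep: the authenticated cipher (AES-GCM) already catches tampering with the ciphertext, so the only thing the signature adds is origin; and because the bank decompresses attacker-supplied data, the decompressed size is capped so a small ciphertext cannot expand without limit.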

9. Kerberos was a mythical three headed dog that guarded the gates of hell. What are the 3
"heads" of the Kerberos protocol?

A. authentication server (which requires a password)
B. internal firewall
C. ticket-granting server
D. client machine
E. target server (e.g. a print server which requires a ticket to use)

Ans : A,C and E

10. It is crucial that no attacker is eavesdropping during key exchange.

A. true
B. false

Ans: B. Key exchange protocols are designed so that a passive eavesdropper who records the whole exchange learns nothing useful about the resulting key. What they cannot survive on their own is an active attacker who substitutes messages, which is why the exchanged values must be authenticated.

11. During key exchange which of the following must be kept secret

A. how the key was generated
B. the key itself
C. the protocol used to exchange the key
D. who the sender is
E. who the receiver is

Ans: B. Only the key itself must stay secret. How the key was generated and which protocol was used are public by the principle of open design (question 5), and the identities of sender and receiver are visible to anyone watching the exchange.
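
The following Go program is an added example, not part of the assignment. It runs an X25519 key agreement with the transcript Eve can record kept separate from what each party keeps private, and then runs the active variant that eavesdropping alone cannot achieve, which is the caveat behind questions 10 and 11. It uses Go's standard crypto/ecdh package (Go 1.20 or later); the party names are my own.

```go
// Added example (not part of the assignment): an X25519 key agreement, with
// everything Eve can record on the wire kept separate from what each party
// keeps private, and the active (man-in-the-middle) variant that eavesdropping
// alone cannot achieve. Go's crypto/ecdh (Go 1.20+) supplies the curve.
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"fmt"
)

// transcript is what a passive attacker sees: the protocol is public (X25519
// over the wire) and so are both public values. Neither private scalar is sent.
type transcript struct{ alicePub, bobPub []byte }

func keyPair() *ecdh.PrivateKey {
	k, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// derive computes the shared secret from one party's private key and the
// other's public value as received from the wire.
func derive(priv *ecdh.PrivateKey, peerPubWire []byte) []byte {
	peer, err := ecdh.X25519().NewPublicKey(peerPubWire)
	if err != nil {
		panic(err)
	}
	s, err := priv.ECDH(peer)
	if err != nil {
		panic(err)
	}
	return s
}

// passiveEavesdropper: Alice and Bob agree on the same key; Eve, holding only
// the transcript, would need one of the private scalars to compute it. The
// best she can do with a private scalar of her own is a different secret.
func passiveEavesdropper() (agree bool, eveMatches bool) {
	alice, bob := keyPair(), keyPair()
	wire := transcript{alice.PublicKey().Bytes(), bob.PublicKey().Bytes()}
	kA := derive(alice, wire.bobPub)
	kB := derive(bob, wire.alicePub)
	eve := keyPair()
	kEve := derive(eve, wire.bobPub) // Eve's scalar with Bob's public value
	return bytes.Equal(kA, kB), bytes.Equal(kEve, kA)
}

// activeAttacker: Mallory replaces each public value in transit with her own.
// Alice and Bob each "agree" with Mallory and end up with different keys, so
// the exchange needs authentication of the public values (signatures or
// certificates) to be safe against anything beyond eavesdropping.
func activeAttacker() (aliceBobAgree, malloryReadsAlice, malloryReadsBob bool) {
	alice, bob, mallory := keyPair(), keyPair(), keyPair()
	// Alice sends alicePub; Mallory forwards her own public value to Bob, and vice versa.
	kA := derive(alice, mallory.PublicKey().Bytes())
	kB := derive(bob, mallory.PublicKey().Bytes())
	kMA := derive(mallory, alice.PublicKey().Bytes())
	kMB := derive(mallory, bob.PublicKey().Bytes())
	return bytes.Equal(kA, kB), bytes.Equal(kMA, kA), bytes.Equal(kMB, kB)
}

func main() {
	fmt.Println(passiveEavesdropper()) // true false
	fmt.Println(activeAttacker())      // false true true
}
```

Nothing in the transcript is secret: the curve, the protocol and both public values can be published, and the only values that must never leave each machine are the private scalars.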

12. In Kerberos, the print server shares a key with the authenticating server.

A. true
B. false

Ans : B

13. Kerberos uses public key cryptography to exchange the session key between the
authenticating server and the ticket granting server.

A. true
B. false

Ans : B

14. Which of the following are true about a certificate?

A. It associates an identity with a public key
B. It contains the private key to use to decipher messages enciphered with the public key
C. It is signed by the public key of a certifying authority.
D. It is signed by the private key of a certifying authority.
E. The content of a certificate is enciphered using the private key of a certifying authority

Ans : A and D

15. Which of the following are true statements about a digital signature?

A. Part of the procedure of creating a digital signature is to hash the message using a
cryptographic checksum function.
B. A message that is digitally signed must be encrypted before it is signed.
C. Part of the procedure of creating a digital signature is to encrypt the message hash using
the private key.
D. Part of the procedure of creating a digital signature is to encrypt the message hash using
the public key.
E. A digital signature helps assure the integrity of the message.

Ans : A,C and E

16. Which of the following are acceptable ways to get the public key of a CA?

A. from a list of trusted root certification authorities that ships with a browser
B. from an unsolicited promotional email sent by the CA
C. from a certificate chain
D. from a flash drive mailed to you by the CA after they have validated your identity.
E. from the home page of the CA

Ans: A, C and D

17. The SSL protocol uses the private key of the browser to encrypt the session key.

A. true
B. false

Ans: B

18. If you use a CA, there is no single point of failure

A. true
B. false

Ans: B. The CA's signing key is a single point of failure: if it is compromised or misused, every certificate it has issued, and every identity those certificates vouch for, is suspect until the CA's own certificate is revoked and replaced.

19. When you get a certificate from a CA you must provide the CA with both your public and
your private key.

A. true
B. false

Ans : B

20. Which of the following can be used to establish the identity of an external entity (a user of
the computer system)?

A. Where the entity is
B. What the entity knows
C. What the entity has
D. The age of the entity
E. What the entity is
F. When the entity logged on

Ans: A, B, C and E. Authentication rests on what the entity knows (a password), what it has (a token or badge), what it is (a biometric) and where it is (a particular terminal or network location). The entity's age and the time of its logon identify nobody.

21. Why is it good to save the hash of your password in the database rather than the
plaintext of the password?

Ans: A cryptographic hash is one-way, so the database holds a value from which the password cannot be recovered but against which a login can still be checked, by hashing the password the user types and comparing. If the plaintext were stored, anyone with access to the database (an administrator, a backup, or an attacker who dumped the table) would have every user's password, and many of those passwords are reused elsewhere. The hash should be salted and deliberately slow, so that a stolen table cannot be attacked cheaply by guessing.
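
The following Go program is an added example, not part of the assignment. It stores a salted, iterated PBKDF2-HMAC-SHA256 digest instead of the password and verifies a login against it. PBKDF2 (RFC 8018) is written out with the standard library rather than imported so the construction is visible; the record layout, the iteration count and the sample passwords are my own assumptions.

```go
// Added example (not part of the assignment): store a salted, iterated hash
// instead of the password. PBKDF2-HMAC-SHA256 (RFC 8018) is written out here
// with the standard library rather than imported so the construction is
// visible; the record layout and the constants are assumptions for illustration.
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

const iterations = 600_000 // OWASP's current minimum for PBKDF2-HMAC-SHA256

// pbkdf2SHA256 derives keyLen bytes: block i is U_1 xor U_2 ... xor U_iter,
// with U_1 = HMAC(password, salt || INT(i)) and U_j = HMAC(password, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	var out []byte
	for i := 1; len(out) < keyLen; i++ {
		var idx [4]byte
		binary.BigEndian.PutUint32(idx[:], uint32(i))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// hashPassword returns the record to store: algorithm, iteration count, salt
// and digest, all of them public. Nothing in it lets a reader recover the
// password except by guessing and re-running the iterations for each guess.
func hashPassword(password string) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations, hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// verifyPassword recomputes the digest from the stored salt and parameters and
// compares in constant time. The plaintext password is never stored.
func verifyPassword(password, record string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iter, err := strconv.Atoi(parts[1])
	salt, err2 := hex.DecodeString(parts[2])
	want, err3 := hex.DecodeString(parts[3])
	if err != nil || err2 != nil || err3 != nil || iter < 1 {
		return false
	}
	got := pbkdf2SHA256([]byte(password), salt, iter, len(want))
	return subtle.ConstantTimeCompare(got, want) == 1
}

func main() {
	rec, _ := hashPassword("correct horse battery staple")
	fmt.Println(rec) // what the database holds: salt and digest, no password
	fmt.Println(verifyPassword("correct horse battery staple", rec), verifyPassword("Tr0ub4dor&3", rec)) // true false
}
```

A fresh random salt per user means two users with the same password get different records and a precomputed table is useless; the iteration count makes each guess cost the attacker as much as it costs the server. In production a dedicated password-hashing function such as Argon2id or bcrypt is the usual choice; PBKDF2 is shown here because it can be written in a few lines of standard library code.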

22. After reading all the literature on passwords, these appear to be the recommendations:

1. The password should be resistant to a dictionary attack
2. The password should be changed regularly
3. The password should not be written down
4. Different passwords should be used on different accounts
What principle do these recommendations violate?

A. Principle of least privilege
B. Principle of fail-safe defaults
C. Principle of economy of mechanism
D. Principle of complete mediation
E. Principle of open design
F. Principle of separation of privilege
G. Principle of least common mechanism
H. Principle of psychological acceptability

Ans : H
