
Network Security and Cryptography

7 March 2018

Marking Scheme
This marking scheme has been prepared as a guide only to markers. This is not a set of
model answers, or the exclusive answers to the questions, and there will frequently be
alternative responses which will provide a valid answer. Markers are advised that, unless a
question specifies that an answer be provided in a particular form, then an answer that is
correct (factually or in practical terms) must be given the available marks.

If there is doubt as to the correctness of an answer, the relevant NCC Education materials
should be the first authority.

Throughout the marking, please credit any valid alternative point.

Where markers award half marks in any part of a question, they should ensure
that the total mark recorded for the question is rounded up to a whole mark.
Answer ALL questions

Marks
Question 1

a) Briefly explain the general actions performed during the encryption process. 4

Encryption is the process of converting readable clear-text/plain-text (1
mark) using an algorithm and a key (1 mark) to cipher-text (1 mark) which is
an obscured / unrecognisable form (1 mark).

b) ‘Successful encryption depends on the key and algorithm being kept secret’. Is
this statement valid or misleading? Explain your answer. 2

The algorithm does not have to be kept secret (1 mark), but in symmetric
key cryptography the key must be kept secret (1 mark).

c) Cryptanalysis is the art or process of deciphering coded messages without being
told the key. A form of Cryptanalysis is the Brute Force Attack.

i. Briefly explain how a Brute Force Attack works. 2

In a Brute Force Attack every possible key is tried until correct
translation (1 mark) of the encrypted text into plaintext is obtained (1
mark).

ii. Outline the effect of different key sizes in relation to a Brute Force Attack. 2

The length of the key is a factor in determining how difficult it will be
to decrypt the text in a given message, as longer keys have more
combinations (1 mark) and thus take more time (1 mark).

Total: 10 Marks

Page 2 of 14
Network Security and Cryptography © NCC Education Limited 2018
Question 2

a) Public Key Infrastructure (PKI) is a security architecture that has been introduced
to provide an increased level of confidence for exchanging information. E-Commerce
makes use of Public Key Infrastructure using TLS when you make a purchase.

Spell out the acronym TLS and explain how a browser uses TLS to ensure that
the E-commerce server is authentic and not a spoof website. 5

Award 1 mark for each bullet point up to a maximum of 5 marks:

• TLS: Transport Layer Security.
• The browser makes an HTTPS connection to the web server.
• The web server sends its Digital Certificate to the browser.
• The browser checks the validity of the Digital Certificate.
• This check is made with a trusted 3rd party (Certificate Authority), confirming
that the DC was issued to an identity that the issuing CA is willing to vouch for.

b) PKI uses ‘Public Key Cryptography’ rather than ‘Symmetric Key Cryptography’.
Explain the weakness of Symmetric Key cryptography that Public Key
Cryptography overcomes. 1

The problem of securely distributing the secret (Symmetric Key).

c) Alison wants to send a secure message to Jason. Describe how Alison would
use Public Key Infrastructure to send a secure message to Jason. 2

Alison encrypts her message with Jason’s Public Key and transmits it to
Jason (1 mark). Jason decrypts it with his Private Key (1 mark).

d) Public Key encryption has limitations. What is the disadvantage of Public Key
encryption compared to Symmetric Key encryption? Explain how this
disadvantage can be overcome. 2

PK is much slower than Symmetric (1 mark); this is overcome by using PK
to exchange a Symmetric Key, then using Symmetric encryption for speed (1
mark).

Total 10 Marks

Question 3

a) State what TCP/IP stands for and its core purpose. 2


Transmission Control Protocol/Internet Protocol (1 mark). The basic
purpose is as a communication language or protocol of the Internet
(1 mark).

b) Produce a diagram to demonstrate how TCP/IP fits with other common Internet
protocols in a protocol stack. Your table should be illustrated by showing named
protocols. 6

Award 1 mark for each correctly named element placed in the correct
position within the diagram.

HTTP FTP SMTP

SSL or TLS

TCP

IP

c) TLS is typically implemented as Secure Sockets Layer (SSL). What is an SSL
Connection? 2

Award 1 mark for each bullet point up to a maximum of 2 marks:

• SSL connections are peer-to-peer relationships.
• These SSL connections are transient, only last for a certain length of
time, and each connection is associated with a session.

Total 10 Marks

Question 4

a) State THREE (3) uses of cryptographic methods in email messaging. 3


Award 1 mark for including any of the following bullet points up to a
MAXIMUM of 3 marks:

▪ To sign an email message to ensure its integrity.
▪ To confirm the identity of its sender.
▪ To encrypt the body of an email message to ensure its confidentiality.
▪ To encrypt the communications between mail servers to protect the
confidentiality of both the message body and message header.

b) Explain how the OpenPGP protocol is used to encrypt an email message. 7

Award 1 mark for each point up to a maximum of 7 marks:

1. The plaintext message is compressed
2. A random session key is created
3. A digital signature is generated for the message using the sender’s
private key and then added to the message
4. The message and signature are encrypted using the session key and
a symmetric algorithm
5. The session key is encrypted using the recipient’s public key and
added to the encrypted message
6. The encrypted message is sent to the recipient
7. The recipient reverses these steps
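
The seven steps above, traced end to end as an added example (not part of the marking scheme and not a real OpenPGP implementation). Assumptions: textbook RSA on constructed Mersenne-prime keys and a SHA-256 keystream XOR stand in for the real public-key and symmetric algorithms, the signature is taken over the compressed message, and the names `seal`, `open_sealed`, `ALISON` and `JASON` are illustrative.

```python
import hashlib
import secrets
import zlib

E = 65537  # public exponent used by both toy key pairs

def toy_keypair(p, q):
    """Textbook RSA from two known primes: returns (modulus n, private exponent d)."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def keystream_xor(key, data):
    """Toy symmetric cipher (stand-in for AES): XOR with a SHA-256 counter keystream."""
    blocks = (len(data) + 31) // 32
    stream = b"".join(hashlib.sha256(key + i.to_bytes(8, "big")).digest()
                      for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def seal(message, sender_key, recipient_n):
    sender_n, sender_d = sender_key
    sig_len = (sender_n.bit_length() + 7) // 8
    compressed = zlib.compress(message)                          # step 1
    session_key = secrets.token_bytes(16)                        # step 2
    signature = pow(digest_int(compressed), sender_d, sender_n)  # step 3
    body = keystream_xor(session_key,                            # step 4
                         signature.to_bytes(sig_len, "big") + compressed)
    wrapped_key = pow(int.from_bytes(session_key, "big"), E, recipient_n)  # step 5
    return wrapped_key, body                                     # step 6: what is sent

def open_sealed(packet, recipient_key, sender_n):
    """Step 7: the recipient reverses the steps and checks the signature."""
    wrapped_key, body = packet
    recipient_n, recipient_d = recipient_key
    sig_len = (sender_n.bit_length() + 7) // 8
    key_int = pow(wrapped_key, recipient_d, recipient_n)
    if key_int >= 1 << 128:
        raise ValueError("session key could not be unwrapped")
    plain = keystream_xor(key_int.to_bytes(16, "big"), body)
    signature = int.from_bytes(plain[:sig_len], "big")
    compressed = plain[sig_len:]
    if pow(signature, E, sender_n) != digest_int(compressed):
        raise ValueError("signature does not match message")
    return zlib.decompress(compressed)

# Constructed toy keys built from Mersenne primes; never use such keys in practice.
ALISON = toy_keypair(2**127 - 1, 2**521 - 1)
JASON = toy_keypair(2**89 - 1, 2**607 - 1)

def demo():
    packet = seal(b"Meet at 10:00 in room 4." * 4, ALISON, JASON[0])
    return open_sealed(packet, JASON, ALISON[0])
```

Only the 16-byte session key passes through the slow public-key operation; the message itself is handled by the symmetric cipher, which is the speed trade-off described in Question 2(d).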

Total 10 Marks

Question 5

a) State THREE (3) ways to ensure passwords are secure. 3

Award a maximum of 3 marks for including any of the following;


▪ Include a mix of upper/lower case, numbers and/or symbols (1 mark)
▪ Change it regularly (1 mark)
▪ Don’t write it down (1 mark)
▪ Don’t share it with others (1 mark)
▪ Don’t include anything personal (1 mark)

b) To ensure password database entries are protected, Hashing Functions are used.
MD5 and SHA-1 are two common Hashing Functions. Explain how they are
used to protect the password entries. 2

Award a maximum of 2 marks for including any of the following examples:

▪ The system hashes the password (1 mark)
▪ The database stores a username, h(password) pair (1 mark)
▪ h(password) is the result of applying the hashing function to the
password (1 mark)

c) Describe a typical user authentication process that uses a password for
authentication. 4

Award 1 mark for each bullet point up to a maximum of 4 marks:


• The user supplies a username and password to the system
• The system looks up the username in the relevant database table
• The system checks that username, password pair exists
• The system provides system access to the user usually via some
form of token or session variable
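
The storage scheme from part (b) and the login flow from part (c), as an added example that is not part of the marking scheme. It goes one step beyond the answers above by placing the unsalted `h(password)` entry beside a per-user salted PBKDF2 entry; the class name `UserStore`, the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this example

def legacy_entry(password):
    """h(password) as in part (b): a single unsalted SHA-1 digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def hardened_entry(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class UserStore:
    def __init__(self):
        self.users = {}     # username -> (salt, derived key); no plaintext kept
        self.sessions = {}  # session token -> username

    def register(self, username, password):
        self.users[username] = hardened_entry(password)

    def login(self, username, password):
        """Look up the user, re-derive the hash, compare, then issue a token."""
        salt, stored = self.users.get(username, (b"\x00" * 16, b""))
        _, candidate = hardened_entry(password, salt)  # also run for unknown users
        if username not in self.users or not hmac.compare_digest(candidate, stored):
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = username
        return token

def same_password_collides():
    """Two users choosing the same (constructed) password, under both schemes."""
    legacy_equal = legacy_entry("Summer2018!") == legacy_entry("Summer2018!")
    a, b = hardened_entry("Summer2018!"), hardened_entry("Summer2018!")
    return legacy_equal, a[1] == b[1]
```

With the unsalted digest, identical passwords give identical database entries, so one guessed password exposes every account that shares it; the salted entries differ for every user.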

d) State ONE (1) reason why it is important that users are not allowed to create their
own passwords without ensuring that the password they create is strong. 1

Award a maximum of 1 mark for the following, or any other valid relative
reason:

▪ Weak passwords are very easy to crack via dictionary attack

Total 10 Marks

Question 6

a) Penetration Testing aims to locate vulnerabilities in systems. One of the first
activities is to locate open ports. Explain what is meant by the term port and why
an open port can indicate a vulnerability. 3

Award 1 mark for each bullet point up to a maximum of 3 marks:

• Connections to computers are made using TCP or UDP.
• An open port is used to mean a TCP or UDP port number that is
configured to accept packets.
• In contrast, a port which rejects connections or ignores all packets
directed at it is called a closed port.
• An open port enables a connection to be made to the computer,
hence these should be minimised.

b) Explain how you would detect open ports and provide ONE (1) example of a tool
that can be used. 2

Award 1 mark for each bullet point up to a maximum of 2 marks:

• A port scan or port scanner attempts to connect to all 65536 ports on
a server to see whether there are services listening (that is, waiting
for connections) on those ports.
• There is a lot of port scanning software; you may need to check what
candidates enter. A widely used free utility is nmap.

c) A further aspect of penetration testing is to use brute force attacks and dictionary
attacks. 5

i) Explain how a dictionary attack works and give ONE (1) advantage of
using a dictionary attack.

Award 1 mark for each bullet point up to a maximum of 2 marks:

▪ A dictionary attack is typically a guessing attack which uses a
precompiled list of options. Rather than trying every option,
it only tries complete options which are likely to work. (1 mark)
▪ A dictionary attack is much faster but cannot guarantee a solution. (1
mark)

ii) State THREE (3) similarities between brute force and dictionary
attacks.

Award 1 mark for each bullet point up to a maximum of 3 marks:

▪ Both a dictionary and brute force attack are guessing attacks.
▪ They are not directly looking for a flaw or bypass.
▪ Both are ways of obtaining passwords.
▪ Either can be an offline attack or an online attack.

Total 10 Marks


Question 7

a) Briefly explain FOUR (4) key functions of a Virtual Private Network (VPN). 4

Award 1 mark for each bullet point up to a maximum of 4 marks:


• Authentication - validates that the data was sent from the sender
• Access Control - preventing unauthorized users from accessing the
network
• Confidentiality - preventing the data from being read or copied as the
data is being transported
• Data Integrity - ensuring that the data has not been altered

b) Explain the purpose and operation of a Remote Framebuffer Protocol (RFB). 6

Award 1 mark for each bullet point up to a maximum of 6 marks:


• Purpose: To facilitate remote access to graphical user interfaces
(GUIs).
• RFB sends simple graphic messages to the client and input actions to
the server
• It sends information regarding rectangles of screen display
• The colour information of rectangles for display are transmitted as a
framebuffer
• It includes compression techniques and security features
• Client uses port 5900 for server access
• Server may connect in listening mode on port 5500

Total 10 Marks

Question 8

a) Explain what is meant by the term Network Firewall. 4

Award 1 mark for each bullet point up to a maximum of 4 marks:

• A Firewall examines traffic sent between two networks to determine if it
meets rules for acceptance.
• A firewall is the first line of defence for your network, the purpose of a
firewall is to keep intruders from gaining access to your network.
• Usually placed at the perimeter of network to act as a gatekeeper for
incoming and outgoing traffic.
• It protects your computer from Internet threats by erecting a virtual
barrier between your network or computer and the Internet. (1 mark)

Note: Don’t give marks for personal firewall.

b) Draw a diagram which shows how a single network firewall could be used with a 4
Demilitarized Zone, Internal network and Internet. Show where a Web Server
and Domain Controller would be positioned.

Award 1 mark for each bullet point up to a maximum of 4 marks:

• Firewall at perimeter of LAN/DMZ (1 mark)
• Firewall at perimeter of LAN/Internet (1 mark)
• DC in LAN (1 mark)
• Web Server in DMZ (1 mark)

c) Provide TWO (2) examples of Access (Firewall) rules for your network in
Question 8(b). 2

Award 1 mark for each valid example up to a maximum of 2 marks:

• Expected rules to show source, destination networks, Access
(Deny/Allow), Port/protocol, possibly users.
• E.g. Allow Port 80/HTTP from All networks to DMZ

Total 10 Marks

Question 9

Wireless networking is inherently less secure than a wired LAN, since the Wireless
network broadcasts its existence and the signal can be received by devices not authorised
to join the network.

a) What security technique would you use to ensure confidentiality of data across a
wireless network? 1

• Encryption for confidentiality

b) State TWO (2) protocols you could use to provide confidentiality of traffic across
the network. Which of the two protocols you have chosen is the most secure?
You should justify your answer. 4

The maximum number of marks awarded to this question is 4.
Award up to 2 marks for stating two protocols. Award up to 2 marks for a
choice and justification of a security protocol.

Protocol examples:
WEP; WPA; WPA-2 EAP/IEEE 802.1X (2 marks)

Choice and justification:
WPA-2: simple but secure (1 mark), good for small
business (1 mark); or EAP: best (1 mark) since it doesn’t require a secret key to
be distributed (1 mark).

c) MAC address filtering is sometimes used as a security measure in Wireless
LANs. What is a MAC address and what does MAC address filtering mean? 4

Award 1 mark for each bullet point up to a maximum of 4 marks:

▪ Each device connected to a network has a hardware address (1 mark)
▪ (48-bit Media Access Control address) (1 mark)
▪ It is assigned by the manufacturer (1 mark)
▪ MAC address Filtering is applied by the Wireless Access point (1
mark) to allow only specific MAC addresses to connect. (1 mark)

d) Whilst a MAC address approach provides some security, it is regarded as weak.
Explain why this is the case. 1

The MAC address can be spoofed.

Total 10 Marks

Question 10

Ransomware is malware that prevents you from using your files or your computer, and
then extorts money from you in exchange for a promise to unlock them. Ransomware is
one of the most prolific cybercrime problems. One of the best known, most recent and
most devastating examples is ‘WannaCry’, which attacked many businesses in 2017.

a) WannaCry typically uses phishing techniques to trick the user into running it.
Briefly describe the term phishing and provide ONE (1) example of the term. 3

Award 1 mark for the example and up to 2 marks for explaining phishing.
Example: email from an ecommerce site with attachment of ‘invoice’.

Explanation of phishing: Posing as authorised emails (1 mark) from
trustworthy institutions (1 mark). It is an attempt to get recipients to open
an attachment (1 mark). Most are aimed at individuals (1 mark).

b) WannaCry exploited vulnerabilities in Microsoft and encrypted MS Office and PDF
files using AES. It then contacts its command and control centre for a public key
and encrypts the AES key with RSA, which displays the ransom screen. Once
the ransom is paid, the matching private key is released to enable decryption.

What are AES and RSA? 2

Award 1 mark for each of the following:

• AES : Advanced Encryption Standard – Symmetric Key Encryption
• RSA : Rivest Shamir and Adleman – Asymmetric Key Encryption

c) If you were a Company Chief Information Security Officer, what action would you
take to improve security from this type of cyberattack? You must justify your
recommendations. 5

The maximum number of marks awarded to this question is 5. The aim here
is to see security in context of the business and to provide students with
more opportunity to elaborate an argument rather than recall knowledge
and facts.

Award 1 mark for each valid point up to a maximum of 5 marks

• Initiating a training programme to establish a security culture in the
company to combat phishing
o This could be done by regular staff training
o This could be done by enforcement of policies
• Review technical controls which include:
o Spam filters
o Frequent backups
o Only allowing minimum access to files to reduce possible
impact.
o Patching O/S
o Anti-malware – kept up to date.
o Disabling hidden file extensions in Windows will also help
recognize this type of attack (attachments often appear as
invoice.pdf.exe).
o Immediately isolate infected devices

Total 10 Marks

End of paper

Learning Outcomes matrix

Question | Learning Outcomes assessed | Marker can differentiate between varying levels of achievement
1 | 1 | Yes
2 | 2 | Yes
3 | 3 | Yes
4 | 4 | Yes
5 | 5.3 and 5.4 | Yes
6 | 6 | Yes
7 | 8 | Yes
8 | 7 | Yes
9 | 9 | Yes
10 | 5.1 | Yes

Grade descriptors

Learning Outcome | Pass | Merit | Distinction
Understand the most common types of cryptographic algorithm | Demonstrate adequate understanding of common types of cryptographic algorithm | Demonstrate robust understanding of common types of cryptographic algorithm | Demonstrate highly comprehensive understanding of common types of cryptographic algorithm
Understand the Public-key Infrastructure | Demonstrate adequate level of understanding | Demonstrate robust level of understanding | Demonstrate highly comprehensive level of understanding
Understand security protocols for protecting data on networks | Demonstrate adequate understanding of security protocols | Demonstrate robust understanding of security protocols | Demonstrate highly comprehensive understanding of security protocols
Be able to digitally sign emails and files | Demonstrate ability to perform the task | Demonstrate ability to perform the task consistently well | Demonstrate ability to perform the task to the highest standard
Understand Vulnerability Assessments and the weakness of using passwords for authentication | Demonstrate adequate level of understanding | Demonstrate robust level of understanding | Demonstrate highly comprehensive level of understanding
Be able to perform simple vulnerability assessments and password audits | Demonstrate ability to perform the task | Demonstrate ability to perform the task consistently well | Demonstrate ability to perform the task to the highest standard
Be able to configure simple firewall architectures | Demonstrate adequate level of understanding and ability | Demonstrate robust level of understanding and ability | Demonstrate highly comprehensive level of understanding and ability
Understand Virtual Private Networks | Demonstrate adequate level of understanding | Demonstrate robust level of understanding | Demonstrate highly comprehensive level of understanding
Be able to deploy wireless security | Demonstrate ability to perform the task | Demonstrate ability to perform the task consistently well | Demonstrate ability to perform the task to the highest standard
