I (30)
II (40)
III (30)
Bonus (5)
Total

Test 2

2015 – CSCE 201

Name:

Answer the following questions. Be brief and precise!

I. 30 points

1. (10) Recommend 3 activities to secure your web browser:

Can cookies represent a threat to web browser security?

2. (20) Assume you have been hired by the CSE department to establish an Access Control specification for the computer labs. Describe the advantages and disadvantages of using Discretionary Access Control (DAC) or Role-Based Access Control (RBAC) to implement your policy. Give a sample specification of access permission for each.

DAC:

Sample specification:

RBAC:

Sample specification:


II. 40 points. Short answers

1. (20) What is the main aim of Denial of Service attacks?

Briefly describe how the Ping-of-Death attack achieves this aim.


2. (20) Briefly explain how secret (symmetric) key encryption supports

· Confidentiality

· Integrity

· Availability

· Authenticity

What is the key distribution problem of symmetric key encryption?


III. 30 points. Exercises

1. (20) Assume Bob and Alice decide to establish a new secret key to be used for secure communication in the following way.

Alice and Bob agree on a large number securely, e.g., 999,999, before the communication. That is, only Bob and Alice know that the number they wanted to use is 999,999.

Bob → Alice: B = 999,999 + sum(Bob's birthday)

Note: the sum of a birthday is calculated by adding the values for day, month, and year. E.g., the sum of June 15, 2002 is 6 + 15 + 2002 = 2023.

Alice → Bob: A = 999,999 + sum(Alice's birthday)

Alice calculates the key as B + sum(Alice's birthday)

Bob calculates the key as A + sum(Bob's birthday)

Would this method allow Bob and Alice to agree on a key secretly? Show the key value using the following birthdays:

Bob: July 22, 1978

Alice: May 24, 1981

Show a malicious attack against the protocol where the attacker will know the secret key.
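A worked run of this exchange with the stated birthdays, added here as an illustration (not part of the original test): it computes both parties' keys and shows why a passive eavesdropper who sees the two messages and knows one participant's birthday, which is public information rather than a secret, arrives at the same key. The function names are mine.

```python
from datetime import date

# Values taken from the question: the pre-agreed number and the two birthdays.
SHARED_NUMBER = 999_999
BOB_BDAY = date(1978, 7, 22)
ALICE_BDAY = date(1981, 5, 24)
EXAMPLE_BDAY = date(2002, 6, 15)  # the question's own example, sum = 2023

def birthday_sum(bday: date) -> int:
    """sum(birthday) as the question defines it: day + month + year."""
    return bday.day + bday.month + bday.year

def bob_message(shared: int, bob_bday: date) -> int:
    """Bob -> Alice: B = shared + sum(Bob's birthday)."""
    return shared + birthday_sum(bob_bday)

def alice_message(shared: int, alice_bday: date) -> int:
    """Alice -> Bob: A = shared + sum(Alice's birthday)."""
    return shared + birthday_sum(alice_bday)

def alice_key(B: int, alice_bday: date) -> int:
    return B + birthday_sum(alice_bday)

def bob_key(A: int, bob_bday: date) -> int:
    return A + birthday_sum(bob_bday)

def eavesdropper(A: int, B: int, bob_bday: date) -> tuple:
    """Passive attacker with only the two messages seen on the wire plus Bob's
    birthday, which is public information rather than a secret.  Bob's key is
    A + sum(Bob's birthday), so the attacker evaluates the very same expression.
    B - sum(Bob's birthday) also recovers the 'secret' 999,999, so any later
    run that reuses that number is exposed too."""
    s = birthday_sum(bob_bday)
    return A + s, B - s  # (key, recovered shared number)

def run_protocol(bob_bday: date = BOB_BDAY, alice_bday: date = ALICE_BDAY,
                 shared: int = SHARED_NUMBER) -> dict:
    """One full exchange; the eavesdropper sees only what crosses the wire."""
    B = bob_message(shared, bob_bday)
    A = alice_message(shared, alice_bday)
    attacker_key, attacker_shared = eavesdropper(A, B, bob_bday)
    return {"B": B, "A": A, "alice_key": alice_key(B, alice_bday),
            "bob_key": bob_key(A, bob_bday), "attacker_key": attacker_key,
            "attacker_shared": attacker_shared}

if __name__ == "__main__":
    for name, value in run_protocol().items():
        print(f"{name:>15}: {value:,}")
```

The lesson for the defender is that a key must depend on a value the eavesdropper cannot compute from public data; here every term is either on the wire or publicly known.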

2. (10) Briefly explain what a misuse (abuse) case is during software development.

Assume you are developing an application for a mobile device that allows parents to track the GPS location of their children's phone. Show a malicious attack (misuse case) against the application.


Bonus question (5 points)

Briefly explain why web browser based attacks are serious.