Homework 1

docx

School

Georgia State University *

*We aren’t endorsed by this school

Course

2920

Subject

Information Systems

Date

Feb 20, 2024

Type

docx

Pages

7

Uploaded by JudgeSeaLion4109

Report
Stuti Patel Fundamentals of Cybersecurity Homework 1 1. 1. Concepts of CIA and tools to achieve CIA CIA stands for Confidentiality, Integrity, and Availability. Confidentiality is the avoidance of the unauthorized disclosure of information. It also involves the protection of data, providing access for those who are allowed to see it while disallowing others from learning anything about it. The various tools used to achieve confidentiality are encryption, access control, authentication, authorization and physical security. Encryption is to transform the original message in a way, where only the sender and the receiver can read it using the shared key. Access control includes the rules and the policies limiting access to confidential information to only those who need to know. Authentication is the determination of the identity that someone has. Authorization is to determine if a person or system is allowed access to resources based on an access control policy. Integrity is the property that information has not been altered in an unauthorized way. The various tools used are backups, checksums, and data correcting codes. Backups mean the periodic archiving of data. Checksums are used to ensure the file is not manipulated without the knowledge of the owner or the sender or the receiver. It maps the contents of a file to a numerical value and is designed in a way such that a small change to the input file is highly likely to result in a different output value. Data correcting codes are the methods for storing data in such a way that small changes can be easily detected and automatically corrected. Availability is the property that the information is accessible and modifiable in a timely fashion by those authorized to do so. The various tools used are physical protection and computational redundancies. Physical protection includes the infrastructure maintained to keep the information available in the event of physical challenges. Computational redundancies include the computers and storage devices that serve as fallbacks in the case of failures. 2. Message confidentiality is the assurance that the only the people who have the authorization to see the message, that is, the sender of the message and the designated receivers can see the message. It can’t be viewed by a third party. Message integrity is the assurance that the message information has not been altered by any unauthorized person. The receivers should view the same message that the sender intended to send via that message channel.
Confidentiality without integrity is not possible, as if the message has been altered by a third party who was not authorized to view the message. It is highly likely that the third party now knows the content of the message, making the message not confidential, and it cannot be trusted by the receivers. However, integrity without confidentiality is still possible. If the third party has intercepted the secure line and are only allowed to view the confidential information not change it in any way possible. This indicates that the message still has integrity but is no longer confidential as the third party now knows the content of the message. 3. a. Confidentiality is violated. The homework is supposed to be seen only by John, and not by Mary. Mary breaks the confidentiality while copying the homework. b. Paul violates integrity and availability as he changes the system settings to crash Linda’s system. He shouldn’t have access to it in the first place. c. Carol violates integrity by changing the data on the check. d. Gina violates confidentiality and integrity by forging Roger’s signatures, as nobody has a right to copy another person’s signature. e. Rhonda violates the availability by registering for the domain name. f. Jonah violates confidentiality, integrity and availability. He should not have access to Peter’s credit card information. He violates integrity as he changes the confidential information of Peter’s bank account. He violates availability as Peter will not be able to use his card now as Jonah changed his account information. g. Henry violates confidentiality and integrity. Henry should not access Julie’s computer without her permission. In doing so, he violates the integrity of her computer, making her computer vulnerable to anything Henry decides to do. h. Jonah violates confidentiality and availability as he knew Peter only had some space left and he decided to use it by sending an unimportant file attachment. Peter won’t be able to have more than 0.1 MB data on his email now. i. Anna violates availability by registering for that domain name, as John Smith won’t be able to use that domain name anymore. 2. In symmetric key algorithms, the sender and the receiver both share a secret key that is being used for both encryption and decryption. There are two types of ciphers, stream ciphers and block ciphers. If there are n people talking to each other, this algorithm would require each pair to have their own key. Hence, the total number of keys used by n people would be n(n-1)/2 keys. In public key algorithms, there are two keys for each user, a public key and a private key. The public key is broadcasted widely, and can be used by other user to send him an encrypted message. The user will then his private key to decrypt the given message. If there are n people communicating with each other, each user will need one pair of key, one private key and one public key. Hence, for n people, n key pairs will be used.
Public key algorithms are very powerful and may make the use of symmetric key cryptography obsolete. However, the flexibility comes at a computational cost and is not free. So, public key methods should not be used for encrypting large quantities of data. 3. Authenticity is the ability to determine whether the statements, policies and permissions issued by people or systems are genuine or not. Digital signatures are cryptographic computations that allow a person to commit to the authenticity of documents. The signed authentic documents cannot be denied. Bob cannot violate an agreement with his digital signature as it is considered to be authentic. 4. Alteration: It is defined as the unauthorized modification of information. An example of this attack would be man in the middle attack, where a network stream is intercepted, modified, and retransmitted. Denial-of-services: It is defined as the interruption or degradation of a data service or information access. An example of this would be to email spam to the receiver to the extent that it is meant to simply fill up a mail queue and slow down an email server. Correlation and traceback: It is the integration of multiple data sources and information flows to determine the source of a particular data stream or a piece of information. 5. When a newly designed system without: a. Fail-Safe Default: This states that the default configuration of a system should have a conservative protection scheme. When adding a new user to an OS, the default group of the user should have minimal access rights to files and services. As, operating systems and applications often have default options that favor usability over security, if the system is built without the Fail-Safe default, it would be very prone to certain security threats. b. Complete Mediation: This states that every access to a resource must be checked for compliance with a protection scheme. Because of this, one should be a wary of performance improvement techniques that save the results of previous authorization checks since permissions can change over time. If a system is built without this, on public computers it would be difficult maintain the users’ authenticity. c. Separation of Privilege: This principle dictates that multiple conditions should be required to achieve access to restricted resources or have a program perform some action. This is required for a system, because double authentication would be more secure than having just a password. If another person gets to know your password, you still have dual authentication to protect someone else for entering your account.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
6. a. No, it is not possible to decrypt a hash of a message to get the original message. Also, for a given hash, there are multiple messages that could be the possible inputs. The client receives the original message and the hash value by using the secret key shared by both. If the hash value generated by the original message is same as the hash value, only then the client decrypts the original message. Hence, it would be impossible to decrypt a hash of the message, given only the hash with no other information. b. We can reduce the time and space needed for a user to perform digital signature by giving them message M, having them hash the value h(M) and then have them sign this value. Signing the cryptographic digest is efficient than signing the message itself is mostly because it defends against the man in the middle attacks. 7. The choices impact the security of the salted passwords if they use a cryptographic hash of the userid as its salt. Salt is added to increase the randomness in the hash function output. By using the userid, we are consequently decreasing the randomness, making it more vulnerable in case of an attack or data breach attempt. If an attacker is not able to find the salt associated with each userid, the search space for the dictionary attack would be 2 B *D, where B is the number of bits of the random salt and D is the size of the list of words for the dictionary attack. 8. By using all 128 characters in the ASCII character set to form 8-character passwords, the number of possible ways to form passwords will be 128 8 = 2 56 . If an attacker could guess a password every nanosecond, it would take them 2 56 *10 -9 seconds to guess the password, which is equal to about 2.3 years. 9. a. Barack should use public key cryptography by signing the message with the private key and distributing the public key for all the users. A digital certificate will be used to verify Barack’s identity. And since the message will be encrypted, Bill won’t be able to modify it. b. d = h(k||x) k = secret key shared between Barack and Hillary x = joke h = cryptographic hash function As, Hillary knows the secret code k and has received d, she can compute the authentication code for herself for the received joke x. If the computed MAC is equal to the received MAC, then she can be assured that the joke x is sent by Barack and was not modified by Bill in the middle.
10. This feature allows the admin to block any specific service for the provided connection. This feature allows the admin to block particular websites. Additionally, you can also schedule to block websites at specific times do the day, or some days of the week. You need to enter a keyword or domain name, which the provider will then use to restrict access to certain sites,
This is access control. From this page, the admin can block certain devices from registering to the internet. It can also give the permission to admins to not allow new devices form registering on that network.
Your preview ends here
Eager to read complete document? Join bartleby learn and gain access to the full version
  • Access to all documents
  • Unlimited textbook solutions
  • 24/7 expert homework help
This gives the admins various security permissions, like disabling the firewall protection, disabling port scan and DoS protection. The firewall rules block and prevents any unnecessary access to the Local Area Network. This also gives the admin the ability to disable Port scan and DoS protection. This helps guard a network against those attack that inhibit or stop network availability. A DOS attack is a denial of service attack, which is an attempt to make a computer or network resource unavailable to its intended user.

Related Documents

Gurao_Adityavikram_Tutorial_Two.docx
HW1.docx
Ass Tool_SITXCCS016 Develop Manage Quality Customer Service v 1.1.docx
1.3.4 Lab - Visualizing the Black Hats.docx
IFSM304 Week 4 Discussion.docx
IFSM 304 Week 4 Discussion (3).docx
activity2-Questions.docx
IFSM 304 Week 4 Discussion (4).docx
1-23 CSIA Week 2 Disc.docx
week 5 discussion 2 edu 650.docx
Presentation #2 RAB.pptx
Nencetty_K_Mod4_Wiki.docx