Information Security Final Exam Paper

1. What are basic components of computer security? Try to give the connotation of each item in your list.

Ans: Confidentiality: Keeping data and resources hidden.

Integrity: refers to the trustworthiness of data or resources, and it is usually phrased in terms of preventing improper or unauthorized change. Integrity includes data integrity and origin integrity.

Availability: refers to the ability to use the information or resource desired, enabling access to data and resources.

2. What are security policy and security mechanism?

Ans: A security policy is a statement of what is, and what is not, allowed.

A security mechanism is a method, tool, or procedure for enforcing a security policy.

3. What are differences between MAC and DAC? / What are MAC and DAC?

Ans: MAC: identity is irrelevant, system mechanism controls access to object, and individual cannot alter that access.

DAC: is based on user identity, individual user sets access control mechanism to allow or deny access to an object.

• Discretionary Access Control (DAC, IBAC)
  - individual user sets access control mechanism to allow or deny access to an object

• Mandatory Access Control (MAC)
  - system mechanism controls access to object, and individual cannot alter that access

4. Consider a computer system with three users: Alice, Bob and Cyndy. Alice owns the file alicerc, and Bob and Cyndy can read it. Cyndy can read and write Bob's file bobrc, but Alice can only read it. Only Cyndy can read and write her file cyndyrc. Assume that the owner of each of these files can execute it.

• Create the corresponding access control matrix.

• Cyndy gives Alice permission to read cyndyrc. And Alice removes Bob's ability to read alicerc. Show the new access control matrix.

(Certain to be on the exam)

Ans:

(r = read, w = write, o = owns, x = execute)

         alicerc   bobrc   cyndyrc
Alice    ox        r
Bob      r         ox
Cyndy    r         rw      orwx

New access control matrix:

         alicerc   bobrc   cyndyrc
Alice    ox        r       r
Bob                ox
Cyndy    r         rw      orwx

Ans:

The Caesar cipher is a classical cipher. Sender, receiver share common key.

Keys may be the same, or trivial to derive from one another.

Two basic types: Transposition ciphers and Substitution ciphers. Problem: Key is too short.

(Transposition ciphers:

Plaintext is HELLO WORLD

Rearrange as

    HLOOL
    ELWRD

Ciphertext is HLOOL ELWRD

Substitution ciphers: Plaintext is HELLO WORLD

Change each letter to the third letter following it (X goes to A, Y to B, Z to C)

Key is 3, usually written as letter

Ciphertext is KHOOR ZRUOG)

Vigenère Cipher: Like Caesar cipher, but use a phrase

Example

Message THE BOY HAS THE BALL

Key VIG

Encipher using Caesar cipher for each letter:

    key     VIGVIGVIGVIGVIGV
    plain   THEBOYHASTHEBALL
    cipher  OPKWWECIYOPKWIRG

6. What are definitions of object and subject? (Very likely to be on the exam)

Ans:

The set of all protected entities (that is, entities that are relevant to the protection state of the system) is called the set of objects O.

The set of subjects S is the set of active objects, such as processes and users.

A subject can be an object, but not vice versa.

7. Specify the algorithm of public key digital signatures.

Ans:

Sender uses hash function to compress the plaintext to generate the hash value, and then sender uses the private key to encrypt the hash value. The hash value after encryption and the plaintext are passed to the receiver. The receiver then uses the public key of the sender to decrypt, and the receiver uses the hash function to compress the plaintext and generate another hash value. Finally the two hash values are compared: if they are equal, it is the real signature, otherwise not.

8. List the basic requirements of cryptographic checksum function.

Ans:

Cryptographic checksum $h: A \to B$:

- For any $x \in A$, $h(x)$ is easy to compute
- For any $y \in B$, it is computationally infeasible to find $x \in A$ such that $h(x) = y$
- It is computationally infeasible to find two inputs $x, x' \in A$ such that $x \ne x'$ and $h(x) = h(x')$
- Alternate form (stronger): Given any $x \in A$, it is computationally infeasible to find a different $x' \in A$ such that $h(x) = h(x')$.

9. What are differences between the classical key cryptography and public key cryptography? (Certain to be on the exam)

Ans:

The classical key cryptography has one key. Sender, receiver share common key. Keys may be the same, or trivial to derive from one another.

Public key cryptography has two keys: private key known only to individual, public key available to anyone.

II"ibiIcprimenumber:.」

(Note: the answer may not be unique)

Ans:

$n = pq = 91$, $\phi(n) = (p-1)(q-1) = 72$, $e \cdot d \bmod \phi(n) = 1$, $e = 5$, $d = 29$.

Public key: $(e, n) = (5, 91)$

Private key: $d = 29$

11. Classes of Threats

Ans:

• Disclosure
  - Snooping
• Deception
  - Modification, spoofing, repudiation of origin, denial of receipt
• Disruption
  - Modification
• Usurpation
  - Modification, spoofing, delay, denial of service

12. Goals of Security

Ans:

• Prevention
  - Prevent attackers from violating security policy
• Detection
  - Detect attackers' violation of security policy
• Recovery
  - Stop attack, assess and repair damage
  - Continue to function correctly even if attack succeeds

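13. Access Control Matrix Model

Ans:

- Subjects $S = \{s_1, \ldots, s_n\}$
- Objects $O = \{o_1, \ldots, o_m\}$
- Rights $R$
- Entries $A[s_i, o_j] \subseteq R$
- $A[s_i, o_j] = \{r_x, \ldots, r_y\}$ means subject $s_i$ has rights $r_x, \ldots, r_y$ over object $o_j$.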

14. Types of Security Policies

Ans:

• Military (governmental) security policy
  - Policy primarily protecting confidentiality
• Commercial security policy
  - Policy primarily protecting integrity
• Confidentiality policy
  - Policy protecting only confidentiality
• Integrity policy
  - Policy protecting only integrity

15. Integrity and Transactions

Ans:

• Begin in consistent state
  - "Consistent" defined by specification
• Perform series of actions (transaction)
  - Actions cannot be interrupted
  - If actions complete, system in consistent state
  - If actions do not complete, system reverts to beginning (consistent) state

16. Security levels

Ans:

- Top Secret: highest
- Secret
- Confidential
- Unclassified: lowest

Reading Information

• Information flows up, not down
  - "Reads up" disallowed, "reads down" allowed
• Simple Security Condition (Step 1)
  - Subject $s$ can read object $o$ iff $L(o) \le L(s)$ and $s$ has permission to read $o$
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called "no reads up" rule

Writing Information

• Information flows up, not down
  - "Writes up" allowed, "writes down" disallowed
• *-Property (Step 1)
  - Subject $s$ can write object $o$ iff $L(s) \le L(o)$ and $s$ has permission to write $o$
    • Note: combines mandatory control (relationship of security levels) and discretionary control (the required permission)
  - Sometimes called "no writes down" rule

17. Levels and Lattices

Ans:

• $(A, C)$ dom $(A', C')$ iff $A' \le A$ and $C' \subseteq C$
• Examples
  - (Top Secret, {NUC, ASI}) dom (Secret, {NUC})
  - (Secret, {NUC, EUR}) dom (Confidential, {NUC, EUR})
  - (Top Secret, {NUC}) ¬dom (Confidential, {EUR})
• Let C be set of classifications, K set of categories. Set of security levels $L = C \times K$, dom form lattice (partial ordering)
  - $\mathrm{lub}(L) = (\max(A), C)$
  - $\mathrm{glb}(L) = (\min(A), \emptyset)$
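
The dom relation and the two Step 1 rules from questions 16 and 17 as runnable checks, added here as an illustration and not part of the original sheet. It generalizes slightly: the read and write rules use dom on (classification, category set) pairs, and lub/glb are computed for a pair of levels; the names `Level`, `level`, `can_read` and `can_write` are assumptions.

```python
from dataclasses import dataclass

# Classification order from the notes: Top Secret is highest, Unclassified lowest.
RANK = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top Secret": 3}

@dataclass(frozen=True)
class Level:
    classification: str
    categories: frozenset = frozenset()

def level(classification, *categories):
    """Convenience constructor (hypothetical helper for this example)."""
    return Level(classification, frozenset(categories))

def dom(a, b):
    """(A, C) dom (A', C') iff A' <= A and C' is a subset of C."""
    return (RANK[b.classification] <= RANK[a.classification]
            and b.categories <= a.categories)

def can_read(subj, obj, has_read_permission):
    # Simple security condition ("no reads up"): the mandatory check
    # must pass AND the subject must hold the discretionary permission.
    return dom(subj, obj) and has_read_permission

def can_write(subj, obj, has_write_permission):
    # *-property ("no writes down"): the object's level must dominate
    # the subject's, plus the discretionary permission.
    return dom(obj, subj) and has_write_permission

def lub(a, b):
    # Least upper bound: higher classification, union of categories.
    top = max(a.classification, b.classification, key=RANK.get)
    return Level(top, a.categories | b.categories)

def glb(a, b):
    # Greatest lower bound: lower classification, shared categories only.
    low = min(a.classification, b.classification, key=RANK.get)
    return Level(low, a.categories & b.categories)

if __name__ == "__main__":
    s = level("Secret", "NUC")
    print("read Confidential/NUC:", can_read(s, level("Confidential", "NUC"), True))
    print("read Top Secret/NUC:  ", can_read(s, level("Top Secret", "NUC"), True))
    print("write Confidential/NUC:", can_write(s, level("Confidential", "NUC"), True))
```

The third example from the sheet, (Top Secret, {NUC}) against (Confidential, {EUR}), fails `dom` in both directions: the two levels are incomparable, which is why the ordering is only partial.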

18. Biba's Model

Ans:

1. $s \in S$ can read $o \in O$ iff $i(s) \le i(o)$
2. $s \in S$ can write to $o \in O$ iff $i(o) \le i(s)$
3. $s_1 \in S$ can execute $s_2 \in S$ iff $i(s_2) \le i(s_1)$

19. Operational Issues

Ans:

• Cost-Benefit Analysis
  - Is it cheaper to prevent or recover?
• Risk Analysis
  - Should we protect something?
  - How much should we protect this thing?
• Laws and Customs
  - Are desired security measures illegal?
  - Will people do them?

20. Human Issues

Ans:

• Organizational Problems
  - Power and responsibility
  - Financial benefits
• People problems
  - Outsiders and insiders
  - Social engineering

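21. Mapping

Ans:

[Figures: access control matrices representing a Turing machine tape. Initially the cells hold A, B, C, D with the head on the third cell; subjects s1 to s4 each hold the symbol of their cell, adjacent subjects are linked by the own right, the third cell also carries the state k, and the last cell is marked end. The matrix is shown again after $\delta(k, C) = (k_1, X, R)$, where $k$ is the current state and $k_1$ the next state, and after $\delta(k_1, D) = (k_2, Y, R)$, where $k_1$ is the current state and $k_2$ the next state; the last step adds a subject s5 holding the blank symbol b, the state k2 and the end mark.]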

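22. ALL

The Vigenère tableau

        A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

    A   A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
    B   B C D E F G H I J K L M N O P Q R S T U V W X Y Z A
    C   C D E F G H I J K L M N O P Q R S T U V W X Y Z A B
    D   D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
    E   E F G H I J K L M N O P Q R S T U V W X Y Z A B C D
    F   F G H I J K L M N O P Q R S T U V W X Y Z A B C D E
    G   G H I J K L M N O P Q R S T U V W X Y Z A B C D E F
    H   H I J K L M N O P Q R S T U V W X Y Z A B C D E F G
    I   I J K L M N O P Q R S T U V W X Y Z A B C D E F G H
    J   J K L M N O P Q R S T U V W X Y Z A B C D E F G H I
    K   K L M N O P Q R S T U V W X Y Z A B C D E F G H I J
    L   L M N O P Q R S T U V W X Y Z A B C D E F G H I J K
    M   M N O P Q R S T U V W X Y Z A B C D E F G H I J K L
    N   N O P Q R S T U V W X Y Z A B C D E F G H I J K L M
    O   O P Q R S T U V W X Y Z A B C D E F G H I J K L M N
    P   P Q R S T U V W X Y Z A B C D E F G H I J K L M N O
    Q   Q R S T U V W X Y Z A B C D E F G H I J K L M N O P
    R   R S T U V W X Y Z A B C D E F G H I J K L M N O P Q
    S   S T U V W X Y Z A B C D E F G H I J K L M N O P Q R
    T   T U V W X Y Z A B C D E F G H I J K L M N O P Q R S
    U   U V W X Y Z A B C D E F G H I J K L M N O P Q R S T
    V   V W X Y Z A B C D E F G H I J K L M N O P Q R S T U
    W   W X Y Z A B C D E F G H I J K L M N O P Q R S T U V
    X   X Y Z A B C D E F G H I J K L M N O P Q R S T U V W
    Y   Y Z A B C D E F G H I J K L M N O P Q R S T U V W X
    Z   Z A B C D E F G H I J K L M N O P Q R S T U V W X Y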

Attacking the Cipher

• Exhaustive search
  - If the key space is small enough, try all possible keys until you find the right one
  - Caesar cipher has 26 possible keys
• Statistical analysis
  - Compare to 1-gram model of English

Classical Cryptography

• Sender, receiver share common key
  - Keys may be the same, or trivial to derive from one another
  - Sometimes called symmetric cryptography
• Two basic types
  - Transposition ciphers
  - Substitution ciphers
  - Combinations are called product ciphers

Attacks

• Opponent whose goal is to break cryptosystem is the adversary
  - Kerckhoffs' Assumption: adversary knows algorithm used, but not key.
• Three types of attacks:
  - ciphertext only: adversary has only ciphertext; goal is to find plaintext, possibly key
  - known plaintext: adversary has ciphertext, corresponding plaintext; goal is to find key
  - chosen plaintext: adversary may supply plaintexts and obtain corresponding ciphertext; goal is to find key

Algorithm

• Choose two large prime numbers $p$, $q$
  - Let $n = pq$; then $\phi(n) = (p-1)(q-1)$
  - Choose $e < n$ such that $e$ is relatively prime to $\phi(n)$.
  - Compute $d$ such that $ed \bmod \phi(n) = 1$
• Public key: $(e, n)$; private key: $d$
• Encipher: $c = m^e \bmod n$
• Decipher: $m = c^d \bmod n$
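
The signing procedure from question 7, run with the Algorithm steps above and the toy key from the earlier RSA answer (n = 91, e = 5, d = 29), as an added example that is not part of the original sheet. The function names and the sample message are assumptions made for the illustration; a 7-bit modulus and unpadded RSA are for hand-checking only.

```python
import hashlib
from math import gcd

def make_key(p, q, e):
    """Return (n, e, d) following the Algorithm steps; p, q distinct primes."""
    n, phi = p * q, (p - 1) * (q - 1)
    if not (1 < e < n and gcd(e, phi) == 1):
        raise ValueError("e must be relatively prime to phi(n)")
    d = pow(e, -1, phi)          # d such that e*d mod phi(n) = 1
    return n, e, d

def encipher(m, e, n):
    return pow(m, e, n)          # c = m^e mod n

def decipher(c, d, n):
    return pow(c, d, n)          # m = c^d mod n

def digest(message, n):
    # Hash the plaintext, then reduce it below n so the toy key can process it.
    # Reducing mod 91 throws away almost all of the hash: illustration only.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, d, n):
    # Sender: transform the hash value with the private key.
    return pow(digest(message, n), d, n)

def verify(message, signature, e, n):
    # Receiver: recover the hash with the sender's public key,
    # recompute the hash of the received plaintext, compare the two.
    return pow(signature, e, n) == digest(message, n)

# The sheet's answer: p = 7, q = 13, e = 5 gives n = 91, d = 29.
N, E, D = make_key(7, 13, 5)

if __name__ == "__main__":
    msg = b"constructed sample message"
    sig = sign(msg, D, N)
    print("public key:", (E, N), "private key d =", D)
    print("valid signature accepted:  ", verify(msg, sig, E, N))
    print("altered signature accepted:", verify(msg, (sig + 1) % N, E, N))
```

With only 91 possible digest values, many different messages share a signature, which is the practical reason the Algorithm asks for large primes.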

Assurance (memorize)

• Specification
  - Requirements analysis
  - Statement of desired functionality
• Design
  - How system will meet specification
• Implementation
  - Programs/systems that carry out design

Tying Together (memorize)

Security Policy

• Policy partitions system states into:
  - Authorized (secure)
    • These are states the system can enter
  - Unauthorized (nonsecure)
    • If the system enters any of these states, it's a security violation
• Secure system
  - Starts in authorized state
  - Never enters unauthorized state

Problems

• How does Bob know he is talking to Alice?
  - Replay attack: Eve records message from Alice to Bob, later replays it; Bob may think he's talking to Alice, but he isn't
  - Session key reuse: Eve replays message from Ali
