INFT 865/INFS 766

SPRING 2000, RAVI SANDHU

`SAMPLE QUESTIONS

 

1.      Give one example each of a confidentiality, integrity, availability and usage security requirement.

 

2.      Is it possible for the same firewall, identically configured, to result in high risk for one organization and low risk for another?  Explain.

 

3.       Explain the most important (one or two) advantages and disadvantages of packet-filtering firewalls and application gateways.

 

4.      What is the problem of IP spoofing?

 

5.       Many firewalls are configured to forbid any UDP traffic across the firewall.  What do you think is so?

 

6.      Outline the steps involved in a web browser on a desktop PC on the internal network getting access to a web server on the external internet via a proxy on the firewall.

 

7.       Outline the steps involved in allowing a specific user Telnet access to a specific server on the internal network via a telnet proxy on the firewall.

 

8.      Explain the difference between authentication and non-repudiation.

 

9.      Discuss the claim that dictionary attacks are computationally infeasible against a 128 bit secret-key cryptosystem.

 

10.   Why are message digests needed?

 

11. Explain how transport and tunnel modes of IPSEC can be profitably used together.  Identify what threats are addressed by each one.  Argue that the overall result cannot be achieved by one mode alone.

 

12. Explain the difference in security service between a packet protected by (a) ESP followed by AH and (b) a packet protected by ESP w/Auth.

 

13. Pick any key-establishment protocol that uses cookies to foil resource-clogging attacks.  For this protocol, explain how a resource-clogging attack would be carried out in the absence of cookies, and then show how cookies prevent this attack.

 

14.   Consider any key-establishment protocol that allows perfect forward secrecy by means of ephemeral Diffie-Hellman.  Pick one protocol.  Explain how the loss of a long-term key does not cause previous session keys to be compromised.

 

15.   Phase 1 of IKE has two modes (Main and Aggressive) and 4 authentication alternatives for each mode (public-key signature, preshared-key, public-key encryption, and revised public-key encryption).  This gives a total of eight alternatives.  Describe what security services are provided by each of these 8 alternatives.

 

16. Explain the concept of perfect forward secrecy (PFS).  It is claimed that PFS is important for confidentiality services but not for authentication services.  Give arguments for and against this claim.

 

17. Consider a MAC algorithm constructed from a message digest (also known as keyed message digest or integrity check value).  Explain how a brute-force attack would be carried out on a MAC.  Is the weak or strong nature of the underlying message digest important in this situation?

 

18. Assume that every computer on the Internet is fully capable to do IPSEC along with key management and security association management.  Will there be any need for firewalls?  Discuss.

 

19.   It is claimed that a large-scale open cryptographic infrastructure requires long term public keys and short term secret keys.  Give arguments in support of this claim.  Can you identify situations where short term public keys are useful?  How about situation where long term secret keys are useful?

 

20.   Briefly explain the following concepts from IPSEC: (a) Replay prevention, (b) Security association, (c) Security Parameter Index.