INFS 766
RAVI SANDHU
SAMPLE QUESTIONS
1. Give one
example each of a confidentiality, integrity, availability and usage security
requirement.
2. Is it
possible for the same firewall, identically configured, to result in high risk
for one organization and low risk for another?
Explain.
3.
Explain the most important (one or two) advantages and
disadvantages of packet-filtering firewalls and application gateways.
4. What is
the problem of IP spoofing?
5.
Many firewalls are configured to forbid any UDP traffic
across the firewall. What do you think
is so?
6. Outline
the steps involved in a web browser on a desktop PC on the internal network
getting access to a web server on the external internet via a proxy on the
firewall.
7.
Outline the steps involved in allowing a specific user
Telnet access to a specific server on the internal network via a telnet proxy
on the firewall.
8. Explain
the difference between authentication and non-repudiation.
9. Discuss
the claim that dictionary attacks are computationally infeasible against a 128
bit secret-key cryptosystem.
10.
Why are message digests needed?
11. Explain
how transport and tunnel modes of IPSEC can be profitably used together. Identify what threats are addressed by each
one. Argue that the overall result
cannot be achieved by one mode alone.
12. Explain
the difference in security service between a packet protected by (a) ESP
followed by AH and (b) a packet protected by ESP w/Auth.
13. Pick any
key-establishment protocol that uses cookies to foil resource-clogging attacks. For this protocol, explain how a
resource-clogging attack would be carried out in the absence of cookies, and
then show how cookies prevent this attack.
14.
Consider any key-establishment protocol that allows perfect
forward secrecy by means of ephemeral Diffie-Hellman. Pick one protocol.
Explain how the loss of a long-term key does not cause previous session
keys to be compromised.
15.
Phase 1 of IKE has two modes (Main and Aggressive) and 4
authentication alternatives for each mode (public-key signature, preshared-key,
public-key encryption, and revised public-key encryption). This gives a total of eight
alternatives. Describe what security
services are provided by each of these 8 alternatives.
16. Explain
the concept of perfect forward secrecy (PFS).
It is claimed that PFS is important for confidentiality services but not
for authentication services. Give
arguments for and against this claim.
17. Consider a
MAC algorithm constructed from a message digest (also known as keyed message
digest or integrity check value).
Explain how a brute-force attack would be carried out on a MAC. Is the weak or strong nature of the
underlying message digest important in this situation?
18. Assume
that every computer on the Internet is fully capable to do IPSEC along with key
management and security association management. Will there be any need for firewalls? Discuss.
19. It is
claimed that a large-scale open cryptographic infrastructure requires long term
public keys and short term secret keys.
Give arguments in support of this claim. Can you identify situations where short term public keys are
useful? How about situation where long
term secret keys are useful?
20. Briefly
explain the following concepts from IPSEC: (a) Replay prevention, (b) Security
association, (c) Security Parameter Index.