Answer Tut10

Answer to Tutorial 10 – Information Security

1. What are cryptography, cryptanalysis, and cryptology?

Answer:

Cryptography is the study of mathematical techniques to provide the security of information over insecure channels.

Cryptanalysis is the study of mathematical techniques for attempting to defeat information security services.

Cryptology is the study of cryptography and cryptanalysis.

2. What were some of the first uses of cryptography?

Answer:

Concealing military and political secrets while they were transported from place to place.

3. What is a key, and what is it used for?

Answer:

The information used in conjunction with an algorithm to create the ciphertext from the plaintext or derive the plaintext from the ciphertext; the key can be a series of bits used by a computer program, or it can be a passphrase used by humans that is then converted into a series of bits for use in the computer program.

4. What is a hash function, and what can it be used for?

Answer:

Hash functions are mathematical algorithms that generate a message summary or digest (sometimes called a fingerprint) to confirm the identity of a specific message and to confirm that there have not been any changes to the content.

5. What is the fundamental difference between symmetric and asymmetric encryption?

Answer:

Asymmetric encryption is also known as public key encryption. It uses two different keys to encrypt messages, the public key and the private key. The public key is stored in a public location where anyone can use it.

Symmetric encryption is different because it uses only one key to encrypt and decrypt messages. Symmetric encryption is much faster for the computer to process, however it raises the costs of key management. Symmetric encryption, also called private key encryption, is where the same key is used to conduct both the encryption and decryption of the message. Both the sender and receiver must own encryption of the key. The problem with symmetric encryption is getting a copy of the key to the sender.

6. What are the five components of PKI?

Answer:

(i) A certificate authority (CA), which issues, manages, authenticates, signs, and revokes users' digital certificates, which typically contain the user's name, public key, and other identifying information.

(ii) A registration authority (RA), which operates under the trusted collaboration of the certificate authority and can be delegated day-to-day certification functions, such as verifying registration information about new registrants, generating end-user keys, revoking certificates, and validating that users possess a valid certificate.

(iii) Certificate directories, which are central locations for certificate storage that provide a single access point for administration and distribution.

(iv) Management protocols, which organize and manage the communications between CAs, RAs, and end users. This includes the functions and procedures for setting up new users, issuing keys, recovering keys, updating keys, revoking keys, and enabling the transfer of certificates and status information among the parties involved in the PKI's area of authority.

(v) Policies and procedures that assist an organization in the application and management of certificates, the formalization of legal liabilities and limitations, and actual business practice use.

7. What is the difference between digital signatures and digital certificates?

Answer:

A certificate is a wrapper for a key value. A signature is a combination of a message digest and other information used to assure non-repudiation.

8. What is steganography, and what may it be used for?

Answer:

Steganography is a process used to hide messages within digital encoding of pictures and graphics. This is a concern for the security professional because hidden messages are not easily detected and can contain sensitive information that needs to be protected.

9. What security protocols are predominantly used in Web-based electronic commerce?

Answer:

S-HTTP, SET, SSL, SSH-2, and IPSec.

10. What security protocols are used to protect e-mail?

Answer:

S/MIME, PEM and PGP.

11. IPSec can be used in two modes. What are they?

Answer:

Transport and tunnel modes.

12. Which kind of attack on cryptosystems involves using a collection of pre-identified terms?

Answer:

A dictionary attack uses pre-identified terms.

13. Which kind of attack involves sequential guessing of all possible key combinations?

Answer:

A brute-force attack tries all possible combinations.

14. What is the average key size of a strong encryption system in use today?

Answer:

Web-based SSL has standardized on 128 bits as of late 2004.

15. What is the standard for encryption currently recommended by NIST?

Answer:

AES, the Advanced Encryption Standard.
