Unit 10 Flashcards
For each of the following scenarios, which type of interference is taking place?
(a) Alice alters Bob’s file without permission.
(b) A hacker deploys software to observe packets travelling on a network.
(c) A website receives a flood of requests for a web page, preventing callers from viewing the site.
(d) A user receives an email appearing to be from his supervisor, who did not send the email.
(a) Modification
(b) Interception
(c) Interruption
(d) Fabrication
How many possible Caesar ciphers are there in English?
Assuming a 26-character alphabet (ignoring, for example, punctuation), there are 25 possible substitutions.
How would you decode an English message encoded in ROT13, assuming a 26-character alphabet?
You would apply the same function again! The cipher is its own inverse. Two shifts of 13 return you to your starting point in the English alphabet. In this case the encryption key and the decryption key have the same value.
Why is public key cryptography called asymmetric and private key cryptography called symmetric?
In public key cryptography there are two different keys, the public key and private key, one used for encryption and the other for decryption.
In private key cryptography there is one key, the secret key, suitable for both encryption and decryption.
What classes of cipher might you be likely to use in the following circumstances?
(a) Storing passwords in a local file
(b) Proving you sent an email
(c) Using a wireless connection on your laptop
(d) Encrypting files on a file system
(a) Hash - a hash function provides a quick way of associating an input with a numerical output
(b) Public key and hash (for signing) -
(c) Stream - encrypt communications of unknown length ‘on the fly’
(d) Block cipher - which transforms fixed-length blocks of plaintext into ciphertext
What is a secure channel?
A secure channel is a communication channel between a pair of processes that can authenticate each other and provides confidentiality and integrity services, including time stamping.
Give an example of a handshake in SSL.
Cipher negotiation and certificate exchange are examples.
Why would a class loader check for overriding of final methods, when this check is already performed by a compiler before producing a class file?
The class loader is examining bytecode, which could have been altered since compilation.
Why would a security policy require that the security manager could only be set once?
This means that another manager cannot be substituted, so the ways in which checks are performed cannot be altered.
State the two steps required to implement permissions-based security for an application.
1 A security manager must be installed for the application, either on the command line or in the code.
2 A policy must be specified, either dynamically (by executing some code) or statically (using default policy files or a specified policy file).
Explain the purpose of the following entry in a policy file. Identify the target and the action.
grant codeBase "http://www.gggg.com"
{
    // Backslashes in a policy-file path string must be doubled.
    permission java.io.FilePermission "C:\\database.dat", "read";
};
This is a policy entry granting FilePermission to code from the code base http://www.gggg.com, allowing that code to carry out “read” actions on the file database.dat.
In the following scenario, identify possible subject(s) and principal(s).
Jane Doe wishes to make an online purchase. Jane will first need to authenticate herself to her computer by logging in. Once online, she logs in to her shopping website account and makes a purchase using her credit card. Later she visits the website of the department of motor vehicle licences and enters her driving licence number to check that her contact information is correct.
The user Jane is the subject.
The principals are her user IDs for her computer and for the online shop. (The passwords in each case are credentials used to authenticate her.)
Another principal is the driving licence number Jane used to log in to the motor vehicle licensing website.
Why would you normally want to implement the equals method of an implementation of Principal?
You need to implement equals so that the system can compare one principal to another. If you do not do this, your principal will inherit equals from Object, and equality will be determined based on principal references rather than their contents.
Why do you think the PrivilegedAction interface is required?
An instance of a class implementing the PrivilegedAction interface encapsulates and demarcates the work to be done with a set of privileges.
This means that there is less chance of accidentally invoking code with certain privileges, and also it is clear when that set of privileges stops applying and we go back to using the thread’s context.
Distinguish between a subject and a principal.
A subject is an entity that can be authenticated, that is, a source of a request to perform some action.
A principal is an identity associated with an authenticated subject.