CS419 Exam 1

Fall 2024

Paul Krzyzanowski

October 7, 2024

100 Points - 25 Questions - 4 Points each

For each statement, select the most appropriate answer.

  1. An attack that modifies data without permission violates which part of the CIA Triad?
    (a) Authentication.
    (b) Confidentiality.
    (c) Availability.
    (d) Integrity.
  2. What is a vulnerability in computer security?
    (a) The intentional release of malicious software.
    (b) A protective measure to secure a system.
    (c) A bug or weakness that can be used by attackers.
    (d) An attack on a computer system that bypasses protection mechanisms.
  3. Why is threat modeling important in designing secure systems?
    (a) It helps identify areas where software bugs may exist.
    (b) It enables the monitoring of network traffic to determine suspicious activities.
    (c) It can help prioritize risks and identify areas to focus on securing.
    (d) It allows security engineers to assess the end-to-end security of a system.
  4. A trusted computing base (TCB) is:
    (a) The set of all hardware and software components that work together to keep a system secure.
    (b) A separate processor on a system used for security operations, such as storing biometric data.
    (c) An isolated, highly secure computing environment used for security-critical tasks.
    (d) A system specifically engineered to withstand attacks.
  5. What does Kerckhoffs's Principle state about cryptographic systems?
    (a) The algorithm should remain secret for maximum security.
    (b) Only the key must remain secret, but the algorithm can be public.
    (c) The encryption method should be reversible.
    (d) Encryption keys should be updated periodically.
  6. Polyalphabetic ciphers are an improvement over monoalphabetic ciphers because:
    (a) The same plaintext character may be encoded to different ciphertext characters based on its position.
    (b) They are not restricted to supporting a single language.
    (c) They are faster for encryption and decryption while providing greater security.
    (d) They require shorter keys.
  7. For an encryption scheme to achieve perfect secrecy, which of the following must be true?
    (a) The algorithm must be well-tested, with only the key being secret.
    (b) The key must be long enough to make a brute-force search impractical.
    (c) The algorithm should be secure even if the same key is used to encrypt multiple messages.
    (d) The key must be randomly generated, be as long as the plaintext, and never reused.
  8. The property of confusion in a cipher refers to:
    (a) Making the relationship between the key and the ciphertext as complex as possible.
    (b) An attacker not being able to identify what encryption algorithm was used.
    (c) Mixing false data into the message so the attacker cannot tell which parts are valid.
    (d) Applying a transposition to the generated ciphertext to break up digraphs and trigraphs.
  9. How does an SP-Network achieve both confusion and diffusion in encryption?
    (a) By using S-boxes for substitution and key expansion for diffusion.
    (b) Via private keys to create confusion and public keys for diffusion.
    (c) By applying multiple rounds of substitution and permutation.
    (d) By applying a cipher mode such as counter (CTR) mode.
  10. Why is AES considered secure against brute-force attacks?
    (a) It uses a secure key exchange algorithm.
    (b) It uses large key sizes, making brute-force infeasible.
    (c) It operates with unbreakable keys.
    (d) It is a symmetric algorithm.
  11. How does CBC mode ensure that identical plaintext blocks do not produce identical ciphertext blocks?
    (a) By XORing the previous ciphertext block with the current plaintext block.
    (b) By changing the encryption key for each block.
    (c) By encrypting a different counter value for each block of plaintext.
    (d) By rearranging the plaintext blocks based on an initialization vector (IV) before encryption.
  12. A trapdoor function differs from a one-way function in that:
    (a) It is created through the application of symmetric key cryptography.
    (b) It is easy to compute both the function and its inverse.
    (c) Its output is not always a fixed size.
    (d) Its inverse can be computed only with knowledge of a secret parameter.
  13. For Alice to send data securely to Bob, Alice will encrypt the data with:
    (a) Alice's private key.
    (b) Alice's public key.
    (c) Bob's private key.
    (d) Bob's public key.
  14. How is forward secrecy typically achieved in secure communication protocols?
    (a) By using ephemeral session keys, often generated through protocols like Diffie-Hellman.
    (b) By encrypting the data with a symmetric key and using an X.509 certificate to encrypt the key.
    (c) By using pre-shared keys and a symmetric algorithm to encrypt all communication data.
    (d) By requiring data to be encrypted only in one direction during the communication session.
  15. Approximately how many bits do you expect will change in the 256-bit hash of a 256-byte message if you modify the last byte of the message?
    (a) 1
    (b) 8
    (c) 128
    (d) 256
  16. How does a MAC (Message Authentication Code) differ from a hash?
    (a) A MAC uses a secret key in combination with the message.
    (b) A MAC generates a larger output than a hash function.
    (c) A hash function uses a MAC to provide integrity.
    (d) A MAC is a hash of an encrypted message.
  17. Why are hash functions important in digital signatures?
    (a) They provide message confidentiality.
    (b) They convert large messages into fixed-size digests before signing.
    (c) They generate the encryption key used for signing.
    (d) They enable authentication without using keys.
  18. What is the primary purpose of an X.509 certificate?
    (a) To bind a public key to an identity and provide trust in that identity.
    (b) To encrypt messages between two parties.
    (c) To generate session keys for symmetric encryption.
    (d) To sign digital documents.
  19. What is one way that Kerberos improves the security of the Needham-Schroeder protocol?
    (a) Kerberos eliminates the need for a trusted third party.
    (b) Kerberos uses timestamps to protect against replay attacks.
    (c) Kerberos uses public key cryptography.
    (d) Kerberos does not need session keys for secure communication.
  20. Why is a salt used in combination with password hashes?
    (a) To reduce the size of the password hash.
    (b) To protect against attacks via precomputed hashes.
    (c) To serve as a unique encryption key for the password.
    (d) To add a message authentication code to a stored password.
  21. How does a passkey system authenticate a user?
    (a) By generating a random password for each login attempt.
    (b) By using public key cryptography without the need for a user's password.
    (c) By encrypting a traditional password with a unique key for that service.
    (d) By storing a hash of the password on the server.
  22. In HOTP (Hash-based One-Time Passwords), what happens each time a new password is generated?
    (a) The shared secret key is updated.
    (b) A counter is incremented.
    (c) The server accepts it as valid for a short time, typically 30 seconds.
    (d) The server sends a different challenge value the next time the user logs in.
  23. Why is MFA (Multi-Factor Authentication) considered more secure than using just a password?
    (a) MFA uses stronger encryption algorithms.
    (b) MFA reduces the complexity of passwords, making them easier to remember.
    (c) MFA uses time-based passwords that change every 30 seconds.
    (d) MFA adds additional layers of authentication.
  24. Why is number matching (NMA) considered more secure than a standard push notification?
    (a) It uses symmetric encryption for all communication, avoiding eavesdropping attacks.
    (b) It allows the user to avoid two-factor authentication.
    (c) It doesn't require an internet connection.
    (d) It avoids unintentional approvals by requiring the user to actively transcribe data.
  25. How does a ROC curve assist in selecting the threshold for a biometric system?
    (a) It helps determine the trade-off between false acceptances and false rejections.
    (b) It optimizes the system for faster processing.
    (c) It helps prioritize authentication performance over user enrollment.
    (d) It makes it possible to normalize biometric data for efficient matching.
Last modified February 19, 2025.