Marking Scheme: Sri Lanka Institute of Advanced Technological Education

This document contains a marking scheme for an examination on operating systems and information security. It lists 5 questions to be answered in 2 hours. Question 1 has parts on the security triad concepts, defining security services, and matching terms to descriptions. Question 2 is on symmetric encryption requirements and components. Question 3 covers cryptographic algorithm types and examples. Question 4 explains cryptographic techniques like brute force searching, substitution ciphers, one-time pads, rail fence cipher, product ciphers and steganography. Question 5 asks about implementing access security according to a network access security model.


[All Rights Reserved]

SLIATE
SRI LANKA INSTITUTE OF ADVANCED TECHNOLOGICAL EDUCATION
(Established in the Ministry of Higher Education, vide in Act No. 29 of 1995)

Higher National Diploma in Information Technology


Second Year, First Semester Examination – 2016
HNDIT 2301 – Operating System and Information Security /

IT 3004 – Operating System and Computer Security /

HNDIT 2301 - Operating System and Cryptography

Marking Scheme
Instructions for Candidates:
Answer only 04 Questions
Time: Two (02) hours
No. of Questions: 05
No. of Pages: 04

Q1 i. There are 3 basic concepts associated with information security,
together called the security triad. One of them is Confidentiality.
Name the other two. (02 Marks)

Integrity 01 mark
Availability 01 mark

ii. Write the definition of a Security Service given in the X.800 OSI
Security Architecture. (03 Marks)
X.800 defines it as: a service provided by a protocol layer
of communicating open systems, which ensures adequate
security of the systems or of data transfers.

iii. Some descriptions used in Information Security are given below.
Write the suitable term that matches each description.
a) A weak point in a system where a threat can sneak in.
b) Any procedure that is in place to assure security of a system.
c) A potential damage that can be materialized through some
flaw in the system.
(06 Marks)
a) A weak point in a system where a threat can sneak in.
Vulnerability 02 marks
b) Any procedure that is in place to assure security of a system.
Control 02 marks
c) A potential damage that can be materialized through some flaw in the system.
Threat 02 marks

iv. The X.800 OSI Security Architecture categorizes security
mechanisms in two ways. Name the two categories and give
examples for each. (08 Marks)
specific security mechanisms: 02 marks
encipherment, digital signatures, access controls, data integrity,
authentication exchange, traffic padding, routing control, notarization
(any two) 01 mark x2 = 02 marks
pervasive security mechanisms: 02 marks
trusted functionality, security labels, event detection,
security audit trails, security recovery
(any two) 01 mark x2 = 02 marks

v. Assume you are the Network Administrator of your
organization. You want to improve Access Security. Briefly
explain how you would implement it according to the Model for Network
Access Security. (06 Marks)
select appropriate gatekeeper functions to identify users 02 marks
provide a suitable example 01 mark
implement security controls to ensure only authorised users access
designated information or resources 02 marks
provide a suitable example 01 mark


(25 Marks)

HNDIT 2301 Operating system & Information Security (new) 2016 1st semester
2
Q2 i. There are two requirements for secure use of symmetric
encryption. Name them. (02 Marks)
a strong encryption algorithm 01 mark
a secret key known only to sender / receiver 01 mark
ii. State three components related to the Symmetric Cipher Model with
a suitable diagram. (06 Marks)
• plaintext
• ciphertext
• cipher
• Security key
• encipher (encrypt)
• decipher (decrypt)
any 03 components: 01 mark x3 = 03 marks
diagram: 03 marks

iii. Cryptographic techniques can be characterized in three ways.
One of them is "how the plain text is processed". Give two
cryptographic algorithm types used to process plain text, with
examples for each type. (04 Marks)
two algorithm types:
Block Cipher 01 mark
Stream Cipher 01 mark
Example for Block Cipher:
Blowfish algorithm 01 mark
Example for Stream Cipher:
RC4 algorithm 01 mark

iv. Briefly explain any four from the following list. (08 Marks)
a) Brute Force Search
b) Substitution Ciphers
c) One-Time Pad
d) Rail Fence Cipher
e) Product Ciphers
f) Steganography

Brute Force Search:
• always possible to simply try every key
• most basic attack, proportional to key size
• assume we either know or can recognise the plaintext
02 marks
Or any relevant answer
Substitution Ciphers:
• where letters of plaintext are replaced by other letters or by numbers or symbols
02 marks
Or any relevant answer
One-Time Pad:
• a random key as long as the message is used, called a One-Time Pad
• is unbreakable since cipher text bears no statistical relationship to the plaintext
• usually the key is changed every time a message is sent
02 marks
Or any relevant answer
Rail Fence Cipher:
• is a Transposition Cipher
• write message letters out diagonally over a number of rows
• then read off cipher row by row
or
• explain it by example
02 marks
Or any relevant answer
Product Ciphers:
Using several ciphers together, e.g.:
– two substitutions make a more complex substitution
– two transpositions make a more complex transposition
– but a substitution followed by a transposition makes a new, much harder cipher
02 marks
Or any relevant answer
Steganography:
• This is an alternative method to encryption
• Hide the message in an image, sound or video
02 marks
Or any relevant answer
v. Convert the following word "block" into cipher text using the Caesar
Cipher algorithm as given below:
C = ( P + 3 ) mod ( 26 ) (05 Marks)
Plain text   P    P + 3   ( P + 3 ) mod ( 26 )   Cipher text
b            2    5       5                      E             01 mark
l            12   15      15                     O             01 mark
o            15   18      18                     R             01 mark
c            3    6       6                      F             01 mark
k            11   14      14                     N             01 mark
(25 Marks)
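Added example (not part of the marking scheme): the Caesar shift from Q2 v together with the brute force search, rail fence transposition, product cipher and one-time pad from Q2 iv, written as working Python so each worked answer above can be reproduced. Everything beyond the formula C = (P + 3) mod 26 is my own construction: the function names, the a=1 ... z=26 numbering used to reproduce the table (the cipher functions themselves use a=0), and the sample message "meetmeafterthetogaparty" are assumptions, not taken from the marking scheme.

```python
# Added example (not part of the marking scheme): the techniques from Q2 iv and
# Q2 v as working code, so the worked answers can be reproduced and checked.
import secrets
import string

ALPHABET = string.ascii_lowercase


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Substitution cipher C = (P + shift) mod 26, applied letter by letter.
    Letters are numbered a=0 ... z=25 here; non-letters pass through."""
    out = []
    for ch in plaintext:
        if ch.lower() in ALPHABET:
            p = ALPHABET.index(ch.lower())
            out.append(ALPHABET[(p + shift) % 26].upper())
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    return caesar_encrypt(ciphertext, -shift).lower()


def caesar_table(word: str, shift: int = 3):
    """Rows (plain, P, P+shift, (P+shift) mod 26, cipher) in the a=1 ... z=26
    numbering used by the marking scheme's table (a value of 0 means z)."""
    rows = []
    for ch in word.lower():
        p = ALPHABET.index(ch) + 1
        reduced = (p + shift) % 26
        rows.append((ch, p, p + shift, reduced, ALPHABET[(reduced - 1) % 26].upper()))
    return rows


def caesar_brute_force(ciphertext: str, known_fragment: str) -> int:
    """Brute force search: the key space is only 26 shifts, so try every key
    and keep the one whose output contains plaintext we can recognise."""
    for shift in range(26):
        if known_fragment in caesar_decrypt(ciphertext, shift):
            return shift
    raise ValueError("no shift produced the expected fragment")


def _rail_pattern(length: int, rails: int):
    """Row visited by each position when letters are written in a zig-zag."""
    if rails < 2:
        return [0] * length
    cycle = 2 * (rails - 1)
    return [min(i % cycle, cycle - i % cycle) for i in range(length)]


def rail_fence_encrypt(plaintext: str, rails: int) -> str:
    """Transposition: write the message diagonally over `rails` rows, then read
    the cipher text off row by row."""
    pattern = _rail_pattern(len(plaintext), rails)
    order = sorted(range(len(plaintext)), key=lambda i: (pattern[i], i))
    return "".join(plaintext[i] for i in order)


def rail_fence_decrypt(ciphertext: str, rails: int) -> str:
    """Rebuild the zig-zag order and put each cipher letter back in place."""
    pattern = _rail_pattern(len(ciphertext), rails)
    order = sorted(range(len(ciphertext)), key=lambda i: (pattern[i], i))
    plain = [""] * len(ciphertext)
    for ch, i in zip(ciphertext, order):
        plain[i] = ch
    return "".join(plain)


def product_encrypt(plaintext: str, shift: int, rails: int) -> str:
    """Product cipher: a substitution followed by a transposition."""
    return rail_fence_encrypt(caesar_encrypt(plaintext, shift), rails)


def product_decrypt(ciphertext: str, shift: int, rails: int) -> str:
    return caesar_decrypt(rail_fence_decrypt(ciphertext, rails), shift)


def otp_encrypt(message: bytes, pad: bytes) -> bytes:
    """One-time pad: XOR with a random pad exactly as long as the message.
    The same call decrypts. The pad must be random and never reused."""
    if len(pad) != len(message):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(m ^ k for m, k in zip(message, pad))


if __name__ == "__main__":
    for row in caesar_table("block"):            # reproduces the table above
        print(*row)
    print(caesar_encrypt("block"))               # EORFN
    print(rail_fence_encrypt("meetmeafterthetogaparty", 2))  # constructed sample
    pad = secrets.token_bytes(5)                 # fresh random pad, used once
    print(otp_encrypt(otp_encrypt(b"block", pad), pad))     # b'block'
```

Running the file prints the five rows of the marking scheme's table and "EORFN"; the rail fence and product cipher round-trip through their decrypt functions, and the one-time pad call applied twice with the same pad returns the original bytes.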

Q3 i. Name the keys used for the encryption and decryption processes in
Symmetric and Asymmetric Encryption. (04 Marks)
Symmetric Encryption
Encryption process: Secret key 01 mark
Decryption process: Secret key 01 mark

Asymmetric Encryption
Encryption: public key 01 mark
Decryption: private key 01 mark

ii. Name four methods used for distribution of Public Keys. (04 Marks)
– public announcement
– publicly available directory
– public-key authority
– public-key certificates
01 mark for one method x4

iii. Lahiru and Raj are two friends who have obtained public key
algorithms from a key distribution centre. Each of them has a
public key known by everyone and a private key known only
to himself. Mention which key they should use in the following situations: (08 Marks)
a) Raj wants to encrypt a message using Asymmetric
Encryption and send it to Lahiru.
b) Raj wants to include a digital signature for the message.
c) Lahiru wants to decrypt the cipher text he received from
Raj using asymmetric encryption.
d) Lahiru wants to verify the digital signature of the message
he has received from Raj.
a) Raj wants to encrypt the message using Asymmetric Encryption:
Lahiru's public key 02 marks
b) Raj wants to include a digital signature for the message:
Raj's private key 02 marks
c) Lahiru wants to decrypt the cipher text he received:
Lahiru's private key 02 marks
d) Lahiru wants to verify the digital signature of the message he has received:
Raj's public key 02 marks

iv. Why is message authentication important? Give three reasons. (03 Marks)
message authentication is concerned with:
• protecting the integrity of a message
• validating the identity of the originator
• non-repudiation of origin (dispute resolution)
01 mark for one reason x3
v. Compare and contrast hash function and Message
Authentication Code (MAC). (06 Marks)
Hash function                       MAC
Assures integrity of information    Assures integrity of information
Not reversible                      Not reversible
Does not need a key to use          Needs a key
01 mark for 1 point x6

(25 Marks)
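Added example (not part of the marking scheme): the three points of the hash-versus-MAC comparison in Q3 v shown with the Python standard library, using SHA-256 as the hash function and HMAC-SHA256 as the MAC. The message, the altered message and the demo key are constructed for illustration; the two "detects deliberate change" functions are my own framing of why a keyless hash sent alongside a message does not, on its own, give message authentication.

```python
# Added example (not part of the marking scheme): unkeyed hash beside keyed MAC.
# Sample message, altered message and key below are constructed for illustration.
import hashlib
import hmac

SAMPLE_MESSAGE = b"pay 100 to account 42"     # constructed
ALTERED_MESSAGE = b"pay 900 to account 42"    # constructed: the attacker's change


def digest(message: bytes) -> str:
    """Unkeyed hash (SHA-256). Assures integrity against accidental change and
    is not reversible, but needs no key, so anyone can compute it."""
    return hashlib.sha256(message).hexdigest()


def mac(key: bytes, message: bytes) -> str:
    """Keyed MAC (HMAC-SHA256). Same integrity and one-way properties, but only
    a holder of the key can compute a valid tag."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, tag: str) -> bool:
    # constant-time comparison so the check does not leak how many bytes matched
    return hmac.compare_digest(mac(key, message), tag)


def hash_detects_deliberate_change() -> bool:
    """The sender transmits (message, hash). An attacker who rewrites the
    message recomputes the hash as well, so the receiver's check passes and
    the change goes unnoticed: this returns False."""
    received_message, received_hash = ALTERED_MESSAGE, digest(ALTERED_MESSAGE)
    return digest(received_message) != received_hash


def mac_detects_deliberate_change(key: bytes) -> bool:
    """The sender transmits (message, MAC). The attacker can rewrite the
    message but cannot compute a tag for it without the key, so the receiver's
    verification fails: this returns True."""
    tag = mac(key, SAMPLE_MESSAGE)                    # computed by the sender
    return not verify_mac(key, ALTERED_MESSAGE, tag)  # attacker keeps old tag


def small_change_changes_digest() -> bool:
    """Both functions are one-way: a one-character change in the input gives
    an unrelated fixed-length output, so nothing about the input can be read
    back from the digest."""
    a, b = digest(b"message"), digest(b"messagf")
    return a != b and len(a) == len(b) == 64


if __name__ == "__main__":
    key = b"\x0b" * 32                               # constructed demo key
    print(hash_detects_deliberate_change())          # False
    print(mac_detects_deliberate_change(key))        # True
```

The test values used to check the two primitives are the published SHA-256 digest of "abc" and HMAC-SHA256 test case 2 from RFC 4231 (key "Jefe"), which is how a practitioner confirms a MAC implementation before trusting it.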

Q4 i. State four protection features for databases. (04 Marks)
a. Two phase update
b. Redundancy control
c. Concurrency control
d. Monitor
01 mark x4

ii. Describe "Intruder" in terms of an information system, giving
three examples of different types of intruders. (06 Marks)
An intruder is an unauthorized user of an information system.
Intruders are generally classified into the following categories
based on their behaviour with the system:
• Masquerader
• Misfeasor
• Clandestine user
For the description 03 marks; one example 01 mark x3

iii. A multi-level database is a specially designed database to
enhance security of data. Give three factors that should be
considered in designing multi-level databases. (03 Marks)
Efficiency
Flexibility
Simplicity
Trustworthiness
Any 3: one mark for each x3

iv. State three implementation mechanisms for multi-level
databases. (06 Marks)
Partitioning
Encryption
Integrity locks
Sensitivity locks
Any three: 02 marks x3

v. "Program security is equally important as data and database
security measures in software applications." Critically discuss the
above statement. (06 Marks)
Data and database security deals with the data stored in the
database and the tools and procedures available in the
database management system to manipulate the stored data.
Measures designed to secure the data and the paths used to access it and
perform transactions are very important. At the same time, it is
equally important to protect the data while it is being used by
the application program, during processing. Program security
measures are exclusively designed to handle protection of data
while they are being processed by the front end application
program.

(25 Marks)

Q5 Write short notes on any five topics from the following list. (05 Marks x 5)
i. Limitations of firewalls
cannot protect from attacks bypassing it
eg sneaker net, utility modems, trusted organisations, trusted
services (eg SSL/SSH)
cannot protect against internal threats
eg disgruntled or colluding employees
cannot protect against transfer of all virus infected programs
or files, because of the huge range of O/S & file types
or any relevant answer
05 marks

ii. Password Security
Password protection is one of the basic methods used for data
authentication. A password confirms whether a particular user is who
he/she really claims to be. But hackers and crackers have different
ways of capturing or guessing passwords and breaking the protection
provided by them. A good password usually has a high work factor and
is hence difficult to crack. Users should be educated about and made aware of
good passwords and their characteristics to enhance password security.
or any relevant answer
05 marks

iii. Honey Pots
These are decoy systems to lure attackers
a. away from accessing critical systems
b. to collect information on their activities
c. to encourage the attacker to stay on the system so the
administrator can respond
Honey pots are filled with fabricated information and instrumented to
collect detailed information on attackers' activities.
Single or multiple networked systems
or any relevant answer
05 marks

iv. Stateful Inspection Firewall
• traditional packet filters do not examine higher layer context
• ie matching return packets with outgoing flow
• stateful packet filters address this need
• they examine each IP packet in context
• keep track of client-server sessions
• check each packet validly belongs to one
• hence are better able to detect bogus packets out of context
or any relevant answer
05 marks
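Added example (not part of the marking scheme): a minimal stateless packet filter beside a stateful one, run over constructed sample packets, to show concretely what "examine each packet in context" and "detect bogus packets out of context" mean. The two filter classes, the packet layout, and the addresses and ports are my own simplifications (real connection tracking also follows the full TCP handshake and teardown and times sessions out); only the contrast itself comes from the short note above.

```python
# Added example (not part of the marking scheme): stateless vs stateful filter.
# Addresses, ports and the packet layout are constructed for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str        # "out" = from an inside host, "in" = from outside
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # TCP flags present, e.g. {"SYN"} or {"SYN", "ACK"}


class StatelessFilter:
    """Traditional packet filter: each packet is judged on its own header.
    Letting replies back in needs a rule like 'inbound TCP with ACK set',
    which any packet can satisfy just by having the bit set."""

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            return True
        return "ACK" in pkt.flags


class StatefulFilter:
    """Stateful inspection: remembers client-server sessions opened from the
    inside and admits an inbound packet only if it belongs to one of them."""

    def __init__(self):
        self.sessions = set()   # (client, cport, server, sport) tuples

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if "SYN" in pkt.flags:          # a client opening a new session
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)   # reverse of the flow
        if key not in self.sessions:
            return False                    # out of context: no such session
        if pkt.flags & {"FIN", "RST"}:      # simplified teardown: forget it
            self.sessions.discard(key)
        return True


def run_filter(filt, packets):
    """Return the allow (True) / deny (False) decision for each packet in order."""
    return [filt.allow(p) for p in packets]


# Constructed sample traffic: one legitimate HTTPS session, one forged reply,
# and a packet that arrives after the session has been closed.
SAMPLE_PACKETS = [
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 443, frozenset({"SYN"})),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"SYN", "ACK"})),
    Packet("in", "203.0.113.9", 443, "10.0.0.5", 40001, frozenset({"ACK"})),  # bogus
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"FIN", "ACK"})),
    Packet("in", "198.51.100.7", 443, "10.0.0.5", 40000, frozenset({"ACK"})),  # after close
]


if __name__ == "__main__":
    print(run_filter(StatelessFilter(), SAMPLE_PACKETS))  # [True, True, True, True, True]
    print(run_filter(StatefulFilter(), SAMPLE_PACKETS))   # [True, True, False, True, False]
```

The stateless filter admits the forged packet and the post-close packet because both carry ACK; the stateful filter rejects them because neither matches a session it saw opened from the inside.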

v. Buffer Overflow
A buffer is a temporary data store used by programmers to store
data within software applications to enhance application
performance and avoid database overheads. The size of the buffer is
sometimes predefined and sometimes not. In some cases, when the
buffer size is not pre-defined, intruders or attackers can use the unused
buffers for malicious purposes. This is called a buffer overflow attack.
or any relevant answer
05 marks

vi. Information Security Policy
A comprehensive document prepared by all the users of
information systems in the organization. The consent and the
collaboration of higher management and all the organizational
stakeholders should be given to this document. All of the security
mechanisms and services used in the organization and the
application controls used are stated in the policy document. This should
be distributed to all organizational members, who should be educated to
follow it strictly.
or any relevant answer
05 marks

vii. Role Based Access Control
The model of controlling access using the job descriptions of the
members of the organization. Different user accounts and privileges
are given to users based on the rights designated to them by the job
description.
or any relevant answer
05 marks

viii. Design principles for trusted operating systems
o Least privilege - User, Program
o Economy of mechanism - Design of the protection should be small, simple
o Open design - Potential attackers
o Complete mediation - Permission based (default condition for denial of access)
o Separation of privilege - More than one condition
o Authentication plus a cryptographic key
or any relevant answer
05 marks
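Added example (not part of the marking scheme): a small role based access control check (note vii) built on the design principles in note viii. Every request goes through one function (complete mediation) that denies unless one of the user's roles grants the permission (default denial, least privilege), and the most sensitive action additionally requires a verified second factor (separation of privilege: more than one condition). The role names, users, permission strings and the choice of which action needs two conditions are constructed for illustration.

```python
# Added example (not part of the marking scheme): RBAC with default deny and
# a two-condition rule. Roles, users and permissions are constructed.
from dataclasses import dataclass

# Permissions are attached to job roles, not to individual people.
ROLE_PERMISSIONS = {
    "clerk":   {"invoice:read", "invoice:create"},
    "auditor": {"invoice:read", "ledger:read"},
    "finance": {"invoice:read", "invoice:approve", "payment:issue"},
}

# Actions that need the role permission plus a verified second factor.
TWO_CONDITION_ACTIONS = {"payment:issue"}


@dataclass
class Session:
    user: str
    roles: frozenset
    second_factor_verified: bool = False


def permissions_for(roles) -> set:
    """Union of what the user's roles grant; an unknown role grants nothing."""
    granted = set()
    for role in roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return granted


def authorize(session: Session, action: str) -> bool:
    """The single mediation point: every access decision passes through here,
    and the default outcome is denial."""
    if action not in permissions_for(session.roles):
        return False                           # least privilege: role lacks it
    if action in TWO_CONDITION_ACTIONS and not session.second_factor_verified:
        return False                           # separation of privilege
    return True


def access_matrix(sessions, actions):
    """Decision for every (user, action) pair; useful when reviewing whether a
    role grants more than the job description needs."""
    return {(s.user, a): authorize(s, a) for s in sessions for a in actions}


if __name__ == "__main__":
    clerk = Session("amara", frozenset({"clerk"}))
    finance = Session("nimal", frozenset({"finance"}), second_factor_verified=True)
    print(authorize(clerk, "invoice:create"))   # True
    print(authorize(clerk, "payment:issue"))    # False: the role does not grant it
    print(authorize(finance, "payment:issue"))  # True: role plus second factor
```

Because permissions hang off roles rather than accounts, changing what a job may do means editing one entry in ROLE_PERMISSIONS rather than every user, which is the practical reason the model is used.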

(25 Marks)
