CS3273 24B Midterm

The document outlines the structure and rules for the CS3273 2023-24 Semester B Midterm exam, including the time allowed, total marks, and examination conditions. It consists of multiple-choice questions and analysis questions related to encryption schemes, security principles, and access control. The exam assesses knowledge of cryptography, data security, and programming issues in a closed-book format.

CS3273 2023-24 Sem B

Midterm
NOTE:
• Time allowed: 120 mins. Total marks: 20 marks towards the final grade.
• This is a closed-book examination. No materials or aids (such as calculators) are allowed.
• The question papers will NOT be graded. Write ALL answers on the answer papers.
• Write your name and ID on ALL answer papers.

1. Multiple Choices [5 marks]


(1) [1 mark] Which encryption scheme uses a key that is as long as the plaintext and provides perfect secrecy if used correctly?
A. One-time pad
B. Stream cipher
C. AES-ECB
D. AES-CBC
(2) [1 mark] What are the primary purposes of a Message Authentication Code (MAC)?
A. Data confidentiality
B. Data integrity
C. Data authenticity
(3) [1 mark] Which of the following statements about Diffie-Hellman key exchange are true?
A. Diffie-Hellman key exchange is designed to protect data confidentiality in the presence of man-in-the-middle attackers.
B. Diffie-Hellman key exchange allows two parties to establish a shared secret over an insecure channel.
C. Diffie-Hellman key exchange provides authentication of the communicating parties.
D. Diffie-Hellman key exchange requires the use of digital certificates.
(4) [1 mark] Consider the following data table, where Age and Gender are QID, and Disease is the sensitive attribute. Which statements are TRUE?

Age              Gender    Disease
20 < Age < 30    Female    Cancer
20 < Age < 30    Female    Viral infection
20 < Age < 30    Female    Tuberculosis
20 < Age < 30    Male      Heart-related
20 < Age < 30    Female    Tuberculosis
Age <= 20        Male      Cancer
20 < Age < 30    Male      Heart-related
Age <= 20        Male      Heart-related
Age <= 20        Male      Viral infection

A. The data is 4-anonymous.
B. The data is 2-anonymous.
C. The data is 3-diverse.
D. The data is 1-diverse.
(5) [1 mark] Which of the following statements about access control lists and capabilities are TRUE?
A. Access control list relies on a list of permissions attached to an object to determine access rights.
B. Access control list requires authentication to mitigate the confused deputy problem.
C. Capability does not perform authentication and therefore has the confused deputy problem.
D. In discretionary access control (DAC), the owners typically have the authority to determine who can access their resources.
E. Mandatory access control (MAC) relies on security labels assigned by system administrators and therefore is more difficult to implement than DAC.

2. Analysis [15 marks]


(1) [2 marks] A company hired an intern who is responsible for downloading and analyzing data from a database. The company grants this intern both read and write access to the database containing the relevant data. Please explain what security principle this company violates and suggest a rectification.
(2) [3 marks] The following diagrams are the encryption diagrams of the CBC and CTR modes of a block cipher. Compare them in terms of the following aspects.
a. Encryption/decryption efficiency.
b. Impact of block loss on decryption.
c. Impact of key and nonce/IV reuse.
(2) [1 mark] Alice uses the following Python code to sign data. Identify the problem with the code and suggest a correction.
from Crypto.PublicKey import RSA
from Crypto.Hash import SHA256
from Crypto.Signature import pkcs1_15

data = b'To be signed'
PK = RSA.import_key(open("rsa_public_key.bin", "rb").read())
h = SHA256.new(data)
sig = pkcs1_15.new(PK).sign(h)

(3) [2 marks] The following code implements a hybrid encryption scheme that encrypts a data file and stores the result in another file.
from Crypto.Cipher import AES, PKCS1_OAEP
from Crypto.PublicKey import RSA
from Crypto.Random import get_random_bytes

aes_key = get_random_bytes(16)
rsa_public_key = RSA.import_key(open("rsa_public_key.bin", "rb").read())
rsa_enc = PKCS1_OAEP.new(rsa_public_key)
aes_cipher = AES.new(aes_key, AES.MODE_ECB)
file = open("aes_key.bin", "wb")
file.write(aes_cipher.encrypt(rsa_public_key))
file.close()
plaintext = b"012345678"*80000
file = open("ciphertext.bin", "wb")
file.write(rsa_enc.encrypt(plaintext))
file.close()
a. Briefly explain the idea of hybrid encryption.
b. Identify the problems with the code and suggest a correction.

(4) [2 marks] Is TLS secure against the following attacks? Please explain your answers.

(a) A man-in-the-middle attacker who knows the public key of the server
(b) A man-in-the-middle attacker who has stolen the private key of the certificate authority.

(5) [1 mark]

(6) [1 mark]

(7) [2 marks]

(8) [2 marks] The following table shows the access control list of a UNIX filesystem. a.out is an executable program which reads and writes files allowed by the access control policy.

Permission        Owner    Group       File
-rwx--x---   7    Alice    CS      …   a.out
-rwx------   1    Alice    CS      …   a.txt
-r--------   1    Bob      CS      …   b.txt

a. [1 mark] Write a chmod command for Bob to change the permission of b.txt, such that b.txt can be read, written, and executed by all users, and the setuid bit is set.
b. [1 mark] Is it possible for Bob to know the content of a.txt and why?

------------------------ END ------------------------
