
SS ZG513 (EC-2 Regular) Second Semester 2009-2010 Page 1 of 2

Birla Institute of Technology & Science, Pilani


Work-Integrated Learning Programmes Division
Second Semester 2009-2010

Comprehensive Examination
(EC-2 Regular)

Course No. : SS ZG513
Course Title : NETWORK SECURITY
Nature of Exam : Open Book
Weightage : 60%
Duration : 3 Hours
Date of Exam : 03/04/2010 (FN)
Note:
1. Please follow all the Instructions to Candidates given on the cover page of the answer book.
2. All parts of a question should be answered consecutively. Each answer should start from a fresh page.
3. Mobile phones and computers of any kind should not be used inside the examination hall.
4. Use of any unfair means will result in severe disciplinary action.

Q.1. Consider a situation where cryptography is used in virtual elections.
Computerized voting is likely to become quite common in the next few decades. In this
system, each voter casts his vote virtually and sends it to the Election
Authority (EA).

(a). Suppose you are assigned the task of designing a secure system for
virtual voting. What security properties would you want to provide? [5]
(b). Consider the following protocol.
i. Each voter casts the vote and encrypts it with the public key of the EA
ii. Each voter sends the encrypted vote to the EA.
iii. The EA decrypts all the votes to retrieve the original vote, tabulates all
the votes, and announces the result of the election.
What are the merits and demerits of this protocol? [5]
(c). Write a secure protocol that will overcome the demerits in part (b) and
preserve the merits. [10]

Q.2. The purpose of the following protocol is to distribute securely a session key K_s to
A and B. KDC is the Key Distribution Centre. K_a and K_b are shared keys between
KDC and A and B respectively. [10]

1. A → KDC: ID_A || ID_B || N_1
2. KDC → A: E(K_a, [K_s || ID_B || N_1 || E(K_b, [K_s || ID_A])])
3. A → B: E(K_b, [K_s || ID_A])
4. B → A: E(K_s, N_2)
5. A → B: E(K_s, f(N_2))

(a). Explain each step in terms of what its purpose is and how it achieves it.
(b). What are the flaws of this protocol? How can the protocol be improved to
overcome them?
No. of Pages = 2
No. of Questions = 6



Q.3. How does SET protect a customer's payment information from the merchant and
still allow the merchant to present the credit card information to the payment
gateway? [5]
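The mechanism behind this question is SET's dual signature: the customer hashes the order information (OI) and the payment information (PI) separately, signs the hash of the two digests together, and then gives each party only its own plaintext plus the other party's digest. The block below is an added illustration, not part of the exam paper and not SET's own code; the order and card strings are constructed sample data, and an HMAC under a single customer key stands in for the RSA signature that SET actually uses (so both verifiers here hold the same key, whereas in SET they would hold the customer's public key).

```python
import hashlib
import hmac

# Constructed sample data for the illustration (not from the exam paper).
ORDER_INFO = b"order=123;item=textbook;amount=45.00"
PAYMENT_INFO = b"card=4111-xxxx-xxxx-1111;exp=12/12;amount=45.00"
# Assumption: an HMAC key stands in for the customer's signing key.
CUSTOMER_SIGNING_KEY = b"customer-signing-key-stand-in"


def h(data: bytes) -> bytes:
    """Message digest used throughout the dual-signature construction."""
    return hashlib.sha256(data).digest()


def sign(key: bytes, digest: bytes) -> bytes:
    """Signature stand-in (HMAC); SET signs POMD with the customer's private key."""
    return hmac.new(key, digest, hashlib.sha256).digest()


def verify_sig(key: bytes, digest: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, digest), sig)


def make_dual_signature(oi: bytes, pi: bytes, key: bytes):
    """Customer side: build the merchant bundle and the payment-gateway bundle.

    OIMD = H(OI), PIMD = H(PI), POMD = H(PIMD || OIMD), DS = Sign(POMD).
    The merchant receives OI and only the digest of PI; the gateway receives
    PI and only the digest of OI. Both receive the same dual signature DS.
    """
    oimd, pimd = h(oi), h(pi)
    pomd = h(pimd + oimd)
    ds = sign(key, pomd)
    merchant_bundle = {"OI": oi, "PIMD": pimd, "DS": ds}
    gateway_bundle = {"PI": pi, "OIMD": oimd, "DS": ds}
    return merchant_bundle, gateway_bundle


def merchant_verify(bundle: dict, key: bytes) -> bool:
    """Merchant recomputes POMD from its own OI plus PIMD, never seeing PI."""
    pomd = h(bundle["PIMD"] + h(bundle["OI"]))
    return verify_sig(key, pomd, bundle["DS"])


def gateway_verify(bundle: dict, key: bytes) -> bool:
    """Gateway recomputes POMD from PI plus OIMD, never seeing OI."""
    pomd = h(h(bundle["PI"]) + bundle["OIMD"])
    return verify_sig(key, pomd, bundle["DS"])


if __name__ == "__main__":
    m, g = make_dual_signature(ORDER_INFO, PAYMENT_INFO, CUSTOMER_SIGNING_KEY)
    print("merchant verifies:", merchant_verify(m, CUSTOMER_SIGNING_KEY))
    print("gateway verifies: ", gateway_verify(g, CUSTOMER_SIGNING_KEY))
    print("merchant bundle holds PI plaintext:", "PI" in m)
```

Because the same DS covers both digests, the merchant can later forward PIMD and DS to the gateway and the gateway can confirm that the card details it holds belong to exactly this order, while the merchant itself never handled the card number. Changing either OI or PI after signing breaks the link, which the verifiers below detect.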

Q.4. Consider the following problems in regard to passwords. [10]

(a). Generally, systems don't store user passwords in clear text. What are the
problems if they are stored in clear text, and how are they
overcome?
(b). Consider a client-server architecture. Clients authenticate to the server by
providing a login and password. If the clients send the login and password to the
server, it is possible for an attacker to learn the password. One way to
overcome this problem is to let the server store the message digest of the
password and have the client always send the message digest of the password,
not the actual password. In this case, there is a possibility that an attacker
can capture the login and message digest by listening to the traffic and resend
them later to the server; the server will authenticate the attacker as well.
Propose a solution that will not allow such attacks. Clearly give the
justification.

Q.5. Assume a stateless packet-filter firewall is installed between an enterprise network
and the external Internet, for the purpose of protecting users on the enterprise
network. Explain which of the following attacks can be detected and mitigated
(to a significant degree) by the firewall. Justify your answer. [8]

(a). Port sweep: scanning multiple hosts for a specific listening port.
(b). SYN flooding: a form of denial-of-service attack in which an attacker sends
a succession of TCP SYN requests to a target system.
(c). Phishing: an attack in which users are asked to visit a known bad web site.
Phishing is the criminally fraudulent process of attempting to acquire
sensitive information such as usernames, passwords and credit card details
by masquerading as a trustworthy entity in an electronic communication.
(d). Viruses in incoming email addressed to enterprise users.

Q.6. Given the plaintext MESSAGE, compute the ciphertext for the following
algorithms with the specified keys. In all cases, map the alphabetic characters to
their numeric position in the alphabet (e.g., A=1, B=2, Z=26). [7]

(a). Caesar cipher with key = 8
(b). RSA cipher with block length 1 character and public key (3, 899)

*********
