
Information Security Technology Review Questions (Final Version)


1. In the movie Office Space, software developers attempt to modify company software so that for each financial transaction, any leftover fraction of a cent goes to the developers instead of to the company. The idea is that for any particular transaction nobody will notice the missing fraction of a cent, but over time the developers will accumulate a large sum of money. This type of attack is sometimes known as a salami attack. Now find a real-world example of a salami attack and explain how it works.

The most typical scheme portrayed by a salami attack is that which involves an automated modification to financial systems and their data. For example, the digits representing currency on a bank's computer(s) could be altered so that values to the right of the pennies field ( < 0.01 ) are always rounded down (fair arithmetic routines will calculate in both directions equally).


The essence of this mechanism is its resistance to detection. Account owners rarely calculate their balances to the thousandths or ten-thousandths of a cent and consequently remain oblivious. Even if the discrepancies are noticed, most individuals have better things to do (like preserving their pride) than complain about an erroneous digit in some far-off decimal place. The following (alleged) scenarios will demonstrate that "slices" need not always be tiny to evade detection. In fact, they can be rather large, as long as unsuspecting and/or ignorant victims are plentiful.

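As an added example (not from the page or the film), the following Python compares honest rounding with the salami-style "always round down" posting described above on a constructed batch of amounts, and shows the reconciliation check a defender can run: honest rounding leaves residues with no preferred sign, while skimmed postings leave residues that are never negative and whose total keeps growing.

```python
import random
from decimal import Decimal, ROUND_HALF_EVEN, ROUND_DOWN

CENT = Decimal("0.01")


def make_batch(n=1000, seed=20240101):
    """Constructed sample: n exact amounts with four decimal digits, i.e. fractions of a cent."""
    rng = random.Random(seed)
    return [Decimal(rng.randrange(1, 10_000_000)) / Decimal(10_000) for _ in range(n)]


def post_fair(amount):
    """Honest posting: nearest cent, ties to even, so the rounding error has no preferred direction."""
    return amount.quantize(CENT, rounding=ROUND_HALF_EVEN)


def post_skimmed(amount):
    """Salami-style posting: the customer's amount is always rounded down; the
    fraction that disappears here is what the attacker collects elsewhere."""
    return amount.quantize(CENT, rounding=ROUND_DOWN)


def rounding_audit(amounts, post):
    """Defender's reconciliation: residue = exact - posted for every transaction.
    Returns (total residue, share of residues that are >= 0).
    Honest rounding gives a total near zero and a share near 0.5;
    a share near 1.0 with a growing total is the salami signature."""
    residues = [amt - post(amt) for amt in amounts]
    total = sum(residues, Decimal("0"))
    share = sum(1 for r in residues if r >= 0) / len(residues)
    return total, share


if __name__ == "__main__":
    batch = make_batch()
    for name, post in (("fair", post_fair), ("skimmed", post_skimmed)):
        total, share = rounding_audit(batch, post)
        print(f"{name:8s} total residue = {total:+.4f}  share >= 0 = {share:.2f}")
```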

2. In the field of information security, Kerckhoffs' Principle is like motherhood and apple pie, all rolled up into one.

*Define Kerckhoffs' Principle in the context of cryptography.

(1) A cryptosystem should remain secure even if every detail of the system, except the key, is publicly known.

*Give a real-world example where Kerckhoffs' Principle has been violated.

Did this cause any security problem?


(2) ATMs use DES data encryption, which is a cryptographic system. Sometimes the password is not leaked, but criminals can still steal the money in the card once they know the cardholder's identity information and bank card number. The security problems in this case are: personal information leakage and loss of property.

3. Among the fundamental challenges in information security are confidentiality, integrity, and availability, or CIA.

A. Define each of these terms: confidentiality, integrity, availability.

B. Give a concrete example where confidentiality is more important than integrity.

C. Give a concrete example where integrity is more important than confidentiality.

D. Give a concrete example where availability is the overriding concern.

Answer:

A. Confidentiality means that information with a certain degree of secrecy can be read and changed only by authorized persons; integrity means preventing, or at least detecting, unauthorized changes to information; availability means that the legitimate owners and users of information can access it whenever they need it.

B.The document about State secrets.

C.Test scores.

D. An e-commerce site. To avoid service interruptions, which damage both the users' and the site's own interests, availability is the most important.


4. Suppose that we have a computer that can test 2^40 keys each second.

*What is the expected time (in years) to find a key by exhaustive search if the keyspace is of size 2^88?

*What is the expected time (in years) to find a key by exhaustive search if the keyspace is of size 2^112?

*What is the expected time (in years) to find a key by exhaustive search if the keyspace is of size 2^256?

Answer: (1) 2^88 / 2^40 = 2^48 seconds; 2^48 / (60*60*24*365) = 8.923*10^6 years

(2) 2^112 / 2^40 = 2^72 seconds; 2^72 / (60*60*24*365) = 1.497*10^6 years

(3) 2^256 / 2^40 = 2^216 seconds; 2^216 / (60*60*24*365) = 3.339*10^57 years

5. Give four strong passwords derived from the passphrase "Gentlemen do not read other gentlemen's mail." and describe how to derive your answer from the passphrase.

6. Give four strong passwords derived from the passphrase "Are you who you say you are?" and describe how to derive your answer from the passphrase.

Answer:

Construct four strong passwords from "Are you who you say you are" and explain how they were built, for example 1Re@NwNs1yNA. This question calls for your own original answer.

A strong password is at least 8 characters long, does not contain all or part of the user's account name, does not contain a complete word, and contains characters from at least three of the following four classes: uppercase letters, lowercase letters, digits, and keyboard symbols (such as !, @, #).
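As an added example (not the page's own code), here is a Python checker for the policy just stated. The minimum length, the three-of-four character classes and the complete-word check follow the page; the "part of the account name" rule is interpreted here, as an assumption, as any run of three or more consecutive characters of the account name, and the word list is a small constructed one.

```python
import re

# Character classes from the policy above: at least three of the four must appear.
CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed mini word list; a real deployment would load a full dictionary.
DICTIONARY = {"gentlemen", "read", "other", "mail", "password", "welcome", "admin"}


def contains_account_name(password, username, min_run=3):
    """Assumption: 'part of the account name' means any run of min_run or more
    consecutive characters of the account name, compared case-insensitively."""
    pw, user = password.lower(), username.lower()
    return any(user[i:i + min_run] in pw for i in range(len(user) - min_run + 1))


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append("only %s present (need 3 of 4 classes)" % ", ".join(present))
    if username and contains_account_name(password, username):
        problems.append("contains part of the account name")
    words = sorted(w for w in DICTIONARY if w in password.lower())
    if words:
        problems.append("contains complete word(s): " + ", ".join(words))
    return problems


if __name__ == "__main__":
    # The first candidate is the page's sample; the others are constructed weak ones.
    for candidate in ("1Re@NwNs1yNA", "gentlemen1", "xxALIce42!y"):
        print(candidate, "->", check_password(candidate, "alice") or "OK")
```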

7. For each of the following passwords, give two passphrases that the password could have been derived from.

A: PokeGCTall
B: 4s&7vrsa
C: gimmeliborD
D: IcntgetNOsat

For example:

A. PokeGCTall

Person or kids end Good Cat Tall

Play on kid Great Cool Top are like like

8.Consider the ciphertext FALSZ ZTYSY JZYJK YWJRZ TYJZT YYNAR YJKYS WARZT YEGYY J, which was generated using an affine cipher with parameter a=7 and b=22. Decipher the message please.

Encryption: E(m) = (a·m + b) mod 26

Decryption: D(c) = a^-1 (c - b) mod 26 = 7^-1 (c - 22) mod 26 = 15 (c - 22) mod 26, since 7·15 = 105 = 4·26 + 1.

So the affine cipher maps the letters as follows (index, plaintext, ciphertext):

Index:      0 1 2 3 4 5 6 7 8 9 10 11 12
Plaintext:  A B C D E F G H I J K  L  M
Ciphertext: W D K R Y F M T A H O  V  C

Index:      13 14 15 16 17 18 19 20 21 22 23 24 25
Plaintext:  N  O  P  Q  R  S  T  U  V  W  X  Y  Z
Ciphertext: J  Q  X  E  L  S  Z  G  N  U  B  I  P

Ciphertext: FALSZ ZTYSY JZYJK YWJRZ TYJZT YYNAR YJKYS WARZT YEGYY J

Plaintext: first the sentence and then the evidence said the queen.

9. Consider the ciphertext QJKES REOGH GXXRE OXEO, which was generated using an affine cipher. Determine the constants a and b and decipher the message. Hint: plaintext "t" encrypts to ciphertext "H" and plaintext "o" encrypts to ciphertext "E".

Encryption: C = (a·p + b) mod 26, where a and b are constants, p is the plaintext letter and C is the ciphertext letter.

From the hint, t (19) encrypts to H (7) and o (14) encrypts to E (4), so 19a + b ≡ 7 and 14a + b ≡ 4 (mod 26). Subtracting gives 5a ≡ 3 (mod 26); since 5^-1 mod 26 = 21, a ≡ 63 ≡ 11, and then b ≡ 7 - 19·11 ≡ 6 (mod 26).

So a = 11, b = 6

Decryption: D(c) = a^-1 (c - b) mod 26 = 11^-1 (c - 6) mod 26 = 19 (c - 6) mod 26

Ciphertext: QJKES REOGH GXXRE OXEO

Plaintext: If you bow at all bow low.

Index:      0 1 2 3 4 5 6 7 8 9 10 11 12
Plaintext:  a b c d e f g h i j k  l  m
Ciphertext: G R C N Y J U F Q B M  X  I

Index:      13 14 15 16 17 18 19 20 21 22 23 24 25
Plaintext:  n  o  p  q  r  s  t  u  v  w  x  y  z
Ciphertext: T  E  P  A  L  W  H  S  D  O  Z  K  V
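An added example (not from the original page) implementing questions 8 and 9 in Python: affine encryption and decryption with the formulas above, and recovery of a and b from two known plaintext/ciphertext letter pairs, which also rejects pairs that do not determine the key.

```python
import string
from math import gcd

ALPHABET = string.ascii_uppercase   # A=0 ... Z=25, the index row of the tables above
M = 26


def affine_encrypt(plaintext, a, b):
    """E(m) = (a*m + b) mod 26 letter by letter; anything that is not a letter is dropped."""
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % M]
                   for ch in plaintext.upper() if ch in ALPHABET)


def affine_decrypt(ciphertext, a, b):
    """D(c) = a^-1 (c - b) mod 26; pow(a, -1, 26) is the modular inverse (Python 3.8+)."""
    a_inv = pow(a, -1, M)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % M]
                   for ch in ciphertext.upper() if ch in ALPHABET).lower()


def solve_affine_key(pair1, pair2):
    """Recover (a, b) from two known (plaintext letter, ciphertext letter) pairs, as in
    question 9: from p1*a + b = c1 and p2*a + b = c2 (mod 26) we get
    a = (c1 - c2) * (p1 - p2)^-1 and b = c1 - a*p1. Two plaintext letters whose
    difference is not invertible mod 26 (e.g. an even difference) do not determine a."""
    (p1, c1), (p2, c2) = [(ALPHABET.index(p.upper()), ALPHABET.index(c.upper()))
                          for p, c in (pair1, pair2)]
    if gcd((p1 - p2) % M, M) != 1:
        raise ValueError("plaintext letters do not determine a: difference not invertible mod 26")
    a = ((c1 - c2) * pow((p1 - p2) % M, -1, M)) % M
    if gcd(a, M) != 1:
        raise ValueError("inconsistent pairs: recovered a has no inverse mod 26")
    return a, (c1 - a * p1) % M


def key_table(a, b):
    """Plaintext -> ciphertext letter mapping for the whole alphabet (the tables above)."""
    return {p: affine_encrypt(p, a, b) for p in ALPHABET}


if __name__ == "__main__":
    print(affine_decrypt("FALSZ ZTYSY JZYJK YWJRZ TYJZT YYNAR YJKYS WARZT YEGYY J", 7, 22))
    a, b = solve_affine_key(("t", "H"), ("o", "E"))
    print(a, b, affine_decrypt("QJKES REOGH GXXRE OXEO", a, b))
```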

10. Please give three examples of authentication based on "something you know", "something you have" and "something you are".

a. Password authentication (something you know)

b. A security token or a smart card (something you have)

c. Biometric authentication, such as fingerprint scanning, face scanning, iris recognition or voice recognition (something you are)


11. Two-factor authentication requires that two of the three authentication methods (something you know, something you have, something you are) be used. Give two examples from everyday life where two-factor authentication is used. Which two of the three are used?

Answer:

1. Using a bank card to withdraw money at an ATM. The bank card is something you have and the password (PIN) is something you know.

2. Using an ID card and the admission notice to verify identity when entering the university. The ID card and the admission notice are something you have, and the person themselves is something you are.


First example: an ATM card, where the user must hold the card and know the PIN; "something you have" and "something you know" are used with ATM cards. Another example of two-factor authentication is a credit card with a handwritten signature; "something you have" and "something you are" are used in this method.

12. RFID tags are extremely small devices capable of broadcasting a number over the air that can be read by a nearby sensor. RFID tags are used for tracking inventory, and they have many other potential uses. For example, RFID tags are used in passports, and it has been suggested that they should be put into paper money to prevent counterfeiting. In the future, a person might be surrounded by a cloud of RFID numbers that would provide a great deal of information about the person.

*Discuss some privacy concerns related to the widespread use of RFID tags.

*Discuss security issues, other than privacy, that might arise due to the widespread use of RFID tags.

Answer: (1) Illegal reading of information; location tracking.

(2) Interference with the correct reception of information; counterfeiting.

1. Illegal reading of information: RFID tags offer a way to read information about customers illegally.

Location tracking: RFID tags could be used to track people's movements, determine their identities or make inferences about their habits.

2. Denial of service: deliberate signal interference prevents a legitimate reader from reading the tag data properly.

Replay: by eavesdropping on the data communication between the reader and the tag, an attacker repeats an earlier exchange in order to obtain the data.

13.Decrypt the following message that was encrypted using a simple substitution cipher: WB WI KJB MK RMIT BMIQ BJ RASHMWK RMVP YJERYRKB

MKD WBI IWOKWXWVMKVR MKD IJYR YNIB URYMWK

NKRASHMWKRD BJ OWER M VJYSHRBR RASHMKMBWJK JKR

CJNHD PMER BJLR FNMHWXWRD MKD WKISWURD BJ INVP

MK RABRKB BPMB PR VJNHD URMVP

BPR IBMBR JX

RKHWOPBRKRD YWKD VMSMLHR JX URVJOKWGWKO

IJNKDHRII IJNKD MKD IPMSRHRII IPMSR W DJ KJB DRRY

YRIRHX BPR XWKMH MNBPJL WBT LNB YT RASRL WRKVR

CWBP QMBM PMI HRXB KJ DJNLB BPMB BPR XJHHJCWKO WI

BPR SUJSRU MSSHWVMBWJK MKD WKBRUSURBMBWJK W

JXXRU YT BPRJUWRI WK BPR PJSR BPMB BPR RIIRKVR JX

JQWKMCMK QMUMBR CWHH URYMWK WKBMVB
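The page gives no answer for question 13. As an added example, this Python block orders the ciphertext letters by frequency (the starting point for breaking a simple substitution, since the most common ciphertext letter usually stands for E) and applies a substitution key. The KEY string is the one recovered by hand from those frequencies and common short words (IT, IS, AND, THE); it is not from the page.

```python
import string
from collections import Counter

# Ciphertext of question 13, copied from the page with its word spacing.
CIPHERTEXT = " ".join([
    "WB WI KJB MK RMIT BMIQ BJ RASHMWK RMVP YJERYRKB",
    "MKD WBI IWOKWXWVMKVR MKD IJYR YNIB URYMWK",
    "NKRASHMWKRD BJ OWER M VJYSHRBR RASHMKMBWJK JKR",
    "CJNHD PMER BJLR FNMHWXWRD MKD WKISWURD BJ INVP",
    "MK RABRKB BPMB PR VJNHD URMVP",
    "BPR IBMBR JX",
    "RKHWOPBRKRD YWKD VMSMLHR JX URVJOKWGWKO",
    "IJNKDHRII IJNKD MKD IPMSRHRII IPMSR W DJ KJB DRRY",
    "YRIRHX BPR XWKMH MNBPJL WBT LNB YT RASRL WRKVR",
    "CWBP QMBM PMI HRXB KJ DJNLB BPMB BPR XJHHJCWKO WI",
    "BPR SUJSRU MSSHWVMBWJK MKD WKBRUSURBMBWJK W",
    "JXXRU YT BPRJUWRI WK BPR PJSR BPMB BPR RIIRKVR JX",
    "JQWKMCMK QMUMBR CWHH URYMWK WKBMVB",
])

# Key recovered by hand: position i holds the plaintext letter for ciphertext letter
# chr(ord('A') + i). Ciphertext Z never occurs, so its plaintext (J) is fixed by elimination.
KEY = "XTWDVQZLSONBAUGHKEPYRCIFMJ"


def letter_frequencies(text):
    """Ciphertext letters ordered from most to least frequent (first clue for the key)."""
    counts = Counter(ch for ch in text if ch in string.ascii_uppercase)
    return [ch for ch, _ in counts.most_common()]


def decrypt(text, key):
    """Apply a 26-letter substitution key; spaces and other characters pass through."""
    return text.translate(str.maketrans(string.ascii_uppercase, key))


def solve_question_13():
    return decrypt(CIPHERTEXT, KEY)


if __name__ == "__main__":
    print("most frequent ciphertext letters:", "".join(letter_frequencies(CIPHERTEXT)[:6]))
    print(solve_question_13())
```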

14. This problem deals with digital signatures.

*Precisely how is a digital signature computed and verified?

*Show that a digital signature provides integrity protection.

*Show that a digital signature provides non-repudiation.

Answer:

1. When sending a message, the sender uses a hash function to generate a message digest from the message text and then encrypts the digest with his private key. The encrypted digest is sent to the receiver as the digital signature together with the message. The receiver uses the same hash function to compute the message digest from the received message, then uses the sender's public key to decrypt the attached digital signature. If the two digests are the same, the receiver can confirm that the digital signature is the sender's.

2. Using the hash algorithm ensures that once the message is changed or replaced, even if only one bit of data has changed, the digest changes. This protects the integrity and authenticity of the message.

3. Because only the sender has the private key, it cannot deny that the electronic file was sent by it.


Computing: The sender of a message uses a hash function to generate the message digest (hash value) from the message text. The sender encrypts the hash value with its own private key. Then the encrypted hash value is sent to the receiver as an attachment to the message.

Verifying: The receiver computes the message digest of the received message using the same hash function as the sender, then uses the sender's public key to decrypt the digital signature attached to the message. If the two hash values are the same, the receiver can confirm that the digital signature is the sender's. The identification of the original
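As an added example, not from the page, the following Python shows the compute/verify procedure above with a toy RSA key (constructed, far too small for real use): the SHA-256 digest is raised to the private exponent to sign and to the public exponent to verify, a changed message fails verification (integrity), and a signature computed without the correct private exponent fails under the sender's public key (non-repudiation).

```python
import hashlib

# Toy RSA key, constructed for illustration only (real keys are 2048 bits or more).
P, Q = 1000003, 999983
N = P * Q                            # public modulus
E = 65537                            # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, known only to the sender


def digest(message: bytes) -> int:
    """Step 1: hash the message. The digest is reduced mod N only because the toy
    modulus is tiny; real schemes pad the digest (e.g. PSS) instead of reducing it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes, private_exponent: int = D) -> int:
    """Step 2: the sender 'encrypts' the digest with the private key: s = h^d mod N."""
    return pow(digest(message), private_exponent, N)


def verify(message: bytes, signature: int, public_exponent: int = E) -> bool:
    """Receiver: recompute the digest and compare it with s^e mod N (public-key operation)."""
    return pow(signature, public_exponent, N) == digest(message)


def demo():
    """Returns (genuine signature ok, tampered message ok, wrong-key signature ok)."""
    message = b"pay 100 to Bob"             # constructed sample message
    signature = sign(message)
    tampered = b"pay 900 to Bob"            # integrity: one changed byte changes the digest
    forged = sign(message, D + 1)           # non-repudiation: without D the signature fails
    return verify(message, signature), verify(tampered, signature), verify(message, forged)


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```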
