
 CSCU9Y7 – Computer Security

1. (a) Route ciphers and substitution ciphers aim to encrypt a message with two different goals.

(i) What are these goals and how does each type of cipher achieve them?

(ii) Show how you would encrypt the following message with a columnar cipher using the key: south

taking four steps to the north

(iii) Show how your answer to (i) is supported by the cipher text you produced above.

(b) A colleague has recommended switching your company’s account verification process to a pure biometric approach. You are not convinced this is an ideal method.

Discuss the problems of biometric authentication and why it requires an often difficult balancing act.

Ideally, what form of authentication process should you use for:

  • A public discussion forum that enables moderated comments to be added to published articles.

  • A web-based on-line banking system.

Justify each of your answers and describe the advantages and disadvantages of your chosen approaches.


(c) You have been asked to help redesign the account registration and subsequent login process for an online banking system. To register for the current system, the user enters an email address that will be used as their specific user ID. A 5-character computer-generated password is then emailed to this address in a message that contains a link back to the registration system. The page presented to the user after clicking this link asks the user to enter the password, after which the registration process is completed. The system database stores the email address and password such that if a user forgets their password, they can request that the password be emailed to their registered email address again.

The designers of this system said they decided to use this registration approach to prove that a user had access to a particular email address and that it allowed users to easily retrieve their password if they had forgotten it.

When the user subsequently logs in to the system, they type their username and password into a single login page. This information is then sent via HTTP to the bank’s web server where it is compared directly with the information stored in the database. If the details match, the user is able to view their banking details and manage their financial transactions. If the details do not match, they are prompted to log in again and this process is repeated until a successful match is made.

(i) Identify four security flaws in the above design and indicate how the flaws might be exploited to break into this system or another system that a user may have registered with.

(ii) Describe in detail an alternative high security design for the registration and subsequent login process that protects against the flaws you identified above. Ensure that you describe what each stage of your registration and login process is intended to achieve and how it will prevent relevant exploits. Note that your description should cover detail down to the level of how and why you might use ‘salts’ and the relevant processes involved. Please break down the description as follows:

    1. External Registration: User interaction with the web site during registration.

    2. Internal Registration: What happens internally in the system when the registration data has been collected.

    3. External Login: User interaction with the web site during login.

    4. Internal Login: What happens internally in the system when the login data has been collected.
