The University of Adelaide 阿德莱德大学
COMP SCI 1500 - Cyber Security

Question 1 – Cryptography

1. Study the three encryption methods given below and their weaknesses.

2. Solve the following three exercises, in each case your task is to recover the plaintext.

• Mono-alphabetic substitution: You are given a ciphertext “ex1.enc” encrypted using the mono-

alphabetic substitution method. Hint: the key is a mapping of 26 plaintext English characters to

26 ciphertext English characters.

• Poly-alphabetic shift (Vigenère cipher): You are given a ciphertext “ex2.enc” encrypted using

the poly-alphabetic shift method. Hint: the key consists of 4 English characters, and the

plaintext contains the name of the day of the week.

• Textbook RSA: You are given (1) Python3 script “textbook_rsa.py” which contains functions

related to the Textbook RSA encryption scheme (2) RSA public key “rsa_key.pub” (3)

Ciphertext “ex3.enc” encrypted using the given RSA public key. Hint: the plaintext consists of

only 3 English characters.

3. Write a report on how you solved those exercises and the weaknesses you exploited. If you

cannot recover the plaintext, explain what method you have tried and why you couldn't recover

them (for example, if it is infeasible due to computing resources). A report that contains only

plaintexts without further explanation will not be marked.

4. Tips about how I would go about doing this activity: I would familiarize myself with frequency

analysis and cryptanalysis based on the validity of English words. Study the given Python script

and write some scripts to check your understanding regarding the rsa_keygen(), rsa_encrypt()

and rsa_decrypt() functions – you may need to use some of this code. Then, solve the exercises.

Finally, explain how you tried to solve those exercises, what methods or techniques you used,

plaintexts (and keys, if possible) that you recovered. Include the information in the report and

submit to Canvas.

Question 2 - Common Vulnerability Scoring System

The Common Vulnerability Scoring System is a method of objectively scoring security vulnerabilities so

that their severity can be assessed, understood and compared.

Read this explanation of CVSS -> https://www.first.org/cvss/specification-document

Given the following hypothetical vulnerability, apply the CVSS v.3.1 or v.4 scoring system to get a CVSS

base score and CVSS base vector string. Referencing the description of the hypothetical vulnerability

below, describe why you have chosen each of the fields in the vector string.

A remote vulnerability has been discovered in the BitMessage desktop messaging application

which allows an unauthenticated person to delete a BitMessage message of their victim. The

attacker can trigger this vulnerability by sending a BitMessage message to the victim

containing the text 'deletemessage?message=2' where '2' is the message ID. When the

desktop application receives this message any message matching the specified message ID is

deleted. There is no indication to the victim that anything has happened and the application

continues to operate, the victims message just disappears permanently.

Hint: You might want make use of this link to generate the base score and vector string-->

https://www.first.org/cvss/calculator/3.1

https://www.first.org/cvss/calculator/4.0

Question 3 - Risk Management

a) The risk of security incidents can be managed in one of four different ways. Risk can be mitigated,

transferred, avoided or accepted. Describe what each of these strategies entail and describe how the

risk is modified by applying each approach.

b) The NIST Cyber Security Management Framework segments security management activities into 5

functions: Identify, Protect, Detect, Respond and Recover

Describe each of these functions, their purpose and describe an example of a security activity typically

performed for each of these functions.