CS166 Section 02, Fall 2014
Assignment 01
Due: Thursday, September 4th

** Read Chapter 1 (from the manuscript) and work the following problems.  Cite all sources you use to formulate your answers.

1) Among the fundamental challenges in information security are confidentiality, integrity, and availability, or CIA.
a) Define each of these terms: confidentiality, integrity, availability.
b) Give a concrete example where confidentiality is more important than integrity.
c) Give a concrete example where integrity is more important than confidentiality.
d) Give a concrete example where availability is the overriding concern.
2) When you want to authenticate yourself to your computer, most likely you type in your username and password. The username is considered public knowledge, so it is the password that authenticates you. Your password is something you know.
a) It is also possible to authenticate based on something you are, that is, a physical characteristic. Such a characteristic is known as a biometric. Give an example of biometric-based authentication.
b) It is also possible to authenticate based on something you have, that is, something in your possession. Give an example of authentication based on something you have.
c) Two-factor authentication requires that two of the three authentication methods (something you know, something you have, something you are) be used. Give an example from everyday life where two-factor authentication is used. Which two of the three are used?
12) CAPTCHAs are often used in an attempt to restrict access to humans (as opposed to automated processes).
a) Give a real-world example where you were required to solve a CAPTCHA to gain access to some resource. What do you have to do to solve the CAPTCHA?
b) Discuss various technical methods that might be used to break the CAPTCHA you described in part a.
c) Outline a non-technical method that might be used to attack the CAPTCHA from part a.
d) How effective is the CAPTCHA in part a? How user-friendly is the CAPTCHA?
13) Suppose that a particular security protocol is well designed and secure. However, there is a fairly common situation where insufficient information is available to complete the security protocol. In such cases, the protocol fails and, ideally, a transaction between the participants, say, Alice and Bob, should not be allowed to occur. However, in the real world, protocol designers must decide how to handle cases where protocols fail. As a practical matter, both security and convenience must be considered. Comment on the relative merits of each of the following solutions to protocol failure. Be sure to consider both the relative security and user-friendliness of each.
a) When the protocol fails, a brief warning is given to Alice and Bob, but the transaction continues as if the protocol had succeeded, without any intervention required from either Alice or Bob.
b) When the protocol fails, a warning is given to Alice and she decides (by clicking a checkbox) whether the transaction should continue or not.
c) When the protocol fails, a notification is given to Alice and Bob and the transaction terminates.
d) When the protocol fails, the transaction terminates with no explanation given to Alice or Bob.
16) Malware is software that is intentionally malicious, in the sense that it is designed to do damage or break the security of a system. Malware comes in many familiar varieties, including viruses, worms, and Trojans.
a) Has your computer ever been infected with malware? If so, what did the malware do and how did you get rid of the problem? If not, why have you been so lucky?
b) In the past, most malware was designed to annoy users. Today, it is often claimed that most malware is written for profit. How could malware possibly be profitable?

End of Document