
Objective Questions

1. A session symmetric key between two parties is used:
a. only once b. twice
c. multiple times d. depends on situation

2. Encryption and decryption provide secrecy, or confidentiality, but not
a. Authentication b. Integrity
c. Keys d. Frames

3. The requirement that a sender must not be able to deny sending a message that he or she, in fact, did send is known
as:
a. Message Nonrepudiation b. Message Integrity
c. Message Confidentiality d. Message Sending

4. Programs that attach themselves to legitimate programs on the victim’s machine are called
_____.
a. root kits b. Trojan horses
c. viruses d. worms

5. Message authentication is a service beyond _____.
a. Message Confidentiality b. Message Integrity
c. Message Splashing d. Message Sending

6. A system or product that provides encryption and decryption is referred to as a _________.
a. Plaintext b. Algorithm
c. cryptology d. cryptosystem

7. __________ is a range of values that can be used to construct a key.
a. algorithm b. keyspace
c. key d. variable

8. A cryptosystem consists of:
a. Software, algorithms, protocols, and keys
b. PGP
c. An algorithm used for encryption and decryption
d. Software used for testing the security of applications

9. Cryptanalysis is:
a. The practice of analyzing secret codes but not breaking them
b. The technique used by forensic investigators to trace the source of malware infection
c. The science related to research and development of cryptography
d. The practice of breaking cryptic systems

10. _____________________ uses two instances of the same key while encrypting and
decrypting messages.
a. Scytale b. Symmetric Cryptography
c. Asymmetric Cryptography d. SSL

11. In Network Security, CIA stands for:
a. Confidentiality, integrity, and availability
b. Central Investigation Agency
c. Confidentiality, Intelligence, and Accountability
d. Ciphers, Initiation Vectors, Algorithms

12. Examples of asymmetric key algorithms are:
a. Diffie Hellman, RSA and El-Gamal b. RC4, RC5, and RC6
c. DES, 3DES, and AES d. MD4, MD5, and MD6

13. Rootkits are a type of ____________________.
a. Virus b. Worm
c. Trojan Horse d. None of above

14. An attempt to make a computer resource unavailable to its intended users is called:
a) denial-of-service attack b) virus attack
c) worms attack d) botnet process

15. In cryptography, what is a cipher?
a) algorithm for performing encryption and decryption
b) encrypted message
c) both (a) and (b)
d) none of the mentioned

16. In asymmetric key cryptography, the private key is kept by
a) sender b) receiver
c) sender and receiver d) all the connected devices

17. Cryptanalysis is used
a) to find some insecurity in a cryptographic scheme b) to increase the speed
c) to encrypt the data d) none of the mentioned

18. In computer security, ……………………. means that computer system assets can be modified
only by authorized parties.
a) Confidentiality b) Integrity
c) Availability d) Authenticity

19. In computer security, ……………………. means that the information in a computer system is
only accessible for reading by authorized parties.
a) Confidentiality b) Integrity
c) Availability d) Authenticity

20. Which of the following is an independent malicious program that does not need any host program?
a) Trap doors b) Trojan horse
c) Virus d) Worm

21. A __________ is anything that can cause harm.
a) vulnerability b) phish
c) threat d) spoof

22. A hacker contacts you by phone or email and attempts to acquire your password.
a) spoofing b) phishing
c) spamming d) bugging

23. The phrase __________ describes viruses, worms, Trojan horse attack applets, and attack
scripts.
a) malware b) spam
c) phish d) virus

24. Hackers often gain entry to a network by pretending to be at a legitimate computer.
a) spoofing b) forging
c) IP spoofing d) ID theft

25. Message confidentiality is achieved using
a) Cipher Text b) Cipher
c) Symmetric-Key d) Asymmetric-Key

26. The first encryption standard was ______.
a. DES b. AES
c. IDEA d. 3DES

27. ________ involves hiding the existence of a message.
a. Cryptography b. Steganography
c. Cryptology d. Hashing

28. The ______________ is code that recognizes some special sequence of input, or is triggered by
being run from a certain user ID or by an unlikely sequence of events.
a. Trap doors b. Trojan horse
c. Logic Bomb d. Virus

29. Which of the following malicious programs does not replicate automatically?
a. Trojan Horse b. Virus
c. Worm d. Zombie

30. Security protection for personal computers includes _______________
a. Internal components b. Locks & cables
c. Software d. All

31. Message authentication is a service beyond _____________________________
a. Message confidentiality b. Message integrity
c. Message splashing d. Message sending

32. A hash function guarantees that a message has not been _________________________
a. Replaced b. Overviewed
c. Violated d. Changed

33. ______ assures that information and programs are changed only in a specified and authorized
manner.
a. Data integrity b. System integrity
c. Availability d. Data confidentiality

34. The DES algorithm requires a _____ key and a _____ plaintext block.
a. 56 bit, 64 bit b. 64 bit, 64 bit
c. 64 bit, 56 bit d. None of above

35. Any action that compromises the security of information owned by an organization is known
as _______.
a. Security attack b. Security mechanism
c. Security services d. All above

36. If the sender and receiver use different keys for the encryption and decryption
process, it is referred to as ____.
a. asymmetric encryption b. Symmetric encryption
c. transposition encryption d. none of above

37. A ______ attack attempts to learn or make use of information from the system but does not
affect system resources.
a. Active attacks b. Passive attack
c. Symmetric attack d. Asymmetric attack

38. The ________ is the encrypted message before transformation.
a) Cipher text
b) Plaintext
c) Secret-text
d) None of the above

39. The _______ is a number or a set of numbers on which the cipher operates.
a) Cipher
b) Secret
c) Key
d) None of the above

40. A modern cipher is usually a complex _____ cipher made of a combination of different
simple ciphers.
a) Round
b) Circle
c) Square
d) None of the above

41. DES is a(n) ________ method adopted by the U.S. government.
a) Symmetric key
b) Asymmetric key
c) Either (a) or (b)
d) Neither (a) nor (b)

42. What is the most significant difference between a symmetric and an asymmetric
cryptosystem?
a) The key distribution.
b) The mode of operation.
c) The strength against attacks.
d) None of the above.

43. The _________ attack can endanger the security of the Diffie-Hellman method if two parties
are not authenticated to each other.
a) man-in-the-middle
b) ciphertext attack
c) plaintext attack
d) none of the above

After Mid

A hash function guarantees the integrity of a message. It guarantees that a message has
not been ______.
a. Replaced b. Overviewed
c. Changed d. Left

The standard used in digital certificates that defines its structure, fields, and values
is ____.
a. X.509 b. Kerberos
c. Cryptography d. PKI

Diffie Hellman is an example of _____________ key algorithms.
a. Symmetric b. Asymmetric
c. Scytale d. Enigma

A hash value encrypted by the sender’s private key is ______________
a. AES b. Digital signature
c. DES d. 3DES algorithms

One of the protocols that provides security at the application layer is
a. Pretty Good Privacy b. Handshake Protocol
c. Alert Protocols d. Record Protocol

In end-to-end encryption:
a. only the header is encrypted, not the payload
b. Packets do not need to be decrypted and then encrypted at each hop
c. Only decryption takes place at each hop
d. The data link and physical layers are involved

Key management is a practice that requires:
a. Choosing a key that is extremely random and the algorithm should use
the full range of the key-space
b. Labeling keys so that they are not lost or stolen
c. Returning the key to the CA after it has completed its lifetime
d. At least two senior officers of the company to issue and maintain a record of the
keys

A mathematical function that is easier to compute in one direction than in the other
direction, and forms the basis for all asymmetric algorithms, is called a(n):
a. One-Way Function
b. Two Way Function
c. A mathematical function used in cryptanalysis
d. A technique used by forensic experts to lock all hard disk sectors of a computer

The practice of choosing a key that is extremely random, so that the algorithm uses
the full range of the key-space, is called ______________________.
a. Cipher management b. Key combination
c. Key management d. None of above

A digital signature is best described as:
a. An electronic verification system used for transactional integrity in banking
b. A hash value encrypted by the sender’s private key
c. An electronic verification system used for encryption and hashing
d. A hash value encrypted with the DES, 3DES, or AES algorithms

Pretty good privacy (PGP) is used in
a) browser security b) email security
c) FTP security d) none of the mentioned

In Message Confidentiality, the transmitted message must make sense only to the
intended
a. Receiver b. Sender
c. Modulor d. Translator

Digital signature cannot provide ________ for the message.
a. integrity b. confidentiality
c. nonrepudiation d. authentication

A(n) _________ can be used to preserve the integrity of a document or a message.
a. message digest b. message summary
c. encrypted message d. none of the above

A digital signature needs a(n) _________ system.
a. symmetric-key b. asymmetric-key
c. either (a) or (b) d. neither (a) nor (b)

Subjective Questions
Define the following terms:
Malicious Code
Denial of Service Attack
Malware
Spyware

Discuss the strength of a cryptosystem on the basis of different parameters.

Explain the important security goals (CIA) and the foundations of IT security.

Define asymmetric cryptography. What are the attributes that make asymmetric
cryptography so powerful? Also write its strengths and weaknesses.

What is the difference between a block cipher and a stream cipher? Also write the
characteristics of a strong stream cipher.

Describe the anatomy of a hack.

Briefly describe cryptography.

After Mid

Q. Discuss the strength of a cryptosystem on the basis of different parameters.

Q. Define symmetric cryptography. What are the attributes that make
symmetric cryptography so powerful? Also write its strengths and weaknesses.

Q. What is the Difference between block cipher and stream cipher?

Q. Explain different types of Trojan Horses and Rootkits in detail.

Q. What are the categories of security services? Briefly explain them.


Q. Explain the ECB and CBC operation modes for block ciphers.

Q. What Is the Difference Between Public Key Cryptography and Public Key
Infrastructure?

Q. Explain “Public Key Cryptography” and explain the “RSA Algorithm” with the help of
an example.

Q. What is DES? How does it work?

Q. What is e-mail security? What are the different protocols for e-mail security? Explain
PGP for e-mail security with its operation mode. Describe the use of S/MIME also.

Q. Explain the important security goals (CIA).

Q. Briefly explain the term triple DES. Why are multiple DES encryptions genuinely
stronger than a single DES encryption?

Q. Briefly describe the principles behind the construction of the AES S-box.

What is the X.509 standard?

PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard.
In cryptography, X.509 is an ITU-T standard for a public key infrastructure (PKI) and Privilege Management
Infrastructure (PMI). X.509 specifies, amongst other things, standard formats for public key certificates,
certificate revocation lists, attribute certificates, and a certification path validation algorithm.
The standard for how the CA creates the certificate is X.509, which dictates the different fields used in the
certificate and the valid values that can populate those fields.
We are currently at version 4 of this standard, which is often denoted as X.509v4. Many cryptographic protocols
use this type of certificate, including SSL.

The certificate includes the serial number, version number, identity information, algorithm information, lifetime
dates, and the signature of the issuing authority.

Define and discuss various components of PKI infrastructure.


The comprehensive system required to provide public-key encryption and digital signature services is known as a
public-key infrastructure. The purpose of a public-key infrastructure is to manage keys and certificates. By
managing keys and certificates through a PKI, an organization establishes and maintains a trustworthy
networking environment. A PKI enables the use of encryption and digital signature services across a wide variety
of applications.
A PKI may be made up of the following entities and functions:
• CA (Certificate Authority)
• RA (Registration Authority)
• Certificate repository
• Certificate revocation system
• Key backup and recovery system
• Automatic key update and management of key histories
• Timestamping
• Client-side software
The detail of each component is as follows:
1. CA (Certificate Authority)
A CA is a trusted organization (or server) that maintains and issues digital certificates. When a person requests a
certificate, the registration authority (RA) verifies that individual’s identity and passes the certificate request off
to the CA.
The CA constructs the certificate, signs it, sends it to the requester, and maintains the certificate over its
lifetime.
When another person wants to communicate with this person, the CA will basically vouch for that person’s
identity.
2. RA (Registration authority)
The registration authority (RA) performs the certification registration duties. The RA establishes and confirms
the identity of an individual, initiates the certification process with a CA on behalf of an end user, and performs
certificate life-cycle management functions.
The RA cannot issue certificates, but can act as a broker between the user and the CA. When users need new
certificates, they make requests to the RA, and the RA verifies all necessary identification information before
allowing a request to go to the CA.
3. Certificate repository
Certificate repositories store certificates so that applications can retrieve them on behalf of users. The term
repository refers to a network service that allows for distribution of certificates. Over the past few years, the
consensus in the information technology industry is that the best technology for certificate repositories is
provided by directory systems that are LDAP (Lightweight Directory Access Protocol)-compliant.
4. Certificate revocation system
Certificates that are no longer trustworthy must be revoked by the CA. There are numerous reasons why a
certificate may need to be revoked prior to the end of its validity period. For instance, the private key (that is,
either the signing key or the decryption key) corresponding to the public key in the certificate may be
compromised. Alternatively, an organization’s security policy may dictate that the certificates of employees
leaving the organization must be revoked. In these situations, users in the system must be informed that
continued use of the certificate is no longer considered secure. The revocation status of a certificate must be
checked prior to each use. As a result, a PKI must incorporate a scalable certificate revocation system. The CA
must be able to securely publish information regarding the status of each certificate in the system. Application
software, on behalf of users, must then verify the revocation information prior to each use of a certificate. The
combination of publishing and consistently using certificate revocation information constitutes a complete
revocation system.
CRL: The most popular means for distributing certificate revocation information is for the CA to create secure
certificate revocation lists (CRLs) and publish these CRLs to a directory system. CRLs specify the unique serial
numbers of all revoked certificates. Prior to using a certificate, the client-side application must check the
appropriate CRL to determine if the certificate is still trustworthy. Client-side applications must check for
revoked certificates consistently and transparently on behalf of users.
5. Key backup and recovery system
To ensure users are protected against loss of data, the PKI must support a system for backup and recovery of
decryption keys. With respect to administrative costs, it is unacceptable for each application to provide its own
key backup and recovery. Instead, all PKI-enabled client applications should interact with a single key backup
and recovery system. The interactions between the client-side software and the key backup and recovery
system must be secure, and the interaction method must be consistent across all PKI-enabled applications.
6. Key update and management of key histories:
Cryptographic key pairs should not be used forever. They must be updated over time. As a result, every
organization needs to consider two important issues: updating users’ key pairs, and maintaining, where
appropriate, the history of previous key pairs.
Updating users’ key pairs: The process of updating key pairs should be transparent to users. This transparency
means users do not have to understand that key update needs to take place, and they will never experience a
“denial of service” because their keys are no longer valid. To ensure transparency and prevent denial of service,
users’ key pairs must be automatically updated before they expire.
Maintaining histories of key pairs: When encryption key pairs are updated, the history of previous decryption
keys must be maintained. This “key history” allows users to access any of their prior decryption keys to decrypt
data. (When data is encrypted with a user’s encryption key, only the corresponding decryption key, the paired
key, can be used for decrypting.) To ensure transparency, the client-side software must automatically manage
users’ histories of decryption keys.
7. Timestamping
Trusted timestamping is the process of securely keeping track of the creation and modification time of a
document. Security here means that no one, not even the owner of the document, should be able to change
it once it has been recorded, provided that the timestamper’s integrity is never compromised.
The administrative aspect involves setting up a publicly available, trusted timestamp management infrastructure
to collect, process and renew timestamps.
8. Client-side software
A consistent, easy-to-use PKI implementation within client-side software lowers PKI operating costs. In addition,
client-side software must be technologically enabled to support all of the elements of a PKI discussed earlier in
this paper. The following list summarizes the requirements client-side software must meet to ensure that users
in a business receive a usable, transparent (and thus, acceptable) PKI.
9. Support for Non-repudiation
Repudiation occurs when an individual denies involvement in a transaction. (For instance, when someone claims
a credit card is stolen, this means that he or she is repudiating liability for transactions that occur with that card
any time after reporting the theft).

Non-repudiation means that an individual cannot successfully deny involvement in a transaction. In the paper
world, individuals’ signatures legally bind them to their transactions (for example, credit card charges, business
contracts …). The signature prevents repudiation of those transactions. In the electronic world, the replacement
for the pen-based signature is a digital signature. All types of electronic commerce require digital signatures
because electronic commerce makes traditional pen-based signatures obsolete.
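
The revocation check described under component 4 above (publish a CRL, check it before every use of a certificate), as an added example that is not part of the original notes: a small Python model of a certificate, a CRL with its thisUpdate/nextUpdate window, and a status check that fails closed. Names, dates and serial numbers are constructed; verification of the CA's signature on the CRL is assumed to have happened before this function runs and is not modelled here.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Certificate:
    serial: int           # unique per issuer; CRL entries name certificates by serial
    subject: str
    issuer: str
    not_before: datetime  # the "lifetime dates" fields of an X.509 certificate
    not_after: datetime


@dataclass(frozen=True)
class CRL:
    issuer: str           # the CA that signed this list (signature assumed already verified)
    this_update: datetime
    next_update: datetime  # after this the list is stale and must not be relied upon
    revoked_serials: frozenset


def certificate_status(cert: Certificate, crl: CRL, now: datetime) -> str:
    """Return "good" or the reason the certificate must not be used right now.
    Fails closed: if revocation status cannot be determined, the result is not "good"."""
    if now < cert.not_before or now > cert.not_after:
        return "outside-validity-period"
    if crl.issuer != cert.issuer:
        return "crl-issuer-mismatch"      # a CRL only speaks for certificates its own CA issued
    if now < crl.this_update or now > crl.next_update:
        return "crl-stale"                # status unknown: fetch a fresh CRL, do not trust
    if cert.serial in crl.revoked_serials:
        return "revoked"
    return "good"


# Constructed sample data (not from any real CA).
UTC = timezone.utc
CA = "CN=Example Issuing CA"
ALICE = Certificate(1001, "CN=alice", CA,
                    datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
BOB = Certificate(1002, "CN=bob", CA,
                  datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC))
# Weekly CRL published 1 June 2024; Bob's private key was reported compromised, so 1002 is listed.
CRL_JUNE = CRL(CA, datetime(2024, 6, 1, tzinfo=UTC), datetime(2024, 6, 8, tzinfo=UTC),
               frozenset({1002}))
OTHER_CA_CRL = CRL("CN=Other CA", CRL_JUNE.this_update, CRL_JUNE.next_update, frozenset())
MID_JUNE = datetime(2024, 6, 3, tzinfo=UTC)


def demo() -> dict:
    """Run the check over the sample data at several points in time."""
    return {
        "alice": certificate_status(ALICE, CRL_JUNE, MID_JUNE),
        "bob": certificate_status(BOB, CRL_JUNE, MID_JUNE),
        "alice_wrong_crl": certificate_status(ALICE, OTHER_CA_CRL, MID_JUNE),
        "alice_stale_crl": certificate_status(ALICE, CRL_JUNE, datetime(2024, 7, 1, tzinfo=UTC)),
        "alice_expired": certificate_status(ALICE, CRL_JUNE, datetime(2025, 3, 1, tzinfo=UTC)),
    }
```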

What are the attributes that make symmetric cryptography so powerful? Also give
the limitations of using symmetric key cryptography.
Symmetric Cryptography
• In a cryptosystem that uses symmetric cryptography, the sender and receiver use two instances of the same
key for encryption and decryption, as shown in the Figure.
• So, the key has dual functionality, in that it can carry out both encryption and decryption processes.

Attributes that make it so Powerful
• Much faster (less computationally intensive) than asymmetric systems
• Hard to break if using a large key size
• It is relatively inexpensive to produce a strong key for these ciphers.
• The keys tend to be much smaller for the level of protection they afford.
• The algorithms are relatively inexpensive to process

Therefore, implementing symmetric cryptography (particularly with hardware) can be highly effective because
you do not experience any significant time delay because of the encryption and decryption. Symmetric
cryptography also provides a degree of authentication because data encrypted with one symmetric key cannot
be decrypted with any other symmetric key. Therefore, if the symmetric key is kept secret by the two parties
using it to encrypt communications, each party can be sure that it is communicating with the other as long as
the decrypted messages continue to make sense.
Limitations
• Secure key distribution
• Scalability
• Security services

• Symmetric cryptosystems have a key transportation problem. The secret key has to be transmitted to the
receiving system before the actual message is transmitted. Every means of electronic communication is
insecure, as it is impossible to guarantee that no one will be able to tap communication channels. So, the only
secure way of exchanging keys would be exchanging them in person.
• Each pair of users needs a unique key, so as the number of individuals increases, so does the number of keys,
possibly making key management overwhelming.
• Provides confidentiality but not authenticity or non-repudiation
• Cannot provide digital signatures that cannot be repudiated.

What is an asymmetric key algorithm?

Symmetric vs. asymmetric algorithms:
When using symmetric algorithms, both parties share the same key for encryption and decryption. To provide privacy,
this key needs to be kept secret. Once somebody else gets to know the key, it is not safe anymore. Symmetric
algorithms have the advantage of not consuming too much computing power. A few well-known examples are:
DES, Triple-DES (3DES), IDEA, CAST5, BLOWFISH, TWOFISH.

Asymmetric algorithms use pairs of keys. One is used for encryption and the other one for decryption. The
decryption key is typically kept secret, and is therefore called the ``private key'' or ``secret key'', while the encryption key
is distributed to all who might want to send encrypted messages, and is therefore called the ``public key''. Everybody having the
public key is able to send encrypted messages to the owner of the secret key. The secret key can't be reconstructed
from the public key. The idea of asymmetric algorithms was first published in 1976 by Diffie and Hellman.

Strengths & Weaknesses of Asymmetric Encryption

Strengths
• Better key distribution than symmetric systems
• Better scalability than symmetric systems
• Can provide authentication and nonrepudiation

Weaknesses
• Works much more slowly than symmetric systems
• Mathematically intensive tasks

Q. Explain the important security goals (CIA).
Q. Define symmetric cryptography. What are the attributes that make symmetric cryptography so
powerful? Also write its strengths and weaknesses.
Q. What is the difference between a block cipher and a stream cipher?
Q. Define the following terms:
a) Denial of Service
b) Man-in-the-middle attack
c) Steganography

Q. Explain the ECB and CBC operation modes for block ciphers.


Q. What is the difference between public key cryptography and public key infrastructure?
Q. Explain the working of the “RSA Algorithm” with the help of an example.

Q. What is DES? How does it work? Also write the key differences between DES and AES.
Q. What is e-mail security? What are the different protocols for e-mail security?
Q. Define and discuss the various components of a PKI.
Q. Differentiate between cryptography and cryptanalysis; also explain cryptosystems (classical and
modern).
Q. Define and explain symmetric and asymmetric key cryptography.
Q. Explain the AES algorithm in detail.
Q. Discuss stream ciphers and explain them with RC4.
Q. What is message authentication? Explain.
Q. Explain the key management system in detail.
Q. Describe the working and implementation of Pretty Good Privacy, MIME and S/MIME.
Write the difference between the following terms:
1) Active attack and passive attack
2) Symmetric and asymmetric cryptography
3) Authentication and authorization

Q. What is the difference between a monoalphabetic cipher and a polyalphabetic cipher?
Q. Discuss the different types of security issues, including physical security issues and personal security
issues, in detail.
Q. Explain the concept of the digital signature and discuss the significance of the digital signature.
Q. Define key management and explain the Diffie-Hellman key exchange.
Q. Describe hash functions and their collision properties.
