Cryptography and Network Security
Principles and Practice – 8th Edition
UV
SOLUTIONS
IA
_A
MANUAL
PP
William Stallings
RO
Comprehensive Solutions Manual for Instructors
VE
and Students
D?
© William Stallings
??
All rights reserved. Reproduction or distribution without permission is prohibited.
??
©Medexcellence ✅��
, CHAPTER 1 INTRODUCTION
UV
ANSWERS TO QUESTIONS
1.1 The OSI Security Architecture is a framework that provides a systematic
way of defining the requirements for security and characterizing the
IA
approaches to satisfying those requirements. The document defines
security attacks, mechanisms, and services, and the relationships
among these categories.
_A
1.2 Passive attacks: release of message contents and traffic analysis.
Active attacks: masquerade, replay, modification of messages, and
denial of service.
1.3 Authentication: The assurance that the communicating entity is the
PP
one that it claims to be.
Access control: The prevention of unauthorized use of a resource (i.e.,
this service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are
allowed to do).
RO
Data confidentiality: The protection of data from unauthorized
disclosure.
Data integrity: The assurance that data received are exactly as sent by
an authorized entity (i.e., contain no modification, insertion, deletion, or
replay).
VE
Nonrepudiation: Provides protection against denial by one of the
entities involved in a communication of having participated in all or part
of the communication.
Availability service: The property of a system or a system resource
being accessible and usable upon demand by an authorized system
D?
entity, according to performance specifications for the system (i.e., a
system is available if it provides services according to the system design
whenever users request them).
1.4 Cryptographic algorithms: Transform data between plaintext and
??
ciphertext.
Data integrity: Mechanisms used to assure the integrity of a data unit
or stream of data units.
Digital signature: Data appended to, or a cryptographic
??
transformation of, a data unit that allows a recipient of the data unit to
prove the source and integrity of the data unit and protect against
forgery.
-5-
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved. This material is protected under all copyright laws as they currently exist.
No portion of this material may be reproduced, in any form or by any means, without permission in writing from the publisher.
, Authentication exchange: A mechanism intended to ensure the
identity of an entity by means of information exchange.
Traffic padding: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.
Routing control: Enables selection of particular physically or logically
secure routes for certain data and allows routing changes, especially
UV
when a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain
properties of a data exchange.
Access control: A variety of mechanisms that enforce access rights to
resources.
IA
1.5 Keyless: Do not use any keys during cryptographic transformations.
Single-key: The result of a transformation are a function of the input
data and a single key, known as a secret key.
_A
Two-key: At various stages of the calculate two different but related
keys are used, referred to as private key and public key.
1.6 Communications security: Deals with the protection of
communications through the network, including measures to protect
PP
against both passive and active attacks.
Device security: Deals with the protection of network devices, such as
routers and switches, and end systems connected to the network, such
as client systems and servers.
RO
1.7 Trust: The willingness of a party to be vulnerable to the actions of
another party based on the expectation that the other will perform a
particular action important to the trustor, irrespective of the ability to
monitor or control that other party.
Trustworthiness: A characteristic of an entity that reflects the degree
VE
to which that entity is deserving of trust.
ANSWERS TO PROBLEMS
D?
1.1 The system must keep personal identification numbers confidential, both
in the host system and during transmission for a transaction. It must
protect the integrity of account records and of individual transactions.
Availability of the host system is important to the economic well being
??
of the bank, but not to its fiduciary responsibility. The availability of
individual teller machines is of less concern.
1.2 The system does not have high requirements for integrity on individual
??
transactions, as lasting damage will not be incurred by occasionally
losing a call or billing record. The integrity of control programs and
configuration records, however, is critical. Without these, the switching
-6-
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved. This material is protected under all copyright laws as they currently exist.
No portion of this material may be reproduced, in any form or by any means, without permission in writing from the publisher.
, function would be defeated and the most important attribute of all -
availability - would be compromised. A telephone switching system must
also preserve the confidentiality of individual calls, preventing one caller
from overhearing another.
1.3 a. The system will have to assure confidentiality if it is being used to
UV
publish corporate proprietary material.
b. The system will have to assure integrity if it is being used to laws or
regulations.
c. The system will have to assure availability if it is being used to publish
a daily paper.
IA
1.4 a. An organization managing public information on its web server
determines that there is no potential impact from a loss of
confidentiality (i.e., confidentiality requirements are not applicable), a
_A
moderate potential impact from a loss of integrity, and a moderate
potential impact from a loss of availability.
b. A law enforcement organization managing extremely sensitive
investigative information determines that the potential impact from a
loss of confidentiality is high, the potential impact from a loss of
PP
integrity is moderate, and the potential impact from a loss of
availability is moderate.
c. A financial organization managing routine administrative information
(not privacy-related information) determines that the potential impact
RO
from a loss of confidentiality is low, the potential impact from a loss of
integrity is low, and the potential impact from a loss of availability is
low.
d. The management within the contracting organization determines that:
(i) for the sensitive contract information, the potential impact from a
loss of confidentiality is moderate, the potential impact from a loss of
VE
integrity is moderate, and the potential impact from a loss of
availability is low; and (ii) for the routine administrative information
(non-privacy-related information), the potential impact from a loss of
confidentiality is low, the potential impact from a loss of integrity is
D?
low, and the potential impact from a loss of availability is low.
e. The management at the power plant determines that: (i) for the
sensor data being acquired by the SCADA system, there is no
potential impact from a loss of confidentiality, a high potential impact
from a loss of integrity, and a high potential impact from a loss of
??
availability; and (ii) for the administrative information being
processed by the system, there is a low potential impact from a loss
of confidentiality, a low potential impact from a loss of integrity, and a
low potential impact from a loss of availability. (Examples from FIPS
??
199.)
-7-
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved. This material is protected under all copyright laws as they currently exist.
No portion of this material may be reproduced, in any form or by any means, without permission in writing from the publisher.
Principles and Practice – 8th Edition
UV
SOLUTIONS
IA
_A
MANUAL
PP
William Stallings
RO
Comprehensive Solutions Manual for Instructors
VE
and Students
D?
© William Stallings
??
All rights reserved. Reproduction or distribution without permission is prohibited.
??
©Medexcellence ✅��
, CHAPTER 1 INTRODUCTION
UV
ANSWERS TO QUESTIONS
1.1 The OSI Security Architecture is a framework that provides a systematic
way of defining the requirements for security and characterizing the
IA
approaches to satisfying those requirements. The document defines
security attacks, mechanisms, and services, and the relationships
among these categories.
_A
1.2 Passive attacks: release of message contents and traffic analysis.
Active attacks: masquerade, replay, modification of messages, and
denial of service.
1.3 Authentication: The assurance that the communicating entity is the
PP
one that it claims to be.
Access control: The prevention of unauthorized use of a resource (i.e.,
this service controls who can have access to a resource, under what
conditions access can occur, and what those accessing the resource are
allowed to do).
RO
Data confidentiality: The protection of data from unauthorized
disclosure.
Data integrity: The assurance that data received are exactly as sent by
an authorized entity (i.e., contain no modification, insertion, deletion, or
replay).
VE
Nonrepudiation: Provides protection against denial by one of the
entities involved in a communication of having participated in all or part
of the communication.
Availability service: The property of a system or a system resource
being accessible and usable upon demand by an authorized system
D?
entity, according to performance specifications for the system (i.e., a
system is available if it provides services according to the system design
whenever users request them).
1.4 Cryptographic algorithms: Transform data between plaintext and
??
ciphertext.
Data integrity: Mechanisms used to assure the integrity of a data unit
or stream of data units.
Digital signature: Data appended to, or a cryptographic
??
transformation of, a data unit that allows a recipient of the data unit to
prove the source and integrity of the data unit and protect against
forgery.
-5-
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved. This material is protected under all copyright laws as they currently exist.
No portion of this material may be reproduced, in any form or by any means, without permission in writing from the publisher.
, Authentication exchange: A mechanism intended to ensure the
identity of an entity by means of information exchange.
Traffic padding: The insertion of bits into gaps in a data stream to
frustrate traffic analysis attempts.
Routing control: Enables selection of particular physically or logically
secure routes for certain data and allows routing changes, especially
UV
when a breach of security is suspected.
Notarization: The use of a trusted third party to assure certain
properties of a data exchange.
Access control: A variety of mechanisms that enforce access rights to
resources.
IA
1.5 Keyless: Do not use any keys during cryptographic transformations.
Single-key: The result of a transformation are a function of the input
data and a single key, known as a secret key.
_A
Two-key: At various stages of the calculate two different but related
keys are used, referred to as private key and public key.
1.6 Communications security: Deals with the protection of
communications through the network, including measures to protect
PP
against both passive and active attacks.
Device security: Deals with the protection of network devices, such as
routers and switches, and end systems connected to the network, such
as client systems and servers.
RO
1.7 Trust: The willingness of a party to be vulnerable to the actions of
another party based on the expectation that the other will perform a
particular action important to the trustor, irrespective of the ability to
monitor or control that other party.
Trustworthiness: A characteristic of an entity that reflects the degree
VE
to which that entity is deserving of trust.
ANSWERS TO PROBLEMS
D?
1.1 The system must keep personal identification numbers confidential, both
in the host system and during transmission for a transaction. It must
protect the integrity of account records and of individual transactions.
Availability of the host system is important to the economic well being
??
of the bank, but not to its fiduciary responsibility. The availability of
individual teller machines is of less concern.
1.2 The system does not have high requirements for integrity on individual
??
transactions, as lasting damage will not be incurred by occasionally
losing a call or billing record. The integrity of control programs and
configuration records, however, is critical. Without these, the switching
-6-
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved. This material is protected under all copyright laws as they currently exist.
No portion of this material may be reproduced, in any form or by any means, without permission in writing from the publisher.
, function would be defeated and the most important attribute of all -
availability - would be compromised. A telephone switching system must
also preserve the confidentiality of individual calls, preventing one caller
from overhearing another.
1.3 a. The system will have to assure confidentiality if it is being used to
UV
publish corporate proprietary material.
b. The system will have to assure integrity if it is being used to laws or
regulations.
c. The system will have to assure availability if it is being used to publish
a daily paper.
IA
1.4 a. An organization managing public information on its web server
determines that there is no potential impact from a loss of
confidentiality (i.e., confidentiality requirements are not applicable), a
_A
moderate potential impact from a loss of integrity, and a moderate
potential impact from a loss of availability.
b. A law enforcement organization managing extremely sensitive
investigative information determines that the potential impact from a
loss of confidentiality is high, the potential impact from a loss of
PP
integrity is moderate, and the potential impact from a loss of
availability is moderate.
c. A financial organization managing routine administrative information
(not privacy-related information) determines that the potential impact
RO
from a loss of confidentiality is low, the potential impact from a loss of
integrity is low, and the potential impact from a loss of availability is
low.
d. The management within the contracting organization determines that:
(i) for the sensitive contract information, the potential impact from a
loss of confidentiality is moderate, the potential impact from a loss of
VE
integrity is moderate, and the potential impact from a loss of
availability is low; and (ii) for the routine administrative information
(non-privacy-related information), the potential impact from a loss of
confidentiality is low, the potential impact from a loss of integrity is
D?
low, and the potential impact from a loss of availability is low.
e. The management at the power plant determines that: (i) for the
sensor data being acquired by the SCADA system, there is no
potential impact from a loss of confidentiality, a high potential impact
from a loss of integrity, and a high potential impact from a loss of
??
availability; and (ii) for the administrative information being
processed by the system, there is a low potential impact from a loss
of confidentiality, a low potential impact from a loss of integrity, and a
low potential impact from a loss of availability. (Examples from FIPS
??
199.)
-7-
© 2020 Pearson Education, Inc., Hoboken, NJ. All rights reserved. This material is protected under all copyright laws as they currently exist.
No portion of this material may be reproduced, in any form or by any means, without permission in writing from the publisher.
