An example of an exam
I part
The first part of the exam consists of 20 questions, where each correct answer gives two points. Therefore, it is possible to collect up to 20 points from the first part. The questions do not require a long answer but the answer has to be precise.
Note. In real exam, the first part consists of 10 such questions, 2 points each.
- Explain the concept of availability? Give an example of a system where availability is important. (2p)
- How do the block ciphers and stream ciphers differ? Name one symmetric encryption algorithm. (2p)
- Briefly describe two categories of cookies. (2p)
- What is a VPN? Give two different use cases for it. (2p)
- What is jailbreaking? Why does jailbreaking of a smart device make the device less secure? (2p)
- How do the policies BYOD and COPE differ? Which one provides better security for the company? (2p)
- What is currently the standard key length in public key cryptography? Name one public key encryption algorithm. (2p)
- How is public key cryptography used for encryption and transportation of large amounts of data? Name a system or a protocol where this approach is used. (2p)
- What is a certificate? How is the browser able to verify the validity of certificates used by websites? (2p)
- How is the integrity of data maintained in HTTPS protocol? Which cryptographic method is used for that? (2p)
- Why is email protocol insecure? Which cryptographic idea helps to secure the exchange of emails? The answer should be more specific than just saying that it is done by PGP. (2p)
- Which security properties are the basis for the security of Estonian ID-card? (2p)
- Which parties are involved when Mobile-ID is used? There are four of them. (2p)
- How does the two envelope system work in Estonian i-voting? You will have to specify which encryption keys are used in the two envelope system. (2p)
- What is the most significant problem related with the password based authentication? How it can be solved? (2p)
- Lets say that passwords could be saved into a database by using either bcrypt, PBDKF2, MD5 or SHA256. What is the advantage of bcrypt & PBKDF2 when compared with MD5 and SHA256? Name one security property of a cryptographic hash function. (2p)
- Which techniques are used in phishing attacks to lure the target into clicking a link. Describe two different techniques that could be used for that. (2p)
- How do XSS and CSRF differ? (2p)
- Why was Stuxnet significant compared to other cyber attacks? You will have to give at least two reasons. (2p)
- Should the SSID of router be unique? Can it affect the security of the wifi network? (2p)
II part
The second part of the exam consists of four questions, where each question gives 5 points. Therefore, it is possible to collect up to 20 points from the second part. In order to answer these questions it is necessary to understand the underlying problem as the answer has to contain reasoning. The answer should combine logical thinking and knowledge gathered during the course.
- Question 1 (5p) - How would it be possible to attack two-factor authentication? Describe one attack scenario in detail.
- Question 2 (5p) - The certificates of Estonian ID-card / Digi-ID / Mobile-ID are signed by AS Sertifitseerimiskeskus. Is it possible for the root CA to authenticate in the name of the ID-card owner or to sign documents in the name of the ID-card owner? Explain why it could be done or why it can not be done.
- Question 3 (5p) - PGP has several security issues that can either lower the security level, leak some information or break the security. Describe these security issues.
Lets assume that an attacker would like to read the emails of a target that is assigned to him. How could the attacker get access to the emails? What does the attacker have to do first and how does the attack depend on the security awareness of the target? Describe at least two independent attack scenarios. - Question 4 (5p) - Which security properties are required from an e-voting system? Why are these requirements controversial? Describe the controversy. Is this issue solved in the Estonian e-voting system?