CSCD 434 Network Security
Assignment 5

Cryptography in Security

50 Points

Due Date: May 27th 2009


The purpose of this assignment is to fill in the gaps between cryptography and security: to learn more about how cryptography is actually used in the real world, and what some of the strengths and weaknesses are with regard to how it is used.

Public Key Infrastructure

Public Key Infrastructure (PKI) is the set of hardware, software, people and policies that work together to manage how public key cryptography is used in the real world. Answer the questions below using any resources you find, preferably outside of Wikipedia.

  1. Describe how PKI is typically used, say, by an on-line merchant. Include how a reputable merchant chooses a Certificate Authority (CA) and the costs of using certificates.
  2. What are the advantages and disadvantages of using PKI?
  3. Are there competing models to the Certificate Authority model for implementing PKI?
  4. What is Kerberos, and how does it relate to PKI? What are some products or real implementations?

Limitations of Crypto

Read the following two papers and answer the questions below. Anderson points out specific instances of failure, mostly in banking systems. Keep in mind as you read the paper how these failures are common to other systems that rely on security.
Why Cryptosystems Fail, by Ross Anderson, link here: Ross Anderson Paper
Ten Risks of PKI: What You're Not Being Told About Public Key Infrastructure, by C. Ellison and B. Schneier, link here: Ellison and Schneier Paper

  1. Ross Anderson's paper was written in 1994. Do you feel his criticisms are still valid? Can you provide evidence that ATM machines and other banking systems are, or are not, still vulnerable? Is this problem more general than just banking systems? Why or why not?
  2. Bruce's paper discusses PKI and some of its problems. Do you agree with any of Bruce's criticisms? Are there existing solutions to some of the problems with PKI? If so, describe them.

Human Subject Research

For this last part of the assignment, you are trying to assess how non-technical people view SSL certificate security. Ask at least two people whom you are reasonably sure are not very computer savvy, and have them answer some questions about failed SSL certificates. Be sure to record information about them, such as their age range, computer familiarity, gender, education, and perhaps knowledge of security.

  1. Have they ever shopped on-line or visited a bank web site and had the browser tell them the SSL certificate is bad?
  2. What did they do in response to the security warning? Did they understand what the warning meant?
  3. Show them the following page, where there are a number of failure messages. Ask them whether they have ever seen any of these warnings before, and whether they understand what any of them mean: SSL Failure Certificate Site

Writeup

You should hand this in as hard copy!! Your writeup should be about 2-3 pages in length (longer is okay).