CS7NS5/CSU44032 Security and Privacy

Network Security Assignment Question

Assignment#1, Document the security and privacy

considerations of your FYP/Dissertation topic(Copulas Theory in Finance). Should be ~3-4 pages that you can use in your writeup.Security & Privacy Considerations for your FYP/Dissertation – 3-4 pages usually; use in dissertation/FYP – Discuss the security

& privacy issues of your dissertation/FYP topic – See RFCs 3552, 6973 and W3C tech report on sec/privacy considerations

https://tools.ietf.org/html/rfc3552

https://tools.ietf.org/html/rfc6973

https://www.w3.org/TR/security-privacy-questionnaire/ and You can see one student answer in the attachment (ass1.pdf)

But My topic is Copulas Theory in Finance

Assignment 2

Below there are 5 question but If you answer 3 question would be enough

Q1) It seems likely that some form of vaccination certificate will be deployed in the European Union (EU) during 2021, but there is currently a dearth of technical detail describing the data formats, databases, administration and opera3on of such certificates. You are tasked by a human rights organisation to do a partly speculative risk and human-rights analysis of the technology aspects of such a scheme so that the organisation can react quickly when details of the actual scheme emerge. You can assume that the scheme will cover vaccination information (dates, places, dose details), that a mobile App or a printed-paper version will be supported and that vaccination certificate ought be verifiable at any EU member-state border, e.g., in an airport. In addition to vaccinations, the system may also support details of those who were infected but are now recovered and of (presumably negative) tests. In addition to potential privacy and human-rights issues, you also need to take into account that the proportions of populations that have been vaccinated will vary from country to country and over 3me which could have a major impact on the probability that forgery will be an interesting attack.

Note: If additional technical detail of the real EU system emerges as you are completing this assignment, it is en3rely fine to make use of that, so long as you provide references. Similarly, you could

base your work on one of the current proposals for such certification schemes, so long as proper references are provided.

  1. Describe the (possibly speculative) design for overall system, that will form the basis for your analysis, and the process you would follow to evaluate that design. [10 marks]
  2. Describe three of the most significant risks you see in this scenario, including their potential impact and likelihood of occurrence, and outline the countermeasures you would recommend that the human-rights organisation ought lobby to see implemented either at national or EU level. [25 marks]
  3. Describe the criteria you would propose be used in order to phase out use of these vaccination certificates? [5 marks]

Q2)

  1. For any real Internet key exchange protocol (e.g. TLS, IPsec, or Kerberos) describe the key management and application data protection aspects of the protocol in detail. Describe how your chosen protocol behaves in the face of misconfiguration for at least two common examples of misconfiguration.

    Your answer may describe any widely used version of your chosen protocol, but you need to explicitly state which version you are describing. [25 marks]

  2. Research and describe an open-source implementation of your chosen protocol highlighting the external APIs used by applications and how those map to the key management and application data details you described in part (a). For example you might describe the OpenSSL or BoringSSL implementations of TLS, or the MIT Kerberos implementation.
  3. Considering the implementation you chose for part (b), what guidance would you offer today to a maintainer concerned about aIacks based on quantum computing?

Q3)

You are part of a team developing a web-based messaging and email service designed for medium-scale deployments (of approx. 10,000 users) for use in sports clubs and associations of sports clubs. The system is intended to allow coaches to communicate with teams/panels, and with other club members. The system will also support person to person communication between members of different clubs that have signed up to the service. You could think of the service being based around a Whatsapp equivalent such as element/matrix.org or similar, with the addition of standard email services and abuse-reporting, but with users limited to paid-up members of affiliated clubs. The particular subsystem you are responsible for deals with reporting undesirable content, for example if a member of one club finds a posting from a competitor club objectionable, they might click on a “report posting” buIon or similar. Clearly, there is scope for abuse of this feature, just as there is scope for personal or other abuse in message content.

  1. Outline a design for the overall system (include a network diagram), and state the security and privacy requirements the overall system and the abuse-reporting subsystem must meet. Note that this part of your answer should only discuss security and privacy requirements and not describe how to meet those requirements. [15 marks]
  2. Describe, in detail, the solution you would propose for the abuse-reporting subsystem with a focus on the security and privacy mechanisms used to meet the requirements from part (a). [20 marks]
  3. While this service is mainly intended for use in relatively controlled environments, where users are paid-up club members and so there is some existing disciplinary system in place, it could also be deployed in less controlled situations, e.g., where there is no overarching association to which clubs are affiliated. What additional measures would you consider for such an environment? [5 marks]

Q4)

  1. Outline a design for the overall system (include a network diagram), and state the security and privacy requirements the overall system and the abuse-reporting subsystem must meet. Note that this part of your answer should only discuss security and privacy requirements and not describe how to meet those requirements. [15marks]
  2. Describe, in detail, the solution you would propose for the abuse-reporting subsystem with a focus on the security and privacy mechanisms used to meet the requirements from part (a). [20 marks]
  3. While this service is mainly intended for use in relatively controlled environments, where users are paid-up club members and so there is some existing disciplinary system in place, it could also be deployed in less controlled situations, e.g., where there is no overarching association to which clubs are affiliated. What additional measures would you consider for such an environment?

Q5)

  1. Describe and criticise the design of DNSSEC (RFC4035) with a focus on trade-offs between security and ease of deployment. 15 marks
  2. Given the current deployment situation with DNSSEC (about 3% of names signed, less than 2% of .com second level domains), how would you propose to achieve a radical improvement in the security of the globally deployed DNS? Describe a plan to achieve that and justify your chosen plan versus other possibilities. [15 Marks]
  3. There are many DNSSEC private keys in the world. If you were dishonest, which three of all those private keys would you most like to have a copy of? Say why and what you would do with those private keys. [10 Marks]