
1. In a public-key system using RSA, you intercept the ciphertext C = 20 sent to a user whose public key is e = 13, n = 77. Predict the plaintext M. ----- 16 Marks
2. Explain the critical characteristics of information. – 8 Marks
1. Confidentiality
2. Integrity
3. Availability
4. Privacy
5. Identification
6. Authentication
7. Authorization
8. Accountability
9. Accuracy

1. Confidentiality means that information is only accessible to authorized individuals. This is important for protecting sensitive information, such as financial records, medical data, and trade secrets.
2. Integrity means that information is accurate, complete, and
consistent. This is important for ensuring that information
can be relied upon to make informed decisions.
3. Availability means that information is accessible to
authorized individuals when they need it. This is important
for ensuring that businesses and organizations can operate
efficiently and effectively.
4. Privacy means that individuals have control over their
personal information. This is important for protecting
people's right to privacy and preventing the misuse of their
data.
5. Identification is the act of claiming an identity to a system, for example by presenting a user name or account ID. It is the first step of access control, but on its own it is only an unverified claim; a system that stops here cannot tell a legitimate user from anyone who knows that user's name.
6. Authentication is the process of verifying that claim, proving that an individual or entity is who they say they are, using something they know (a password), something they have (a token) or something they are (a fingerprint). This is important for preventing fraud and identity theft.
7. Authorization is the process of granting or denying access
to resources based on an individual's or entity's identity and
permissions. This is important for ensuring that only
authorized individuals have access to sensitive information
and systems.
8. Accountability means that individuals or entities can be
held responsible for their actions. This is important for
deterring misuse of information and systems.
9. Accuracy means that information is free from errors and
reflects the real world correctly. This is important for
ensuring that information can be relied upon to make
informed decisions.

3. Explain SecSDLC in detail. – 8M
The SecSDLC is a process for incorporating security into all phases of
the software development life cycle (SDLC). It is a framework that
helps organizations to identify, assess, and mitigate security risks
throughout the development process.
The SecSDLC typically includes the following phases:
1. Investigation
2. Analysis
3. Logical design
4. Physical design
5. Implementation
6. Maintenance and change
Investigation
• Directive from upper management
• Enterprise information security policy
• Team organization
• Problem analysis
• Scope definition
• Organizational feasibility analysis
Analysis
• Study of documents from the investigation phase
• Preliminary analysis of existing security policies or programs
• Risk management
Logical design
• Creation and development of blueprints for information security
• Examination and implementation of key policies
• Incident response planning
• Business continuity and disaster recovery planning
• Feasibility analysis of continuing the project in-house versus outsourcing it
Physical design
• Evaluation of information security technology needed to
support the logical design
• Generation of alternative solutions
• Creation of designs for physical security measures
• Feasibility study
Implementation
• Acquisition of security solutions
• Testing of security solutions
• Implementation of security solutions
• Evaluation of personnel issues
• Training and education of personnel
• Presentation of the tested package to upper management for
final approval
Maintenance and change
• Constant monitoring, testing, modification, updating, and
repairing of security solutions to meet changing threats
The SecSDLC is an iterative process, meaning that it can be repeated
as needed to address new security threats or to improve the security
of the system. It is important to note that the SecSDLC is not a silver
bullet for security. However, it can help organizations to reduce the
risk of security breaches and to protect their information assets.

4. Explain the components of an information system. - 8 M
COMPONENTS OF AN INFORMATION SYSTEM
Software
Hardware
Data
People
Procedures
Networks
Software
The software components of an IS comprise applications, operating systems, and assorted command utilities. Software programs are the vessels that carry the lifeblood of information through an organization. They are often created under the demanding constraints of project management, which limit time, cost, and manpower, so security is frequently an afterthought and the resulting flaws become the vulnerabilities attackers exploit.
Hardware
• Hardware is the physical components of a computer system.
• Physical security policies are used to protect hardware from theft, damage,
and unauthorized access.
• A breach of physical security can result in a loss of information.
• Traditional physical security tools can be used to restrict access to hardware
components.
• Most hardware platforms do not guarantee information security if unrestricted
access to the hardware is possible.

Data
Data is the raw, unorganized, discrete (separate, isolated), potentially useful facts and figures that are later processed (manipulated) to produce information. Data stored, processed, and transmitted through a computer system must be protected. It is often the most valuable asset an organization possesses and is the main target of intentional attacks.
People
There are many roles for people in information systems. Common ones include:
• Systems analyst
• Programmer
• Technician
• Engineer
• Network manager
• MIS manager (manager of information systems)
• Data entry operator
Procedures
A procedure is a series of documented actions taken to achieve
something. A procedure is more than a single simple task. A procedure
can be quite complex and involved, such as performing a backup,
shutting down a system, patching software.
Networks
When information systems are connected to each other to form
Local Area Network (LANs), and these LANs are connected to other
networks such as the Internet, new security challenges rapidly
emerge. Steps to provide network security are essential, as is the
implementation of alarm and intrusion systems to make system
owners aware of ongoing compromises.

5. Illustrate that (G,*) is a cyclic group, where G = {1, ω, ω²}. – 8 Marks
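A worked answer for question 5, added here and not part of the original sheet. It takes ω to be a primitive cube root of unity, ω = e^{2πi/3}, which the question leaves implicit; everything below follows from ω³ = 1 and ω ≠ 1.

```latex
\text{Let } \omega = e^{2\pi i/3}, \text{ so } \omega^3 = 1,\ \omega \neq 1,\ \text{and } 1 + \omega + \omega^2 = 0.
\text{Multiplication on } G = \{1, \omega, \omega^2\} \text{ reduces exponents modulo } 3:\quad
\omega^a \cdot \omega^b = \omega^{(a+b) \bmod 3}.

\begin{array}{c|ccc}
 *        & 1        & \omega   & \omega^2 \\ \hline
 1        & 1        & \omega   & \omega^2 \\
 \omega   & \omega   & \omega^2 & 1        \\
 \omega^2 & \omega^2 & 1        & \omega
\end{array}

\text{Closure: every entry of the table lies in } G.
\text{Associativity: inherited from multiplication in } \mathbb{C}.
\text{Identity: } 1 \cdot x = x \text{ for all } x \in G.
\text{Inverses: } 1^{-1} = 1,\ \omega^{-1} = \omega^2,\ (\omega^2)^{-1} = \omega \ \text{(read off the 1 entries of the table).}
\text{Hence } (G, *) \text{ is a group.}

\text{Cyclic: } \langle \omega \rangle = \{\omega^1, \omega^2, \omega^3\} = \{\omega, \omega^2, 1\} = G,
\text{ so } \omega \text{ generates } G;\ \text{likewise } \langle \omega^2 \rangle = \{\omega^2, \omega^4 = \omega, \omega^6 = 1\} = G.
\text{Since } |G| = 3 \text{ is prime, every non-identity element is a generator, and } (G,*) \cong \mathbb{Z}_3.
```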
6. Show that Fermat's theorem holds true for p = 13 and a = 11. – 8 Marks

7. Show that Fermat's theorem does not hold true for p = 6 and a = 2. --- 8 marks
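A direct check for questions 6 and 7, as an added Python example (not part of the original answer sheet). fermat_holds, worked_case and fermat_witnesses are names chosen here. The block goes beyond the two asked-for cases to show the theorem's limits: for a prime p every base passes, for p = 6 every base from 2 to 5 fails, yet some composites pass for particular bases (341 = 11 · 31 passes for base 2), which is why a Fermat check alone never proves primality.

```python
"""Fermat's little theorem checked directly (added example for questions 6 and 7)."""
from math import gcd


def fermat_holds(p, a):
    """True when a^(p-1) ≡ 1 (mod p): the congruence Fermat's little theorem
    guarantees whenever p is prime and gcd(a, p) = 1."""
    return pow(a, p - 1, p) == 1


def worked_case(p, a):
    """The intermediate values an exam answer would show for one (p, a)."""
    return {"p": p, "a": a, "gcd": gcd(a, p), "a^(p-1) mod p": pow(a, p - 1, p),
            "holds": fermat_holds(p, a)}


def fermat_witnesses(p):
    """Bases a in [2, p-1] for which the congruence fails. Empty when p is
    prime (the theorem covers every such a); non-empty for most composites."""
    return [a for a in range(2, p) if not fermat_holds(p, a)]


if __name__ == "__main__":
    # Question 6: p = 13 is prime and gcd(11, 13) = 1, so 11^12 mod 13 must be 1.
    print(worked_case(13, 11))
    # Question 7: p = 6 is composite; 2^5 = 32 ≡ 2 (mod 6), so the congruence fails.
    print(worked_case(6, 2))
    # For p = 6 every base from 2 to 5 fails: [2, 3, 4, 5]. For p = 13 none does.
    print(fermat_witnesses(6), fermat_witnesses(13))
    # Caveat: 341 = 11 * 31 is composite yet 2^340 ≡ 1 (mod 341), a base-2 Fermat
    # pseudoprime; base 3 exposes it. A passed congruence is not a primality proof.
    print(fermat_holds(341, 2), fermat_holds(341, 3))
```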
8. Explain how PGP encryption is implemented with suitable diagram - 16 M
PGP encryption is implemented using a hybrid cryptosystem,
which combines the strengths of both symmetric-key and
public-key cryptography.

*Symmetric-key cryptography* uses the same key to encrypt and decrypt data. It is very fast, but the sender and the receiver must both hold the same secret key, and getting that key to the other party without exposing it is the hard problem: anyone who obtains it can read everything encrypted under it.

*Public-key cryptography* uses two different keys: a public key and a private key. The public key can be shared with anyone, but the private key must be kept secret. It is far slower than symmetric-key cryptography, so it is not applied to the message itself; its value is that anyone holding the public key can encrypt something that only the private-key holder can decrypt, which solves the key-distribution problem.

PGP encryption works by first generating a random symmetric key, called a session key. The session key is used to encrypt the message with a symmetric-key encryption algorithm. The session key itself (not the encrypted message) is then encrypted with the receiver's public key using a public-key encryption algorithm.

The sender then sends the encrypted message and the encrypted session key to the receiver. The receiver uses their private key to decrypt the session key, and then uses the session key to decrypt the message.

Here is a step-by-step explanation of how PGP encryption is implemented:

1. The sender generates a random session key.
2. The sender encrypts the message using the session key and a symmetric-key encryption algorithm.
3. The sender encrypts the session key using the receiver's
public key and a public-key encryption algorithm.
4. The sender sends the encrypted message and the encrypted
session key to the receiver.
5. The receiver uses their private key to decrypt the session
key.
6. The receiver uses the session key to decrypt the message.

PGP encryption is a very secure way to protect sensitive communication. It is used by individuals, businesses, and governments to protect their data from unauthorized access.

Here are some additional details about the implementation of PGP encryption:

* PGP uses a variety of symmetric-key encryption algorithms, such as AES and CAST5 (OpenPGP also defines 3DES and IDEA).
* PGP uses RSA for public-key encryption; OpenPGP also defines ElGamal and elliptic-curve algorithms.
* PGP also supports other features, such as digital signatures (the sender signs the message hash with their own private key, normally before encryption) and message compression (applied before encryption, since ciphertext does not compress).
* PGP is implemented in a variety of software applications, such as GnuPG (GPG) and mail-client plug-ins such as Enigmail.

PGP encryption is a powerful tool for protecting your communication. By understanding how it works, you can better use it to protect your data.
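The six steps above carried out end to end, as an added Python example that is neither PGP nor GnuPG code. Two parts are stand-ins, marked in the block: the public-key step is textbook RSA on demo primes generated by a small Miller-Rabin routine (real OpenPGP pads the session key with PKCS#1 v1.5 before the RSA operation), and the bulk cipher is an HMAC-SHA256 counter-mode keystream XORed into the message (real OpenPGP uses AES or CAST5 in CFB mode). The data flow, session key protecting the message and public key protecting only the session key, is the genuine one; all function names and the sample message are chosen here.

```python
"""Hybrid (PGP-style) encryption, steps 1 to 6 above, with the standard library only.

Added example, not PGP or GnuPG code. Stand-ins: textbook RSA on demo primes for
the public-key step, and an HMAC-SHA256 counter-mode keystream for the bulk cipher.
"""
import hashlib
import hmac
import math
import secrets


def is_probable_prime(n, rounds=25):
    """Miller-Rabin test, used only to pick demo primes."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random odd integer of exactly `bits` bits that passes Miller-Rabin."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def rsa_keypair(bits=1024, e=65537):
    """Return ((e, n), (d, n)): the receiver publishes (e, n) and keeps (d, n)."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (e, p * q), (pow(e, -1, phi), p * q)


def _keystream(session_key, nonce, length):
    """HMAC-SHA256 in counter mode: stand-in for AES/CAST5, not an OpenPGP cipher."""
    out = bytearray()
    for counter in range(length // 32 + 1):
        out += hmac.new(session_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def sym_encrypt(session_key, plaintext):
    nonce = secrets.token_bytes(16)                 # fresh per message, sent in the clear
    ks = _keystream(session_key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def sym_decrypt(session_key, blob):
    nonce, body = blob[:16], blob[16:]
    ks = _keystream(session_key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def pgp_encrypt(receiver_pub, message):
    e, n = receiver_pub
    session_key = secrets.token_bytes(16)            # step 1: random 128-bit session key
    body = sym_encrypt(session_key, message)         # step 2: bulk-encrypt the message with it
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)   # step 3: RSA-encrypt the key (unpadded here)
    return wrapped, body                             # step 4: both parts travel together


def pgp_decrypt(receiver_priv, wrapped, body):
    d, n = receiver_priv
    session_key = pow(wrapped, d, n).to_bytes(16, "big")   # step 5: private key recovers the session key
    return sym_decrypt(session_key, body)                   # step 6: session key recovers the message


if __name__ == "__main__":
    pub, priv = rsa_keypair(1024)
    msg = b"constructed sample message: meet at 09:00"   # constructed input
    wrapped, body = pgp_encrypt(pub, msg)
    print(pgp_decrypt(priv, wrapped, body) == msg)
```

Note what the private key never touches: the message body is decrypted with the session key alone, so a recipient list is handled by encrypting the same session key once per recipient public key, which is exactly how PGP addresses a message to several people without re-encrypting the body.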

11. Explain in detail about email security - 16 M

Email security
Email security is the practice of protecting email accounts and
communications from unauthorized access, loss, or compromise.
Organizations can enhance their email security posture by establishing
policies and using tools to protect against malicious threats such as
malware, spam, and phishing attacks. Cybercriminals target email
because it is an easy entry point to other accounts and devices—and
it relies in large part on human error. All it takes is one misguided click
to cause a security crisis for an entire organization.
The benefits of email security
Businesses of all sizes are realizing the importance of prioritizing email
security. An email security solution that safeguards employee
communication and reduces cyberthreats is important because it
helps to:
Protect a company’s brand, reputation, and bottom line. Email
threats can lead to devastating costs, operational disruption, and other
severe consequences.
Enhance productivity. With a robust email security solution in place,
businesses can reduce potential disruptions to operations and
downtime because of a cyberattack. An effective solution helps
security teams streamline response and stay ahead of increasingly
sophisticated threats.
Ensure compliance with data protection laws such as the General Data Protection Regulation (GDPR) and avoid the many costs of a cyberattack, such as business disruption, legal fees, and regulatory fines.
Email security best practices
In response to the fast-changing email threat landscape, enterprises
have established email security best practices to support
communication and guard against threats. Top email security best
practices include:
Educate employees with periodic training to minimize the risk of
human error and ensure that employees—often considered a
company’s first line of defense—understand the importance of email
security.
Invest in user awareness training so users can learn how to recognize
the signs of a phishing attack and other indicators of malicious intent.
Upgrade to an email security solution that provides advanced threat
protection.
Implement multifactor authentication (MFA) to prevent account
compromise. Asking users to provide more than one way to sign into
accounts is an easy way to help secure organizational data.
Review protections against business email compromise attacks
through methods like spoofing and impersonation.
Move high-risk processes and transactions to more authenticated
systems.
Types of email threats (headings only)
Data exfiltration
Malware
Spam
Impersonation
Phishing
13. Perform encryption and decryption using the RSA algorithm for the following values: p = 7, q = 11, e = 7, M = 9. ----- 16 Marks
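Both RSA questions on this sheet (questions 1 and 13) worked in Python, as an added example rather than the sheet's own answer; factor_small_modulus, rsa_private_exponent, decrypt_with_crt and the question_* functions are names chosen here. Question 1 gives only the public key (e, n) = (13, 77), so the block does what an attacker does with a toy modulus: factor n, rebuild d, decrypt. Question 13 starts from p, q, e and runs both directions, with the CRT path showing the same computation the way it is done by hand.

```python
"""Textbook RSA for questions 1 and 13 (added example, not the sheet's answer).

n = 77 is small enough to factor by inspection, which is the whole point of
question 1: RSA is only as strong as factoring n is hard.
"""
from math import gcd


def factor_small_modulus(n):
    """Trial division, adequate only for toy moduli like 77."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no small factor")


def rsa_private_exponent(p, q, e):
    """d = e^-1 mod phi(n); requires gcd(e, phi(n)) = 1."""
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError(f"e={e} is not invertible mod phi={phi}")
    return pow(e, -1, phi)


def rsa_encrypt(m, e, n):
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    return pow(c, d, n)


def decrypt_with_crt(c, d, p, q):
    """Same result as pow(c, d, n), but via c^d mod p and c^d mod q, the way the
    hand computation goes (and the way real implementations do it, for speed)."""
    mp = pow(c, d % (p - 1), p)          # Fermat: the exponent reduces mod p-1
    mq = pow(c, d % (q - 1), q)
    return next(x for x in range(p * q) if x % p == mp and x % q == mq)


def question_1(c=20, e=13, n=77):
    """Attacker's view: only (e, n) and the ciphertext are known."""
    p, q = factor_small_modulus(n)
    d = rsa_private_exponent(p, q, e)
    m = rsa_decrypt(c, d, n)
    assert rsa_encrypt(m, e, n) == c          # the recovered M re-encrypts to C
    return {"p": p, "q": q, "phi": (p - 1) * (q - 1), "d": d, "M": m}


def question_13(p=7, q=11, e=7, m=9):
    """Owner's view: keys built from p, q, e; encrypt, then decrypt."""
    n = p * q
    d = rsa_private_exponent(p, q, e)
    c = rsa_encrypt(m, e, n)
    return {"n": n, "phi": (p - 1) * (q - 1), "d": d, "C": c,
            "decrypted": rsa_decrypt(c, d, n), "via_crt": decrypt_with_crt(c, d, p, q)}


if __name__ == "__main__":
    print(question_1())    # {'p': 7, 'q': 11, 'phi': 60, 'd': 37, 'M': 48}
    print(question_13())   # d = 43, C = 37, which decrypts back to 9
```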
12. Explain the various types of firewalls with neat diagrams - 16 Marks
Types of Network Firewall :

Packet Filters –
A packet-filtering firewall controls network access by examining each incoming and outgoing packet on its own and allowing or dropping it according to rules on the source and destination Internet Protocol (IP) addresses, protocol, and ports. Because it keeps no memory of earlier packets, it is also called a static or stateless firewall; it cannot tell whether an inbound packet is a genuine reply to an outbound connection or a forged probe carrying the same header fields.

Stateful Inspection Firewalls –
A stateful inspection firewall is also a packet filter, but a dynamic one (dynamic packet filtering): it keeps a state table of the connections it has seen start (for TCP, the three-way handshake; for UDP, the first outbound datagram) and checks whether each packet belongs to one of those sessions. Traffic that belongs to an established, legitimately initiated session is permitted; a packet that matches no known session is blocked unless a rule explicitly allows it to open a new connection.
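The difference between the two filter types above on the same traffic, as an added Python example (not code from the page). The inside network 10.0.0.0/24, the four packets and all names are constructed here. Both filters intend the same policy, inside hosts may open connections outwards and only replies may come back in, but the stateless filter has to express "reply" as a header pattern, and the third packet shows an attacker satisfying that pattern.

```python
"""Stateless packet filter vs stateful inspection on constructed traffic.

Added example, not code from the page. Both filters sit between an inside
network (10.0.0.0/24, constructed) and the Internet, with default deny.
"""
from dataclasses import dataclass

INSIDE_PREFIX = "10.0.0."   # constructed inside address space


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # set on the first packet of a TCP connection
    ack: bool = False   # set on every TCP packet after the first


def is_inside(ip):
    return ip.startswith(INSIDE_PREFIX)


def stateless_allow(pkt):
    """Static packet filter: judges each packet by its own headers.
    With no memory of what went out, the only way to let replies back in is
    a rule like 'inbound TCP to a high port with ACK set is established
    traffic', and an attacker can set ACK on a probe to satisfy it."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return True                                        # any outbound packet
    if pkt.proto == "tcp" and pkt.dport >= 1024 and pkt.ack:
        return True                                        # the 'established' heuristic
    return False                                           # default deny


class StatefulFilter:
    """Dynamic packet filter: records each connection an inside host starts
    and admits an inbound packet only if it belongs to one of them."""

    def __init__(self):
        self.sessions = set()   # (proto, inside_ip, inside_port, remote_ip, remote_port)

    def allow(self, pkt):
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.proto != "tcp" or pkt.syn:              # a new session is starting
                self.sessions.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return reverse in self.sessions                    # reply to a known session only


# Constructed traffic: one legitimate HTTPS session, then two inbound attacks.
TRAFFIC = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.7", 443, syn=True),            # inside host opens HTTPS
    Packet("tcp", "203.0.113.7", 443, "10.0.0.5", 40000, syn=True, ack=True),  # server's SYN-ACK reply
    Packet("tcp", "198.51.100.9", 443, "10.0.0.5", 40001, ack=True),           # ACK-flag probe of port 40001
    Packet("tcp", "198.51.100.9", 40002, "10.0.0.5", 22, syn=True),            # unsolicited SSH connection
]


def stateless_decisions(traffic=TRAFFIC):
    return [stateless_allow(p) for p in traffic]


def stateful_decisions(traffic=TRAFFIC):
    fw = StatefulFilter()
    return [fw.allow(p) for p in traffic]


if __name__ == "__main__":
    print("stateless:", stateless_decisions())   # [True, True, True, False]: the probe gets through
    print("stateful: ", stateful_decisions())    # [True, True, False, False]: only the real reply
```

The ACK-flag probe in the third packet is the classic way to map hosts behind a stateless filter; a stateful filter drops it because no inside host ever opened a connection to 198.51.100.9:443 from port 40001.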

Application Layer Firewalls –
These firewalls examine application-layer (OSI layer 7) content, such as an HTTP request, rather than only packet headers. They are commonly built as proxies that terminate the client's connection and open a separate one to the server, which lets them enforce the rules of each protocol, block dangerous commands or payloads, and log requests; traffic that violates the policy for that application is blocked.

Next-generation Firewalls –
These firewalls are called intelligent firewalls. They can perform all the tasks performed by the other types of firewalls above and, on top of that, include additional features such as application awareness and control, integrated intrusion prevention, and cloud-delivered threat intelligence.

Circuit-level gateways –
A circuit-level gateway works at the session layer, between the transport and application layers of the Open Systems Interconnection (OSI) model. It verifies that a Transmission Control Protocol (TCP) connection or User Datagram Protocol (UDP) exchange is set up legitimately, for example by checking the TCP handshake, and then relays the packets of that circuit without inspecting their contents.

Software Firewall –
A software (host-based) firewall is a program that runs on the computer it protects. It filters the traffic entering and leaving that host according to rules, typically per application, blocking unauthorized inbound connections and alerting the user when a program attempts to open a network connection.
Hardware Firewall –
A hardware firewall is a physical appliance that is deployed to
enforce a network boundary. All network links crossing this
boundary pass-through this firewall, which enables it to
perform an inspection of both inbound and outbound network
traffic and enforce access controls and other security policies.

Cloud Firewall –
These are software-based firewalls delivered as a cloud service (firewall-as-a-service). Rather than sitting at one site's perimeter, a cloud firewall filters the traffic of a private network or of cloud-hosted workloads at the provider's edge, so the same policy is enforced regardless of where users and workloads are located.
