HINF 6220 - Assignment 3

Note: You may have to do some research to answer these questions. All your answers should be self-contained and aimed at a non-technical audience, for example a non-technical health professional who has no more than basic experience of using email, word processing, and browsing and searching the Web. Make sure your answers are free of acronyms and technical jargon; any term you must use should be defined in intuitive terms the first time it appears. Do not exceed the indicated page limit, measured on an 8.5x11 page, single spaced, with 1in margins, in 12pt Times New Roman. Use Web search to find the information you require. Wikipedia may be useful. Remember to use your own words in all your answers. Paraphrase, do not copy from Web sources. Reference all your sources. The page limit does not include references.

Submission instructions:
Please submit your assignment electronically by emailing it to the instructor. Due time is 12 midnight on the due date posted. If no due date is posted, the date when the next assignment is posted is the due date of the previous assignment.
Use the following format for the subject line:
Subject: HINF6220 - Assignment N (where N=1,2,3,4)
Your submission should consist of one file in pdf format.
Use Acrobat (the full version, not the Reader), if you already have it, or one of the free converters (1, 2). About the Portable Document Format (pdf)
The name of the file should be the following:
HINF6220-AN-loginname.pdf, where loginname is your cs login name, and the N in AN is 1,2,3,4

Grading:
Each question will be graded with a letter grade, based on quality of content, quality of writing and demonstration of understanding of key concepts discussed in the lectures. Your answer should be self-contained and easy to read. The overall grade for the assignment will be a weighted average of the individual grades, where the weight is proportional to the size limit of each question (not counting program outputs, if any). Letter grades are averaged using their GPA equivalents. No rounding takes place.
The meaning of the grades is as per the University Calendar, section 17.1.
This style of grading will be used in all evaluation components of this course.

1. Visit the Paypal security centre and the eBay security centre and explain to a layperson whether it is safe to buy from eBay and pay by Paypal (1 page max).

2. Research the concept of phishing on the Web and give a description of it for a layperson (1 page max).

3. Spyware is a new security threat. It involves unauthorized installation of programs on a user's computer that record and transmit user actions over the Internet. Research Spyware on the Web and provide a summary of the main features of spyware, ways they are installed on the user's computer, and how the threat is currently being addressed. (1 page max)

4. On UNIX/Linux systems there is an infinite precision arithmetic calculator, bc, that can help you with your understanding of public key cryptography. bc is also available on Windows as part of the GnuWin32 package, which provides implementations of a collection of useful UNIX commands on the Windows operating system. In bc, you can name values, for example:
p=5 (assigns name p to the value 5)
q=7
n=35
z=24
e=5
d=29
m=12
c = (m^e) % n

assigns name c to the result of the calculation m^e % n. Here m^e raises m to the power of e, i.e. m x m x ... x m (e times); the % operator then divides that result by n (integer division) and returns the remainder of the division (the mod operation).
To view the value of a variable or expression, just type the name of the variable or the expression and then key ENTER.
c
17

c^d % n
12

Before any calculations, you need to force bc to do integer arithmetic by setting the number of digits kept after the decimal point to 0; you do this by setting the variable scale to 0 (type scale = 0).
This makes bc an infinite precision integer arithmetic calculator. If you set scale to another number, e.g. 10, bc will perform arithmetic keeping that many digits after the decimal point and discarding all subsequent digits, i.e. it acts like a pocket calculator.

Bob and Alice each generate a public/private key pair following the method described in the lectures. You can use the above values as Bob's public/private key pair. Repeat the process with different numbers to generate Alice's public/private key pair. Use bc with trial and error.
Bob sends Alice letter "l".
a. What is the encrypted version of "l"?
b. What is the signed version of "l" by Bob?
c. What is the encrypted and signed version of "l" by Bob (do you sign first or encrypt first? Explain your rationale).
For each of a, b, c show the calculations performed on bc by Bob to compute the message to send and by Alice to retrieve the original message.
Clearly specify which party (Bob and Alice) executes which calculations and in what order.

Hint: to save yourself typing, you may want to define functions for encryption, decryption and signing. For the bc documentation and examples, go here.
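As an added illustration (not part of the assignment text and not a model answer), the following Python script replays the bc session above using the same Bob key values given in the question (p=5, q=7, e=5, d=29). It checks the two relationships a key pair must satisfy, performs the encrypt/decrypt and sign/verify steps on the sample message 12, and shows what happens to a signature that has been altered in transit. It deliberately computes nothing for the letter "l" or for Alice's keys. Python's three-argument pow(m, e, n) gives exactly the same result as bc's (m^e) % n with scale = 0.

```python
from math import gcd

# Bob's textbook-RSA parameters, copied from the assignment text:
# primes p and q, public exponent e, private exponent d.
P, Q, E, D = 5, 7, 5, 29


def derive_modulus(p, q):
    """Public modulus n = p * q (35 for Bob)."""
    return p * q


def derive_totient(p, q):
    """z = (p - 1) * (q - 1); e and d must be inverses modulo this value (24 for Bob)."""
    return (p - 1) * (q - 1)


def check_keypair(p, q, e, d):
    """The two relationships a textbook-RSA key pair must satisfy."""
    z = derive_totient(p, q)
    return {
        "e_coprime_to_z": gcd(e, z) == 1,       # otherwise no d exists at all
        "e_d_inverse_mod_z": (e * d) % z == 1,  # 5 * 29 = 145 = 6 * 24 + 1
    }


def find_private_exponent(e, z):
    """Smallest d with (e * d) % z == 1, found by trial and error as the
    question suggests.  Any d that differs from it by a multiple of z also
    works, which is why the assignment's d = 29 and this function's d = 5
    both decrypt correctly when e = 5 and z = 24."""
    for d in range(1, z):
        if (e * d) % z == 1:
            return d
    raise ValueError("e has no inverse modulo z; choose a different e")


def rsa_apply(value, exponent, n):
    """bc's (value^exponent) % n with scale = 0.  Python's three-argument
    pow() performs the same modular exponentiation exactly, with no rounding."""
    if not 0 <= value < n:
        raise ValueError("the number being processed must be smaller than n")
    return pow(value, exponent, n)


# Encrypting and verifying use the public exponent; decrypting and signing
# use the private one.  The arithmetic is identical; only who holds the
# exponent differs.
def encrypt(m, e, n):
    return rsa_apply(m, e, n)


def decrypt(c, d, n):
    return rsa_apply(c, d, n)


def sign(m, d, n):
    return rsa_apply(m, d, n)


def verify(s, e, n):
    return rsa_apply(s, e, n)


def demo():
    """Replay the bc transcript from the question and add a sign/verify round trip."""
    n = derive_modulus(P, Q)
    z = derive_totient(P, Q)
    c = encrypt(12, E, n)  # 17, as in the bc session
    s = sign(12, D, n)
    return {
        "n": n,
        "z": z,
        "keypair_ok": all(check_keypair(P, Q, E, D).values()),
        "ciphertext": c,
        "decrypted": decrypt(c, D, n),  # back to 12
        "signature": s,
        "verified": verify(s, E, n),    # 12 again: signature matches the message
        # An altered signature no longer verifies to 12, which is how the
        # recipient detects tampering.
        "tampered_verify": verify((s + 1) % n, E, n),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name} = {value}")
```

The value check in rsa_apply matters even in this toy setting: with n = 35 only numbers 0 to 34 can be processed, so a message larger than n would be silently reduced and could not be recovered. Real systems use primes hundreds of digits long and add padding to the message before exponentiation; the bare arithmetic here is for understanding the mechanics only.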

5. Browse through the PGP web site and find out how much you have to pay for a product that provides the following services:
- create self-extracting or self-decrypting encrypted archives (files)
- completely delete ("shred") files by erasing them from the hard disk
Describe how to use these and other options in the PGP suite of products to protect patient records that you have downloaded to your laptop.
(1 page max)
Hint: You may add the keyword site:pgp.com to your Google search to restrict search to the pgp.com web site.

6. Question on lab material