crypto

The document outlines a series of questions related to information security, cryptography, and cyber attack methodologies. It covers topics such as authentication methods, the CIA Triad, the Cyber Kill Chain, principles of least privilege, and types of cryptography. Additionally, it includes practical exercises like encryption tasks and discussions on trade-offs in cryptographic implementations.

Uploaded by

tnyange909

Question One [25 Marks]

The Tanzania Police Force discovers that someone accessed their Criminal
Records Database and modified the criminal history of a known gang member.
No clear audit trail was found.
a) List five (5) examples of "Something You Are" authentication. [5 Marks]
b) The phrase "Trust, but verify" is often used in discussions about security.
Briefly explain how this principle applies to information security. [5 Marks]
c) Explain how the CIA Triad was violated in this incident. [15 Marks]

Question Two [25 Marks]

a) List seven (7) stages of the Cyber Kill Chain. [7 Marks]
b) Explain how an authorization system could prevent privilege creep. [3 Marks]
c) Discuss the principles of least privilege and separation of duties. [10 Marks]

Question Three [25 Marks]

a) List five (5) stages of the Cryptographic Lifecycle. [5 Marks]
b) Differentiate between Confusion and Diffusion in cryptography. [6 Marks]
c) Compute how many keys are required for secure communication in a group of:
• 2 people
• 3 people
• 10 people
• 100 people
[4 Marks]
d) Explain the two (2) main types of Cryptography. [4 Marks]
e) You are a software engineer working on a mobile banking app. Your team is
debating whether to implement 4096-bit RSA encryption or stick with 2048-bit
RSA. Some argue for stronger encryption, while others are concerned about
performance on low-end devices. Discuss the trade-offs and recommend an
appropriate approach. Justify your answer. [6 Marks]

Question Four [25 Marks]


a) Encrypt "HELLO" using the Caesar cipher with a key = 15. [5 Marks]
b) Use the Playfair Cipher to encrypt "SECURITY" with the key "SECRET". [9 Marks]
c) Compute n and ϕ(n), then find the private key d. Use it to encrypt and
decrypt using RSA with the given parameters: p=3, q=11, e=7, M=5. [4 Marks]
d) Encrypt "ITSCOOL" using the Affine cipher with k1=5 and k2=8. [7 Marks]

Question One [25 Marks]


a) List five (5) examples of "Something You Are" authentication. [5 Marks]
"Something You Are" refers to biometric authentication methods. Here are five
examples:
1. Fingerprint Recognition: Uses the unique patterns of an individual's
fingerprints.
2. Facial Recognition: Analyzes facial features to verify identity.
3. Iris Recognition: Scans the unique patterns in the iris of the eye.
4. Voice Recognition: Identifies individuals based on the unique
characteristics of their voice.
5. Retina Scanning: Analyzes the unique pattern of blood vessels at the
back of the eye.

b) The phrase "Trust, but verify" is often used in discussions about
security. Briefly explain how this principle applies to information security.
[5 Marks]
In information security, the principle of "Trust, but verify" calls for
establishing trust with users, systems, or entities while still continuously
monitoring and validating their actions. This means:
• Trust: Granting permissions and access based on credentials and roles,
assuming that users and systems are acting in good faith.
• Verify: Implementing monitoring, auditing, and validation mechanisms to
ensure that trust is not misplaced. This includes checking for unauthorized
activities, verifying the integrity of data, and ensuring that security
policies are being followed.
This approach helps balance security with usability, ensuring that security
measures do not overly impede legitimate activities while still providing robust
protection against threats.
c) Explain how the CIA Triad was violated in this incident. [15 Marks]
The CIA Triad consists of three core principles of information security:
Confidentiality, Integrity, and Availability. In the given incident, where
someone accessed the Tanzania Police Force's Criminal Records Database and
modified a gang member's criminal history, the CIA Triad was violated as
follows:
1. Confidentiality:
• Violation: The unauthorized access to the database represents a
breach of confidentiality. Confidential information, such as criminal
records, was accessed by an unauthorized individual or entity.
• Impact: This breach could expose sensitive information, potentially
leading to harm for individuals involved or compromising ongoing
investigations.
2. Integrity:
• Violation: The modification of the gang member's criminal history
is a direct violation of data integrity. The integrity of the database
was compromised as the information was altered without
authorization.
• Impact: Altered criminal records can undermine the legal process,
affect court proceedings, and damage the credibility of the police
force. It can also lead to wrongful arrests or releases.
3. Availability:
• Violation: While the scenario does not explicitly mention a denial
of service or loss of access, the unauthorized access and
modification could indicate that the system was compromised,
potentially affecting its availability.
• Impact: If the system was taken offline or altered significantly, it
could disrupt police operations and access to critical information.
Summary: The incident primarily violated the principles of confidentiality and
integrity. The unauthorized access breached confidentiality, while the
modification of data violated integrity. The potential impact on availability
depends on the specifics of the attack, but it is possible that the system was
rendered partially or fully unavailable during the breach.
Question Two [25 Marks]
a) List seven (7) stages of the Cyber Kill Chain. [7 Marks]
The Cyber Kill Chain is a model developed by Lockheed Martin to describe the
stages of a cyber attack. The seven stages are:
1. Reconnaissance: Gathering information about the target, such as network
infrastructure, employee details, and system vulnerabilities.
2. Weaponization: Creating a malicious payload, such as malware or a
phishing email, tailored to exploit identified vulnerabilities.
3. Delivery: Distributing the malicious payload to the target, often through
email attachments, malicious links, or compromised websites.
4. Exploitation: Exploiting vulnerabilities in the target system to execute
the malicious payload.
5. Installation: Installing malware or other malicious tools on the target
system to establish a foothold.
6. Command and Control (C2): Establishing communication channels
between the compromised system and the attacker's infrastructure to
control the malware and exfiltrate data.
7. Actions on Objectives: Carrying out the attacker's intended goals, such
as data theft, data destruction, or disruption of services.

b) Explain how an authorization system could prevent privilege creep. [3 Marks]
Privilege creep occurs when users accumulate unnecessary permissions and
access rights over time, often due to changes in job roles or responsibilities. An
authorization system can prevent privilege creep by:
1. Regular Access Reviews: Implementing periodic reviews of user access
rights to ensure that permissions are aligned with current job roles and
responsibilities.
2. Least Privilege Principle: Granting users the minimum level of access
required to perform their duties, reducing the accumulation of
unnecessary permissions.
3. Automated Provisioning and Deprovisioning: Automatically granting
and revoking access rights based on changes in job roles or employment
status, ensuring that users have the appropriate permissions at all times.

c) Discuss the principles of least privilege and separation of duties. [10 Marks]
1. Principle of Least Privilege:
• Definition: The principle of least privilege states that users,
processes, or systems should be granted the minimum level of
access or permissions necessary to perform their legitimate
functions.
• Application: This principle is applied by limiting user access to
only the resources and data required for their specific tasks. For
example, a junior accountant may have access to financial records
but not to HR files.
• Benefits: Reduces the risk of unauthorized access, limits the
potential damage from compromised accounts, and minimizes the
attack surface for cyber threats.
2. Separation of Duties:
• Definition: The separation of duties is a security principle that
divides critical tasks and responsibilities among multiple
individuals to prevent any single person from having enough
information or access to commit fraud or other malicious acts.
• Application: This principle is applied by requiring multiple people
to complete a task or approve a transaction. For example, in
financial systems, one person may initiate a payment, while another
approves it.
• Benefits: Deters fraud, reduces the risk of errors, and enhances
accountability by ensuring that no single individual has complete
control over critical processes.
Comparison:
• Least Privilege focuses on limiting access to the minimum necessary,
while Separation of Duties focuses on dividing critical tasks to prevent
abuse.
• Both principles aim to enhance security by reducing the risk of
unauthorized access and malicious activities.
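
The access review, automated deprovisioning and two-person approval described in parts (b) and (c), as an added Python example that is not part of the original document. Role names, permission strings and user names are hypothetical, and the sample users are constructed.

```python
from dataclasses import dataclass, field

# Hypothetical role baselines: the minimum each role needs (least privilege).
ROLE_BASELINE = {
    "junior_accountant": {"finance:read"},
    "payments_clerk": {"finance:read", "payment:initiate"},
    "payments_supervisor": {"finance:read", "payment:approve"},
}
# Permission pairs one person must never hold together (separation of duties).
SOD_CONFLICTS = [frozenset({"payment:initiate", "payment:approve"})]


@dataclass
class User:
    name: str
    role: str
    granted: set = field(default_factory=set)


def review(user):
    """Access review: return (excess, missing, sod_conflicts) for one user."""
    baseline = ROLE_BASELINE[user.role]
    excess = user.granted - baseline      # privilege creep
    missing = baseline - user.granted     # under-provisioned
    conflicts = [sorted(p) for p in SOD_CONFLICTS if p <= user.granted]
    return excess, missing, conflicts


def reprovision(user):
    """Automated deprovisioning: reset grants to the current role's baseline."""
    revoked = user.granted - ROLE_BASELINE[user.role]
    user.granted = set(ROLE_BASELINE[user.role])
    return revoked


def can_approve(initiator, approver):
    """A payment needs an authorised initiator and a different authorised approver."""
    return (initiator.name != approver.name
            and "payment:initiate" in initiator.granted
            and "payment:approve" in approver.granted)


def sample_users():
    """Constructed sample data: two users whose roles changed over time."""
    return [
        # Promoted from clerk to supervisor; the old initiate right was never removed.
        User("amina", "payments_supervisor",
             {"finance:read", "payment:initiate", "payment:approve"}),
        # Picked up HR access during a past project and kept it.
        User("juma", "junior_accountant", {"finance:read", "hr:read"}),
    ]


if __name__ == "__main__":
    for u in sample_users():
        excess, missing, conflicts = review(u)
        print(u.name, "excess:", sorted(excess), "SoD conflicts:", conflicts)
        print("  revoked:", sorted(reprovision(u)), "->", review(u))
```
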

Question Three [25 Marks]


a) List five (5) stages of the Cryptographic Lifecycle. [5 Marks]
The Cryptographic Lifecycle consists of the following stages:
1. Initiation: Defining the security requirements and selecting appropriate
cryptographic algorithms and protocols.
2. Development: Designing and implementing cryptographic systems,
including key management and encryption mechanisms.
3. Operation: Deploying and using the cryptographic systems in real-world
applications.
4. Review: Regularly assessing the effectiveness of the cryptographic
systems and identifying any vulnerabilities or weaknesses.
5. Decommissioning: Retiring outdated or compromised cryptographic
systems and securely disposing of cryptographic keys and data.

b) Differentiate between Confusion and Diffusion in cryptography. [6 Marks]
In cryptography, Confusion and Diffusion are two fundamental concepts
introduced by Claude Shannon to describe the properties of secure encryption
algorithms.
1. Confusion:
• Definition: Confusion refers to the obscuring of the relationship
between the plaintext and the ciphertext. It makes it difficult for an
attacker to deduce the key or plaintext from the ciphertext.
• Implementation: Confusion is typically achieved through
substitution ciphers, where each character or bit of the plaintext is
replaced with a different character or bit based on the key.
• Example: The Caesar cipher, which shifts letters by a fixed number
of positions, is a simple form of confusion.
2. Diffusion:
• Definition: Diffusion refers to the spreading out of the influence of
each plaintext character over many ciphertext characters. It ensures
that a small change in the plaintext results in a significant change in
the ciphertext.
• Implementation: Diffusion is typically achieved through
transposition ciphers or permutation ciphers, where the positions of
characters or bits are rearranged.
• Example: The Rail Fence cipher, which writes the plaintext in a
zigzag pattern and then reads it off in rows, is a simple form of
diffusion.
Summary:
• Confusion obscures the relationship between plaintext and ciphertext,
while Diffusion spreads the influence of each plaintext character across
the ciphertext.
• Both concepts are essential for creating strong encryption algorithms that
are resistant to cryptanalysis.

c) Compute how many keys are required for secure communication in a
group of: [4 Marks]
To determine the number of keys required for secure communication in a group,
we need to consider the number of unique pairwise connections.
1. 2 People:
• Calculation: 2 people = 1 pairwise connection.
• Keys Required: 1 key.
2. 3 People:
• Calculation: 3 people = 3 pairwise connections (AB, AC, BC).
• Keys Required: 3 keys.
3. 10 People:
• Calculation: 10 people = (10 × 9) / 2 = 45 pairwise connections.
• Keys Required: 45 keys.
4. 100 People:
• Calculation: 100 people = (100 × 99) / 2 = 4,950 pairwise
connections.
• Keys Required: 4,950 keys.
Summary:
• The number of keys grows quadratically with the number of people, as
each new person adds connections to all existing members.

d) Explain the two (2) main types of Cryptography. [4 Marks]


1. Symmetric Cryptography:
• Definition: Symmetric cryptography uses the same key for both
encryption and decryption. This key must be shared securely
between the sender and the receiver.
• Examples: Advanced Encryption Standard (AES), Data Encryption
Standard (DES), and Blowfish.
• Advantages: Fast and efficient, making it suitable for encrypting
large amounts of data.
• Disadvantages: Key distribution is a challenge, as the key must be
shared securely.
2. Asymmetric Cryptography:
• Definition: Asymmetric cryptography uses two different keys: a
public key for encryption and a private key for decryption. The
public key can be freely distributed, while the private key must be
kept secret.
• Examples: RSA, Elliptic Curve Cryptography (ECC), and Diffie-
Hellman.
• Advantages: Solves the key distribution problem, as the public key
does not need to be kept secret.
• Disadvantages: Slower and less efficient than symmetric
cryptography, making it unsuitable for encrypting large amounts of
data.
Summary:
• Symmetric cryptography is fast and efficient but requires secure key
distribution.
• Asymmetric cryptography solves the key distribution problem but is
slower and less efficient.
e) You are a software engineer working on a mobile banking app. Your
team is debating whether to implement 4096-bit RSA encryption or stick
with 2048-bit RSA. Some argue for stronger encryption, while others are
concerned about performance on low-end devices. Discuss the trade-offs
and recommend an appropriate approach. Justify your answer. [6 Marks]
Trade-offs:
1. Security:
• 4096-bit RSA: Offers higher security compared to 2048-bit RSA. It
provides a larger key space, making it more resistant to brute-force
attacks and other cryptographic attacks.
• 2048-bit RSA: While still considered secure for most applications,
it has a shorter effective lifespan and is more vulnerable to future
advances in cryptanalysis.
2. Performance:
• 4096-bit RSA: Slower and more computationally intensive than
2048-bit RSA. It requires more processing power and memory,
which can impact the performance of low-end devices.
• 2048-bit RSA: More efficient and faster, making it suitable for
mobile devices with limited resources.
3. Key Size and Storage:
• 4096-bit RSA: Larger key size means more storage space is
required for keys and certificates.
• 2048-bit RSA: Smaller key size reduces storage requirements.
Recommendation: Sticking with 2048-bit RSA is the appropriate approach for
a mobile banking app, especially if targeting low-end devices. The reasons are:
• Performance: Mobile devices, particularly low-end ones, have limited
processing power and battery life. 2048-bit RSA provides a good balance
between security and performance.
• Compatibility: 2048-bit RSA is widely supported and compatible with
most mobile platforms and devices.
• Security: While 4096-bit RSA offers higher security, 2048-bit RSA is still
considered secure for the foreseeable future. The additional security
benefits of 4096-bit RSA may not outweigh the performance costs.
Justification: The primary goal of a mobile banking app is to provide secure
and efficient transactions. 2048-bit RSA offers sufficient security while
maintaining acceptable performance levels. Implementing 4096-bit RSA could
lead to slower transaction times, increased battery consumption, and potential
user frustration. Therefore, 2048-bit RSA is the recommended choice.

Question Four [25 Marks]


a) Encrypt "HELLO" using the Caesar cipher with a key = 15. [5 Marks]
The Caesar cipher is a type of substitution cipher where each letter in the
plaintext is shifted by a fixed number of positions down the alphabet.
Key: 15
Alphabet Shift:
• A→P
• B→Q
• C→R
• D→S
• E→T
• F→U
• G→V
• H→W
• I→X
• J→Y
• K→Z
• L→A
• M→B
• N→C
• O→D
• P→E
• Q→F
• R→G
• S→H
• T→I
• U→J
• V→K
• W→L
• X→M
• Y→N
• Z→O
Encryption:
• H→W
• E→T
• L→A
• L→A
• O→D
Encrypted Text: "WTAAD"

b) Use the Playfair Cipher to encrypt "SECURITY" with the key
"SECRET". [9 Marks]
The Playfair Cipher is a substitution cipher that uses a 5x5 grid of letters
derived from the key.
Key: "SECRET"
Step 1: Create the Key Grid:
1. Remove duplicate letters from the key: "SECRT".
2. Fill the grid with the remaining letters of the alphabet, skipping "I" or "J"
(we'll use "I").
3. The grid is:
S E C R T
A B D F G
H I K L M
N O P Q U
V W X Y Z
Step 2: Prepare the Plaintext:
• Break the plaintext into pairs: "SE CU RI TY".
• If a pair contains the same letter, insert a filler letter (e.g., "X"): "SE CX
UI TY".
Step 3: Encrypt the Pairs:
1. SE:
• Both letters are in the same row: Replace each with the letter to the
right (wrap around if necessary).
• S→C
• E→R
• Encrypted pair: "CR"
2. CX:
• Both letters are in the same column: Replace each with the letter
below (wrap around if necessary).
• C→R
• X→A
• Encrypted pair: "RA"
3. UI:
• The letters are in different rows and columns: Replace with the
letters on the other corners of the rectangle formed by the pair.
• U→P
• I→K
• Encrypted pair: "PK"
4. TY:
• The letters are in different rows and columns: Replace with the
letters on the other corners of the rectangle formed by the pair.
• T→M
• Y→Z
• Encrypted pair: "MZ"
Encrypted Text: "CR RAX PK MZ"
Note: The Playfair Cipher is typically written without spaces: "CRRAXPKMZ"

c) Compute n and ϕ(n), then find the private key d. Use it to encrypt and
decrypt using RSA with the given parameters: p=3, q=11, e=7, M=5. [4
Marks]
Step 1: Compute n and ϕ(n):
• n = p × q = 3 × 11 = 33
• ϕ(n) = (p - 1) × (q - 1) = 2 × 10 = 20
Step 2: Find the private key d:
• The private key d is the multiplicative inverse of e modulo ϕ(n).
• d = e⁻¹ mod ϕ(n) = 7⁻¹ mod 20
• d = 7⁻¹ mod 20 = 3 (since 7 × 3 = 21, and 21 mod 20 = 1)
Step 3: Encrypt the message M:
• C = M^e mod n = 5^7 mod 33
• C = 5^7 mod 33 = 14
Step 4: Decrypt the ciphertext C:
• M = C^d mod n = 14^3 mod 33
• M = 14^3 mod 33 = 5
Result:
• Encrypted Message: 14
• Decrypted Message: 5
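
The four steps above carried out in code, as an added Python example that is not part of the original document. The function names are hypothetical; the private exponent is found with the extended Euclidean algorithm rather than by inspection, and an exponent that shares a factor with ϕ(n) is rejected because it has no inverse.

```python
def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def mod_inverse(a, m):
    """Return a^-1 mod m, or raise if a and m are not coprime."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError(f"{a} has no inverse modulo {m} (gcd = {g})")
    return x % m


def rsa_keypair(p, q, e):
    """Return (n, phi, d) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = mod_inverse(e, phi)   # d satisfies e*d = 1 (mod phi)
    return n, phi, d


def rsa_encrypt(m, e, n):
    """C = M^e mod n; the message must be a residue modulo n."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= M < n")
    return pow(m, e, n)


def rsa_decrypt(c, d, n):
    """M = C^d mod n."""
    return pow(c, d, n)


if __name__ == "__main__":
    p, q, e, M = 3, 11, 7, 5              # parameters from the question
    n, phi, d = rsa_keypair(p, q, e)
    C = rsa_encrypt(M, e, n)
    print(f"n={n} phi={phi} d={d} C={C} M={rsa_decrypt(C, d, n)}")
    # Every residue modulo n survives the round trip with this key pair.
    assert all(rsa_decrypt(rsa_encrypt(m, e, n), d, n) == m for m in range(n))
    try:
        rsa_keypair(p, q, 5)              # 5 divides phi = 20
    except ValueError as err:
        print("rejected e=5:", err)
```
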

d) Encrypt "ITSCOOL" using the Affine cipher with k1=5 and k2=8. [7
Marks]
The Affine cipher is a type of substitution cipher that uses a mathematical
function to encrypt each letter.
Key: k1=5, k2=8
Step 1: Define the Encryption Function:
• E(M) = (k1 × M + k2) mod 26
• where M is the numerical value of the letter (A=0, B=1, ..., Z=25)
Step 2: Encrypt Each Letter:
1. I (8):
• E(8) = (5 × 8 + 8) mod 26
• E(8) = 48 mod 26 = 22
• 22 → W
2. T (19):
• E(19) = (5 × 19 + 8) mod 26
• E(19) = 103 mod 26 = 25
• 25 → Z
3. S (18):
• E(18) = (5 × 18 + 8) mod 26
• E(18) = 98 mod 26 = 20
• 20 → U
4. C (2):
• E(2) = (5 × 2 + 8) mod 26
• E(2)
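
The encryption function E(M) = (k1 × M + k2) mod 26 from Step 1, as an added Python example that is not part of the original document. It goes beyond the worked answer by also covering decryption and key validation, and it treats the Caesar cipher of part (a) as the special case k1 = 1; the function names are hypothetical.

```python
from math import gcd
import string

ALPHABET = string.ascii_uppercase   # A=0, B=1, ..., Z=25
M = len(ALPHABET)


def _check_key(k1):
    # k1 must be coprime to 26, otherwise two letters share a ciphertext
    # letter and the message cannot be decrypted uniquely.
    if gcd(k1, M) != 1:
        raise ValueError(f"k1={k1} is not coprime to {M}")


def affine_encrypt(text, k1, k2):
    """E(x) = (k1*x + k2) mod 26; non-letters pass through unchanged."""
    _check_key(k1)
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(k1 * ALPHABET.index(ch) + k2) % M])
        else:
            out.append(ch)
    return "".join(out)


def affine_decrypt(text, k1, k2):
    """D(y) = k1^-1 * (y - k2) mod 26."""
    _check_key(k1)
    inv = pow(k1, -1, M)            # modular inverse (Python 3.8+)
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(inv * (ALPHABET.index(ch) - k2)) % M])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(text, shift):
    """The Caesar cipher is the affine cipher with k1 = 1."""
    return affine_encrypt(text, 1, shift)


def distinct_outputs(k1, k2):
    """Count distinct ciphertext letters a key produces, without validation."""
    return len({(k1 * x + k2) % M for x in range(M)})


if __name__ == "__main__":
    c = affine_encrypt("ITSCOOL", 5, 8)
    print(c, "->", affine_decrypt(c, 5, 8))
    print(caesar_encrypt("HELLO", 15))
    print("k1=5 maps onto", distinct_outputs(5, 8), "letters;",
          "k1=13 maps onto", distinct_outputs(13, 8))
```
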
