CP3404 Assignment 2
SP53, Singapore (2021)
Due by January 23rd, 2022 (no later than 9:00pm)
Aim: This assignment is designed to help you improve your critical thinking and problem solving skills, as
well as your information literacy skills (i.e. the ability to select and organise information and to communicate it
effectively and ethically).
Requirements, Method of Submission, and Marking Criteria:
Answer questions 1 and 3, and one of 2a or 2b, in a single document. Each question should begin on a new
page.
Include your name on the first page.
Include list of references for each question with proper in-text citations.
For each of the first two (2) questions, write a report of approximately 750 words in the structure of a
scientific paper (e.g., articles and/or conference papers).
In your answer to question 3 (i.e., cryptanalysis), show all your work. Note that using the Internet for
deciphering the cryptogram and/or learning the key from any other source is an instance of plagiarism. You
have to show, step by step, how you arrived at the plaintext and the key.
For marking criteria, see the included rubrics.
Upload your solution to the Assignment Box, located in the subject’s site.
1. Combating Typo Squatting
What can organizations do to fight back against typo squatting? Research the Internet to find out how
companies are combating this growing problem. How can these typo squatting sites be taken down? What
must a company do in order to stop these sites? And why has it been so difficult to do this? What proactive
steps can a company take? Write a short report on your research.
[4 marks]
2a. Case Exercise – See You in Court [1]
“Just before 8 a.m. on Feb. 1, 2001, C.I. Host, a Web-hosting company with 90,000 customers, was hit with a
crippling denial-of-service attack. By the day after the outage, the CEO, Christopher Faulkner, reported that
complaints had come in from ‘countless’ customers, so the Fort Worth, Texas-based company got its lawyers
involved.”
In a strange twist of fate, the company hit with this attack dragged not a hacker, but another company, an
ISP, and five of its customers into court. The ISP claimed to be the victim, not the perpetrator, of the attacks
and therefore not liable. The suit was referred to a U.S. District Court, but never made it to trial. C.I. Host’s
attorneys convinced a judge to issue a restraining order shutting down three of the ISP’s Web servers until
the ISP could prove that the vulnerabilities had been rectified. The attacks lasted a few days; to resolve the
issue, the lawsuit took over seven months, and several hundred thousand dollars in legal fees, time,
and effort.
[1] Adapted from Whitman and Mattord’s book, which in turn adapted it from S. Scalet’s article, CIO Magazine, November 1, 2001.
The question is, when information security fails, who’s to blame? Or in the court’s eyes, who’s liable?
Even though the hacker is the culprit, with the standards of due care and due diligence, the companies
that are being hacked and then used in other attacks are becoming increasingly liable for damage to other
companies.
“It’s not a ‘sky is falling’ issue,” says one CIO when asked about the likelihood of such lawsuits. “This is what an
intelligent, forward-thinking company is thinking about. We believe that we’ve taken every possible
precaution, and we’re looking at every possible thing on the horizon.”
The lawmakers are paying attention as well. A new bill is being drafted in the U.S. Senate that could exempt
businesses from the Freedom of Information Act (FOIA), in order to protect businesses from being required
to disclose the results of attacks and their information security protection strategies. Another bill in the
House would prohibit voluntarily provided information from being used in a lawsuit in
information security related cases.
Although no direct liability lawsuits have been tried yet, it’s just a matter of time. What can companies do?
“The best defense for the impending legal hassle is a much-advised, often-ignored list of best practices. The
question is whether the gathering clouds will have the proverbial silver lining and generate an incentive for
companies to act on security best practices. In the process of doing so, they just might prevent hackers from
doing damage in the first place.” “There’s always going to be that rare group of people who want to take
advantage of the system,” says Bette Walker, CIO of Energy and Chassis Systems for Delphi Automotive
Systems in Flint, Michigan.
“Security can become a legal problem; I think of it first as preventing a problem from occurring. Then the
next step, I don’t have to worry about.”
(a) How can standards of due care and due diligence protect a company from being used in this type of
situation?
(b) Why would a company want to go after an ISP in a situation like this, when clearly the ISP is a victim
as much as the attacked organization?
Choose: 2a OR 2b
2b. Law challenges
Read the article “Continuity and change in internet law”, by James Grimmelmann, in Communications of the
ACM, May 2019, Vol. 62 Issue 5, pp. 24-26, as an inspiration about how new applications and uses of the
Internet challenge the sufficiency of existing laws and regulations. Using additional references for
further information, write a short report on your findings about these challenges and the solutions that have
been implemented or suggested.
[4 marks]
3. Cryptanalysis of a Polyalphabetic Cipher:
In this question you learn about a classical polyalphabetic substitution cipher (known as the Vigenère cipher) and are
required to cryptanalyse a given cryptogram.
Cryptanalysis of an information system is the study of mathematical techniques for attempting to defeat
information security services. A cryptographic system is said to be breakable if a third party (i.e.,
cryptanalyst), without prior knowledge of the key, can systematically recover plaintext from corresponding
ciphertext within an appropriate time frame.
Background
Julius Caesar used a cipher which replaced each letter of the alphabet with the letter three positions further
along the alphabet, wrapping around from ‘z’ back to ‘a’. Figure 1 shows the original English alphabet and the
corresponding cryptogram alphabet in the Caesar cipher:
a b c d e f g h i j k l m n o p q r s t u v w x y z
d e f g h i j k l m n o p q r s t u v w x y z a b c
Figure 1: English alphabet letter and their corresponding cryptograms in the Caesar cipher
In order to use mathematical notation, let us convert the letters of the alphabet to integers. The most natural
conversion is to assign to each letter an integer which indicates the position of the letter in the alphabet.
That is, assign 0, 1, ···, 24, 25 to a, b, ···, y, z, respectively. Using this conversion, the Caesar cipher can be expressed
as:
C = Ek(M) = M + 3 (mod 26)
where ‘C’ is the cryptogram, ‘E’ is the encryption algorithm, ‘k’ is the key (here k = 3; one may equally write the
key as the letter ‘d’), and ‘M’ is the message/plaintext. Decryption reverses the shift: M = Dk(C) = C − 3 (mod 26).
The Caesar cipher is from the family of shift ciphers, in which the cryptogram alphabet is a shifted version of the
original alphabet. Cryptanalysis of the Caesar cipher (and of all shift ciphers) is easy because there are only 26
possible keys/shifts, so the cryptanalyst can simply try every shift and keep the one that yields readable text.
Vigenère Cipher
In the Vigenère cipher the key is more than one letter. That is, the Vigenère cipher can be considered as a
combination of n shift ciphers, where n is the key length (i.e., the number of letters in the keyword). Let the
message/plaintext be ‘individual character’ and the keyword be ‘host’. The Vigenère cipher encrypts the message
as follows:
Plaintext: i n d i v i d u a l c h a r a c t e r
Keyword: h o s t h o s t h o s t h o s t h o s
Cryptogram: p b v b c w v n h z u a h f s v a s j
That is, the first four letters of the cryptogram are computed as:
‘i’ + ‘h’ = 8 + 7 = 15 (mod 26) i.e., p
‘n’ + ‘o’ = 13 + 14 = 1 (mod 26) i.e., b
‘d’ + ‘s’ = 3 + 18 = 21 (mod 26) i.e., v
‘i’ + ‘t’ = 8 + 19 = 1 (mod 26) i.e., b
Since the plaintext is longer than the keyword, the keyword is repeated until all letters of the plaintext are
encrypted. As can be seen, a particular letter of the plaintext may be encrypted with different letters from
the keyword. For example, the first occurrence of the letter ‘i’ in the plaintext is encrypted with ‘h’, whereas its
second and third occurrences are encrypted with the letters ‘t’ and ‘o’, respectively. That is, the Vigenère cipher is
a polyalphabetic substitution cipher.
To break a polyalphabetic substitution cipher, the cryptanalyst must first determine the key length of the
cipher. This can be done using the Kasiski method. The Kasiski method uses repetitions of patterns in the
ciphertext in order to get a good guess of the key length. For example, suppose the plaintext ‘to be or not
to be’ has been enciphered using the key ‘now’, producing the ciphertext below:
Plaintext: t o b e o r n o t t o b e
Keyword: n o w n o w n o w n o w n
Cryptogram: g c x r c n a c p g c x r
In this cryptogram (i.e., g c x r c n a c p g c x r) a repeated pattern is g c x r, where the distance between
these repetitions (i.e., the number of characters from the first letter of the pattern in its first occurrence to
the first letter of its second occurrence) is 9. This is a sign that the same letters of the plaintext have
been encrypted with the same letters of the keyword. Since in the Vigenère cipher the keyword is repeated, the
key length is probably 9 or a divisor of 9 (i.e., 3, because 9 has no other non-trivial divisor). A repeated pattern
can also arise by coincidence, so in practice one collects many repetitions and looks for a length that divides
most of their distances. Assuming that the key
length is 3, we split the cryptogram into three cryptograms. That is, the 1st, 4th, 7th, ... characters of the
cryptogram are the result of encrypting the 1st, 4th, 7th, ... characters of the plaintext with the first letter of
the keyword (in other words, they are shifted by the same number, as in the Caesar cipher). Similarly, the
2nd, 5th, 8th, ... characters are the result of encrypting the corresponding letters of the plaintext with the
second letter of the key, and the same for the third letter. That is, this Vigenère cipher is a combination of 3
Caesar ciphers, where the cryptogram of each Caesar cipher is given below:
Cryptogram 1: g r a g r
Cryptogram 2: c c c c
Cryptogram 3: x n p r
Figure 2: Letter frequency in English texts
In order to break each of these Caesar ciphers, we use the letter frequencies of English text. As shown in
Figure 2, ‘e’ is the most common letter in English texts. That is:
In Cryptogram 1, we can guess that either ‘g’ or ‘r’ is the letter corresponding to ‘e’ in the plaintext.
If ‘g’ corresponds to ‘e’, then the first letter of the key should be ‘g’ − ‘e’ = 6 − 4 = 2, which is ‘c’.
If ‘r’ corresponds to ‘e’, then the first letter of the key should be ‘r’ − ‘e’ = 17 − 4 = 13, which is ‘n’.
In Cryptogram 2, we can guess that ‘c’ is the letter corresponding to ‘e’ in the plaintext.
If ‘c’ corresponds to ‘e’, then the second letter of the key should be ‘c’ − ‘e’ = 2 − 4 = −2 = 24 (calculation mod
26), which is ‘y’.
In Cryptogram 3, each character appears only once, and thus letter frequency analysis does not work.
Since the key is actually ‘now’, the second guess for Cryptogram 1 is right, but the guess for Cryptogram 2 is wrong:
its four letters are all ‘o’ (from ‘to be or not to be’), not ‘e’. With so few letters the most frequent ciphertext letter
need not correspond to ‘e’; frequency analysis only becomes reliable when each column contains many letters.
Remark: This example only illustrates the mechanism of the Kasiski attack. The attack is very effective for
large cryptograms (e.g., cryptograms of the size given in this assignment).
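As an added worked example (not part of the assignment sheet), the following Python code carries the whole procedure above through on a longer text: Kasiski examination for the key length, splitting the cryptogram into Caesar columns, and solving each column by English letter frequencies. It also covers the shift-cipher case from the Caesar section, since a one-letter key is exactly a Caesar cipher. The sample plaintext, the keyword ‘host’ and the letter-frequency table are constructed or assumed for this example; the assignment’s own cryptograms are not used. Instead of matching only the most frequent ciphertext letter to ‘e’, each column is scored against the full English distribution with a chi-squared statistic, which is what makes the method work on columns far shorter than a whole cryptogram.

```python
"""Worked Vigenere cryptanalysis (added example): Kasiski examination to get the
key length, split into Caesar columns, solve each column by letter frequencies.
A one-letter key is the Caesar cipher, so the same code covers the shift-cipher case."""
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz"

# Approximate relative frequencies (%) of letters in English text (assumed table).
ENGLISH_FREQ = dict(zip(ALPHABET, [
    8.167, 1.492, 2.782, 4.253, 12.702, 2.228, 2.015, 6.094, 6.966, 0.153, 0.772,
    4.025, 2.406, 6.749, 7.507, 1.929, 0.095, 5.987, 6.327, 9.056, 2.758, 0.978,
    2.360, 0.150, 1.974, 0.074]))


def clean(text):
    """Keep only letters, lower-cased: the alphabet the cipher operates on."""
    return "".join(ch for ch in text.lower() if ch in ALPHABET)


def vigenere(text, key, decrypt=False):
    """C = M + k (mod 26) letter by letter with the key repeated; decrypt subtracts."""
    text, key = clean(text), clean(key)
    out = []
    for i, ch in enumerate(text):
        k = ALPHABET.index(key[i % len(key)])
        out.append(ALPHABET[(ALPHABET.index(ch) + (-k if decrypt else k)) % 26])
    return "".join(out)


def kasiski(cipher, n=3):
    """Kasiski examination: distances between consecutive repeats of every n-gram."""
    positions = {}
    for i in range(len(cipher) - n + 1):
        positions.setdefault(cipher[i:i + n], []).append(i)
    return [b - a for pos in positions.values() for a, b in zip(pos, pos[1:])]


def key_length_candidates(distances, max_len=20):
    """Count how many repeat distances each length divides. The true length and its
    divisors score highest (2 always scores at least as high as 4), so keep several."""
    return Counter(L for d in distances for L in range(2, max_len + 1) if d % L == 0)


def chi_squared(text):
    """Distance of a letter distribution from English; lower means more English-like."""
    counts, n = Counter(text), len(text)
    return sum((counts[c] - n * ENGLISH_FREQ[c] / 100) ** 2 / (n * ENGLISH_FREQ[c] / 100)
               for c in ALPHABET)


def best_shift(column):
    """Caesar key of one column: the shift whose decryption looks most like English.
    Scoring all 26 letters is more robust than mapping the top letter to 'e'."""
    return min(range(26), key=lambda s: chi_squared(vigenere(column, ALPHABET[s], True)))


def recover_key(cipher, key_len):
    """Characters i, i+key_len, i+2*key_len, ... share one key letter; solve each column."""
    return "".join(ALPHABET[best_shift(cipher[i::key_len])] for i in range(key_len))


def shortest_period(key):
    """'hosthost' -> 'host': a multiple of the true length yields the key repeated."""
    for p in range(1, len(key) + 1):
        if len(key) % p == 0 and key == key[:p] * (len(key) // p):
            return key[:p]
    return key


def solve(cipher, top=4):
    """Try the best key-length candidates (and 1, the plain Caesar case) and keep the
    key whose full decryption is most English-like, reduced to its shortest period."""
    cipher = clean(cipher)
    lengths = [1] + [L for L, _ in key_length_candidates(kasiski(cipher)).most_common(top)]
    keys = [recover_key(cipher, L) for L in lengths]
    return shortest_period(min(keys, key=lambda k: chi_squared(vigenere(cipher, k, True))))


# Constructed sample text and keyword for this example (not from the assignment).
SAMPLE_PLAINTEXT = (
    "The Vigenere cipher was long believed to be unbreakable, and for three centuries "
    "it kept a reputation as the indecipherable cipher. Its weakness is that the keyword "
    "repeats, so every letter of the plaintext that falls under the same key letter is "
    "shifted by the same amount. A cryptanalyst who can guess the length of the keyword "
    "splits the ciphertext into columns and attacks each column as a simple shift cipher, "
    "using the known frequencies of letters in ordinary English text. Repeated words in "
    "the plaintext that happen to line up with the same part of the keyword produce "
    "repeated groups of letters in the ciphertext, and the distances between those repeats "
    "reveal the length of the key. Once the key is known, the whole message falls at once."
)
SAMPLE_KEY = "host"
SAMPLE_CIPHER = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    print("assignment example:", vigenere("individual character", "host"))
    print("key-length candidates:", key_length_candidates(kasiski(SAMPLE_CIPHER)).most_common(5))
    for L in (2, 4, 8):
        print(f"key length {L}: {recover_key(SAMPLE_CIPHER, L)}")
    print("recovered key:", solve(SAMPLE_CIPHER))
    print(vigenere(SAMPLE_CIPHER, solve(SAMPLE_CIPHER), decrypt=True)[:40], "...")
```

Running the script shows the two effects the text warns about: key length 2 (a divisor of the true length) produces a garbage key whose decryption does not look like English, while key length 8 (a multiple) recovers ‘hosthost’, which shortest_period reduces to ‘host’. The check of last resort is always the same as in the assignment: the decryption under the recovered key must read as English.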
Your Task:
Below you can find 10 cryptograms that were created by the Vigenère cipher, where the plaintext is
English text and the keyword is a meaningful English word. You are required to decipher the cryptogram
that matches your Student ID.
[12 marks]