And, of course, we don't have time to go through everything, but the topics that we have give you an idea of what you need to know. This first topic, Introduction to Security: the questions on that are really about the concepts and definitions. What does this mean? What's the difference between this and this?

So just quickly, from our first topic, CIA: confidentiality, integrity and availability. You need to know what they are. What do they mean? The extensions, authenticity and accountability, are not so important, but you should still know what they mean. We spent some time talking about assets, vulnerabilities, policy, threats, attacks, countermeasures. What are those things? And the relationship between them. There's another example of threats. If you recall, in the lecture we went and looked at some detailed document about all these types of threats. Of course, you don't need to remember all of them. You just need to know what a threat is. You don't need to remember what disruption and deception type threats are. This detail was in this standard and you don't need to remember that standard. Although we presented it in the lecture, you don't need to remember it.

Assets: what types of assets we have, hardware, software, data, communication lines, and the examples of them. Then in terms of communication security, like network security, we distinguish between an attack, a mechanism and a service. We went through the six main types of services. You need to know what they are, maybe examples of each. You need to remember this. You need to know this information about these. What is data integrity? What is non-repudiation? They're important concepts for understanding the rest of the course. We talked about attacks, passive versus active. What's the difference? Within them there were six types of attacks and they were covered on these slides. What is a masquerade attack? You've had some quiz questions, online quiz questions, which ask about these. What else?
Security mechanisms, well, that's really what's covered in the next topic on cryptography. What are the mechanisms we have available, like signatures, encryption, access control? What do we say about strategy? I think this is general information. I think there's nothing specific we can say about that. Generally we have some policy and we need to implement that policy and then make sure that the policy is actually implemented. That's all there. Although we went through some of these, I think I don't require you to remember all of these. Any of these that we've covered in other topics may come up, but you don't need to remember them.

I think we should understand the idea of privileges and separation of privileges. This privilege, that is when we spoke about access control, we'd give the privileges that are minimal for what's required to do the job. That's the concept of least privilege. I don't think we've seen any others, not yet in our topics. We'll see them in other topics. Separation of privileges is saying that, okay, this user, this is where access control is applied. This user can do these things. This other user can do these things. We separate what people can do based upon their job functions. And that's related to access control.

Ask questions as we go, otherwise I'll just flick through slides to give you an idea of what may be in the exam. In the first topic, concepts and definitions. In the second topic, 77 slides, what do you need to know? This is summarized in the exam hints, but we'll go through it here. Similar to your quizzes, the online and your in-class quizzes: the concepts of what cryptographic techniques we use, public key and symmetric key encryption. What's the difference between them? The general model, you should know. What is plaintext? What is ciphertext? What do these mean? You should know them. What are the general operations that we use? What are the two different types, symmetric versus public key cryptography?
What's the difference between them? We mentioned a block cipher and a stream cipher. Most of the ciphers we looked at in examples were block ciphers. Stream ciphers usually apply to a continuous input of plaintext. And the main advantage is that they are implemented such that they run faster than block ciphers. They have some limitations. But I think just the difference between them is really all we cover. No questions about how to use the classical ciphers. Caesar, rail fence, and I think Vigenère, we did in the lecture. There will not be a question about them in the exam.

Attacks: you should know about the approaches for a brute force attack. How to do a brute force attack, what it is, how long one takes, because you've had questions in the quizzes about brute force attacks. If we can calculate at this speed and the key length is this number of bits, how long does it take on average or in the worst case? Symmetric key versus public key. Understand how we use the keys differently. I don't require you to understand or even remember the names of the algorithms. So you should know that DES is a block cipher. We're not going to ask about the details of DES though. You don't need to remember that DES is a 64-bit block or 56-bit key, so you don't need to remember that. Similar for triple DES and the others we may have mentioned. So there will not be an exam question to ask you what's the difference between AES and DES, or what block size does AES use? There will not be a question on that. Okay, brute force attacks. We've had quiz questions about them, so you should know them. You don't need to remember these attacks. Those were just examples of different attacks. There will be no questions about the details of modes of operation, but I think when you used OpenSSL to encrypt, you had to choose a mode of operation.
So just remember a mode of operation is a way to take a block cipher that works on 64 or 128 bits and apply it to an input which is much larger, a way to break the plaintext into multiple blocks and encrypt the blocks one at a time. And there are different ones to choose from, but you don't need to know about the difference between them in the exam. Just know the general structure of a stream cipher. Basically, we generate a random value and XOR it with the plaintext to encrypt, and to decrypt, the opposite of XOR is XOR when we work in binary. So to decrypt, we use the same approach as encryption. That's all about stream ciphers. Not the example of RC4.

You need to know about authentication and hash functions. What is authentication? How is it achieved? Let me just bring up the hints I gave on the midterm, and you can find them online, just so I remember. So this is on the website: the exam, 18 pages, closed book, no dictionary. Calculator is allowed, but I think you don't need a calculator. Even, say, for brute force attacks or password calculations, you can, I think, do it just by expressions like X to the power of Y. You don't need to solve it when it's a large number. 10 questions, each with multiple parts, 100 marks total. Introduction to security: the terminology, definitions and concepts are listed there. Cryptography, the topic that we're just starting on. What's not covered? Classical ciphers, modes of operation, not covered. Details of DES or RSA, not covered. Message authentication codes: we mentioned them in the lecture, but they will not be asked about in the exam. And we didn't have time to cover key management or much of random numbers. So those sorts of subtopics are not covered. So if you see key management, random numbers, not in the exam. Signatures, yes. You've seen some quiz questions about what a signature is. Public key cryptography, yes. Symmetric key, yes. Applications except for MACs, yes. So using a MAC, no. Hash functions, yes. What's a hash function?
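The stream cipher structure described above (generate a keystream, XOR it with the plaintext, and decrypt with the same XOR), as an added example that is not part of the lecture or its slides. It also goes one step beyond the lecture to show the failure mode a practitioner should know: if the same keystream is used for two messages, XORing the two ciphertexts cancels the keystream and leaks the XOR of the plaintexts. The keystream generator here is HMAC-SHA256 in counter mode; that choice, the key and nonce values, and the two messages are all assumptions made so the code runs offline, and it is not RC4 or any cipher from the course.

```python
"""Added example (not from the lecture): a stream cipher XORs a keystream with the
plaintext, and decrypting is the same XOR, because (p ^ k) ^ k == p.
The keystream generator is HMAC-SHA256 in counter mode, an assumption made only so
the example runs offline; it is not RC4 or any cipher discussed in the course."""
import hashlib
import hmac


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` pseudo-random bytes from (key, nonce) by hashing a counter."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out += block
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


# Decryption is literally the same operation: XOR the same keystream back in.
decrypt = encrypt


def keystream_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """The failure mode: two messages encrypted under the same (key, nonce) share a
    keystream, so c1 XOR c2 == p1 XOR p2 and the keystream cancels out entirely.
    An attacker who knows (or guesses) one plaintext then recovers the other."""
    return xor_bytes(c1, c2)


if __name__ == "__main__":
    key, nonce = b"\x01" * 32, b"\x02" * 8          # constructed sample values
    p1, p2 = b"attack at dawn", b"defend at dusk"    # constructed, equal length
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)                     # same nonce reused: the bug
    assert decrypt(key, nonce, c1) == p1
    recovered_p2 = xor_bytes(keystream_reuse_leak(c1, c2), p1)
    print(c1.hex(), recovered_p2)
```

The point of `decrypt = encrypt` is the lecture's own: in binary the inverse of XOR is XOR. The reuse function is the caveat that follows from the same fact, and it is why a real stream cipher must never reuse a key and nonce pair.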
What are the properties of hash functions? And why are they important when we use them? The one-way property and the collision-free property. They are important because we use them in signatures, we use them in passwords, and in other applications of security. So they are important. You should know that MD5 and SHA are hash functions. I don't think you need to know any more details than that, just that they are hash functions. And you should know the properties.

Know about public key cryptography, how the concept works. We encrypt with one key and decrypt with the other key in a key pair, a public-private key pair. There are different algorithms, and that's about all on public key cryptography. I think the concepts here, you should know that. It's okay. If we have a private key, for it to be secure, someone shouldn't be able to take the public key and the algorithm and find the private key. The private key must be kept private. It's almost an obvious requirement; it's just stated. It should be impossible or computationally infeasible for the attacker, if they know the public key and the ciphertext, to determine the private key. Otherwise it's no longer private and it's not secure. This detail will not be asked about, nor RSA. So there are a few slides here on RSA. We did not and will not ask about that in the exam. Just know RSA is a public key cipher. Key management, no. Signatures, yes.

If I have a look at signatures, you had some quiz questions about signatures, so know what one is. Encrypt, using the private key, the hash of a message. That's the signature, and we attach the signature to the message normally and send them both. Send the message and the signature so that the receiver can verify the message. They can verify the signed message. That is, they receive a message and a signature and they can check: does the signature match the message, or has something been modified along the way? How do they verify?
Decrypt that signature with the corresponding public key. You decrypt this and you shall get the hash value back, and if this matches the hash of the received message then you assume everything's okay. If they don't match, something's gone wrong. Okay, so cryptography.

Next topic, user authentication. Mainly passwords, and in fact in the exam the only thing covered will be about passwords. We mentioned briefly other forms of authentication using tokens and biometrics. No questions about that in the exam. But basically everything that we've covered on passwords can be in the exam. And if we have time we may give an example from the quizzes.

Then access control, again concepts mainly. Let's bring up the lecture notes on access control. So malicious software that we just went through, again concepts, compare one against another. What is this? What is that? Not covered is how the detailed viruses work. Access control, just as a reminder. What is access control? What's the purpose? What are the three types? What are their differences? And that's the main thing of this topic. It covers those three techniques. How are they different? I think you should understand that we need reliable input. That is, we need authentication techniques. This privilege concept comes up here. What does that mean? Separation of duty, separation of privileges. This concept comes up again. Understand that that's a general requirement. That we have subjects, objects and access rights. And then compare and understand the differences between the three approaches. Understand what an access matrix, an access control list and a capability list are. So there were three examples here: the matrix, access control list, capability list. So I may ask you to draw one, or here's a capability list, answer some questions about what each user can do. So given this information, answer some questions. And this may come back to your homework. Given this information, map it to how it works in Linux.
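The signing and verification steps the lecture describes just above (hash the message, transform the hash with the private key, attach it; the receiver undoes that with the public key and compares against the hash of what arrived), as an added example that is not from the lecture or its slides. To make the private-key and public-key operations concrete it uses a toy textbook RSA pair built from two fixed primes; that key pair, the reduction of the hash modulo the tiny modulus, and the sample message are assumptions for illustration only, and a real scheme uses much larger keys and a padding step instead.

```python
"""Added example (not from the lecture): sign = hash the message, then apply the private
key; verify = apply the public key to the signature and compare with the hash of the
received message. The key pair is a toy textbook RSA pair built from two fixed primes
(an assumption; far too small and unpadded for real use), used only so the
private/public operations are concrete."""
import hashlib

# Toy key pair (assumption: fixed Mersenne primes so the example is deterministic).
TOY_P = 2**31 - 1
TOY_Q = 2**61 - 1
TOY_N = TOY_P * TOY_Q
PUBLIC_KEY = (65537, TOY_N)                                        # (e, n): shared
PRIVATE_KEY = (pow(65537, -1, (TOY_P - 1) * (TOY_Q - 1)), TOY_N)  # (d, n): secret


def message_hash(message: bytes, n: int) -> int:
    """SHA-256 of the message as an integer. Reducing mod n is a toy-only step so the
    hash fits the tiny modulus; real schemes pad the hash instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key=PRIVATE_KEY) -> int:
    """Signature = hash(message) transformed with the private exponent."""
    d, n = private_key
    return pow(message_hash(message, n), d, n)


def verify(message: bytes, signature: int, public_key=PUBLIC_KEY) -> bool:
    """Undo the private-key operation with the public exponent and compare the
    recovered hash with the hash of the message that actually arrived."""
    e, n = public_key
    return pow(signature, e, n) == message_hash(message, n)


if __name__ == "__main__":
    msg = b"transfer 100 to account 42"                 # constructed sample message
    sig = sign(msg)                                     # sender attaches sig to msg
    print(verify(msg, sig))                             # True: message intact
    print(verify(b"transfer 900 to account 42", sig))   # False: modified in transit
```

The verifier never needs the private key, which is the whole point: anyone holding the public key can check the signature, but only the private-key holder could have produced it, and any change to the message changes its hash so the comparison fails.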
Or given a command, a change-ownership or a change-mode command, C-H-M-O-D (chmod), that you used in the homework, how does that affect the access control list or the capability list? And the other form, the authorization table. Then understand what role-based access control is, really. And really we need two tables: one that defines the roles, one that defines the access control per role. And understand what mandatory access control is, this concept of levels. We define some levels which have strict relationships. And then subjects have some clearance and objects have some classification at that same set of levels. And we have these two properties of no read-up and no write-down. Understand what they are and why they're needed. And I think that's about all with mandatory access control. That one slide.

Questions? What's in the exam? What's not? Other hints? All right, so there are about five topics covered, about 20% each. I think malware, I did the calculation, is less than 20%. So a few more for the others. There's no past exam because this is the first time I've taught the course. So the only practice material you really have are the online quizzes and the in-class quiz. So plus the lecture notes, you need... the homeworks, the online quizzes and that one in-class quiz. You may need to know, based on your homework, something about OpenSSL and the permissions, although you won't need to remember details of commands. You should be able to read them, usually. Given this command, what does it do? It won't be testing your memory of Linux commands. Not the exact details, but understanding what they do.

Yeah, the last point about the calculator. I think you will survive without a calculator. There may be some questions, if you remember back to passwords and brute force attacks. If it takes... where's the question? The last few minutes. The online quiz about password schemes. You have a... a password scheme. A user, or in this question, the system generates passwords for users.
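The access control material the lecture lists above (the three representations of the same rights: access matrix, access control lists, capability lists; the Linux permission bits that chmod sets; and the mandatory access control levels with no read-up and no write-down), as one added example that is not from the lecture or its slides. The subjects, objects, file names, groups, level names and rights are all constructed sample data chosen for illustration; the matrix-to-ACL and matrix-to-capability conversions are the general ones, of which the lecture's slides show particular instances.

```python
"""Added example (not from the lecture): the same access rights written three ways
(access matrix, access control lists per object, capability lists per subject),
the Linux mode bits that chmod sets, and the Bell-LaPadula no-read-up / no-write-down
rules. All subjects, objects, levels and rights are constructed sample data."""

# Access matrix: subject -> object -> rights (constructed sample).
MATRIX = {
    "alice": {"report.txt": {"read", "write"}, "tool": {"execute"}},
    "bob":   {"report.txt": {"read"}},
    "carol": {"tool": {"read", "execute"}},
}


def access_control_lists(matrix):
    """Slice the matrix by column: object -> {subject: rights}. This is what a file
    system stores next to each object."""
    acls = {}
    for subject, objects in matrix.items():
        for obj, rights in objects.items():
            acls.setdefault(obj, {})[subject] = set(rights)
    return acls


def capability_lists(matrix):
    """Slice the matrix by row: subject -> {object: rights}. This is what is handed
    to each subject (a ticket it presents when accessing an object)."""
    return {s: {o: set(r) for o, r in objs.items()} for s, objs in matrix.items()}


def allowed(matrix, subject, obj, right):
    """The reference-monitor question: may subject perform right on obj?"""
    return right in matrix.get(subject, {}).get(obj, set())


# Linux mode bits, as set by chmod: three rwx triples for owner, group, other.
def decode_mode(octal_mode: str):
    """'640' -> {'owner': {'read','write'}, 'group': {'read'}, 'other': set()}."""
    mode = int(octal_mode, 8)
    perms = {}
    for shift, who in ((6, "owner"), (3, "group"), (0, "other")):
        triple = (mode >> shift) & 0o7
        perms[who] = {name for name, bit in (("read", 4), ("write", 2), ("execute", 1))
                      if triple & bit}
    return perms


def linux_rights(owner, group, octal_mode, user, user_groups):
    """Which of the three triples applies to `user`: owner first, then group, then
    other, exactly one of them. A Linux file's ACL is just these bits plus the
    owner and group names."""
    perms = decode_mode(octal_mode)
    if user == owner:
        return perms["owner"]
    if group in user_groups:
        return perms["group"]
    return perms["other"]


# Mandatory access control: a totally ordered set of levels (constructed names).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


def blp_allows(clearance: str, classification: str, operation: str) -> bool:
    """Bell-LaPadula: a subject may read an object only at or below its clearance
    (no read-up) and may write only at or above it (no write-down), so information
    never flows from a higher level to a lower one."""
    subject_level = LEVELS[clearance]
    object_level = LEVELS[classification]
    if operation == "read":
        return subject_level >= object_level
    if operation == "write":
        return subject_level <= object_level
    raise ValueError(f"unknown operation {operation!r}")


if __name__ == "__main__":
    print(access_control_lists(MATRIX)["report.txt"])
    print(capability_lists(MATRIX)["alice"])
    print(linux_rights("alice", "staff", "640", "bob", {"staff"}))
    print(blp_allows("secret", "top secret", "read"), blp_allows("secret", "unclassified", "write"))
```

The two slicing functions make the exam-style question mechanical: an ACL answers "who can do what to this object", a capability list answers "what can this subject do", and both come from the same matrix. The `linux_rights` check mirrors how the kernel picks exactly one of the owner, group or other triples, which is why `chmod 640` on a file owned by alice in group staff gives bob read only if he is in staff.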
It generates random passwords from this set of characters. So we have 26 lowercase, 26 uppercase, 10 digits, and 10 other characters. So we have, what, 72 characters to choose from. So when the system creates a password for the user, it chooses randomly: each letter in the password is one of those 72 characters. If the password is 8 characters, how long is our... How many possible passwords? What's the answer? How many possible passwords? Not the answer to this question, but just from here. 8 characters long, 72 characters. What's the answer? Common exam question. This would be an easy exam question. 72 to the power of 8. So 72 to the power of 8. So here's where you could use your calculator, but you don't need your calculator. You could give the answer as 72 to the power of 8, and that would be marked correct. You don't need to solve that in the exam.

And then, you'll see in this practice quiz there are several questions which extend upon that. Given that there are 72 to the power of 8 passwords, what does it go on to? This is about storage. How much storage space do we need? If we need to store the 8-character password, that's 8 bytes, and a 512-bit hash of that password, then how much storage space do we need to store all of the possible passwords? So we have 72 to the power of 8 passwords. For each password we store an 8-byte password plus a 512-bit hash. So from that, you can calculate the total storage space required. And that practice quiz gives you a few related questions about passwords and calculations that you should try to understand.

Okay, that's all I've got to say about the exam. Any last questions? When's the exam? Monday. A few days. So get started on the study. Go back over the concepts from these different topics. The concepts. The operations in cryptography. The details about passwords, how we store them and why. The differences between the different access control systems.
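The password calculations from the practice quiz just discussed (72 characters, 8 characters long, storage for every password with its 512-bit hash, and the brute force timing questions from earlier in the session), as an added example that is not from the lecture or the quiz. It also runs an actual brute force search against a salted hash of a short password so the attempt count can be checked against the formula. The 10 "other" characters in the 72-character set, the use of SHA-256 as the stored hash, the salt value and the sample password are all assumptions; the course did not specify them.

```python
"""Added example (not from the lecture): the password-space, storage and brute-force
arithmetic from the practice quiz as functions, plus a real brute-force search against
a salted hash so the count of attempts can be compared with the formula. The 10
'other' characters in the 72-character set are an assumption; the course did not list
them. The hash algorithm (SHA-256, single iteration) is also an assumption."""
import hashlib
import itertools
import string

# 26 lower + 26 upper + 10 digits + 10 others = 72 characters (the 10 others are assumed).
CHARSET = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$%^&*()"


def password_space(alphabet_size: int, length: int) -> int:
    """Number of possible passwords: alphabet_size ** length (72**8 in the quiz)."""
    return alphabet_size ** length


def storage_bytes(alphabet_size: int, length: int, hash_bits: int) -> int:
    """Bytes needed to store every password next to its hash, assuming one byte per
    character: (length + hash_bits/8) bytes per entry times the number of entries."""
    return password_space(alphabet_size, length) * (length + hash_bits // 8)


def brute_force_time(space: int, guesses_per_second: float):
    """(average, worst-case) seconds: worst case tries the whole space, average half."""
    worst = space / guesses_per_second
    return worst / 2, worst


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted hash as a system would store it (the salt is stored in the clear next
    to the hash). The salt defeats a precomputed table built over the whole space,
    because every salt value would need its own table."""
    return hashlib.sha256(salt + password.encode()).digest()


def brute_force(target: bytes, salt: bytes, alphabet: str, length: int):
    """Try every password of exactly `length` characters from `alphabet` in order.
    Returns (password, attempts) or (None, attempts) after exhausting the space."""
    attempts = 0
    for combo in itertools.product(alphabet, repeat=length):
        attempts += 1
        candidate = "".join(combo)
        if hash_password(candidate, salt) == target:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    print(password_space(72, 8))                       # 72**8
    print(storage_bytes(72, 8, 512))                   # 72**8 * (8 + 64) bytes
    print(brute_force_time(72**8, 1e9))                # seconds at 1e9 guesses/s
    salt = b"\x00\x01\x02\x03"                         # constructed sample salt
    stored = hash_password("cab", salt)
    print(brute_force(stored, salt, string.ascii_lowercase, 3))   # ('cab', 1354)
```

Note how the storage answer is just the number of entries times the bytes per entry, 72^8 times (8 + 64), and how the search over three lowercase letters finds "cab" after 1354 of 26^3 = 17576 attempts, which is exactly its position in enumeration order; the average and worst-case formulas are the same arithmetic applied to the whole space.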
If you've done your homework, you should be fine with any questions about that. And the differences and the concepts about malicious software.