The following guidance applies to all questions. Specific guidance to each question is given within the
1. In all the questions, the marks are awarded for the quality of your discussion and
justification of your assumptions, choices, and conclusions.
2. You are expected to research your answers and to cite appropriate academic and/or other
sources; it is not sufficient to use only the module notes.
3. Each question has a specific page limit associated with it. Answers must not exceed the
indicated number of sides of A4 in each case. Page limits do not include any covering page,
visual aids (e.g., Figures and Tables), or the reference list. Excess pages will not be marked.
4. All references should be presented together at the end of your script.
5. The IEEE format of citation and referencing must be used.
6. For each major reference (say, the top 5 or so most used sources per question), a brief
explanation must be included (within the References section) as to why the reference is a
good-quality and credible source.
7. Appropriate use of visual aids is encouraged. They should be included to help the marker
understand the content.
8. The visual aids must be closely relevant to the text and act as complementary material to
make the material more reader-friendly. They must be of good quality and designed by the
student (not simply copied from other sources).
9. The visual aids must be appropriately labelled , explained and referenced within the text.
10. Abbreviations should be defined at first mention and used consistently thereafter.
Page 2 of 7
Q1 [30 Marks] Identification, Authentication & Authorisation (IAA) for
rented recording studio space
Following their experiences with the COVID-19 pandemic, the island nation of Freedonia
has decided to instigate changes to the way bars and restaurants operate. In future,
citizens will only be permitted to visit those establishment with which they have already
registered as “members”, and must book in advance before visiting. The scheme will be
extended to cover “pop-up” bars, cafes etc. at festivals and sporting events. These
pop-ups will be run by existing businesses on the island.
Members need to be able to
a) book a visit at any time up to 1 hour before they need to use it, and allow up
to 3 guests (who do not need to be members) to accompany the member on a
booked visit. Up to 3 members may be included in any group booking – giving
a maximum of 6 in any party (3 members, 3 guests)
b) modify an existing booking to change the time of their booking or the number
of guests they wish to bring.
The government and venues want to ensure that
c) only registered members can use the system.
d) members cannot “sub-let” booked visits to non-members.
e) it does not exceed government mandated limits on capacity at the venue – this
means that each party is, in effect, allocated to a table or group of tables for
the duration of their visit. Visit start times are known, but end times will vary
depending on the nature of the establishment (you may make reasonable
assumptions about what this means in practice).
f) staff can check table usage to ensure that they are being used only in
accordance with the rules stated in this document.
g) Once a table has been vacated, it must not be available for re-booking until
staff have confirmed that it has been cleaned and is considered safe.
You have been asked to advise on identification and authentication features which
will allow the venues to ensure that only their members will be able to make
bookings and access the facilities, in the ways described above, and to ensure that
the authorised member is present while their tables are occupied.
i. Cost effectiveness is an important criterion. Given the context (i.e., that the
system is for a subset of customers of a bar or restaurant) identify the four
Page 3 of 7
most important further criteria that you believe a suitable IAA system must
satisfy. [4 Marks]
ii. Provide an IAA system design and assess it against the five criteria identified in
(i) above. (Your system may use as many IAA mechanisms, in isolation or in
combination, as you consider appropriate, but you must justify why each one is
used) [16 Marks]
iii. Provide an outline of how your system, above, could be adapted to cope with
tourists (temporary visitors to the island, staying in government licenced
hotels).Up to 4 tourists may be present in any party. Your adaptation needs to
cope with the fact that most tourists will not know any island residents (and
therefore will not know any registered members) prior to their visit, and that
their ability to book visits must be terminated when they leave the island..[10
Further Marking Guidance. Throughout, you should seek to provide justification for any choices
you make. You should quote from or refer to the literature to provide evidence of costs and
capabilities of particular approaches. Costs should not be restricted solely to equipment costs.
You must justify choices for the system context, i.e. for the context of the office space rental
company. This applies to your choice of initial criteria, and to the assessment of any proposed
system. Thus any system architecture and technologies deployed should be reasonable choices
based on plausible assessments of risk. (Your system must give value for money.) You can
assume that the venues already have an appropriate system in place to deal with table
Your answer must not exceed 4 pages.
Q2 [20 marks] Reputation Management
The Ruritanian Brewing Co. has been trading for about 3 years at food fairs and
markets around Ruritania and has seen a substantial growth in sales and customer
loyalty. As the company is about to move into a new brewery they are investigating
the potential for online sales and sales through pubs, clubs and other shops. They
are aware that customer feedback can assist with increasing sales. However, they
have become aware that some online feedback services (e.g. travel/hotel reviews)
can result in a false impression being given. They have asked for your assistance to
design an online feedback system and to give advice on how they can manage
feedback posted on other review sites. Your proposal should take the form of an
initial report and must include :
i. [10 Marks] A scheme for ensuring that in-person (i.e. customers who
purchase from the company at food festivals/markets) and online customers
can enter their reviews and ratings into the system. Include in the report an
Page 4 of 7
analysis of alternative options for this scheme, and a clear justification of the
option you recommended.
ii. [ 10 Marks ] An analysis of the security threats
a) to your proposal from part i of the question,
b) posed by other feedback/review sites
c) and the controls that can be used to mitigate these threats.
Your answer must not exceed 2 pages .
Q3 [26 Marks] BAN Logic and Protocol Correctness
Below are the assumptions and messages of a security protocol, expressed in BAN
The initial protocol assumptions:
The idealised protocol:
i) Describe briefly what the assumptions mean. [2 Marks]
ii) Using the inference rules of BAN logic, derive the goals achieved by the protocol.
Your solution must clearly state what inference rules are being applied to what
beliefs and what deductions are made at each step. [8 Marks]
Page 5 of 7
iii) Explain informally what the protocol achieves. [3 Marks]
iv) Provide a standard notation description of the protocol and explain any actions
(e.g., checks) that the receiver of any message is expected to carry out. [6 Marks]
v) Remove one assumption of your choice, such that the protocol cannot achieve
one or more goals. Demonstrate that using BAN logic. [4 Marks]
vi) Discuss briefly the main limitations of BAN logic. [3 Marks]
Further Marking Guidance. The level of detail provided in your BAN proof should be similar
to that demonstrated in class and in the classic paper “A Logic of Authentication” by
Burrows, Abadi, and Needham. In part (iv) you should remember that the BAN protocol
description is an abstract one and that a standard notation description need not follow the
structure of the abstract one exactly. Furthermore, there may be several correct designs
implementing the BAN description.
Your answer must not exceed 4 pages.
Q4 [24 marks] Delivering Packages by Drones
Consider a company that uses a system to deliver packages by drones. Customers
may order and pay for items online; then the company delivers these items to the
customer’s home address. Assume that you are a security engineer working at the
i) Identify potential adversaries and threats (as many as possible). [6 marks]
ii) Design an appropriate package delivery system considering both security and
efficiency. State any assumptions and trust models. [6 marks]
iii) Identify the risks associated with the above system and potential vulnerabilities. [6
iv) How can the above risks and vulnerabilities be mitigated? [6 marks]
Further Marking Guidance. You may use ideas from the literature (and elsewhere) but you
must cite all sources (and indicate the extent to which you have drawn own ideas). Some
degree of original thinking is expected.
Your answer must not exceed 4 pages.
Such a cheap price for your free time and healthy sleep
All online transactions are done using all major Credit Cards or Electronic Check through PayPal. These are safe, secure, and efficient online payment methods.