PAST PAPER PRACTICE

Question 1:
Internet banking has gained wide acceptance internationally and seems to be fast
catching up in Kenya with more and more banks and Saccos entering the online banking
This system enables customers to access their accounts and general information of bank
products and services anywhere anytime i.e. the model of banking has transformed
from brick and mortar to all pervading through ‘Anywhere and Anytime Banking’
through PCs or other mobile devices using browser software such as Microsoft Internet
Explorer: Chrome or Firefox. But Online banking continues to present challenges to
financial security and personal privacy. Billions of financial data transactions occur
online every day and bank cybercrimes take place every day when bank information is
compromised by skilled criminal hackers by manipulating a financial institution's online
information system. This causes huge financial loses to the banks and customers.
According to cybersecurity reports: security of banking transactions is one of the most
important areas of concerns to the regulators. Security issues include questions of
adopting internationally accepted state-of-the art minimum security technology and
standards.
a. Using the above case, explain the processes of verification of digital signatures using
RSA Approach (6 Marks)
First, the sender’s public and private RSA keys are generated. Next, the data M to be
signed, in this case transaction data, is hashed and encrypted using the private key with
RSA to create a signature S. The signature S is then attached to the original data
contained and sent. To verify the data received, we apply the RSA function with the public
key to the signature S, and compare that the result against the hashed data H which we
obtain by hashing the data. If the two match, then the data is verified.
However, if the digital signature has been altered, the message changed after signing or
the public key does not correspond to the private key used for signing, then the two values
will not match and the data cannot be verified. For transaction details such as account
transfers, this could mean that the message was intercepted and details of the receiving
account or the amount changed.
b. What are the two possible best Public key Infrastructure (PKI) Implementations
that can be adopted by the banking industry and explain the advantages and
disadvantages of each implementation (5 Marks)
Both RSA and Elliptic Curve have encryption and decryption, digital signing and key
exchange. They can be used for generating digital certificates for both the bank and the
clients which can be used to configure the SSL certificate that will be used to validate the
connection and ensure traffic flowing to and from the bank servers is encrypted.
Advantages of RSA are that it is stronger than most other symmetric key algorithms
because it offers both authenticity and confidentiality. It is also much easier to implement
than other infrastructures like ECC and it is widely used and accepted. Disadvantages
include the complex arithmetic required to implement RSA which requires more time and
computing power to perform. A brute force attack, though not highly probable, is still
possible.
Advantages of ECC are that is offers stronger encryption than RSA given the key sizes in
use. RSA keys must expand to stay ahead of attackers which means more computing power
is needed to perform the encryption and decryption while for ECC, typical key size is 256
bits. ECC is therefore also faster than other infrastructures since it uses a smaller key and
less computing power. The main disadvantage of ECC is that although it is faster and
lighter than most other PKCs, it is still not fully supported by all browsers, particularly on
mobile devices. This is a major drawback considering the growth of e-banking, e-
commerce and mobile transactions.
c. Describe how SET dual signature can be used to Implement E-commerce linked to
Bank E-Payment API (6 Marks)
SET dual signature performs e-payments on a need to know basis. It lets the customer
agree on the order details with the merchant while hiding those details from the bank and
at the same time, share his or her card details with the bank while hiding them from the
merchant. This involves connecting the 2 separate pieces of information. Assuming the
customer has obtained a card from a bank that supports SET and received a digital
certificate from the bank and that the merchant has the 2 necessary certificates:
The merchant sends the order details to the customer to verify together with a copy of the
merchant certificate to verify the merchant is legitimate. The customer responds with
order information, payment information and their certificate so that the merchant can
verify the customer is legitimate. The merchant cannot read the payment information. The
merchant requests payment authorization which checks if the customer’s card is valid and
has sufficient funds. On confirmation, the merchant sends order confirmation to the
customer and requests payment from the payment gateway.
By keeping only the needed details, this affords the customer some privacy and the
certificate authentication ensures that the merchant and the client are who they claim to
be.
d. Show how transparency data encryption can be used to secure the data at rest (5
Marks)
TDE offers encryption at file level by encrypting the physical files (data and log files) both
on the hard drive and consequently on backup media. You can set up TDE when you first
create a database, or you can apply it to an existing database. It performs real-time I/O
encryption and decryption of data and log files to protect data such that even if a
malicious party would be able to steal the drives or data files, they still would not be able
to use them at all because they would need the keys as well.
e. Describe the most appropriate VPN protocols that can be used for Access Internet
Banking (5 Marks)
Layer Two Tunneling Protocol (L2TP) uses a 256-bit key and has support for mobile
devices as well. It is complicated to setup but encryption is accomplished via IPSec and it is
complex enough to handle online banking securely. Additionally, it prevents data from
being altered between the sender and the receiver.
Secure Socket Tunneling Protocol (SSTP) routes all traffic through SSL protocol meaning
that the connection is not only secure but it is less likely to be blocked by a firewall or
proxy. It is also not open source and this makes it more secure. It is designed for remote
access.
OpenVPN TCP is considered the most reliable and most secure protocol and it can also
bypass firewalls since it uses the TCP protocol to disguise itself as regular traffic. However,
like L2TP, it is difficult to configure.

Question 2:
Vuss E-commerce application stores customer's sensitive data including credit card
number, CVV, ID number, financial history, credit limit etc. Based on the sensitivity of
the data, it needs to be secured and protected from unauthorized access. A user can
have multiple payment cards.
a. Using the above case, write SQL statement for two tables i.e. payment details and
user’s login table (4 Marks)
b. Using the attributes identified in section a to identify sensitive data and write SQL
and PHP Insert statement for Inserting encrypted data into the payment details
table (6 Marks)
c. Write SQL statement for hashing user's passwords using SHA2 (4 Marks)
d. Write a query that Will display decrypted data from the table payment details for
two different users (6 Marks)

a. Describe at least four security protocols that can be used for Customers to access
Internet Banking (10 Marks)

Transport Layer Security (TLS) protocol is between the transport layer and the
application layer and provides a layer of additional security for the protection of data.
It ensures secure data transfer over the Internet, avoiding diversion or alteration of
the data in transit. TLS uses asymmetric cryptography for generating and
exchanging a session key which is used for encrypting the data transmitted by the
sender, and then decrypting the data received. When the session is over, the
session key is discarded.

HTTPS is HTTP over SSL (Secure Sockets Layer) and it refers to the combination of
HTTP and SSL to implement a secure communication between a browser and a web
server. HTTPS is built into most browsers and it depends on the web server being
able to support HTTPS communication.

Secure Shell (SSH) is a protocol for secure network communications designed to be

cost effective and easy to implement. SSH is organized as three protocols that run
on top of TCP, that is the Transport Layer Protocol which provides server
authentication and data integrity, User Auth Protocol which authenticates the user to
the server and Connection Protocol which multiplexes communication channels over
a single underlying SSH connection.

Secure Real-Time Transport Protocol (SRTP) is intended to provide encryption and

message authentication in order to reduce the possiblitity of attacks like denial of
service attacks.

b. Using the above case, explain the processes of verification of digital signature
using RSA Approach (6 Marks)

With RSA, we first generate the public and private RSA keys that we can use for
encryption and decryption. Next, the data to be signed, let's call it M, which could be
transaction data such as the amount and the account number to receive in the case
of bank transfers, is hashed and put through the RSA encryption function using the
private key to create a signature S. This signature is then attached to the original
data contained therein and sent.

To verify the data, we apply the RSA decryption function on the signature to obtain
the hash of the data. We then hash the data sent itself and compare it with the hash
obtained from the signature. If the two hashes match then the data is verified.
However, if the digital signature has be modified or altered or the message has been
altered or changed or the public key received doesn't correspond to the private key
used to encrypt the data, then the data cannot be verified. For transactions such as
account transfers, this could mean that the account number to receive the funds
transfer or the amount have been changed by a third party.

c. What are the two possible best Public Key Infrastructure (PKI) implementations
that can be adopted by the banking industry and explain the advantages and
disadvantages of each implementation (8 Marks)

The two best PKI implementations are RSA and Elliptic curve since both of them
offer encryption, decryption, key exchange and digital signing whereas most other
public key infrastructures are only useful for specific tasks. RSA and ECC can be
used for generating digital certificates for both the bank and the clients which are
used to configure the SSL certificates necessary for validating the connections and
ensuring the data flowing to and from the bank is encrypted.

RSA is stronger than most other symmetric key algorithms because it offers both
confidentiality and authentication. It is much easier to implement than some other
structures like ECC and it is widely used and accepted on all browsers which makes
it easy for customers to access their online banking platforms on their mobile
devices. Its main disadvantages are that complex arithmetic is required to implement
it with the application needing to generate larger and larger key sizes to stay ahead
of attackers. This means it takes more time and computing power to perform. RSA
has also been proven to be vulnerable in recent years, meaning that although
cracking it is unlikely, it is still possible.

ECC offers faster encryption than RSA given that RSA keys have to expand in size
to provide the same protection while ECC keys have a typical size of 256 bits. This
means encryption with ECC is faster and uses less computing power than
encryption with RSA. However, despite being faster than RSA, ECC is not fully
supported by all browsers, especially on mobile devices. This is a major drawback
when one considers the growth of online banking, e-commerce and the fact that
most people primarily use their mobile devices to perform transactions. Despite this,
ECC is gaining traction on mobile devices with banks developing secure banking
applications that utilize the infrastructure.

d. Using the above case, describe how SET dual signature that can be used to
implement E-commerce linked to Bank E-payment API (6 Marks)

SET dual signature performs e-payments on a need to know basis which means that
it lets the customer agree on the order details with the merchant while hiding the
particulars from the bank and at the same time, share his or her card details with the
bank while hiding them from the merchant. This involves connecting the 2 separate
pieces of information. Assuming the customer has obtained a card from a bank that
supports SET and received a digital certificate from the bank and that the merchant
has the 2 necessary certificates:

The merchant sends the order details to the customer to verify together with a copy
of the merchant's certificate to verify that the merchant is legitimate.

The customer responds with order information, payment information and their
certificate so that the merchant can verify the customer is legitimate. The merchant
cannot read the payment information.

The merchant then requests payment authorization which checks if the customer’s
card is valid and has sufficient funds. On confirmation, the merchant sends order
confirmation to the customer and requests payment from the payment gateway.

By keeping only the needed details on the merchant's and the bank's side, the
customer is able to maintain some privacy while the certificate authentication
ensures that both the merchant and the customer are who they claim to be.