Bob has a good understanding of cryptography, having worked with it for many years. Cryptography is used to secure data from specific threats, but it does not secure the application from coding errors. It can provide data privacy; integrity and enable strong authentication but it cannot mitigate programming errors. What is a good example of a programming error that Bob can use to explain to the management how encryption will not address all their security concerns?
A.
Bob can explain that using a weak key management technique is a form of programming error
B.
Bob can explain that using passwords to derive cryptographic keys is a form of a programming error
C.
Bob can explain that a buffer overflow is an example of programming error and it is a common mistake associated with poor programming technique
D.
Bob can explain that a random number generator can be used to derive cryptographic keys but it uses a weak seed value and this is a form of a programming error
the correct answer is C.
Answer C is a perfect example of programming error, but nothing to do with cyptography.
Agreed. That is a very good way to show that unsanitized user input, created by bad programmers, can lead to BO, which is a serious threat not related to cryptography at all. I’ve had to actually use this example, in real life, to prove a case like this example. An old company I did work for, programmed everything in-house, and programmers ran programs susceptible to BOs that were listening on open ports on their computers. FAIL!
c