QCAA Digital Solutions Digital methods for exchanging data
15 sample questions with marking guides and sample answers · Avg. score: 100%
In an online silent auction, items are posted on a public website and participants post a secret bid on the items they would like to purchase. Bidders cannot see each other’s bids. The bidding period is 7 consecutive days.
At the end of the auction, all bid values are revealed on the website and the highest bidder pays the amount they posted to obtain the item.
Explain how checksums, encryption and authentication would improve the security of the data exchange in this scenario.
Reveal Answer
A checksum algorithm would be used to inspect the binary representation of auction data. If the checksum from the user is different from the checksum on the server, it means that the data has been corrupted or manipulated.
Encryption would be used to scramble the auction data to make it impossible to read in transit, but allowing it to be decrypted by the authorised recipient with a secret key.
Authentication would be used to verify the identity of the participant by using a digital signature or authentication code. A digital signature confirms that the bidder is who they say they are.
| Descriptor | Marks |
|---|---|
Explains how the security of the data exchange would be improved through checksums | 1 |
Explains how the security of the data exchange would be improved through encryption | 1 |
Explains how the security of the data exchange would be improved through authentication | 1 |
Recommend one encryption method to securely store auction data and justify your response.
Reveal Answer
I would recommend AES for encrypting auction data to avoid a security breach. AES supersedes DES and 3DES and uses 128-bit blocks with 128, 192 and 256-bit encryption keys, whereas DES and 3DES use 64-bit blocks and key encryption. DES and 3DES are older ciphers and easily cracked in as little as one day, which would provide an opportunity for a hacker to gain access to auction data before the bids are revealed.
| Descriptor | Marks |
|---|---|
Recommends a valid encryption method | 1 |
Effectively justifies the recommended encryption method | 1 |
A distributed denial-of-service (DDoS) attack is a malicious cyber attack in which a server is overloaded with incoming traffic from multiple sources, preventing some or all legitimate requests.
This is a risk to data
privacy.
integrity.
availability.
confidentiality.
Reveal Answer
privacy.
Privacy relates to the control and protection of personal information from unauthorized collection or exposure, whereas a DDoS attack focuses on disrupting access to a service.
integrity.
Integrity ensures that data remains accurate and is not altered by unauthorized parties. A DDoS attack prevents access to the system but does not typically modify the data stored within it.
availability.
Availability guarantees that systems and data are accessible to authorized users when needed. A DDoS attack specifically targets this by overwhelming the server to prevent legitimate access.
confidentiality.
Confidentiality ensures that sensitive information is not disclosed to unauthorized individuals. While a DDoS attack disrupts service, its primary goal is denial of service rather than data theft.
A Vigenère cipher has the keyword ‘BANANA’, a Gronsfeld cipher has the key number ‘123456’ and a Caesar cipher has the key number ‘7’.
Rank the encryption algorithms from least secure to most secure, based on their vulnerability to brute force attacks.
Vigenère, Caesar, Gronsfeld
Gronsfeld, Vigenère, Caesar
Caesar, Gronsfeld, Vigenère
Caesar, Vigenère, Gronsfeld
Reveal Answer
Vigenère, Caesar, Gronsfeld
This option incorrectly lists Vigenère as the least secure. Vigenère is actually the most secure of the three because a 6-letter keyword provides possible keys, which is much larger than the other key spaces.
Gronsfeld, Vigenère, Caesar
This option incorrectly lists Caesar as the most secure. The Caesar cipher is the least secure because it only has 25 possible shift keys, making it trivial to brute force.
Caesar, Gronsfeld, Vigenère
This is the correct order. The Caesar cipher has only 25 possible keys, the Gronsfeld cipher with a 6-digit key has possible keys, and the Vigenère cipher with a 6-letter key has possible keys, ranking them from least to most secure.
Caesar, Vigenère, Gronsfeld
While Caesar is correctly identified as the least secure, Vigenère is more secure than Gronsfeld. A 6-letter Vigenère key has possibilities, which is significantly larger than the possibilities of a 6-digit Gronsfeld key.
In a data dictionary where all the item types are numeric, which item would be stored as a float?
shoeID
quantity
numSold
wholesalePrice
Reveal Answer
shoeID
IDs are typically unique whole numbers used for identification, so they are best stored as integers.
quantity
Quantity represents a count of discrete items (you cannot have half a shoe in inventory), so it is stored as an integer.
numSold
The number of items sold is a discrete count, which requires an integer data type rather than a float.
wholesalePrice
Prices represent currency values that often contain decimal fractions (e.g., $10.99), requiring a floating-point data type to capture the cents.
A digital ticketing system has been created to manage ticket sales for a popular event, where thousands of people are expected to log in over a short timeframe. To reduce load and keep user data secure, the system follows the criteria:
- data size in data stores should be kept to a minimum
- data should be securely transmitted.
Describe how data size and security can be managed to fulfil these criteria.
Reveal Answer
Data size: Use data compression to reduce the size of data being stored, preventing the system from overloading to ensure user access is unaffected.
Data security: Use encryption to maintain data security and integrity. Data that is encrypted when entered cannot be compromised if intercepted during transmission.
| Descriptor | Marks |
|---|---|
Describes how data size can be managed | 1 |
Describes how data security can be managed | 1 |
Complete the algorithm using pseudocode to symbolise securing the user password and verifying the account username and password for the system. The algorithm must demonstrate the useability principle of safety.
BEGIN
INPUT username
INPUT password
Reveal Answer
BEGIN
INPUT username
INPUT password
HASH password
IF username exists in Datastore THEN
IF hashed password matches field Datastore for username THEN
[[Enter System]]
ELSE
OUTPUT "Wrong password, try again"
ENDIF
ELSE
OUTPUT "Wrong username and/or password, try again"
ENDIF
END
| Descriptor | Marks |
|---|---|
Symbolises hash password | 1 |
Symbolises username verification | 1 |
Symbolises password verification | 1 |
Symbolises successful account verification | 1 |
Symbolises unsuccessful account verification | 1 |
Demonstrates safety for incorrect username | 1 |
Demonstrates safety for incorrect password | 1 |
Two novice programmers who live in different locations want to develop a method for securing their email communication. They have decided to:
- meet in the same location
- use a generic code library that contains functions relating to a set of cryptology algorithms called ‘Blowfish’
- use only UTF-8 data encoding, e.g. the character ‘%’ is considered to have a length of 8 bits in total
- create their own programs using different languages
- generate encrypted text using their programs
- copy and paste encrypted text into their emails.
| Function name | Blowfish key expansion | Blowfish crypt |
|---|---|---|
| Function code | BlowfishInitiate(key) | Blowfish(Value, KeySet, Process-Type) |
| Purpose | Completes the initial key expansion processes. Returns a data structure called Blowfish KeySets. | Completes the block algorithm process for encryption or decryption. Accepts a 64-bit–length set of values in the form of text, along with the pre-processed Blowfish KeySets. |
| Inputs | Key: text-based, 64-bit in length | Value: text-based, 64-bit in length KeySet: returned data structure from the BlowfishInitiate function Process-Type: 1 for encrypt, 2 for decrypt |
| Returns | KeySet | Text-based value |
| Example | BlowfishInitiate("J$8%*$#d") | Blowfish("abcdefg",MyKeySet,1) |
Note: If any input does not meet a function’s length requirements, the function will fail and potentially cause a runtime error.
Symbolise an algorithm that the programmers could use to encrypt their Unicode set of text. The algorithm should use the function library calls in the table as required.
Reveal Answer
BEGIN
INPUT key;
IF key contains letter characters AND
Length of key = 8 THEN
MyKeySet = Blowfish_Initiate(key)
INPUT user_text
SET cipher_text = ""
IF Length of user_text >= 8 THEN
IF Length of user_text MOD 8 > 0 THEN
FOR index = 1 TO Length of user_text MOD 8
user_text = user_text + " "
NEXT index
ENDIF
FOR EACH set of 8 character BlockSet in user_text
cipher_text = Blowfish(BlockSet, MyKeySet, 1)
ENDFOR
OUTPUT cipher_text
ENDIF
ENDIF
END
| Descriptor | Marks |
|---|---|
Solves the problem without errors | 6 |
Could have solved the problem except for 1 logic error OR could have solved the problem except for syntax errors | 5 |
Could have solved the problem except for 2 logic errors OR could have solved the problem except for 1 logic error and syntax errors | 4 |
Could have solved the problem except for 3 logic errors OR could have solved the problem except for 2 logic errors and syntax errors | 3 |
Could have solved the problem except for 4 logic errors OR could have solved the problem except for 3 logic errors and syntax errors | 2 |
Could have solved the problem except for 5 logic errors OR could have solved the problem except for 4 logic errors and syntax errors | 1 |
Does not satisfy any of the descriptors above. | 0 |
The programmers make the solution publicly available on their website as a web application. Explain and justify how they could implement two useability principles to optimise user experience.
Reveal Answer
An important usability principle is utility. The web app user interface should be responsive as it needs to adjust to all viewport sizes (display device). As users will use various devices, such as mobile phones and laptops, to access the app, the solution needs to adjust appropriately to ensure it is practical and accessible. Responsiveness can be implemented by using breakpoints and a grid for the layout of interface elements.
The solution also needs to be accessible. It should use suitable colours and font (typeface, size and style) to ensure it is accessible to all users, regardless of visual or physical disability. Accessibility can be implemented by checking the colours and fonts with an accessibility checker, available online, to ensure they meet accessibility standards.
First Usability Principle
| Descriptor | Marks |
|---|---|
States a relevant useability principle | 1 |
Describes the useability principle in relation to the solution | 1 |
Justifies how to implement the useability principle | 1 |
Second Usability Principle
| Descriptor | Marks |
|---|---|
States a relevant useability principle | 1 |
Describes the useability principle in relation to the solution | 1 |
Justifies how to implement the useability principle | 1 |
Evaluate whether the programmers have developed the most secure method to encrypt an email message by identifying two strengths and two weaknesses in the steps. Support all statements with examples. Provide two recommendations and justify how each recommendation would improve security.
Reveal Answer
The method used is relatively secure as Blowfish is a well-known and trusted method of encryption. The method could be made more secure with some recommendations to improve security.
The strength of meeting in the same location is that they reduce the risk of a security breach by not using technology that could be digitally intercepted. The weakness is that someone could overhear their conversation — this depends on the security of the location.
The strength of using different languages is that if one program is breached, it is contained, because the same method of breaching may not work for a program written in another language. A weakness may be the language used, as different languages have different levels of vulnerability.
To improve security, it would be recommended to test the program that is written before using it to identify any issues prior to implementation. Another recommendation would be to consider the vulnerabilities of the range of programming languages and use the least vulnerable languages to optimise security.
Conclusion
| Descriptor | Marks |
|---|---|
Provides a valid conclusion about Blowfish | 1 |
Evaluation
| Descriptor | Marks |
|---|---|
States a valid weakness | 1 |
States a second valid weakness | 1 |
States a valid strength | 1 |
States a second valid strength | 1 |
Improving Security
| Descriptor | Marks |
|---|---|
Provides a relevant recommendation | 1 |
Justifies the provided recommendation | 1 |
Provides a second relevant recommendation | 1 |
Justifies the second provided recommendation | 1 |
Converting a variable-length set of data to a fixed-length hexadecimal value is known as
hashing.
checksum.
encryption.
authentication.
Reveal Answer
hashing.
Hashing is the specific process of mapping data of arbitrary size to fixed-size values, often resulting in a hexadecimal digest (like MD5 or SHA-256).
checksum.
While a checksum is a fixed-size value used for error detection, it is a specific type of result; hashing is the broader term for the algorithmic process described.
encryption.
Encryption is a two-way process designed to be reversible with a key, and the output length typically increases as the input length increases.
authentication.
Authentication is a security process used to verify the identity of a user or system, not the mathematical operation of converting data lengths.
Explain the features of two network transmission protocols for transferring data between websites.
Reveal Answer
Two network transmission protocols are HTTP and HTTPS.
HTTP (hypertext transfer protocol) transfers data as text and offers no encryption and no authentication. This can be intercepted so should not be used for transferring data between websites.
In contrast, HTTPS (HTTP secure) uses a range of encryption protocols, e.g. TLS standard and certificates to confirm the identity of the server, making it the more secure option.
| Descriptor | Marks |
|---|---|
Explains features of one valid network transmission protocol | 1 |
Explains features of another valid network transmission protocol | 1 |
Which encryption method uses a fixed shift of letters down the alphabet with a modulus operation?
Caesar
Vigenere
Gronsfeld
One-time pad
Reveal Answer
Caesar
The Caesar cipher is a monoalphabetic substitution cipher that replaces each letter with one a fixed number of positions down the alphabet, calculated as .
Vigenere
The Vigenère cipher is polyalphabetic, meaning it uses a keyword to apply different shifts to different letters rather than a single fixed shift for the entire message.
Gronsfeld
The Gronsfeld cipher is a variant of Vigenère that uses a numeric key to apply varying shifts, not a single fixed shift.
One-time pad
A One-time pad uses a random key equal in length to the message to shift each character independently, rather than using a constant shift value.
A JSON string is shown.
{"song":"Butterfly", "duration":320, "band":"zerogarage"}
How many properties are defined by the string?
1
3
5
6
Reveal Answer
1
While there is only one JSON object defined by the curly braces, it contains multiple properties within it.
3
The JSON object contains exactly three key-value pairs (properties): "song", "duration", and "band".
5
This is an incorrect count. There are exactly three key-value pairs in the JSON object.
6
This incorrectly counts both the keys and their corresponding values as separate properties. A property consists of a single key-value pair.
What type of algorithm irreversibly takes a variable-length input and outputs a fixed-length string?
hashing
decryption
encryption
compression
Reveal Answer
hashing
Hashing algorithms are designed to be one-way (irreversible) mathematical functions that convert data of any size into a fixed-length string of characters.
decryption
Decryption is the reversible process of converting encrypted data back into its original form, and it does not produce a fixed-length output.
encryption
Encryption is a reversible process designed to secure data, and its output length typically varies depending on the size of the input data.
compression
Compression algorithms reduce the size of data, but they are designed to be reversible (via decompression) and output variable-length data depending on the input.
Asymmetric encryption algorithms
all use one key.
only use private keys.
have a block size of 64.
use different keys for encryption and decryption.
Reveal Answer
all use one key.
Symmetric encryption uses a single shared key, whereas asymmetric encryption utilizes a pair of mathematically related keys.
only use private keys.
Asymmetric encryption requires a key pair consisting of both a public key (which is shared openly) and a private key (which is kept secret).
have a block size of 64.
Fixed block sizes like 64 bits are characteristic of symmetric block ciphers (e.g., DES), while asymmetric algorithms like RSA typically operate on much larger numbers based on the key length (e.g., 2048 bits).
use different keys for encryption and decryption.
Asymmetric encryption is defined by the use of a mathematically related key pair, where one key encrypts the data and a different key is required to decrypt it.
A business uses an online form to collect information about its customers. A customer has entered their tax file number in a comment area, even though they were not required to provide this information. To comply with the Australian Privacy Principles (2014), the business should
encrypt this data.
delete this data immediately.
notify the customer that the data has been received.
notify the tax department that a data breach has occurred.
Reveal Answer
encrypt this data.
Encrypting the data implies retaining it; however, under APP 4, if an entity receives unsolicited personal information that it could not have lawfully collected, it must destroy or de-identify the data rather than secure and keep it.
delete this data immediately.
According to Australian Privacy Principle 4 (Dealing with unsolicited personal information), if a business receives personal information it did not solicit and determines it could not have collected it under APP 3, it must destroy or de-identify the information as soon as practicable.
notify the customer that the data has been received.
Simply notifying the customer does not address the compliance obligation to remove unsolicited personal information that the business has no valid legal basis to hold.
notify the tax department that a data breach has occurred.
A customer voluntarily providing their own information does not constitute a data breach (which involves unauthorized access, disclosure, or loss), so reporting it to the tax department is incorrect.
Screen-based user interfaces must be dynamically adjustable because mobile phones, televisions and other screens have different aspect ratios and dimensions.
This is an example of which useability principle?
safety
utility
validity
reliability
Reveal Answer
safety
Safety refers to the protection of data and the user (e.g., preventing accidental deletion or ergonomic issues), not the visual adaptation of the interface.
utility
Utility refers to the ability of the solution to perform the tasks required by the user; ensuring the interface is viewable and functional across different devices is essential for the software to remain useful.
validity
Validity is a data integrity concept involving checks to ensure input data is reasonable and correct (e.g., range checks), which is unrelated to screen layout.
reliability
Reliability refers to how consistently a system functions without failure or crashing over time, rather than how its layout adjusts to hardware dimensions.
In the context of network transmission, what is the primary function of FTP?
rendering web pages in a browser
transferring files between computers on a network
encrypting data during transmission over a network
acting as a protocol for real-time communication and messaging
Reveal Answer
rendering web pages in a browser
Incorrect. Rendering web pages is handled by web browsers using HTML and protocols like HTTP, not FTP.
transferring files between computers on a network
Correct. FTP stands for File Transfer Protocol, which is a standard network protocol used specifically to copy files between a client and server.
encrypting data during transmission over a network
Incorrect. Standard FTP transmits data in plaintext; encryption is handled by secure protocols like TLS/SSL (FTPS) or SSH (SFTP).
acting as a protocol for real-time communication and messaging
Incorrect. Real-time communication relies on protocols like WebRTC or XMPP, whereas FTP is designed solely for bulk file transfers.