A proxy server is a computer that offers a computer network service to Transparent Proxy
allow clients to make indirect network connections to other network
services. A client connects to the proxy server, then requests a This type of proxy server identifies itself as a proxy server and also
connection, file, or other resource available on a different server. The makes the original IP address available through the http headers. These
proxy provides the resource either by connecting to the specified are generally used for their ability to cache websites and do not
server or by serving it from a cache. In some cases, the proxy may effectively provide any anonymity to those who use them. However,
alter the client's request or the server's response for various purposes. the use of a transparent proxy will get you around simple IP bans.
They are transparent in the terms that your IP address is exposed, not
Web Proxies: A common proxy application is a caching Web proxy. transparent in the terms that you do not know that you are using it
This provides a nearby cache of Web pages and files available on (your system is not specifically configured to use it.)
remote Web servers, allowing local network clients to access them
more quickly or reliably. Anonymous Proxy
When it receives a request for a Web resource (specified by a URL), a This type of proxy server identifies itself as a proxy server, but
caching proxy looks for the resulting URL in its local cache. If found, does not make the original IP address available. This type of
it returns the document immediately. Otherwise it fetches it from the proxy server is detectable, but provides reasonable anonymity
remote server, returns it to the requester and saves a copy in the cache. for most users.
The cache usually uses an expiry algorithm to remove documents from
the cache, according to their age, size, and access history. Two simple
cache algorithms are Least Recently Used (LRU) and Least Frequently Distorting Proxy
Used (LFU). LRU removes the least-recently used documents, and
LFU removes the least-frequently used documents. This type of proxy server identifies itself as a proxy server, but
make an incorrect original IP address available through the http
Web proxies can also filter the content of Web pages served. Some headers.
censorware applications - which attempt to block offensive Web
content - are implemented as Web proxies. Other web proxies reformat High Anonymity Proxy
web pages for a specific purpose or audience; for example, Skweezer
reformats web pages for cell phones and PDAs. Network operators can This type of proxy server does not identify itself as a proxy
also deploy proxies to intercept computer viruses and other hostile server and does not make available the original IP address.
content served from remote Web pages.
(a) CO3: List various limitations of Packet Filtering Firewall.
A special case of web proxies are "CGI proxies." These are web sites i. Stateless packet filters. (cf. iptables connection
which allow a user to access a site through them. They generally use tracking), cf. state vs. stateless discussion.
PHP or CGI to implement the proxying functionality. CGI proxies are
frequently used to gain access to web sites blocked by corporate or ii. confounded application layer protocols like FTP, H323
school proxies. Since they also hide the user's own IP address from the
web sites they access through the proxy, they are sometimes also used
iii. Because of the nature of connection tracking and state
to gain a degree of anonymity.
awareness, stateful packet filters are vulnerable to
resource exhaustion and deliberate attempts to trip rate- from given message digest is used. The most often used algorithms are
limiting features. RSA (based on the number theory), DSA (based on the theory of the
discrete logarithms), and ECDSA (based on the elliptic curves theory).
iv. DoS on connection tracking packet filters DoS on rate Often, the obtained digital signature is attached to the message in a
special format to be verified later if it is necessary.
limiters ?
Verifying Digital Signatures
Step 2: Calculate the Original Hash-Value If the verification fails, in spite of the cause, this proves only one
thing: The signature that is being verified was not obtained by signing
In the second step of the digital signature verification process, the the message that is being verified with the private key that corresponds
digital signature is decrypted with the same encryption algorithm that to the public key used for the verification. Unsuccessful verification
was used during the signing process. The decryption is done by the does not always mean that an attempt for digital signature adulteration
public key that corresponds to the private key used during the signing is detected. Sometimes, verification could fail because an invalid
of the message. As a result, we obtain the original hash-value that public key is used. Such a situation could be obtained when the
was calculated from the original message during the first step of the message is not sent by the person who was expected to send it or when
signing process (the original message digests). the signature verification system has an incorrect public key for this
person. It is even possible for one person to own several different valid
Step 3: Compare the Current and the Original Hash- public keys along with valid certificates for each of them and the
Values system attempted to verify a message received from this person with
some of these public keys but not with the correct one (the key
In the third step, we compare the current hash-value obtained in the corresponding to the private key used for signing the message).
first step with the original hash-value obtained in the second step. If
the two values are identical, the verification if successful and proves In order for such problems to be avoided, most often when a signed
that the message has been signed with the private key that corresponds document is sent, the certificate of the signer is also sent along with
to the public key used in the verification process. If the two values this document and the corresponding digital signature. Thus, during
differ from onr another, this means that the digital signature is invalid the verification, the public key contained in the received certificate is
and the verification is unsuccessful. used for signature verification; if the verification is successful, it is
considered that the document is signed by the person who owns the
certificate. Of course, it is always necessary that, when certificates are
used, we should believe the certificate only if its validity is verified or
the certificate is self-signed but is obtained from the sender in a secure
Reasons for Invalid Signatures way (not from the Internet).
There are three possible reasons for getting an invalid digital signature:
(e) CO4: Why security is important in e-commerce?
If the digital signature is adulterated (it is not real) and is To maintain:
decrypted with the public key, the obtained original value will 1. Integrity: prevention against unauthorized data
not be the original hash-value of the original message but some modification.
other value. 2. Nonrepudiation: prevention against any one party from
reneging on an agreement after the fact
If the message was changed (adulterated) after its signing, the 3. Authenticity: authentication of data source
current hash-value calculated from this adulterated message 4. Confidentiality: protection against unauthorized data
will differ from the original hash-value because the two disclosure
different messages correspond to different hash-values. 5. Privacy: provision of data control and disclosure
6. Availability: prevention against data delays or removal.
SECTION- B
(f) CO4: Write in Short about PKI.
Note: Attempt all questions
A typical PKI consists of hardware, software, policies and standards to
manage the creation, administration, distribution and revocation of Q2. Attempt any four parts (4*6 =24 )
keys and digital certificates. Digital certificates are at the heart of PKI
(a). CO3: Enlighten growing technical challenges in web security.
as they affirm the identity of the certificate subject and bind that
identity to the public key contained in the certificate.
A certificate database, which stores certificate requests and (b) CO3: Classify Firewall on the basis of their application.
issues and revokes certificates
i. Packet Filter: Looks at each packet entering or leaving the
network and accepts or rejects it based on user-defined
A certificate store, which resides on a local computer as a place
rules. Packet filtering is fairly effective and transparent to
to store issued certificates and private keys
users, but it is difficult to configure. In addition, it is
susceptible to IP spoofing.
A CA issues digital certificates to entities and individuals after
verifying their identity. It signs these certificates using its private key;
ii. Application Gateway: Applies security mechanisms to
its public key is made available to all interested parties in a self-signed
specific applications, such as FTP and Telnet servers. This
CA certificate. CAs use this trusted root certificate to create a "chain of
is very effective, but can impose a performance
trust" -- many root certificates are embedded in Web browsers so they
degradation.
have built-in trust of those CAs. Web servers, email clients,
smartphones and many other types of hardware and software also
iii. Circuit-level Gateway: Applies security mechanisms
support PKI and contain trusted root certificates from the major CAs.
when a TCP or UDP connection is established. Once the
connection has been made, packets can flow between the
Along with an entitys or individuals public key, digital certificates
hosts without further checking.
contain information about the algorithm used to create the signature,
the person or entity identified, the digital signature of the CA that
iv. Proxy Server: Intercepts all messages entering and leaving
verified the subject data and issued the certificate, the purpose of the
the network. The proxy server effectively hides the true
public key encryption, signature and certificate signing, as well as a
network addresses.
date range during which the certificate can be considered valid.
Two main approaches to designing a ruleset are:
(c) CO3: Explain various components of Firewall? 1. Block everything then open holes.
2. Block nothing then close holes.
The primary components (or aspects) of a firewall are:
network policy,
application gateways.
Types of VPNs
VPN connections technically give you all the benefits of a Local Area ii. IPSec Protocol
IPsec provides two choices of security service: Authentication
Network (LAN), which is similar to that found in many offices but Header (AH), which essentially allows authentication of the sender
without requiring a hard-wired connection. of data, and Encapsulating Security Payload (ESP), which supports
both authentication of the sender and encryption of data as well. The
Early VPNs were often set up to give individual employees secure specific information associated with each of these services is inserted
into the packet in a header that follows the IP packet header. Separate
remote access to their company networks, hence the name virtual
key protocols can be selected, such as the ISAKMP/Oakley protocol.
private network. By connecting to the companys network, an iii.Feistel Cipher
individual employee can access all the companys resources and Feistel ciphers are a special class of iterated block ciphers
services as if the employee were inside the company. where the ciphertext is calculated from the plaintext by
repeated application of the same transformation or round
function. Feistel ciphers are also sometimes called DES-like
ciphers. In a Feistel cipher, the text being encrypted is split into
two halves. The round function f is applied to one half using a
subkey and the output of f is exclusive-ored with the other half.
The two halves are then swapped. Each round follows the same
pattern except for the last round where there is no swap. A nice
feature of a Feistel cipher is that encryption and decryption are
structurally identical, though the subkeys used during
encryption at each round are taken in reverse order during
decryption. It is possible to design iterative ciphers that are not
Feistel ciphers, yet whose encryption and decryption (after a
certain re-ordering or re-calculation of variables) are
structurally the same. One such example is IDEA.
(e) CO4: Draw Block Diagram for DES algorithm. How various
rounds are performed in it. Discuss Substitution and Permutation in
DES algorithm.