
a. CO3: How Proxy Server is used in the network?

A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services. A client connects to the proxy server, then requests a connection, file, or other resource available on a different server. The proxy provides the resource either by connecting to the specified server or by serving it from a cache. In some cases, the proxy may alter the client's request or the server's response for various purposes.

Web Proxies: A common proxy application is a caching Web proxy. This provides a nearby cache of Web pages and files available on remote Web servers, allowing local network clients to access them more quickly or reliably.

When it receives a request for a Web resource (specified by a URL), a caching proxy looks for the resulting URL in its local cache. If found, it returns the document immediately. Otherwise it fetches it from the remote server, returns it to the requester and saves a copy in the cache. The cache usually uses an expiry algorithm to remove documents from the cache, according to their age, size, and access history. Two simple cache algorithms are Least Recently Used (LRU) and Least Frequently Used (LFU). LRU removes the least-recently used documents, and LFU removes the least-frequently used documents.

Web proxies can also filter the content of Web pages served. Some censorware applications - which attempt to block offensive Web content - are implemented as Web proxies. Other web proxies reformat web pages for a specific purpose or audience; for example, Skweezer reformats web pages for cell phones and PDAs. Network operators can also deploy proxies to intercept computer viruses and other hostile content served from remote Web pages.

A special case of web proxies are "CGI proxies." These are web sites which allow a user to access a site through them. They generally use PHP or CGI to implement the proxying functionality. CGI proxies are frequently used to gain access to web sites blocked by corporate or school proxies. Since they also hide the user's own IP address from the web sites they access through the proxy, they are sometimes also used to gain a degree of anonymity.

You may see references to four different types of proxy servers:

Transparent Proxy

This type of proxy server identifies itself as a proxy server and also makes the original IP address available through the HTTP headers. These are generally used for their ability to cache websites and do not effectively provide any anonymity to those who use them. However, the use of a transparent proxy will get you around simple IP bans. They are transparent in the sense that your IP address is exposed, not transparent in the sense that you do not know that you are using it (your system is not specifically configured to use it).

Anonymous Proxy

This type of proxy server identifies itself as a proxy server, but does not make the original IP address available. This type of proxy server is detectable, but provides reasonable anonymity for most users.

Distorting Proxy

This type of proxy server identifies itself as a proxy server, but makes an incorrect original IP address available through the HTTP headers.

High Anonymity Proxy

This type of proxy server does not identify itself as a proxy server and does not make available the original IP address.

(a) CO3: List various limitations of Packet Filtering Firewall.

i. Stateless packet filters (cf. iptables connection tracking), cf. state vs. stateless discussion.

ii. Confounded application layer protocols like FTP, H323

iii. Because of the nature of connection tracking and state awareness, stateful packet filters are vulnerable to resource exhaustion and deliberate attempts to trip rate-limiting features.

iv. DoS on connection tracking packet filters; DoS on rate limiters?

(b)

(c) CO3: Differentiate SSL with HTTPS.

Secure Sockets Layer (SSL) is a cryptographic protocol that enables secure communications over the Internet. SSL was originally developed by Netscape and released as SSL 2.0 in 1995. A much improved SSL 3.0 was released in 1996. Current browsers do not support SSL 2.0.

Hypertext Transfer Protocol Secure (HTTPS), or HTTP Secure, is an application-specific implementation that is a combination of the Hypertext Transfer Protocol (HTTP) with SSL/TLS. HTTPS is used to provide encrypted communication with and secure identification of a Web server.

(d) CO4: Write down various steps of creating Digital Signature.

Step 1: Calculate the Message Digest

In the first step of the process, a hash-value of the message (often called the message digest) is calculated by applying some cryptographic hashing algorithm (for example, MD2, MD4, MD5, SHA1, or other). The calculated hash-value of a message is a sequence of bits, usually with a fixed length, extracted in some manner from the message.

Step 2: Calculate the Digital Signature

In the second step of digitally signing a message, the information obtained in the first step, the hash-value of the message (the message digest), is encrypted with the private key of the person who signs the message, and thus an encrypted hash-value, also called the digital signature, is obtained. For this purpose, some mathematical cryptographic encrypting algorithm for calculating digital signatures from a given message digest is used. The most often used algorithms are RSA (based on number theory), DSA (based on the theory of discrete logarithms), and ECDSA (based on elliptic curve theory). Often, the obtained digital signature is attached to the message in a special format to be verified later if necessary.

Verifying Digital Signatures

Digital signature technology allows the recipient of a given signed message to verify its real origin and its integrity. The process of digital signature verification is meant to ascertain whether a given message has been signed by the private key that corresponds to a given public key. The digital signature verification cannot ascertain whether the given message has been signed by a given person. If we need to check whether some person has signed a given message, we need to obtain his real public key in some manner. This is possible either by getting the public key in a secure way (for example, on a floppy disk or CD) or with the help of the Public Key Infrastructure by means of a digital certificate. Without a secure way to obtain the real public key of a given person, we cannot check whether the given message is really signed by this person.

From a technical point of view, the verification of a digital signature is performed in three steps:

Step 1: Calculate the Current Hash-Value

In the first step, a hash-value of the signed message is calculated. For this calculation, the same hashing algorithm is used as was used during the signing process. The obtained hash-value is called the current hash-value because it is calculated from the current state of the message.

Step 2: Calculate the Original Hash-Value

In the second step of the digital signature verification process, the digital signature is decrypted with the same encryption algorithm that was used during the signing process. The decryption is done with the public key that corresponds to the private key used during the signing of the message. As a result, we obtain the original hash-value that was calculated from the original message during the first step of the signing process (the original message digest).

Step 3: Compare the Current and the Original Hash-Values

In the third step, we compare the current hash-value obtained in the first step with the original hash-value obtained in the second step. If the two values are identical, the verification is successful and proves that the message has been signed with the private key that corresponds to the public key used in the verification process. If the two values differ from one another, this means that the digital signature is invalid and the verification is unsuccessful.

Reasons for Invalid Signatures

There are three possible reasons for getting an invalid digital signature:

- If the digital signature is adulterated (it is not real) and is decrypted with the public key, the obtained original value will not be the original hash-value of the original message but some other value.

- If the message was changed (adulterated) after its signing, the current hash-value calculated from this adulterated message will differ from the original hash-value because the two different messages correspond to different hash-values.

- If the public key does not correspond to the private key used for signing, the original hash-value obtained by decrypting the signature with an incorrect key will not be the correct one.

If the verification fails, regardless of the cause, this proves only one thing: the signature that is being verified was not obtained by signing the message that is being verified with the private key that corresponds to the public key used for the verification. Unsuccessful verification does not always mean that an attempt at digital signature adulteration has been detected. Sometimes, verification could fail because an invalid public key is used. Such a situation can arise when the message is not sent by the person who was expected to send it or when the signature verification system has an incorrect public key for this person. It is even possible for one person to own several different valid public keys, along with valid certificates for each of them, and for the system to attempt to verify a message received from this person with some of these public keys but not with the correct one (the key corresponding to the private key used for signing the message).

To avoid such problems, most often when a signed document is sent, the certificate of the signer is also sent along with this document and the corresponding digital signature. Thus, during the verification, the public key contained in the received certificate is used for signature verification; if the verification is successful, it is considered that the document is signed by the person who owns the certificate. Of course, when certificates are used, we should believe the certificate only if its validity is verified or the certificate is self-signed but is obtained from the sender in a secure way (not from the Internet).

(e) CO4: Why security is important in e-commerce?

To maintain:
1. Integrity: prevention against unauthorized data modification.
2. Nonrepudiation: prevention against any one party from reneging on an agreement after the fact
3. Authenticity: authentication of data source
4. Confidentiality: protection against unauthorized data disclosure
5. Privacy: provision of data control and disclosure
6. Availability: prevention against data delays or removal.
(f) CO4: Write in Short about PKI.

A typical PKI consists of hardware, software, policies and standards to manage the creation, administration, distribution and revocation of keys and digital certificates. Digital certificates are at the heart of PKI as they affirm the identity of the certificate subject and bind that identity to the public key contained in the certificate.

A typical PKI includes the following key elements:

- A trusted party, called a certificate authority (CA), acts as the root of trust and provides services that authenticate the identity of individuals, computers and other entities

- A registration authority, often called a subordinate CA, certified by a root CA to issue certificates for specific uses permitted by the root

- A certificate database, which stores certificate requests and issues and revokes certificates

- A certificate store, which resides on a local computer as a place to store issued certificates and private keys

A CA issues digital certificates to entities and individuals after verifying their identity. It signs these certificates using its private key; its public key is made available to all interested parties in a self-signed CA certificate. CAs use this trusted root certificate to create a "chain of trust" -- many root certificates are embedded in Web browsers so they have built-in trust of those CAs. Web servers, email clients, smartphones and many other types of hardware and software also support PKI and contain trusted root certificates from the major CAs.

Along with an entity's or individual's public key, digital certificates contain information about the algorithm used to create the signature, the person or entity identified, the digital signature of the CA that verified the subject data and issued the certificate, the purpose of the public key encryption, signature and certificate signing, as well as a date range during which the certificate can be considered valid.

SECTION- B

Note: Attempt all questions

Q2. Attempt any four parts (4*6 =24 )

(a). CO3: Enlighten growing technical challenges in web security.

(b) CO3: Classify Firewall on the basis of their application.

i. Packet Filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

ii. Application Gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

iii. Circuit-level Gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

iv. Proxy Server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
(c) CO3: Explain various components of Firewall?

The primary components (or aspects) of a firewall are:

- network policy,
- advanced authentication mechanisms,
- packet filtering, and
- application gateways.

(d) CO3: Explain Transaction security issues in E-commerce Application with Generic Model of Online Transaction.

Security Concerns

i. Client-Side Security: is concerned with the techniques and practices that protect a user's privacy and the integrity of the user's computing system.

ii. Server-Side Security: is concerned with the techniques and practices that protect the Web server software and its associated hardware from break-ins, Web site vandalism and denial of service attacks.

iii. Secure transmission of Information: is concerned with the techniques and practices that will guarantee protection from eavesdropping and intentional message modification.

(e) CO3: Explain firewall Security Policies.

Two main approaches to designing a ruleset are:
1. Block everything then open holes.
2. Block nothing then close holes.

Q3. Attempt any four parts (4*6=24)

(a) CO4: Explain Symmetric and Asymmetric Key Cryptography.

Asymmetric encryption

Asymmetric encryption, also known as public-key encryption, utilizes a pair of keys: a public key and a private key. If you encrypt data with the public key, only the holder of the corresponding private key can decrypt the data, hence ensuring confidentiality.

The first practical algorithm for asymmetric encryption was proposed by Diffie and Hellman in 1976. Subsequently, RSA became the most widely deployed asymmetric encryption algorithm.

Many secure online transaction systems rely on asymmetric encryption to establish a secure channel. SSL, for example, is a protocol that utilizes asymmetric encryption to provide communication security on the Internet.

As asymmetric encryption algorithms typically involve exponential operations, they are not lightweight in terms of performance. For that reason, asymmetric algorithms are often used to secure key exchanges rather than used for bulk data encryption.

Symmetric encryption

Symmetric encryption, as the name suggests, means that the encryption and decryption operations utilize the same key. For two communicating parties using symmetric encryption for secure communication, the key represents a shared secret between the two.

There exist many symmetric encryption algorithms. A few of the well-known ones include AES, DES, Blowfish, and Skipjack.

Symmetric encryption is typically more efficient than asymmetric encryption, and is often used for bulk data encryption.

Attack a cryptosystem

Given enough computing resources, both symmetric and asymmetric encryption can be broken.

The most basic way to attack a symmetric cryptosystem is brute-force attacks, where you essentially try every combination of a key. For a 128-bit key, there are 2^128 combinations to attempt, which requires extensive computing resources. Other cryptanalysis attacks, including chosen-ciphertext and chosen-plaintext attacks, can be more efficient than brute-force, but they require a priori knowledge to work.

To guard against brute-force attacks, the key length of a symmetric cryptosystem needs to be sufficiently long. The Advanced Encryption Standard (AES) algorithm with 256-bit key is considered secure enough for most purposes. And the implementation can be made relatively efficient.

The best way to attack a well-designed RSA implementation is through factoring of RSA's public modulus, which is a large number. Factoring large numbers, with today's best known factoring techniques, is a compute-intensive problem.

(b) CO4: Explain RSA algorithm in detail with mathematical implication to generate various key Combinations.

The RSA scheme is a block cipher in which the plaintext and ciphertext are integers between 0 and n - 1 for some n. A typical size for n is 1024 bits, or 309 decimal digits. That is, n is less than 2^1024. The block size must be less than or equal to log2(n) + 1; in practice, the block size is i bits, where 2^i < n <= 2^(i+1).

Encryption and decryption are of the following form, for some plaintext block M and ciphertext block C.

C = M^e mod n
M = C^d mod n = (M^e)^d mod n

Both sender and receiver must know the value of n. The sender knows the value of e, and only the receiver knows the value of d. Thus, this is a public-key encryption algorithm with a public key of PU = {e, n} and a private key of PR = {d, n}.

(c) CO4: Explain Digital Signature Standard with X.509 certificate.
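The RSA relations from Q3 (b) and the sign/verify steps from the digital-signature answer in Q1 (d), including its three reasons for an invalid signature, as an added example that is not part of the original answer key. It is textbook RSA (not DSS/DSA), without padding; the function names, the SHA-256 digest, and the small sample primes are assumptions chosen for illustration.

```python
import hashlib

def keygen(p, q, e=65537):
    """Textbook RSA key pair from two primes: PU = (e, n), PR = (d, n)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)          # raises ValueError if e has no inverse mod phi
    return (e, n), (d, n)

def encrypt(m, pu):
    e, n = pu
    if not 0 <= m < n:
        raise ValueError("plaintext block must be an integer in [0, n-1]")
    return pow(m, e, n)          # C = M^e mod n

def decrypt(c, pr):
    d, n = pr
    return pow(c, d, n)          # M = C^d mod n

def digest(message, n):
    """Message digest as an integer below n (toy reduction, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(message, pr):
    """Signing step 1: hash the message. Step 2: transform the hash with PR."""
    d, n = pr
    return pow(digest(message, n), d, n)

def verify(message, signature, pu):
    e, n = pu
    current = digest(message, n)       # step 1: current hash-value
    original = pow(signature, e, n)    # step 2: original hash-value, via PU
    return current == original         # step 3: compare the two

# Constructed sample keys built from Mersenne primes; far too small for real use.
ALICE_PU, ALICE_PR = keygen(2**61 - 1, 2**31 - 1)
OTHER_PU, _OTHER_PR = keygen(2**89 - 1, 2**19 - 1)

def invalid_signature_cases(message=b"pay 100 to Bob"):
    """One valid check, then the three failure causes listed in the text."""
    sig = sign(message, ALICE_PR)
    return {
        "valid": verify(message, sig, ALICE_PU),
        "signature altered": verify(message, sig ^ 1, ALICE_PU),
        "message altered": verify(b"pay 900 to Bob", sig, ALICE_PU),
        "wrong public key": verify(message, sig, OTHER_PU),
    }

if __name__ == "__main__":
    pu, pr = keygen(17, 11, e=7)       # constructed small-number instance
    print(pu, pr, encrypt(88, pu), decrypt(encrypt(88, pu), pr))
    print(invalid_signature_cases())
```

All three failure cases return the same `False`, which is why a failed verification alone cannot tell tampering apart from a mismatched public key.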
(d) CO4: Write Short Note on

i. VPN: A VPN or Virtual Private Network is a network connection that enables you to create a secure connection over the public Internet to private networks at a remote location. With a VPN, all network traffic (data, voice, and video) goes through a secure virtual tunnel between the host device (client) and the VPN provider's servers, and is encrypted. VPN technology uses a combination of features such as encryption, tunneling protocols, data encapsulation, and certified connections to provide you with a secure connection to private networks and to protect your identity.

VPN connections technically give you all the benefits of a Local Area Network (LAN), which is similar to that found in many offices but without requiring a hard-wired connection.

Early VPNs were often set up to give individual employees secure remote access to their company networks, hence the name virtual private network. By connecting to the company's network, an individual employee can access all the company's resources and services as if the employee were inside the company.

Since then, VPNs have evolved to provide the same level of secure communication between any device on the internet. Today, using VPN is increasingly popular among consumers as a means to protect their privacy online, secure their browsing sessions, and get unrestricted access to content or websites that are otherwise blocked or censored.

Types of VPNs

VPNs differ by architecture, purpose of usage, and accessibility. Two basic types of accessibility are site-to-site VPN and remote access VPN.

Corporate VPNs: Corporate VPNs allow business travelers and telecommuters to connect to their company networks and remotely access resources and services on the networks. When a user connects his/her device to the company's VPN, the VPN thinks that the user's computer is on the same local network as the VPN.

Personal VPNs: Personal VPNs provide consumers with the same private and secure connection as the corporate VPNs. However, personal VPNs are not used to connect to private networks to access private resources.

ii. IPSec Protocol

IPsec provides two choices of security service: Authentication Header (AH), which essentially allows authentication of the sender of data, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data as well. The specific information associated with each of these services is inserted into the packet in a header that follows the IP packet header. Separate key protocols can be selected, such as the ISAKMP/Oakley protocol.

iii. Feistel Cipher

Feistel ciphers are a special class of iterated block ciphers where the ciphertext is calculated from the plaintext by repeated application of the same transformation or round function. Feistel ciphers are also sometimes called DES-like ciphers. In a Feistel cipher, the text being encrypted is split into two halves. The round function f is applied to one half using a subkey and the output of f is exclusive-ored with the other half. The two halves are then swapped. Each round follows the same pattern except for the last round where there is no swap. A nice feature of a Feistel cipher is that encryption and decryption are structurally identical, though the subkeys used during encryption at each round are taken in reverse order during decryption. It is possible to design iterative ciphers that are not Feistel ciphers, yet whose encryption and decryption (after a certain re-ordering or re-calculation of variables) are structurally the same. One such example is IDEA.
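The Feistel structure described above, as an added example that is not part of the original answer key: one routine serves for both encryption and decryption, and only the subkey order changes. The block size, the SHA-256-based round function and the key schedule are constructed for illustration and are not those of DES.

```python
import hashlib

BLOCK_BYTES = 8              # 64-bit block, split into two 32-bit halves
HALF = BLOCK_BYTES // 2
ROUNDS = 16

def subkeys(key, rounds=ROUNDS):
    """Constructed toy key schedule: one subkey per round, derived by hashing."""
    return [hashlib.sha256(key + bytes([i])).digest()[:HALF] for i in range(rounds)]

def round_f(half, subkey):
    """Round function f. It need not be invertible; a hash is one-way."""
    return hashlib.sha256(subkey + half).digest()[:HALF]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block, keys):
    """Run the Feistel network over one block with the given subkey sequence."""
    if len(block) != BLOCK_BYTES:
        raise ValueError("block must be exactly %d bytes" % BLOCK_BYTES)
    left, right = block[:HALF], block[HALF:]
    for i, k in enumerate(keys):
        # f is applied to one half; its output is XORed into the other half.
        left = xor(left, round_f(right, k))
        if i != len(keys) - 1:
            left, right = right, left      # swap, except after the last round
    return left + right

def encrypt_block(block, key):
    return feistel(block, subkeys(key))

def decrypt_block(block, key):
    # Same structure as encryption; subkeys are taken in reverse order.
    return feistel(block, subkeys(key)[::-1])

if __name__ == "__main__":
    key, plaintext = b"constructed-key", b"ABCDEFGH"   # constructed sample input
    ciphertext = encrypt_block(plaintext, key)
    print(ciphertext.hex(), decrypt_block(ciphertext, key))
```

Decryption never inverts `round_f`: each round's XOR is undone by recomputing the same f output, which is why the round function can be one-way.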

(e) CO4: Draw Block Diagram for DES algorithm. How various
rounds are performed in it. Discuss Substitution and Permutation in
DES algorithm.
