Documente Academic
Documente Profesional
Documente Cultură
3. Authentication is the process of making sure that the piece of data being
claimed by the user belongs to it.
Message encryption
Message authentication code
Hash function
4) What is HTTPs?
HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket
Layer (SSL) or Transport Layer Security (TLS) as a sublayer under
regular HTTP application layering. HTTPS encrypts and decrypts user
page requests as well as the pages that are returned by the Web
server. The use of HTTPS protects against eavesdropping and man-in-
the-middle attacks.
CMAC:
In cryptography, CMAC (Cipher-based Message Authentication
Code) is a block cipherbased message authentication code
algorithm. It may be used to provide assurance of the authenticity
and, hence, the integrity of binary data. This mode of operation fixes
security deficiencies of CBC-MAC (CBC-MAC is secure only for
fixed-length messages). ). The core of the CMAC algorithm is a
variation of CBCMAC that Black and Rogaway proposed and
analyzed under the name XCBC and submitted to NIST. The XCBC
algorithm efficiently addresses the security deficiencies of CBC-
MAC, but requires three keys. Iwata and Kurosawa proposed an
improvement of XCBC and named the resulting algorithm One-Key
CBC-MAC (OMAC) in their papers. They later submitted OMAC1, a
refinement of OMAC, and additional security analysis. The OMAC
algorithm reduces the amount of key material required for XCBC.
CMAC is equivalent to OMAC1
Passive Attacks
Active attacks
Passive Attacks: It attempts to learn or make use of information from system but
does not affect the system. They are in nature of eavesdropping on or
monitoring of transmissions two types,
• Four categories
– Masquerade
– Replay
– Modification of messages
(i)If user A has public key YA=9 WHAT a’S Private key
XA=?
Cipher text
5) (a) What do you mean by Message authentication and What are
the requirements of
Authentication?
(b) Explain Kerberos in detail and also give its version 4 and version 5 differences.
(a):
There are three classes by which different types of functions that may be used to
produce an authenticator. They are:
Message authentication code (MAC)–a public function of the message and a secret
key producing a fixedlength value to serve as authenticator. This does not provide a
digital signature because A and B share the same key.
Hash function–a public function mapping an arbitrary length message into a fixed-
length hash value to serve as authenticator. This does not provide a digital signature
because there is no key
(b):
Kerberos version 4 was released prior to the The The version 5 was published in 1993,
version 5 in the late 1980's years after the appearance of version
5.
Since the same key is used repeatedly to gain a In V5 this is avoided by requiring a sub
service from particular server, there is a risk that an session key which is used only for one
attacker can replay messages from an old session to connection.
the client or server.
In V4 the ticket lifetime has to be specified in units of In V5 ticket lifetime one can specify an
5 minutes. explicit start and finish times allowing
arbitrary lifetimes.
It contains only a few IP addresses and other It contains only a few IP addresses and
addresses for types of network protocols. other addresses for types of network
protocols.
Pre-Image Resistance
o This property protects against an attacker who only has a hash value and is
trying to find the input.
o This property means given an input and its hash, it should be hard to find a
different input with the same hash.
o In other words, if a hash function h for an input x produces hash value h(x), then
it should be difficult to find any other input value y such that h(y) = h(x).
o This property of hash function protects against an attacker who has an input
value and its hash, and wants to substitute different value as legitimate value in
place of original input value.
Collision Resistance
o This property means it should be hard to find two different inputs of any length
that result in the same hash. This property is also referred to as collision free
hash function.
o In other words, for a hash function h, it is hard to find any two different inputs x
and y such that h(x) = h(y).
o This property makes it very difficult for an attacker to find two input values with
the same hash.
SHA-512 :
The secure hash algorithm (SHA) was developed by the National Institute of
Standards and Technology (NIST). SHA-1 is the best established of the existing
SHA hash functions, and is employed in several widely used security applications
and protocols. The algorithm takes as input a message with a maximum length of
less than 264 bits and produces as output a 160-bit message digest.
1.) Append Padding Bits: The message is padded so that length is congruent to 448
modulo 512; padding always added –one bit 1 followed by the necessary number of
0 bits.
2.) Append Length: a block of 64 bits containing the length of the original message
is added.
3.) Initialize MD buffer: A 160-bit buffer is used to hold intermediate and final results
on the hash function. This is formed by 32-bit registers A,B,C,D,E. Initial values:
A=0x67452301, B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476, E=C3D2E1F0.
Stores in big-endian format i.e. the most significant bit in low address.
4.) Process message in blocks 512-bit (16-word) blocks: The processing of a single
512-bit block is shown above. It consists of four rounds of processing of 20 steps
each. These four rounds have similar structure, but uses a different primitive logical
function, which we refer to as f1, f2, f3 and f4. Each round takes as input the current
512-bit block being processed and the 160-bit buffer value ABCDE and updates the
contents of the buffer. Each round also makes use of four distinct additive constants
Kt. The output of the fourth round i.e. eightieth step is added to the input to the first
round to produce CVq+1.
5.) Output: After all L 512-bit blocks have been processed, the output from the Lth
stage is the 160-bit message digest.
(b):
• The information includes a mapping from user name to network address with
certificate
• The directory server itself is not responsible for the creation of public keys or for the
certification function; it merely provides an easily accessible location for users to
obtain certificates.
• Each certificate contains the public key of a user and is signed with the private key
of a CA.
X.509 Formats:
Certificates are digital documents that are used for secure authentication of
communicating parties.
A certificate binds identity information about an entity to the entity’s public key for a
certain validity period.
A certificate is digitally signed by a trusted third party (TTP) who has verified that
the key pair actually belongs to the entity.
Certificates can be thought of as analogous to passport that guarantee the identity
of their bearers.
Authorities: The trusted party who issues certificates to the identified end entities is
called a Certification Authority (CA).
CA’s can also issue certificates to other (sub) CA’s. This leads to a tree-like
Certification Hierarchy.
7) (a) Discuss the need of Secure Socket Layer. What are different
alert codes of this protocol?
(b) Discuss about Mobile Device Security and Wireless security.
(a)
SSL is the backbone of our secure Internet and it protects your sensitive information
as it travels across the world's computer networks. SSL is essential for protecting
your website, even if it doesn't handle sensitive information like credit cards. It
provides privacy, critical security and data integrity for both your websites and your
users' personal information.
Alert codes:
Alert
Alert Message Description
Code
Notifies the recipient that the sender will not send any
0 close_notify
more messages on this connection.
Received an inappropriate message This alert should
10 unexpected_message never be observed in communication between proper
implementations. This message is always fatal.
Received a record with an incorrect MAC. This
20 bad_record_mac
message is always fatal.
Decryption of a TLSCiphertext record is decrypted in an
invalid way: either it was not an even multiple of the
21 decryption_failed
block length or its padding values, when checked, were
not correct. This message is always fatal.
(b):
Mobile security is the protection of smartphones, tablets, laptops and other portable
computing devices, and the networks they connect to, from threats and
vulnerabilities associated with wireless computing. Mobile security is also known as
wireless security.
Securing mobile devices has become increasingly important in recent years as the
numbers of the devices in operation and the uses to which they are put have
expanded dramatically. The problem is compounded within the enterprise as the
ongoing trend toward IT consumerization is resulting in more and more employee-
owned devices connecting to the corporate network.
SearchSecurity.com's 2012 enterprise mobile security survey polled 487 IT security
professionals and IT managers. The survey found the following top five mobile
security concerns:
1. Device loss was the top concern. If an employee leaves a tablet or smartphone in
a taxi cab or at a restaurant, for example, sensitive data, such as customer
information or corporate intellectual property, can be put at risk. According to Marcus
Carey, a security researcher at Boston-based compliance auditing firm Rapid7 Inc.,
such incidents have been behind many high-profile data breaches.
2. Application security was the second-ranking concern. One problem is mobile apps
that request too many privileges, which allows them to access various data sources
on the device. According to Domingo Guerra, president and co-founder of San
Francisco-based Appthority Inc., many mobile apps -- especially free ones -- are built
with ties to advertising networks, which makes contacts, browsing history
and geolocation data extremely valuable to application developers. As Guerra put it,
"Developers want to monetize, consumers want free apps and then ad networks will
pay developers to get all of that juicy data from their users." According to survey
respondents, leaked corporate contacts, calendar items and even the location of
certain executives could put the company at a competitive disadvantage.
3. Device data leakage was the third-ranking mobile security issue. Nearly all of the
chief concerns identified in the mobile security survey, from data loss and theft to
malicious applications and mobile malware, are sources of data leakage. While most
corporate access privileges on mobile devices remain limited to calendar items and
email, new mobile business applications can tap into a variety of sources, if the
enterprise accepts the risks, said mobile security expert Lisa Phifer. Increased
corporate data on devices increases the draw of cybercriminals who can target both
the device and the back-end systems they tap into with mobile malware, Phifer said.
"If you're going to put sensitive business applications on those devices, then you
would want to start taking that threat seriously."
4. Malware attacks were the fourth-ranking mobile security concern. A new report
from Finland-based antivirus vendor F-Secure Corp. found the vast majority of
mobile malware to be SMS Trojans, designed to charge device owners premium text
messages. Experts say Android devices face the biggest threat, but other platforms
can attract financially motivated cybercriminals if they adopt Near Field
Communications and other mobile payment technologies. An F-Secure analysis of
more than 5,000 malicious Android files found that 81% of mobile malware can be
classified as Trojans, followed by monitoring tools (10.1%) and malicious
applications (5.1%).
5. Device theft was fifth on the list of top concerns. Smartphone theft is a common
problem for owners of highly coveted smartphones such as the iPhone or high-
end Android devices. The danger of corporate data, such as account credentials and
access to email, falling into the hands of a tech-savvy thief, makes the issue a major
threat to the IT security pros who took the survey.
The internet and web has become widely popular today. However, it is
vulnerable to serious attacks.
For this purpose, various security approaches are possible. These
approaches are mainly dependent on which network layer they operate on
(Remember the network layers of CN!!).
The SSL (Secure Socket Layer) is a whole new layer of protocol which
operates above the Internet TCP protocol and below high-level application
protocols
There are different protocols which are associated with SSL which are used in
the management of SSL exchanges.