Short answer questions

1) What are the principles of security

Data Confidentiality, Data Integrity, Authentication and Non-repudiation are core
principles of modern-day cryptography.

1. Confidentiality refers to certain rules and guidelines usually executed under

confidentiality agreements which ensure that the information is restricted to
certain people or places
.
2. Data integrity refers to maintaining and making sure that the data stays
accurate and consistent over its entire life cycle.

3. Authentication is the process of making sure that the piece of data being
claimed by the user belongs to it.

4. Non-repudiation refers to ability to make sure that a person or a party

associated with a contract or a communication cannot deny the authenticity of
their signature over their document or the sending of a message.

5. Access Control prevention of the unauthorised use of resourses.

2) Describe CBC mode of operation?

Cipher block chaining (CBC) is a mode of operation for a block
cipher (one in which a sequence of bits are encrypted as a single unit
or block with a cipher key applied to the entire block). Cipher block
chaining uses what is known as an initialization vector (IV) of a certain
length. One of its key characteristics is that it uses a chaining
mechanism that causes the decryption of a block of ciphertext to
depend on all the preceding ciphertext blocks. As a result, the entire
validity of all preceding blocks is contained in the immediately previous
ciphertext block
3) Briefly explain three approaches of Message Authentication?

Message encryption
 Message authentication code
Hash function

4) What is HTTPs?

HTTPS (HTTP over SSL or HTTP Secure) is the use of Secure Socket
Layer (SSL) or Transport Layer Security (TLS) as a sublayer under
regular HTTP application layering. HTTPS encrypts and decrypts user
page requests as well as the pages that are returned by the Web
server. The use of HTTPS protects against eavesdropping and man-in-
the-middle attacks.

5) Write short note on Virtual Elections?

6) Explain SSH?
SSH, or Secure Shell, is a remote administration protocol that allows
users to control and modify their remote servers over the Internet. The
service was created as a secure replacement for the unencrypted
Telnet and uses cryptographic techniques to ensure that all
communication to and from the remote server happens in an encrypted
manner

7) Write short notes on RC5

RC5 is a symmetric key block encryption algorithm designed by Ron Rivest in
1994. It is notable for being simple, fast (on account of using only primitive
computer operations like XOR, shift, etc.) and consumes less memory.
RC5 is a block cipher and addresses two word blocks at a time.
Depending on input plain text block size, number of rounds and key size,
various instances of RC5 can be defined and each instance is denoted as RC5-
w/r/b where w=word size in bits, r=number of rounds and b=key size in bytes.
Step-1: Initialization of constants P and Q.
RC5 makes use of 2 magic constants P and Q whose value is defined by the
word size w.

Step-2: Converting secret key K from bytes to words.

Step-3: Initializing sub-key S.

Step-4: Sub-key mixing.

 Step-5: Encryption

8) Discuss RC4 algorithm

RC4 is a stream cipher and variable length key algorithm. This algorithm encrypt one
byte at a time (or larger units on a time).
A key input is pseudorandom bit generator that produces a stream 8-bit number that
is unpredictable without knowledge of input key, The output of generator is called
key-stream, is combined one byte at a time with the plaintext stream cipher using X-
OR operation.
Key-Generation Algorithm –
A variable-ength key of from 1 to 256 byte is used to initialize a 256-byte state vector
S, with elements S[0] to S[255]. For encryption and decryption, a byte k is generated
from S by selecting one of te 255 entries in systematic fashion, then the entries in S
are permuted again.
1.Key-Scheduling Algorithm
2.Pseudo random generation algorithm (Stream Generation)(generation of k)
3. Encrypt using X-Or()

9) Discuss Knapsack problem

Given n items of different values vi and wi , find the most valuable
 subset of the items while the overall weight does not exceed the
weight of knapsack/given weight W.
The knapsack problem defines a problem where we have a number
of weights and then must pack our knapsack with the minimum
number of weights that will make it a given weight. In general the
problem is:
 Given a set of numbers A and a number b.
 Find a subset of A which sums to b (or gets nearest to it). The
subset sum problem is stated as follows: given a set of positive
integers (a1,a2 . . . , an) and positive integer S. Whether there is a
subset of the ai’ s that sums to S. This is equivalent to determine
whether there are variables (x1 , . . . , xn)
Key generation
Here, keys are two knapsacks. The public key is a 'hard' knapsack
A, and the private key is an 'easy', or super increasing, knapsack B,
combined with two additional numbers, a multiplier and a modulus.
The multiplier and modulus can be used to convert the super
increasing knapsack into the hard knapsack. These same numbers
are used to transform the sum of the subset of the hard knapsack
into the sum of the subset of the easy knapsack, which is a problem
that is solvable in polynomial time. Encryption
To encrypt a message, a subset of the hard knapsack A is chosen
by comparing it with a set of bits (the plaintext) equal in length to the
key. Each term in the public key that corresponds to a 1 in the
plaintext is an element of the subset A_m, while terms that
corresponding to 0 in the plaintext are ignored when constructing
A_m – they are not elements of the key. The elements of this subset
are added together and the resulting sum is the cipher text.
Decryption
Decryption is possible because the multiplier and modulus used to
transform the easy knapsack into the public key can also be used to
transform the number representing the cipher text into the sum of
the corresponding elements of the super increasing knapsack.

10) Discuss HMAC and CMAC

HMAC:
 HMAC algorithm stands for Hashed or Hash based Message
Authentication Code. It is a result of work done on developing a
MAC derived from cryptographic hash functions. HMAC is a great
resistant towards cryptanalysis attacks as it uses the Hashing
concept twice. HMAC consists of twin benefits of Hashing and MAC,
and thus is more secure than any other authentication codes
The working of HMAC starts with taking a message M containing
blocks of length b bits. An input signature is padded to the left of the
message and the whole is given as input to a hash function which
gives us a temporary message digest MD’. MD’ again is appended
to an output signature and the whole is applied a hash function
again, the result is our final message digest MD.

CMAC:
In cryptography, CMAC (Cipher-based Message Authentication
Code) is a block cipherbased message authentication code
algorithm. It may be used to provide assurance of the authenticity
and, hence, the integrity of binary data. This mode of operation fixes
security deficiencies of CBC-MAC (CBC-MAC is secure only for
fixed-length messages). ). The core of the CMAC algorithm is a
variation of CBCMAC that Black and Rogaway proposed and
analyzed under the name XCBC and submitted to NIST. The XCBC
algorithm efficiently addresses the security deficiencies of CBC-
MAC, but requires three keys. Iwata and Kurosawa proposed an
improvement of XCBC and named the resulting algorithm One-Key
CBC-MAC (OMAC) in their papers. They later submitted OMAC1, a
refinement of OMAC, and additional security analysis. The OMAC
algorithm reduces the amount of key material required for XCBC.
CMAC is equivalent to OMAC1

Long answer Questions:

1) (a) Discuss in detail about various types of Security attacks with

neat diagrams.

(b) write about Security Services and Security Mechanisms in detail.

(a):
Two types based on nature of attack

 Passive Attacks

 Active attacks

Passive Attacks: It attempts to learn or make use of information from system but
does not affect the system. They are in nature of eavesdropping on or
monitoring of transmissions two types,

 Release of Message Contents: Opponent reads contents of the message

 Traffic Analysis: Opponent can’t understand message. So, observes the

traffic pattern

Active attacks: Try to alter system resources or affect their

operation.Modification of data, or creation of false data.

• Four categories

– Masquerade

– Replay

– Modification of messages

– Denial of service: preventing normal use

• A specific target or entire network

• Difficult to prevent -The goal is to detect and recover

(b):
• Enhance security of data processing systems and information transfers of an
organization
• X.800: “a service provided by a protocol layer of communicating open
systems, which ensures adequate security of the systems or of data transfers”
Security Services (X.800)
• Authentication - assurance that communicating entity is the one claimed –
have both peer-entity & data origin authentication
• Access Control - prevention of the unauthorized use of a resource
• Data Confidentiality –protection of data from unauthorized disclosure
• Data Integrity - assurance that data received is as sent by an authorized entity
• Non-Repudiation - protection against denial by one of the parties in a
communication AUTHENTICATION: The assurance that the communicating
entity is the one that it claims to be: – Peer Entity Authentication: Used in
 association with a logical connection to provide confidence in the identity of the
entities connected.
– Data-Origin Authentication: In a connectionless transfer, provides assurance
that the source of received data is as claimed.
ACCESS CONTROL: The prevention of unauthorized use of a resource.
DATA CONFIDENTIALITY: The protection of data from unauthorized
disclosure.
– Connection Confidentiality: The protection of all user data on a connection.
– Connectionless Confidentiality: The protection of all user data in a single data
block.
– Selective-Field Confidentiality: The confidentiality of selected fields within the
user data on a connection or in a single data block.
– Traffic-Flow Confidentiality: The protection of the information that might be
derived from observation of traffic flows.
DATA INTEGRITY: The assurance that data received are exactly as sent by an
authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Connection Integrity with Recovery Provides for the integrity of all user data on
a connection and detects any modification, insertion, deletion, or replay of any
data within an entire data sequence, with recovery attempted.
Connection Integrity without Recovery As above, but provides only detection
without
recovery.
Selective-Field Connection Integrity Provides for the integrity of selected fields
within the user data of a data block transferred over a connection and takes the
form of determination of whether the selected fields have been modified,
inserted, deleted, or replayed.
Connectionless Integrity Provides for the integrity of a single connectionless
data block and may take the form of detection of data modification. Additionally,
a limited form of replay detection may be provided.
Selective-Field Connectionless Integrity Provides for the integrity of selected
fields within a single connectionless data block; takes the form of determination
of whether the selected fields have been modified.
NONREPUDIATION Provides protection against denial by one of the entities
involved in a communication of having participated in all or part of the
communication.
Nonrepudiation, Origin - Proof that the message was sent by the specified
party. Nonrepudiation, Destination - Proof that the message was received by
the specified.
6. SECURITY MECHANISMS:
• Designed to detect, prevent, or recover from a security attack.
• No single mechanism that will support all services required.
• However one particular element underlies many of the security mechanisms
in use: – cryptographic techniques
 • specific security mechanisms: – Encipherment, digital signatures, access
controls, data integrity, authentication exchange, traffic padding, routing
control, notarization
• pervasive security mechanisms: – trusted functionality, security labels, event
detection, security audit trails, security recovery Specific security
mechanisms: May be incorporated into the appropriate protocol layer in order
to provide some of the OSI security services.
• Encipherment - The use of mathematical algorithms to transform data into a
form that is not readily intelligible. - The transformation and subsequent
recovery of the data depend on an algorithm and zero or more encryption
keys.
• Access Control - A variety of mechanisms that enforce access rights to
resources.
• Digital Signature - Data appended to, or a cryptographic transformation of, a
data unit that allows a recipient of the data unit to prove the source and
integrity of the data unit and protect against forgery (e.g., by the recipient).
• Data Integrity -A variety of mechanisms used to assure the integrity of a data
unit or stream of data units.
• Authentication Exchange A mechanism intended to ensure the identity of an
entity by means of information exchange.
• Traffic Padding - The insertion of bits into gaps in a data stream to frustrate
traffic analysis attempts.
• Routing Control -Enables selection of particular physically secure routes for
certain data and allows routing changes, especially when a breach of security
is suspected.
• Notarization -The use of a trusted third party to assure certain properties of a
data exchange. Pervasive security mechanisms: Mechanisms that is not
specific to any particular OSI security service or protocol layer.
• Trusted Functionality -That which is perceived to be correct with respect to
some criteria (e.g., as established by a security policy).
• Security Label -The marking bound to a resource (which may be a data unit)
that names or designates the security attributes of that resource.
• Event Detection - Detection of security-relevant events.
• Security Audit Trail - Data collected and potentially used to facilitate a
security audit, which is an independent review and examination of system
records and activities.
• Security Recovery- Deals with requests from mechanisms, such as event
handling and management functions, and takes recovery actions.

3) (a) Explain DES algorithm in detail.

(b) Consider a Diffie-Hellman scheme with a common prime

q=11 and a primitive root
 alpha =2.

(i)If user A has public key YA=9 WHAT a’S Private key
XA=?

(ii)If user B has public key YB=9 WHAT a’S Private

key XB=?
(a):
● Plainext is broken into blocks of length 64 bits.Encryption is blockwise
● A message block is first gone through an initial permutation IP,then divided
into two parts L0,where L0 is the left part of 32 bits and R0 is the right part of
the 32 bits
● Round i has input Li-1,Ri-1 and output Li,Ri
Li = Ri-1,Ri = Li-1 ⊕ f(Ri-1,Ki)
and Ki is the subkey for the 'i'th where 1 ≤ i ≤ 16
L1 = R0, R1 = L0 ⊕ f(R0,K1)
L2 = R1, R2 = L1 ⊕ f(R1,K2)
................ ..........................
L16 = R15, R16 = L15 ⊕ f(R15,K16)
● After round 16,L16 and R16 are swapped,so that the decryption algorithm
has the same structure as the encrption algorithm.
Finally,the block is gone through the inverse the permutation IP-1 and then
output
● One round of DES in very simple way during encryption
DES DECRYPTION:
● Observation:In encryption,we have
Li = Ri-1,Ri = Ri = Li-1 ⊕ f(Ri-1,Ki)
● and Ki is the subkey for the 'i'th round.Hence
Ri-1 = Li,Li-1 = Ri ⊕ f(Li,Ki) for each 'i'
● Due to swap operation after the 16th round encryption,the output of
encryption is IP
1(R16,L16)
● Equation(1) as follows:
R15 = L16, L15 = R16 ⊕ f(L16,K16)
R14 = L15, L14 = R15 ⊕ f(L15,K15)
................ .......................... ................ ..........................
R1 = L2, L1 = R2 ⊕ f(L2,K2)
● If we give IP-1(R16,L16) as the input for the same algorithm with round
subkeys(K16,K15,......K1),then the output is IP-1(L0,R0),the original message
block
● Decryption is performed using the same algorithm,except the K16 is used
as the first round,K15 in the second,and so on,with K1used in the 16th round
 ● One round of DES in very simple way during decryption

4) (a)Discuss IDEA algorithm in detail

(b) Consider Elgamal Scheme with prime q=19,alpha=10,xA

=5,M=17 and K=6 generate

Cipher text
5) (a) What do you mean by Message authentication and What are
the requirements of
Authentication?
(b) Explain Kerberos in detail and also give its version 4 and version 5 differences.
(a):

Message authentication is a procedure to verify that received messages come from

the alleged source and have not been altered. Message authentication may also
verify sequencing and timeliness. It is intended against the attacks like content
modification, sequence modification, timing modification and repudiation. For
repudiation, concept of digital signatures is used to counter it.

There are three classes by which different types of functions that may be used to
produce an authenticator. They are:

Message encryption–the ciphertext serves as authenticator

Message authentication code (MAC)–a public function of the message and a secret
key producing a fixedlength value to serve as authenticator. This does not provide a
digital signature because A and B share the same key.

Hash function–a public function mapping an arbitrary length message into a fixed-
length hash value to serve as authenticator. This does not provide a digital signature
because there is no key

(b):

 Kerberos is a network authentication protocol from MIT.

 It is designed to provide strong authentication for client/server applications

 provides centralised third-party authentication in a distributed network  allows

users access to services distributed through network  without needing to trust all
workstations  rather all trust a central authentication server

 two versions in use: 4 & 5

How does Kerberos work?

• Instead of client sending password to application server:

– Request Ticket from authentication server

– Ticket and encrypted request sent to application server

• How to request tickets without repeatedly sending credentials?

– Ticket granting ticket (TGT)

To accomplish secure authentication, Kerberos uses a trusted third party known as a

key distribution center (KDC).

Kerberos Version 4 Kerberos Version 5

Kerberos version 4 was released prior to the The The version 5 was published in 1993,
version 5 in the late 1980's years after the appearance of version
5.

Ticket support is Satisfactory in this version. Ticket support is well extended.

Facilitates forwarding, renewing and
postdating tickets.

It uses the "receiver-makes-right" It uses the ASN. I coding system.

encoding system.

Since the same key is used repeatedly to gain a In V5 this is avoided by requiring a sub
service from particular server, there is a risk that an session key which is used only for one
attacker can replay messages from an old session to connection.
the client or server.

Kerberos V4 uses DES encryption techniques. In Kerberos V5 the cipher text is

tagged with an encryption type
identifier hence any type of encryption
can be used.

Kerberos uses IP addressing. Kerberos V5 can use any address

since the address is now tagged with
Kerberos Version 4 Kerberos Version 5

type and length.

In V4 the ticket lifetime has to be specified in units of In V5 ticket lifetime one can specify an
5 minutes. explicit start and finish times allowing
arbitrary lifetimes.

It contains only a few IP addresses and other It contains only a few IP addresses and
addresses for types of network protocols. other addresses for types of network
protocols.

6) (a)Discuss Hash function properties. Explain SHA-512 logic in

detail
(b) Explain x.509 authentication service.
A hash function is a mathematical function that converts a numerical input value into
another compressed numerical value. The input to the hash function is of arbitrary length
but output is always of fixed length.

In order to be an effective cryptographic tool, the hash function is desired to

possess following properties −

 Pre-Image Resistance

o This property means that it should be computationally hard to reverse a hash

function.

o In other words, if a hash function h produced a hash value z, then it should be a

difficult process to find any input value x that hashes to z.

o This property protects against an attacker who only has a hash value and is
trying to find the input.

 Second Pre-Image Resistance

o This property means given an input and its hash, it should be hard to find a
different input with the same hash.

o In other words, if a hash function h for an input x produces hash value h(x), then
it should be difficult to find any other input value y such that h(y) = h(x).
 o This property of hash function protects against an attacker who has an input
value and its hash, and wants to substitute different value as legitimate value in
place of original input value.

 Collision Resistance

o This property means it should be hard to find two different inputs of any length
that result in the same hash. This property is also referred to as collision free
hash function.

o In other words, for a hash function h, it is hard to find any two different inputs x
and y such that h(x) = h(y).

o Since, hash function is compressing function with fixed hash length, it is

impossible for a hash function not to have collisions. This property of collision
free only confirms that these collisions should be hard to find.

o This property makes it very difficult for an attacker to find two input values with
the same hash.

o Also, if a hash function is collision-resistant then it is second pre-image

resistant.

SHA-512 :
The secure hash algorithm (SHA) was developed by the National Institute of
Standards and Technology (NIST). SHA-1 is the best established of the existing
SHA hash functions, and is employed in several widely used security applications
and protocols. The algorithm takes as input a message with a maximum length of
less than 264 bits and produces as output a 160-bit message digest.

The input is processed in 512-bit blocks. The overall processing of a message

follows the structure of MD5 with block length of 512 bits and a hash length and
chaining variable length of 160 bits. The processing consists of following steps:

1.) Append Padding Bits: The message is padded so that length is congruent to 448
modulo 512; padding always added –one bit 1 followed by the necessary number of
0 bits.

2.) Append Length: a block of 64 bits containing the length of the original message
is added.

3.) Initialize MD buffer: A 160-bit buffer is used to hold intermediate and final results
on the hash function. This is formed by 32-bit registers A,B,C,D,E. Initial values:
A=0x67452301, B=0xEFCDAB89, C=0x98BADCFE, D=0x10325476, E=C3D2E1F0.
Stores in big-endian format i.e. the most significant bit in low address.

4.) Process message in blocks 512-bit (16-word) blocks: The processing of a single
512-bit block is shown above. It consists of four rounds of processing of 20 steps
each. These four rounds have similar structure, but uses a different primitive logical
function, which we refer to as f1, f2, f3 and f4. Each round takes as input the current
512-bit block being processed and the 160-bit buffer value ABCDE and updates the
contents of the buffer. Each round also makes use of four distinct additive constants
Kt. The output of the fourth round i.e. eightieth step is added to the input to the first
round to produce CVq+1.

5.) Output: After all L 512-bit blocks have been processed, the output from the Lth
stage is the 160-bit message digest.

(b):

X.509 Authentication Service

• X.509 is part of the X.500 series of recommendations that define a directory

service. i.e, It is a Distributed set of servers that maintains a database about users.

• The information includes a mapping from user name to network address with
certificate

• These user certificates are assumed to be created by some trusted certification

authority (CA) and placed in the directory by the CA or by the user.

• The directory server itself is not responsible for the creation of public keys or for the
certification function; it merely provides an easily accessible location for users to
obtain certificates.

• Each certificate contains the public key of a user and is signed with the private key
of a CA.

• Is used in S/MIME, IP Security, SSL/TLS and SET.

• RSA is recommended to use.

X.509 Formats:

 Certificates are digital documents that are used for secure authentication of
communicating parties.

 A certificate binds identity information about an entity to the entity’s public key for a
certain validity period.

 A certificate is digitally signed by a trusted third party (TTP) who has verified that
the key pair actually belongs to the entity.
 Certificates can be thought of as analogous to passport that guarantee the identity
of their bearers.

 Authorities: The trusted party who issues certificates to the identified end entities is
called a Certification Authority (CA).

 Certification authorities can be thought of as being analogous to governments

issuing passports for their citizens.

 Certification authorities can be managed by an external certification service

provider or the CA can belong to the same organization as the end entities.

 CA’s can also issue certificates to other (sub) CA’s. This leads to a tree-like
Certification Hierarchy.

 The highest trusted CA in the tree is called a root CA.

7) (a) Discuss the need of Secure Socket Layer. What are different
alert codes of this protocol?
(b) Discuss about Mobile Device Security and Wireless security.
(a)
SSL is the backbone of our secure Internet and it protects your sensitive information
as it travels across the world's computer networks. SSL is essential for protecting
your website, even if it doesn't handle sensitive information like credit cards. It
provides privacy, critical security and data integrity for both your websites and your
users' personal information.

SSL Encrypts Sensitive Information

The primary reason why SSL is used is to keep sensitive information sent across the
Internet encrypted so that only the intended recipient can access it. This is important
because the information you send on the Internet is passed from computer to
computer to get to the destination server. Any computer in between you and the
server can see your credit card numbers, usernames and passwords, and other
sensitive information if it is not encrypted with an SSL certificate. When an SSL
certificate is used, the information becomes unreadable to everyone except for the
server you are sending the information to. This protects it from hackers and identity
thieves.

SSL Provides Authentication

In addition to encryption, a proper SSL certificate also provides authentication. This
means you can be sure that you are sending information to the right server and not
to an imposter trying to steal your information. Why is this important? The nature of
the Internet means that your customers will often be sending information through
several computers. Any of these computers could pretend to be your website and
trick your users into sending them personal information. It is only possible to avoid
this by getting an SSL Certificate from a trusted SSL provider.
Why are SSL providers important? Trusted SSL providers will only issue an SSL
certificate to a verified company that has gone through several identity checks.
Certain types of SSL certificates, like EV SSL Certificates, require more validation
than others. How do you know if an SSL provider is trusted? You can use our SSL
Wizard to compare SSL providers that are included in most web browsers. Web
browser manufactures verify that SSL providers are following specific practices and
have been audited by a third-party using a standard such as WebTrust.

SSL Provides Trust

Web browsers give visual cues, such as a lock icon or a green bar, to make sure
visitors know when their connection is secured. This means that they will trust your
website more when they see these cues and will be more likely to buy from you. SSL
providers will also give you a trust seal that instills more trust in your customers.
HTTPS also protects against phishing attacks. A phishing email is an email sent by a
criminal who tries to impersonate your website. The email usually includes a link to
their own website or uses a man-in-the-middle attack to use your own domain name.
Because it is very difficult for these criminals to receive a proper SSL certificate, they
won’t be able to perfectly impersonate your site. This means that your users will be
far less likely to fall for a phishing attack because they will be looking for the trust
indicators in their browser, such as a green address bar, and they won’t see it.

Alert codes:

Alert
Alert Message Description
Code
Notifies the recipient that the sender will not send any
0 close_notify
more messages on this connection.
Received an inappropriate message This alert should
10 unexpected_message never be observed in communication between proper
implementations. This message is always fatal.
Received a record with an incorrect MAC. This
20 bad_record_mac
message is always fatal.
Decryption of a TLSCiphertext record is decrypted in an
invalid way: either it was not an even multiple of the
21 decryption_failed
block length or its padding values, when checked, were
not correct. This message is always fatal.

(b):

Mobile security is the protection of smartphones, tablets, laptops and other portable
computing devices, and the networks they connect to, from threats and
vulnerabilities associated with wireless computing. Mobile security is also known as
wireless security.

Securing mobile devices has become increasingly important in recent years as the
numbers of the devices in operation and the uses to which they are put have
expanded dramatically. The problem is compounded within the enterprise as the
ongoing trend toward IT consumerization is resulting in more and more employee-
owned devices connecting to the corporate network.
SearchSecurity.com's 2012 enterprise mobile security survey polled 487 IT security
professionals and IT managers. The survey found the following top five mobile
security concerns:

1. Device loss was the top concern. If an employee leaves a tablet or smartphone in
a taxi cab or at a restaurant, for example, sensitive data, such as customer
information or corporate intellectual property, can be put at risk. According to Marcus
Carey, a security researcher at Boston-based compliance auditing firm Rapid7 Inc.,
such incidents have been behind many high-profile data breaches.

2. Application security was the second-ranking concern. One problem is mobile apps
that request too many privileges, which allows them to access various data sources
on the device. According to Domingo Guerra, president and co-founder of San
Francisco-based Appthority Inc., many mobile apps -- especially free ones -- are built
with ties to advertising networks, which makes contacts, browsing history
and geolocation data extremely valuable to application developers. As Guerra put it,
"Developers want to monetize, consumers want free apps and then ad networks will
pay developers to get all of that juicy data from their users." According to survey
respondents, leaked corporate contacts, calendar items and even the location of
certain executives could put the company at a competitive disadvantage.

Another concern is malicious or Trojan-infected applications that are designed to

look like they perform normally, but secretly upload sensitive data to a remote server.

3. Device data leakage was the third-ranking mobile security issue. Nearly all of the
chief concerns identified in the mobile security survey, from data loss and theft to
malicious applications and mobile malware, are sources of data leakage. While most
corporate access privileges on mobile devices remain limited to calendar items and
email, new mobile business applications can tap into a variety of sources, if the
enterprise accepts the risks, said mobile security expert Lisa Phifer. Increased
corporate data on devices increases the draw of cybercriminals who can target both
the device and the back-end systems they tap into with mobile malware, Phifer said.
"If you're going to put sensitive business applications on those devices, then you
would want to start taking that threat seriously."
4. Malware attacks were the fourth-ranking mobile security concern. A new report
from Finland-based antivirus vendor F-Secure Corp. found the vast majority of
mobile malware to be SMS Trojans, designed to charge device owners premium text
messages. Experts say Android devices face the biggest threat, but other platforms
can attract financially motivated cybercriminals if they adopt Near Field
Communications and other mobile payment technologies. An F-Secure analysis of
more than 5,000 malicious Android files found that 81% of mobile malware can be
classified as Trojans, followed by monitoring tools (10.1%) and malicious
applications (5.1%).

5. Device theft was fifth on the list of top concerns. Smartphone theft is a common
problem for owners of highly coveted smartphones such as the iPhone or high-
end Android devices. The danger of corporate data, such as account credentials and
access to email, falling into the hands of a tech-savvy thief, makes the issue a major
threat to the IT security pros who took the survey.

8) (a) Explain SSL Handshake Protocol in detail.

(b) Discuss in detail about IEEE 802.11 wireless LAN and Explain
IEEE 802.11i WLAN
security.
(a):

 The internet and web has become widely popular today. However, it is
vulnerable to serious attacks.
 For this purpose, various security approaches are possible. These
approaches are mainly dependent on which network layer they operate on
(Remember the network layers of CN!!).
 The SSL (Secure Socket Layer) is a whole new layer of protocol which
operates above the Internet TCP protocol and below high-level application
protocols
 There are different protocols which are associated with SSL which are used in
the management of SSL exchanges.

One among those is SSL handshake protocol.

 It is one the most complex protocols of SSL.

 It allows client and server to:
 o Authenticate each other
o To negotiate encryption & MAC algorithm.
o To negotiate cryptographic keys to be used.
 The Handshake Protocol is used before any application data is transmitted.
 The handshake protocol is made up of a series of messages exchanged
between both parties (server & client) which is of the format

 These messages are communicated as a series of messages in phases (4

phases) (Diagram shown below…)
a) Establish security capabilities : this phase is used by the client to initiate a
logical connection and to establish the security capabilities that will be
associated with it
b) Server Authentication and Key Exchange: The server begins this phase by
sending its certificate if it needs to be authenticated.
c) Client Authentication and Key Exchange: the client should verify that the
server provided a valid certificate if required and check that the
d) Finish: this phase completes the setting up of a secure connection.
.