Documente Academic
Documente Profesional
Documente Cultură
Ans: The short answer: Client/server is a computational architecture that involves client
processes
requesting service from server processes.
The long answer: Client/server computing is the logical extension of modular programming.
Modular programming has as its fundamental assumption that separation of a large piece of
software into its constituent parts ("modules") creates the possibility for easier development and
better maintainability. Client/server computing takes this a step farther by recognizing that those
modules need not all be executed within the same memory space.
With this architecture, the calling module becomes the "client" (that which requests a service),
and the called module becomes the "server" (that which provides the service). The logical
extension of this is to have clients and servers running on the appropriate hardware and
software platforms for their functions. For example, database management system servers
running on platforms specially designed and configured to perform queries, or file servers
running on platforms with special elements for managing files. It is this latter perspective that
has created the widely-believed myth that client/server has something to do with PCs or Unix
machines.
Ans: The client is a process (program) that sends a message to a server process (program),
requesting that the server perform a task (service). Client programs usually manage the user-
interface portion of the application, validate data entered by the user, dispatch requests to
server programs, and sometimes execute business logic. The client-basedprocess is the front-
end of the application that the user sees and interacts with. The client process contains solution-
specific logic and provides the interface between the user and the rest of the application system.
The client process also manages the local resources that the user interacts with such as the
monitor, keyboard, workstation CPU and peripherals. One of the key elements of a client
workstation is the graphical user interface (GUI). Normally a part of operating system i.e. the
window manager detects user actions, manages the windows on the display and displays the
data in the windows.
Ans : A server process (program) fulfills the client request by performing the task requested.
Server programs generally receive requests from client programs, execute database retrieval
and updates, manage data integrity and dispatch responses to client requests. Sometimes server
programs execute common or complex business logic. The server-based process "may" run on
another machine on the network. This server could be the host operating system or network file
server; the server is then provided both file system services and application services. Or in some
cases, another desktop machine provides the application services. The server process acts as a
software engine that manages shared resources such as databases, printers, communication
links, or high powered-processors. The server process performs the back-end tasks that are
common to similar applications.
Q4 What is a Two-Tier Architecture?
Ans : A two-tier architecture is where a client talks directly to a server, with no intervening
server. It is typically used in small environments (less than 50 users). A common error in
client/server development is to prototype an application in a small, two-tier environment, and
then scale up by simply adding more users to the server. This approach will usually result in an
ineffective system, as the server becomes overwhelmed. To properly scale to hundreds or
thousands of users, it is usually necessary to move to a three-tier architecture.
A three-tier architecture introduces a server (or an "agent") between the client and the server.
The role of the agent is manyfold. It can provide translation services (as in adapting a legacy
application on a mainframe to a client/server environment), metering services (as in acting as a
transaction monitor to limit the number of simultaneous requests to a given server), or
intellegent agent services (as in mapping a request to a number of different servers, collating the
results, and returning a single response to the client.
For SBI Speciality Officer, Allahabad bank IT Officer Exam
Model Questions : The Descriptive Test should be Prepared on Basis of All Books of Degree
Exam with Special Emphasis on Banking.We are Listing Sample Questions
4. Explain the DMA controller with block diagram. What is meant by a block transfer? What are
the various phases of an instruction cycle ? Give the micro operation of fetch and decode phases
Compare Static RAM with Dynamic RAM.
7. What is a Socket ? Write two differences between a TCP Socket and a UDP Socket.
8. What are the standard port numbers for (i) Web Server (ii) Mail Server (iii) FTP Server (iv)
Telnet ?
9 What is Network Address Translation (NAT) ? Give any two advantages and two
disadvantages of NAT.
11. What is a Search Engine ? How is it useful for Internet/Intranet ? Give the names of any four
Search engines.
12 What is WAP ? Give any two advantages and two limitations of WAP. Also explain its layered
architecture.
ANSWERS
The client authenticates to the AS once using a long-term shared secret (e.g. a password) and
receives a TGT from the AS. Later, when the client wants to contact some SS, it can (re)use this
ticket to get additional tickets from TGS, for SS, without resorting to using the shared secret.
These tickets can be used to prove authentication to SS.
The phases are detailed below.
[edit] User Client-based Logon
1. A user enters a username and password on the client machine.
2. The client performs a one-way function (hash usually) on the entered password, and
this becomes the secret key of the client/user.
Kerberos Protocol
1. The client sends a cleartext message of the user ID to the AS requesting services on
behalf of the user. (Note: Neither the secret key nor the password is sent to the AS.)
The AS generates the secret key by hashing the password of the user found at the
database (e.g. Active Directory in Windows Server).
2. The AS checks to see if the client is in its database. If it is, the AS sends back the
following two messages to the client:
○ Message A: Client/TGS Session Key encrypted using the secret key of the
client/user.
○ Message B: Ticket-to Get-Ticket (which includes the client ID, client network
address, ticket validity period, and the client/TGS session key) encrypted
using the secret key of the TGS.
3. Once the client receives messages A and B, it attempts to decrypt message A with
the secret key generated from the password entered by the user. If the user entered
password does not match the password in the AS database, the client's secret key
will be different and thus unable to decrypt message A. With a valid password and
secret key the client decrypts message A to obtain the Client/TGS Session Key. This
session key is used for further communications with the TGS. (Note: The client
cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point,
the client has enough information to authenticate itself to the TGS.
b.
Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP)
communications by authenticating and encrypting each IP packet of a communication session.
IPsec also includes protocols for establishing mutual authentication between agents at the
beginning of the session and negotiation of cryptographic keys to be used during the session.
IPsec is an end-to-end security scheme operating in the Internet Layer of the Internet Protocol
Suite. It can be used in protecting data flows between a pair of hosts (host-to-host), between a
pair of security gateways (network-to-network), or between a security gateway and a host
(network-to-host).[1]
Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL),
Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of the
TCP/IP model. Hence, IPsec protects any application traffic across an IP network. Applications
do not need to be specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must
be designed into an application to protect the application protocols.
IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was
based on the SP3 protocol that was published by NIST, but designed by the Secure Data
Network System project of the National Security Agency (NSA).
IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Request
for Comment documents addressing various components and extensions. It specifies the spelling
of the protocol name to be IPsec.[2]
[edit] Security architecture
The IPsec suite is an open standard. IPsec uses the following protocols to perform various
functions:[3][4]
• Authentication Headers (AH) provide connectionless integrity and data origin
authentication for IP datagrams and provides protection against replay attacks.[5][6]
• Encapsulating Security Payloads (ESP) provide confidentiality, data origin
authentication, connectionless integrity, an anti-replay service (a form of partial
sequence integrity), and limited traffic flow confidentiality.[1]
• Security associations (SA) provide the bundle of algorithms and data that provide the
parameters necessary to operate the AH and/or ESP operations. The Internet Security
Association and Key Management Protocol (ISAKMP) provides a framework for
authentication and key exchange,[7] with actual authenticated keying material provided
either by manual configuration with pre-shared keys, Internet Key Exchange (IKE and
IKEv2), Kerberized Internet Negotiation of Keys (KINK), or IPSECKEY DNS records.[8]
[9][10][11]
In cryptography, RSA (which stands for Rivest, Shamir and Adleman who first publicly
described it) is an algorithm for public-key cryptography.[1] It is the first algorithm known to be
suitable for signing as well as encryption, and was one of the first great advances in public key
cryptography. RSA is widely used in electronic commerce protocols, and is believed to be
sufficiently secure given sufficiently long keys and the use of up-to-date implementations.
Operation
The RSA algorithm involves three steps: key generation, encryption and decryption.
[edit] Key generation
RSA involves a public key and a private key. The public key can be known to everyone and is
used for encrypting messages. Messages encrypted with the public key can only be decrypted
using the private key. The keys for the RSA algorithm are generated the following way:
1. Choose two distinct prime numbers p and q.
○ For security purposes, the integers p and q should be chosen at random, and
should be of similar bit-length. Prime integers can be efficiently found using a
primality test.
2. Compute n = pq.
○ n is used as the modulus for both the public and private keys
3. Compute φ(n) = (p – 1)(q – 1), where φ is Euler's totient function.
4. Choose an integer e such that 1 < e < φ(n) and gcd(e,φ(n)) = 1, i.e. e and φ(n) are
coprime.
○ e is released as the public key exponent.
○ e having a short bit-length and small Hamming weight results in more efficient
encryption - most commonly 0x10001 = 65537. However, small values of e (such
as 3) have been shown to be less secure in some settings.[4]
5. Determine d = e–1 mod φ(n); i.e. d is the multiplicative inverse of e mod φ(n).
○ This is often computed using the extended Euclidean algorithm.
○ d is kept as the private key exponent.
The public key consists of the modulus n and the public (or encryption) exponent e. The private
key consists of the private (or decryption) exponent d which must be kept secret.
Notes:
• An alternative, used by PKCS#1, is to choose d matching de ≡ 1 mod λ with λ = lcm(p −
1,q − 1), where lcm is the least common multiple. Using λ instead of φ(n) allows more
choices for d. λ can also be defined using the Carmichael function, λ(n).
• The ANSI X9.31 standard prescribes, IEEE 1363 describes, and PKCS#1 allows, that p
and q match additional requirements: be strong primes, and be different enough that
Fermat factorization fails.
[edit] Encryption
Alice transmits her public key (n,e) to Bob and keeps the private key secret. Bob then wishes to
send message M to Alice.
He first turns M into an integer m, such that 0 < m < n by using an agreed-upon reversible
protocol known as a padding scheme. He then computes the ciphertext c corresponding to
c = me (mod n).
This can be done quickly using the method of exponentiation by squaring. Bob then transmits c
to Alice.
[edit] Decryption
Alice can recover m from c by using her private key exponent d via computing
m = cd (mod n).
Given m, she can recover the original message M by reversing the padding scheme.
(In practice, there are more efficient methods of calculating cd using the pre computed values
below.)
[edit] A worked example
Here is an example of RSA encryption and decryption. The parameters used here are artificially
small, but one can also use OpenSSL to generate and examine a real keypair.
1. Choose two distinct prime numbers, such as
p = 61 and q = 53.
2. Compute n = pq giving
n = 61 · 53 = 3233.
3. Compute the totient of the product as φ(n) = (p − 1)(q − 1) giving
φ(3233) = (61 − 1)(53 − 1) = 3120.
4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for
e leaves us only to check that e is not a divisor of 3120.
Let e = 17.
2. A Trojan horse:
Trojan, is software that appears to perform a desirable function for the user prior to run or
install, but (perhaps in addition to the expected function) steals information or harms the
system.[1] The term is derived from the Trojan Horse story in Greek mythology.
A contactless card requires only close proximity to a reader. Both the reader and the card have
antennae, and the two communicate using radio frequencies (RF) over this contactless link. Most
contactless cards also derive power for the internal chip from this electromagnetic signal. The
range is typically one-half to three inches for non-battery-powered cards, ideal for applications
such as building entry and payment that require a very fast card interface.
Two additional categories of cards are dual-interface cards and hybrid cards. A hybrid card has
two chips, one with a contact interface and one with a contactless interface. The two chips are
not interconnected. A dual-interface card has a single chip with both contact and contactless
interfaces. With dual-interface cards, it is possible to access the same chip using either a contact
or contactless interface with a very high level of security.
The chips used in all of these cards fall into two categories as well: microcontroller chips and
memory chips. A memory chip is like a small floppy disk with optional security. Memory chips
are less expensive than microcontrollers but with a corresponding decrease in data management
security. Cards that use memory chips depend on the security of the card reader for processing
and are ideal for situations that require low or medium security.
A microcontroller chip can add, delete, and otherwise manipulate information in its memory. A
microcontroller is like a miniature computer, with an input/output port, operating system, and
hard disk. Smart cards with an embedded microcontroller have the unique ability to store large
amounts of data, carry out their own on-card functions (e.g., encryption and digital signatures)
and interact intelligently with a smart card reader.
3.D. Pretty Good Privacy (PGP) is a data encryption and decryption computer program
that provides cryptographic privacy and authentication for data communication. PGP is often
used for signing, encrypting and decrypting texts, E-mails, files, directories and whole disk
partitions to increase the security of e-mail communications. It was created by Philip
Zimmermann in 1991.
PGP and similar products follow the OpenPGP standard (RFC 4880) for encrypting and
decrypting data.
How PGP encryption works
PGP encryption uses a serial combination of hashing, data compression, symmetric-key
cryptography, and, finally, public-key cryptography; each step uses one of several supported
algorithms. Each public key is bound to a user name and/or an e-mail address. The first version
of this system was generally known as a web of trust to contrast with the X.509 system which
uses a hierarchical approach based on certificate authority and which was added to PGP
implementations later. Current versions of PGP encryption include both options through an
automated key management server.
[edit] Compatibility
As PGP evolves, PGP systems that support newer features and algorithms are able to create
encrypted messages that older PGP systems cannot decrypt, even with a valid private key. Thus,
it is essential that partners in PGP communication understand each other's capabilities or at
least agree on PGP settings.
[edit] Confidentiality
PGP can be used to send messages confidentially. For this, PGP combines symmetric-key
encryption and public-key encryption. The message is encrypted using a symmetric encryption
algorithm, which requires a symmetric key. Each symmetric key is used only once and is also
called a session key. The session key is protected by encrypting it with the receiver's public key
thus ensuring that only the receiver can decrypt the session key. The encrypted message along
with the encrypted session key is sent to the recipient.
[edit] Digital signatures
PGP supports message authentication and integrity checking. The latter is used to detect
whether a message has been altered since it was completed (the message integrity property), and
the former to determine whether it was actually sent by the person/entity claimed to be the
sender (a digital signature). In PGP, these are used by default in conjunction with encryption,
but can be applied to the plaintext as well. The sender uses PGP to create a digital signature for
the message with either the RSA or DSA signature algorithms. To do so, PGP computes a hash
(also called a message digest) from the plaintext, and then creates the digital signature from that
hash using the sender's private key.
[edit] Web of trust
Main article: Web of trust
Both when encrypting messages and when verifying signatures, it is critical that the public key
used to send messages to someone or some entity actually does 'belong' to the intended recipient.
Simply downloading a public key from somewhere is not overwhelming assurance of that
association; deliberate (or accidental) impersonation is possible. PGP has, from its first
versions, always included provisions for distributing a user's public keys in an 'identity
certificate' which is also constructed cryptographically so that any tampering (or accidental
garble) is readily detectable. But merely making a certificate which is impossible to modify
without being detected effectively is also insufficient. It can prevent corruption only after the
certificate has been created, not before. Users must also ensure by some means that the public
key in a certificate actually does belong to the person/entity claiming it. From its first release,
PGP products have included an internal certificate 'vetting scheme' to assist with this; a trust
model which has been called a web of trust. A given public key (or more specifically,
information binding a user name to a key) may be digitally signed by a third party user to attest
to the association between someone (actually a user name) and the key. There are several levels
of confidence which can be included in such signatures. Although many programs read and
write this information, few (if any) include this level of certification when calculating whether to
trust a key.
c. Physical Security Threats and Controls
Physical security is the lifeblood of all security controls. If physical security is compromised, all
other controls are irrelevant.
Why? Think about it. If someone manages to get into your server, physically accessing your
computers, he or she can cause serious damage. Some examples of damage possible can
include: removing the hard drives from your computer, stealing computer backup tapes, or
simply shutting down the power to your servers. All of these can be accomplished in the blink of
an eye, without involving serious technical skills. As we have mentioned before, security is the
weakest link in your system. For this reason, we should not overlook physical security.
To understand physical security, we first need to understand physical threats.
The are three types of physical threats:
External physical threats:
• Flooding, lightning, earthquake, wind, tornado, hurricane, ice, fire, chemical
Internal physical threats:
• Fire, environmental failure, liquid leakage, electrical interruption
Human physical threats:
• Theft, vandalism, sabotage, espionage, errors
To prevent these threats from becoming reality, physical security controls should be
implemented. Some examples of effective physical security controls include:
Exterior physical security controls:
• Fences, Barriers
Entrance physical security controls:
• Doors and Gates with Locks
Administrative physical security controls:
• Badges and Escorts
Property physical security controls:
• Monitoring/Detection Systems, Lighting
Environmental physical security controls:
• HVAC System, Power Protection, Water and Fire Protection
All of these controls require detailed and careful planning prior to setting up an office with
computing facilities. We will discuss physical controls in more detail later.
Tags: Administrative Physical Security Control, Environmental Physical Security Control,
Water Protection