network security(9)

9. Web Security & Application Security

1          Briefly explain how cookies pose security threat?                                                         [4]

2          Write short notes on the following:

            Secure Socket Layer.                                                                                                 [6]

Ans :-- The Secure Sockets Layer (SSL) is a commonly-used protocol for managing the security of a message transmission on the Internet. SSL has recently been succeeded by Transport Layer Security (TLS), which is based on SSL. SSL uses a program layer located between the Internet's Hypertext Transfer Protocol (HTTP) and Transport Control Protocol (TCP) layers. SSL is included as part of both the Microsoft and Netscape browsers and most Web server products. Developed by Netscape, SSL also gained the support of Microsoft and other Internet client/server developers as well and became the de facto standard until evolving into Transport Layer Security. The "sockets" part of the term refers to the sockets method of passing data back and forth between a client and a server program in a network or between program layers in the same computer. SSL uses the public-and-private key encryption system from RSA, which also includes the use of a digital certificate.TLS and SSL are an integral part of most Web browsers (clients) and Web servers. If a Web site is on a server that supports SSL, SSL can be enabled and specific Web pages can be identified as requiring SSL access. Any Web server can be enabled by using Netscape's SSLRef program library which can be downloaded for noncommercial use or licensed for commercial use.
TLS and SSL are not interoperable. However, a message sent with TLS can be handled by a client that handles SSL but not TLS

3          What are the different levels in TCP/IP at which WEB security may be implemented? Illustrate with examples.                                                                                          [6]

4          How is the Internet challenging the protection of individual privacy? Discuss and give examples where appropriate.                                                                                   [12]

5          Consider the task of designing a Web server that will target specifically E-commerce, with the objective of accommodating a number of merchant sites, each consisting of a catalog, shopping cart, payment system interfacing with a credit card company, customer profiles repository based on previous transactions, and a recommender system. What specific architectural suggestions would you make to ensure-

i)          efficiency

ii)          security

iii)         reliability                                                                                                       [9]

6          Write short notes on any THREE of the following technologies explaining how they are used in the development of a distributed information system.

i)          Active X control                                                                                              [4]

ans :-- ActiveX is a framework for defining reusable software components in a programming language-independent way. Software applications can then be composed from one or more of these components in order to provide their functionality.^[1]
It was introduced in 1996 by Microsoft as a development of its Component Object Model (COM) and Object Linking and Embedding (OLE) technologies and is commonly used in its Windows operating system, although the technology itself is not tied to it.
Many Microsoft Windows applications — including many of those from Microsoft itself, such as Internet Explorer, Microsoft Office, Microsoft Visual Studio, and Windows Media Player — use ActiveX controls to build their feature-set and also encapsulate their own functionality as ActiveX controls which can then be embedded into other applications. Internet Explorer also allows embedding ActiveX controls onto web pages.

ActiveX controls

ActiveX controls, mini program building blocks, can serve to create distributed applications working over the Internet through web browsers. Examples include customized applications for gathering data, viewing certain kinds of files, and displaying animation.
ActiveX controls are comparable to Java applets: programmers designed both of these mechanisms to allow web browsers to download and execute them. But Java applets can run on nearly any platform, while ActiveX components officially operate only with Microsoft's Internet Explorer web browser and the Microsoft Windows operating system.^[2]
Malwares, e.g. computer viruses and spywares, can be accidentally installed from malicious websites using ActiveX controls (drive-by downloads).
Programmers can write ActiveX controls in any language which supports COM component development, including the following languages/environments:

• C++ either directly or with the help of libraries such as ATL or MFC^[3]
• Borland Delphi
• Visual Basic
• .NET Framework (C# / VB.NET)

Common examples of ActiveX controls include command buttons, list boxes, dialog boxes, and the Internet Explorer browser. ctiveX controls are small programs, sometimes called add-ons, that are used on the Internet. They can enhance your browsing experience by allowing animation or they can help with tasks such as installing security updates at Microsoft Update.
Some websites require you to install ActiveX controls to see the site or perform certain tasks on it. When you visit such a site, Windows Internet Explorer asks if you want to install the ActiveX control.

ii)          FTP server                                                                                                     [4]

ans :--

iii)         CGI script                                                                                                      [4]

iv)         Active Server Page                                                                                         [4]

v)          HTML form                                                                                                    [4]

Indicate whether the technology runs on the client, on the server, or on both.

7          Which security feature’s do you expect from a secure e-mail system and from the machines running a secure e-mail system? Which layer is most appropriate for such a security service? Distinguish between services that want to offer anonymity in your answer.                                                                                                                  [6]

8          What are the different levels in TCP/IP at which web security may be implemented? Illustrate with examples.                                                                                            [6]

9          Consider the following threats to Web security and describe how each is countered by a particular feature of SSL (Secure Sockets Layer):

            i)          Brute-Force Cryptanalytic Attack

            ii)          Replay Attack

            iii)         Packet Sniffing

            iv)         Password Cracker

            v)          SYN Flooding

vi)         Man-In- The-Middle Attack                                                                            [12]

10         Name the six participants in the SET system and show their interconnections in a secure electronic commerce component diagram.                                                               [6]

11         Write short notes on any three:

            i)          Pretty Good Privacy (PGP)                                                                             [6]

12         What are two most popular active contents used as tools by attackers? Describe them briefly.                                                                                                                             [6]

13         What is the use of Active Directory in Windows 2000?                                                  [4]

14         Hoe does SET make a digital wallet similar to a real wallet and secure for e-commerce payment transaction?                                                                                                       [6]

 

15         Which protocol is used for securing credit card transactions over insecured network, specifically, the Internet? Which features are incorporated in the protocol to meet the business requirements?                                                                                                     [4]

16         What is secure mail? What is the reason for the lack of deployment of Privacy-enhanced Electronic mail (PEM) as compared to Pretty Good Privacy (PGP)?                                [6]

17         What is the difference between passive and active attacks with respect to security threats faced in using the web?                                                                                                [6]

18         What is secure mail? What is the reason for the lack of deployment of Privacy-enhanced Electronic mail (PEM) as compared to Pretty Good Privacy (PGP)? Explain PEM and PGP.                     [8]

19         How does the Secured Socket Layer transaction helps in secured data transmission?  [4]

20         What are the various ways of attacking the e-mails?                 [6]

21         Explain briefly Active Directory and the advantages offered by it.            [6]

22         Bob has just received a message. How does his Privacy Enhanced e-Mail (PEM)

processor know whether the message is a PEM message or just an ordinary message?    [6]

23         Explain briefly with an example, how Windows registry is secured. [6]

24         Name the six participants in the SET system and show their interconnections in a secure electronic commerce component diagram.       [6]

25)        Explain how PGP encryption works.        [9]

26         Why is the SSL layer positioned between the application layer and the transport layer?       [4]

27         List and give the purpose of the following protocols defined in SSL:

Handshake protocol, ChangeCipherSpec Protocol, Alert protocol and Record protocol.[4]

28         Name seven types of packets used in Pretty Good Services (PGP) and explain their purposes.        [7]

29        Consider the following threats to Web Security and describe how each is countered by a particular feature of SSL.

i)                     Brute-Force Cryptanalytic Attack.

ii)                   Replay Attack

iii)                  IP Spoofing

iv)                 Password Sniffing          [4]

30         What is the utility of detached signature in PGP?             [4]       

31         What is S/MIME? Explain its functions.   [9]

ans :-- S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for public key encryption and signing of MIME data. S/MIME is on an IETF standards track and defined in a number of documents, most importantly RFCs(3369,3370,3850,3851). S/MIME was originally developed by RSA Data Security Inc. The original specification used the IETF MIME specification^[1] with the de facto industry standard PKCS#7 secure message format. Change control to S/MIME has since been vested in the IETF and the specification is now layered on Cryptographic Message Syntax, an IETF specification that is identical in most respects with PKCS #7. S/MIME functionality is built into the majority of modern email software and interoperates between them.

Function:--

S/MIME provides two security services:

• Digital signatures
• Message encryption

These two services are the core of S/MIME-based message security. All other concepts related to message security support these two services. Although the full scope of message security may seem complex, these two services are the basis of message security. After gaining a basic understanding of digital signatures and message encryption, you can then learn how other concepts support these services.
Each service will be reviewed individually, and then information about how the two services work together will be provided.

 Understanding Digital Signatures

Digital signatures are the more commonly used service of S/MIME. As the name suggests, digital signatures are the digital counterpart to the traditional, legal signature on a paper document. As with a legal signature, digital signatures provide the following security capabilities:

• Authentication   A signature serves to validate an identity. It verifies the answer to "who are you" by providing a means of differentiating that entity from all others and proving its uniqueness. Because there is no authentication in SMTP e-mail, there is no way to know who actually sent a message. Authentication in a digital signature solves this problem by allowing a recipient to know that a message was sent by the person or organization who claims to have sent the message.
• Nonrepudiation   The uniqueness of a signature prevents the owner of the signature from disowning the signature. This capability is called nonrepudiation. Thus, the authentication that a signature provides gives the means to enforce nonrepudiation. The concept of nonrepudiation is most familiar in the context of paper contracts: a signed contract is a legally binding document, and it is impossible to disown an authenticated signature. Digital signatures provide the same function and, increasingly in some areas, are recognized as legally binding, similar to a signature on paper. Because SMTP e-mail does not provide a means of authentication, it cannot provide nonrepudiation. It is easy for a sender to disavow ownership of an SMTP e-mail message.
• Data integrity   An additional security service that digital signatures provide is data integrity. Data integrity is a result of the specific operations that make digital signatures possible. With data integrity services, when the recipient of a digitally signed e-mail message validates the digital signature, the recipient is assured that the e-mail message that is received is, in fact, the same message that was signed and sent, and has not been altered while in transit. Any alteration of the message while in transit after it has been signed invalidates the signature. In this way, digital signatures are able to provide an assurance that signatures on paper cannot, because it is possible for a paper document to be altered after it has been signed.

Important:

Although digital signatures provide data integrity, they do not provide confidentiality. Messages with only a digital signature are sent in cleartext, similar to SMTP messages, and can be read by others. In the case where the message is opaque-signed, a level of obfuscation is achieved because the message is base64-encoded, but it is still cleartext. To protect the contents of e-mail messages, you must use message encryption.

Authentication, nonrepudiation, and data integrity are the core functions of digital signatures. Together, they ensure recipients that the message came from the sender, and that the message received is the message that was sent.
At its simplest, a digital signature works by performing a signing operation on the text of the e-mail message when the message is sent, and a verifying operation when the message is read, as shown in the following figure.

Digital signature and verification operations on an e-mail message

The signing operation that is performed when the message is sent requires information that can only be supplied by the sender. (For more information about this signing operation, see "Public Key Cryptography and Digital Signatures" in Understanding Public Key Cryptography.) This information is used in a signing operation by capturing the e-mail message and performing a signing operation on the message. This operation produces the actual digital signature. This signature is then appended to the e-mail message and included with the message when it is sent. The following figure shows the sequence of signing a message.

Digital signing of an e-mail message

1. Message is captured.
2. Information uniquely identifying the sender is retrieved.
3. Signing operation is performed on the message using the sender's unique information to produce a digital signature.
4. Digital signature is appended to the message.
5. Message is sent.

Because this operation requires unique information from the sender, digital signatures provide authentication and nonrepudiation. This unique information can prove that the message could only come from the sender.

Note:

No security mechanism is perfect. It is possible for unauthorized users to obtain the unique information that is used for digital signatures and attempt to impersonate a sender. However, the S/MIME standard can handle these situations so that unauthorized signatures are shown to be invalid. For more information, see Understanding Digital Certificates.

When the recipient opens a digitally signed e-mail message, a verification procedure is performed on the digital signature. The digital signature that is included with the message is retrieved from the message. The original message is also retrieved, and a signing operation is then performed, which produces another digital signature. The digital signature included with the message is compared to the digital signature produced by the recipient. If the signatures match, the message is verified as having come from the sender as claimed. If the signatures do not match, the message is marked as invalid. The following figure shows the sequence of verifying a message.

Verifying a digital signature of an e-mail message

1. Message is received.
2. Digital signature is retrieved from the message.
3. Message is retrieved.
4. Information identifying the sender is retrieved.
5. Signing operation is performed on the message.
6. Digital signature included with the message is compared against the digital signature produced on receipt.
7. If the digital signatures match, the message is valid.

Important:

The sender's information that is used in verifying the signature is not the same information that is provided by the sender when the message is signed. The information used by the recipient is related in a way that lets the recipient verify the sender's unique information without actually knowing that information, thus protecting the sender's information. For more information about how the sender and recipient can share information, see "Public Key Cryptography and Digital Signatures" in Understanding Public Key Cryptography.

Taken together, the process of digital signing and verification of the digital signature authenticates the sender of an e-mail message and determines the integrity of the data within the signed message. Authenticating senders provides the additional capability of nonrepudiation, which prevents authenticated senders from claiming that they did not send the message. Digital signatures are a solution to impersonation and data tampering, which are possible with standard SMTP-based Internet e-mail.

 Understanding Message Encryption

Message encryption provides a solution to information disclosure. SMTP-based Internet e-mail does not secure messages. An SMTP Internet e-mail message can be read by anyone who sees it as it travels or views it where it is stored. These problems are addressed by S/MIME through the use of encryption.
Encryption is a way to change information so that it cannot be read or understood until it is changed back into a readable and understandable form.
Although message encryption is not as widely used as digital signatures, it does address what many perceive as the most serious weakness in Internet e-mail. Message encryption provides two specific security services:

• Confidentiality   Message encryption serves to protect the contents of an e-mail message. Only the intended recipient can view the contents, and the contents remain confidential and cannot be known by anyone else who might receive or view the message. Encryption provides confidentiality while the message is in transit and in storage.
• Data integrity   As with digital signatures, message encryption provides data integrity services as a result of the specific operations that make encryption possible.

Important:

Although message encryption provides confidentiality, it does not authenticate the message sender in any way. An unsigned, encrypted message is as susceptible to sender impersonation as an unencrypted message. Because nonrepudiation is a direct result of authentication, message encryption also does not provide nonrepudiation. Although encryption provides data integrity, an encrypted message can show only that the message has not been altered since it was sent. No information about who sent the message is provided. To prove the identity of the sender, the message must use a digital signature.

Confidentiality and data integrity provide the core functions of message encryption. They ensure that only the intended recipient can view a message and that the message received is the message that was sent.
Message encryption makes the text of a message unreadable by performing an encryption operation on it when it is sent. When the message is received, the text is made readable again by performing a decryption operation when the message is read, as shown in the following figure.

Message encryption and decryption operations on an e-mail message

The encryption operation that is performed when the message is sent captures the e-mail message and encrypts it using information that is specific to the intended recipient. The encrypted message replaces the original message, and then the message is sent to the recipient. The following figure shows the sequence of encrypting an e-mail message.

Encryption of an e-mail message

1. Message is captured.
2. Information uniquely identifying the recipient is retrieved.
3. Encryption operation is performed on the message using the recipient's information to produce an encrypted message.
4. Encrypted message replaces the text in the message.
5. Message is sent.

32.        Write short notes on any three of the following:-

a)         SET              [6]