CS707 Network Security Midterm Short Questions
Q.1 What are the characteristics of a stream cipher?
A stream cipher treats the message as a stream of bits and performs mathematical functions on each bit individually. When using a stream cipher, a plaintext bit will be transformed into a different ciphertext bit each time it is encrypted. Stream ciphers use keystream generators, which produce a stream of bits that is XORed with the plaintext bits to produce ciphertext.
Q.2 Message Authentication Codes (MACs)
A MAC function is an authentication scheme derived by applying a secret key to a message in some form. This does not mean the symmetric key is used to encrypt the message, though.
Q.3 Define and describe the fields of the digital certificate. 10 marks
Digital certificates (public key certificates, specifically X.509 certificates) are signed data structures that bind attributes of an entity to its corresponding public key. The basic requirement for a Digital Certificate is that it needs to be signed by a certification authority (CA).
Q.4 What is CMAC? How does it work?
Cipher-Based Message Authentication Code (CMAC) provides the same type of data origin authentication and integrity as CBC-MAC but is more secure mathematically.
CMAC is a variation of CBC-MAC. It is approved to work with AES and Triple DES.
So here is how CMAC works: the symmetric algorithm (AES or 3DES) creates the symmetric key. This key is used to create subkeys. The subkeys are used individually to encrypt the individual blocks of a message.
Q.5 CBC-MAC: describe its properties.
If a CBC-MAC is being used, the message is encrypted with a symmetric block cipher in CBC mode, and the output of the final block of ciphertext is used as the MAC.
Q.6 What Is the Difference Between Public Key Cryptography and Public Key Infrastructure?
Public key cryptography is the use of an asymmetric algorithm. Thus, the terms asymmetric algorithm and public key cryptography are interchangeable and mean the same thing. Examples of asymmetric algorithms are RSA, elliptic curve cryptosystem (ECC), Diffie-Hellman, El Gamal, LUC, and Knapsack.
Public key infrastructure (PKI) is different. It is not an algorithm, a protocol, or an application—it is an infrastructure based on public key cryptography.
Q. 7 Chain certificates
A certificate authority (CA) is a trusted entity that issues electronic documents that verify a digital entity’s identity on the Internet. The electronic documents, which are called digital certificates, are an essential part of secure communication and play an important part in the public key infrastructure (PKI). Certificates typically include the owner's public key, the expiration date of the certificate, the owner's name and other information about the public key owner. Operating systems (OSes) and browsers maintain lists of trusted CA root certificates to verify certificates that a CA has issued and signed.
Q.8 Elaborate the term digital signature?
A digital signature (not to be confused with a digital certificate) is a mathematical technique used to validate the authenticity and integrity of a message, software or digital document.
To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash -- along with other information, such as the hashing algorithm -- is the digital signature.
Q.9 What is a digital certificate?
Digital certificates are a means by which consumers and businesses can utilize the security applications of Public Key Infrastructure (PKI). PKI comprises the technology that enables secure e-commerce and Internet-based communication.
Q.10 What security measures are adopted in the layers of the OSI model?
The OSI reference model for networking (ISO 7498-1) is designed around seven layers arranged in a stack. The OSI security architecture reference model (ISO 7498-2) is also designed around seven layers, reflecting a high-level view of the different requirements within network security.
| Layers (ISO 7498-1) | ISO 7498-2 Security Model |
|---|---|
| Application | Authentication |
| Presentation | Access Control |
| Session | Non-Repudiation |
| Transport | Data Integrity |
| Network | Confidentiality |
| Data Link | Assurance / Availability |
| Physical | Notarization / Signature |
Q:11 - In the context of hashing, what is meant by compression?
This function is used for message integrity: the generated hashed number must be the same when the recipient receives the message and runs it through the same hash function. If the resultant hashed number/message digest is the same, the received message has not been altered.
Q. 12 What is the X.509 standard?
The standard for how the CA creates the certificate is X.509, which dictates the different fields used in the certificate and the valid values that can populate those fields. The most commonly used version of this standard is version 3, which is often denoted as X.509v3. Many cryptographic protocols use this type of certificate, including SSL.
PKI is an ISO authentication framework that uses public key cryptography and the X.509 standard.
The framework was set up to enable authentication to happen across different networks and the Internet.
Particular protocols and algorithms are not specified, which is why PKI is called a framework and not a specific technology.
Q.13 What are one-way functions? How are they implemented in cryptography?
A one-way function is a mathematical function that is easier to compute in one direction than in the opposite direction. An analogy of this is when you drop a glass on the floor. Although dropping a glass on the floor is easy, putting all the pieces back together again to reconstruct the original glass is next to impossible. This concept is similar to how a one-way function is used in cryptography, which is what the RSA algorithm, and all other asymmetric algorithms, is based upon. The easy direction of computation in the one-way function that is used in the RSA algorithm is the process of multiplying two large prime numbers. Multiplying the two numbers to get the resulting product is much easier than factoring the product and recovering the two initial large prime numbers used to calculate the obtained product, which is the difficult direction. RSA is based on the difficulty of factoring large numbers that are the product of two large prime numbers. Attacks on these types of cryptosystems do not necessarily try every possible key value, but rather try to factor the large number, which will give the attacker the private key.
When a user encrypts a message with a public key, this message is encoded with a one-way function (breaking a glass). This function supplies a trapdoor (knowledge of how to put the glass back together), but the only way the trapdoor can be taken advantage of is if it is known about and the correct code is applied. The private key provides this service. The private key knows about the trapdoor, knows how to derive the original prime numbers, and has the necessary programming code to take advantage of this secret trapdoor to unlock the encoded message (reassembling the broken glass). Knowing about the trapdoor and having the correct functionality to take advantage of it are what make the private key private.
When a one-way function is carried out in the easy direction, encryption and digital signature verification functionality are available. When the one-way function is carried out in the hard direction, decryption and signature generation functionality are available. This means only the public key can carry out encryption and signature verification and only the private key can carry out decryption and signature generation.
As explained earlier in this chapter, work factor is the amount of time and resources it would take for someone to break an encryption method. In asymmetric algorithms, the work factor relates to the difference in time and effort that carrying out a one-way function in the easy direction takes compared to carrying out a one-way function in the hard direction. In most cases, the larger the key size, the longer it would take for the bad guy to carry out the one-way function in the hard direction (decrypt a message).
Q.14 Define and discuss various components of PKI infrastructure.
A PKI may be made up of the following entities and functions:
• CA
• RA
• Certificate repository
• Certificate revocation system
• Key backup and recovery system
• Automatic key update
• Management of key histories
• Timestamping
• Client-side software
Q.15 Characteristics Of Strong Stream Ciphers
• Long periods of no repeating patterns within keystream values: bits generated by the keystream must be random.
• Statistically unpredictable keystream: the bits generated from the keystream generator cannot be predicted.
• A keystream not linearly related to the key: if someone figures out the keystream values, that does not mean she now knows the key value.
• Statistically unbiased keystream (as many 0’s as 1’s): there should be no dominance in the number of 0’s or 1’s in the keystream.
Q.16 Public key cryptography
1- Public-key encryption
2- Digital signatures
3- Secure key exchange
Define and describe the fields of digital certificate
| Field | Description |
|---|---|
| Version | Identifies the version of the certificate |
| Serial Number | Unique number for the certificate |
| Signature | Algorithm ID used to sign the certificate |
| Issuer | Name of certificate issuer |
| Validity | Validity dates |
| Subject | Name of owner |
| Subject Public Key Info | Public key of owner |
| Issuer Unique ID | ID of issuing CA |
| Subject Unique ID | ID of subject |
| Extensions | Optional extensions |
Q.17 What are the categories of security services? Briefly explain them.
Solution:
PKI supplies the following security services:
• Confidentiality
• Access control
• Integrity
• Authentication
• Nonrepudiation
A PKI must retain a key history, which keeps track of all the old and current public keys that have been used by individual users. For example, if Kevin encrypted a symmetric key with Dave’s old public key, there should be a way for Dave to still access this data. This can only happen if the CA keeps a proper history of Dave’s old certificates and keys.
Q.18 Briefly describe the features of the Advanced Encryption Algorithm (Rijndael). [5]
The block sizes that Rijndael supports are 128, 192, and 256 bits. The number of rounds depends upon the size of the block and the key length:
· If both the key and block size are 128 bits, there are 10 rounds
· If both the key and block size are 192 bits, there are 12 rounds
· If both the key and block size are 256 bits, there are 14 rounds
Rijndael works well when implemented in software and hardware in a wide range of products and environments. It has low memory requirements and has been constructed to easily defend against timing attacks.
Rijndael was NIST's choice to replace DES. It is now the algorithm required to protect sensitive but unclassified government information.
Q. 19 List and briefly describe the fields that are part of a digital certificate.
Version number: Version number of the X.509 standard. Most certificates follow Version 3. Different versions have different fields.
Issuer: Name of the certificate authority (CA).
Serial Number: Unique serial number for the certificate, set by the CA.
Subject: The name of the person, organization, computer, or program to which the certificate has been issued. This is the true party.
Public Key: The public key of the subject (the true party).
Public Key Algorithm: The algorithm the subject uses to sign messages with digital signatures.
Valid Period: The period before which and after which the certificate should not be used. Note: The certificate may be revoked before the end of this period.
Digital Signature: The digital signature of the certificate, signed by the CA with the CA’s own private key. For testing certificate authentication and integrity. User must know the CA’s public key independently.
Signature Algorithm Identifier: The digital signature algorithm the CA uses to sign its certificates.
Other Fields:
Q:20 If you are supposed to implement a one-time pad encryption scheme, which requirements do you think each pad must fulfill so that it is unbreakable?
A one-time pad is a perfect encryption scheme because it is considered unbreakable if implemented properly.
For a one-time pad encryption scheme to be considered unbreakable, each pad in the scheme must be:
Made up of truly random values
Used only one time
Securely distributed to its destination
Secured at sender's and receiver's sites
At least as long as the message
Q:22 Differentiate between public key cryptography and public key infrastructure.
These algorithms are used to create public/private key pairs, perform key exchange or agreement, and generate and verify digital signatures. Note that public key cryptography can only perform key agreement and cannot generate or verify digital signatures.
Public key infrastructure (PKI) is different. It is not an algorithm, a protocol, or an application. It is an infrastructure based on public key cryptography.
Q:23 What are the two basic functions used in encryption algorithms?
All encryption algorithms are based on two general principles:
Substitution:
In which each element in the plaintext (bit, letter, group of bits or letters) is mapped into another element.
Transposition:
In which elements in the plaintext are rearranged. The fundamental requirement is that no information be lost (that is, that all operations are reversible). Most systems, referred to as product systems, involve multiple stages of substitution and transposition.
Q:24 Differentiate between Kerberos version 4 and version 5.
| | Kerberos Version 4 | Kerberos Version 5 |
|---|---|---|
| Chronology | Kerberos v4 was released prior to version 5, in the late 1980’s. | Version 5 was published in 1993, years after the appearance of version 4. |
| Key salt algorithm | Uses the principal name partially. | Uses the entire principal name. |
| Encoding | Uses the “receiver-makes-right” encoding system. | Uses the ASN.1 coding system. |
| Ticket support | Satisfactory | Well extended. Facilitates forwarding, renewing and postdating tickets. |
| Transitive cross-realm authentication support | No present support for the cause. | Reasonable support present for such authentication. |
Q:25 Consider a 32-bit hash function implemented as two 16-bit functions using XOR and RXOR. Does the checksum created by concatenating both detect all odd-parity errors? Explain. If these functions are used for authentication, what will be the effectiveness of the authentication?
Consider a 32-bit hash function defined as the concatenation of two 16-bit functions: XOR and RXOR, which are defined in Section 3.2 as “two simple hash functions.”
a. Will this checksum detect all errors caused by an odd number of error bits? Explain.
b. Will this checksum detect all errors caused by an even number of error bits? If not, characterize the error patterns that will cause the checksum to fail.
c. Comment on the effectiveness of this function for use as a hash function for authentication.
Solution:
a. Yes. The XOR function is simply a vertical parity check. If there is an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error.
Note that the RXOR function also catches all errors caused by an odd number of error bits. Each RXOR bit is a function of a unique “spiral” of bits in the block of data. If there is an odd number of errors, then there must be at least one spiral that contains an odd number of errors, and the parity bit for that spiral will detect the error.
b. No. The checksum will fail to detect an even number of errors when both the XOR and RXOR functions fail. In order for both to fail, the pattern of error bits must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and even number of error bits in each spiral.
c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash function would be too easy.
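The solution to Q:25 can be checked directly. This is an added example, not part of the original notes; it assumes the usual textbook definition of RXOR (rotate the running 16-bit hash left by one bit, then XOR in the next block), and the function names and the sample message are constructed for illustration.

```python
MASK = 0xFFFF  # 16-bit blocks

def xor16(blocks):
    """Vertical parity: bit j of the result is the parity of column j."""
    h = 0
    for b in blocks:
        h ^= b
    return h

def rxor16(blocks):
    """Assumed RXOR: rotate the hash left one bit, then XOR in the block.
    Block i of n ends up rotated n-1-i times, so each output bit is the
    parity of one diagonal "spiral" through the data."""
    h = 0
    for b in blocks:
        h = ((h << 1) | (h >> 15)) & MASK
        h ^= b
    return h

def checksum32(blocks):
    """The 32-bit checksum from the question: XOR || RXOR."""
    return (xor16(blocks) << 16) | rxor16(blocks)

def flip(blocks, positions):
    """Return a copy with bit j of block i inverted for each (i, j)."""
    out = list(blocks)
    for i, j in positions:
        out[i] ^= 1 << j
    return out

def detects(blocks, positions):
    """True if the checksum changes when the given bits are flipped."""
    return checksum32(flip(blocks, positions)) != checksum32(blocks)

# Constructed sample message: 32 blocks of 16 bits.
MESSAGE = [(i * 0x9E37 + 0x1234) & MASK for i in range(32)]

if __name__ == "__main__":
    # (a) odd number of errors: always caught by some column parity bit
    print("1 flip :", detects(MESSAGE, [(3, 5)]))
    print("3 flips:", detects(MESSAGE, [(0, 0), (1, 1), (2, 2)]))
    # (b) same column, adjacent blocks: XOR misses it, RXOR catches it
    print("2 flips, adjacent blocks:", detects(MESSAGE, [(2, 7), (3, 7)]))
    # (b) same column AND same spiral (blocks 16 apart): both miss it
    print("2 flips, 16 blocks apart:", detects(MESSAGE, [(2, 7), (18, 7)]))
    # (b) four flips at column/spiral intersections (offset 8 in both)
    print("4 flips:", detects(MESSAGE, [(0, 0), (0, 8), (8, 0), (8, 8)]))
```

The last two cases leave the checksum unchanged although the message differs, which is the even-error pattern described in (b) and the reason (c) rules the function out for authentication.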