
Q1.

a) Incident handling consists of the following points (proper explanation of the points to be given):
(1) Preparing and planning (what are the goals and objectives in handling an incident). (Half mark)
(2) Notification (who should be contacted in the case of an incident): local managers and personnel; law enforcement and investigative agencies; computer security incident handling teams; affected and involved sites; internal communications; public relations and press releases. (Half mark)
(3) Identifying an incident (is it an incident and how serious is it). (Half mark)
(4) Handling (what should be done when an incident occurs): notification (who should be notified about the incident); protecting evidence and activity logs (what records should be kept from before, during, and after the incident); containment (how can the damage be limited); eradication (how to eliminate the reasons for the incident); recovery (how to re-establish service and systems); follow-up (what actions should be taken after the incident). (2 marks)
(5) Aftermath (what are the implications of past incidents). (Half mark)

b) Risk Assessment: What is risk assessment? (1 mark) It is a balanced and realistic approach to estimating the probable amount of risk. The two steps involved are:

1) Identifying the assets (2 marks)
1. Hardware: CPUs, boards, keyboards, terminals, workstations, personal computers, printers, disk drives, communication lines, terminal servers, routers.
2. Software: source programs, object programs, utilities, diagnostic programs, operating systems, and communication programs.
3. Data: during execution, stored on-line, archived off-line, backups, audit logs, databases, in transit over communication media.
4. People: users, administrators, and hardware maintainers.
5. Documentation: on programs, hardware, systems, and local administrative procedures.
6. Supplies: paper, forms, ribbons, and magnetic media.

2) Identifying the threats (1 mark)
- Unauthorized access to resources and/or information
- Unintended and/or unauthorized disclosure of information
- Denial of service

c) Botnets: What are botnets? (2 marks)

A botnet (also known as a zombie army) is a number of Internet computers that, although their owners are unaware of it, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. Any such computer is referred to as a zombie - in effect, a computer "robot" or "bot" that serves the wishes of some master spam or virus originator.
How does it use IRC? (1 mark) Applications of botnets, such as DDoS, etc. (1 mark)

d) Digging for Worms:

E-mail isn't the only way that viruses and worms spread, but it's one of the most common. The following approaches are used to dig for worms: (1 mark for each approach)
1. One approach, of course, is to screen each piece of incoming mail on each desktop. It's a good idea to use a different brand of virus scanner for your gateway than for your desktop. In some cases, you may want to add your own patterns.
2. It's not hard to install a centralized filter for malware.
3. Use MX records to ensure that all inbound e-mail goes to a central place. Make sure that you include a wildcard MX record, too, for both your inside and your outside DNS:

    example.com.      IN MX 10 mail-gw.example.com
    *.example.com.    IN MX 10 mail-gw.example.com

4. Outgoing e-mail should be scanned, too. There's no convenient analog to MX records; just make sure that you filter out any more-specific inbound records.

A more dangerous form of annoyance is the trailer that reads something like this: "This piece of e-mail has been scanned, X-rayed, and screened for excessive nitrogenous compounds by ASCI/phage 2.71827, and is warranted to be free of viruses and worms. It is safe for consumption by humans and computers." A trailer like that is about equivalent to naming a file "This is not a virus.exe".

e) Digital Envelop Explanation ( 3 marks)

In practice, symmetric key cryptography and asymmetric key cryptography are combined into a very efficient security solution. When using secret-key cryptosystems, users must first agree on a session key, that is, a secret key to be used for the duration of one message or communication session. In completing this task there is a risk that the key will be intercepted during transmission. This is part of the key management problem. Public-key cryptography offers an attractive solution to this problem within a framework called a digital envelope. It is a secure container for an electronic message: a packet of electronic data including an encoded message, plus authenticating information. The digital envelope consists of a message encrypted using secret-key cryptography and an encrypted secret key. While digital envelopes usually use public-key cryptography to encrypt the secret key, this is not necessary. (Diagram 1 mark) If Alice and Bob have an established secret key, they could use this to encrypt the secret key in the digital envelope.

Suppose Alice wants to send a message to Bob using secret-key cryptography for message encryption and public-key cryptography to transfer the message encryption key. Alice chooses a secret key and encrypts the message with it, then encrypts the secret key using Bob's public key. She sends Bob both the encrypted secret key and the encrypted message. When Bob wants to read the message he decrypts the secret key, using his private key, and then decrypts the message, using the secret key.

In a multi-addressed communications environment such as e-mail, this can be extended directly and usefully. If Alice's message is intended for both Bob and Carol, the message encryption key can be represented concisely in encrypted forms for Bob and for Carol, along with a single copy of the message's content encrypted under that message encryption key. Alice and Bob may use this key to encrypt just one message or they may use it for an extended communication. One of the nice features of this technique is that they may switch secret keys as frequently as they would like. Not only do digital envelopes help solve the key management problem; they increase performance without sacrificing security. The increase in performance is obtained by using a secret-key cryptosystem to encrypt the large and variably sized amount of message data, reserving public-key cryptography for encryption of short-length keys. In general, secret-key cryptosystems are much faster than public-key cryptosystems. The digital envelope technique is a method of key exchange, but not all key exchange protocols use digital envelopes.

f) Exponential Attacks: What are exponential attacks? (1 mark) Exponential attacks use programs to spread themselves, multiplying their numbers quickly. When the programs travel by themselves, they are worms. When they attach to other programs, they are viruses.
How do they spread, and what is the impact of the attacks? (2 marks) These programs succeed by exploiting common bugs or behaviors found in a large population of susceptible programs or users. They can spread around the world within hours, and potentially in a few minutes. They can cause vast economic harm spread over a large community. The Melissa worm clogged Microsoft-based e-mail in some companies for five days. Various worms have added substantial load to the entire Internet. These programs tend to infect "targets of opportunity" rather than specific individuals or organizations, but their payloads can and do attack popular political and commercial targets.
Example of exponential attacks (1 mark)
Q2.

a) What is a security policy? (1 mark) (Either of the definitions) A security policy is the set of decisions that, collectively, determines an organization's attitude toward security. A security policy defines the boundaries of acceptable behavior and what the response to violations should be.
Characteristics of a security policy (3 marks)
(1) It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.
(2) It must be enforceable with security tools, where appropriate, and with sanctions, where actual prevention is not technically feasible.
(3) It must clearly define the areas of responsibility for the users, administrators, and management.
The components of a good security policy (for 8 components, 4 marks):
(1) Computer Technology Purchasing Guidelines, which specify required, or preferred, security features. These should supplement existing purchasing policies and guidelines.
(2) A Privacy Policy, which defines reasonable expectations of privacy regarding such issues as monitoring of electronic mail, logging of keystrokes, and access to users' files.
(3) An Access Policy, which defines access rights and privileges to protect assets from loss or disclosure by specifying acceptable use guidelines for users, operations staff, and management. It should provide guidelines for external connections, data communications, connecting devices to a network, and adding new software to systems.
(4) An Accountability Policy, which defines the responsibilities of users, operations staff, and management. It should specify an audit capability, and provide incident handling guidelines (i.e., what to do and who to contact if a possible intrusion is detected).
(5) An Authentication Policy, which establishes trust through an effective password policy, and by setting guidelines for remote location authentication and the use of authentication devices (e.g., one-time passwords and the devices that generate them).
(6) An Availability Statement, which sets users' expectations for the availability of resources. It should address redundancy and recovery issues, as well as specify operating hours and maintenance downtime periods.
(7) An Information Technology System and Network Maintenance Policy, which describes how both internal and external maintenance people are allowed to handle and access technology. One important topic to be addressed here is whether remote maintenance is allowed and how such access is controlled. Another area for consideration here is outsourcing and how it is managed.
(8) A Violations Reporting Policy, which indicates which types of violations (e.g., privacy and security, internal and external) must be reported and to whom the reports are made. A non-threatening atmosphere and the possibility of anonymous reporting will result in a greater probability that a violation will be reported if it is detected.
(9) Supporting Information, which provides users, staff, and management with contact information for each type of policy violation; guidelines on how to handle outside queries about a security incident, or information which may be considered confidential or proprietary; and cross-references to security procedures and related information, such as company policies and governmental laws and regulations.

b) Social Engineering:
What is social Engineering? (2 marks)

1. Social engineering is hacker-speak for tricking a person into revealing some vital information. In other words, social engineering is the practice of cheating people into revealing sensitive data on a computer system, often on the Internet.
2. This is like an art, a special tool of the attacker in which he plays psychological tricks on the target in order to gain important information. All this happens without the knowledge of the target, i.e. the target does not know at all that he/she is giving some vital information to the hacker.
3. Social engineering is a term that describes a non-technical kind of intrusion that relies on human interaction and often involves tricking other people into breaking normal security procedures.
Methods used by the hackers (2 marks):
- Through personal conversation
- Through telephonic conversation
- By chatting with the target
- By sending anonymous mails

Example of the trick (1 mark) Countermeasures (1 mark)

c) Bugs and backdoors. What are bugs? (1 mark)

A bug is something in a program that does not meet its specification. A bug may refer to some kind of problem in the software, which is undesired by its author.
Counter measures (1 mark)

All input should be checked for correctness at every point. If the program has fixed-size buffers of any sort, make sure that they cannot overflow. If dynamic memory allocation is used, prepare for memory or file-system exhaustion, and have proper recovery strategies, which may themselves need memory or disk space.

What are backdoors? (1 mark) A backdoor is a feature of a program that can be used to make it act in some way that the person who is running it did not intend. Backdoors are shortcut entry points to software or networks, i.e. entry without going through authentication mechanisms.
How does it affect the computer? (1 mark) These are programs which, when stored on the target systems, may allow easy access to hackers or give them sufficient information about the target to carry out attacks. There are several backdoor programs used by hackers. These are like automated tools, which carry out the destructive jobs for the hackers.
Countermeasure (1 mark) The only solution for backdoor attacks is double and triple checking of every piece of software before implementation. To guard against backdoors, cleaner solutions are also available (which work in a similar manner to antivirus utilities).
Example (1 mark)

Q3. a) Definition of cryptography (1 mark). Techniques:
Substitution techniques (explanation of any 4 techniques) (4 marks): 1. Caesar cipher (used by Julius Caesar), 2. Modified Caesar cipher, 3. Mono-alphabetic cipher, 4. Homophonic substitution cipher, 5. Polygram substitution cipher, 6. Polyalphabetic cipher, etc.
Transposition techniques (explanation of any 3 techniques) (3 marks): 1. Rail fence technique, 2. Simple columnar transposition, 3. Simple columnar transposition with multiple rounds, 4. Vernam cipher, 5. Book cipher, etc.
b) What is a firewall? (1 mark) Architecture of the firewall, diagram (1 mark) Distributed firewall concept (1 mark): provides multiple checkpoints; less prone to attack (exists in multiple forms); possible to prevent inside attacks; more secure implementation; servers can be outside the perimeter; more flexibility in operation; different security levels possible.
Features of distributed firewalls (4 features) (2 marks): Distributed firewalls are host-resident security solutions. They are meant to provide higher security to corporate networks. The main features include centralized management, logging, and fine access-control granularity.
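As an added, runnable illustration of the Q3 a) techniques (this is example code written for this page, not part of the original answer key), the following Python implements one substitution technique, the Caesar cipher, and two transposition techniques, the rail fence cipher and simple columnar transposition, each with its inverse. The rail fence routine is generalised to any number of rails (the textbook case is two); the key word for the columnar transposition and all sample plaintexts are constructed here.

```python
import string

ALPHABET = string.ascii_uppercase


def caesar(text: str, shift: int, decrypt: bool = False) -> str:
    """Caesar substitution: replace each letter by the one `shift` places
    down the alphabet (Julius Caesar used shift 3). Non-letters pass through."""
    k = -shift if decrypt else shift
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def _rail_pattern(length: int, rails: int) -> list:
    """Rail index visited by each text position when written in zig-zag order."""
    pattern, r, step = [], 0, 1
    for _ in range(length):
        pattern.append(r)
        if rails > 1:
            if r == 0:
                step = 1
            elif r == rails - 1:
                step = -1
            r += step
    return pattern


def rail_fence_encrypt(text: str, rails: int = 2) -> str:
    """Rail fence transposition: write the text diagonally over `rails` rows
    and read it off row by row (two rails is the textbook case)."""
    rows = [[] for _ in range(rails)]
    for ch, r in zip(text, _rail_pattern(len(text), rails)):
        rows[r].append(ch)
    return "".join("".join(row) for row in rows)


def rail_fence_decrypt(cipher: str, rails: int = 2) -> str:
    pattern = _rail_pattern(len(cipher), rails)
    counts = [pattern.count(r) for r in range(rails)]
    rows, pos = [], 0
    for c in counts:                      # slice the ciphertext back into rails
        rows.append(list(cipher[pos:pos + c]))
        pos += c
    return "".join(rows[r].pop(0) for r in pattern)


def _column_order(key: str) -> list:
    # Columns are read out in alphabetical order of the key letters;
    # ties are broken left to right.
    return sorted(range(len(key)), key=lambda i: (key[i], i))


def columnar_encrypt(text: str, key: str) -> str:
    """Simple columnar transposition: fill a grid row by row under `key`,
    then read the columns out in key order."""
    cols = len(key)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    return "".join(row[c] for c in _column_order(key) for row in rows if c < len(row))


def columnar_decrypt(cipher: str, key: str) -> str:
    cols, n = len(key), len(cipher)
    full_rows, extra = divmod(n, cols)
    col_len = [full_rows + (1 if c < extra else 0) for c in range(cols)]
    columns, pos = {}, 0
    for c in _column_order(key):          # refill the columns in key order
        columns[c] = list(cipher[pos:pos + col_len[c]])
        pos += col_len[c]
    return "".join(columns[i % cols].pop(0) for i in range(n))


if __name__ == "__main__":
    msg = "COMEHOMETOMORROW"                    # constructed sample plaintext
    print(caesar(msg, 3), caesar(caesar(msg, 3), 3, decrypt=True))
    print(rail_fence_encrypt(msg, 2), rail_fence_decrypt(rail_fence_encrypt(msg, 2), 2))
    print(columnar_encrypt(msg, "ZEBRA"), columnar_decrypt(columnar_encrypt(msg, "ZEBRA"), "ZEBRA"))
```

The decryption routines recover the grid shape from the ciphertext length alone, which is why an uneven last row in the columnar cipher needs the per-column length calculation rather than a plain reshape.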

These protect remote employees, precious servers of the enterprise, internal network as well as the individual terminal.

Diagram: (1 mark)

c) Protocol Failure: Concept:( 2 marks)

1. The protocols used in networks also have certain limitations or problems contained in them, which prevent the applications from doing the appropriate things. Since they work from behind the applications, this may increase the vulnerability.
2. In protocol failures we consider the reverse, i.e. areas where the protocols themselves are inadequate, thus denying the application the opportunity to do the right thing.
An example of such a failure is the TCP protocol failure (2 marks): TCP provides the circuits or paths for the IP datagrams, which may be sent across the network. Attackers inspecting the packets can obtain information about the source IP. Similarly, IP is a stateless and unreliable protocol; no guarantee of delivery of packets can be given. It is possible for attackers to send packets using any known or valid source address.

Diagram and explanation of three-way-handshake.(2 marks)

Q4. a) Different types of viruses: (4 marks) Viruses are classified on the following 4 bases:
1. Memory-based
2. Obfuscation-based
3. Payload-based
4. Target-based

Structure of a virus: (2 marks)

    Program V :=
    {
        goto main;
        1234567;
        subroutine infect-executable :=
        {
            loop: file := get-random-executable-file;
            if (first-line-of-file = 1234567) then goto loop
            else prepend V to file;
        }
        subroutine do-damage := { whatever damage is to be done }
        subroutine trigger-pulled := { return true if some condition holds }
        main: main-program :=
        {
            infect-executable;
            if trigger-pulled then do-damage;
            goto next;
        }
        next:
    }

Prevention (any 4 points) (2 marks)
1. Always keep backups of your data/programs.
2. Keep floppies write-protected (especially if they are bootable).
3. Do not copy anything into your system from any unknown source.
4. Restrict the use of the machine to authorized users only.
5. Never download mail attachments or unknown content from the Internet.
6. Even after taking these precautions, if a virus creeps into your system, it can be detected in various ways apart from using a virus scanner.

b) Strategies for a secure network: (Explanation of the 6 strategies) (6 marks)
1. Host security
2. Authentication of users
3. Choosing good passwords and protecting them
4. Using firewalls and proxy servers
5. DMZ
6. Making use of encryption

c) What is malicious software? (1 mark) Comparison for 5 categories (5 marks): concept, method of infection, carriers, types, example.

Q5. a) Packet Filter: Concept and Diagram (2 marks)

1. This firewall checks each and every IP packet individually, whether coming into or going out of the private network.
2. According to the selected policies (called rule-sets or access control lists, ACLs) it determines whether to accept a packet or reject it.

Advantages/features of packet filters: (2 marks)
1. Simple and straightforward mechanism.
2. It is cost effective.
3. It is fairly effective and adequate in most cases.
4. Operation is totally transparent to the users.
5. Faster in operation.
6. It has a built-in operating system optimized for security and performance, so it can be plugged into a network regardless of the OS being used.

Circuit level gateway: Definition (1 mark)

These run at the transport level of the TCP/IP model (or the session layer in the case of the OSI model). They check for specific sessions or services for filtering; they check neither individual packets nor the entire application. They are sometimes called relays, since they relay the sessions/services (also called circuits) for the users.
Features of circuit level gateways: (any 3 features) (1 mark)
1. More secure than packet filters, since they work at a higher level.
2. Do not check individual packets, inbound or outbound.
3. Can hide the internal network structure from external entities.
4. Flexibility to enable or disable sessions or services is available.
5. Less expensive compared to application level products.
6. Operation is transparent to the end users.
Example along with diagram (2 marks)

The SOCKS server is an example of the real life implementation of a circuit gateway. It is a client server application. The SOCKS client runs on the internal host, and, the SOCKS server runs on the firewall.

Diagram:

b) Any of the symmetric cryptographic algorithm (such as IDEA, DES etc)

DES (Data Encryption Standard) Cipher Algorithm: DES is a 16-round Feistel cipher with a block size of 64 bits. IBM developed DES in 1974 in response to a federal government public invitation for data encryption algorithms. In 1977, DES was published as a federal standard, FIPS PUB 46.
Algorithm:
Step 1: The 64-bit plain text block is handed over to the initial permutation (IP) function.
Step 2: IP is performed on the plain text.
Step 3: IP produces 2 halves, say LPT and RPT, of 32 bits each.
Step 4: Perform 16 rounds of the encryption process, each with its own key. The rounds are defined as follows in the algorithm: 4a: Key transformation; 4b: Expansion permutation (EP); 4c: S-box substitution; 4d: P-box permutation; 4e: XOR and swap.
Step 5: LPT and RPT are finally rejoined and a final permutation (FP) is performed on the combined block.
Step 6: The result of this process is the 64-bit cipher text.
Diagrammatic representation: Plain text (64 bit) -> IP -> LPT, RPT -> 16 rounds -> FP -> Cipher text.

Explanation of the algorithm: IP is performed by looking up the IP table. It happens only once, before the first round; the IP table specifies how the transposition should proceed.

In each round, step 1 is key transformation. That is achieved by:
1. Shifting the key positions according to the round table.
2. Applying the compression table to obtain the 48-bit sub-key.
Step 2 is expansion permutation (EP). In this step the 32-bit RPT is expanded to 48 bits to match the key length. The process is as follows: the 32-bit text is divided into 8 blocks of 4 bits each. Then 2 extra bits are added to each block (the first bit of block 1 is the last bit of block 8, and the last bit of block 8 is the first bit of block 7), giving the 48-bit text. After this expansion it is permuted according to the expansion permutation table.
Step 3 in the round is S-box substitution.
1. This step reduces the 48-bit RPT to 32 bits, because LPT is 32 bits.
2. It accepts 48 bits, applies XOR logic and gives 32 bits. The 48-bit key (result of step 1) and the 48-bit RPT (result of step 2) are XORed, and the 48-bit output block is given as the input to the S-box substitution. The 48-bit block is divided into 8 blocks of 6 bits each. The decimal equivalent of the first and last bits of a block gives the row number, and the decimal equivalent of bits 2, 3, 4 and 5 gives the column number in the S-box substitution table.

Look up the value and take its binary equivalent; the result is a 4-bit binary number. For example, if the 6-bit number is 100101, the first and last bits are 11, whose decimal equivalent is 3. The remaining bits are 0010, whose decimal equivalent is 2. If it is the first block of input, then look up the row 3, column 2 value in the S-box 1 substitution table. It is given as 1 in the table. The binary equivalent of 1 is 0001.

The 6-bit input 100101 is thus reduced to 0001 after S-box substitution.

Step 4 in the round is P-box permutation. In this step the output of the S-boxes, that is 32 bits, is permuted using a P-box. This mechanism involves a simple permutation, that is, replacement of each bit with another bit as specified in the P-box table, without any expansion or compression. This is called P-box permutation. The P-box is shown below (read left to right, top row first):

    16  7 20 21 29 12 28 17  1 15 23 26  5 18 31 10
     2  8 24 14 32 27  3  9 19 13 30  6 22 11  4 25

For example, the 16 in the first position indicates that the bit at position 16 of the input moves to position 1 of the output.
Step 5 is XOR and swap. The untouched LPT, which is 32 bits, is XORed with the resultant RPT, that is, with the output produced by the P-box permutation. The result of this XOR operation becomes the new right half. The old right half becomes the new left half in the process of swapping. At the end of 16 rounds, the final permutation is performed only once. This is a simple transposition based on the final permutation table. The output of the final permutation is the 64-bit encrypted block.

Filtering services for Telnet: Inbound telnet services (2 marks) Outbound telnet services (2 marks) Telnet summary (2 marks)

Outbound Telnet Service: In outbound telnet a local client is talking to a remote server. We need to handle both outgoing and incoming packets. The outgoing packets contain the user's keystrokes and have the following characteristics:
1) The IP source address of the outgoing packets is the local host's IP address.
2) The IP destination address of the outgoing packets is the remote host's IP address.
3) Telnet is a TCP-based service, so the IP packet type is TCP.
4) The TCP destination port is 23.
5) The TCP source port number is some seemingly random number greater than 1023.
6) The first outgoing packet, establishing the connection, will not have the ACK bit set; the rest of the outgoing packets will.

The incoming packets contain the data to be displayed on the user's screen and have the following characteristics:
1) The IP source address of the incoming packets is the remote host's IP address.
2) The IP destination address is the local host's IP address.
3) The IP packet type is TCP.
4) The TCP source port is 23; that is the port the server uses.
5) The TCP destination port number is the same random number greater than 1023 that we used as the source port for the outgoing packets.
6) All incoming packets will have the ACK bit set.

Inbound Telnet Service: In inbound telnet a remote client communicates with a local telnet server. We need to handle both incoming and outgoing packets.

The incoming packets for inbound telnet contain the user's keystrokes and have the following characteristics:
1) The IP source address of these packets is the remote host address.
2) The IP destination address is the local host address.
3) The IP packet type is TCP.
4) The TCP source port is some random port number greater than 1023.
5) The TCP destination port is 23.
6) The TCP ACK bit will not be set on the very first inbound packet establishing the connection, but it will be set on all other inbound packets.

The outgoing packets for inbound telnet contain the server's responses and have the following characteristics:
1) The IP source address is the local host address.
2) The IP destination address is the remote host address.
3) The IP packet type is TCP.
4) The TCP source port is 23.
5) The TCP destination port is the same random port Z that was used as the source port for the inbound packets.
6) The TCP ACK bit will be set on all outgoing packets.

Telnet Summary:
1) Rule A allows packets out to remote telnet servers.
2) Rule B allows the returning packets to come back in because it verifies that the ACK bit is set. Rule B can be abused by an attacker to allow incoming TCP connections from port 23 on the attacker's end to ports above 1023 on your end.
3) Rule C is the default rule. If none of the preceding rules apply, the packet is blocked. Remember from the previous discussion that any blocked packet should be logged and that it may or may not cause an ICMP message to be returned to the originator.

The following table illustrates the various types of packets involved in inbound and outbound telnet services:

    Service    Packet     Source    Destination  Packet  Source  Destination  ACK
    direction  direction  address   address      type    port    port         set
    Outbound   Outgoing   Internal  External     TCP     Y       23           a
    Outbound   Incoming   External  Internal     TCP     23      Y            Yes
    Inbound    Incoming   External  Internal     TCP     Z       23           a
    Inbound    Outgoing   Internal  External     TCP     23      Z            Yes

a - The TCP ACK bit will be set on all but the first of these packets, which establishes the connection. Note that Y and Z are both random port numbers above 1023. If you want to allow outgoing telnet, but nothing else, you would set up your packet filtering as follows:

    Rule  Direction  Source    Destination  Protocol  Source  Destination  ACK     Action
                     address   address                port    port         set
    A     Out        Internal  Any          TCP       >1023   23           Either  Permit
    B     In         Any       Internal     TCP       23      >1023        Yes     Permit
    C     Either     Any       Any          Any       Any     Any          Either  Deny
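As an added example (written for this page, not part of the original answer key), the following Python evaluates the three-rule "outgoing telnet only" table above against the four packet types described in the telnet section. Address fields use the page's "internal"/"external" labels instead of real IP ranges, which is an assumption of this example; the packets are constructed. The last sample packet reproduces the page's observation about rule B: an ACK-set TCP segment from port 23 to a port above 1023 is permitted regardless of whether an outbound connection ever existed, which is why a stateless filter of this kind is normally paired with connection tracking or a higher-level gateway.

```python
from dataclasses import dataclass


@dataclass
class Packet:
    direction: str   # "in" or "out"
    src_addr: str    # "internal" or "external" (labels, not real addresses)
    dst_addr: str
    protocol: str    # "tcp", "udp", "icmp", ...
    src_port: int
    dst_port: int
    ack: bool        # TCP ACK bit


@dataclass
class Rule:
    name: str
    direction: str   # "in", "out" or "either"
    src_addr: str    # "internal", "external" or "any"
    dst_addr: str
    protocol: str    # "tcp" or "any"
    src_port: str    # "23", ">1023" or "any"
    dst_port: str
    ack: str         # "yes" (ACK must be set) or "either"
    action: str      # "permit" or "deny"


# Rules A, B and C as tabulated for "outgoing telnet, nothing else".
RULES = [
    Rule("A", "out", "internal", "any", "tcp", ">1023", "23", "either", "permit"),
    Rule("B", "in", "any", "internal", "tcp", "23", ">1023", "yes", "permit"),
    Rule("C", "either", "any", "any", "any", "any", "any", "either", "deny"),
]


def _port_matches(spec: str, port: int) -> bool:
    if spec == "any":
        return True
    if spec.startswith(">"):
        return port > int(spec[1:])
    return port == int(spec)


def _field_matches(spec: str, value: str) -> bool:
    return spec in ("any", "either") or spec == value


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_field_matches(rule.direction, pkt.direction)
            and _field_matches(rule.src_addr, pkt.src_addr)
            and _field_matches(rule.dst_addr, pkt.dst_addr)
            and _field_matches(rule.protocol, pkt.protocol)
            and _port_matches(rule.src_port, pkt.src_port)
            and _port_matches(rule.dst_port, pkt.dst_port)
            and (rule.ack == "either" or pkt.ack))


def filter_packet(pkt: Packet, rules=RULES, log=None):
    """First-match evaluation; blocked packets are appended to `log` when given."""
    for rule in rules:
        if rule_matches(rule, pkt):
            if rule.action == "deny" and log is not None:
                log.append(f"blocked by rule {rule.name}: {pkt}")
            return rule.action, rule.name
    return "deny", "implicit"        # no rule matched: default deny


if __name__ == "__main__":
    log = []
    samples = [                      # constructed packets for the telnet cases above
        Packet("out", "internal", "external", "tcp", 1025, 23, False),  # outbound telnet, first packet
        Packet("in", "external", "internal", "tcp", 23, 1025, True),    # its reply
        Packet("in", "external", "internal", "tcp", 1030, 23, False),   # inbound telnet attempt
        Packet("in", "external", "internal", "tcp", 23, 1040, True),    # ACK-set segment from port 23
    ]
    for pkt in samples:
        print(filter_packet(pkt, log=log), pkt)
    print(log)
```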

Q6. a) What is message digest? (1 mark) Idea/Concept of MD. (1 mark) Any of the algorithm (MD1/MD2/MD3/MD4/MD5) 6 marks

MD5 Algorithm Description: We begin by supposing that we have a 1000-bit message as input, and that we wish to find its message digest. The following five steps are performed to compute the message digest of the message.

Step 1. Append Padding Bits: The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits short of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512. Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

Step 2. Append Length: A 64-bit representation of 1000 (the message length, excluding the padding) is appended to the result of the previous step. In the unlikely event that the message length is greater than 2^64, then only the low-order 64 bits of the length are used. At this point the resulting message (that is, message + padding + length) has a length that is an exact multiple of 512 bits. Equivalently, this message has a length that is an exact multiple of 16 (32-bit) words.

Step 3. Divide the input into 512-bit blocks: Now we divide the input message into blocks, each of length 512 bits.

Step 4. Initialize MD Buffer / Chaining Variables: A four-word buffer (A, B, C, D) is used to compute the message digest. Each of A, B, C, D is a 32-bit register. These registers are initialized to the following values in hexadecimal (low-order bytes first):
A: 01 23 45 67
B: 89 ab cd ef
C: fe dc ba 98
D: 76 54 32 10

Step 5. Process Message in 16-Word Blocks
5.1: Copy the four chaining variables into four corresponding variables a, b, c, and d. The algorithm considers the combination abcd as a single 128-bit register. This is useful for holding intermediate as well as final results.
5.2: Divide the current 512-bit block into 16 sub-blocks of 32 bits each.
5.3: Now we have 4 rounds. In each round, we process all 16 sub-blocks. The inputs to each round are:
1. All 16 sub-blocks, say M[0] to M[15], of 32 bits each.
2. The variables a, b, c and d, of 32 bits each.
3. Some constants t, an array of 64 elements, say t[1] to t[64]. Since there are four rounds, we use 16 of the 64 values of t in each round.
The process of a round:
1. A process P is first performed on b, c and d. This process P is different in each of the four rounds.
2. The variable a is added to the output of process P.
3. The message sub-block M[i] is added to the output of step 2.
4. The constant t[k] is added to the output of step 3.
5. The output of step 4 is circular-left-shifted by s bits. The value of s keeps changing.
6. The variable b is added to the output of step 5.
7. The output of step 6 becomes the new abcd for the next round.

One MD5 operation (diagram): the step takes a, b, c, d; computes Process P(b, c, d); ADDs a; ADDs M[i]; ADDs t[k]; SHIFTs (circular left by s); and ADDs b.

We define four auxiliary functions, that is, Process P in our context, each of which takes as input three 32-bit words and produces as output one 32-bit word:

Round 1: P = (b and c) or ((not b) and d)
Round 2: P = (b and d) or (c and (not d))
Round 3: P = b xor c xor d
Round 4: P = c xor (b or (not d))

Summary: The MD5 message-digest algorithm is simple to implement, and provides a "fingerprint" or message digest of a message of arbitrary length. It is conjectured that the difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations, and that the difficulty of coming up with any message having a given message digest is on the order of 2^128 operations. The MD5 algorithm has been carefully scrutinized for weaknesses. It is, however, a relatively new algorithm and further security analysis is of course justified, as is the case with any new proposal of this sort.
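As an added example (written for this page, not taken from the answer key or from RFC 1321's reference code), the following Python carries the five steps above through in full: padding to 448 mod 512, the 64-bit length, the four chaining variables, and the 64 steps of Process P, add, add, add, shift, add. The per-step shift amounts s and the sine-derived constants t[k] are the standard ones from RFC 1321, which the page refers to but does not list. The digest is cross-checked against `hashlib.md5`. Note that MD5 collisions have been practical since 2004, so the summary's 2^64 collision estimate no longer holds and MD5 should not be relied on where collision resistance matters.

```python
import hashlib
import math
import struct

MASK = 0xFFFFFFFF
# Per-step left-rotation amounts s: four rounds of 16 steps each (RFC 1321).
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# Constants t[1..64] (index 0..63 here), derived from the sine function as in RFC 1321.
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK for i in range(64)]
# Initial chaining variables A, B, C, D; the page's "01 23 45 67 ..." is this
# value written low-order byte first.
INIT = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)


def rotl(x: int, s: int) -> int:
    return ((x << s) | (x >> (32 - s))) & MASK


def pad(message: bytes) -> bytes:
    """Steps 1 and 2: append a single 1 bit, then 0 bits up to 448 mod 512,
    then the original length in bits as a 64-bit little-endian integer."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF   # low-order 64 bits of the length
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)
    return padded + struct.pack("<Q", bit_len)


def process_p(round_no: int, b: int, c: int, d: int) -> int:
    """The auxiliary function P for rounds 0..3 (F, G, H, I in RFC 1321)."""
    if round_no == 0:
        return (b & c) | (~b & d)
    if round_no == 1:
        return (b & d) | (c & ~d)
    if round_no == 2:
        return b ^ c ^ d
    return c ^ (b | ~d)


def md5(message: bytes) -> str:
    a0, b0, c0, d0 = INIT
    padded = pad(message)
    for off in range(0, len(padded), 64):                  # step 3: 512-bit blocks
        M = struct.unpack("<16I", padded[off:off + 64])     # 16 sub-blocks of 32 bits
        a, b, c, d = a0, b0, c0, d0                          # step 5.1: working copies
        for i in range(64):
            r = i // 16
            # Which sub-block M[g] feeds step i depends on the round.
            if r == 0:
                g = i
            elif r == 1:
                g = (5 * i + 1) % 16
            elif r == 2:
                g = (3 * i + 5) % 16
            else:
                g = (7 * i) % 16
            # P, then add a, M[i] and t[k] (Python ints are masked back to 32 bits).
            f = (process_p(r, b, c, d) + a + M[g] + T[i]) & MASK
            # Shift, add b, and rotate the variables for the next step.
            a, d, c, b = d, c, b, (b + rotl(f, S[i])) & MASK
        # Fold this block's result into the chaining variables.
        a0, b0, c0, d0 = ((a0 + a) & MASK, (b0 + b) & MASK,
                          (c0 + c) & MASK, (d0 + d) & MASK)
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def matches_hashlib(message: bytes) -> bool:
    """Cross-check the hand-written digest against the standard library."""
    return md5(message) == hashlib.md5(message).hexdigest()


if __name__ == "__main__":
    sample = b"The quick brown fox jumps over the lazy dog"   # constructed sample input
    print(md5(sample), matches_hashlib(sample))
    # The page's 1000-bit (125-byte) message pads out to 1536 bits, i.e. three blocks.
    print(len(pad(b"\x00" * 125)) * 8, "padded bits for a 1000-bit message")
```

`pad` makes the worked example from the text concrete: a 1000-bit message is already past the 448-bit mark of its second block, so padding runs into a third block and the padded input is 1536 bits, not 1024.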

b) Views based on the inside and outside attacks : (2 marks) Explanation (3 marks) Justification/Support points (1 mark)

c) Digital Signature: Definition: (1 mark) Techniques: (1 mark)

The actual working of digital signatures involves the use of a concept called the 'message digest' or 'hash'. Implementation: (both sender's and receiver's side, with diagram) (4 marks) Steps for the process:
Sender's side:
1. If X is the sender, the SHA-1 algorithm is used to first calculate the message digest (MD1) of the original message.
2. This MD1 is further encrypted using RSA with X's private key. This output is called the digital signature (DS) of X.
3. Further, the original message (M) along with the digital signature (DS) is sent to the receiver.

Receiver's side:
1. Y thus receives the original message (M) and X's digital signature. Y uses the same message digest algorithm used by X to calculate the message digest (MD2) of the received message (M).
2. Also, Y uses X's public key to decrypt the digital signature. The outcome of this decryption is nothing but the original message digest (MD1) calculated by X.
3. Y then compares this digest MD1 with the digest MD2 it has just calculated. If both match, i.e. MD1 = MD2, Y can accept the original message (M) as correctly authenticated and assured to have originated from X; whereas if they are different, the message shall be rejected.
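As an added example serving both the digital envelope section of Q1 e) and the digital signature steps above (example code written for this page, not part of the answer key), the following Python builds one toy RSA key pair each for Alice, Bob and Carol and then runs the two procedures end to end: Alice seals one message for Bob and Carol (one symmetric ciphertext, one wrapped session key per recipient), and Alice signs a message by SHA-1 hashing it and applying her private key, with the receiver recovering MD1 and comparing it to MD2. Two things are assumptions made for readability: the RSA keys are textbook RSA without padding, built from Mersenne primes that are far too small for real use, and the secret-key cipher is a SHA-256 counter-mode keystream standing in for DES/AES. The sample message is constructed.

```python
import hashlib
import secrets


def make_keypair(p: int, q: int, e: int = 65537):
    """Toy textbook RSA: returns (public key, private key) as (e, n) and (d, n)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))      # modular inverse (Python 3.8+)
    return (e, n), (d, n)


# Mersenne primes chosen only so that a 160-bit SHA-1 digest and a 128-bit session
# key fit below each modulus; this is an illustrative assumption, not a real key size.
ALICE_PUB, ALICE_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**61 - 1, 2**127 - 1)
CAROL_PUB, CAROL_PRIV = make_keypair(2**521 - 1, 2**607 - 1)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in for the secret-key cipher (DES/AES in practice): a SHA-256
    keystream in counter mode XORed over the data. Applying it twice decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], block))
    return bytes(out)


def seal_envelope(message: bytes, recipients: dict) -> dict:
    """Digital envelope: encrypt the message once under a fresh session key,
    then encrypt that session key separately under each recipient's public key."""
    session_key = secrets.token_bytes(16)
    k = int.from_bytes(session_key, "big")
    wrapped = {name: pow(k, e, n) for name, (e, n) in recipients.items()}
    return {"ciphertext": keystream_xor(session_key, message), "wrapped_keys": wrapped}


def open_envelope(envelope: dict, name: str, private_key) -> bytes:
    """Recipient: unwrap the session key with the private key, then decrypt."""
    d, n = private_key
    session_key = pow(envelope["wrapped_keys"][name], d, n).to_bytes(16, "big")
    return keystream_xor(session_key, envelope["ciphertext"])


def sign(message: bytes, private_key) -> int:
    """Sender's side: MD1 = SHA-1(M); DS = MD1 transformed with the private key."""
    d, n = private_key
    md1 = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return pow(md1, d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Receiver's side: recover MD1 with the public key, recompute MD2, compare."""
    e, n = public_key
    md1 = pow(signature, e, n)
    md2 = int.from_bytes(hashlib.sha1(message).digest(), "big")
    return md1 == md2


if __name__ == "__main__":
    msg = b"Transfer the report by Monday."            # constructed sample message
    env = seal_envelope(msg, {"bob": BOB_PUB, "carol": CAROL_PUB})
    print(open_envelope(env, "bob", BOB_PRIV), open_envelope(env, "carol", CAROL_PRIV))
    ds = sign(msg, ALICE_PRIV)
    print(verify(msg, ds, ALICE_PUB), verify(msg + b"!", ds, ALICE_PUB))
```

The envelope dictionary makes the multi-recipient point of Q1 e) visible: `ciphertext` is stored once however many recipients there are, and only the short `wrapped_keys` entries grow with the recipient list.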

Q7. Distinguish between the following: a) Traditional and Distributed Firewall Categories: (Any 5 categories) (5 marks)

Categories: concept/definition; entry point into the network; proneness to attacks; approach with inside attacks; secure implementation; servers' location; flexibility of operation.
b) Active and Passive attacks:

Categories: (5 marks)

Concept/Definition (1 mark) Types, their explanation and diagram (4 marks)
c) Symmetric and asymmetric cryptography: Concept/Definition (1 mark) 8 categories (4 marks)

Comparison of symmetric key cryptography and asymmetric key cryptography:
1. Key used for encryption/decryption. Symmetric: the same key is used for encryption and decryption (Ke = Kd). Asymmetric: one key is used for encryption and another, different key is used for decryption (Ke ≠ Kd).
2. Speed of encryption/decryption. Symmetric: very fast. Asymmetric: slower.
3. Size of resulting encrypted text. Symmetric: usually the same as or less than the original clear text size. Asymmetric: more than the original clear text size.
4. Key agreement / exchange. Symmetric: a big problem. Asymmetric: no problem at all.
5. Number of keys required as compared to the number of participants in the message exchange. Symmetric: equals about the square of the number of participants, so scalability is an issue. Asymmetric: same as the number of participants, so it scales up quite well.
6. Usage. Symmetric: mainly for encryption and decryption (confidentiality); cannot be used for digital signatures (integrity and non-repudiation checks). Asymmetric: can be used for encryption and decryption (confidentiality) as well as for digital signatures (integrity and non-repudiation checks).
7. Efficiency in usage. Symmetric: symmetric key cryptography is often used for long messages. Asymmetric: public key algorithms are more efficient for short messages.

d) Sniffing and Spoofing:

Packet Sniffing: (concept and levels) (2 marks) Packet sniffing is a passive attack on an ongoing conversation. An attacker need not hijack a conversation, but instead can simply observe, i.e. sniff, packets as they pass by. Clearly, to prevent an attacker from sniffing packets, the information that is passing needs to be protected in some way. This can be done at two levels:
i. The data that is traveling can be encoded in some way.
ii. The transmission link itself can be encoded.

Packet Spoofing: (concept and 3 levels) (3 marks) In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver, i.e. the party who receives the packets containing a false source address, would inadvertently send replies back to the forged address (called the spoofed address) and not to the attacker. This can lead to three possible cases:
i. The attacker can intercept the reply: if the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.
ii. The attacker need not see the reply: if the attacker's intention was a denial of service (DoS) attack, the attacker need not bother about the reply.
iii. The attacker does not want the reply: the attacker could simply be angry with the host, so it may put that host's address as the forged source address and send the packet to the destination. The attacker does not want a reply from the destination, as it wants the host with the forged address to receive it and get confused.
