Describe the main participants in the Secure Electronic Transaction (SET) standard, which relies on X.509v3 certificates, and the steps in processing a transaction
Cardholder: In the electronic environment, consumers and corporate purchasers interact with merchants from personal computers over the Internet. A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods or services to sell to the cardholder. Typically, these goods and services are offered via a Web site or by electronic mail. A merchant that accepts payment cards must have a relationship with an acquirer.
Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. Typically, accounts are applied for and opened by mail or in person. Ultimately, it is the issuer that is responsible for the payment of the debt of the cardholder.
Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant's account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for electronic funds transfer.
Payment gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions. The merchant exchanges SET messages with the payment gateway over the Internet, while the payment gateway has some direct or network connection to the acquirer's financial processing system.
Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this purpose. A hierarchy of CAs is used, so that participants need not be directly certified by a root authority.
(b) Discuss the types of security threats to be faced when using web applications, their consequences and the countermeasures
Answer:
Threats | Consequences | Countermeasures

Integrity (2 marks)
Threats:
· Modification of user data
· Trojan horse browser
· Modification of memory
· Modification of message traffic in transit
Consequences:
· Loss of information
· Compromise of machine
· Vulnerability to all other threats
Countermeasures: Cryptographic checksums. A cryptographic checksum is created by running the data through a hash function, a series of mathematical operations that maps the contents of the file to a fixed-length string of digits called a hash value, which is then stored or sent as the checksum; any change to the data produces a different value, so the receiver can detect modification by recomputing it.

Confidentiality (2 marks)
Threats:
· Eavesdropping on the Net
· Theft of info from server
· Theft of data from client
· Info about network configuration
· Info about which client talks to server
Consequences:
· Loss of information
· Loss of privacy
Countermeasures: Encryption, web proxies. A proxy server receives a request for an Internet service (such as a Web page request) from a user. If it passes filtering requirements, the proxy server, assuming it is also a cache server, looks in its local cache of previously downloaded Web pages. If it finds the page, it returns it to the user without needing to forward the request to the Internet. If the page is not in the cache, the proxy server, acting as a client on behalf of the user, uses one of its own IP addresses to request the page from the server out on the Internet. When the page is returned, the proxy server relates it to the original request and forwards it on to the user. Because the origin server only ever sees the proxy's address, the proxy also hides which internal client is talking to which server.

Denial of Service (2 marks)
Threats:
· Killing of user threads
· Flooding machine with bogus requests
· Filling up disk or memory
· Isolating machine by DNS attacks
Consequences:
· Disruptive
· Annoying
· Prevent user from getting work done
Countermeasures: Difficult to prevent.

Authentication (2 marks)
Threats:
· Impersonation of legitimate users
· Data forgery
Consequences:
· Misrepresentation of user
· Belief that false information is valid
Countermeasures: Cryptographic techniques. Secret Key Cryptography (SKC) uses a single key for both encryption and decryption; Public Key Cryptography (PKC) uses one key for encryption and another for decryption; hash functions use a mathematical transformation to irreversibly digest information (they do not encrypt it, since there is no key and the input cannot be recovered).
Apart from the above issues, students are required to include other threats related to phishing, password policies, disgruntled or corruptible employees and security awareness for mobile devices – 2 marks.
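As an added example for the Integrity row above (written for this page, not part of the original answer), the following shows the caveat a practitioner would attach to "cryptographic checksums": an unkeyed hash only detects accidental change, because an attacker who can modify the message in transit can simply recompute the hash, whereas a keyed checksum (HMAC) cannot be recomputed without the shared key. The shared key and the sample payment message are constructed for the example.

```python
"""Cryptographic checksums for integrity: unkeyed hash vs keyed HMAC.

Added example for the Integrity row of the table; not code from the original
page. Key and sample message are constructed.
"""
import hashlib
import hmac


def checksum(data: bytes) -> str:
    """Unkeyed cryptographic checksum (SHA-256, hex)."""
    return hashlib.sha256(data).hexdigest()


def tag(key: bytes, data: bytes) -> str:
    """Keyed checksum (HMAC-SHA256): needs the shared key to compute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, received: str) -> bool:
    """Constant-time comparison so the tag cannot be guessed byte by byte via timing."""
    return hmac.compare_digest(tag(key, data), received)


def simulate(use_key: bool) -> dict:
    """Sender emits (message, check); an attacker on the path edits the message.
    With a plain hash the attacker recomputes the check and the receiver is
    fooled; with HMAC the best they can do is replay the old tag, which fails."""
    key = b"shared-secret-client-server"            # constructed; known to both endpoints only
    message = b"PAY 100.00 TO ACCOUNT 12345"         # constructed sample
    sent_check = tag(key, message) if use_key else checksum(message)

    tampered = message.replace(b"12345", b"99999")  # modification in transit
    # attacker can recompute an unkeyed hash, but can only replay the old HMAC
    forged_check = sent_check if use_key else checksum(tampered)

    if use_key:
        passed = verify_tag(key, tampered, forged_check)
    else:
        passed = hmac.compare_digest(checksum(tampered), forged_check)
    return {"message_intact": tampered == message, "check_passed": passed}
```

`simulate(False)` reports the check passing even though the message was altered; `simulate(True)` reports it failing. The same reasoning is why integrity protection on the wire uses a MAC (or a digital signature) rather than a bare digest.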
Q2.(a) Describe the benefits that can be provided by an Intrusion Detection System (IDS).
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner the intrusion is detected, the less the amount of damage and the more quickly recovery can be achieved - briefing on this –
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions - briefing on this – 5 marks.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility - briefing on this –
(b) Describe where a network-based intrusion detection system may be installed in an organisation and discuss the advantages and disadvantages of each.
Answer :
The possible solutions are based on the following: (1) just inside the external firewall, explanation including advantages and disadvantages of this will be awarded 4 marks; (2) between the external firewall and the Internet or WAN, explanation including advantages and disadvantages of this 4 marks; (3) at the entrance to major backbone networks, and to support workstation LANs – 2 marks.
Q3. (a) Critically evaluate the approaches to anti-virus.
Answer:
The ideal solution to the threat of viruses is prevention: Do not allow a virus to get into the system in the first place. This goal is, in general, impossible to achieve, although prevention can reduce the number of successful viral attacks –
The next best approach is to be able to do the following:
· Detection: Once the infection has occurred, determine that it has occurred and locate the virus.
· Identification: Once detection has been achieved, identify the specific virus that has infected a program.
· Removal: Once the specific virus has been identified, remove all traces of the virus from the infected program and restore it to its original state. Remove the virus from all infected systems so that the disease cannot spread further – 5 marks.
If detection succeeds but either identification or removal is not possible, then the alternative is to discard the infected program and reload a clean backup version.
Advances in virus and antivirus technology go hand in hand. Early viruses were relatively simple code fragments and could be identified and purged with relatively simple antivirus software packages. As the virus arms race has evolved, both viruses and, necessarily, antivirus software have grown more complex and sophisticated – 5 marks.
(b) Discuss the techniques used by generic decryption technology in detecting viruses.
Answer:
Generic Decryption (GD) technology enables the antivirus program to easily detect even the most complex polymorphic viruses, while maintaining fast scanning speeds. Recall that when a file containing a polymorphic virus is executed, the virus must decrypt itself to activate. In order to detect such a structure, executable files are run through a GD scanner, which contains the following elements:
· CPU emulator: A software-based virtual computer. Instructions in an executable file are interpreted by the emulator rather than executed on the underlying processor. The emulator includes software versions of all registers and other processor hardware, so that the underlying processor is unaffected by programs interpreted on the emulator.
· Virus signature scanner: A module that scans the target code looking for known virus signatures.
· Emulation control module: Controls the execution of the target code.
- 6 marks.
At the start of each simulation, the emulator begins interpreting instructions in the target code, one at a time. Thus, if the code includes a decryption routine that decrypts and hence exposes the virus, that code is interpreted. In effect, the virus does the work for the antivirus program by exposing the virus. Periodically, the control module interrupts interpretation to scan the target code for virus signatures – 2 marks.
During interpretation, the target code can cause no damage to the actual personal computer environment, because it is being interpreted in a completely controlled environment – 2 marks.
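The three GD components above, as an added toy illustration (not code from any antivirus product): a software CPU with its own registers and memory interprets a constructed self-decrypting sample, the emulation control module pauses every few instructions to run the signature scanner over the emulated memory, and an instruction budget stops runaway or deliberately stalling code. The instruction set, the XOR decryptor stub and the signature string are all made up for this example.

```python
"""Toy generic-decryption (GD) scanner.

Added illustration, not code from any antivirus product. The instruction set,
the XOR decryptor stub and the signature database are constructed for it.
"""
from dataclasses import dataclass

# constructed toy instruction set: opcode byte, optional one-byte immediate
OP_SET_PTR, OP_SET_CNT, OP_SET_KEY = 0x10, 0x11, 0x12   # load immediate into ptr/cnt/key
OP_XOR_INC = 0x20      # mem[ptr] ^= key; ptr += 1; cnt -= 1
OP_JNZ = 0x30          # if cnt != 0: pc = imm
OP_JMP = 0x40          # pc = imm
OP_HALT = 0xFF

SIGNATURES = {b"TOY-VIRUS-BODY": "Toy.Polymorphic.A"}   # constructed signature DB


@dataclass
class CPUEmulator:
    """Software CPU: registers and memory live here; the host CPU never runs the sample."""
    mem: bytearray
    pc: int = 0
    ptr: int = 0
    cnt: int = 0
    key: int = 0
    halted: bool = False

    def step(self) -> None:
        """Interpret one instruction of the target code."""
        if self.pc >= len(self.mem):
            self.halted = True
            return
        op = self.mem[self.pc]
        imm = self.mem[self.pc + 1] if self.pc + 1 < len(self.mem) else 0
        if op == OP_SET_PTR:
            self.ptr, self.pc = imm, self.pc + 2
        elif op == OP_SET_CNT:
            self.cnt, self.pc = imm, self.pc + 2
        elif op == OP_SET_KEY:
            self.key, self.pc = imm, self.pc + 2
        elif op == OP_XOR_INC:
            self.mem[self.ptr] ^= self.key
            self.ptr, self.cnt, self.pc = self.ptr + 1, self.cnt - 1, self.pc + 1
        elif op == OP_JNZ:
            self.pc = imm if self.cnt else self.pc + 2
        elif op == OP_JMP:
            self.pc = imm
        else:                     # HALT, or an opcode this toy does not model
            self.halted = True


def scan_signatures(mem: bytes) -> list:
    """Virus signature scanner: substring match against the signature database."""
    return [name for sig, name in SIGNATURES.items() if sig in mem]


def gd_scan(image: bytes, max_steps: int = 10_000, scan_every: int = 8) -> dict:
    """Emulation control module: interpret the sample, pausing every `scan_every`
    instructions to scan the emulated memory, and once more when it stops.
    `max_steps` bounds runaway loops and anti-emulation stalling."""
    static_hits = scan_signatures(image)          # what a plain scanner sees
    cpu, steps, hits = CPUEmulator(bytearray(image)), 0, []
    while not cpu.halted and steps < max_steps and not hits:
        cpu.step()
        steps += 1
        if steps % scan_every == 0:
            hits = scan_signatures(bytes(cpu.mem))
    if not hits:
        hits = scan_signatures(bytes(cpu.mem))
    return {"static_hits": static_hits, "emulated_hits": hits, "steps": steps}


def build_sample(key: int = 0x5A) -> bytes:
    """Constructed self-decrypting sample: decryptor stub followed by the
    XOR-encrypted body that carries the signature."""
    body = b"TOY-VIRUS-BODY" + bytes([OP_HALT])
    stub_len = 11                                 # stub occupies offsets 0..10
    stub = bytes([
        OP_SET_PTR, stub_len,                     # ptr -> start of body
        OP_SET_CNT, len(body),
        OP_SET_KEY, key,
        OP_XOR_INC,                               # offset 6: loop body
        OP_JNZ, 6,                                # until cnt == 0
        OP_JMP, stub_len,                         # then run the decrypted body
    ])
    assert len(stub) == stub_len
    return stub + bytes(b ^ key for b in body)
```

`gd_scan(build_sample())` finds nothing statically, because the body is encrypted on disk, but the emulated scan hits once the stub has decrypted it. Running the same sample with a small `max_steps` shows the trade-off the control module makes: too small a budget stops before the decryptor finishes and the virus stays hidden, too large a budget costs scanning time.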
Q4.(a) If a client needs to obtain a ticket and authenticate with a particular service (MyService), which is running on a computer (MyServer) and listening on port 4766, explain how Kerberos protocol authenticates the user for accessing this service
The Kerberos authentication protocol uses a string of encoded messages and the issuance of special tickets to verify the identification of the user in question and allow or disallow a user’s access to services –
The first step in the protocol is the request for access. Using a password or a smart card, the user attempts to access a service; the rest of what follows is transparent to the user. Upon receiving the request, the authentication server (AS) issues a ticket-granting ticket (TGT) to the client together with a session key. The TGT is encrypted under a key known only to the KDC and never carries the user's password; the session key is returned encrypted under a key derived from the user's password, so only a client that knows the password can use it. The client then presents the TGT, with an authenticator encrypted under the session key, to the ticket-granting server (TGS), which may or may not be the same machine as the AS, naming the service it wants. The TGS issues a service ticket to the client. Once the client machine possesses the service ticket, the ticket can be used to request the service; the service ticket verifies the user's identity to the service
– 5 marks
For example, if a client needs to obtain a ticket and authenticate with a particular service (MyService), which is running on a computer (MyServer) that is listening on port 4766, then the client requests a ticket from the KDC (Key Distribution Center) by using a name constructed from that information, as shown here:
MyService/MyServer:4766 –
(b) Discuss the steps involved in Kerberos authentication by including the necessary structure.
Answer:
In a Kerberos environment, the authentication process begins at logon. The following steps describe the Kerberos authentication process:
1. When a user enters a user name and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long-term keys for every principal in its realm – 3 marks.
2. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows –
Kerberos implements secret key cryptography, which is different from public key cryptography in that it does not use a public and private key pair.
3. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA; with KA it decrypts the session key SA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
When a client receives the session key and TGT from the KDC, it stores that information in volatile memory and not on the hard disk. Keeping it in volatile memory makes the information more secure, because it is lost when the client machine is powered off or physically removed –
4. When a Kerberos client needs to access resources on a server that is a member of the same domain, it contacts the KDC. The client presents its TGT and a timestamp encrypted with the session key that is already shared with the KDC. The KDC decrypts the TGT using its KKDC. The TGT contains the user name and a copy of the SA. The KDC uses the SA to decrypt the timestamp. The KDC can confirm that this request actually comes from the user because only the user and the KDC know the SA - 2 marks.
5. Next, the KDC creates a pair of tickets, one for the client and one for the server on which the client needs to access resources. Each ticket contains the name of the user requesting the service, the recipient of the request, a timestamp that declares when the ticket was created, and a time duration that says how long the tickets are valid. Both tickets also contain a new key (KAB) that will be shared between the client and the server so they can securely communicate. – 2 marks.
6. When the user receives the ticket, the user decrypts it using the SA. This exposes the KAB to the client and also exposes the server's ticket. The user cannot read the server's ticket. The user will encrypt the timestamp by using the KAB and send the timestamp and the server's ticket to the server on which the client wants to access resources. When it receives these two items, the server first decrypts its own ticket by using its KB. This permits access to the KAB, which can then decrypt the timestamp from the client – 2 marks.
Any supporting diagram can be included.
) For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Discuss how key distribution can be achieved.
Answer:
For symmetric encryption to work, the two parties to an exchange must share the same key, and that key must be protected from access by others. Key distribution can be achieved in a number of ways. For two parties A and B:
1. A key could be selected by A and physically delivered to B.
2. A third party could select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key.
4. If A and B each have an encrypted connection to a third party C, C could deliver a key on the encrypted links to A and B.
Options 1 and 2 call for manual delivery of a key. For link encryption, this is a reasonable requirement, because each link encryption device is only going to be exchanging data with its partner on the other end of the link. However, for end-to-end encryption, manual delivery is awkward. In a distributed system, any given host or terminal may need to engage in exchanges with many other hosts and terminals over time. Thus, each device needs a number of keys, supplied dynamically. The problem is especially difficult in a wide area distributed system.
Option 3 is a possibility for either link encryption or end-to-end encryption, but if an attacker ever succeeds in gaining access to one key, then all subsequent keys are revealed. Even if frequent changes are made to the link encryption keys, these should be done manually. To provide keys for end-to-end encryption, option 4 is preferable.
Any valid explanation with an example –
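The six Kerberos steps of Q4(b), which are also an instance of option 4 above (the KDC is the trusted third party C that delivers a fresh key to A and B over links already protected by their long-term keys), as an added worked example that is not from the original answers. Real Kerberos uses AES-based encryption types; because the Python standard library has no AES, tickets here are sealed with a constructed encrypt-then-MAC cipher built from HMAC-SHA256. The principal names, the password, the lifetime and the KDC internals are the example's own assumptions; the service name MyService/MyServer:4766 is the one given in Q4(a).

```python
"""Simplified Kerberos exchange: AS, TGS and application server.

Added illustration, not code from any Kerberos implementation. Tickets use a
constructed toy cipher (HMAC-SHA256 keystream + HMAC tag) in place of AES.
"""
import hashlib
import hmac
import json
import os
import time

LIFETIME = 300          # ticket validity and allowed clock skew, seconds (assumption)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a dict under `key` (constructed toy cipher)."""
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key`; a wrong password fails here."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def long_term_key(password: str, principal: str) -> bytes:
    """String-to-key: K_A derived from the password, salted with the principal name."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    """Master database of long-term keys (K_A, K_B, ...) plus its own K_KDC."""

    def __init__(self, keys: dict):
        self.keys, self.k_kdc = keys, os.urandom(32)

    def as_exchange(self, user: str, now: float):
        """Step 2: S_A sealed under K_A, and the TGT sealed under K_KDC."""
        s_a = os.urandom(32).hex()
        tgt = seal(self.k_kdc, {"user": user, "sa": s_a, "expires": now + LIFETIME})
        return seal(self.keys[user], {"sa": s_a}), tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float):
        """Steps 4-5: verify TGT and authenticator, issue K_AB inside two tickets."""
        t = unseal(self.k_kdc, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["sa"]), authenticator)   # only the user holds S_A
        if auth["user"] != t["user"] or abs(now - auth["timestamp"]) > LIFETIME:
            raise PermissionError("bad authenticator")
        body = {"user": t["user"], "service": service, "issued": now,
                "expires": now + LIFETIME, "kab": os.urandom(32).hex()}
        server_ticket = seal(self.keys[service], body)            # client cannot read this
        return seal(bytes.fromhex(t["sa"]), {**body, "server_ticket": server_ticket.hex()})


def client_login(kdc: KDC, user: str, password: str, now: float):
    """Steps 1 and 3: obtain S_A and the TGT (kept in memory only on a real client)."""
    reply, tgt = kdc.as_exchange(user, now)
    return bytes.fromhex(unseal(long_term_key(password, user), reply)["sa"]), tgt


def client_request_service(kdc: KDC, user: str, s_a: bytes, tgt: bytes, service: str, now: float):
    """Client side of steps 4 and 6: authenticator under S_A, then K_AB and the server ticket."""
    authenticator = seal(s_a, {"user": user, "timestamp": now})
    reply = unseal(s_a, kdc.tgs_exchange(tgt, authenticator, service, now))
    return bytes.fromhex(reply["kab"]), bytes.fromhex(reply["server_ticket"])


def server_accept(k_b: bytes, server_ticket: bytes, ap_req: bytes, service: str, now: float) -> str:
    """Server side of step 6: K_B opens the ticket, K_AB opens the authenticator."""
    t = unseal(k_b, server_ticket)
    if t["service"] != service or now > t["expires"]:
        raise PermissionError("ticket not valid for this service")
    if abs(now - unseal(bytes.fromhex(t["kab"]), ap_req)["timestamp"]) > LIFETIME:
        raise PermissionError("stale authenticator")
    return t["user"]


def demo(password: str = "correct horse battery", tgs_delay: float = 0.0) -> str:
    """Full run for constructed user alice against MyService/MyServer:4766; returns the
    principal the server accepted. Wrong password -> ValueError; TGS request after the
    TGT lifetime -> PermissionError."""
    now, service = time.time(), "MyService/MyServer:4766"
    keys = {"alice": long_term_key("correct horse battery", "alice"), service: os.urandom(32)}
    kdc = KDC(keys)
    s_a, tgt = client_login(kdc, "alice", password, now)
    later = now + tgs_delay
    k_ab, ticket = client_request_service(kdc, "alice", s_a, tgt, service, later)
    return server_accept(keys[service], ticket, seal(k_ab, {"timestamp": later}), service, later)
```

Three things in the code mirror the marking points: the password never leaves the client (it only derives K_A, which opens the AS reply), the server ticket is opaque to the client because it is sealed under K_B, and every ticket and authenticator carries a timestamp that the recipient checks against its own clock.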
(b) Explain and evaluate the use of Data Encryption Standard (DES)
Introduction to DES
The most widely used encryption scheme is based on the Data Encryption Standard (DES). The algorithm itself is referred to as the Data Encryption Algorithm (DEA). DES takes a plaintext block of 64 bits and a key of 56 bits to produce a ciphertext block of 64 bits. Concerns about the strength of DES fall into two categories: concerns about the algorithm itself and concerns about the use of a 56-bit key. The first concern refers to the possibility that cryptanalysis is possible by exploiting the characteristics of the DES algorithm. Over the years, there have been numerous attempts to find and exploit weaknesses in the algorithm, making DES the most-studied encryption algorithm in existence. A more serious concern is key length. With a key length of 56 bits, there are 2^56 possible keys, which is approximately 7.2 × 10^16 keys; a key space of that size can now be searched exhaustively with relatively modest hardware, so single DES is no longer considered secure – 5 Marks
The life of DES was extended by the use of triple DES (3DES), which involves repeating the basic DES algorithm three times, using either two or three unique keys, for a key size of 112 or 168 bits. Triple DES (3DES) was first standardized for use in financial applications. 3DES was incorporated as part of the Data Encryption Standard. 3DES has two attractions that assure its widespread use over the next few years. First, with its 168-bit key length, it overcomes the vulnerability to brute-force attack of DEA. Second, the underlying encryption algorithm in 3DES is the same as in DEA. The principal drawback of 3DES is that the algorithm is relatively sluggish in software.
Within each round, the 64-bit block (after the initial permutation) is held as two 32-bit halves. The right half is expanded from 32 to 48 bits using a fixed expansion table. The result is combined with the 48-bit subkey for that round using the XOR operation. Using the S-boxes, the 48 resulting bits are then transformed back to 32 bits, which are subsequently permuted using yet another fixed table. This thoroughly shuffled right half is now combined with the left half using the XOR operation. The output of that XOR becomes the new right half for the next round, while the unmodified right half of this round becomes the new left half; decryption runs the same rounds with the subkeys in reverse order - 10 marks.
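The round described above is one round of a Feistel network. As an added example (not DES itself and not from the original answer), the following keeps DES's dimensions, a 64-bit block split into 32-bit halves, 16 rounds and a 56-bit key, but replaces the expansion table, S-boxes and P permutation with a keyed hash standing in for the round function F, and uses a stand-in key schedule. What it demonstrates is the property the DES design depends on: decryption is the same network run with the subkeys in reverse order, even though F itself is not invertible.

```python
"""Feistel network with DES's dimensions and a toy round function.

Added illustration, not DES: the E expansion, S-boxes and P permutation are
replaced by a keyed hash, and the key schedule is a stand-in too.
"""
import hashlib
import hmac

ROUNDS = 16
MASK32 = 0xFFFFFFFF


def key_schedule(key: bytes) -> list:
    """Sixteen 48-bit subkeys from a 56-bit key (toy: hash of key || round number)."""
    if len(key) != 7:
        raise ValueError("56-bit (7-byte) key expected")
    return [hashlib.sha256(key + bytes([r])).digest()[:6] for r in range(ROUNDS)]


def f(right: int, subkey: bytes) -> int:
    """Toy F: 32-bit half + 48-bit subkey -> 32 bits. Not invertible, and it does
    not need to be; the network never inverts F."""
    mac = hmac.new(subkey, right.to_bytes(4, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")


def feistel(block: int, subkeys: list) -> int:
    """L_i = R_{i-1}; R_i = L_{i-1} XOR F(R_{i-1}, K_i). As in DES, the swap after
    the final round is undone so that the same code decrypts."""
    left, right = block >> 32, block & MASK32
    for k in subkeys:
        left, right = right, left ^ f(right, k)
    return (right << 32) | left


def encrypt(block: int, key: bytes) -> int:
    return feistel(block, key_schedule(key))


def decrypt(block: int, key: bytes) -> int:
    """Same network, subkeys in reverse order."""
    return feistel(block, key_schedule(key)[::-1])
```

Because each round only XORs F's output into one half and leaves the other untouched, the last round can always be undone by recomputing F on the untouched half, which is why F may be as lossy as DES's S-boxes are.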
(c) Discuss the techniques used in steganography
Answer
· Character marking: Selected letters of printed or typewritten text are overwritten in pencil. The marks are ordinarily not visible unless the paper is held at an angle to bright light.
· Invisible ink: A number of substances can be used for writing but leave no visible trace until heat or some chemical is applied to the paper.
· Pin punctures: Small pin punctures on selected letters are ordinarily not visible unless the paper is held up in front of a light.
· Typewriter correction ribbon: Used between lines typed with a black ribbon, the results of typing with the correction tape are visible only under a strong light.
Logic bomb
A logic bomb is a piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. For example, a programmer may hide a piece of code that starts deleting files (such as a salary database trigger), should they ever be terminated from the company.
Software that is inherently malicious, such as viruses and worms, often contains logic bombs that execute a certain payload at a pre-defined time or when some other condition is met. This technique can be used by a virus or worm to gain momentum and spread before being noticed. Many viruses attack their host systems on specific dates, such as Friday the 13th or April Fool's Day. Trojans that activate on certain dates are often called "time bombs".
To be considered a logic bomb, the payload should be unwanted and unknown to the user of the software. As an example, trial programs with code that disables certain functionality after a set time are not normally regarded as logic bombs.
Zombie
In computer science, a zombie is a computer connected to the Internet that has been compromised by a cracker, computer virus or trojan horse and can be used to perform malicious tasks of one sort or another under remote direction. Botnets of zombie computers are often used to spread e-mail spam and launch denial-of-service attacks. Most owners of zombie computers are unaware that their system is being used in this way. Because the owner tends to be unaware, these computers are metaphorically compared to zombies.
Life Cycle of a Virus
Creation
Until a few years ago, creating a virus required knowledge of a computer programming language. Today anyone with even a little programming knowledge can create a virus. Usually, though, viruses are created by misguided individuals who wish to cause widespread, random damage to computers.
Replication
Viruses replicate by nature. A well-designed virus will replicate for a long time before it activates, which allows it plenty of time to spread.
Activation
Viruses that have damage routines will activate when certain conditions are met, for example, on a certain date or when a particular action is taken by the user. Viruses without damage routines don't activate, instead causing damage by stealing storage space.
Discovery
This phase doesn't always come after activation, but it usually does. When a virus is detected and isolated, it is sent to the International Computer Security Association in Washington, D.C., to be documented and distributed to antivirus developers. Discovery normally takes place at least a year before the virus might have become a threat to the computing community.
Assimilation
At this point, antivirus developers modify their software so that it can detect the new virus. This can take anywhere from one day to six months, depending on the developer and the virus type.
Eradication
If enough users install up-to-date virus protection software, any virus can be wiped out. So far no viruses have disappeared completely, but some have long ceased to be a major threat.
Intrusion detection system
An intrusion detection system (IDS) is a device or software application that monitors network and/or system activities for malicious activities or policy violations and produces reports to a Management Station.[1] Some systems may attempt to stop an intrusion attempt but this is neither required nor expected of a monitoring system.[1] Intrusion detection and prevention systems (IDPS) are primarily focused on identifying possible incidents, logging information about them, and reporting attempts.[1] In addition, organizations use IDPSes for other purposes, such as identifying problems with security policies, documenting existing threats, and deterring individuals from violating security policies.[1] IDPSes have become a necessary addition to the security infrastructure of nearly every organization.[1]
IDPSes typically record information related to observed events, notify security administrators of important observed events, and produce reports.[1] Many IDPSes can also respond to a detected threat by attempting to prevent it from succeeding.[1] They use several response techniques, which involve the IDPS stopping the attack itself, changing the security environment (e.g., reconfiguring a firewall), or changing the attack’s content.[1]
Types
For the purpose of dealing with IT, there are two main types of IDS:
Network intrusion detection system (NIDS): an independent platform that identifies intrusions by examining network traffic and monitors multiple hosts. Network intrusion detection systems gain access to network traffic by connecting to a network hub, a network switch configured for port mirroring, or a network tap. In a NIDS, sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders. Sensors capture all network traffic and analyze the content of individual packets for malicious traffic. An example of a NIDS is Snort.
Host-based intrusion detection system (HIDS): consists of an agent on a host that identifies intrusions by analyzing system calls, application logs, file-system modifications (binaries, password files, capability databases, access control lists, etc.) and other host activities and state. In a HIDS, sensors usually consist of a software agent. Some application-based IDS are also part of this category. An example of a HIDS is OSSEC.
Intrusion detection systems can also be system-specific using custom tools and honeypots.