Describe the main participants in the Secure Electronic Transaction standard (X509v3) and the steps in processing a transaction
Cardholder: In the electronic environment, consumers and corporate
purchasers interact with merchants from personal computers over the Internet. A
cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa)
that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods or
services to sell to the cardholder. Typically, these goods and services are
offered via a Web site or by electronic mail. A merchant that accepts payment
cards must have a relationship with an acquirer.
Issuer: This is a financial institution, such as a bank, that
provides the cardholder with the payment card. Typically, accounts are applied
for and opened by mail or in person. Ultimately, it is the issuer that is
responsible for the payment of the debt of the cardholder.
Acquirer: This is a financial institution that establishes an account
with a merchant and processes payment card authorizations and payments.
Merchants will usually accept more than one credit card brand but do not want
to deal with multiple bankcard associations or with multiple individual
issuers. The acquirer provides authorization to the merchant that a given card
accounts is active and that the proposed purchase does not exceed the credit
limit. The acquirer also provides electronic transfer of payments to the
merchant's account. Subsequently, the acquirer is reimbursed by the issuer over
some sort of payment network for electronic funds transfer.
Payment gateway: This is a function operated by the acquirer or a designated
third party that processes merchant payment messages. The payment gateway
interfaces between SET and the existing bankcard payment networks for
authorization and payment functions. The merchant exchanges SET messages with
the payment gateway over the Internet, while the payment gateway has some
direct or network connection to the acquirer's financial processing
system.
Certification authority (CA): This is an entity that is trusted to issue X.509v3
public-key certificates for cardholders, merchants, and payment gateways. The
success of SET will depend on the existence of a CA infrastructure available
for this purpose. As was discussed in previous chapters, a hierarchy of CAs is
used, so that participants need not be directly certified by a root authority.
(b) Discuss the types of security threats to be
faced when using the web applications,
their consequences and the
countermeasures
Answer:
Consequences
|
Countermeasures
|
||
Integrity
(2 marks)
|
· Modification of user data
· Trojan horse browser
· Modification of memory
· Modification of message traffic in
transit
|
· Loss of information
· Compromise of machine
· Vulnerability to all other threats
|
Cryptographic checksums- A
cryptographic checksum is created by performing a complicated series of
mathematical operations that translates the data in the file into a fixed
string of digits called a hash value, which is then used as a checksum.
|
Confidentiality
(2 marks)
|
· Eavesdropping on the Net
· Theft of info from server
· Theft of data from client
· Info about network configuration
· Info about which client talks to server
|
· Loss of information
· Loss of privacy
|
Encryption, web proxies- A proxy server
receives a request for an Internet service (such as a Web page request) from
a user. If it passes filtering requirements, the proxy server, assuming it is
also a cache server, looks in its local cache of previously downloaded Web
pages. If it finds the page, it returns it to the user without needing to
forward the request to the Internet. If the page is not in the cache, the
proxy server, acting as a client on behalf of the user, uses one of its own
IP addresses to request the page from the server out on the Internet. When
the page is returned, the proxy server relates it to the original request and
forwards it on to the user.
|
Denial of
Service
(2 marks)
|
· Killing of user threads
· Flooding machine with bogus requests
· Filling up disk or memory
· Isolating machine by DNS attacks
|
· Disruptive
· Annoying
· Prevent user from getting work done
|
Difficult to
prevent
|
Authentication
(2 marks)
|
· Impersonation of legitimate users
· Data forgery
|
· Misrepresentation of user
· Belief that false information is valid
|
Cryptographic
techniques - Secret Key Cryptography (SKC): Uses a single key for both
encryption and decryption, Public Key Cryptography (PKC): Uses one key for
encryption and another for decryption ,Hash Functions: Uses a mathematical
transformation to irreversibly "encrypt" information.
|
Apart from the above issues students are required to
include other threats related with phishing, password policies, disgruntled or
corruptible employees and security awareness for mobile devices – 2 marks.
Q2.(a) Describe the benefits that can be
provided by Intrusion Detection System(IDS).
1. If an intrusion is detected quickly enough,
the intruder can be identified and
ejected from the system before any damage is done or any
data are compromised.
Even if the
detection is not sufficiently timely to preempt the intruder, the sooner
that the intrusion is detected, the less the
amount of damage and the more quickly that recovery can be
achieved- briefing on this –
2. An effective intrusion detection system can serve as a
deterrant, so acting to prevent intrusions - briefing on this – 5 marks.
3. Intrusion detection enables the collection
of information about intrusion techniques that can be used to strengthen the
intrusion prevention facility - briefing on this –
(b) Describe where a
network-based intrusion detection system may be installed in an organisation
and discuss the advantages and disadvantages of each.
Answer :
The
possible solutions are based on the following: (1) just inside the external
firewall, explanation including advantages and disadvantages on this will be
awared 4 marks; (2) between the external firewall and the Internet or WAN,
explanation including advantages and disadvantages based on this 4 marks; (3)
at the entrance to major backbone networks; to support workstation LANs – 2
marks.
Q3. (a)
Critically evaluate the
approaches to anti-virus.
:
The ideal solution to the threat of viruses is prevention:
Do not allow a virus to get into the system in the first place. This goal is,
in general, impossible to achieve, although prevention can reduce the number of
successful viral attacks –
The next best approach is to be able to do the
following:
· Detection: Once
the infection has occurred, determine that it has occurred and locate the
virus.
· Identification: Once
detection has been achieved, identify the specific virus that has infected a
program.
· Removal: Once
the specific virus has been identified, remove all traces of the virus from the
infected program and restore it to its original state. Remove the virus from
all infected systems so that the disease cannot spread further – 5 marks.
If detection succeeds but either identification
or removal is not possible, then the alternative is to discard the infected
program and reload a clean backup version.
Advances in virus and antivirus technology go
hand in hand. Early viruses were relatively simple code fragments and could be
identified and purged with relatively simple antivirus software packages. As
the virus arms race has evolved, both viruses and, necessarily, antivirus
software have grown more complex and sophisticated – 5arks.
(b) Discuss the techniques used by generic
decryption technology in detecting viruses.
Answer:
Generic Decryption (GD) technology enables the antivirus
program to easily detect even the most complex polymorphic viruses, while maintaining
fast scanning speeds. Recall that when a file containing a polymorphic virus is
executed, the virus must decrypt itself to activate
In order to detect such a structure, executable files are
run through a GD scanner, which contains the following elements:
· CPU
emulator: A software-based virtual computer. Instructions in an executable
file are interpreted by the emulator rather than executed on the underlying
processor. The emulator includes software versions of all registers and other
processor hardware, so that the underlying processor is unaffected by programs
interpreted on the emulator.
· Virus
signature scanner: A module that scans the target code looking for known
virus signatures.
· Emulation
control module: Controls the execution of the target code.
- 6 marks.
At the start of each simulation, the emulator begins
interpreting instructions in the target code, one at a time. Thus, if the code
includes a decryption routine that decrypts and hence exposes the virus, that
code is interpreted. In effect, the virus does the work for the antivirus
program by exposing the virus. Periodically, the control module interrupts
interpretation to scan the target code for virus signatures – 2 marks.
During interpretation, the target code can cause no damage
to the actual personal computer environment, because it is being interpreted in
a completely controlled environment – 2 marks.
Q4.(a)
If a client needs to obtain a ticket and authenticate with a particular
service (MyService),
which is running on a computer (MyServer) and listening on port 4766, explain
how Kerberos protocol authenticates the user for accessing this service
The Kerberos authentication protocol uses a
string of encoded messages and the issuance of special tickets to verify the
identification of the user in question and allow or disallow a user’s access to
services –
The
first step in protocol is the request for access. Using a password or a smart
card, the user attempts to access a service. The rest of what follows is
transparent to the user. Upon receiving the request, the authentication server
(AS) issues a ticket-granting ticket (TGT) to the client. This encrypted ticket
includes the user’s password and a random seed representing the requested
network service. The client machine then returns the ticket to the
ticket-granting server(TGS), which may or may not be the same machine as the
AS. The TGS then issues a service ticket to the client. Once the
client machine possesses the service ticket, the ticket can be used to request
a service. The service ticket verifies the use’s identity to the service
– 5
marks
For example, if a client needs to obtain a
ticket and authenticate with a particular service (MyService), which is running
on a computer (MyServer) that is listening on port 4766, then the client
requests a ticket from the KDC (Key Distribution Center) by using a name
constructed from that information, as shown here:
MyService/MyServer:4766 –
(b) Discuss the steps involved in Kerberos
authentication by including the necessary structure.
Answer:
In a Kerberos environment, the authentication process begins at logon.
The following steps describe the Kerberos authentication process:
1. When a user enters a user name and password,
the computer sends the user name to the KDC. The KDC contains a master database
of unique long term keys for every principal in its realm – 3 marks.
2. The KDC looks up the
user's master key (KA), which is based on the user's password. The KDC then
creates two items: a session key (SA) to share with the user and a
Ticket-Granting Ticket (TGT). The TGT includes a second copy of the
SA, the user name, and an expiration time. The KDC encrypts this ticket by
using its own master key (KKDC), which only the KDC knows –
Kerberos
implements secret key cryptography, which is different from public key
cryptography in that it does not use a public and private key pair.
3. The client computer receives the information
from the KDC and runs the user's password through a one-way hashing function,
which converts the password into the user's KA. The client computer now has a
session key and a TGT so that it can securely communicate with the
KDC. The client is now authenticated to the domain and is ready to access other
resources in the domain by using the Kerberos protocol.
When a client receives the
session key and TGT from the server, it stores that information in
volatile memory and not on the hard disk. Storing the information in the
volatile memory and not on the hard disk makes the information more secure,
because the information would be lost if the server were physically removed –
4. When a Kerberos client
needs to access resources on a server that is a member of the same domain, it
contacts the KDC. The client will present its TGT and a timestamp
encrypted with the session key that is already shared with the KDC. The KDC
decrypts the TGT using its KKDC. The TGT contains the user
name and a copy of the SA. The KDC uses the SA to decrypt the timestamp. The
KDC can confirm that this request actually comes from the user because only the
user can use the SA- 2 marks.
5. Next, the KDC creates a pair of tickets, one
for the client and one for the server on which the client needs to access
resources. Each ticket contains the name of the user requesting the service,
the recipient of the request, a timestamp that declares when the ticket was
created, and a time duration that says how long the tickets are valid. Both
tickets also contain a new key (KAB) that will be shared between the client and
the server so they can securely communicate. – 2 marks.
6.
When the user receives the ticket, the user decrypts it using the SA. This exposes
the KAB to the client and also exposes the server's ticket. The user
cannot read the server's ticket. The user will encrypt the timestamp by using
the KAB and send the timestamp and the server's ticket to the server
on which the client wants to access resources. When it receives these two
items, the server first decrypts its own ticket by using its KB. This permits
access to the KAB, which can then decrypt the timestamp from the client –
2 marks.
Any supporting diagram can be included.
) For symmetric encryption to work, the two parties
to an exchange must share the same key, and that key must be protected from
access by others. Discuss how key distribution can be achieved.
Answer:
For symmetric encryption to work, the two
parties to an exchange must share the same key, and that key must be protected
from access by others. Key distribution can be achieved in a number of ways. For
two parties A and B:
1. A key could be selected by A and physically
delivered to B.
2. A third party could select the key and
physically deliver it to A and B.
3. If A and B have previously and recently used
a key, one party could transmit the new key to the other, encrypted using the
old key.
4. If A and B each have an encrypted connection
to a third party C, C could deliver a key on the encrypted links to A and B.
Options 1 and 2 call for manual delivery of a
key. For link encryption, this is a reasonable requirement, because each link
encryption device is only going to be exchanging data with its partner on the
other end of the link. However, for end-to-end encryption, manual delivery is
awkward. In a distributed system, any given host or terminal may need to engage
in exchanges with many other hosts and terminals over time. Thus, each device
needs a number of keys, supplied dynamically. The problem is especially
difficult in a wide area distributed system.
Option 3 is a possibility for either link encryption
or end-to-end encryption, but if an attacker ever succeeds in gaining access to
one key, then all subsequent keys are revealed. Even if frequent changes are
made to the link encryption keys, these should be done manually. To provide
keys for end-to-end encryption, option 4 is preferable.
Any valid explanation with an example
–
(b) Explain and evaluate the use of Data
Encryption Standard (DES)
Introduction to DES
The
most widely used encryption scheme is based on the Data Encryption Standard
(DES) . The algorithm itself is referred to as the Data Encryption Algorithm
(DEA). DES takes a plaintext block of 64 bits and a key of 56 bits,
to produce a ciphertext block of 64 bits. Concerns about the strength of DES fall
into two categories: concerns about the algorithm itself and concerns about the
use of a 56-bit key. The first concern refers to the possibility that
cryptanalysis is possible by exploiting the characteristics of the DES algorithm.
Over the years, there have been numerous attempts to find and exploit
weaknesses in the algorithm, making DES the most-studied encryption
algorithm in existence. A more serious concern is key length. With a key length
of 56 bits, there are 256 possible keys, which is approximately 7.2 ´ 1016 keys. As noted on
the previous slide, this can now be broken relatively easily – 5 Marks
The life of DES was extended by the
use of triple DES (3DES), which involves repeating the basic DES algorithm
three times, using either two or three unique keys, for a key size of 112 or
168 bits. Triple DES (3DES) was first standardized for use in
financial applications. 3DES was incorporated as part of the Data
Encryption Standard. 3DES has two attractions that assure its widespread
use over the next few years. First, with its 168-bit key length, it overcomes
the vulnerability to brute-force attack of DEA. Second, the underlying
encryption algorithm in 3DES is the same as in DEA. The principal drawback
of 3DES is that the algorithm is relatively sluggish in software.
The block of the message is divided into two
halves. The right half is expanded from 32 to 48 bits using another fixed
table. The result is combined with the subkey for that round using the XOR
operation. Using the S-boxes the 48 resulting bits are then transformed again
to 32 bits, which are subsequently permutated again using yet another fixed
table. This by now thoroughly shuffled right half is now combined with the left
half using the XOR operation. In the next round, this combination is used as
the new left half - 10 marks.
Generic Decryption (GD) technology enables the antivirus
program to easily detect even the most complex polymorphic viruses, while
maintaining fast scanning speeds. Recall that when a file containing a
polymorphic virus is executed, the virus must decrypt itself to activate. In
order to detect such a structure, executable files are run through a GD
scanner, which contains the following elements:
· CPU
emulator: A software-based virtual computer. Instructions in an executable
file are interpreted by the emulator rather than executed on the underlying
processor. The emulator includes software versions of all registers and other
processor hardware, so that the underlying processor is unaffected by programs
interpreted on the emulator.
· Virus
signature scanner: A module that scans the target code looking for known
virus signatures.
· Emulation
control module: Controls the execution of the target code.
At the start of each simulation, the emulator begins
interpreting instructions in the target code, one at a time. Thus, if the code
includes a decryption routine that decrypts and hence exposes the virus, that
code is interpreted. In effect, the virus does the work for the antivirus
program by exposing the virus. Periodically, the control module interrupts
interpretation to scan the target code for virus signatures.
During interpretation, the target code can cause no damage
to the actual personal computer environment, because it is being interpreted in
a completely controlled environment.
-- 10 marks
(c)
Discuss the techniques used in steganography
Answer
· Character
marking: Selected letters of printed or typewritten text are overwritten
in pencil. The marks are ordinarily not visible unless the paper is held at an
angle to bright light.
· Invisible
ink: A number of substances can be used for writing but leave no visible
trace until heat or some chemical is applied to the paper.
· Pin
punctures: Small pin punctures on selected letters
are ordinarily not visible unless the paper is held up in front of a light.
· Typewriter
correction ribbon: Used between lines typed with a black ribbon, the
results of typing with the correction tape are visible only under a strong
light.
Explain and evaluate the use of Data Encryption
Standard (DES) (15
marks)
Answer
The
most widely used encryption scheme is based on the Data Encryption Standard
(DES) . The algorithm itself is referred to as the Data Encryption Algorithm
(DEA). DES takes a plaintext block of 64 bits and a key of 56 bits, to produce
a ciphertext block of 64 bits. Concerns about the strength of DES fall into two
categories: concerns about the algorithm itself and concerns about the use of a
56-bit key. The first concern refers to the possibility that cryptanalysis is
possible by exploiting the characteristics of the DES algorithm. Over the
years, there have been numerous attempts to find and exploit weaknesses in the
algorithm, making DES the most-studied encryption algorithm in existence. A
more serious concern is key length. With a key length of 56 bits, there are 256
possible keys, which is approximately 7.2 ´ 1016 keys. As noted on
the previous slide, this can now be broken relatively easily.
The life of DES was extended by the use of
triple DES (3DES), which involves repeating the basic DES algorithm three
times, using either two or three unique keys, for a key size of 112 or 168
bits. Triple DES (3DES) was first standardized for use in financial
applications. 3DES was incorporated as part of the Data Encryption Standard.
3DES has two attractions that assure its widespread use over the next few
years. First, with its 168-bit key length, it overcomes the vulnerability to
brute-force attack of DEA. Second, the underlying encryption algorithm in 3DES
is the same as in DEA. The principal drawback of 3DES is that the algorithm is
relatively sluggish in software.
Logic bomb
A logic bomb is a piece of code intentionally
inserted into a software system that will set off a malicious function
when specified conditions are met. For example, a programmer may hide a piece
of code that starts deleting files (such
as a salary database trigger),
should they ever be terminated from the company.
Software
that is inherently malicious, such as viruses and worms,
often contain logic bombs that execute a certain payload at a pre-defined time or when some
other condition is met. This technique can be used by a virus or worm to gain
momentum and spread before being noticed. Many viruses attack their host
systems on specific dates, such as Friday the 13th or April Fool's Day.
Trojans that activate on certain dates are often called "time bombs".
To be
considered a logic bomb, the payload should be unwanted and unknown to the user
of the software. As an example, trial programs with code that disables certain
functionality after a set time are not normally regarded as logic bombs.
Zombie
In computer science, a zombie is a computer connected
to the Internet that
has been compromised by a cracker, computer
virus or trojan horse and can be used to perform malicious tasks of
one sort or another under remote direction. Botnets of zombie computers are often used to
spread e-mail spam and
launch denial-of-service attacks. Most owners of zombie computers are unaware that
their system is being used in this way. Because the owner tends to be unaware,
these computers are metaphorically compared to zombies.
Life Cycle of a Virus
Creation
Until a few years ago, creating a virus required knowledge of a computer programming language. Today anyone with even a little programming knowledge can create a virus. Usually, though, viruses are created by misguided individuals who wish to cause widespread, random damage to computers. |
Replication
Viruses replicate by nature. A well-designed virus will replicate for a long time before it activates, which allows it plenty of time to spread. |
Activation
Viruses that have damage routines will activate when certain conditions are met, for example, on a certain date or when a particular action is taken by the user. Viruses without damage routines don't activate, instead causing damage by stealing storage space. |
Discovery
This phase doesn't always come after activation, but it usually does. When a virus is detected and isolated, it is sent to the International Computer Security Association in Washington, D.C., to be documented and distributed to antivirus developers. Discovery normally takes place at least a year before the virus might have become a threat to the computing community. |
Assimilation
At this point, antivirus developers modify their software so that it can detect the new virus. This can take anywhere from one day to six months, depending on the developer and the virus type. |
Eradication
If enough users install up-to-date virus protection software, any virus can be wiped out. So far no viruses have disappeared completely, but some have long ceased to be a major threat. |
Intrusion
detection system
An intrusion detection
system (IDS) is a device or software
application that monitors network and/or system activities for malicious
activities or policy violations and produces reports to a Management Station.[1] Some
systems may attempt to stop an intrusion attempt but this is neither required
nor expected of a monitoring system.[1] Intrusion
detection and prevention systems (IDPS) are primarily focused on identifying
possible incidents, logging information about them, and reporting attempts.[1] In
addition, organizations use IDPSes for other purposes, such as identifying
problems with security policies, documenting existing threats, and deterring
individuals from violating security policies.[1] IDPSes
have become a necessary addition to the security infrastructure of nearly every
organization.[1]
IDPSes
typically record information related to observed events, notify security administrators
of important observed events, and produce reports.[1] Many
IDPSes can also respond to a detected threat by attempting to prevent it from
succeeding.[1] They
use several response techniques, which involve the IDPS stopping the attack
itself, changing the security environment (e.g., reconfiguring a firewall), or
changing the attack’s content.[1]
Types
For the purpose of dealing with IT, there are
two main types of IDS:
is an independent platform that identifies
intrusions by examining network traffic and monitors multiple hosts. Network
intrusion detection systems gain access to network traffic by connecting to anetwork hub, network switch configured
for port mirroring, or network tap.
In a NIDS, sensors are located at choke points in the network to be monitored,
often in the demilitarized zone (DMZ) or at
network borders. Sensors capture all network traffic and analyzes the content
of individual packets for malicious traffic. An example of a NIDS is Snort.
It consists of an agent on a host that
identifies intrusions by analyzing system calls, application logs, file-system
modifications (binaries, password files, capability databases, Access control lists, etc.) and other host
activities and state. In a HIDS, sensors usually consist of a software agent.
Some application-based IDS are also part of this category. An example of a HIDS
is OSSEC.
Intrusion detection systems can also be
system-specific using custom tools and honeypots.
0 Comments:
Post a Comment