Important Questions and Answers for Mid-1 Examination

1. What is cookie? Explain cookie protocol and applications of cookie

Ans) Cookie:- A Cookie is a small piece of textual information sent by the server
to the client, stored on the client, and returned by the client for all requests to
the server.

Applications of cookies

2. List out various reasons for maintaining the backups.

Ans)
 3. List out and explain different cryptographic protocols.
Ans)

Ans) Cryptographic protocols are network protocols used for providing

confidentiality, authentication, integrity and non repudiation in a network
environment. Such systems require realtime interplay between client and server
to work properly. Some of the popular systems that fall into this category
include the following

a) SSL
b) PCT
c) S-HTTP
d) SET
e) DNSSEC
f) IPsec and IPv6
g) Kerberos
h) SSH

PCT

PCT is a transport layer security protocol similar to SSL that was developed by
Microsoft. Reportedly, the acronym has had several expansions: the current favored
one is Private Communications Technology. PCT was developed in response to
problems with SSL 2.0; these problems were also addressed in SSL 3.0. Although
Microsoft is supporting SSL 3.0 and TLS, the new Transport Layer Security model,
Microsoft intends to continue supporting PCT because it is being used by several large
Microsoft customers on their corporate intranets.

SET

SET is a cryptographic protocol designed for sending encrypted credit card numbers
over the Internet. Unlike the other protocols described here, it is still under
development. There are three parts to the SET system: an "electronic wallet" that
resides on the user's computer; a server that runs at the merchant's web site; and the
SET Payment Server that runs at the merchant's bank. To use the SET system, you
must first enter your credit card number into the electronic wallet software. Most
implementations will store the credit card number in an encrypted file on your hard
disk or in a smart card. The software also creates a public and a secret key for
encrypting your financial information before it is sent over the Internet. When you
want to buy something, your credit card number is encrypted and sent to the merchant.
The merchant's software digitally signs the payment message and forwards it to the
processing bank, where the Payment Server decrypts all of the information and runs
the credit card charge. Finally, a receipt gets sent back to both the merchant and you,
the customer. Banks that process credit cards are excited about SET because it keeps
credit card numbers out of the hands of the merchants. That should cut down on a lot
of fraud, because it is merchants (and their employees), and not teenage hackers, who
are responsible for much of the credit card fraud in the world today. SET offers
confidentiality for credit card numbers, as they are encrypted using the RSA
algorithm. But it does not offer confidentiality (and thus privacy) for the other
elements of a user's transaction: this was a compromise necessary to gain approval to
export the SET software without restriction. SET does provide for integrity,
authentication, and nonrepudiation through the use of message digest functions and
digital signatures.

DNSSEC

The Domain Name System Security ( DNSSEC) standard is a system designed to

bring security to the Internet's Domain Name System (DNS). DNSSEC creates a
parallel public key infrastructure built upon the DNS system. Each DNS domain is
assigned a public key. A domain's public key can be obtained in a trusted manner from
the parent domain or it can be preloaded into a DNS server using the server's "boot"
file.

IPsec and IPv6

IPsec is a cryptographic protocol designed by the Internet Engineering Task Force to

provide end-to-end confidentiality for packets traveling over the Internet. IPsec works
with IPv4, the standard version of IP used on today's Internet. IPv6, the "next-
generation" IP, includes IPsec. IPsec does not provide for integrity, authentication, or
non repudiation, but leaves these features to other protocols. Currently, the main use of
IPsec seems to be as a multivendor protocol for creating virtual private networks
(VPNs) over the Internet. But IPsec has the capacity to provide authentication,
integrity, and optionally, data confidentiality for all communication that takes place
over the Internet, provided that vendors widely implement the protocol and that
governments allow its use.

Kerberos

Kerberos is a network security system developed at MIT and used throughout the
United States. Unlike the other systems mentioned in this chapter, Kerberos does not
use public key technology.61 Instead, Kerberos is based on symmetric ciphers and
secrets that are shared between the Kerberos server and each individual user. Each
user has his own password, and the Kerberos server uses this password to encrypt
messages sent to that user so that they cannot be read by anyone else. Support for
Kerberos must be added to each program that is to be protected. Currently,
"Kerberized" versions of Telnet, FTP, POP, and Sun RPC are in general use. A system
that used Kerberos to provide confidentiality for HTTP was developed but never made
it out of the lab. Kerberos is a difficult system to configure and administer. To operate
a Kerberos system, each site must have a Kerberos server that is physically secure.
The Kerberos server maintains a copy of every user's password. In the event that the
Kerberos server is compromised, every user's password must be changed.

SSH

SSH is the secure shell. It provides for cryptographically protected virtual terminal
(Telnet) and file transfer (rcp) operations. Noncommercial versions of SSH are
available for many versions of UNIX. SSH is available for UNIX, Windows, and the
Macintosh from Data Fellows (http://www.datafellows.com).

4. List and Explain different Web Security Problems?

Ans)

The web security problem consists of three major parts:

1) Securing the web server and the data that is on it. You need to be sure that
the server can continue its operation, the information on the server is not
modified without authorization, and the information is only distributed to those
individuals to whom you want it to be distributed.
2) Securing information that travels between the web server and the user. You
would like to assure that information the user supplies to the web server
(usernames, passwords, financial information, etc.) cannot be read, modified, or
destroyed by others. Many network technologies are especially susceptible to
eavesdropping, because information is broadcast to every computer that is on
the local area network.
3) Securing the user's own computer. You would like to have a way of assuring
users that information, data, or programs downloaded to their systems will not
cause damage - otherwise, they will be reluctant to use the service. You would
also like to have a way of assuring that information downloaded is controlled
thereafter, in accordance with the user's license agreement and/or copyright.

Along with all of these considerations, we may also have other requirements. For
instance, in some cases, we have the challenges of:

a) Verifying the identity of the user to the server

b) Verifying the identity of the server to the user
 c) Ensuring that messages get passed between client and server in a timely
fashion, reliably, and without replay
d) Logging and auditing information about the transaction for purposes of
billing, conflict resolution, "non repudiation," and investigation of misuse
e) Balancing the load among multiple server.

5. Explain different computer based Identification techniques

Ans)

Computerized Identification techniques

Personal computers didn’t really care who was using them. They just
let anyone sitting at the keyboard do whatever they wanted. That’s
why they are called personal computers- they were meant for one
person.
But things have changed. Now a days computers can be connected
the internet, and sometimes many people share one computer with
important stuff on it. So just relying on who’s physically there isn’t
enough to keep things safe. We need a way to know who’s using the
computer

Now , lots of us have different IDs like passwords or even our faces.
So, why not use those to prove who we are, when we use a computer?

Unfortunately, most computers can't look at your face and then glance at your
driver's license to decide if you should be allowed access or not:

a) Most computers don't have video cameras.

b) Even computers that do have video cameras don't have software that lets
them reliably identify a person.
c) Even computers that can identify people from video images still don't
have the "common sense" to know if they are looking at a real-time video
image of a person or a videotape of the person that's been previously
recorded.
d) And even if computers had common sense, they don't have the hands,
fingers, and so forth to look at a driver's license and determine if it is a
true instrument or an imitation.

a) Password Based System: Something that you know

 The first way computers checked who you were is by using
passwords. Every user had a username and a secret password. To
prove it’s really you, you type in your password. If it matches the
one stored in the computer, you get access.
Passwords are still popular because they’re easy, familiar and don’t
need special stuff. But there are issues:

a) Most computers don't have video cameras.

b) Even computers that do have video cameras don't have software that lets
them reliably identify a person.
c) Even computers that can identify people from video images still don't
have the "common sense" to know if they are looking at a real-time video
image of a person or a videotape of the person that's been previously
recorded.
d) And even if computers had common sense, they don't have the hands,
fingers, and so forth to look at a driver's license and determine if it is a
true instrument or an imitation.

b) Physical tokens: Something that you have

Another way to prove who you are is by using something physical,
like a access card. These cards are often used in business. When you
want to open a door, you just put the card near a reader. Each card
has its own special number. The system knows which cards can
open which doors at certain times.

As with passwords, tokens have problems as well:

a) The token doesn't really "prove" who you are. Anybody who has physical
possession of the token can gain access to the restricted area.
b) If a person loses his token, he cannot enter the restricted area, even
though his identity hasn't changed.
c) Some tokens are easily copied or forged.

c) Biometrics: Something that you are

 Because of the possibility of false matches, biometrics are often
combined with passwords or tokens. In the case of passwords, a user
might be asked to type a secret identification code, such as a personal
identification number (PIN), and then give a biometric sample, such as a
voice-print.
d) Location.

Some companies are developing authentication systems based on the

Global positioning System(GPS). Such systems authenticate users
based on where they are.

6. What is log file? Explain different types of Log files.

Ans)

Log files are a historical record of everything and anything that happens within a
system, including events such as transactions, errors and intrusions.
Log files are ubiquitous. Programmers add log files to their programs to assist in
writing and debugging. System operators leave log files enabled so they can verify that
software is working correctly, and so they can diagnose the cause of problems when
things do not operate properly. Governments and marketers use this information
because it is an excellent source of data.

Different types of log file

1. Web Log

Practically every time a web browser downloads a page on the Web, a record of
this event is routinely recorded in the log files of the remote web server. If the
web page is assembled using a database server, the database server may create
log files of its own. Finally, web logs are also routinely kept on network
firewalls, web proxies, and web cache.
The following information is either stored directly in most web log files

a) The name and IP address of the computer that downloaded the web page.
b) The time of the request.
c)The URL that was requested.
d)The time it took to download the file (this is an indication of the user’s
Internet connection) etc.
2. RADIUS Logs

RADIUS (Remote Authentication Dial-In User Service) is widely used on the

Internet by ISPs and large organizations to validate usernames/passwords for
dialup users and to provide for proper accounting. Originally designed by
Livingston, RADIUS is now widely implemented by Cisco, Nortel, Lucent,
Redback, and most other vendors.

3. Mail Logs

Every time an email message is sent, received, or transported through a mail

server, there is a good chance that some program somewhere is making note of
that fact in a mail log file. Mail logs usually contain the from: and to: email
addresses, the time that the message was sent, and the message-id. Subject: lines
and content are usually not logged.

4. DNS Logs

The bind DNS nameserver produced by the Internet Software Consortium can
be configured to log every DNS query that it receives. The bind log file contains
 name of the host from which each query was made, the IP address from which
the query was made, and the query itself.

7. What are different security measures need to taken for Backups

Ans)

1. Physical security for backups

a) Remove Tapes from the Drive: Always remember to take the tape out of
the tape drive when not actively using it. This prevents data loss in case of
theft or other incidents. There was a case where a company lost everything
because thieves stole their computer, including the tape drive with the
backup tape still inside.

b) Store Backups Offsite: Do not keep your backup tapes in the same room as
your computer system. If a disaster like fire, flood, explosion, or building
collapse occurs, it could damage or destroy both your computer and backups.
Keep your backups in a different location to ensure their safety.

c) Consider a Fireproof Safe: To protect your backup tapes, you can invest in
a fireproof safe. However, it's essential to place the safe offsite, away from
your computer system. Fireproof safes are excellent for protecting against
fire and theft, but they may not safeguard against other types of damage like
explosions or certain water damage.

d) Choose the Right Safe: Ensure that the safe you select is designed for
storing your specific type of backup media. Some generic fire-resistant safes
are not magnetically safe for tapes. Also, some safes have chemicals inside
their walls that can damage plastic materials like magnetic tapes or CD-
ROMs when exposed to heat.

2. Write-protect your backups.

After you have removed a backup tape from a drive, do yourself a favor and
flip the write-protect switch. A write-protected tape cannot be accidentally
erased. If you are using the tape for incremental backups, you can flip the
write-protect switch when you remove the tape, and then flip it again when
you reinsert the tape later. If you forget to unprotect the tape, your software
will probably give you an error and let you try again. On the other hand,
having the tape write-protected will save your data if you accidentally put the
wrong tape in the tape drive, or run a program on the wrong tape.
3. Data security for backups
 a) Protect Backup Tapes: Backup tapes can restore all your computer files, so
keep them locked up securely.

b) Security Incident: An employee stole a backup tape containing sensitive

data, which could be used against the company.

c) Transfer Safely: When moving backup tapes, ensure the same level of
security as you do for your computers. Messengers may not be suitable for
sensitive data transfers.

d) Encryption for Security: Using encryption greatly improves backup tape

security, but make sure more than one person knows the encryption key.
Consider escrowing the key.
Recommendations for Key Storage:
- Change encryption keys infrequently or not at all, as it can be
cumbersome.
- Store key copies on paper in envelopes, distributing them among key
individuals.
- Use encryption systems like PGP that allow multiple recipients to
decrypt the key.
- Consider secret-sharing systems, where multiple board members must
collaborate to access the key.

8. List and explain different Cryptographic programs used for encrypting

emails.
Ans)
1. PGP
2. S/MIME
Check in your Notes, for the above two concept.