Model Answer Pattern for IS

Upload: sanjay-kanogiya

Posted on 07-Apr-2018


  • 8/6/2019 MOdel Ans Patern for Is


    Q1.

    a) Incident handling consists of the following points (a proper explanation of each point is expected):

    (1) Preparing and planning (what are the goals and objectives in handling an incident). (half mark)

    (2) Notification (who should be contacted in the case of an incident): local managers and personnel; law enforcement and investigative agencies; computer security incident handling teams; affected and involved sites; internal communications; public relations and press releases. (half mark)

    (3) Identifying an incident (is it an incident, and how serious is it?). (half mark)

    (4) Handling (what should be done when an incident occurs): notification (who should be notified about the incident); protecting evidence and activity logs (what records should be kept from before, during, and after the incident); containment (how can the damage be limited?); eradication (how to eliminate the causes of the incident); recovery (how to re-establish services and systems); follow-up (what actions should be taken after the incident). (2 marks)

    (5) Aftermath (what are the implications of past incidents?). (half mark)

    b) Risk Assessment:

    What is risk assessment? (1 mark)

    It is a balanced and realistic approach to quantifying the probable amount of risk. The two steps involved are:

    1) Identifying the assets (2 marks)

    1. Hardware: CPUs, boards, keyboards, terminals, workstations, personal computers,

    printers, disk drives, communication lines, terminal servers, routers.

    2. Software: source programs, object programs, utilities, diagnostic programs, operating

    systems, and communication programs.

    3. Data: during execution, stored on-line, archived off-line, backups, audit logs, databases,

    in transit over communication media.

    4. People: users, administrators, and hardware maintainers.

    5. Documentation: on programs, hardware, systems, and local administrative procedures.

    6. Supplies: paper, forms, ribbons, and magnetic media.


    2) Identifying the threats (1 mark)

    Unauthorized access to resources and/or information

    Unintended and/or unauthorized Disclosure of information

    Denial of Service

    c) Botnets

    What are Botnets? (2 marks)

    A botnet (also known as a zombie army) is a number of Internet computers that, although

    their owners are unaware of it, have been set up to forward transmissions (including spam

    or viruses) to other computers on the Internet. Any such computer is referred to as a

    zombie - in effect, a computer "robot" or "bot" that serves the wishes of some master

    spam or virus originator.

    How does it use IRC? (1 mark) (The bots join a channel on an IRC server and take their commands from messages the controller posts there.)

    Applications of botnets, such as DDoS, spam relaying etc. (1 mark)

    d) Digging for Worms:

    E-mail isn't the only way that viruses and worms spread, but it's one of the most common. The following approaches are used to dig for worms: (1 mark for each approach)

    1. One approach, of course, is to screen each piece of incoming mail on each desktop. It's a good idea to use a different brand of virus scanner for your gateway than for your desktops, so that a signature one vendor misses may still be caught by the other. In some cases, you may want to add your own patterns.

    2. It's not hard to install a centralized filter for malware at the mail gateway.

    3. Use MX records to ensure that all inbound e-mail goes to a central place. Make sure that you include a wildcard MX record, too, for both your inside and your outside DNS:

    example.com.    IN MX 10 mail-gw.example.com.
    *.example.com.  IN MX 10 mail-gw.example.com.

    (In zone-file syntax the target must end with a dot; without it the zone origin is appended and the record points at mail-gw.example.com.example.com.) Just make sure that you filter out any more-specific inbound records. An MX record only tells senders where to deliver; it does not stop a sender from connecting to an internal host directly, so the firewall should also block inbound SMTP (TCP port 25) to anything other than the gateway.

    4. Outgoing e-mail should be scanned, too. There's no convenient analog to MX records for outbound mail; in practice the outbound path is enforced by configuring clients to relay through the gateway and blocking outbound port 25 from other hosts.


    A more dangerous form of annoyance is the trailer that reads something like this:

    This piece of e-mail has been scanned, X-rayed, and screened for excessive nitrogenous compounds by ASCI/phage 2.71827, and is warranted to be free of viruses and worms. It is safe for consumption by humans and computers.

    A trailer like that is about equivalent to naming a file "This is not a virus.exe": it asserts nothing the recipient can verify, and a worm can append the very same trailer to the messages it sends.

    e) Digital Envelope

    Explanation (3 marks)

    In practice, symmetric-key cryptography and asymmetric-key cryptography are combined into a very efficient security solution.

    When using secret-key cryptosystems, users must first agree on a session key, that is, a secret key to be used for the duration of one message or communication session. In completing this task there is a risk that the key will be intercepted during transmission. This is part of the key management problem.

    Public-key cryptography offers an attractive solution to this problem within a framework called a digital envelope.

    A digital envelope is a secure container for an electronic message. It is a packet of electronic data comprising an encoded message plus authenticating information. The digital envelope consists of a message encrypted using secret-key cryptography and an encrypted copy of that secret key. While digital envelopes usually use public-key cryptography to encrypt the secret key, this is not necessary.

    (Diagram 1 mark)

    If Alice and Bob have an established secret key, they could use this to encrypt the secret key in the digital envelope.


    Suppose Alice wants to send a message to Bob using secret-key cryptography for message encryption and public-key cryptography to transfer the message encryption key.

    Alice chooses a secret key and encrypts the message with it, then encrypts the secret key using Bob's public key. She sends Bob both the encrypted secret key and the encrypted message.

    When Bob wants to read the message he decrypts the secret key using his private key, and then decrypts the message using the secret key.

    In a multi-addressed communications environment such as e-mail, this can be extended directly and usefully. If Alice's message is intended for both Bob and Carol, the message encryption key can be represented concisely in encrypted form for Bob and for Carol, along with a single copy of the message content encrypted under that message encryption key.

    Alice and Bob may use this key to encrypt just one message or they may use it for an extended communication. One of the nice features of this technique is that they may switch secret keys as frequently as they like.

    Not only do digital envelopes help solve the key management problem; they increase performance without sacrificing security. The increase in performance is obtained by using a secret-key cryptosystem to encrypt the large and variably sized amount of message data, reserving public-key cryptography for encryption of short keys. In general, secret-key cryptosystems are much faster than public-key cryptosystems.

    Two practical cautions: the session key must be wrapped with a padded public-key scheme (RSA-OAEP, for example) rather than raw textbook RSA, and the message should be encrypted with an authenticated mode, since the envelope as described provides confidentiality only and nothing stops an attacker from altering the ciphertext.

    The digital envelope technique is a method of key exchange, but not all key exchange protocols use digital envelopes.


    f) Exponential Attacks:

    What are exponential attacks? (1 mark)

    Exponential attacks use programs to spread themselves, multiplying their numbers quickly. When the programs travel by themselves, they are worms. When they attach to other programs, they are viruses.

    How do they spread? What is the impact of the attacks? (2 marks)

    These programs succeed by exploiting common bugs or behaviours found in a large population of susceptible programs or users.

    They can spread around the world within hours, and potentially in a few minutes.

    They can cause vast economic harm spread over a large community. The Melissa worm clogged Microsoft-based e-mail in some companies for five days. Various worms have added substantial load to the entire Internet.

    These programs tend to infect "targets of opportunity" rather than specific individuals or organizations, but their payloads can and do attack popular political and commercial targets.

    Example of an exponential attack (1 mark)

    Q2.

    a) What is a security policy? (1 mark) (Either definition)

    A security policy is the set of decisions that, collectively, determines an organization's attitude toward security.

    A security policy defines the boundaries of acceptable behaviour and what the response to violations should be.

    Characteristics of a security policy (3 marks)

    (1) It must be implementable through system administration procedures, publishing of acceptable use guidelines, or other appropriate methods.


    (2) It must be enforceable with security tools, where appropriate, and with sanctions, where actual

    prevention is not technically feasible.

    (3) It must clearly define the areas of responsibility for the users, administrators, and

    management.

    The components of a good security policy (for 8 components, 4 marks):

    (1) Computer Technology Purchasing Guidelines, which specify required, or preferred, security

    features. These should supplement existing purchasing policies and guidelines.

    (2) A Privacy Policy which defines reasonable expectations of privacy regarding such issues as

    monitoring of electronic mail, logging of keystrokes, and access to users' files.

    (3) An Access Policy, which defines access rights and privileges to protect assets from loss or

    disclosure by specifying acceptable use guidelines for users, operations staff, and management. It

    should provide guidelines for external connections, data communications, connecting devices to a

    network, and adding new software to systems.

    (4) An Accountability Policy, which defines the responsibilities of users, operations staff, and

    management. It should specify an audit capability, and provide incident handling guidelines (i.e.,

    what to do and who to contact if a possible intrusion is detected).

    (5) An Authentication Policy which establishes trust through an effective password policy, and

    by setting guidelines for remote location authentication and the use of authentication devices

    (e.g., one-time passwords and the devices that generate them).

    (6) An Availability statement, which sets users' expectations for the availability of resources. It

    should address redundancy and recovery issues, as well as specify operating hours and

    maintenance downtime periods.

    (7) An Information Technology System & Network Maintenance Policy which describes how

    both internal and external maintenance people are allowed to handle and access technology. One

    important topic to be addressed here is whether remote maintenance is allowed and how such

    access is controlled. Another area for consideration here is outsourcing and how it is managed.


    (8) A Violations Reporting Policy that indicates which types of violations (e.g., privacy and

    security, internal and external) must be reported and to whom the reports are made. A non-

    threatening atmosphere and the possibility of anonymous reporting will result in a greater

    probability that a violation will be reported if it is detected.

    (9) Supporting Information which provides users, staff, and management with contact

    information for each type of policy violation; guidelines on how to handle outside queries about a

    security incident, or information which may be considered confidential or proprietary; and cross-

    references to security procedures and related information, such as company policies and

    governmental laws and regulations.

    b) Social Engineering:

    What is social engineering? (2 marks)

    1. Social engineering is hacker-speak for tricking a person into revealing some vital information. In other words, social engineering is the practice of deceiving people into revealing sensitive data about a computer system, often over the Internet.

    2. It is something of an art, a special tool of the attacker, who plays psychological tricks on the target in order to obtain important information. All this happens without the knowledge of the target, i.e. the target does not realise that he or she is giving vital information to the attacker.

    3. Social engineering is a term that describes a non-technical kind of intrusion that relies on human interaction and often involves tricking other people into breaking normal security procedures.

    Methods used by attackers (2 marks):

    Through personal conversation

    Through telephone conversation

    By chatting with the target

    By sending anonymous (or forged) mails

    Example of the trick (1 mark)

    Countermeasures (1 mark)


    c) Bugs and backdoors.

    What are bugs? (1 mark)

    A bug is something in a program that does not meet its specification. A bug may refer to some kind of problem in the software which is not desired by its author.

    Countermeasures (1 mark)

    The programmer should check input for correctness at every point, never assuming that a caller or a remote peer has supplied well-formed data.

    If the program has fixed-size buffers of any sort, then it must be made sure that they cannot overflow (every length is checked before data is copied in).

    If dynamic memory allocation is used, prepare for memory or file-system exhaustion, with proper recovery strategies, which may themselves need memory or disk space.

    What are backdoors? (1 mark)

    A backdoor is a feature of a program that can be used to make it act in some way that the person who is running it did not intend.

    Backdoors are shortcut entry points to software or networks, i.e. entry without going through the authentication mechanisms.

    How does it affect the computer? (1 mark)

    These are programs which, when installed on the target systems, may allow easy access to attackers or give them sufficient information about the target to carry out further attacks. There are several backdoor programs used by attackers; they are like automated tools which carry out the destructive jobs for the attacker.

    Countermeasures (1 mark)

    The main defence against backdoors is checking every piece of software before it is deployed: reviewing the source where it is available, and verifying the origin and integrity of binaries (for example against a vendor-published checksum or signature) so that a tampered copy is never installed.

    Cleaner tools are also available to protect against backdoors (these work in a similar manner to antivirus utilities).

    Example (1 mark)


    Q3.

    a)

    Definition of cryptography. (1 mark)

    Techniques:

    Substitution techniques (explanation of any 4 techniques) (4 marks):

    1. Caesar cipher (used by Julius Caesar)

    2. Modified Caesar cipher

    3. Mono-alphabetic cipher

    4. Homophonic substitution cipher

    5. Polygram substitution cipher

    6. Polyalphabetic cipher, etc.

    Transposition techniques (explanation of any 3 techniques) (3 marks):

    1. Rail fence technique

    2. Simple columnar transposition

    3. Simple columnar transposition with multiple rounds

    4. Vernam cipher (one-time pad)

    5. Book cipher, etc.

    (Note that the Vernam and book ciphers combine each plaintext character with a key character rather than rearranging positions, so strictly they are substitution-style ciphers even though the syllabus text lists them under this heading.)

    b)

    What is a firewall? (1 mark)

    Architecture of the firewall, with diagram (1 mark)

    Distributed firewall: concept (1 mark)

    Instead of one checkpoint at the perimeter, policy is enforced on every host. This provides multiple checkpoints, so the design is less prone to a single point of failure; attacks originating inside the network can be prevented, giving a more secure implementation; servers can be placed outside the perimeter; operation is more flexible; and different security levels are possible for different hosts.

    Features of a distributed firewall (4 features) (2 marks)

    Distributed firewalls are host-resident security solutions.

    They are meant to provide higher security to corporate networks.

    The main features include centralized management, logging and fine access-control granularity.


    These protect remote employees, precious servers of the enterprise, internal

    network as well as the individual terminal.

    Diagram: (1 mark)

    c)

    Protocol Failure:

    Concept: (2 marks)

    1. The protocols used in networks also have certain limitations or problems contained in them, which prevent applications from doing the appropriate thing. Since they work underneath the applications, this may increase vulnerability.

    2. In protocol failures we consider the reverse of application bugs: areas where the protocols themselves are inadequate, thus denying the application the opportunity to do the right thing.

    An example of such a failure is in the TCP/IP protocols themselves. (2 marks)

    TCP provides a reliable virtual circuit (a byte stream) on top of IP datagrams. An attacker who can observe packets on the path learns the source and destination addresses, port numbers and sequence numbers of a connection. IP itself is a stateless and unreliable protocol: no guarantee of delivery can be given, and nothing in IP authenticates the source address, so it is possible for attackers to send packets using any known or valid source address (IP spoofing). Together with predictable TCP initial sequence numbers, this is what makes blind spoofing and connection hijacking possible.


    Diagram and explanation of the TCP three-way handshake. (2 marks)

    Q4.

    a)

    Different types of viruses: (4 marks)

    Viruses are classified in the following 4 ways (by where they reside in memory, by what they target, by how they obfuscate themselves, and by their payload):

    Memory-Based

    Target-Based

    Obfuscation-Based

    Payload-Based

    Structure of a virus (Cohen's model): (2 marks)

    program V :=
    { goto main;
      1234567;                          -- signature: marks a file already infected by V

      subroutine infect-executable :=
      { loop:
        file := get-random-executable-file;
        if (first-line-of-file = 1234567)
          then goto loop                -- already infected, pick another file
          else prepend V to file;
      }

      subroutine do-damage :=
      { whatever damage is to be done }

      subroutine trigger-pulled :=
      { return true if some condition holds }

      main: main-program :=
      { infect-executable;
        if trigger-pulled then do-damage;
        goto next;
      }

      next:
    }

    Prevention (any 4 points) (2 marks)

    1. Always keep backups of your data/programs.

    2. Keep floppies write-protected (especially if they are bootable).

    3. Do not copy anything into your system from an unknown source.

    4. Restrict the use of the machine to authorized users only.

    5. Never download mail attachments or unknown content from the Internet.

    6. Even after taking these precautions, if a virus creeps into your system it can be detected in various ways apart from using a virus scanner (unexpected changes in file sizes, timestamps or checksums, for example).

    b) Strategies for a secure network: (explanation of the 6 strategies) (6 marks)

    Host security

    Authentication of users

    Choosing good passwords and protecting them

    Using firewalls and proxy servers

    DMZ

    Making use of encryption


    c)

    What is Malicious software: (1 mark)

    Comparison :

    For 5 categories (5 marks)

    Concept

    Method of infection

    Carriers

    Types

    Example

    Q5.

    a) Packet Filter:

    Concept and diagram (2 marks)

    1. This firewall checks each and every IP packet individually, whether coming into or going out of the private network.

    2. According to the selected policies (called rule-sets or Access Control Lists, ACLs) it determines whether to accept a packet or reject it.

    Advantages/features of packet filters: (2 marks)

    1. Simple and straightforward mechanism.

    2. It is cost effective.

    3. It is fairly effective and adequate in most cases.

    4. Operation is totally transparent to the users.

    5. Faster in operation.

    6. A dedicated packet-filtering appliance has a built-in operating system optimized for security and performance, so it can be plugged into a network regardless of the operating systems of the hosts being protected.

    Circuit-level gateway:

    Definition (1 mark)

    These run at the transport layer of the TCP/IP model (the session layer in the OSI model). They check for specific sessions or services when filtering; they neither inspect individual packets nor the entire application protocol. They are sometimes called relays, since they relay the sessions/services (also called circuits) on behalf of the users.

    Features of a circuit-level gateway: (any 3 features) (1 mark)

    1. More secure than packet filters, since they work at a higher level.

    2. Do not check individual packets, inbound or outbound.

    3. Can hide the internal network structure from external entities.

    4. Flexibility to enable or disable sessions or services is available.

    5. Less expensive compared to application-level products.

    6. Operation is transparent to the end users.

    Example along with diagram (2 marks)

    The SOCKS server is an example of a real-life implementation of a circuit gateway. It is a client-server application: the SOCKS client (a library linked into, or configured in, the user's application) runs on the internal host, and the SOCKS server runs on the firewall.


    Diagram:

    b) Any of the symmetric cryptographic algorithms (such as IDEA, DES etc.)

    DES (Data Encryption Standard) Cipher Algorithm

    DES is a 16-round Feistel cipher with a block size of 64 bits and a 56-bit key (the 64-bit key input carries 8 parity bits). IBM developed DES in 1974 in response to a federal government public invitation for data encryption algorithms. In 1977, DES was published as a federal standard, FIPS PUB 46.

    Algorithm:

    Step 1: The 64-bit plain text block is handed over to the initial permutation (IP) function.

    Step 2: IP is performed on the plain text.

    Step 3: IP produces 2 halves, say LPT and RPT, of 32 bits each.

    Step 4: Perform 16 rounds of the encryption process, each with its own 48-bit round key (sub-key). Each round consists of:

    4a: Key transformation
    4b: Expansion permutation (EP)
    4c: S-box substitution
    4d: P-box permutation
    4e: XOR and swap

    Step 5: LPT and RPT are rejoined and a final permutation (FP) is performed on the combined block.

    Step 6: The result of this process is the 64-bit cipher text.

    Diagrammatic representation:

    [Diagram: 64-bit plain text -> IP -> LPT | RPT -> 16 rounds -> FP -> cipher text]

    Explanation of the algorithm:

    IP is performed by consulting the IP table. It happens only once, before the first round. The table states how the transposition in IP should proceed.

    In each round, step 1 is key transformation. That is achieved by:

    1. Shifting each 28-bit half of the key left by the number of positions given for that round in the round (shift) table.


    2. Applying the compression permutation (compression table) to the 56 shifted key bits to obtain the 48-bit sub-key.

    Step 2 is expansion permutation (EP).

    In this step, the 32-bit RPT is expanded to 48 bits so that it matches the length of the round key. The process is as follows:

    The 32-bit text is divided into 8 blocks of 4 bits each. Each 4-bit block is widened to 6 bits by adding 2 extra bits: the last bit of the previous block is placed before it and the first bit of the next block is placed after it, wrapping around, so block 1 borrows the last bit of block 8 and block 8 borrows the first bit of block 1. This gives the 48-bit text; looking up the expansion permutation table produces the same result.

    Step 3 in the round is S-box substitution.

    1. This step reduces the 48 bits back to 32 bits, because LPT is 32 bits.

    2. The S-boxes are substitution tables (lookups), not XOR logic; the XOR with the round key happens just before them.

    The 48-bit key (result of step 1) and the 48-bit expanded RPT (result of step 2) are XORed, and the 48-bit output is the input block for the S-box substitution.

    The 48-bit block is divided into 8 blocks of 6 bits each, one per S-box.

    The decimal equivalent of the first and last bits of a block denotes the row number, and the decimal equivalent of bits 2, 3, 4 and 5 denotes the column number of the S-box substitution table.

    Look up the value at that row and column and take its 4-bit binary equivalent. The result is a 4-bit binary number.

    For example, if the 6-bit number is 100101, then the first and last bits are 11, whose decimal equivalent is 3. The remaining bits are 0010, whose decimal equivalent is 2. If it is the first block of input, check the row 3, column 2 entry (rows and columns numbered from 0) of the S-box 1 table. In the FIPS 46 S-box 1 this entry is 8, whose binary equivalent is 1000.

    The 6-bit input 100101 is thus reduced to the 4 bits 1000 after S-box substitution. Doing this for all 8 blocks gives 8 x 4 = 32 bits.


    Step 4 in the round is P-box permutation.

    In this step, the 32-bit output of the S-boxes is permuted using a P-box. This is a simple (straight) permutation: each bit is moved to another position as specified in the P-box table, without any expansion or compression. This is called P-box permutation. The P-box is shown below:

    16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
    2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

    For example, the 16 in the first position indicates that the bit at input position 16 moves to position 1 in the output.

    Step 5 is XOR and swap.

    The untouched LPT, which is 32 bits, is XORed with the resultant RPT, that is, with the output produced by the P-box permutation. The result of this XOR operation becomes the new right half. The old right half (the value RPT had at the start of the round, not the transformed one) becomes the new left half in the process of swapping. After the 16th round the halves are not swapped.

    At the end of 16 rounds, the final permutation is performed only once. This is a simple transposition based on the final permutation table.

    The output of the final permutation is the 64-bit encrypted block.

    Filtering services for Telnet:

    Inbound telnet service (2 marks)

    Outbound telnet service (2 marks)

    Telnet summary (2 marks)

    Outbound Telnet Service:

    In outbound telnet a local client is talking to a remote server. We need to handle both outgoing and incoming packets. The outgoing packets contain the user's keystrokes and have the following characteristics:

    The IP source address of the outgoing packets is the local host's IP address.

    The IP destination address of the outgoing packets is the remote host's IP address.

    Telnet is a TCP-based service, so the IP packet type is TCP.


    The TCP destination port is 23.

    The TCP source port number is some seemingly random number greater than 1023.

    The first outgoing packet, establishing the connection, will not have the ACK bit set; the rest of the outgoing packets will.

    The incoming packets contain the data to be displayed on the user's screen and have the following characteristics:

    The IP source address of the incoming packets is the remote host's IP address.

    The IP destination address is the local host's IP address.

    The IP packet type is TCP.

    The TCP source port is 23. That is the port the server uses.

    The TCP destination port number is the same random number greater than 1023 that we used as the source port for the outgoing packets.

    All incoming packets will have the ACK bit set.

    Inbound Telnet Service: In the inbound telnet service a remote client communicates with a local telnet server. We need to handle both incoming and outgoing packets.


    The incoming packets for the inbound telnet service contain the user's keystrokes and have the following characteristics:

    1) The IP source address of these packets is the remote host's address.

    2) The IP destination address is the local host's address.

    3) The IP packet type is TCP.

    4) The TCP source port is some random port number greater than 1023.

    5) The TCP destination port is 23.

    6) The TCP ACK bit will not be set on the very first inbound packet, which establishes the connection, but it will be set on all other inbound packets.

    The outgoing packets for this inbound telnet service contain the server's responses and have the following characteristics:

    1) The IP source address is the local host's address.

    2) The IP destination address is the remote host's address.

    3) The IP packet type is TCP.

    4) The TCP source port is 23.

    5) The TCP destination port is the same random port Z that was used as the source port for the inbound packets.

    6) The TCP ACK bit will be set on all outgoing packets.

    Telnet Summary:

    1) Rule A allows packets out to remote telnet servers.

    2) Rule B allows the returning packets to come back in because it verifies that the ACK bit is set. Rule B can be abused by an attacker: any packet with the ACK bit set, sent from port 23 on the attacker's end to a port above 1023 on your end, is let through, so an attacker can probe (ACK-scan) internal hosts or attack services listening on high ports. A stateful filter that only admits replies to connections it has already seen going out closes this hole.

    3) Rule C is the default rule. If none of the preceding rules apply, the packet is blocked. Remember from the previous discussion that any blocked packet should be logged, and that it may or may not cause an ICMP message to be returned to the originator.


    The following table illustrates the various types of packets involved in inbound and outbound telnet services:

    Service    Packet     Source    Destination  Packet  Source  Destination  ACK
    direction  direction  address   address      type    port    port         set
    ------------------------------------------------------------------------------
    Outbound   Outgoing   Internal  External     TCP     Y       23           (a)
    Outbound   Incoming   External  Internal     TCP     23      Y            Yes
    Inbound    Incoming   External  Internal     TCP     Z       23           (a)
    Inbound    Outgoing   Internal  External     TCP     23      Z            Yes

    (a) The TCP ACK bit will be set on all but the first of these packets, which establishes the connection.

    Note that Y and Z are both random port numbers above 1023.

    If you want to allow outgoing telnet, but nothing else, you would set up your packet filtering as follows:

    Rule  Direction  Source    Destination  Protocol  Source  Destination  ACK     Action
                     address   address                port    port         set
    ------------------------------------------------------------------------------------
    A     Out        Internal  Any          TCP       >1023   23           Either  Permit
    B     In         Any       Internal     TCP       23      >1023        Yes     Permit
    C     Either     Any       Any          Any       Any     Any          Either  Deny

    Q6.

    a)

    What is a message digest? (1 mark)

    Idea/concept of a message digest. (1 mark)

    Any one of the MD algorithms (MD2/MD4/MD5) (6 marks)

    MD5 Algorithm Description:

    We begin by supposing that we have a 1000-bit message as input, and that we wish to find its message digest. The following five steps are performed to compute the message digest of the message.

    Step 1. Append padding bits

    The message is "padded" (extended) so that its length (in bits) is congruent to 448, modulo 512. That is, the message is extended so that it is just 64 bits short of being a multiple of 512 bits long. Padding is always performed, even if the length of the message is already congruent to 448, modulo 512.

    Padding is performed as follows: a single "1" bit is appended to the message, and then "0" bits are appended so that the length in bits of the padded message becomes congruent to 448, modulo 512. In all, at least one bit and at most 512 bits are appended.

    Step 2. Append length

    A 64-bit representation of b, the length of the original message in bits (1000 here, excluding the padding), is appended to the result of the previous step, as two 32-bit words with the low-order word first. In the unlikely event that b is greater than 2^64, only the low-order 64 bits of b are used.

    At this point the resulting message (that is, message + padding + length) has a length that is an exact multiple of 512 bits. Equivalently, this message has a length that is an exact multiple of 16 (32-bit) words.

  • 8/6/2019 MOdel Ans Patern for Is

    23/30

    Step 3. Divide the Input into 512-bit Blocks

    Now we divide the padded message into blocks, each of length 512 bits.

    Step 4. Initialize MD Buffer / Chaining Variables

    A four-word buffer (A, B, C, D) is used to compute the message digest. Here each of A, B, C, D is a 32-bit register. These registers are initialized to the following values in hexadecimal, low-order bytes first (so, read as little-endian 32-bit words, A = 0x67452301, B = 0xefcdab89, C = 0x98badcfe, D = 0x10325476):

    A: 01 23 45 67
    B: 89 ab cd ef
    C: fe dc ba 98
    D: 76 54 32 10

    Step 5. Process Message in 16-Word Blocks

    5.1: Copy the four chaining variables into four corresponding working variables a, b, c and d. The algorithm treats the combination abcd as a single 128-bit register, which is useful for holding intermediate as well as final results.

    5.2: Divide the current 512-bit block into 16 sub-blocks of 32 bits each.

    5.3: Now we have 4 rounds. In each round, we process all 16 sub-blocks, so there are 64 operations per block. The inputs to each round are:

    1. All 16 sub-blocks, say M[0] to M[15], of 32 bits each.
    2. The variables a, b, c and d, of 32 bits each.
    3. A table of 64 constants, say t[1] to t[64] (t[i] is the integer part of 2^32 * |sin(i)|, with i in radians). Since there are four rounds, 16 of the 64 values of t are used in each round.

    Each of the 64 operations proceeds as follows:

    1. A process P is first performed on b, c and d. This process P is different in each of the four rounds.
    2. The variable a is added to the output of process P.
    3. The message sub-block M[i] is added to the output of step 2. Which sub-block is used at each operation follows a fixed schedule that differs per round.
    4. The constant t[k] is added to the output of step 3.
    5. The output of step 4 is circular-left-shifted by s bits. The value of s changes from operation to operation (four distinct values per round, from a fixed table).
    6. The variable b is added to the output of step 5.
    7. The output of step 6 becomes the new b; the registers are then rotated (new a = old d, new c = old b, new d = old c) before the next operation. All additions are modulo 2^32.

    5.4: After the 64 operations on a block, a, b, c and d are added (modulo 2^32) back into the chaining variables A, B, C and D. The next block starts from these updated values, and after the last block the concatenation A, B, C, D (low-order byte first) is the 128-bit message digest.

    One MD5 Operation (figure): a, b, c, d -> Process P on (b, c, d) -> ADD a -> ADD M[i] -> ADD t[k] -> SHIFT left by s -> ADD b -> new a, b, c, d.

    We define four auxiliary functions, the process P in our context, each of which takes three 32-bit words as input and produces one 32-bit word as output (AND, OR, XOR and NOT are applied bitwise):

    Round 1: F(b, c, d) = (b AND c) OR ((NOT b) AND d)
    Round 2: G(b, c, d) = (b AND d) OR (c AND (NOT d))
    Round 3: H(b, c, d) = b XOR c XOR d
    Round 4: I(b, c, d) = c XOR (b OR (NOT d))
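    The five steps above, carried through in Python as an added worked example (this is not code from the original answer key or from RFC 1321). It implements the padding, the length field, the chaining variables, the 64 operations with the four auxiliary functions and the final fold back into A, B, C, D, and cross-checks the result against the standard library's hashlib implementation. The rotation table and the message-word schedule per round are the published MD5 ones; the 125-byte input stands in for the page's 1000-bit example.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# Per-operation left-rotation amounts s: four values per round, repeated four times.
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4
# t[1..64]: integer part of 2^32 * |sin(i)|, i in radians (index 0 holds t[1]).
T = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]


def rotl32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def md5_pad(message: bytes) -> bytes:
    """Steps 1 and 2: a single 1 bit, 0 bits up to 448 mod 512, then the
    original bit length b as a 64-bit little-endian integer."""
    b = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF     # low-order 64 bits of the length
    padded = message + b"\x80"                      # the "1" bit followed by seven "0" bits
    while len(padded) % 64 != 56:                   # 56 bytes = 448 bits
        padded += b"\x00"
    return padded + struct.pack("<Q", b)


def process_p(round_no: int, b: int, c: int, d: int) -> int:
    """The round-dependent auxiliary function F, G, H or I (bitwise, result masked by caller)."""
    if round_no == 0:
        return (b & c) | (~b & d)
    if round_no == 1:
        return (b & d) | (c & ~d)
    if round_no == 2:
        return b ^ c ^ d
    return c ^ (b | ~d)


def md5(message: bytes) -> bytes:
    padded = md5_pad(message)
    # Step 4: chaining variables; the page's byte sequences read low-order byte first.
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    # Steps 3 and 5: 64 operations per 512-bit block.
    for off in range(0, len(padded), 64):
        M = struct.unpack("<16I", padded[off:off + 64])   # 16 sub-blocks M[0..15]   (5.2)
        a, b, c, d = A, B, C, D                           # working copies            (5.1)
        for i in range(64):
            rnd = i // 16
            # Message-word schedule: which M[k] feeds operation i in each round.
            k = (i, (5 * i + 1) % 16, (3 * i + 5) % 16, (7 * i) % 16)[rnd]
            f = process_p(rnd, b, c, d) & MASK32          # step 1: P(b, c, d)
            tmp = (a + f + M[k] + T[i]) & MASK32          # steps 2-4: add a, M[k], t[k]
            new_b = (b + rotl32(tmp, S[i])) & MASK32      # steps 5-6: rotate by s, add b
            a, b, c, d = d, new_b, b, c                   # step 7: new b, rotate registers
        # 5.4: fold this block's result back into the chaining variables (mod 2^32).
        A, B, C, D = ((A + a) & MASK32, (B + b) & MASK32,
                      (C + c) & MASK32, (D + d) & MASK32)
    return struct.pack("<4I", A, B, C, D)                 # A, B, C, D low-order byte first


def md5_hex(message: bytes) -> str:
    return md5(message).hex()


def matches_hashlib(message: bytes) -> bool:
    """Cross-check against the standard library implementation."""
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    msg = b"x" * 125                                      # 1000 bits, the page's example
    print(len(md5_pad(msg)) * 8, "bits after padding")    # 1536 = 3 blocks of 512 bits
    print(md5_hex(b"abc"), matches_hashlib(msg))
```

    The padding arithmetic from Steps 1 and 2 can be checked directly: the 1000-bit message pads to 1536 bits, an empty message to 512, and a 448-bit message (56 bytes) must pad to 1024 because padding is always applied.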

    Summary:

    The MD5 message-digest algorithm is simple to implement, and provides a "fingerprint" or message digest of a message of arbitrary length. RFC 1321 conjectured that the difficulty of coming up with two messages having the same message digest is on the order of 2^64 operations, and that the difficulty of coming up with any message having a given message digest is on the order of 2^128 operations. The first conjecture has since been disproved: practical collision attacks on MD5 have been public since 2004, and chosen-prefix collisions have later been used to forge X.509 certificates. Preimage resistance has not been practically broken, but MD5 must not be used for digital signatures, certificates or any integrity check where an attacker can influence the input; a current hash such as SHA-256 should be used instead.

    b)

    Views based on the inside and outside attacks : (2 marks)

    Explanation (3 marks)

    Justification/Support points (1 mark)


    c) Digital Signature:

    Definition: (1 mark)

    Techniques: (1 mark)

    The actual working of digital signatures involves the use of a concept called 'message digest' or 'hash'.

    Implementation: (both sender's and receiver's side, with diagram) (4 marks)

    Steps for the process:

    Sender's Side:

    1. If X is the sender, the SHA-1 algorithm is used to first calculate the message digest (MD1) of the original message.
    2. This MD1 is further encrypted using RSA with X's private key. This output is called the Digital Signature (DS) of X. (Real implementations pad the digest, e.g. with PKCS#1 v1.5 or PSS, before the RSA private-key operation rather than signing the bare digest.)
    3. Further, the original message (M) along with the Digital Signature (DS) is sent to the receiver.

    Receiver's Side:

    1. Y thus receives the original message (M) and X's digital signature. Y uses the same message digest algorithm used by X to calculate the message digest (MD2) of the received message (M).
    2. Also, Y uses X's public key to decrypt the digital signature. The outcome of this decryption is nothing but the original message digest (MD1) calculated by X.
    3. Y then compares this digest MD1 with the digest MD2 he has just calculated in step 1. If both of them match, i.e. MD1 = MD2, Y can accept the original message (M) as correctly authenticated and assured to have originated from X; whereas if they are different, the message shall be rejected.

    The scheme is only as strong as the hash: if an attacker can find two messages with the same digest, a signature on one is valid for the other. SHA-1 collisions have been demonstrated in practice (2017), so SHA-256 or stronger should be used for new signatures.
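    The sender's and receiver's steps above, as an added example in Python (not code from the original answer key). It uses textbook RSA on the bare SHA-1 digest exactly as the steps describe, so that MD1 = DS^e mod n is visible; the key is a constructed toy key built from the Mersenne primes 2^107 - 1 and 2^127 - 1, giving a modulus of about 234 bits, which is far too small to be secure and is used only so the example runs instantly. A real implementation generates fresh primes for a 2048-bit or larger modulus, applies PKCS#1 padding, and uses SHA-256 rather than SHA-1.

```python
import hashlib

# Toy RSA key constructed for this example only (NOT secure: modulus ~234 bits).
P = (1 << 107) - 1          # Mersenne prime 2^107 - 1
Q = (1 << 127) - 1          # Mersenne prime 2^127 - 1
N = P * Q
PHI = (P - 1) * (Q - 1)
E = 65537                   # public exponent, coprime to PHI
D = pow(E, -1, PHI)         # private exponent: E * D = 1 (mod PHI), Python 3.8+


def message_digest(message: bytes) -> int:
    """SHA-1 digest as an integer: MD1 on X's side, MD2 on Y's side.
    SHA-1 is used here only because the page does; use SHA-256 for anything real."""
    return int.from_bytes(hashlib.sha1(message).digest(), "big")


def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender X, steps 1-2: DS = MD1^d mod n (bare digest, no padding: demonstration only)."""
    md1 = message_digest(message)
    assert md1 < n, "digest must be smaller than the modulus"
    return pow(md1, d, n)


def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver Y, steps 1-3: recover MD1 = DS^e mod n and compare with a fresh MD2."""
    md1 = pow(signature, e, n)
    md2 = message_digest(message)
    return md1 == md2


def demo() -> dict:
    """Constructed scenario: a genuine message, a tampered message and a tampered signature."""
    original = b"Transfer 100 to account 42"
    ds = sign(original)                              # X sends (original, ds)
    return {
        "genuine": verify(original, ds),
        "tampered_message": verify(b"Transfer 1000 to account 42", ds),
        "tampered_signature": verify(original, ds ^ 1),   # one flipped bit in DS
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:20s} accepted={ok}")
```

    Because RSA with a valid key is a permutation on the residues mod n, any change to the signature changes the recovered MD1 and the comparison fails deterministically; an attacker without d cannot produce a DS for a chosen message without inverting the hash or the RSA operation.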

    Q7.

    Distinguish between the following:

    a) Traditional and Distributed Firewall

    Categories: (Any 5 categories) (5 marks)

    Concept/Definition

    entry point into the network

    prone to attacks

    approach with inside attacks

    secure implementation

    Servers location

    flexibility of operation

    b) Active and Passive attacks:

    Categories: (5 marks)

    Concept/Definition (1 mark)

    Types-its explanation and diagram (4 marks)

    c) Symmetric and asymmetric cryptography:

    Concept/Definition (1 mark)

    8 categories (4 marks)


    S. No. | Characteristic | Symmetric Key Cryptography | Asymmetric Key Cryptography
    1 | Key used for encryption/decryption | The same key is used for encryption and decryption | One key is used for encryption and another, different key is used for decryption
    2 | Key relationship | Ke = Kd | Ke != Kd (the decryption key cannot feasibly be derived from the encryption key)
    3 | Speed of encryption/decryption | Very fast | Slower, typically by orders of magnitude
    4 | Size of resulting encrypted text | Usually the same as the original clear text size (plus an IV and block padding) | Larger than the original clear text; each operation is limited to an input smaller than the modulus
    5 | Key agreement/exchange | A big problem: the shared secret must reach the other party over a secure channel | Much easier: no shared secret is needed, but public keys must still be distributed authentically (e.g. via certificates)
    6 | Number of keys required as compared to the number of participants in the message exchange | About n(n-1)/2 for n participants (roughly the square of the number of participants), so scalability is an issue | One key pair per participant, so it scales well
    7 | Usage | Mainly for encryption and decryption (confidentiality); cannot be used for digital signatures (a MAC gives integrity but not non-repudiation) | Can be used for encryption and decryption (confidentiality) as well as for digital signatures (integrity and non-repudiation checks)
    8 | Efficiency in usage | Symmetric key cryptography is used for long messages (bulk data) | Public key algorithms are efficient only for short messages, such as a symmetric session key or a message digest

    d) Sniffing and Spoofing:


    Packet Sniffing: (concept and levels) (2 marks)

    Packet sniffing is a passive attack on an ongoing conversation. An attacker need not hijack a conversation, but instead can simply observe, i.e. sniff, packets as they pass by. Clearly, to prevent an attacker from learning anything by sniffing packets, the information that is passing needs to be protected in some way.

    This can be done at two levels:

    i. The data that is travelling can be encrypted (e.g. TLS protects the application data end to end).
    ii. The transmission link itself can be encrypted (e.g. an IPsec or VPN tunnel between the two networks).

    Packet Spoofing: (concept and 3 cases) (3 marks)

    In this technique, an attacker sends packets with an incorrect source address. When this happens, the receiver, i.e. the party who receives the packets containing the false source address, would inadvertently send replies back to the forged address (called the spoofed address) and not to the attacker.

    This can lead to three possible cases:

    i. The attacker can intercept the reply. If the attacker is between the destination and the forged source, the attacker can see the reply and use that information for hijacking attacks.
    ii. The attacker need not see the reply. If the attacker's intention was a Denial of Service (DoS) attack, the attacker need not bother about the reply.
    iii. The attacker does not want the reply. The attacker could simply be hostile to some host. So it may put that host's address as the forged source address and send the packet to the destination. The attacker does not want a reply from the destination, as it wants the host with the forged address to receive it and be confused (this is the basis of reflection attacks).
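    What "an incorrect source address" means at the byte level, as an added example that is not part of the original answer key. The block builds and parses an IPv4 header with a forged source; the addresses are constructed from the RFC 5737 documentation ranges and nothing is put on the wire. The point it shows is that the only check in the header, the RFC 791 checksum, is computed by the sender over whatever source address it chose, so a spoofed header validates exactly like a genuine one and the receiver has no way, from the header alone, to know where to reply except the forged field.

```python
import ipaddress
import struct

IPV4_FMT = "!BBHHHBBH4s4s"   # version/IHL, TOS, total length, ID, flags/frag, TTL, proto, csum, src, dst


def ipv4_checksum(header: bytes) -> int:
    """RFC 791: ones'-complement of the ones'-complement sum of the header's 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      ttl: int = 64, ident: int = 0x1234) -> bytes:
    """Build a 20-byte IPv4 header. The source is whatever the caller supplies:
    nothing in the header authenticates it, which is what spoofing exploits."""
    fields = [(4 << 4) | 5, 0, 20 + payload_len, ident, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))   # checksum over csum=0
    return struct.pack(IPV4_FMT, *fields)


def parse_ipv4_header(raw: bytes) -> dict:
    """What a receiver can see: a checksum over a valid header folds to zero."""
    f = struct.unpack(IPV4_FMT, raw[:20])
    return {
        "src": str(ipaddress.IPv4Address(f[8])),
        "dst": str(ipaddress.IPv4Address(f[9])),
        "proto": f[6],
        "ttl": f[5],
        "checksum_ok": ipv4_checksum(raw[:20]) == 0,
    }


# Constructed scenario (RFC 5737 documentation addresses).
ATTACKER = "192.0.2.10"      # real origin of the packet
VICTIM = "203.0.113.5"       # forged (spoofed) source
TARGET = "198.51.100.7"      # receiver of the spoofed packet
ICMP = 1


def spoofed_packet_view() -> dict:
    """The attacker forges VICTIM as source; TARGET validates and replies to the forged field."""
    hdr = build_ipv4_header(src=VICTIM, dst=TARGET, proto=ICMP, payload_len=8)
    seen = parse_ipv4_header(hdr)
    return {
        "checksum_ok": seen["checksum_ok"],
        "receiver_thinks_sender_is": seen["src"],
        "reply_goes_to": seen["src"],         # case i/ii/iii all start from this fact
        "actual_sender": ATTACKER,
    }


if __name__ == "__main__":
    for key, value in spoofed_packet_view().items():
        print(f"{key:28s} {value}")
```

    The three cases on the page differ only in whether the attacker can observe, ignores, or wants to redirect the reply that goes to "reply_goes_to". The practical defence is not in the header but at the network edge: ingress filtering (BCP 38) drops packets whose source address could not legitimately have arrived on that interface.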