CIS 534/NETWORK SECURITY

Sabrina Hefied

MID TERM

1) What is a “Brute Force attack”? How is the Brute Force Attack related to the keyspace (the range of possible values of the key)? Why is the issue of the number of bits required in a key to ensure secure encryption controversial?

- A Brute Force Attack is a way of trying to break an encryption algorithm in which every possible key is applied to the encrypted text to determine whether the resulting plaintext is meaningful.

- The larger the keyspace (the range of possible values of the key), the more difficult it is to learn (referred to as breaking) the key in a brute force attack. A certain number of keys must be tried to exhaust all possibilities (a key of length 128 bits gives 2 to the power 128 combinations); this makes the key difficult to discover.

- The more bits there are in a key, the less susceptible the key is to being compromised by a third party.
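As an added illustration (not part of the original answer sheet), the following Python brute-forces a constructed toy XOR cipher with 8-bit and 16-bit keys and then extrapolates the exhaustive-search time to a 128-bit key; the cipher, the sample plaintext and the search rate are all assumed for the demonstration.

```python
# Added example: a constructed toy XOR cipher is brute-forced with 8-bit and 16-bit keys
# to show how the keyspace, 2**key_bits, sets the work an exhaustive search must do.

def toy_encrypt(data: bytes, key: int, key_bits: int) -> bytes:
    """XOR each byte with the repeating key; XOR is its own inverse, so this also decrypts."""
    kb = key.to_bytes((key_bits + 7) // 8, "big")
    return bytes(b ^ kb[i % len(kb)] for i, b in enumerate(data))

def looks_meaningful(candidate: bytes) -> bool:
    """Crude 'is this plaintext' test: only lowercase letters and spaces are accepted."""
    return all(b == 0x20 or 0x61 <= b <= 0x7A for b in candidate)

def brute_force(ciphertext: bytes, key_bits: int):
    """Try every key in the keyspace in order. Returns (key, plaintext, keys_tried)."""
    tries = 0
    for key in range(2 ** key_bits):
        tries += 1
        candidate = toy_encrypt(ciphertext, key, key_bits)
        if looks_meaningful(candidate):
            return key, candidate, tries
    return None, None, tries

def keyspace(key_bits: int) -> int:
    """Number of distinct keys of the given length."""
    return 2 ** key_bits

def years_to_exhaust(key_bits: int, keys_per_second: float) -> float:
    """Time to try the whole keyspace at a given rate, in years."""
    return keyspace(key_bits) / keys_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    msg = b"attack at dawn"                      # constructed sample plaintext
    for bits, key in ((8, 0xA5), (16, 0xBEEF)):  # constructed sample keys
        found, pt, tried = brute_force(toy_encrypt(msg, key, bits), bits)
        print(f"{bits}-bit key: recovered {found:#x} after {tried} of {keyspace(bits)} keys")
    # Assumed rate of one trillion keys per second: the 128-bit keyspace is still out of reach.
    print(f"128-bit key at 1e12 keys/s: {years_to_exhaust(128, 1e12):.2e} years")
```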

2) Very briefly describe the three types of cryptographic functions (symmetric, asymmetric, and hash) that enable authentication, integrity and confidentiality.

Hash: takes an input message of arbitrary length and outputs a fixed-length code. The latter is called the hash or message digest of the original input message. One-way hash functions are typically used to provide a fingerprint of a message or file that can prove the integrity and authenticity of the message.

Symmetric: referred to as secret key encryption; uses a common key and the same cryptographic algorithm to scramble and unscramble a message. If A sends a message to B, they need to agree on the same encryption algorithm to use for encrypting and decrypting data. They also have to agree on a common key (the secret key) to use with their chosen encryption/decryption algorithm.

Asymmetric: referred to as public key encryption. It can use either the same algorithm, or different but complementary algorithms, to scramble and unscramble data.

Two different but related key values are required: a public and a private key. If A and B want to communicate using public key encryption, both will need a public key/private key pair. A has to create a public key/private key pair, and B also has to create a public key/private key pair. A and B exchange their public keys. A writes a message, uses B’s public key to encrypt the message, then sends the encrypted data to B over the Internet. B uses B’s own private key to decrypt the message. B writes a reply, encrypts the reply with A’s public key and sends the encrypted reply over the Internet. Then A uses A’s private key to decrypt the reply.

3) What are the three challenges with secret key encryption?

The three challenges with secret key encryption are:

- Changing the secret keys frequently to avoid the risk of compromising the keys.

- Securely generating the secret keys.

- Securely distributing the secret keys.

4) What are the improvements of 3DES over DES? Why is 3DES with one key used at all?

Triple DES is an alternative to DES that preserves the existing investment in software but makes a brute force attack more difficult. It has the advantage of proven reliability and a longer key length that eliminates many of the shortcut attacks that can be used to reduce the amount of time it takes to break DES. 3DES takes a 64-bit block of data and performs the operations encrypt, decrypt, and encrypt. 3DES can use 1, 2 or 3 different keys.

The reason for using one key is that, with the exception of the additional processing time required, 3DES with one key is the same as standard DES (for backward compatibility).

5) A centralized key distribution model relies on what entity to issue keys?

A centralized key distribution model relies on a trusted third party, the KDC, which issues the session keys to the communicating entities.

6) Which algorithm is commonly used to create secret session keys in a distributed manner?

A common method used to create secret session keys in a distributed manner is the Diffie-Hellman algorithm.
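The exchange named above, as an added example that is not part of the original answer sheet: two parties A and B each pick a private exponent, exchange only the public values, and derive the same session key without the key itself ever crossing the network. The group parameters are assumed to be the 1024-bit MODP prime of RFC 2409 (Oakley group 2) with generator 2, since the page names none; the degenerate-value check is a standard precaution added here.

```python
import hashlib
import secrets

# Group parameters assumed for this example: the 1024-bit MODP prime from RFC 2409
# (Oakley group 2) and generator 2. In practice a standardised group is always used.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def accepts_peer_value(value: int) -> bool:
    """Reject 0, 1 and p-1: an active attacker could inject these to force a known secret."""
    return 1 < value < P - 1

class Party:
    """One endpoint of a Diffie-Hellman exchange (A or B)."""
    def __init__(self, name: str):
        self.name = name
        self._x = secrets.randbelow(P - 3) + 2    # private exponent, never sent
        self.public = pow(G, self._x, P)          # g^x mod p, sent in the clear

    def session_key(self, peer_public: int) -> bytes:
        if not accepts_peer_value(peer_public):
            raise ValueError("invalid peer public value")
        shared = pow(peer_public, self._x, P)     # (g^y)^x = g^(xy) mod p, same on both sides
        # Hash the shared secret down to a fixed-size symmetric session key.
        width = (P.bit_length() + 7) // 8
        return hashlib.sha256(shared.to_bytes(width, "big")).digest()

def run_exchange():
    """Simulate A and B: only a.public and b.public would cross the network."""
    a, b = Party("A"), Party("B")
    return a.session_key(b.public), b.session_key(a.public)

if __name__ == "__main__":
    k_a, k_b = run_exchange()
    print("session keys match:", k_a == k_b, k_a.hex())
```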

7) What transport protocol is commonly used for SSL? Why?

The SSL/TLS (Transport Layer Security) protocol specifies a mechanism for providing data security layered between application protocols (such as HTTP, Telnet, NNTP, or FTP) and TCP/IP. It provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

8) List three things included as part of an IPsec security association (SA).

AH (Authentication header), ESP encryption algorithms and IKE.

9) What is the primary reason for classifying VPNs into access VPNs, Intranet VPNs, and Extranet VPNs?

The primary reason for these three classifications is security variations.

A good security policy details corporate infrastructure and information authentication mechanisms and access privileges, and in many instances these will vary depending on how the corporate resources are accessed. Authentication mechanisms may be much more stringent in access VPNs than for either Intranet or Extranet VPNs.

10) What is NAT? Why is it used and what is its security issue?

NAT is the process of converting one IP address to another IP address, often used to connect networks with a private address space to the Internet. The NAT will translate the unregistered IP addresses into legal IP addresses that are routable in the outside public network. Its issues are:

- When the TCP or UDP checksum is encrypted with ESP, a NAT device cannot compute the TCP or UDP checksum. NAT Traversal defines an additional payload in IKE that sends the original IP addresses so that the checksum can be computed appropriately.

- TCP and UDP headers are not visible with ESP, and thus TCP and UDP port numbers cannot be used to multiplex traffic between different hosts using private network addresses. NAT Traversal encapsulates the ESP packet with a UDP header, and NAT can use the UDP ports in this header to multiplex the IPsec data stream.

- IKE UDP port number change.
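The second issue above, modelled as an added example (not from the original answer sheet): a port-based NAT can only keep a translation entry for packets that expose a transport port, so a raw ESP packet from a private host cannot be mapped back on the return path, while the same ESP packet wrapped in UDP by NAT Traversal can. The Packet and Nat classes, the UDP port 4500 encapsulation and the addresses are all constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Packet:
    proto: str                    # "tcp", "udp" or "esp"
    src: str
    dst: str
    sport: Optional[int] = None   # None for raw ESP: the transport header is encrypted
    dport: Optional[int] = None

class Nat:
    """Simplified port-based NAT: many private hosts share one public address."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}      # (proto, public_port) -> (private_ip, private_port)
        self.reverse = {}    # (proto, private_ip, private_port) -> public_port

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet leaving the private network; None means it cannot be handled."""
        if pkt.sport is None:
            # Raw ESP carries no visible port, so a reply from the Internet could not be
            # matched to the right private host: there is nothing to multiplex on.
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.reverse:
            self.reverse[key] = self.next_port
            self.table[(pkt.proto, self.next_port)] = (pkt.src, pkt.sport)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, pkt.dst, self.reverse[key], pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a reply arriving from the Internet back to the private host."""
        entry = self.table.get((pkt.proto, pkt.dport))
        if entry is None:
            return None                       # no mapping: the NAT drops it
        private_ip, private_port = entry
        return Packet(pkt.proto, pkt.src, private_ip, pkt.sport, private_port)

def nat_traversal_encapsulate(esp: Packet) -> Packet:
    """Model of NAT-T: the ESP packet is carried inside UDP, here on port 4500."""
    return Packet("udp", esp.src, esp.dst, 4500, 4500)

if __name__ == "__main__":
    nat = Nat("203.0.113.1")                            # constructed public address
    raw = Packet("esp", "10.0.0.5", "198.51.100.9")      # constructed private host and peer
    print("raw ESP translated:", nat.outbound(raw))
    print("NAT-T ESP translated:", nat.outbound(nat_traversal_encapsulate(raw)))
```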

11) Security technology protocols are grouped according to their shared attributes of:

- Name and briefly describe one example for each of the above four security technology groups.

a. Identity technologies: Authentication is an extremely critical element because everything is based on who you are. In many corporate networks, you would not grant authorized access to specific parts of the network before establishing who is trying to gain access to restricted resources. Thus, this technology is used to establish identity for a host, an end user, or both. Passwords are used as proof for authenticating a user or device. For instance, a client user may dial into a server; the latter prompts for a PIN or user ID, and the user provides the ID to the server, which then issues a challenge (a random number that appears on the user’s screen). The user enters that challenge number into a token card, which encrypts the challenge with the user’s encryption key and displays a response. The user types this response and sends it to the authentication server. The server receives it and compares that response with the one it has calculated. This is TOKEN PASSWORD AUTHENTICATION.
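The server side of the token-password flow just described, as an added example (not part of the original answer sheet): the server issues a random challenge, the token card turns it into a response with the user’s key, and the server recomputes and compares. HMAC-SHA256 stands in here for the token’s encryption of the challenge, and the user key, the challenge lifetime and the single-use rule are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed sample: the secret shared between alice's token card and the server.
USER_KEYS = {"alice": bytes.fromhex("00112233445566778899aabbccddeeff")}

def token_response(key: bytes, challenge: str) -> str:
    """What the token card displays: a keyed function of the random challenge.
    HMAC-SHA256 is assumed here in place of the token's own encryption step."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()[:8]

class AuthServer:
    def __init__(self, ttl_seconds: float = 60.0):
        self.pending = {}         # user id -> (challenge, time issued)
        self.ttl = ttl_seconds    # a challenge that is answered too late is rejected

    def issue_challenge(self, user_id: str, now: Optional[float] = None) -> str:
        """Step 2 of the flow: after the user ID, send a fresh random challenge."""
        if user_id not in USER_KEYS:
            raise KeyError("unknown user")
        now = time.monotonic() if now is None else now
        challenge = secrets.token_hex(8)      # the random number shown on the user's screen
        self.pending[user_id] = (challenge, now)
        return challenge

    def verify(self, user_id: str, response: str, now: Optional[float] = None) -> bool:
        """Step 4: recompute the expected response and compare in constant time."""
        now = time.monotonic() if now is None else now
        entry = self.pending.pop(user_id, None)   # each challenge may be answered once
        if entry is None:
            return False
        challenge, issued = entry
        if now - issued > self.ttl:
            return False
        expected = token_response(USER_KEYS[user_id], challenge)
        return hmac.compare_digest(expected, response)

if __name__ == "__main__":
    server = AuthServer()
    ch = server.issue_challenge("alice")
    print("challenge:", ch, "accepted:", server.verify("alice", token_response(USER_KEYS["alice"], ch)))
```

A response captured on the line is useless to a replaying party because the next login gets a different challenge, and the popped entry makes even an immediate replay of the same response fail.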

b. Public key infrastructure and distribution models: The use of PKI is to provide trusted and efficient key and certificate management. For example, two entities communicating with a common CA use digital certificates to validate public keys.

Both routers and the CA have a public/private key pair. The router in NY has traffic to send to the router in Paris. The NY router sends a request to the CA to obtain the Paris router’s public key. The CA sends the Paris router’s certificate, signed with its own private key. The NY router verifies the signature with the CA’s public key to validate the Paris router’s public key. The latter sends a request to the CA to obtain the NY router’s public key. The CA sends the NY router’s certificate, signed with its own private key.

The Paris router verifies the signature with the CA’s public key to validate the NY router’s public key. Now both routers have each other’s public key and can use public key encryption to send authenticated, confidential data. (Diffie-Hellman.)

c. Virtual private dial-up security technologies: enable large enterprises to extend their private networks across dial-up lines. Link layer tunneling technologies enable remote sites and users to securely connect to the enterprise infrastructure using local dial-up access to the Internet. One example of a protocol to accomplish this goal is the Layer 2 Forwarding (L2F) protocol. The remote user initiates a PPP connection to an ISP over the PSTN or natively over ISDN. The NAS accepts the connection, and the PPP link is established.

The ISP authenticates the end system or user using CHAP or PAP. The NAS initiates the L2F tunnel to the desired corporate gateway. The latter authenticates the remote user and either accepts or rejects the tunnel. The corporate gateway confirms acceptance of the call and L2F tunnel. The gateway exchanges PPP negotiations with the remote user. End-to-end data is tunneled between the remote user and the corporate gateway.

d. Security in TCP/IP structured layers: The network layer provides hop-by-hop handling of data packets, where intermediary systems in a network, such as routers, could be involved. The data packet is inspected at the IP layer and then forwarded on to the next intermediary system until the final destination is reached.

12) What is a Denial of Service (DoS) attack? Briefly describe three types of common DoS attacks.

A Denial of Service attack is any action that prevents any part of a network or host system from functioning in accordance with its intended purpose. It is a breaking.

There are different types of common DoS attacks:

- Ping of Death: an attack that exploits the fragmentation vulnerability of large ICMP echo request packets. The vulnerability is not restricted to ping; the problem can be exploited by sending any large IP datagram.

- Teardrop: teardrop.c is a program that results in another fragmentation attack. It works by exploiting a reassembly bug with overlapping fragments and causes the targeted system to crash or hang.

- Smurf attack: starts with a perpetrator sending a large number of spoofed ICMP echo requests to broadcast addresses, hoping that these packets will be magnified and sent to the spoofed addresses.
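The two fragmentation attacks above share a detectable signature at the reassembly point: a datagram whose fragments add up to more than the 65535-byte IP maximum (Ping of Death) or fragments whose byte ranges overlap (Teardrop). The following checker, an added example that is not part of the original answer sheet, flags both over a constructed set of fragment records; the Fragment record format and the sample offsets are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_DATAGRAM = 65535     # largest IP datagram a reassembly buffer is sized for

@dataclass
class Fragment:
    src: str
    ident: int           # IP identification field, shared by all fragments of one datagram
    offset: int          # fragment offset in bytes (header value * 8)
    length: int          # payload bytes carried in this fragment
    more: bool           # MF flag: more fragments follow

def check_datagram(frags: List[Fragment]) -> List[str]:
    """Findings for the fragments of one (src, ident) datagram; empty means it looks sane."""
    findings = []
    ordered = sorted(frags, key=lambda f: f.offset)
    # Ping of Death pattern: the reassembled datagram would exceed the IP maximum.
    if max(f.offset + f.length for f in ordered) > MAX_DATAGRAM:
        findings.append("oversize reassembly (Ping of Death pattern)")
    # Teardrop pattern: a fragment starts inside the byte range of an earlier one.
    prev_end = 0
    for f in ordered:
        if f.offset < prev_end:
            findings.append("overlapping fragments (Teardrop pattern)")
            break
        prev_end = f.offset + f.length
    return findings

def scan(fragments: List[Fragment]) -> Dict[Tuple[str, int], List[str]]:
    """Group fragments by (src, ident) and report only the datagrams with findings."""
    groups: Dict[Tuple[str, int], List[Fragment]] = {}
    for f in fragments:
        groups.setdefault((f.src, f.ident), []).append(f)
    report = {}
    for key, frags in groups.items():
        findings = check_datagram(frags)
        if findings:
            report[key] = findings
    return report

if __name__ == "__main__":
    # Constructed samples: a normal 3-fragment datagram and an overlapping pair.
    sample = [Fragment("10.0.0.1", 7, 0, 1480, True), Fragment("10.0.0.1", 7, 1480, 600, False),
              Fragment("10.0.0.3", 3, 0, 36, True), Fragment("10.0.0.3", 3, 24, 12, False)]
    print(scan(sample))
```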
