
UNIT-V

What are the responsibilities of the application layer? Explain in brief.

Ans
The application layer is the top-most layer of the OSI model. It provides services directly to user
applications. It enables the user to access the network. It provides user interfaces and support for
services such as email, remote file access and transfer, shared database management and other
types of distributed information services.
1 File Transfer: It allows a user to access, retrieve and manage files in a remote computer.
2 Mail services: It provides the basis for email forwarding and storage facilities.
3 Directory services: It provides distributed database sources and access for global information
about various objects and services.

In addition, the application layer:

Makes sure that the other party is identified and can be reached.
If appropriate, authenticates either the message sender or receiver or both.
Makes sure that necessary communication resources exist (for example, is there a modem
in the sender's computer?).
Ensures agreement at both ends about error recovery procedures, data integrity, and
privacy.
Determines protocol and data syntax rules at the application level.

It may be convenient to think of the application layer as the high-level set-up services for the
application program or an interactive user.

2

Explain DNS in Internet

Ans

Domain Name System (DNS):
The last client-server application program we discuss has been designed to help other application
programs. To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the
connection of a host to the Internet. However, people prefer to use names instead of numeric
addresses. Therefore, the Internet needs to have a directory system that can map a name to an
address. This is analogous to the telephone network. A telephone network is designed to use
telephone numbers, not names. People can either keep a private file to map a name to the
corresponding telephone number or can call the telephone directory to do so. We discuss how this
directory system in the Internet can map names to IP addresses. Since the Internet is so huge
today, a central directory system cannot hold all the mapping. In addition, if the central computer
fails, the whole communication network will collapse. A better solution is to distribute the
information among many computers in the world. In this method, the host that needs mapping can
contact the closest computer holding the needed information. This method is used by the Domain
Name System (DNS). We first discuss the concepts and ideas behind the DNS. We then describe
the DNS protocol itself.
Figure 1 shows how TCP/IP uses a DNS client and a DNS server to map a name to an address. A
user wants to use a file transfer client to access the corresponding file transfer server running on a
remote host. The user knows only the file transfer server name, such as afilesource.com. However,
the TCP/IP suite needs the IP address of the file transfer server to make the connection. The
following six steps map the host name to an IP address:
1. The user passes the host name to the file transfer client.
2. The file transfer client passes the host name to the DNS client.
3. Each computer, after being booted, knows the address of one DNS server. The
DNS client sends a message to a DNS server with a query that gives the file transfer
server name using the known IP address of the DNS server.
4. The DNS server responds with the IP address of the desired file transfer server.
5. The DNS client passes the IP address to the file transfer client.
6. The file transfer client now uses the received IP address to access the file transfer server.
Note that the purpose of accessing the Internet is to make a connection between the file transfer
client and server, but before this can happen, another connection needs to be made between the
DNS client and DNS server. In other words, we need at least two connections in this case. The
first is for mapping the name to an IP address; the second is for transferring files.

Figure 1: Purpose of DNS


3

Explain RSA algorithm. Also explain its limitation.

Ans

Although there are several asymmetric-key cryptosystems, one of the common public-key
algorithms is the RSA cryptosystem, named for its inventors (Rivest, Shamir, and Adleman).
RSA uses two exponents, e and d, where e is public and d is private. Suppose P is the plaintext and
C is the ciphertext. Alice uses C = P^e mod n to create ciphertext C from plaintext P; Bob uses
P = C^d mod n to retrieve the plaintext sent by Alice. The modulus n, a very large number, is created
during the key generation process.
Procedure
Figure 2 shows the general idea behind the procedure used in RSA. Bob chooses two large prime
numbers, p and q, and calculates n = p*q and φ = (p-1)*(q-1). Bob then selects e and d such that
(e*d) mod φ = 1. Bob advertises e and n to the community as the public key; Bob keeps d as the
private key. Anyone, including Alice, can encrypt a message and send the ciphertext to Bob, using
C = P^e mod n; only Bob can decrypt the message, using P = C^d mod n. An intruder such as Eve
cannot decrypt the message if p and q are very large numbers (she does not know d).
Example:
For the sake of demonstration, let Bob choose 7 and 11 as p and q and calculate n = 7*11 = 77.
The value of φ(n) = (7-1)(11-1), or 60. If he chooses e to be 13, then d is 37. Note that (e*d)
mod 60 = 1.
Now imagine that Alice wants to send the plaintext 5 to Bob. She uses the public exponent 13 to
encrypt 5. This system is not safe because p and q are small.
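The example above carried through in code, as an added illustration that is not part of the notes: key generation with p = 7, q = 11, e = 13, encryption of 5, decryption, and the stated limitation, namely that an n this small is factored at once, which hands the private exponent d to anyone who sees the public key.

```python
# Added example (not from the notes): RSA with the textbook parameters
# p = 7, q = 11, e = 13, and why such small primes are unsafe.
from math import gcd


def rsa_keygen(p, q, e):
    """Return (n, d) for primes p, q and public exponent e.
    phi = (p-1)(q-1); d is the inverse of e modulo phi, so (e*d) mod phi == 1."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)          # modular inverse (Python 3.8+)
    return n, d


def rsa_encrypt(plaintext, e, n):
    """Alice: C = P^e mod n, using Bob's public key (e, n)."""
    return pow(plaintext, e, n)


def rsa_decrypt(ciphertext, d, n):
    """Bob: P = C^d mod n, using his private exponent d."""
    return pow(ciphertext, d, n)


def recover_private_exponent(e, n):
    """The limitation the notes point out: when n is small, anyone can factor
    it by trial division, recompute phi and derive d from the public key alone.
    With real-world moduli (2048 bits and more) this loop is infeasible."""
    for p in range(2, int(n ** 0.5) + 1):
        if n % p == 0:
            q = n // p
            phi = (p - 1) * (q - 1)
            return pow(e, -1, phi)
    return None


if __name__ == "__main__":
    n, d = rsa_keygen(7, 11, 13)            # n = 77, d = 37
    c = rsa_encrypt(5, 13, n)               # 5^13 mod 77 = 26
    print(n, d, c, rsa_decrypt(c, d, n))    # 77 37 26 5
    print(recover_private_exponent(13, n))  # 37: small n gives d away
```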

Figure 2: Encryption, decryption, and key generation in RSA


4

Write short note on electronic mail system.

Ans

Electronic Mail:
Electronic mail (or e-mail) allows users to exchange messages. The nature of this application,
however, is different from other applications discussed so far. In an application such as HTTP or
FTP, the server program is running all the time, waiting for a request from a client. When the
request arrives, the server provides the service. There is a request and there is a response. In the
case of electronic mail, the situation is different. First, e-mail is considered a one-way transaction.
When Alice sends an email to Bob, she may expect a response, but this is not a mandate. Bob may
or may not respond. If he does respond, it is another one-way transaction.
Architecture
To explain the architecture of e-mail, we give a common scenario, as shown in Figure 3.
Another possibility is the case in which Alice or Bob is directly connected to the corresponding
mail server, in which case a LAN or WAN connection is not required, but this variation in the scenario
does not affect our discussion. In the common scenario, the sender and the receiver of the e-mail,
Alice and Bob respectively, are connected via a LAN or a WAN to two mail servers. The
administrator has created one mailbox for each user where the received messages are stored. A
mailbox is part of a server hard drive, a special file with permission restrictions. Only the owner of
the mailbox has access to it. The administrator has also created a queue (spool) to store messages
waiting to be sent.
A simple e-mail from Alice to Bob takes nine different steps, as shown in the figure.
Alice and Bob use three different agents: a user agent (UA), a message transfer agent (MTA),
and a message access agent (MAA).

Figure 3: Common scenario

When Alice needs to send a message to Bob, she runs a UA program to prepare the message and send it to her mail server. The mail server
at her site uses a queue (spool) to store messages waiting to be sent. The message, however, needs
to be sent through the Internet from Alice's site to Bob's site using an MTA. Here two message
transfer agents are needed: one client and one server. Like most client-server programs on the
Internet, the server needs to run all the time because it does not know when a client will ask for a
connection. The client, on the other hand, can be triggered by the system when there is a message
in the queue to be sent. The user agent at Bob's site allows Bob to read the received message.
Bob later uses an MAA client to retrieve the message from an MAA server running on the second
server.

Figure 4: Protocols used in electronic mail


5

Explain substitution cipher with its advantages and disadvantages.

Ans

Substitution Ciphers
A substitution cipher replaces one symbol with another. If the symbols in the plaintext are
alphabetic characters, we replace one character with another. For example, we can replace letter A
with letter D and letter T with letter Z. If the symbols are digits (0 to 9), we can replace 3 with 7
and 2 with 6. Substitution ciphers can be categorized as either monoalphabetic ciphers or
polyalphabetic ciphers.
Monoalphabetic Ciphers In a monoalphabetic cipher, a character (or a symbol) in the plaintext
is always changed to the same character (or symbol) in the ciphertext regardless of its position in
the text. For example, if the algorithm says that letter A in the plaintext is changed to letter D,
every letter A is changed to letter D. In other words, the relationship between letters in the
plaintext and the ciphertext is one-to-one. The simplest monoalphabetic cipher is the additive
cipher (or shift cipher). Assume that the plaintext consists of lowercase letters (a to z), and that
the ciphertext consists of uppercase letters (A to Z). To be able to apply mathematical operations
on the plaintext and ciphertext, we assign numerical values to each letter (lowercase or
uppercase), as shown in Figure 5.

Figure 5: Representation of plaintext and ciphertext characters in modulo 26


In Figure 5 each character (lowercase or uppercase) is assigned an integer in modulo 26. The
secret key between Alice and Bob is also an integer in modulo 26. The encryption algorithm adds
the key to the plaintext character; the decryption algorithm subtracts the key from the ciphertext
character. All operations are done in modulo 26.
A substitution cipher replaces one symbol with another.
In additive cipher, the plaintext, ciphertext, and key are integers in modulo 26.
Historically, additive ciphers are called shift ciphers because the encryption algorithm can be
interpreted as shifting the characters down by key positions and the decryption algorithm as
shifting them up by key positions. Julius Caesar used an additive cipher, with a key of 3, to communicate with his
officers. For this reason, additive ciphers are sometimes referred to as the Caesar cipher.
Example 31.1
Use the additive cipher with key 15 to encrypt the message hello.
Solution
We apply the encryption algorithm to the plaintext, character by character:

h -> 07    (07 + 15) mod 26 = 22 -> W
e -> 04    (04 + 15) mod 26 = 19 -> T
l -> 11    (11 + 15) mod 26 = 00 -> A
l -> 11    (11 + 15) mod 26 = 00 -> A
o -> 14    (14 + 15) mod 26 = 03 -> D

The result is WTAAD. Note that the cipher is monoalphabetic because two instances of the
same plaintext character (l) are encrypted as the same character (A).
Example 31.2
Use the additive cipher with key 15 to decrypt the message WTAAD.
Solution
We apply the decryption algorithm to the ciphertext, character by character:

W -> 22    (22 - 15) mod 26 = 07 -> h
T -> 19    (19 - 15) mod 26 = 04 -> e
A -> 00    (00 - 15) mod 26 = 11 -> l
A -> 00    (00 - 15) mod 26 = 11 -> l
D -> 03    (03 - 15) mod 26 = 14 -> o

The result is hello. Note that the operation is in modulo 26, which means that we need to add 26
to a negative result (for example, -15 becomes 11). Additive ciphers are vulnerable to attacks
using exhaustive key searches (brute-force attacks). The key domain of the additive cipher is very
small; there are only 26 keys. However, one of the keys, zero, is useless (the ciphertext is the same
as the plaintext). This leaves only 25 possible keys. Eve can easily launch a brute-force attack on
the ciphertext.
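The additive cipher of Examples 31.1 and 31.2 in code, as an added illustration that is not part of the notes: encryption and decryption in modulo 26 with the page's key 15 and plaintext hello, plus the exhaustive search over the 25 usable keys that shows why the key domain is too small to offer any protection.

```python
# Added example (not from the notes): the additive (shift) cipher in modulo 26,
# with key 15 and plaintext "hello" as in the notes, plus an exhaustive key
# search over the 25 useful keys to show how small the key domain is.
import string

LOWER = string.ascii_lowercase   # plaintext alphabet  a..z -> 0..25
UPPER = string.ascii_uppercase   # ciphertext alphabet A..Z -> 0..25


def additive_encrypt(plaintext, key):
    """C = (P + key) mod 26, applied character by character."""
    if any(ch not in LOWER for ch in plaintext):
        raise ValueError("plaintext must be lowercase letters a-z only")
    return "".join(UPPER[(LOWER.index(ch) + key) % 26] for ch in plaintext)


def additive_decrypt(ciphertext, key):
    """P = (C - key) mod 26. Python's % already adds 26 to a negative
    intermediate result, so A (0) with key 15 gives (0 - 15) % 26 == 11 == l."""
    if any(ch not in UPPER for ch in ciphertext):
        raise ValueError("ciphertext must be uppercase letters A-Z only")
    return "".join(LOWER[(UPPER.index(ch) - key) % 26] for ch in ciphertext)


def brute_force(ciphertext):
    """Return (key, candidate plaintext) for every key 1..25. Key 0 is skipped
    because it leaves the text unchanged, so 25 trials exhaust the key space;
    whoever reads the list picks the candidate that is readable English."""
    return [(k, additive_decrypt(ciphertext, k)) for k in range(1, 26)]


if __name__ == "__main__":
    c = additive_encrypt("hello", 15)
    print(c, additive_decrypt(c, 15))     # WTAAD hello
    for key, candidate in brute_force(c):
        print(key, candidate)             # key 15 yields hello
```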

Figure 6: An example key for a monoalphabetic substitution cipher


Polyalphabetic Ciphers In a polyalphabetic cipher, each occurrence of a character may have a
different substitute. The relationship of a character in the plaintext to a character in the ciphertext
is one-to-many. For example, a could be enciphered as D at the beginning of the text, but as
N in the middle. Polyalphabetic ciphers have the advantage of hiding the letter frequency of the
underlying language. Eve cannot use single-letter frequency statistics to break the ciphertext.

6

What is the purpose of FTP? What are the FTP transmission modes?

Ans
File Transfer Protocol (FTP) is the standard protocol provided by TCP/IP for copying a file from
one host to another. Although transferring files from one system to another seems simple and
straightforward, some problems must be dealt with first. For example, two systems may use
different file name conventions. Two systems may have different ways to represent data. Two
systems may have different directory structures. All of these problems have been solved by FTP in
a very simple and elegant approach. Although we can transfer files using HTTP, FTP is a better
choice to transfer large files or to transfer files using different formats. Figure 7 shows the
basic model of FTP.

Figure 7: FTP

The client has three components: the user interface, the client control process,
and the client data transfer process. The server has two components: the server control process and
the server data transfer process. The control connection is made between the control processes.
The data connection is made between the data transfer processes. Separation of commands and
data transfer makes FTP more efficient. The control connection uses very simple rules of
communication. We need to transfer only a line of command or a line of response at a time. The
data connection, on the other hand, needs more complex rules due to the variety of data types
transferred.
Transmission Mode
FTP can transfer a file across the data connection using one of the following three transmission
modes: stream mode, block mode, or compressed mode. The stream mode is the default mode;
data are delivered from FTP to TCP as a continuous stream of bytes. In the block mode, data can
be delivered from FTP to TCP in blocks. In this case, each block is preceded by a 3-byte header.
The first byte is called the block descriptor; the next two bytes define the size of the block in
bytes.
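Block-mode framing as described above, as an added example that is not part of the notes: each block gets a 3-byte header (descriptor byte, then a 2-byte big-endian byte count). The descriptor value 64 for "last block" follows RFC 959; the function names and the 4-byte block size are assumptions of this example. The reader checks every length field against the bytes actually present, the check a receiver needs so that a malformed count cannot make it read past the end of the input.

```python
# Added example (not from the notes): framing a file in FTP block mode.
# Each block is preceded by a 3-byte header: one descriptor byte and a
# 2-byte (big-endian) byte count. The EOF descriptor bit is the RFC 959 value;
# everything else here is illustrative.
import struct

EOF = 0x40                      # RFC 959 descriptor bit: this block ends the file
HEADER = struct.Struct("!BH")   # descriptor (1 byte) + count (2 bytes, network order)


def to_blocks(data, block_size=4):
    """Split data into block-mode records; the final block carries EOF."""
    if not 1 <= block_size <= 0xFFFF:
        raise ValueError("block size must fit in the 2-byte count field")
    chunks = [data[i:i + block_size] for i in range(0, len(data), block_size)] or [b""]
    out = bytearray()
    for i, chunk in enumerate(chunks):
        desc = EOF if i == len(chunks) - 1 else 0
        out += HEADER.pack(desc, len(chunk)) + chunk
    return bytes(out)


def from_blocks(stream):
    """Reassemble a file from block-mode records.

    Returns (file_bytes, leftover_bytes). Every count is checked against the
    bytes that really follow it, so a truncated header or an oversized count
    raises ValueError instead of silently reading beyond the buffer."""
    data = bytearray()
    pos = 0
    while True:
        if len(stream) - pos < HEADER.size:
            raise ValueError("truncated block header at offset %d" % pos)
        desc, count = HEADER.unpack_from(stream, pos)
        pos += HEADER.size
        if len(stream) - pos < count:
            raise ValueError("block at offset %d claims %d bytes, only %d remain"
                             % (pos - HEADER.size, count, len(stream) - pos))
        data += stream[pos:pos + count]
        pos += count
        if desc & EOF:
            return bytes(data), stream[pos:]


if __name__ == "__main__":
    framed = to_blocks(b"abcdefghij")    # constructed sample file content
    print(framed.hex())                  # 00000461626364 00000465666768 400002696a
    print(from_blocks(framed))           # (b'abcdefghij', b'')
```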
7

Write short note on WWW and internet.

Ans
World Wide Web
The Web today is a repository of information in which the documents, called web pages, are
distributed all over the world and related documents are linked together. The popularity and
growth of the Web can be related to two terms in the above statement:
distributed and linked. Distribution allows the growth of the Web. Each web server in the world

can add a new web page to the repository and announce it to all Internet users without overloading
a few servers. Linking allows one web page to refer to another web page stored in another server
somewhere else in the world. The linking of web pages was achieved using a concept called
hypertext, which was introduced many years before the advent of the Internet. The idea was to use
a machine that automatically retrieved another document stored in the system when a link to it
appeared in the document. The Web implemented this idea electronically to allow the linked
document to be retrieved when the link was clicked by the user. Today, the term hypertext, coined
to mean linked text documents, has been changed to hypermedia, to show that a web page can be
a text document, an image, an audio file, or a video file.
Architecture
The WWW today is a distributed client-server service, in which a client using a browser can
access a service using a server. However, the service provided is distributed over many locations
called sites. Each site holds one or more web pages. Each web page, however, can contain some
links to other web pages in the same or other sites. In other words, a web page can be simple or
composite. A simple web page has no links to other web pages; a composite web page has one or
more links to other web pages. Each web page is a file with a name and address.

8

With an appropriate example, explain the public key algorithm.

Ans

Asymmetric-Key Ciphers
Asymmetric key cryptography uses two separate keys: one private and one public. If encryption
and decryption are thought of as locking and unlocking padlocks with keys, then the padlock that
is locked with a public key can be unlocked only with the corresponding private key. Figure 8
shows that if Alice locks the padlock with Bob's public key, then only Bob's private key can
unlock it.

Figure 8: Locking and unlocking in asymmetric-key cryptosystem


The figure shows that, unlike symmetric-key cryptography, there are distinctive keys in
asymmetric-key cryptography: a private key and a public key. Although some books use the term
secret key instead of private key, we use the term secret key only for symmetric-key cryptography
and the terms private key and public key for asymmetric-key cryptography. We even use different
symbols to show the three keys. In other words, we want to show that a secret key is not
interchangeable with a private key; there are two different types of secrets.
Asymmetric-key ciphers are sometimes called public-key ciphers.
General Idea
Figure 9 shows the general idea of asymmetric-key cryptography as used for encipherment.

Figure 9: General idea of asymmetric-key cryptosystem


Figure 9 shows several important facts. First, it emphasizes the asymmetric nature of the
cryptosystem. The burden of providing security is mostly on the shoulders of the receiver (Bob, in
this case). Bob needs to create two keys: one private and one public. Bob is responsible for
distributing the public key to the community. This can be done through a public-key distribution
channel. Although this channel is not required to provide secrecy, it must provide authentication
and integrity. Eve should not be able to advertise her public key to the community pretending that
it is Bob's public key. Second, asymmetric-key cryptography means that Bob and Alice cannot use
the same set of keys for two-way communication. Each entity in the community should create its
own private and public keys. Figure 9 shows how Alice can use Bob's public key to send
encrypted messages to Bob. If Bob wants to respond, Alice needs to establish her own private and
public keys. Third, asymmetric-key cryptography means that Bob needs only one private key to
receive all correspondence from anyone in the community, but Alice needs n public keys to
communicate with n entities in the community, one public key for each entity. In other words,
Alice needs a ring of public keys.
Plaintext/Ciphertext
Unlike in symmetric-key cryptography, plaintext and ciphertext in asymmetric-key cryptography
are treated as integers. The message must be encoded as an integer (or a set of integers) before
encryption; the integer (or the set of integers) must be decoded into the message after decryption.
Asymmetric-key cryptography is normally used to encrypt or decrypt small pieces of information,
such as the cipher key for a symmetric-key cryptography. In other words, asymmetric-key
cryptography normally is used for ancillary goals instead of message encipherment. However,
these ancillary goals play a very important role in cryptography today.
Asymmetric-key cryptography is normally used to encrypt or decrypt small pieces of
information.
Encryption/Decryption
Encryption and decryption in asymmetric-key cryptography are mathematical functions applied
over the numbers representing the plaintext and ciphertext. The ciphertext can be thought of as C
= f (Kpublic, P); the plaintext can be thought of as P = g (Kprivate, C). The encryption function f
is used only for encryption; the decryption function g is used only for decryption.
9

Write short note on Firewall.

Ans

FIREWALLS
All previous security measures cannot prevent Eve from sending a harmful message to a system.
To control access to a system we need firewalls. A firewall is a device (usually a router or a
computer) installed between the internal network of an organization and the rest of the Internet. It
is designed to forward some packets and filter (not forward) others. Figure 11 shows a firewall.
For example, a firewall may filter all incoming packets destined for a specific host or a specific
server such as HTTP. A firewall can be used to deny access to a specific host or a specific service
in the organization. A firewall is usually classified as a packet-filter firewall or a proxy-based
firewall.
Packet-Filter Firewall
A firewall can be used as a packet filter. It can forward or block packets based on the information
in the network-layer and transport-layer headers: source and destination IP addresses, source and
destination port addresses, and type of protocol (TCP or UDP). A packet-filter firewall is a router
that uses a filtering table to decide which packets must be discarded (not forwarded). Figure 11
shows an example of a filtering table for this kind of a firewall.

Figure 11: Packet-filter firewall


According to the figure, the following packets are filtered:
1. Incoming packets from network 131.34.0.0 are blocked (security precaution). Note that the *
(asterisk) means any.
2. Incoming packets destined for any internal TELNET server (port 23) are blocked.
3. Incoming packets destined for internal host 194.78.20.8 are blocked. The organization wants
this host for internal use only.
4. Outgoing packets destined for an HTTP server (port 80) are blocked. The organization does not
want employees to browse the Internet.
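The filtering table of Figure 11 as a first-match packet filter, an added example that is not part of the notes. It assumes that "network 131.34.0.0" means the /16 prefix, that rules are tried in order, and that an unmatched packet is forwarded, which is what the notes describe (a default-discard last rule is the safer choice in a real table). The sample packets are constructed.

```python
# Added example (not from the notes): a packet-filter firewall applying the
# filtering table of Figure 11 to IP/TCP/UDP header fields only.
# Assumptions: "131.34.0.0" is a /16, rules are matched in order, and a packet
# that matches no rule is forwarded (the notes' table has no default-deny row).
from ipaddress import ip_address, ip_network

# (direction, source network, destination network, destination port); '*' = any
RULES = [
    ("in",  "131.34.0.0/16", "*",              "*"),  # block a whole source network
    ("in",  "*",             "*",              23),   # block incoming TELNET
    ("in",  "*",             "194.78.20.8/32", "*"),  # host is for internal use only
    ("out", "*",             "*",              80),   # no outbound web browsing
]


def _matches(pattern, value, is_network):
    """'*' matches anything; networks use prefix containment, ports compare equal."""
    if pattern == "*":
        return True
    if is_network:
        return ip_address(value) in ip_network(pattern)
    return value == pattern


def filter_packet(direction, src_ip, dst_ip, dst_port, rules=RULES):
    """Return 'discard' for the first matching rule, else 'forward'."""
    for rdir, rsrc, rdst, rport in rules:
        if (rdir == direction
                and _matches(rsrc, src_ip, True)
                and _matches(rdst, dst_ip, True)
                and _matches(rport, dst_port, False)):
            return "discard"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets: (direction, source, destination, dest port)
    samples = [
        ("in",  "131.34.7.9",  "10.0.0.5",       443),  # rule 1 -> discard
        ("in",  "203.0.113.4", "10.0.0.5",       23),   # rule 2 -> discard
        ("in",  "203.0.113.4", "194.78.20.8",    443),  # rule 3 -> discard
        ("out", "10.0.0.5",    "198.51.100.20",  80),   # rule 4 -> discard
        ("out", "10.0.0.5",    "198.51.100.20",  443),  # no rule -> forward
    ]
    for pkt in samples:
        print(pkt, filter_packet(*pkt))
```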
Proxy Firewall
The packet-filter firewall is based on the information available in the network layer and transport
layer headers (IP and TCP/UDP). However, sometimes we need to filter a message based on the
information available in the message itself (at the application layer). As an example, assume that
an organization wants to implement the following policies regarding its web pages: only those
Internet users who have previously established business relations with the company can have
access; access to other users must be blocked. In this case, a packet-filter firewall is not feasible
because it cannot distinguish between different packets arriving at TCP port 80 (HTTP). Testing
must be done at the application level (using URLs).

Figure 12: Proxy firewall

10

What is DNS? Explain the components of DNS systems.

Ans

DOMAIN NAME SYSTEM (DNS)
The last client-server application program we discuss has been designed to help other application
programs. To identify an entity, TCP/IP protocols use the IP address, which uniquely identifies the
connection of a host to the Internet. However, people prefer to use names instead of numeric
addresses. Therefore, the Internet needs to have a directory system that can map a name to an
address. This is analogous to the telephone network. A telephone network is designed to use
telephone numbers, not names. People can either keep a private file to map a name to the
corresponding telephone number or can call the telephone directory to do so. We discuss how this
directory system in the Internet can map names to IP addresses. Since the Internet is so huge
today, a central directory system cannot hold all the mapping. In addition, if the central computer
fails, the whole communication network will collapse. A better solution is to distribute the
information among many computers in the world. In this method, the host that needs mapping can
contact the closest computer holding the needed information. This method is used by the Domain
Name System (DNS). We first discuss the concepts and ideas behind the DNS. We then describe
the DNS protocol itself.
Figure 13 shows how TCP/IP uses a DNS client and a DNS server to map a name to an address. A
user wants to use a file transfer client to access the corresponding file transfer server running on a
remote host. The user knows only the file transfer server name, such as afilesource.com.

Figure 13: Purpose of DNS


However, the TCP/IP suite needs the IP address of the file transfer server to make the connection.
The following six steps map the host name to an IP address:
1. The user passes the host name to the file transfer client.
2. The file transfer client passes the host name to the DNS client.
3. Each computer, after being booted, knows the address of one DNS server. The DNS client sends
a message to a DNS server with a query that gives the file transfer server name using the known
IP address of the DNS server.
4. The DNS server responds with the IP address of the desired file transfer server.
5. The DNS client passes the IP address to the file transfer client.
6. The file transfer client now uses the received IP address to access the file transfer server.