NATIONAL INSTITUTE OF

PUBLIC
ADMINISTRATION

NAME: TRYSON SIKANYIKA

STUDENT NUMBER: 28026322

PROGRAM: BACHELOR OF COMPUTER SCIENCE

COURSE: ADVANCED COMPUTER NETWORK SECURITY

COURSE CODE: 408

YEAR OF STUDY: YEAR 4 SEMISTER 2

EMAIL: treymaxsikanyi@gmail.com

LECTURE: YEAR 4 SEMISTER 2

 QUESTION ONE

a) Discuss the practical and security issues associated with transfer of the data in this scenario
using the following three mechanisms:

i. FTP

FTP (File Transfer Protocol) is a network protocol for transmitting files between computers
over Transmission Control Protocol/Internet Protocol (TCP/IP) connections. Within the
TCP/IP suite, FTP is considered an application layer protocol.

✓ One of the biggest advantages of ftp is the security to access the ftp server, we need to login
with the username and password. Therefore, we can say that FTP is more secure,
✓ Speed is also one of the biggest advantages of FTP is speed. The FTP is one of the fastest
way to transfer the files from one computer to another computer.
✓ The disadvantages are that Passwords and file contents are sent in clear text that allows
unwanted eavesdropping. So, it is quite possible that attackers can carry out the brute force
attack by trying to guess the FTP password.
✓ It is not compatible with every system.

ii. Secure Shell (consider both scp and tunneling mode);

Secure Shell or Secure Socket Shell. It is a cryptographic network protocol that allows two
computers to communicate and share the data over an insecure network such as the internet.
It is used to login to a remote server to execute commands and data transfer from one
machine to another machine and it uses three different encryption techniques which are
symmetric, asymmetric and Hashing.

✓ SSH tunneling is a method of transporting arbitrary networking data over an encrypted

SSH connection. It can be used to add encryption to legacy applications. It can also be
used to implement VPNs (Virtual Private Networks) and access intranet services across
firewalls.

iii. Virtual Private Network (VPN).

A virtual private network, or VPN, is an encrypted connection over the Internet from a
device to a network. The encrypted connection helps ensure that sensitive data is safely
transmitted. It prevents unauthorized people from eavesdropping on the traffic and allows the
user to conduct work remotely. The VPN security model provides:
 ✓ Confidentiality such that even if the network traffic is sniffed at the packet level an attacker
would see only encrypted data
✓ Sender authentication to prevent unauthorized users from accessing the VPN
✓ message integrity to detect any instances of tampering with transmitted messages.
b) For EACH of the above, describe a mechanism for automating the transfer without
the need to use a password.
i. Write the script such that it reads a configuration file for its username and password. Keep
the config file in a secure location that can only be accessed by trusted administrators and the
script itself. I tend to use YAML for this, as the format is straightforward and Ruby has
native support for it. Not sure about PHP.
ii. SSH key pairs are only one way to automate authentication without passwords. Using the
Generic Security Service Application Program Interface authentication is also common when
trying to reduce the use of passwords on a network with centralized user management. SSH
key pairs are the easier option to implement when single sign-on (SSO) is not already
available.

C) Make a recommendation for the easiest and most secure mechanism of data transfer,
describing briefly how the mechanism will be implemented
I recommend the FTP because it easy and faster is the most and Security: To access the
FTP server, we need to login with the username and password. Therefore, we can say that
FTP is more secure.

QUESTION TWO

i. Public key (asymmetric) and symmetric encryption.

SSL/TLS uses both asymmetric and symmetric encryption to protect the confidentiality
and integrity of data-in-transit. Asymmetric encryption is used to establish a secure session
between a client and a server, and symmetric encryption is used to exchange data within the
secured session

ii. Message Digest

When sending encrypted data, TLS typically uses a cryptographic hash function to ensure
data integrity. The hash function prevents Charlie from tampering with data that Alice sends
to Bob.A cryptographic hash function is similar to a checksum. The main difference is that
whereas a checksum is designed to detect accidental alterations in data, a cryptographic hash
function is designed to detect deliberate alterations. When data is processed by a
cryptographic hash function, a small string of bits, known as a hash or message digest, is
generated. The slightest change to the message typically makes a large change in the
 resulting hash. A cryptographic hash function does not require a cryptographic key. A hash
function often used with TLS is Secure Hash Algorithm (SHA).

iii. Digitally signed server certificate

A digital certificate is an electronic document issued by a Certificate Authority (CA). It
contains the public key for a digital signature and specifies the identity associated with the
key, such as the name of an organization. The certificate is used to confirm that the public
key belongs to the specific organization is used to verify authenticity, integrity, non-
repudiation while digital certificate is used to verify the identity of the user, maybe sender
or receiver.A digital signature is formed by encrypting a representation of a message. The
encryption uses the private key of the signatory and, for efficiency, usually operates on a
message digest rather than the message itself.

QUESTION THREE (3)

✓ Confidentiality, integrity and availability (CIA), is a conceptual model designed to
guide policies for information security within an organisation. In this context,
confidentiality is a set of rules that limits access to information, integrity is the
assurance that the information is trustworthy and accurate, and availability is a
guarantee of timely and reliable access to the information by authorised users.
Confidentiality is poor. Such pages have no encryption preventing interception of data, although
the password provides a measure of acces security. Integrity is also poor in that there is no
defence from man in the middle attacks and change of the data. Availability is good, as long as
the password is known.
✓ Confidentiality is much better, although has a weakness in that the last hop to the website across
the corporate network is unencrypted, so there remains a vector for attack. Integrity is also better
for the same reason, and a man in the middle attack would have to occur in the company or
involve a breach.Availability is reduced in that now a special tunnel must be created before the
information can be accessed and this is an additional point of failure.
✓ Confidentiality is very good, with SSL providing a good and secure means of
encryption. Integrity is also excellent for the same reason (use of public key
cryptography to share session keys provides authentication and integrity).
However, there is a weakness if a certificate is signed by a compromised key
that the client trusts, allowing a man in the middle attack (e.g. as in the
Diginotar attack). Availability is good, as SSL/TLS is built into the web the information is
probably unencrypted on the corporate network and
vulnerable to a breach within the company. Integrity is good but again suffers
serverand client and does not require additional steps.
✓ Confidentiality is good but no better, in fact, than the VPN solution as, again,
 from the susceptibility to breach and man in the middle attacks that could allow for data to be
modified in transmission. Availability is now very poor,requiring a visit in person to access the
data.

QUESTION FOUR (4)

A cryptographic hash function is an algorithm that takes an arbitrary amount of data input—a
credential—and produces a fixed-size output of enciphered text called a hash value, or just “hash.”
That enciphered text can then be stored instead of the password itself, and later used to verify the
user.
Pre-Image Resistance
✓ This property means that it should be computationally hard to reverse a hash function.
✓ In other words, if a hash function h produced a hash value z, then it should be a difficult process
to find any input value x that hashes to z.
✓ This property protects against an attacker who only has a hash value and is trying to find the input.
Collision Resistance
✓ This property means it should be hard to find two different inputs of any length that result in the
same hash. This property is also referred to as collision free hash function.
✓ In other words, for a hash function h, it is hard to find any two different inputs x and y such that
h(x) = h(y).
✓ Since, hash function is compressing function with fixed hash length, it is impossible for a hash
function not to have collisions. This property of collision free only confirms that these collisions
should be hard to find.
✓ This property makes it very difficult for an attacker to find two input values with the same hash.
✓ Also, if a hash function is collision-resistant then it is second pre-image resistant.