Network Security
QUESTIONS COVERED:
8. With the help of block diagram explain how PGP is used to provide email
security
9. Explain the working of IPsec Architecture with the help of a neat diagram
The information provided by me in this portable document format is for general
informational purposes only. All information here is provided in good faith;
however, I make no representation or warranty of any kind, express or implied,
regarding the accuracy, adequacy, validity, reliability, availability, or
completeness of any information.
- Safwan Rasheed
1. List the advantages of TLS over SSL
Both the SSL protocol and the TLS protocol manage secure communication in a
similar way. However, TLS provides a more secure method for managing
authentication and exchanging messages, using the following features:
• While SSL provides keyed message authentication (an ad hoc hash-with-secret
construction in SSL 3.0), TLS uses the standardized Keyed-Hashing for Message
Authentication Code (HMAC) to ensure that a record cannot be altered during
transmission over an open network such as the Internet.
• TLS defines a pseudorandom function (PRF) that uses two hash algorithms (MD5 and
SHA-1 in TLS 1.0 and 1.1) to generate key data with HMAC. Each hash is applied to a
different half of the secret and the two outputs are XORed, so the derived keys
remain unpredictable as long as at least one of the two algorithms is not broken.
(TLS 1.2 replaced this with a single-hash PRF based on SHA-256, and TLS 1.3 uses
HKDF.)
• While SSL and TLS both provide a message to each node (the Finished message) to
confirm that the exchanged handshake messages were not altered, TLS builds that
message from PRF and HMAC values, which is a more secure authentication method.
• To provide more consistency, the TLS protocol specifies the type of certificate that
must be exchanged between nodes.
• TLS provides more specific alerts about problems with a session and documents
when certain alerts are sent.
• If you are required to have a FIPS 140-2-validated solution, a FIPS mode of
operation is available in Sterling Connect:Direct® for the TLS protocol.
2. DIFFERENTIATE BETWEEN transport mode and tunnel mode
IPsec (both AH and ESP) can be used in two modes:
• Transport mode: the IPsec header is inserted just after the original IP header. It
carries the security information, such as the SA identifier (SPI) and the
authentication or encryption data. Typically used for end-to-end communication
between hosts. The original IP header is not protected by ESP (ESP encrypts and
authenticates only the payload; AH authenticates the header but cannot hide it).
• Tunnel mode: the entire IP packet, header and all, is encapsulated in the body of a
new IP packet with a completely new IP header. Typically used for gateway-to-gateway
(firewall-to-firewall) communication. Provides protection for the whole original IP
packet. Routers along the way are not able (and do not need) to check the content of
the packets; they only see the outer header.
3. List the transfer encodings provided by S/MIME (MIME)
MIME Transfer Encodings
The other major component of the MIME specification, in addition to content type
specification, is a definition of transfer encodings for message bodies. The
objective is to provide reliable delivery across the largest range of environments.
The MIME standard defines two methods of encoding data. The Content-Transfer-Encoding
field can actually take on six values. Three of these values (7bit, 8bit, and binary)
indicate that no encoding has been done but provide some information about the nature
of the data. Another Content-Transfer-Encoding value is x-token, which indicates that
some other encoding scheme is used, for which a name is to be supplied. The two actual
encoding schemes defined are quoted-printable and base64. Two schemes are defined to
provide a choice between a transfer technique that is essentially human readable
(quoted-printable, for mostly-ASCII text) and one that is safe for all types of data
in a way that is reasonably compact (base64, for binary data).
Canonical Form
An important concept in MIME and S/MIME is that of canonical form. Canonical form
is a format, appropriate to the content type, that is standardized for use between
systems. This is in contrast to native form, which is a format that may be peculiar
to a particular system.
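The choice between the transfer encodings above, and the actual encoding and decoding, as an added example written for these notes (not code from any MIME library or from the source text). The decision rule (7bit when the body already satisfies the SMTP line-length and character limits, quoted-printable when it is mostly ASCII, base64 otherwise) is an assumption of this example; the one-third non-ASCII threshold is a common heuristic, not something the standard mandates. The sample bodies are constructed.

```python
import base64
import quopri


def choose_transfer_encoding(body: bytes) -> str:
    """Pick the Content-Transfer-Encoding needed to carry `body` over a 7-bit SMTP path.
    7bit: nothing to do. quoted-printable: mostly-ASCII text, stays human readable.
    base64: binary or heavily non-ASCII data; safe for anything, ~33% larger.
    8bit and binary only label data that was NOT encoded, so they are never chosen."""
    if not body:
        return "7bit"
    eight_bit = sum(1 for b in body if b >= 0x80)
    has_nul = b"\x00" in body
    bare_cr = b"\r" in body.replace(b"\r\n", b"")
    longest = max(len(line) for line in body.split(b"\n"))
    # 7bit means: no octets >= 0x80, no NUL, CR only as part of CRLF, lines <= 998 octets
    if eight_bit == 0 and not has_nul and not bare_cr and longest <= 998:
        return "7bit"
    if has_nul or bare_cr or eight_bit * 3 > len(body):
        return "base64"
    return "quoted-printable"


def encode_body(body: bytes):
    """Return (cte, encoded_bytes); base64 output is folded to 76-character lines."""
    cte = choose_transfer_encoding(body)
    if cte == "base64":
        raw = base64.b64encode(body)
        encoded = b"\n".join(raw[i:i + 76] for i in range(0, len(raw), 76)) + b"\n"
    elif cte == "quoted-printable":
        encoded = quopri.encodestring(body)  # =XX escapes plus soft line breaks ("=\n")
    else:
        encoded = body
    return cte, encoded


def decode_body(cte: str, encoded: bytes) -> bytes:
    """Reverse encode_body. 7bit, 8bit and binary pass through unchanged."""
    if cte == "base64":
        return base64.b64decode(encoded)
    if cte == "quoted-printable":
        return quopri.decodestring(encoded)
    return encoded
```

Note that the encoder sees bytes in canonical form: a text body should already use CRLF line ends and the declared charset before the transfer encoding is chosen, which is exactly the point of the canonical-form paragraph above.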
Kerberos
Two versions of Kerberos have been in use: Version 4 and Version 5. The first
published report on Kerberos listed the following requirements:
Reliable: For all services that rely on Kerberos for access control, lack of
availability of the Kerberos service means lack of availability of the supported
services. Hence, Kerberos should be highly reliable and should employ a distributed
server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking
place, beyond the requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and
servers. This suggests a modular, distributed architecture.
Version 4 was for a long time the most widely used version. Version 5 corrects some
of the security deficiencies of Version 4. Version 5 was first issued as RFC 1510 and
is now specified by RFC 4120, which obsoletes RFC 1510; Version 4 is obsolete and
should not be deployed.
Advantages of Kerberos:
• The two parties mutually authenticate.
• It limits the duration of users' authentication (tickets carry a lifetime).
• Authentications are reusable and durable (a ticket can be reused for its lifetime
without re-entering the password).
• Kerberos has been scrutinized by many of the top programmers, cryptologists and
security experts in the industry.
source: ( https://www.brainkart.com/article/IEEE-802-11i-Wireless-LAN-Security_8486/ )
There are two characteristics of a wired LAN that are not inherent in a wireless LAN.
In order to transmit over a wired LAN, a station must be physically connected to the
LAN. On the other hand, with a wireless LAN, any station within radio range of the
other devices on the LAN can transmit. In a sense, there is a form of authentication
with a wired LAN in that it requires some positive and presumably observable action
to connect a station to a wired LAN.
These differences between wired and wireless LANs suggest the increased need for
robust security services and mechanisms for wireless LANs.
The final form of the 802.11i standard is referred to as Robust Security Network
(RSN). The Wi-Fi Alliance certifies vendors in compliance with the full 802.11i
specification under the WPA2 program.
The 802.11i RSN security specification defines the following services.
• Access control: This function enforces the use of the authentication function,
routes the messages properly, and facilitates key exchange. It can work with a
variety of authentication protocols.
The operation of an IEEE 802.11i RSN can be broken down into five distinct phases
of operation.
• Discovery: An AP uses messages called Beacons and Probe Responses to advertise
its IEEE 802.11i security policy. The STA uses these to identify an AP for a WLAN
with which it wishes to communicate. The STA associates with the AP, which it uses
to select the cipher suite and authentication mechanism when the Beacons and
Probe Responses present a choice.
• Authentication: During this phase, the STA and AS prove their identities to
each other. The AP blocks non-authentication traffic between the STA and AS
until the authentication transaction is successful. The AP does not participate in
the authentication transaction other than forwarding traffic between the STA
and AS.
• Key generation and distribution: The AP and the STA perform several operations
that cause cryptographic keys to be generated and placed on the AP and the STA.
Frames are exchanged between the AP and STA only.
• Protected data transfer: Frames are exchanged between the STA and the end station
through the AP. Secure data transfer occurs between the STA and the AP only;
security is not provided end-to-end, so the traffic is in the clear again on the
wired side of the AP unless a higher-layer protocol (TLS, IPsec) protects it.
• Connection termination: The AP and STA exchange frames. During this phase, the
secure connection is torn down and the connection is restored to the original state.
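The key generation and distribution phase, worked through for WPA2-PSK as an added example written for these notes (not from the 802.11i text above, nor from any supplicant or AP code). It derives the PMK from a passphrase with PBKDF2, expands it into the PTK with the 802.11i PRF during a simulated 4-way handshake, and shows the EAPOL-Key MIC check that makes the AP reject a station holding a different PMK. The EAPOL-Key frames are simplified to nonce-plus-body byte strings rather than full 802.1X encoding, and the MAC addresses and passphrases are constructed. The "password"/"IEEE" PMK in the test is the published IEEE 802.11 Annex test vector.

```python
import hashlib
import hmac
import os


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK mode: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenation of HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), "sha1").digest()
        i += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes):
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    Returns (KCK, KEK, TK), 16 bytes each for CCMP."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 48)
    return ptk[:16], ptk[16:32], ptk[32:48]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """EAPOL-Key MIC for key descriptor version 2 (CCMP): HMAC-SHA1(KCK, frame)[:16],
    computed over the frame with its MIC field zeroed."""
    return hmac.new(kck, frame, "sha1").digest()[:16]


def four_way_handshake(ap_pmk: bytes, sta_pmk: bytes, aa: bytes, spa: bytes, rng=os.urandom):
    """Simulate the four EAPOL-Key messages between AP (authenticator, MAC `aa`) and
    STA (supplicant, MAC `spa`). Returns (success, TK) as seen by the AP."""
    anonce, snonce = rng(32), rng(32)
    # Msg 1 (AP -> STA): ANonce, unauthenticated. The STA can now derive its PTK.
    sta_kck, _, sta_tk = derive_ptk(sta_pmk, aa, spa, anonce, snonce)
    # Msg 2 (STA -> AP): SNonce + RSN IE, MIC computed with the MIC field zeroed.
    msg2 = snonce + b"RSN-IE(sta)" + bytes(16)       # constructed body, 16 zero bytes = MIC field
    msg2_mic = eapol_mic(sta_kck, msg2)
    # AP derives its PTK from SNonce and checks the MIC: a mismatch means the STA
    # holds a different PMK (wrong passphrase), so the handshake stops here.
    ap_kck, _, ap_tk = derive_ptk(ap_pmk, aa, spa, anonce, snonce)
    if not hmac.compare_digest(msg2_mic, eapol_mic(ap_kck, msg2)):
        return False, None
    # Msg 3 (AP -> STA): ANonce again plus the GTK (encrypted under KEK in real frames), with MIC.
    msg3 = anonce + b"RSN-IE(ap)+GTK" + bytes(16)
    if not hmac.compare_digest(eapol_mic(ap_kck, msg3), eapol_mic(sta_kck, msg3)):
        return False, None
    # Msg 4 (STA -> AP): confirmation; both sides then install TK for CCMP.
    msg4 = b"ack" + bytes(16)
    if not hmac.compare_digest(eapol_mic(sta_kck, msg4), eapol_mic(ap_kck, msg4)):
        return False, None
    return True, ap_tk
```

Everything an attacker needs to run the same computation offline (both MAC addresses, both nonces, and the MIC of message 2) travels in the clear; that is why a captured WPA2-PSK handshake can be used to guess passphrases without talking to the AP again, and why the per-frame cost of PBKDF2 matters.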
6. Discuss the requirement of web security
source: ( https://chat.openai.com/)
3. Authorization: Authorization determines what actions or resources a user or entity
can access after successful authentication. Role-based access control (RBAC) and
access control lists (ACLs) are commonly used techniques to enforce proper
authorization and limit unauthorized access to sensitive areas of a website or
application.
4. Data Integrity: Data integrity ensures that data remains unchanged and uncorrupted
during transmission, storage, or processing. Techniques such as data validation,
checksums, and digital signatures help verify the integrity of data and detect any
unauthorized modifications.
9. User Awareness and Training: Educating users about web security best practices,
such as strong passwords, phishing awareness, and safe browsing habits, is vital to
prevent social engineering attacks and mitigate human-related security risks. Regular
security training programs help promote a security-conscious culture.
10. Compliance and Privacy: Web security should align with relevant legal and
regulatory requirements, such as data protection laws (e.g., GDPR) or industry-
specific standards (e.g., PCI DSS for the payment card industry). Ensuring privacy,
safeguarding personal data, and providing transparent privacy policies are essential
aspects of web security.
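The authorization and data-integrity requirements above (items 3 and 4) in one piece of code, as an added example written for these notes rather than taken from the source list. It keeps a role-to-permission table (RBAC) and a session cookie whose role claim is protected by an HMAC, then shows the check that stops the classic attack of editing the role inside the cookie. The roles, permissions and server key are constructed for the example.

```python
import base64
import hmac
import json

# Role -> permissions table (constructed). Anything not listed is denied.
ROLE_PERMISSIONS = {
    "viewer": {"report:read"},
    "editor": {"report:read", "report:write"},
    "admin": {"report:read", "report:write", "report:delete", "user:manage"},
}


def is_authorized(roles, permission: str) -> bool:
    """RBAC check, deny by default: some held role must grant the permission explicitly."""
    return any(permission in ROLE_PERMISSIONS.get(role, set()) for role in roles)


def _b64(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_session(key: bytes, user: str, roles) -> str:
    """Session token = base64(payload) '.' base64(HMAC-SHA256(key, payload)).
    The client can read the roles but cannot change them without the server key."""
    payload = json.dumps({"user": user, "roles": sorted(roles)}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, "sha256").digest()
    return (_b64(payload) + b"." + _b64(tag)).decode()


def parse_session(key: bytes, token: str):
    """Return the payload dict, or None if the token is malformed or the tag fails.
    The tag is verified (constant-time) BEFORE the JSON is parsed or trusted."""
    try:
        payload_b64, tag_b64 = token.encode().split(b".")
        payload, tag = _unb64(payload_b64), _unb64(tag_b64)
    except ValueError:          # wrong number of parts or invalid base64
        return None
    expected = hmac.new(key, payload, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def can(key: bytes, token: str, permission: str) -> bool:
    """One request: authenticate the token, then authorize the action."""
    session = parse_session(key, token)
    return session is not None and is_authorized(session["roles"], permission)


def forge_roles(token: str, roles) -> str:
    """What an attacker tries: rewrite the roles claim and keep the original tag."""
    payload_b64, tag_b64 = token.split(".")
    data = json.loads(_unb64(payload_b64.encode()))
    data["roles"] = sorted(roles)
    forged = json.dumps(data, separators=(",", ":")).encode()
    return _b64(forged).decode() + "." + tag_b64
```

The same pattern (verify the signature, then parse, then apply the permission table) is what a signed JWT or framework session cookie does internally; the failure mode to remember is a server that decodes the payload and reads `roles` before, or instead of, checking the tag.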
source: ( https://www.geeksforgeeks.org/explain-working-of-https/ )
HTTPS stands for HyperText Transfer Protocol Secure. It is the most common
protocol for sending data between a web browser and a website: the secure
variant of HTTP used for communication between the browser and the web server. To
make the data transfer secure, it is encrypted. Encryption is required when
transmitting sensitive information such as passwords or contact details.
HTTPS establishes the communication between the browser and the web server using
the Transport Layer Security (TLS) protocol, the successor to the Secure Sockets
Layer (SSL) protocol. All SSL versions are now deprecated; what browsers actually
negotiate today is TLS 1.2 or TLS 1.3.
HTTPS uses the conventional HTTP protocol and runs it on top of a TLS layer. The
workflow of HTTP and HTTPS remains the same: browsers and servers still talk HTTP
to each other, but over a TLS connection. The TLS connection is responsible for
encrypting and authenticating the data being exchanged, which provides:
• Assurance that the browser is communicating with the intended server (server
authentication through its certificate).
• Assurance that only the communicating systems can read the messages they
exchange, and that any modification in transit is detected.
HTTP transfers data in plain text between the browser and the web server,
whereas HTTPS transfers data in an encrypted form.
Private key: resides on the server side and is controlled by the owner of the
website. It is used during the TLS handshake to prove the server's identity, either
by signing handshake data (ECDHE key exchange) or, in the older RSA key exchange, by
decrypting the pre-master secret that the browser encrypted with the public key. It
must never leave the server.
Public key: distributed to every client inside the server's certificate, which a
certificate authority has signed. The browser uses it to verify the server's identity
and to establish the session keys. The application data itself is then encrypted
with symmetric session keys derived during the handshake, not with the public key.
Advantages of HTTPS
• Secure communication: HTTPS establishes a secure link between the communicating
systems by encrypting the data in transit.
• Data integrity: every TLS record carries a MAC or AEAD authentication tag, so an
attacker who intercepts the traffic can neither read it nor modify it undetected.
(Encryption alone does not provide integrity; the authentication tag does.)
• Privacy and security: HTTPS prevents attackers from passively reading the data
being exchanged, protecting the privacy and security of users.
• Performance: encryption does not make the data smaller, but browsers only enable
HTTP/2 (request multiplexing, header compression) over TLS, so in practice an HTTPS
site is often faster than the same site over plain HTTP.
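The "talks to the required server" guarantee depends entirely on how the client is configured, so here is the secure client configuration beside the weak one, as an added example written for these notes using Python's standard `ssl` and `http.client` modules (not code from the source page). `https_get` performs a real request and therefore needs network access; the two context builders and `describe` run offline.

```python
import http.client
import ssl


def strict_client_context() -> ssl.SSLContext:
    """What a browser does: verify the chain against trusted CAs, match the hostname
    against the certificate, and refuse obsolete protocol versions."""
    ctx = ssl.create_default_context()        # loads the platform's trusted CA store
    ctx.check_hostname = True                 # certificate must be for the host we asked for
    ctx.verify_mode = ssl.CERT_REQUIRED       # no certificate, no connection
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def insecure_client_context() -> ssl.SSLContext:
    """The usual 'make the certificate warning go away' setting. The traffic is still
    encrypted, but ANY server, including a man in the middle, is accepted, so the
    browser-talks-to-the-right-server property is lost."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Summarize the settings that decide whether server authentication happens."""
    return {
        "verifies_chain": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": bool(ctx.check_hostname),
        "min_version": ctx.minimum_version.name,
    }


def https_get(host: str, path: str = "/", ctx=None):
    """Ordinary HTTP request carried inside TLS: the HTTP exchange is unchanged,
    only the transport differs. Returns (status, negotiated TLS version, peer subject).
    Requires network access; hostname and path are whatever the caller supplies."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx or strict_client_context(),
                                       timeout=10)
    conn.request("GET", path, headers={"Host": host})
    resp = conn.getresponse()
    version = conn.sock.version()
    peer = conn.sock.getpeercert().get("subject")   # empty dict with CERT_NONE
    resp.read()
    conn.close()
    return resp.status, version, peer
```

With the insecure context `getpeercert()` returns an empty dictionary: the client never learned who it was talking to, which is exactly the information a man-in-the-middle relies on it ignoring.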
8. With the help of block diagram explain how PGP is used to provide email
security
Following are the steps taken by PGP to create a secure e-mail at the sender's site:
• The e-mail message is hashed using a hash function to create a digest.
• The digest is encrypted with the sender's private key to form a signed digest (the
signature), and the signed digest is appended to the original e-mail message.
• The original message and the signed digest together are encrypted with a one-time
session key created by the sender (a symmetric key).
• The session key is encrypted with the receiver's public key.
• Both the encrypted session key and the encrypted combination of message and signed
digest are sent together.
(Real PGP also compresses the signed message before encrypting it; the steps above
omit compression.)
Following are the steps taken at the receiver's site, showing how PGP uses hashing
and a combination of three keys (the receiver's private key, the one-time session
key and the sender's public key) to recover and verify the original message:
• The receiver receives the encrypted session key together with the encrypted
combination of message and signed digest.
• The encrypted session key is decrypted with the receiver's private key to obtain
the one-time session key.
• The session key is then used to decrypt the combination of message and signed
digest.
• The signed digest is decrypted with the sender's public key to recover the sender's
digest, and the received message is hashed with the same hash function to create a
fresh digest.
• The two digests are compared. If they are equal, the message is authentic (it came
from the holder of the sender's private key) and its integrity is intact; and since
only the receiver could recover the session key, confidentiality was preserved too.
9. Explain the working of IPsec Architecture with the help of a neat diagram
Components of IP Security
It has the following components:
Working of IP Security
The host checks whether an outgoing packet should be protected with IPsec by
consulting its security policy; traffic that matches the policy triggers IPsec
processing, and the sending system applies the appropriate protection (encryption
and/or authentication). Incoming packets are likewise checked by the host to verify
that they were protected the way the policy requires.
IKE Phase 1 then starts, in which the two IPsec hosts authenticate themselves to
each other and set up a secure channel (the IKE SA). IKEv1 offers two modes for this:
Main mode provides greater security (it protects the identities of the peers), while
Aggressive mode lets the hosts establish the IPsec circuit more quickly with fewer
messages.
The channel created in the previous step is then used to securely negotiate how the
IP circuit will protect data.
IKE Phase 2 is conducted over that secure channel: the two hosts negotiate the
cryptographic algorithms to use for the session and agree on the secret keying
material to be used with those algorithms. The result is a pair of IPsec SAs (one
per direction).
Data is then exchanged across the newly created IPsec tunnel; the hosts encrypt and
decrypt the packets using the IPsec SAs.
When the communication between the hosts is complete or the session times out, the
IPsec tunnel is terminated and both hosts discard the keys.
I apologize for any trouble I may have caused over the past 4 years.
-Safwan Rasheed