Upload
others
View
10
Download
0
Embed Size (px)
Citation preview
CS6701 – CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY L T P
C
3 0 0
3
OBJECTIVES:
The student should be made to:
Understand OSI security architecture and classical encryption techniques.
Acquire fundamental knowledge on the concepts of finite fields and number theory.
Understand various block cipher and stream cipher models.
Describe the principles of public key cryptosystems, hash functions and digital signature.
UNIT I INTRODUCTION & NUMBER
THEORY 10
Services, Mechanisms and attacks-the OSI security architecture-Network security model-
Classical Encryption techniques (Symmetric cipher model, substitution techniques, transposition
techniques, steganography).FINITE FIELDS AND NUMBER THEORY: Groups, Rings, Fields-
Modular arithmetic- Euclid‟s algorithm-Finite fields- Polynomial Arithmetic –Prime numbers-
Fermat‟s and Euler‟s theorem- Testing for primality -The Chinese remainder theorem- Discrete
logarithms.
\
UNIT II BLOCK CIPHERS & PUBLIC KEY
CRYPTOGRAPHY 10
Data Encryption Standard-Block cipher principles-block cipher modes of operation-
Advanced Encryption Standard (AES)-Triple DES-Blowfish-RC5 algorithm. Public key
cryptography: Principles of public key cryptosystems-The RSA algorithm-Key management –
Diffie HellmanKeyexchange-Elliptic curve arithmetic-Elliptic curve cryptography.
UNIT III HASH FUNCTIONS AND DIGITAL
SIGNATURES 8
Authentication requirement – Authentication function – MAC – Hash function – Security of
hash function and MAC –MD5 – SHA – HMAC – CMAC – Digital signature and authentication
protocols – DSS – EI Gamal – Schnorr.
UNIT IV SECURITY PRACTICE & SYSTEM
SECURITY 8
Authentication applications – Kerberos – X.509 Authentication services – Internet Firewalls for
Trusted System: Roles of Firewalls – Firewall related terminology- Types of Firewalls – Firewall
designs – SET for E-Commerce Transactions. Intruder – Intrusion detection system – Virus and
related threats – Countermeasures – Firewalls design principles – Trusted systems – Practical
implementation of
cryptography and security.
UNIT V E-MAIL, IP & WEB
SECURITY 9
E-mail Security: Security Services for E-mail-attacks possible through E-mail – establishing
keys privacy-authentication of the source-Message Integrity-Non-repudiation-Pretty Good
Privacy-S/MIME. IPSecurity: Overview of IPSec – IP and IPv6-Authentication Header-
Encapsulation Security Payload (ESP)-Internet Key Exchange (Phases of IKE, ISAKMP/IKE
Encoding). Web Security: SSL/TLS Basic Protocol-computing the keys- client authentication-
PKI as deployed by SSLAttacks fixed in v3- Exportability-Encoding-Secure Electronic
Transaction (SET).
TOTAL: 45
PERIODS
OUTCOMES:
Upon Completion of the course, the students should be able to:
Compare various Cryptographic Techniques
Design Secure applications
Inject secure coding in the developed applications
TEXT BOOKS:
1. William Stallings, Cryptography and Network Security, 6th Edition, Pearson Education,
March 2013. (UNIT I,II,III,IV).
2. Charlie Kaufman, Radia Perlman and Mike Speciner, “Network Security”, Prentice Hall
of India, 2002. (UNIT V).
REFERENCES:
1. Behrouz A. Ferouzan, “Cryptography & Network Security”, Tata Mc Graw Hill, 2007.
2. Man Young Rhee, “Internet Security: Cryptographic Principles”, “Algorithms and
Protocols”, Wiley Publications, 2003.
3. Charles Pfleeger, “Security in Computing”, 4th Edition, Prentice Hall of India, 2006.
4. Ulysess Black, “Internet Security Protocols”, Pearson Education Asia, 2000.
5. Charlie Kaufman and Radia Perlman, Mike Speciner, “Network Security, Second
Edition, Private Communication in Public World”, PHI 2002.
6. Bruce Schneier and Neils Ferguson, “Practical Cryptography”, First Edition, Wiley
Dreamtech India Pvt Ltd, 2003.
7. Douglas R Simson “Cryptography – Theory and practice”, First Edition, CRC Press,
1995.
8. http://nptel.ac.in/.
COURSE OUTCOMES
At the end of course, students will have,
Course Outcome Statement
CO1 An ability to explain the basics of number theory and to compare various encryption
techniques.
CO2 An ability to summarize the functionality of public key cryptography.
CO3 An ability to apply various message authentication functions and secure algorithms.
CO4 An ability to demonstrate different types of security systems and applications.
CO5 An ability to analyze and compare different security mechanisms and services
UNIT I -INTRODUCTION & NUMBER THEORY
Services, Mechanisms and attacks-the OSI security architecture-Network security model-
Classical Encryption techniques (Symmetric cipher model, substitution techniques,
transposition techniques, steganography).FINITE FIELDS AND NUMBER THEORY:
Groups, Rings, Fields-Modular arithmetic- Euclid’s algorithm-Finite fields- Polynomial
Arithmetic –Prime numbers-Fermat’s and Euler’s theorem- Testing for primarily -The
Chinese remainder theorem- Discrete logarithms.
PART-A
1. What is Cryptology? (R)
Cryptology is the study of secure communications, which encompasses both
cryptography and cryptanalysis.
2. Define Cryptography. (R)
The branch of cryptology dealing with the design of algorithms for encryption and
decryption,
intended to ensure the secrecy and/or authenticity of messages.
3. Define Cryptanalysis. (R)
The branch of cryptology dealing with the breaking of a cipher to recover information, or
forging encrypted information that will be accepted as authentic.
4. What is Plain text? (U)
An original message is known as the plaintext (Readable format)
5. What is Cipher Text? (U)
Coded message is called the Cipher Text.(Unreadable format)
6. What is Key? (U)
A sequence of symbols that controls the operation of a cryptographic transformation. A
key is normally a string of bits used by a cryptographic algorithm to transform plain text into
cipher text or vice versa. The key should be the only part of the algorithm that it is necessary
to keep secret.
7. What is Symmetric Cryptography? (U)
Symmetric cryptography uses a single private key to both encrypt and decrypt data.
Examples:
AES/Rijndael ,Blowfish,CAST5,DES,IDEA,RC2,RC4,RC6,Serpent,Triple DES, Two
fish
8. What is Asymmetric Cryptography? (U)
Asymmetric cryptography or public-key cryptography is cryptography in which a pair of
keys is used to encrypt and decrypt a message .The keys used are public and private key.
Examples: RSA,DSA, PGP
9. Define Stream cipher. (R)
Processes the input stream continuously and producing one element at a time.
Example: caeser cipher.
10. Define Block cipher. (R)
Processes the input one block of elements at a time producing an output block for each
input block.
Example: DES.
11. What is Passive attack? (U)
Monitoring the message during transmission.
Example: Interception
12. What is Active attack? (U)
Modification of data stream or creation of false data stream.
Example: Fabrication, Modification, and Interruption
13. Differentiate active and passive attacks. (AN) (April / May 2019)
Basis for
Comparison
Active Attack Passive Attack
Basic Active attack tries to change
the system resources or affect
their operation.
Passive attack tries to read or make use of
information from the system but does not
influence system resources.
Modification in
the information
Occurs does not take place
Harm to the
system
Always causes damage to the
system.
Do not cause any harm.
Threat to Integrity and availability Confidentiality
Attack awareness The entity (victim) gets
informed about the attack.
The entity is unaware of the attack.
Task performed
by the attacker
The transmission is captured
by physically controlling the
portion of a link.
Just need to observe the transmission.
Emphasis is on Detection Prevention
14. List the different Types of Ciphers. (R)
Shift Ciphers.
Affine Ciphers
Vigenere Cipher
Substitution Ciphers
Sherlock Holmes
Playfair and ADFGX Ciphers
Block ciphers
15. Write short notes Congruence. (R)
Let a, b, n be integers with n≠0. We say that a ≡ b (mod n), if a-b is a multiple of n.
16. Write short notes Chinese Remainder Theorem. (R)
Suppose gcd(m,n)=1.Given integers a and b, there exists exactly one solution x(mod mn)
to the simultaneous congruence x ≡ a(mod n) , x ≡ b(mod n).
17. Write short notes Modular Exponentiation. (R)
Modular exponentiation is of the form xa (mod n).
18. Write short notes Fermat’s Little Theorem. (R) (April/May 2017, Nov/Dec 2017)
If p is a prime and p does not divide a, then ap-1
≡ 1 (mod p)
19. Write short notes Euler’s Theorem. (R) (April/May 2018)
If gcd(a,n)=1, then aΦ(n)
≡ 1(mod n)
20. Define integrity and nonrepudiation. (R)
Integrity:
Service that ensures that only authorized person able to modify the message.
Nonrepudiation:
This service helps to prove that the person who denies the transaction is true or false.
21. Define confidentiality and authentication. (R)
Confidentiality:
It means how to maintain the secrecy of message. It ensures that the information in a
computer system and transmitted information are accessible only for reading by
authorized person.
Authentication:
It helps to prove that the source entity only has involved the transaction.
22. What is Discrete Logarithms? (R)
Discrete logarithms are fundamental to a number of public-key algorithms, including
Diffie Hellman key exchange and the digital signature algorithm.
23. List the approaches of Computing Discrete Logarithms. (R)
Pohlig Hellman Algorithm
Baby-step Giant-step
Index calculus algorithm
24. Define security mechanism. (U)
It is process that is designed to detect prevent, recover from a security attack.
Example: Encryption algorithm, Digital signature, Authentication protocols.
25. Specify the four categories of security threads. (R)
Interruption
Interception
Modification
Fabrication
26. Differentiate active and passive attacks. (AN) (April / May 2016) (Nov/Dec 2016)
Passive Attack:
Monitoring the message during transmission.
Eg: Interception
Active attack:
It involves the modification of data stream or creation of false data stream.
E.g.: Fabrication, Modification, and Interruption
27. Differentiate symmetric and asymmetric encryption. (AN)
Symmetric Encryption:
It is a form of cryptosystem in which encryption and decryption performed using
the same key. Eg: DES, AES
Asymmetric Encryption:
It is a form of cryptosystem in which encryption and decryption performed using
two keys. Eg: RSA, ECC
28. Compare stream cipher with block cipher with example. (AN) (April/May 2016)
Stream Cipher:
Processes the input stream continuously and producing one element at a time.
Example: caeser cipher.
Block cipher:
Processes the input one block of elements at a time producing an output block for
each input block.
Example: DES.
29. Differentiate unconditionally secured and computationally secured. (AN)
An Encryption Algorithm is unconditionally secured means that the condition is if the
cipher text generated by the encryption scheme doesn‟t contain enough information to
determine corresponding plaintext.
Encryption is computationally secured means,
1. The cost of breaking the cipher exceed the value of enough information.
2. Time required to break the cipher exceed the useful lifetime of information.
30. Define steganography. (R)
Hiding the message into some cover media. It conceals the existence of a message.
31. Why network need security? (U)
When systems are connected through the network, attacks are possible during
Transmission time.
32. Define Encryption. (R)
The process of converting from plaintext to cipher text.
33. Specify the components of encryption algorithm. (R) (April/May 2019)
1. Plaintext
2. Encryption algorithm
3. Secret key
4. Cipher text
5. Decryption algorithm
34. What are the design parameters of Feistel cipher network? (R)
Block size
Key size
Number of Rounds
Subkey generation algorithm
Round function
Fast software Encryption/Decryption
Ease of analysis
35. Define Product cipher. (R)
It means two or more basic cipher are combined and it produce the resultant cipher is
called the product cipher.
36. Explain Avalanche effect. (U)
A desirable property of any encryption algorithm is that a small change in either the
plaintext or the key produces a significant change in the ciphertext. In particular, a change in
one bit of the plaintext or one bit of the key should produce a change in many bits of the
ciphertext. If the change is small, this might provider a way to reduce the size of the plaintext
or key space to be searched.
37. Give the five modes of operation of Block cipher. (R)
1. Electronic Codebook(ECB)
2. Cipher Block Chaining(CBC)
3. Cipher Feedback(CFB)
4. Output Feedback(OFB)
5. Counter(CTR)
38. State advantages of counter mode. (U)
1. Hardware Efficiency
2. Software Efficiency
3. Preprocessing
4. Random Access
5. Provable Security
6. Simplicity.
39. Define Diffusion & confusion. (R)
Diffusion:
It means each plaintext digits affect the values of many ciphertext digits which is
equivalent to each ciphertext digit is affected by many plaintext digits. It can be achieved by
performing permutation on the data. It is the relationship between the plaintext and ciphertext.
Confusion:
It can be achieved by substitution algorithm. It is the relationship between ciphertext and
key.
40. Define Multiple Encryption. (R)
It is a technique in which the encryption is used multiple times.
Example: Double DES, Triple DES
41. Specify the design criteria of block cipher. (U)
Number of rounds
Design of the function F
Key scheduling
42. Find gcd (1970, 1066) using Euclid's algorithm. (A) (Nov/Dec 2016)
Euclid’s Algorithm to find gcd(a,b):
GCD(a,b) = GCD(b, a mod b)
Euclid's Algorithm to compute GCD (a, b):
A=a, B=b
while B>0
R = A mod B
A = B, B = R
return A
Therefore, gcd(1970, 1066) = gcd(1066, 1970 mod 1066) = gcd(1066, 904) = 904.
43. Determine GCD of (24140,16762) using Euclid's algorithm. (A) (April/May 2017)
Step 1. Divide the larger number by the smaller one:24,140 ÷ 16,762 = 1 + 7,378;
Step 2. Divide the smaller number by the above operation's remainder:16,762 ÷ 7,378 = 2
+ 2,006;
Step 3. Divide the remainder from the step 1 by the remainder from the step 2:7,378 ÷
2,006 = 3 + 1,360;
Step 4. Divide the remainder from the step 2 by the remainder from the step 3:2,006 ÷
1,360 = 1 + 646; Step 5. Divide the remainder from the step 3 by the remainder from the
step 4:1,360 ÷ 646 = 2 + 68; Step 6. Divide the remainder from the step 4 by the
remainder from the step 5:646 ÷ 68 = 9 + 34;
Step 7. Divide the remainder from the step 5 by the remainder from the step 6:68 ÷ 34 = 2
+ 0; At this step, the remainder is zero, so we stop:
34 is the number we were looking for, the last remainder that is not zero.
This is the greatest common factor (divisor).
Greatest (highest) common factor (divisor)
gcf, gcd (24,140; 16,762) = 34 = 2 × 17;
44. Why is asymmetric cryptography bad for huge data? Specify the reason.
(U) (April/May 2018)
There are two main reasons why asymmetric cryptography is practically never used to
directly
encrypt significant amount of data:
1) Size of cryptogram
2) Performance
45. Calculate the cipher test for the following using one time pad cipher. (A) (Nov/Dec
2018)
Plain Text: ROCK Keyword: BOTS
17 (R) 14 (O) 2 (C) 10 (K) -> Plain Text
1 (B) 14 (O) 19 (T) 18 (S) -> Key
18 28 21 28 -> Plain Text + Key
18 (S) 2 (C) 21 (V) 2 (C) -> (Plain Text+Key) mod 26
Cipher Text: SCVC
PART-B
1. What are the different types of attacks? Explain. (8) (U) (Dec - 2013)
2. Explain the OSI security architecture along with the services available. (R) (Nov/Dec 2009)
3. (i) Explain OSI Security Architecture model with neat diagram.(8) (R)
(ii) Describe the various security mechanisms. (8)(U) (Nov/Dec 2016)
4. Explain the network security model and its important parameters with a neat block diagram.
(April/May 2019)
5. With a neat structure of classical Feistel network, indicate the parameters and design features
which are essential for the exact realization of the network. (U) (May/June 2007)
6. Discuss any four substitution cipher encryption methods and list their merits and demerits.
(U)
(May/June 2008) (May/June 2014)(April/May
2016)
7. Explain any all types of cipher techniques in detail. (U) (June 2012) (Dec 2012)
8. Discuss the classical cryptosystem and its types. (U) (May 2011) (June 2013)
9. Explain the play fair cipher with an example. (U) (Nov/Dec 2009)
10. Solve using playfair cipher method. Encrypt the word “Semester Result” with the keyword
“Examination”. Discuss the rules to be followed. (A) (April/May 2019)
11. Discuss briefly about differential and linear cryptanalysis. (U) (May/June 2010)
12. Explain placement of encryption function. (U)
13. Discuss briefly about traffic confidentiality. (U)
14. Perform Encryption and Decryption using Hill Cipher for the following Message: PEN and
Key: ACTIVATED (A) (Nov/Dec 2018)
15. Explain classical encryption techniques with symmetric cipher and Hill cipher model.
(U) (April/May 2018)
16. (i) Whatis steganography? Describe the various techniques used in steganography. (7)
(ii) What is monoalphabetic cipher? Examine how it differs from Caesar cipher. (6)
(April/May 2019)
17. Solve gcd(98,56) using Extended Euclidean Algorithm. Write the algorithm also. (A)
(Nov/Dec 2018)
18. Explain Fermat‟s & Euler‟s theorem. (U)
(Dec 2012) (June 2013) (Dec - 2013) (April/May 2016)
19. Find 3 21
mod 11 using fermat‟s theorem.(6) (A) (Dec - 2013)
20. Describe LFSR & finite field with their application in cryptography. (16) (U) (June – 2014)
21. Explain Discrete logarithms in detail. (U)
22. Explain Euler‟s & Chinese Remainder theorem. (U) (May 2011)(June 2012) (Dec - 2013)
23. How is discrete logarithm evaluated for a number? What is the role of discrete logarithms in
the Diffie Hellman key exchange in exchanging the secret key among two users? (E)
(May/June
2008)
24. (a) State Chinese Remainder theorem and find X for the given set of congruent
equations
using CRT. (8) (A)
X = 2(mod 3)
X = 3(mod 5)
X = 2(mod 7).
(b) State and prove Fermat's theorem. (8) (U) (Nov/Dec 2016)
25. State Chinese Remainder theorem and find X for the given set of congruent equations
using CRT. (8) (A) (April/May 2017)
X = 1(mod 5)
X = 2(mod 7)
X = 3(mod 9)
X = 4(mod 11)
26. Describe (U) (April/May 2017)
i. Play Fair Cipher
ii. Railfence Cipher
iii. Vignere Cipher
Encrypt the following using play fair cipher using the keyword MONARCHY.”SWARAJ
IS MY BIRTH RIGHT”. Use X for blank spaces. (A) (Nov/Dec 2017)
27. Discuss the properties that are to be satisfied by Groups, Rings and Fields. (U)
(Nov/Dec
2017)
28. State and prove the Chinese remainder Theorem. What are the last two digits of 4919
?
(A)
(April/May 2018)
UNIT II - BLOCK CIPHERS & PUBLIC KEY CRYPTOGRAPHY
Data Encryption Standard-Block cipher principles-block cipher modes of operation-
Advanced Encryption Standard (AES)- Triple DES-Blowfish-RC5 algorithm. Public key
cryptography: Principles of public key cryptosystems-The RSA algorithm-Key
management - Diffie Hellman Key exchange- Elliptic curve arithmetic-Elliptic curve
cryptography.
PART A
1. What is the difference between differential and linear cryptanalysis? (A)
In differential cryptanalysis, it breaks the DES in less 255 complexities. In cryptanalysis,
it
finds the DES key given 247 plaintexts.
2. Define product cipher. (R)
Product cipher performs two or more basic ciphers in sequence in such a way that the
final result or product is crypto logically stronger than any of the component ciphers.
3. What was the original set of criteria used by NIST to evaluate candidate AES cipher?
(R)
The original set of criteria used by NIST to evaluate candidate AES cipher was:
Security
Actual Security
Randomness
Soundness
Other security factors
Cost
Licensing Requirements
Computational Efficiency
Memory Requirements
Algorithm And Implementation Characteristics
Flexibility
Hardware and software suitability
Simplicity
4. What was the final set of criteria used by NIST to evaluate candidate AES ciphers? (R)
The final set of criteria used by NIST to evaluate candidate AES ciphers are:
General Security
Software Implementations
Restricted-Space Environments
Hardware Implementations
Attacks On Implementations
Encryption vs. Decryption
Key Agility
Other Versatility and Flexibility
Potential for Instruction-Level Parallelism
5. What is Power Analysis? (R)
Power Analysis is the power consumed by the smart card at any particular time during
the cryptographic operation is related to the instruction being executed and to the data being
processed. Example: Multiplication consumes more power than addition and writing 1s
consumes more power than writing 0s.
6. What is the purpose of the State Array? (U)
A single 128-bit block is depicted as a square matrix of bytes. This block is copied into
the State array, which is modified at each stage of encryption or decryption. After the final stage,
State is copied to an output matrix.
7. How is the S-box constructed? (U)
The S-box is constructed in the following fashion:
Initialize the S-box with the byte values in ascending sequence row by row.
The first row contains {00}, {01}, {02}, ……….., {0F};
The second row contains {10},{11},etc; and so on. Thus, the value of the byte at row x,
column y is {x y}.
Map each byte in the S-box to its multiplicative inverse in the finite field GF (28); the
value {00} is mapped to itself.
Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1,
b0).
Apply the transformation to each bit of each byte in the S-box.
8. Briefly describe Sub Bytes. (U)
Sub byte uses an S-box to perform a byte-by-byte substitution of the block. The left most
4 bits of the byte are used as row value and the rightmost 4 bits are used as a column value.
These row and column values serve as indexes into the S-box to select a unique 8-bit value.
9. Briefly describe Shift Rows. (U)
In shift row, a row shift moves an individual byte from one column to another, which is a
linear distance of a multiple of 4 bytes. In Forward Shift Row, each row perform circular left
shift. Second Row a 1-byte circular left shift is performed. Third Row a 2-byte circular left shift
is performed. For the Fourth Row a 3-byte circular left shift is performed. In Inverse Shift Row,
each row perform circular right shift.
10. How many bytes in State are affected by Shift Rows?(R)
Totally 6-bytes in state are affected by Shift Rows.
11. Briefly describe Mix Columns. (U)
Mix Column is substitution that makes use of arithmetic over GF(28).Mix Column
operates on each column individually. Each byte of a column is mapped into a new value that is
a function of all four bytes in the column. The Mix Column Transformation combined with the
shift row transformation ensures that after a few rounds, all output bits depend on all input bits.
12. Briefly describe Add Round Key. (U)
In Add Round Key, the 128 bits of State are bit wise XORed with the 128 bits of the
round key. The operation is viewed as a column wise operation between the 4 bytes of a State
column and one word of the round key; it can also be viewed as a byte-level operation. The Add
Round Key transformation is as simple as possible and affects every bit of State.
13. Briefly describe the Key Expansion Algorithm. (U)
The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a
linear array of 44 words(156 bytes). This is sufficient to provide a 4-word round key for the
initial Add Round Key stage and each of the 10 rounds of the cipher.
14. What is the difference between Sub Bytes and Sub Word? (AN)
Sub Bytes:
Sub Bytes uses an S-box to perform a byte-by-byte substitution of the block.
Sub Word:
Sub Word performs a byte substitution on each byte of its input word, using the S-
box.
15. What is the difference between Shift Rows and Rot Word? (AN)
Shift Rows: Shift Row is simple permutation. It shifts the rows circularly left or right.
Rot Word: Rot word performs a one-byte circular left shift on a word. This means that
an input word [b0,b1,b2,b3] is transformed into [b1,b2,b3,b0].
16. Why do some block cipher modes of operation only use encryption while others use
both
encryption and decryption? (AN)
Some block cipher modes of operation only use encryption because the input is set to
some initialization vector and the leftmost bits of the output of the encryption function are
„XOR‟ed with the first segment of plain text p1 to produce the first unit of cipher text C1 and it
is transmitted. While in decryption, the cipher text is XORed with the output of the encryption
function to produce the plain text.
17. What is triple encryption? (U)
Tuchman proposed a triple encryption method that uses only two keys [TUCH79]. The
function follows an encrypt – decrypt – encrypt (EDE) sequence. C=Ek1 [Dk2[Ek1[P]]] There is
no cryptographic significance to the use of decryption for the second stage. Its only advantage is
that it allows users of 3DES to decrypt data encrypted by users of the older single DES:
C=Ek1[Dk2[Ek1[P]]] = Ek1[P].
18. What is a meet-in-the-middle attack? (U)
Meet-in-the-middle attack, was first described in [DIFF77]. It is based on the observation
that, if we have C=Ek2[Ek1[P]] Then X=Ek1[P]=Dk2[C].
Given a known pair, (P,C), the attack proceeds as follows. First, encrypt P for all 256
possible values of K1. Store these results in a table and then sort the table by the values of X.
Next, decrypt C using all 256 possible values of K2. As each decryption is produced, check the
result against the table for a match. If a match occurs, then test the two resulting keys against a
new known plaintext-ciphertext pair. If the two keys produce the correct ciphertext, accept them
as the correct keys.
19. How many keys are used in triple encryption? (R)
Tuchman proposed a triple encryption method that uses only two keys [TUCH79].
20. List the parameters (block size, key size, number of rounds)for three AES versions. (R)
(April/May 2018)
Version Number of
rounds
Number of
round keys
AES-128 10 11
AES-192 12 13
AES-256 14 15
21. Compare DES and AES. (AN) (Nov/Dec 2018)
AES DES
AES stands for Advanced Encryption Standard DES stands for Data Encryption
Standard
Key length can be of 128-bits, 192-bits and
256-bits.
Key length is 56 bits in DES.
Number of rounds depends on key length :
10(128-bits), 12(192-bits) or 14(256-bits)
DES involves 16 rounds of identical
operations
The structure is based on substitution-
permutation network.
The structure is based in feistal network.
AES is more secure than the DES cipher and is
the de facto world standard.
DES can be broken easily as it has
known vulnerabilities. 3DES(Triple
DES) is a variation of DES which is
secure than the usual DES.
The rounds in AES are : Byte Substitution,
Shift Row, Mix Column and Key Addition
The rounds in DES are : Expansion,
XOR operation with round key,
Substitution and Permutation
AES can encrypt 128 bits of plaintext. DES can encrypt 64 bits of plaintext.
AES cipher is derived from square cipher. DES cipher is derived from Lucifer
cipher.
AES was designed by Vincent Rijmen and
Joan Daemen.
DES was designed by IBM.
No known crypt-analytical attacks against AES
but side channel attacks against AES
implementations possible. Biclique attack have
better complexity than brute-force but still
ineffective.
Known attacks against DES include :
Brute-force, Linear crypt-analysis and
Differential crypt-analysis.
22. Brief the strengths of triple DES. (U) (Nov/Dec 2016)
Triple DES provides a relatively simple method of increasing the key size of DES to
protect
against such attacks, without the need to design a completely new block cipher algorithm.
23. What is the key size for Blowfish? (R)
Blowfish makes use of a key that ranges from 32 bits to 448 bits (one to fourteen 32-bit
words). That key is used to generate 18 32-bit subkeys and four 8*32 S-boxes containing a total
of 1024 32-bit entries. The total is 1042 32-bit values, or 4168 bytes.
24. What are the primitive operations used in Blowfish? (R)
Blowfish uses two primitive operations:
Addition: Addition of words, denoted by +, is performed modulo 232.
Bit wise exclusive-OR:
25. What are the common mathematical constants used in RC5? (R)
W :Word size in bits. RC5 encrypts 2-word blocks. 16, 32,64 r: Number of rounds.
0,1,….,255 B Number of 8-bit bytes (octets) in the secret key K. 0,1,….,255
26. List out the primitive operations used in RC5. (R)
RC5 uses three primitive operations (and their inverse):
Addition: Addition of words, denoted by +, is performed modulo 2w. The inverse
operation, denoted by -, is subtraction modulo 2w.
Bitwise exclusive-OR:
Left cicular rotation: The cyclic rotation of word x left by y bits is denoted by
x<<<y. The inverse is the right circular rotation of word x by y bits, denoted by
x>>>y.
27. List the important design considerations for a stream cipher. (R)
The encryption sequence should have a large period. The key stream should approximate
the properties of a true random number stream as close as possible. The output of the
pseudorandom number generator is conditioned on the value of the input key.
28. Why is it not desirable to reuse a stream cipher key? (AN)
If two plaintexts are encrypted with the same key using a stream cipher then cryptanalysis
is often quite simple. If the two cipher text streams are „XOR‟ed together the result is the XOR
of the original plaintexts. So it is not desirable to reuse a stream cipher key.
29. What is the primitive operation used in RC4? (R)
The primitive operation used in RC4 is bit wise Exclusive-OR (XOR) operation.
30. What are the primitive operations used in RC5? (R) (April/May 2019)
RC5 uses three primitive operations (and their inverse):
• Addition: Addition of words, denoted by +, is performed modulo 2w. The inverse operation,
denoted by -, is subtraction modulo 2w.
• Bitwise exclusive-OR: This operation is denoted by “⊕”.
• Left circular rotation: The cyclic rotation of word x left by y bits is denoted by x<<<y. The
inverse is the right circular rotation of word x by y bits, denoted by x>>>y.
31. Give the applications of the public key cryptosystem. (U) (April/May 2019)
Public Key Cryptography is used in a number of applications and systems software. Some
examples of application of cryptography are:
• Digitally signed document
• E-mail encryption software such as PGP and MIME
• RFC 3161 authenticated timestamps
• Digital signatures in the Operating System software such as Ubuntu, Red Hat Linux
packages distribution
• SSL protocol
• SSH protocol
32. Define RSA. (R)
RSA (which stands for Rivest, Shamir and Adleman who first publicly described it) is an
algorithm for public-key cryptography. It is the first algorithm known to be suitable for signing
as well as encryption, and was one of the first great advances in public key cryptography.
33. List the four possible approaches to attack the RSA Algorithm. (R)
1. Brute Force
2. Mathematical Attacks
3. Timing attacks
4. Chosen Cipher text attacks
34. Why is trap door one way function used? (AN) (Nov/Dec 2018)
A trapdoor one way function is a function that is easy to compute in one direction, yet
difficult to compute in the opposite direction (finding its inverse) without special information,
called the "trapdoor". Trapdoor functions are widely used in cryptography.
35. What is an elliptic curve? (R) (Nov/Dec 2016)
An elliptic curve will simply be the set of points described by the equation: y2=x3+ax+b
36. State the difference between private key and public key algorithm. (R) (April/May
2017)
S.NO Private Key/ Symmetric Encryption Public Key/ Asymmetric Encryption
1 Symmetric encryption incorporates only
one key for encryption as well as
decryption.
Asymmetric Encryption consists of two
cryptographic keys. These keys are regarded as
Public Key and Private Key.
2 Symmetric encryption is a simple
technique compared to asymmetric
encryption as only one key is employed
to carry out both the operations.
Contribution from separate keys for encryption
and decryption makes it a rather complex
process.
37. Give the five modes of operation of block cipher. ( R ) (April/May 2017)
1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback (CFB)
4. Output Feedback (OFB)
5. Counter (CTR)
38. Perform encryption for the plain text M=88 using the RSA algorithm p=17, q=11 and
the public component e=7.(A) (Nov/Dec 2017)
p = 17, q = 11, n=p * q = 187, Φ(n) = (p-1)(q-1)=160 e=7
Encryption:
C = 887mod 187 = 11
Decryption:
M = 1123
mod 187 = 88
39. Give the significance of hierarchical key control. (AN) ( Nov/Dec 2017)
Hierarchies of KDC‟s (Key Distribution Control) required for large networks. A single KDC may be responsible for a small number of users since it shares the master keys of all the
entities attached to it . If two entities in different domains want to communicate, local KDCs
communicate through a global KDC.
40. Perform encryption and decryption using RSA algorithm for the following:
p = 7; q = 11; e = 17; M= 8 (A) (April/May 2018)
n = p * q = 7 * 11 = 77
f(n) = (p-1) * (q-1) = 6 * 10 = 60
Now, we need to compute d = e-1
mod f(n) by using backward substitution of GCD
algorithm:
According to GCD:
60 = 17 * 3 + 9
17 = 9 * 1 + 8
9 = 8 * 1 + 1
8 = 1 * 8 + 0
Therefore, we have:
1 = 9 – 8
= 9 – (17 – 9)
= 9 – (17 – (60 – 17 * 3))
= 60 – 17*3 – (17 – 60 + 17*3)
= 60 – 17 *3 + 60 – 17*4
= 60*2 – 17*7
Hence, we get d = e-1
mod f(n) = e-1
mod 60 = -7 mod 60 = (53-60) mod 60 = 53
So, the public key is {17, 77} and the private key is {53, 77}, RSA encryption and
decryption is following:
PART-B
1. Discuss in detail the different ways of distribution of public keys. (U) (Nov/Dec 2007)
2. Describe the block cipher modes of operation in detail. (U)
3. Discuss the block cipher modes of operation and give the advantages and disadvantages. (U)
(May/June 2009, May/June 2010)
4. Explain AES algorithm with all its round functions in detail. (16) (U) (Nov/Dec 2016)
(April/May 2018)
5. Explain in detail the transformation takes place in AES encryption procedure. (E)
(Nov/Dec 2009)
6. Discuss about AES Cipher. (U) (May/June 2010)
7. (i) Describe in detail the key generation in AES algorithm and its expansion format. (7) (U)
(ii) Describe triple DSE and its applications. (6) (U) (April/May 2019)
8. Explain in detail about DES. (U) (June 2013) (Dec 2012) (April / May 2016)
(April / May 2017)
9. Explain about the single round DES algorithm. (10) (U) (May 2011) (June – 2014)
817
Mod 77= 57
Encryption
5753
Mod 77 = 8
Decryption
Plaintext
PU= (17, 77)
ciphertext
Plaintext
8
PR= (53, 77)
10. Describe key discarding process of DES. (6) (U) (May 2011)
11. Draw the general structure of DES and explain the encryption decryption process. (U)
(May/June 2009)
12. Mention the strengths and weakness of DES algorithm. (AN) ( May/June 2009)
13. For each of the following elements of DES, indicate the comparable element in AES if
available. (A) (Nov/Dec 2017)
(i) XOR of subkey material with the input to the function.
(ii) F function.
(iii)Permutation p.
(iv) Swapping of halves of the block.
14. Explain in detail about TRIPLE DES. (16) (U) (June 2012) (Dec - 2013)
15. Explain in detail about RC5 algorithm. (U) (June 2012)
16. Explain how encryption and decryption are done using RSA crypto system. (U)
(May/June 2009) (June – 2014)
17. (i) Describe RSA algorithm. (8)
(ii) Perform encryption and decryption using RSA algorithm for the following:
p = 7, q = 11, e = 7, M = 9 (5) (April/May 2019)
18. Explain the RSA Algorithm with example as p =11, q=5, e=3 and PT = 9. (16) (A) (Dec -
2013)
19. Perform encryption/decryption using RSA algorithm for the following: (A)
p=3, q=11, e=7, m=5 (Nov/Dec 2009) (June –
2014)
20. Explain the RSA algorithm in detail. For the given values, trace the sequence of calculation
in
RSA. p=7, q=13, e= 5 and m=10. (16) (A) (April /May 2016)
21. Perform encryption and decryption using RSA algorithm for
p = 17, q = 11, e = 7 and M = 88 (A) (Nov/Dec 2018)
22. Explain RSA algorithm, perform encryption and decryption to the system with
p = 7; q = 11; e = 17; M= 8. (16) (A) (Nov/Dec 2016)
23. Describe about the attacks that are possible on RSA algorithm. (U) (Nov/Dec 2009)
24. State the requirements for the design of an elliptic curve crypto system. Using that, explain
how secret keys are exchanged and messages are encrypted. (U) (May/June 2008)
25. Identify the possible threats for RSA algorithm and list their counter measures. (AN)
(May/June 2008) (June 2013) (Dec 2012) (May
2011)
26. How do elliptic curves take part in Encryption and Decryption process? (U) (May/June
2009) . (U) (April/May 2018)
27. Why ECC is better than RSA? However, why is it not widely used? Defend it.
(AN) (Nov/Dec 2018)
28. Discuss discrete algorithm & explain Diffie-Hellman key exchange algorithm with merits &
demerits. (U) ( May 2011) (Dec 2012) (June 2013) (June – 2014)
29. Users A and B use the Diffie Hellman key exchange technique a common prime q=11 and a
primitive root alpha=7. (A) (May/June 2009)
(i) If user A has private key XA =3 what is A‟s public key YA?
(ii) If user B has private key XB =6 what is B‟s public key YB?
30. What is the shared secret key? Also write the algorithm. (U)
31. How man in middle attack can be performed in Diffie Hellman algorithm? (U)(May/June
2009)
32. Explain Diffie-Hellman Key exchange algorithm in detail. (U) (April / May 2017)
33. User A & B use the Diffie-Hellman key exchange algorithm with a common prime
q=71,and a primitive root a=7. If user A has a private key Xa =5. What is A‟s public key Ya
(8)
(E) (June –
2014)
34. Users Alice and Bob use the Diffie Hellman key exchange technique a common prime q=83
and a primitive root alpha=5. (A) (Nov/Dec 2017)
(i) If Alice has private key XA =6 what is Alice‟s public key YA?
(ii) If Bob has private key XB =10 what is Bob‟s public key YB?
(iii) What is the shared secret key?
35. (i) Explain briefly about Diffie Hellman key exchange algorithm with its merits and demerits.
(10) (U)
(ii) Explain public key cryptography and when it is preferred? (5) (U) (April/May 2019)
36. Find the secret key shared between user A and user B using Diffie Hellman algorithm for the
following: (A) (Nov/Dec 2018)
q = 353; α (primitive root) = 3, XA = 45 and XB = 50
UNIT III- HASH FUNCTIONS AND DIGITAL SIGNATURES
Authentication requirement – Authentication function – MAC – Hash function – Security
of hash function and MAC –MD5 - SHA - HMAC – CMAC - Digital signature and
authentication protocols – DSS – EI Gamal – Schnorr.
PART A
1. What is message authentication? (R)
It is a procedure that verifies whether the received message comes from assigned source
has not been altered.
2. Define the classes of message authentication function. (R)
Message encryption: The entire cipher text would be used for authentication.
Message Authentication Code: It is a function of message and secret key produce a
fixed length value.
Hash function: Some function that map a message of any length to fixed length which
serves as authentication.
3. What you meant by MAC? (R)
MAC is Message Authentication Code. It is a function of message and secret key which
produce a fixed length value called as MAC.
4. Specify the techniques for distribution of public key. (R)
Public announcement.
Publicly available directory.
Public key authority.
Public key certificate.
5. Specify the requirements for message authentication. (R) (Nov/Dec 2016) (April/May
2019)
i. Disclosure.
ii. Traffic analysis.
iii. Masquerade.
iv. Content Modification.
v. Sequence Modification.
vi. Timing modification.
vii. Repudiation.
6. Differentiate internal and external error control. (AN)
Internal Error Control:
Internal error control, an error detecting code also known as frame check
sequence or checksum.
External Error Control:
In external error control, error detecting codes are appended after encryption.
7. Define the term message digest. (R) (Nov/Dec 2018)
A message digest is a fixed size numeric representation of the contents of a message,
computed by a hash function. i.e. A Message Digest is a cryptographic Hash of a message.
8. What you meant by hash function? (U) (April/May 2018)
Hash function accepts a variable size message M as input and produces a fixed size hash
code
H(M) called as message digest as output. It is the variation on the message authentication code.
9. Differentiate MAC and Hash function. (AN) (Nov/Dec 2016)
MAC: In Message Authentication Code, the secret key shared by sender and receiver.
The MAC is appended to the message at the source at a time which the message is assumed or
known to be correct.
Hash Function: The hash value is appended to the message at the source at time when
the message is assumed or known to be correct. The hash function itself not considered to be
secret.
10. Define Hash Function. (R)
A function that maps a variable-length data block or message into a fixed-length value
called a hash code. The function is designed in such a way that, when protected, it provides an
authenticator to the data or message. Also referred to as a message digest (or) Hash code.
11. List the Hash Algorithms. (R)
SHA(Secure Hash Algorithm)
MD5(Message Digest Version5)
12. Write Short notes on MD5. (U)
The MD5 Message-Digest Algorithm is a widely used cryptographic hash function that
produces a 128-bit (16-byte) hash value. MD5 has been employed in a wide variety of security
applications, and is also commonly used to check data integrity. MD5 was designed by Ron
Rivest in 1991 to replace an earlier hash function, MD4. An MD5 hash is typically expressed as
a 32-digit hexadecimal number
13. Write Short notes on SHA (Secure Hash Algorithm). (U)
The Secure Hash Algorithm is one of a number of cryptographic hash functions
published by the National Institute of Standards and Technology (NIST) as a U.S. Federal
Information Processing Standard (FIPS).
14. Contrast various SHA algorithm. (AN) (Nov/Dec 2018)
SHA-0: A retronym applied to the original version of the 160-bit hash function published in
1993 under the name "SHA". It was withdrawn shortly after publication due to an undisclosed
"significant flaw" and replaced by the slightly revised version SHA-1.
SHA-1: A 160-bit hash function which resembles the earlier MD5 algorithm. This was designed
by the National Security Agency (NSA) to be part of the Digital Signature Algorithm.
Cryptographic weaknesses were discovered in SHA-1, and the standard was no longer approved
for most cryptographic uses after 2010.
SHA-2: A family of two similar hash functions, with different block sizes, known as SHA-256
and SHA-512. They differ in the word size; SHA-256 uses 32-bit words where SHA-512 uses
64-bit words. There are also truncated versions of each standard, known as SHA-224, SHA-384,
SHA-512/224 and SHA-512/256. These were also designed by the NSA.
SHA-3: A hash function formerly called Keccak, chosen in 2012 after a public competition
among non-NSA designers. It supports the same hash lengths as SHA-2, and its internal structure
differs significantly from the rest of the SHA family.
15. What is Digital Signature? (U)
A digital signature is an authentication mechanism that enables the creator of a message
to attach a code that acts as a signature. The signature is formed by taking the hash of the
message and encrypting the message with the creator's private key. The signature guarantees the
source and integrity of the message.
16. List the Digital Signature Algorithms. (R)
RSA
El Gamal
DSA
17. List the Processes involved in Digital Signature. (R)
Signing Process
Verification Process
18. Define ElGamal Public Key Cryptosystem. (R)
ElGamal Public Key Cryptosystem is an asymmetric key encryption for public key
cryptography based on Diffie-Hellman Key Exchange.
19. Difference between MD5 and SHA-1. (AN)
S.No. Point of Discussion MD5 SHA-1
1. Message digest length in
bits 128 160
2. Speed Faster(64 iterations) Slower(80 iterations)
3.
Attack to try and find two
messages producing the
same message digest
Requires 264
operations to
break in.
Requires 280
operations to
break in.
20. Show how SHA is more secure than MD5. (AN) (April/May 2019)
SHA is structurally similar to MD5. It is slower than MD5 but more secure, because it
produces message digests that are 25% longer than those produced by the message digest
functions. Since SHA has a longer (160 bits) hash value it is more resistant to brute force
attacks than MD5.
21. Using ElGamal Scheme, let α = 5, p =11, XA= 2. Find the value of YA. (A)
α = 5, p =11, XA= 2
YA = α XA
mod p
= 52 mod 11
22. What are the requirements of the hash function? (U)
H can be applied to a block of data of any size.
H produces a fixed length output.
H(x) is relatively easy to compute for any given x, making both hardware and software
implementations practical.
23. Define the classes of message authentication function. (R)
Message encryption: The entire cipher text would be used for authentication.
Message Authentication Code: It is a function of message and secret key produce a fixed
length value.
Hash function: Some function that map a message of any length to fixed length which
serves as authentication.
24. Specify the various types of authentication protocol. (R) (April/May 2017)
Kerberos authentication protocol
NT LAN Manager (NTLM) authentication protocol
Secure Sockets Layer/Transport Security Layer (SSL/TLS)
Digest authentication
Smart cards
Virtual Private Networking (VPN) and Remote Access Services (RAS)
25. What is the role of compression function in hash function? (U) (April/May 2017)
A compression function takes a fixed length input and returns a shorter, fixed-
length output. Then a hash function can be defined by means of repeated applications of
the compression function until the entire message has been processed. In this process, a
message of arbitrary length is broken into blocks of a certain length which depends on the
compression function, and "padded" (for security reasons) so that the size of the message
is a multiple of the block size. The blocks are then processed sequentially, taking as input
the result of the hash so far and the current message block, with the final output being the
hash value for the message.
26. How is the security of a MAC function expressed? (U) (Nov/Dec 2017)
A MAC is an authentication technique involves the use of a secret key to generate a
small fixed-size block of data, known as a cryptographic checksum or MAC. The
MAC is then appended to the message.
Here, sender and receiver share a secret key.
When A has to send a message to B, it calculates the MAC as a function of the
message and the key:
MAC = MAC(K, M)
where M is
plaintext C is
the MAC
function
K is the
secret key
and
MAC is the message authentication code.
The message plus MAC are transmitted to the intended recipient.
The recipient performs the same calculation on the received message, using the same secret key, to generate a new MAC. The received MAC is compared to the calculated
MAC.
27. Mention the significance of signature function in Digital Signature Standard approach.
(R) (Nov/Dec 2017)
The Signature function assures the recipient that only the sender, with the knowledge of
the private key, could have produce the valid signature.
28. How digital signatures differ from authentication protocols? (AN) (April/May 2018)
A message authentication code (MAC) protects against message forgery by anyone who
doesn't know the secret key (shared by sender and receiver).This means that the receiver
can forge any message – thus we have both integrity and authentication , but not non-
repudiation.
Also an attacker could replay earlier messages authenticated with the same key, so a
protocol should take measures against this (e.g. by including message numbers or
timestamps). (Also, in case of a two-sided conversation, make sure that either both sides
have different keys, or by another way make sure that messages from one side can't sent
back by an attacker to this side.)
MACs can be created from unkeyed hashes (e.g. with the HMAC construction), or
created directly as MAC algorithms.
A (digital) signature is created with a private key, and verified with the corresponding
public key of an asymmetric key-pair. Only the holder of the private key can create this
signature, and normally anyone knowing the public key can verify it. Digital signatures
don't prevent the replay attack mentioned previously.
PART-B
1. Compare the features of SHA-1 and MD-5 algorithm. (AN) (May/June 2007)
2. Describe the MD5 message digest algorithm with necessary block diagrams. (U)
(April/May 2019)
3. Describe MD5 algorithm in detail. Compare its performance with SHA-1.(16)(U) (Nov/Dec
2016)
4. Discuss the objectives of HMAC and its security features. (U) (May/June 2007)
5. Discuss briefly about Digital Signature Algorithm. (U)
(May/June 2007) (Nov/Dec 2007) (May/June 2009) (May/June 2010)(June –
2014)
6. Describe the block chaining technique. (U) (Nov/Dec 2007)
7. Discuss the security of HMAC. (U) (Nov/Dec 2007)
8. What is message authentication? Explain. (R) (May/June 2009)
9. How does SHA-1 logic produce message digest? (U) (May/June 2009)
10. Illustrate SHA2 in detail. (U) (Nov/Dec 2018)
11. Explain the challenges/ response approach in mutual authentication. (U) (May/June 2009)
12. Explain digital signature standard with necessary diagrams in detail.(16) (U) (Nov/Dec
2016)(April/May 2017)
13. Describe digital signature algorithm and show how signing and verification is done using
DSS.
(E) (May/June 2008) (April/May 2019)
14. Write about the symmetric encryption approach for digital signatures. (U) (May/June 2008)
15. Explain MD5 message digest algorithm, with its logic and compression function. (U)
(Nov/Dec 2009) (May 2011) (June 2012)
16. What are the properties a hash function must satisfy? Explain. (R)
(Nov/Dec 2009) (Dec 2012, 2013)
17. Explain about any two authentication protocols. (R) (May/June 2010)
18. Discuss briefly about Secure Hash Algorithm. (U) (May/June 2010) (June 2013)
(Dec - 2013)(April/May 2016)
19. Explain the types of Digital Signatures. (R)
20. Explain RIPEMD in detail. (U)
21. Discuss digital Signature with Elgamal and Schnorr public key cryptosystem. (8) (U)
(Dec 2013) (April / May2016)(Nov/Dec
2017)
22. Explain Elgamal digital signature scheme. (U) (Nov/Dec 2018)
23. Compare the performance of RIPEMD-160 algorithm and SHA-1 algorithm.
(AN)(April/May 2017)
24. With a neat diagram, explain the steps involved in SHA algorithm for encrypting a message
with maximum length of less than 2128
bits and produces as output a 512-bit message digest.
(A) ( Nov/Dec
2017)
25. How Hash Function algorithm is designed? Explain their feature and properties. (AN)
(April/May 2018)
26. With a neat diagram, explain the MD5 processing of a single 512 bit block. (U) (April/May
2018)
UNIT IV - SECURITY PRACTICE & SYSTEM SECURITY
Authentication applications – Kerberos – X.509 Authentication services – Internet
Firewalls for Trusted System: Roles of Firewalls – Firewall related terminology- Types of
Firewalls - Firewall designs – SET for E-Commerce Transactions. Intruder – Intrusion
detection system – Virus and related threats – Countermeasures – Firewalls design
principles – Trusted systems – Practical implementation of cryptography and security.
PART A
1. What is Kerberos? (R)
Kerberos is an authentication service developed as a part of project Athena at MIT.
Kerberos provide a centralized authentication server whose function is to authenticate servers.
2. What were the requirements defined by Kerberos? (R)
1. Secure
2. Reliable
3. Transparent
4. Scalable
3. Define X.509 Authentication Service. (R)
X.509 is part of the X.500 series. X.509 defines a directory service. X.509 is based on the
use of public-key cryptography and digital signatures. X.509 defines a framework for the
provision of authentication services by the X.500 directory to its users. For example, the X.509
certificate format is used in S/MIME, IP Security, and SSL/TLS and SET.
4. Define Intruder. (R)
An individual who gains, or attempts to gain, unauthorized access to a computer system
or to gain unauthorized privileges on that system.
5. List the three classes of Intruders. (R) (Nov/Dec 2016) (April/May 2019)
1. Masquerader
2. Misfeasor
3. Clandestine user
6. Write short notes on Intrusion detection system. (U)
A set of automated tools designed to detect unauthorized access to a host system.
7. Discriminate statistical anomaly detection and rule based detection. (AN) (Nov/ Dec
2018)
Statistical Anomaly Detection Rule Based Detection
Involves the collection of data relating to the
behavior of legitimate users over a period of
Involves an attempt to define a set of rules that
can be used
time. Then statistical tests are applied
to observed behavior to determine with a high
level of confidence whether that
behavior is not legitimate user behavior
to decide that a given behavior is that of an
intruder.
a. Threshold detection
b. Profile based
a. Anomaly detection
b. Penetration identification
8. Write short notes on malicious software. (U)
Malicious software is software that is intentionally included or inserted in a system for a
harmful purpose.
9. Write short notes on Virus. (U)
A virus is a piece of software that can "infect" other programs by modifying them; the
modification includes a copy of the virus program, which can then go on to infect other
programs.
10. Write short notes on Worm. (U)
A worm is a program that can replicate itself and send copies from computer to computer
across network connections.
11. Define Botnets. (R) (Nov/Dec 2016) A botnet (also known as a zombie army) is a number of Internet computers that, although
their owners are unaware of it, have been set up to forward transmissions (including spam or
viruses) to other computers on the Internet.
12. Define Zombie. (R) (Nov/Dec 2016)
A Zombie is a program that secretly takes over another Internet-attached computer and then uses that computer to launch attacks that are difficult to trace to the zombie‟s creator. Zombies are used in denial-of-service attacks, typically against targeted web sites.
13. Define Statistical anomaly detection. (R)
Involves the collection of data relating to the behavior of legitimate users over a period
of time. Then statistical tests are applied to observed behavior to determine with a high level of
confidence whether that behavior is not legitimate user behavior.
14. In the content of Kerberos, what is realm? (U)
A full service Kerberos environment consisting of a Kerberos server, a no. of clients,
no.of application server requires the following:
_ The Kerberos server must have user ID and hashed password of all participating users
in its database.
_ The Kerberos server must share a secret key with each server. Such an environment is
referred to as “Realm”.
15. Specify the four categories of security threats. (R)
Interruption
Interception
Modification
Fabrication
16. What you mean by versioned certificate? (U)
Mostly used issue X.509 certificate with the product name” versioned digital id”. Each
digital id contains owner‟s public key, owner‟s name and serial number of the digital id.
17. Define virus. Specify the types of viruses. (R)
A virus is a program that can infect other program by modifying them the modification
includes a copy of the virus program, which can then go on to infect other program.
Types:
1) Parasitic virus
2) Memory-resident virus
3) Boot sector virus
4) Stealth virus
5) Polymorphic virus
18. What is application level gateway? (U)
An application level gateway also called a proxy server; act as a relay of application-level
traffic. The user contacts the gateway using a TCP\IP application, such as Telnet or FTP, and the
gateway asks the user for the name of the remote host to be accessed.
19. List the design goals of firewalls. (U) (April/May 2019)
1. All traffic from inside to outside, and vice versa, must pass through the firewall.
2. Only authorized traffic, as defined by the local security policy, will be allowed to pass.
3. The firewall itself is immune to penetration
20. Define the roles of firewall. (R) (April/May 2017) (April/May 2018)
A firewall is responsible for bringing in only safe and relevant traffic to your private
network or computer system. It keeps a check on any unauthorized access to your computer and
automatically refuses and decrypt‟s unwanted information through the network.
21. List various types of firewall. (R) (Nov/Dec 2018)
There are 3 common types of firewalls.
Packet filters
Application-level gateways
Circuit-level gateways
22. Distinguish between Attack and Threat. (AN) (Apr/May 2017, Nov/Dec 2018)
Parameter Attack Threat
Meaning An attack is a deliberate act that
exploits vulnerability
Threat is anything potential that cause
harm to the system
Categories
Virus – Piece of software to steal
and damage computer
Spyware – Collects information
against user‟s own will
Phishing – Mostly done through
email like fraudulent system
Worms – Self-replicating from
one system to another
Spam – Spam emails are
computer security threat
Botnets – Bots used to target and
attack systems
DOS attacks – Bombarding
server with traffic to overwhelm
the system
Security threat – Data stealing,
exploitation of data, virus attack
etc.
Physical threat – Loss or physical
damage to the system
Internal – power supply,
hardware fault etc.
External – lighting, natural
disaster such as flood, earthquake
Human – theft, vandalism etc.
Non-physical threat – Loss of
information, data corruption,
cyber security breaches etc.
23. List any 2 applications of X.509 Certificates . (R) (Nov/Dec 2017)
Probably the most widely visible application of X.509 certificates today is in web
browsers (such as Mozilla Firefox and Microsoft Internet Explorer) that support the TLS
protocol. TLS (Transport Layer Security) is a security protocol that provides privacy and
authentication for your network traffic. These browsers can only use this protocol with web
servers that support TLS.
Other technologies that rely on X.509 certificates include:
Various code-signing schemes, such as signed Java ARchives, and Microsoft Authenticode.
Various secure E-Mail standards, such as PEM and S/MIME.
E-Commerce protocols, such as SET.
24. Write a simple authentication dialogue used in Kerberos. (U) (Nov/Dec 2017)
(1) C AS: IDC||PC||IDV
(2) AS C: Ticket
(3) C V: IDC||Ticket
Ticket = E(Kv, [IDC||ADC||IDV])
• where
• C= client , AS= authentication server ,V=server
• IDC= identifier of user on C ,IDV= identifier of V
• PC= password of user on C ,ADC= network address of C
• Kv= secret encryption key shared by AS and V
the user logs on to a workstation and requests access to server V.
The client module C in the user's workstation requests the user's password and then sends a
message to the AS that includes the user's ID, the server's ID, and the user's password.
The AS checks its database to see if the user has supplied the proper password for this user ID
and whether this user is permitted access to server V.
• the AS creates a ticket that contains the user's ID and network address and the server's ID.
• This ticket is encrypted using the secret key shared by the AS and this server
• This ticket is then sent back to C.
• C sends a message to V containing C's ID and the ticket.
• V decrypts the ticket and verifies that the user ID in the ticket is the same as the
unencrypted user ID in the message.
25. What is a Threat? List their types. (R) (April/May 2018)
A computer threat is a possibility of danger that might harm the vulnerability of a
computer system and breach the security to cause damage. It can have an intentional cause like
hacking or an accidental cause of natural disaster or computer malfunction.
Types of security threats
A spyware threat
Hackers
Phishing scammers
PART B
1. How the encryption is key generated from password in Kerberos? (U) (May/June
2007)
2. Explain Kerberos Version 4 in detail. (16) (R) (April / May 2016)
3. Discuss Client Server Mutual authentication, with example flow diagram. (16) (U)
(Nov/Dec 2016)
4. Discuss the different types of authentication procedures? (U) (Nov/Dec 2007)
5. Describe the authentication dialogue used by Kerberos for obtaining services from another
realm.
(U) (May/June 2008)
6. Explain with the help of an example how a user‟s certificate is obtained from another
certification authority in x509 scheme. (E) (May/June 2008)
7. (i) What is Kerberos? Explain how it provides authenticated service. ( 7) (U)
(ii) Explain the format of the X.509 certificate. (6) (U) (April/May 2019)
8. Explain PKI. (8) (U) (DEC - 2013)
9. Explain Kerberos Authentication mechanism with suitable diagrams.(16) (U) (June – 2014)
10. (i) What is Kerberos? Explain how it provides authenticated service. (8) (U) (April/May
2018)
(ii) Explain the format of the X.509 certificate. (8) (R) (April/May 2018)
11. Explain the technical details of firewall and describe any three types of firewall with neat
diagram. (16) (U) (Nov/Dec 2016)
12. Explain the characteristics and types of firewalls. (16) (U) (April / May 2016,April/May
2019)
13. Discuss how firewalls help in the establishing a security framework for an organization. (U)
(Nov/Dec 2017)
14. Define intrusion detection and the different types of detection mechanisms, in detail. (16)
(U) (April / May 2017)
15. How does screened host architecture for firewalls differ from screened subnet firewall
architecture? Which offers more security for information assets on trusted network? Explain
with neat sketch. (AN)(April/May 2018)
16. Illustrate the working principle of SET. Relate SET for E-Commerce applications.
(U) (Nov/Dec 2018)
17. (i)Explain any two approaches for intrusion detection. (8) (U)
(ii)Identify a few malicious programs that need a host program for their existence. (8) (E)
18. (i) Explain firewalls and how they prevent intrusions. (8) (U)
(ii) List and Brief, the different generation of antivirus software (8) (U)
19. Explain the types of Host based intrusion detection. List any two IDS software available. (R)
20. What are the positive and negative effects of firewall? (8) (AN)
21. Describe the familiar types of firewall configurations.(16) (U)
22. Write brief notes on the following: (U) (April /May 2016)
(i) Classification of viruses. (8)
(ii) Worm Counter Measures. (8)
23. Discuss the different types of virus in detail. Suggest scenarios for deploying these types in
network scenario. (U) (April / May 2017)
24. Analyze various types of virus and its counter measures. (AN) (Nov/Dec 2018)
UNIT V- E-MAIL, IP & WEB SECURITY
E-mail Security: Security Services for E-mail-attacks possible through E-mail - establishing
keys privacy-authentication of the source-Message Integrity-Nonrepudiation-Pretty Good
Privacy - S/MIME. IPSecurity: Overview of IPSec - IP and IPv6 - Authentication Header-
Encapsulation Security Payload (ESP)-Internet Key Exchange (Phases of IKE,
ISAKMP/IKE Encoding). Web Security: SSL/TLS Basic Protocol computing the keys -
client authentication-PKI as deployed by SSL Attacks fixed in v3- Exportability-Encoding-
Secure Electronic Transaction (SET).
PART A
1. What are the services provided by PGP? (R) (April/May 2018, Nov/Dec 2018)
Digital signature
Message encryption
Compression
E-mail compatibility
Segmentation
2. Explain the reasons for using PGP. (U)
a) It is available free worldwide in versions that run on a variety of platforms, including
DOS/windows, UNIX, Macintosh and many more.
b) It is based on algorithms that have survived extensive public review and are considered
extremely secure.
E.g.) RSA, DSS and Diffie-Hellman for public key encryption, CAST-128, IDEA, 3DES
for conventional encryption, SHA-1for hash coding.
c) It has a wide range of applicability from corporations that wish to select and enforce a
standardized scheme for encrypting files and communication.
d) It was not developed by nor is it controlled by any governmental or standards
organization.
3. Why E-mail compatibility function in PGP needed? (U)
Electronic mail systems only permit the use of blocks consisting of ASCII text. To
accommodate this restriction PGP provides the service converting the row 8- bit binary stream to
a stream of printable ASCII characters. The scheme used for this purpose is Radix-64
conversion.
4. Name any cryptographic keys used in PGP. (R)
a) One-time session conventional keys.
b) Public keys.
c) Private keys.
d) Pass phrase based conventional keys.
5. Define key Identifier. (R)
PGP assigns a key ID to each public key that is very high probability unique with a user
ID. It is also required for the PGP digital signature. The key ID associated with each public key
consists of its least significant 64bits.
6. List the limitations of SMTP/RFC 822. (U) (Nov/Dec 2016)
a) SMTP cannot transmit executable files or binary objects.
b) It cannot transmit text data containing national language characters.
c) SMTP servers may reject mail message over certain size.
d) SMTP gateways cause problems while transmitting ASCII and EBCDIC.
e) SMTP gateways to X.400 E-mail network cannot handle non textual data included in
X.400 messages.
7. Define S/MIME. (R)
Secure/Multipurpose Internet Mail Extension(S/MIME) is a security enhancement to the
MIME Internet E-mail format standard, based on technology from RSA Data Security.
8. What are the elements of MIME? (R)
Five new message header fields are defined which may be included in an RFC 822
header.
A number of content formats are defined.
Transfer encodings are defined that enable the conversion of any content format into a
form that is protected from alteration by the mail system.
9. Mention the five headers fields defined in MME? (R) (April/May 2019)
MIME version.
Content type.
Content transfer encoding.
Content id.
Content description.
10. What is MIME content type? Explain. (U)
It is used to declare general type of data. Subtype define particular format for that type of
the data. It has 7 content type & 15 subtypes. They are,
1. Text type
Plain text.
Enriched.
2. Multipart type
Multipart/mixed.
Multipart/parallel.
Multipart/alternative.
Multipart/digest.
3. Message type
Message/RFC822.
Message/partial.
Message/external.
4. Image type
JPEG.
CIF.
5. Video type.
6. Audio type.
7. Application type
Post script.
Octet stream.
11. What are the key algorithms used in S/MIME? (R)
Digital Signature Standards.
Diffi-Hellman.
RSA Algorithm.
12. Give the steps for preparing envelope data MIME. (U)
1. Generate Ks.
2. Encrypt Ks using recipient‟s public key.
3. RSA algorithm used for encryption.
4. Prepare the „recipient info block‟.
5. Encrypt the message using Ks.
13. What are the function areas of IP security? (R)
Authentication
Confidentiality
Key management.
14. Give the application of IP security. (U)
Provide secure communication across private & public LAN.
Secure remote access over the Internet.
Secure communication to other organization.
15. What are the benefits of IP Security? (U) (April/May 2017, April/May 2019)
Provide security when IP security implement in router or firewall.
IP security is below the transport layer is transparent to the application.
IP security transparent to end-user.
IP security can provide security for individual user.
16. What are the protocols used to provide IP security? (R)
Authentication header (AH) protocol.
Encapsulating Security Payload (ESP).
17. Specify the IP security services. (R)
Access control.
Connectionless integrity.
Data origin authentication
Rejection of replayed packet.
Confidentiality.
Limited traffic for Confidentiality.
18. List out the steps involved in SSL record protocol. (U)
1. SSL record protocol takes application data as input and fragments it.
2. Apply lossless Compression algorithm.
3. Compute MAC for compressed data.
4. MAC and compression message is encrypted using conventional algorithm.
19. Write short notes on Transport Layer Security (TLS). (U)
Transport Layer Security is defined as a Proposed Internet Standard in RFC 2246. RFC
2246 is very similar to SSLv3. The TLS Record Format is the same as that of the SSL Record
Format, and the fields in the header have the same meanings. The one difference is in version
number
20. Differentiate Transport and Tunnel mode in IPsec. (AN) (Nov/Dec 2018)
S.No. Transport mode Tunnel Mode
1 Provide the protection for upper layer protocol
between two hosts.
Provide the protection for entire IP Packet.
2 ESP in this mode encrypts and optionally
authenticates IP Payload but not IP Header.
ESP in this mode encrypt authenticate the
entire IP packet.
3 AH in this mode authenticate the IP Payload
and selected portion of IP Header.
AH in this mode authenticate the entire IP
Packet plus selected portion of outer IP
Header.
21. What is mean by SET? What are the features of SET? (U)
Secure Electronic Transaction (SET) is an open encryption and security specification
designed to protect credit card transaction on the internet.
Features are:
1. Confidentiality of information
2. Integrity of data
3. Cardholder account authentication
4. Merchant authentication
22. What are the steps involved in SET Transaction? (R)
1. The customer opens an account
2. The customer receives a certificate
3. Merchants have their own certificate
4. The customer places an order.
5. The merchant is verified.
6. The order and payment are sent.
7. The merchant requests payment authorization.
8. The merchant confirm the order.
9. The merchant provides the goods or services.
10. The merchant requests payment.
23. Draw the ESP packet format. (R) (April/May 2017)
24. Specify the purpose of ID payload in phase I and Phase II inherent in ISAKMP/IKE
Encoding. (U) (April/May 2017)
ISAKMP defines payloads for exchanging key generation and authentication data. These
formats provide a consistent framework for transferring key and authentication data which is
independent of the key generation technique, encryption algorithm and authentication
mechanism.
25. Justify the following statement: (U) (Nov/Dec 2017)
“With a Network Address Translation(NAT) box, the computers on your internal network do
not need global IPV4 addresses in order to connect to the Internet .”
A NAT box located where the LAN meets the Internet makes all necessary IP address
translations. Hence, addresses allocated are locally unique but not globally unique.
26. What is the difference between TLS and SSL Security? (AN) (April/May 2018)
S.NO Concepts TLS SSL
1. Which is faster?
It is little slower due to the
two-step communication
process i.e. handshaking
and actual data transfer.
It is faster than TLS as
authentications are not
carried out intensively.
2.
Which is complex to
manage on the server
side?
It is complex as it requires
certificate validations and
good authentications.
It is simpler than the TLS
as it lacks few features that
are present in the TLS.
PART -B
1. Illustrate the confidentiality service provided by PGP. (U) (May/June 2007)
2. Summarize the S/MIME in detail. (U) (May/June 2007) (June 2013) (Nov/Dec 2018)
3. What services are provided by IP sec? (R) (May/June 2007) (June 2012)
4. What are the key features of SET? Explain. (U) (Nov/Dec 2007)
5. What protocols comprise SSL? Explain any two of them. (U) (Nov/Dec 2007)
6. Explain the operational description of PGP.(16) (U) (Nov/Dec 2016)
7. Explain PGP cryptographic functions in detail with suitable block diagrams. (U)
(April/May 2019)
8. How does PGP provide confidentiality and authentication service for e-mail and file storage
applications? Draw the block diagram and explain its components. (U) (May/June 2009)
9. Evaluate the performance of PGP. Compare it with S/MIME. (AN) (Nov/Dec 2018)
10. Bring out the importance of security associations in IP. (AN) (May/June 2009)
11. Describe the SSL Specific protocol – Handshake action in detail. (U)
(May/June 2009) (Dec /2013)(April / May 2016)
12. What are the functions included in MIME in order to enhance security? How are they done?
(E) (May/June 2008)
13. Explain the services of PGP. (U) (Nov/Dec 2009) (Dec - 2012) (May 2011)
14. Discuss briefly about PGP used for Email security. (U) (May/June 2010) (June –
2014)(April/May 2018)
15. Discuss briefly about X.509 authentication service. (U) (May/June 2010) (June 2013)
16. Describe about SET. (U) (Dec - 2012) (June 2012) (Nov/Dec 2017)
17. Discuss the working of SET with neat diagram. (16) (U) (Nov/Dec 2016)
18. Differentiate SSL & SET. (8) (AN) (May - 2011)
19. Explain about the overview of IP Security documents. (8)(U) (May 2011)
20. Explain the architecture of IP security in detail with a neat block diagram. (U)
(April/May 2017, April/May 2019)
21. Discuss authentication header and ESP in detail with their packet format . (U) (April/May
2017)
22. Discuss the different methods involved in authentication of the source.(8) (U) (Nov/Dec
2017)
23. Write about how the integrity of message is endured without source authentication.(8)
(U) (Nov/Dec
2017)
24. Describe in detail about SSL/TLS. (U) (Nov/Dec 2018)
25. Write the steps involved in the simplified form of the SSL/TLS protocol. (8) (U) (Nov/Dec
2017)
26. Write the methodology involved computing the keys in SSL/TLS protocol. (8) (U)
(Nov/Dec 2017)
27. Write short notes on the following: (U) (April/May 2018)
a) Public Key Infrastructure (8)
b) Secure Electronic Transaction. (8)