
Computer Security

Model Answer 2

Q1. (A) a) Differentiate between virus and worm


(Any four differences 1 mark each)
Virus | Worm
A virus is a piece of code that attaches itself to a host program | A worm is a malicious program that spreads automatically
It does not replicate itself | It can replicate itself
Virus modifies code | Worm does not modify the code
Virus is destructive in nature | Worm is non destructive in nature
Needs a host program | Does not need a host program
Virus can infect other files | Worm does not infect other programs, but occupies memory
Virus may need a trigger for execution | Worm does not need any trigger

b) Explain keystroke mechanism for user authentication.


(Following key points should be included in answer - 4 Marks)
Keystroke is a method in which an individual is recognized based on analysis of their typing patterns.
Biometrics based on typing pattern is cheaper to implement and more distributed.
Collecting data related to a person's typing pattern simply requires a keyboard and software to collect keystroke data.
Keystroke biometrics can be collected from virtually anywhere in the world via the internet.
A keystroke is captured entirely by the key pressed, the press time, and the release time, so the data can be transmitted in low bandwidth.
c) Define (1 Mark for each definition)
i. Cryptography
Cryptography is the art and science of achieving security
by encoding messages to make them non-readable.
ii. Cryptanalysis
Cryptanalysis is also called codebreaking.
Cryptanalysis is the technique of decoding ciphertext back
to plaintext without knowing how it was initially converted or the
key used.
iii. Cryptology
It is a combination of cryptography and cryptanalysis
iv. Steganography
Steganography is the art and science of writing hidden
message. It hides secret message into ordinary message.

d) Describe the term honeypot.


(Honeypot - 2 M, Types – 2M)
• "Honeypot is a trap set to detect, deflect, or in some manner counteract attempts at unauthorized use of information systems."
• "Honeypot is an information system resource whose value lies in unauthorized use of that resource."
• Honeypots are designed to
  – Divert an attacker from accessing critical systems
  – Collect information about the attacker's activity
  – Encourage the attacker to stay on the system long enough for administrators to respond
• A honeypot contains information designed to appear valuable, but that a legitimate user of the system wouldn't access.
• Thus any access to the honeypot is suspect.
• It contains sensitive monitors and event loggers.
• Any attack against the honeypot is made to seem successful, so administrators have time to mobilize and to log and track the attacker.
Types of Honeypot
Low-Interaction Honeypot
• Have limited interaction
• They normally work by emulating services and operating systems
• Attacker activity is limited to the level of emulation by the honeypot.
• Easier to deploy and maintain, with minimal risk
High-Interaction Honeypot
• Are usually complex solutions as they involve real operating systems and applications
• Nothing is emulated; we give attackers the real thing

Q1. (B) a) What is worm? Give significant difference between virus and worm.
(Worm - 2M, Anatomy 2M, Any four diff. 2 Marks)
A worm is a replicating program that propagates over the net and uses memory but does not infect other programs (it does not attach itself to a program).
Worms perform unwanted functions.
A worm does not need to attach itself to another program. In that sense, a worm is self-contained.
A worm is able to send copies of itself to other machines over a network. A worm can harm a network and consume network bandwidth.
A worm is a program that can replicate itself.
• It is malicious s/w which does not require a host program for its execution.
• Replicating program that propagates over the net but does not infect programs (does not attach itself to a program)
• Worm is non destructive
• A worm can harm a computer system by filling main memory with its replicated copies.

• A worm has the same phases as a virus, with some variations.
• A worm has a dormant phase, like a virus, in which it remains idle, performing nothing.
• The second phase is the propagation phase, in which the worm spreads automatically; unlike a virus, it is not dependent on a host program for its execution. It spreads via the network or through secondary storage devices.
• The last phase is the execution phase. A worm does not require a trigger for its execution; it executes automatically when it enters the system.
• A worm's aim is to make the computer system unusable through nondestructive techniques.

b) What are objectives of IT Act 2000?


(Any four objectives one mark each)
• To grant legal recognition to transactions carried out by means of EDI and E-Commerce
• To give legal recognition to digital signatures for authentication of any information.
• To facilitate electronic filing of documents with government departments
• To facilitate electronic storage of data
• To facilitate & give legal recognition to E fund transfers between banks and financial institutes.
• To give legal recognition for keeping accounts in electronic form by bankers.

Q2. a) Explain
i. Spoofing attack with diagram.
(Spoofing Diagram – 2M, Description 2M)
Spoofing is making data appear as if it has come from a different source.
This is possible in TCP/IP because of the friendly assumptions behind the protocols.
When a packet is sent from one system to another, it includes not only the IP address and port of the destination but the source IP address as well.
Spoofing can take advantage of a trusted relationship between two systems.
The attacker takes advantage of this by sending a packet to one system that appears to have come from a trusted system.
The target system may perform the requested task without authentication.
The attacker will launch a DoS attack to temporarily take out the spoofed system for the period of time that the attacker is exploiting the trusted relationship.
When the attack is completed, the DoS attack on the spoofed system is terminated.

ii. Sniffing with diagram.


Sniffing:
(Diagram 1 M, Sniffing Description -3M)
A sniffer is software or hardware that is used to observe traffic as it passes through a network on shared broadcast media.
It can be used to view all traffic or to target a specific protocol, service, or string of characters such as logins.
Some network sniffers are designed not just to observe all the traffic but also to modify the traffic.
Network administrators use sniffers for monitoring traffic.
They can also be used for network bandwidth analysis and to troubleshoot certain problems such as duplicate MAC addresses.
b) Explain DES with diagram

• Symmetric encryption, block cipher
• Plaintext: 64-bit block
• Key: 56 bit
  – Actually a 64-bit key is accepted; only 56 bits are used, and 8 bits are parity or simply set arbitrarily
• The algorithm transforms a 64-bit input in a series of steps into a 64-bit output
• The same steps, with the same key, are used to reverse the encryption
[Figure: DES overview. Plaintext (64 bit), Initial Permutation, LPT and RPT, 16 rounds on each half with the key, Inverse Initial Permutation, Ciphertext (64 bit).]
The plaintext proceeds in three phases:
1. Initial permutation (IP), which rearranges the bits to produce the permuted input.
2. Sixteen rounds involving both permutation and substitution functions; the outputs of the last round are swapped to produce the preoutput.
3. The inverse of the initial permutation function, to produce the 64-bit ciphertext.
Details of Single Round
• The 64-bit block is treated as separate 32-bit quantities (L & R)
• The round key Ki is 48 bits.
• The input R is 32 bits, which is expanded to 48 bits
• The resulting 48 bits are XORed with Ki
• This 48-bit result passes through a substitution function that produces a 32-bit output
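The round structure above, and the point that the same steps with the same key reverse the encryption, shown as an added example that is not part of the model answer. It is a Feistel network with DES's sizes (64-bit block, 32-bit halves, sixteen 48-bit round keys from a 56-bit key); the expansion, substitution and key schedule are toy stand-ins built on SHA-256, not DES's tables, and the initial permutation and its inverse are left out because they do not affect reversibility.

```python
import hashlib

MASK32 = 0xFFFFFFFF


def round_keys(key56):
    """Toy key schedule (assumption, not DES's PC-1/PC-2): sixteen 48-bit keys."""
    keys = []
    for i in range(16):
        digest = hashlib.sha256(key56.to_bytes(7, "big") + bytes([i])).digest()
        keys.append(int.from_bytes(digest[:6], "big"))
    return keys


def round_function(right, round_key):
    """One round's work on R: expand 32 -> 48 bits, XOR with Ki, substitute 48 -> 32."""
    expanded = (right << 16) | (right >> 16)      # toy expansion to 48 bits
    mixed = expanded ^ round_key                  # XOR with the 48-bit round key
    digest = hashlib.sha256(mixed.to_bytes(6, "big")).digest()
    return int.from_bytes(digest[:4], "big")      # toy substitution, 32-bit output


def feistel(block64, keys):
    """Run the sixteen rounds, then swap the halves of the last round's output."""
    left, right = block64 >> 32, block64 & MASK32
    for key in keys:
        # New L is the old R; new R is the old L XOR f(old R, Ki).
        left, right = right, left ^ round_function(right, key)
    return (right << 32) | left


def encrypt(block64, key56):
    return feistel(block64, round_keys(key56))


def decrypt(block64, key56):
    # Identical steps and identical key; only the round-key order is reversed.
    return feistel(block64, round_keys(key56)[::-1])


if __name__ == "__main__":
    key = 0x0123456789ABCD            # constructed 56-bit key
    block = 0x0123456789ABCDEF        # constructed 64-bit plaintext block
    ciphertext = encrypt(block, key)
    print(f"ciphertext {ciphertext:016x}")
    print(f"recovered  {decrypt(ciphertext, key):016x}")
```

The round function never has to be inverted: each round only XORs its output into the other half, which is why decryption can reuse the encryption steps.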

c) Explain IPSec configuration with suitable diagram.


(IPSec 2M, diagram 2M, Tunnel Mode 2M, transport mode
2M)
IPSec is a set of protocols developed by the IETF.
It is developed for the exchange of packets at the n/w layer.
The overall idea of IPSec is to encrypt & seal the transport & application layer data during transmission.
This protocol only works in combination with IP.
Once an IPSec connection is established, it is possible to tunnel across other n/w.
[Figure: IPSec in the protocol stack. Sender and receiver each show Original Message, Application, Transport, IPSec, Internet, Physical; the two stacks are joined by the Transmission Media.]

Transport Mode
• Encrypts only the data portion of the packet,
• Thus enabling outsiders to see the source & dest. IP addresses.
• This protects the data being transmitted, but allows knowledge of the transmission.
• IPSec takes the transport layer payload, adds the IPSec header & then adds the IP header
• Thus the IP header is not encrypted.
• Protection of the data portion of the packet is referred to as content protection
[Figure: transport mode. Transport Layer Payload, wrapped as IPSec H | IPSec Payload | IPSec T, carried as IP H | IP Payload.]
Tunnel Mode
• Provides encryption of the source & dest. IP addresses, as well as of the data itself.
• It can only be done between IPSec servers because the final dest. needs to be known for delivery.
• Protection of header information is known as context protection.
• It takes the IP datagram, including the IP header.
• It adds the IPSec header & trailer & encrypts the whole thing.
• It then adds a new IP header to this encrypted datagram
• It is possible to use both methods at the same time, such as using transport within one's own n/w to reach an IPSec server, and then using the transport method from the target n/w IPSec server to the target host.
• This has three connections: host to server, server to server & host to host.
[Figure: tunnel mode. Transport Payload, carried as IP H | IP Payload, wrapped as IPSec H | IPSec Payload | IPSec T, carried as New IP H | New IP payload.]

Q3. a) Describe the working of PEM mail security.


(1 Marks – PEM 1 M-PEM operations, 2 Marks –PEM working
steps)
• PEM is an internet standard to provide email security
• It employs cryptographic techniques for confidentiality, sender authentication, and message integrity
• Message integrity assures the user that the message is not modified during transit.
• Sender authentication verifies that the received message originated from the person who claims to have sent it.
• Confidentiality allows a message to be kept secret
PEM operations
• Canonical conversion
• Digital signature
• Encryption
• Base 64 encoding
Step 1: Canonical conversion - PEM transforms each email into an abstract canonical representation. Canonical representation means the email message travels in a uniform, independent format.
Step 2: Digital signature – The digital signature is created using the email message digest (MD2 or MD5) and the sender's private key.
Step 3: Encryption – The original email and the digital signature are encrypted with a symmetric key (DES or DES 3).
Step 4: Base 64 encoding – This process transforms arbitrary binary input into printable characters over the internet using keys.
b) Explain Password selection strategies
(Five criteria contain 4 Marks)
• Password should be at least eight characters long
• Password should have a combination of uppercase letters (A-Z), lowercase letters (a-z), numbers (0-9) and special characters like (@,#,$,%,& etc.).
• Password should not consist of dictionary words.
• Password should not be the same as the user's login name.
• Password should not consist of the user's first name, last name, family member's name, date of birth, pet name or any other item that is easily identified with the user.
Four basic techniques are in use to reduce guessable passwords
a. User Education
b. Computer generated password
c. Reactive password checking
d. Proactive password checking
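A proactive password checker that applies the five criteria above when the user chooses a password. It is an added example, not part of the model answer; the function name, the result codes, the small word list and the user details are constructed, and undoing common character substitutions before the dictionary lookup is an extra step beyond the listed criteria.

```python
import re

# Constructed sample word list (assumption); a real checker loads a large dictionary.
DICTIONARY = {"password", "welcome", "dragon", "monkey", "sunshine", "football"}

# Common substitutions undone before the dictionary lookup, so "P@ssw0rd"
# is still recognised as "password" (added step, not one of the five criteria).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})

# Criterion 2: one pattern per required character class.
CLASSES = [("no_upper", r"[A-Z]"), ("no_lower", r"[a-z]"),
           ("no_digit", r"[0-9]"), ("no_special", r"[^A-Za-z0-9]")]


def alnum(text):
    """Lowercase and drop separators so '12-04-1990' matches '12041990'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password, login, personal_items=(), dictionary=DICTIONARY):
    """Return the list of violated criteria; an empty list means accepted."""
    problems = []
    lowered = password.lower()

    # Criterion 1: at least eight characters.
    if len(password) < 8:
        problems.append("too_short")

    # Criterion 2: uppercase, lowercase, number and special character.
    for code, pattern in CLASSES:
        if not re.search(pattern, password):
            problems.append(code)

    # Criterion 3: no dictionary words, checked as typed and de-substituted.
    forms = (lowered, lowered.translate(LEET))
    if any(word in form for word in dictionary for form in forms
           if len(word) >= 4):
        problems.append("dictionary_word")

    # Criterion 4: not the login name (containing it is rejected as well).
    if login and login.lower() in lowered:
        problems.append("login_name")

    # Criterion 5: no names, date of birth or other items tied to the user.
    squeezed = alnum(password)
    if any(len(alnum(item)) >= 3 and alnum(item) in squeezed
           for item in personal_items):
        problems.append("personal_item")

    return problems


if __name__ == "__main__":
    user = {"login": "asha",                      # constructed user record
            "personal_items": ["Asha", "Patil", "12-04-1990"]}
    for candidate in ("asha1990", "P@ssw0rd!23", "tR7#kq9!Lm"):
        print(candidate, check_password(candidate, **user) or "accepted")
```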

c) Explain the term DMZ.


(Diagram 2M, Description 2M)
DMZ is a computer host or small network inserted as a 'neutral zone' between a company's private n/w & the outside public network.
It prevents outside users from getting direct access to a server.
DMZ is an optional & more secure approach to a firewall.
It effectively acts as a proxy server as well.

d) What is steganography? Give its advantages
(Steganography 3M, two advantages 1M)
• Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message.
• Steganography works by replacing bits of useless or unused data in regular computer files (such as graphics, sound, text, html or even floppy disks) with bits of different, invisible information.
• This hidden information can be plain text, cipher text or even images. In modern steganography, data is first encrypted by the usual means and then inserted, using a special algorithm, into redundant data that is part of a particular file format such as a JPEG image.
• Steganography process:
• Cover-media + Hidden data + Stego-key = Stego-medium
• Cover media is the file in which we will hide the hidden data, which may also be encrypted using the stego-key.
• The resultant file is the stego-medium. Cover-media can be an image or audio file.
• Steganography takes cryptography a step further by hiding an encrypted message so that no one suspects it exists.
• Ideally, anyone scanning your data will fail to know it contains encrypted data.
• Steganography has a number of drawbacks when compared to encryption. It requires a lot of overhead to hide relatively few bits of information.
• The advantage of steganography is that it can be employed by parties who have something to lose should the fact of their secret communication (not necessarily the content) be discovered. Encryption flags traffic as important or secret or may identify the sender or receiver as someone with something to hide.

e) Describe Secure Electronic Transaction.


(Diagram 1M, Description 1M, Participant 2M)
Secure electronic Transaction is an open encryption and security
specification that is designed for protecting credit card transactions on
the Internet. It is a set of security protocols and formats that enable the
users to employ the existing credit card payment infrastructure on the
internet in a secure manner.
1) Cardholder
2) Merchant
3) Issuer
4) Acquirer
5) Payment gateway
6) Certification Authority (CA)

Describe any four


1) Cardholder: A cardholder is an authorized holder of a payment card
such as MasterCard or Visa that has been issued by an Issuer.
2) Merchant: Merchant is a person or an organization that wants to sell
goods or services to cardholders.
3) Issuer: The issuer is a financial institution that provides a payment
card to a cardholder.
4) Acquirer: This is a financial institution that has a relationship with
merchants for processing payment card authorizations and payments.
It also provides an assurance that a particular cardholder account is
active and that the purchase amount does not exceed the credit limits. It
provides electronic fund transfer to the merchant account.
5) Payment Gateway: It processes the payment messages on behalf of
the merchant. It connects to the acquirer's system using a dedicated
network line.
6) Certification Authority (CA): This is an authority that is trusted to
provide public key certificates to cardholders, merchants, and Payment
Gateways.

Q4) A) a) Convert plaintext "I AM A HACKER" into cipher text using Rail Fence
ANS

Cipher Text IMHCEAAAKR
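The rail fence conversion worked in code, as an added example that is not part of the model answer. The answer above corresponds to two rails with spaces dropped; the functions below generalise to any number of rails and include decryption and a listing of every possible rail count, which shows how small the key space is. All function names are illustrative.

```python
def rail_pattern(length, rails):
    """Rail index (0 = top rail) visited at each position of the zigzag."""
    if rails < 2:
        return [0] * length
    pattern, rail, step = [], 0, 1
    for _ in range(length):
        pattern.append(rail)
        if rail == 0:
            step = 1            # bounce off the top rail
        elif rail == rails - 1:
            step = -1           # bounce off the bottom rail
        rail += step
    return pattern


def encrypt(plaintext, rails=2):
    """Write letters along the zigzag, then read the rails top to bottom."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    rows = [[] for _ in range(max(rails, 1))]
    for letter, rail in zip(letters, rail_pattern(len(letters), rails)):
        rows[rail].append(letter)
    return "".join("".join(row) for row in rows)


def decrypt(ciphertext, rails=2):
    """Place ciphertext letters back on the positions their rail covers."""
    pattern = rail_pattern(len(ciphertext), rails)
    # Stable sort: positions on rail 0 first, then rail 1, each in order.
    order = sorted(range(len(ciphertext)), key=lambda i: pattern[i])
    plain = [""] * len(ciphertext)
    for letter, position in zip(ciphertext, order):
        plain[position] = letter
    return "".join(plain)


def all_decryptions(ciphertext):
    """The only secret is the rail count, so every candidate can be listed."""
    return {rails: decrypt(ciphertext, rails)
            for rails in range(2, len(ciphertext))}


if __name__ == "__main__":
    ciphertext = encrypt("I AM A HACKER")
    print(ciphertext)                       # two rails, as in the answer above
    for rails, guess in all_decryptions(ciphertext).items():
        print(rails, guess)
```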

b) How PGP is used for email system


(Diagram 1M, Description 3M)
PGP provides a confidentiality and authentication service that can be used for electronic mail and file storage applications. It runs on a wide range of systems, in both free & commercial versions.
PGP combines features of conventional & public key cryptography.
When a user encrypts plaintext with PGP, PGP first compresses the plaintext.
Then PGP creates a session key, a one-time-only secret key.
The plaintext is encrypted with the session key.
Once the data is encrypted, the session key is encrypted with the recipient's public key.
The public-key-encrypted session key is transmitted along with the ciphertext to the receiver.
The receiver uses his/her private key to recover the session key.
The session key is used to decrypt the ciphertext.

c) What is cyber crime?


(Cyber Crime Description 3M, Types 1M)
• Any crime that involves a computer and a network, which may have been used in the commission of a crime, or it may be the target.
• “Offences that are committed against individuals or groups of individuals with a criminal motive to intentionally harm the reputation of the victim or cause physical or mental harm to the victim directly or indirectly, using modern telecommunication networks such as Internet (Chat rooms, emails, notice boards and groups) and mobile phones (SMS/MMS)”.
• Defining cyber crimes, as "acts that are punishable by the Information Technology Act"
• “Unlawful acts wherein the computer is either a tool or a target or both".
• Cyber law can be defined as a law governing the use of computers and the internet.
Types of Cyber Crime
• Hacking
• Cracking
• Theft/fraud
• Malicious software
• Child soliciting and abuse
• Software piracy
• Intellectual property

d) Explain different threats to web security


(Four Factors with threat, consequences and countermeasures)
Q 4) B) a) Define virus and explain virus spreading mechanism.
(Virus 2M, Infection Mechanism, Spreading mechanism 4M)
• A virus is a program which attaches itself to another program and causes damage to the computer system or the network. It is loaded onto your computer without your knowledge and runs against your wishes.
• A printed copy of a virus does nothing and threatens no one. Even executable virus code sitting on a disk does nothing. To do malicious work and spread itself, a virus must be activated by being executed.
• A virus can attach to the setup program that we initiate on a computer. A more common means of virus activation is an attachment to an email message. The virus writer tries to convince the victim to open the attachment.
• Once the viral attachment is opened, the activated virus can do its work.
• Some modern email handlers automatically open attachments as soon as the receiver opens the body of the email.
• The virus can be executable code embedded in an executable attachment. It is safer to force users to open files on their own rather than automatically.
Appended Viruses:
• A virus attaches itself to a program. Whenever the program is run, the virus is activated. This kind of attachment is usually simple, easy and effective to program.
• A virus inserts a copy of itself into the executable program file before the first executable instruction. Then, all the virus instructions execute first; after the last virus instruction, control flows naturally to the first program instruction.
• The virus writer does not need to know anything about the program to which the virus will attach.
Viruses That Surround a Program:
• An alternative to the attachment is a virus that runs the original program but has control before and after its execution.
• A virus writer might want to prevent the virus from being detected. The virus writer might arrange for the virus to attach itself to the program that constructs the listing of files on the disk.

b) Explain IP spoofing and smurf attack.


(IP Spoofing 3M, Smurf attack 3M)

Spoofing means making data appear as if it comes from a different source.
The IP protocol is designed to have the originator's own IP address in the FROM portion of the packet.
The attacker takes advantage of a trusted relationship.
There is nothing that prevents a system from inserting a different address in the FROM portion of the packet; this is known as IP address spoofing.
There are many reasons for spoofing an IP address, such as a specific DoS attack.
In a smurf attack, the attacker sends a spoofed packet to the broadcast address of a network, which distributes the packet to all systems on that network.
In a smurf attack the request is sent to all the systems on the network, so all systems respond with an echo reply to the target system.
Q 5 a) What is biometrics? State its importance. List different
biometrics used in computer security.
(Biometric 2M, Biometric system 2M, Importance 2M, Biometric
Techniques/factors 2M)
Biometrics refers to the study of methods for uniquely recognizing humans based upon one or more intrinsic physical or behavioral characteristics.
Biometric identification is used on the basis of some unique physical attribute of the user that positively identifies the user.
Example: fingerprint recognition, retina and face scan technique, voice synthesis and recognition and so on.
Physiological characteristics are related to the shape of the body. For example fingerprint, face recognition, DNA, palm print, iris recognition and so on.
Behavioral characteristics are related to the behavior of a person. For example typing rhythm, gait, signature and voice.

A biometric system works in two phases
1. Enrollment / Registration
2. Test / Verification
The Enrollment/Registration phase consists of only four phases, which are required to capture and store unique patterns of a human being into the database. These stored patterns are used for authentication (Test).
For authentication (in the Testing phase) the claiming person gives his physical characteristics to the biometric system. The biometric system generates a template, and this newly generated template is compared with the templates stored in the database. If a match is found then the person is authentic.
Importance
Biometrics cannot be lost, stolen or forgotten. Barring disease or serious physical injury, the biometric is consistent and permanent.
It is also secure in that the biometric itself cannot be socially engineered, shared or used by others.
There is no requirement to remember passwords or PINs, thus eliminating an overhead cost.
Coupled with a smart card, biometrics provides strong security for any credentials on the smart card.
It provides a high degree of confidence in user identity.
The major biometric form factors today are:
1. Handprint
2. Fingerprint
3. Retina
4. Voice/speech
5. Handwriting/signature
6. Face Recognition
7. Keystroke
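Keystroke biometrics, built from the key pressed, press time and release time named in Q1 (A) b, run through the enrollment and verification phases described in this answer. This is an added example, not part of the model answer; the feature names (dwell, flight), the 5 ms deviation floor, the threshold of 2.0 and all timing data are assumptions constructed for illustration.

```python
from statistics import mean, pstdev

MIN_STD_MS = 5.0  # floor so a very consistent typist does not get an over-strict template


def keys_of(sample):
    return [key for key, _, _ in sample]


def features(sample):
    """sample: list of (key, press_ms, release_ms) in typing order."""
    dwell = [release - press for _, press, release in sample]          # key held down
    flight = [sample[i + 1][1] - sample[i][2]                          # gap to next key
              for i in range(len(sample) - 1)]
    return dwell + flight


def enroll(samples):
    """Enrollment: store the mean and spread of each feature as the template."""
    keys = keys_of(samples[0])
    if any(keys_of(s) != keys for s in samples):
        raise ValueError("all enrollment samples must be the same text")
    columns = list(zip(*(features(s) for s in samples)))
    return {"keys": keys,
            "mean": [mean(c) for c in columns],
            "std": [max(pstdev(c), MIN_STD_MS) for c in columns]}


def verify(template, sample, threshold=2.0):
    """Verification: average deviation from the template, in standard deviations."""
    if keys_of(sample) != template["keys"]:
        return False, float("inf")
    score = mean(abs(value - m) / s for value, m, s in
                 zip(features(sample), template["mean"], template["std"]))
    return score <= threshold, score


def typed(text, dwells, flights):
    """Build a constructed sample from per-key dwell times and between-key gaps (ms)."""
    sample, clock = [], 0
    for i, key in enumerate(text):
        sample.append((key, clock, clock + dwells[i]))
        clock += dwells[i] + (flights[i] if i < len(flights) else 0)
    return sample


# Constructed timing data: three enrollment attempts and two login attempts.
ENROLLMENT = [typed("pass", [95, 110, 100, 105], [60, 45, 70]),
              typed("pass", [100, 105, 95, 110], [55, 50, 65]),
              typed("pass", [90, 115, 105, 100], [65, 40, 75])]
GENUINE = typed("pass", [97, 108, 102, 103], [58, 47, 68])
IMPOSTOR = typed("pass", [150, 70, 160, 60], [120, 10, 140])

if __name__ == "__main__":
    template = enroll(ENROLLMENT)
    print("genuine :", verify(template, GENUINE))
    print("impostor:", verify(template, IMPOSTOR))
```

The impostor types the correct text, so a password check alone would accept the attempt; only the timing differs from the stored template.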
b) Explain Kerberos in detail.
(Kerberos 2M, Diagram 2M, 6 Correct steps 4M)
• Kerberos is an authentication service developed at MIT.
• Kerberos addresses the problem:
  – Servers need to be able to restrict access to authorized users and authenticate requests.
  – A workstation cannot be trusted to identify its users.
• Threats
  – A user may gain access to a particular workstation and pretend to be another user operating from that workstation
  – A user may alter the workstation's address
  – A user may eavesdrop on exchanges and use a replay attack
• Kerberos is a network authentication protocol.
• It is designed to provide strong authentication for client server appln using secret key cryptography.
• It provides a centralized authentication server whose function is to authenticate users to servers and servers to users.
• Kerberos introduces the concept of a Ticket Granting Server (TGS).
• A client has to receive a ticket to use a service.
• A ticket is a time-limited cryptographic message, which gives access to a server.
• Kerberos requires an Authentication Server (AS) to verify clients.
• The client authenticates itself to the AS, which forwards the username to the KDC.
• The KDC issues a TGT, which is time stamped, encrypted using the user's password and sent to the user's workstation.
[Figure: Kerberos exchange between the User Workstation, the Kerberos Key Distribution Center (Authentication Server (AS) and Ticket Granting Server (TGS)) and the Server, with messages KRB_AS_REQ, KRB_AS_REP, KRB_TGS_REQ and KRB_TGS_REP, numbered steps 1 to 6, and an exchange with the Server once per service session.]

1. The workstation sends a message to the authentication server requesting a ticket granting ticket (TGT).
2. The AS verifies the user's access rights and creates a TGT and session key. The AS encrypts the result using a key derived from the user's password and sends the encrypted result to the user's workstation. The user decrypts it using the password.
3. The workstation sends a request to the TG Server containing the client name, realm name (domain), and a timestamp. The user proves his identity by sending an authenticator encrypted with the session key.
4. The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server. The ticket contains the client name, and optionally the IP address, realm name and ticket timestamp. The TGS returns the ticket to the workstation.
5. The client application sends a service request to the server containing the ticket. The service authenticates the request by decrypting the session key. The server verifies that the ticket and authenticator match and then grants access to the service.
6. If mutual authentication is required, then the server will reply with a server authentication message.

c) Explain Authentication Header and Encapsulating Security Payload in transport and tunnel mode.
(Authentication Header 2M, AH in Tunnel and transport mode
2M, Encapsulating security Payload 2M, ESP in Tunnel and
Transport mode 2M)
Authentication Header (AH)
• The AH, when added to an IP datagram ensures
– The integrity of the data
– The authenticity of the data's origin
– Optional anti replay service
• Protects non changing elements in IP header
• AH protects the IP address, which enables data origin
authentication.
• IPSec AH contains a cryptographic checksum for the content of
packet.
• The AH is simply inserted between IP header & any subsequent
packet contents
• No changes are required to the data contents of the packet
• Security resides completely in the contents of the AH.
AH Transport Mode
• In transport mode, the AH is positioned between the original IP header & the original TCP header of the IP packet.
AH Tunnel Mode
• In tunnel mode, the entire original IP packet is authenticated and the AH is inserted between the original IP header & the new outer IP header.
• The inner IP header contains the ultimate source & destination addresses
• The outer IP header possibly contains different IP addresses
Before applying AH: IP Header | TCP Header | Original Data
After applying AH in transport mode: IP Header | AH | TCP Header | Original Data
After applying AH in tunnel mode: New IP Header | AH | Original IP Header | TCP Header | Original Data

Encapsulating Security Payload (ESP)

• Provides security for the higher level portion of the packet, not the IP header.
• Provides data confidentiality
• Defines a new header, inserted into the IP packet
• Transforms data into unreadable encrypted form.
• The ESP will be inside AH, i.e. encryption happens first & then authentication.
ESP Transport Mode
• Used to encrypt and optionally authenticate data carried by IP.
• ESP is inserted into the IP packet immediately before the transport layer header & the ESP trailer is inserted after the IP packet.
• If authentication is also used, the ESP authentication field is added after the ESP trailer.
• The entire transport layer segment & ESP trailer are encrypted.
Before applying ESP: IP Header | TCP Header | Original Data
After applying ESP in transport mode: IP Header | ESP Header | TCP Header | Original Data | ESP Trailer | ESP Auth
After applying ESP in tunnel mode: New IP Header | ESP Header | Original IP Header | TCP Header | Original Data | ESP Trailer | ESP Auth

Q 6 a) What problem will occur if unauthorized software installed.


(Four legal problems one mark each)
1. Installing unauthorized software from the internet may create backdoors
in your system or network which can be used to access a system by
avoiding the normal security mechanisms.
2. When we are installing various games from the internet, the
problem with such a download is that users don't know where
the software originally came from and what may be hidden inside it.
3. Accessing and downloading data from unofficial sites can create
virus problems in your system as well as in the entire network.
4. Unauthorized hardware devices and software products are not capable of
protecting your system/network due to a lack of security functionality.
b) Distinguish between symmetric encryption and asymmetric
encryption.
(Four differences one mark each)

c) What is firewall? What are its design principles?


(Firewall 2M, Design principles/goals 2M)
• Firewall is a dedicated appliance (H/w) or S/W.
• It stands between trusted & untrusted N/W, inspecting all traffic passing between them.
• A choke point of control and monitoring
• Imposes restrictions on network services
• Only authorized traffic is allowed
• Provides NAT & usage monitoring
• Implements VPNs using IPSec

Design principles and goals

• In an organization users need internet access.
• Internet access enables the outside world to connect & interact with local n/w assets. This creates a threat to the organization.
• A firewall is inserted between the n/w location & the internet to establish a controlled link.
• The aim of this boundary is to protect the location of n/w from internet based attacks.
• All traffic must pass through the firewall, either from inside to outside or vice versa.
• This is achieved by physically blocking all access to the local network except via the firewall.
• Only authorized traffic that is defined by the local security policy will be allowed to pass.
• The firewall itself is immune to penetration.

d) What is data recovery?


(Data recovery 2M, Logical Failure 1M, Physical Failure 1M)
• Data recovery is the process of retrieving lost data.
Data can be lost for reasons such as:
• Accidental deletion of a file or a partition
• Disk malfunction or failure
• Accidentally formatting the storage device
• Problems with the system
• Physical damage
Logical Failure
• In this case data is highly recoverable by using recovery s/w
• This applies when the file has been accidentally deleted, formatted, or corrupted.
• It is important to recover the file before performing any new actions like installation of new things.
• If you delete a file and store some new files in the same location there is minimum chance of recovery.
• If the file is not overwritten it can be easily retrieved.
Physical Failure
• In this case part of the data may be retrievable.
• For this the storage device has to be rebuilt.
• If the physical damage is of an extreme nature then the data may be irrecoverable.
• If the spindle or head on a disk drive fails it can easily be restored to function again.

e) Explain SSL handshake protocol


(Diagram 2M, Description 2M)
Allows server & client to:
• Authenticate each other
• Negotiate encryption & MAC algorithms
• Negotiate cryptographic keys to be used
Consists of a series of messages in phases:
• Establish Security Capabilities
• Server Authentication and Key Exchange
• Client Authentication and Key Exchange
• Finish
