DNS LONG PP Question

Samia farnaz

BSIT 5

DNS LONG Question


Past Papers
(2017)

Q.NO.3. How can IPsec be used in different ways in the network layer?
IP security (IPSec)
The IP security (IPSec) is an Internet Engineering Task
Force (IETF) standard suite of protocols between 2
communication points across the IP network that provide
data authentication, integrity, and confidentiality. It also
defines the encrypted, decrypted and authenticated packets.
The protocols needed for secure key exchange and key
management are defined in it.
Uses of IP Security –
IPsec can be used to do the following things:
 To encrypt application layer data.
 To provide security for routers sending routing data across
the public internet.
 To provide authentication without encryption, for example to
authenticate that the data originates from a known sender.
 To protect network data by setting up circuits using IPsec
tunneling, in which all data sent between the two
endpoints is encrypted, as with a Virtual Private
Network (VPN) connection.
Components of IP Security –
It has the following components:
1. Encapsulating Security Payload (ESP) –
It provides data integrity, encryption, authentication
and anti-replay. It also provides authentication for
the payload.
2. Authentication Header (AH) –
It also provides data integrity, authentication and
anti-replay, but it does not provide encryption. The
anti-replay protection protects against unauthorized
transmission of packets. It does not protect the data’s
confidentiality.
3. Internet Key Exchange (IKE) –
It is a network security protocol designed to
dynamically exchange encryption keys and establish a
Security Association (SA) between 2 devices. The
Security Association (SA) establishes shared security
attributes between 2 network entities to support
secure communication. The Internet Security
Association and Key Management Protocol (ISAKMP)
provides a framework for authentication and key
exchange. ISAKMP defines how Security Associations
(SAs) are set up and how direct connections are made
between two hosts that are using IPsec.
Internet Key Exchange (IKE) provides message
content protection and also an open framework for
implementing standard algorithms such as SHA and
MD5. The algorithms that IPsec uses produce a unique
identifier for each packet. This identifier then allows a
device to determine whether a packet is correct or
not. Packets which are not authorized are
discarded and not given to the receiver.
Working of IP Security –
1. The host checks if the packet should be transmitted
using IPsec or not. This packet traffic triggers the
security policy for itself. This is done when the
system sending the packet applies the appropriate
encryption. The incoming packets are also checked by
the host to confirm that they are encrypted properly.
2. Then IKE Phase 1 starts, in which the 2
hosts (using IPsec) authenticate themselves to each
other to start a secure channel. It has 2 modes:
the Main mode, which provides greater security,
and the Aggressive mode, which enables the host to
establish an IPsec circuit more quickly.
3. The channel created in the last step is then used to
securely negotiate the way the IP circuit will encrypt
data across the IP circuit.
4. Now, IKE Phase 2 is conducted over the secure
channel, in which the two hosts negotiate the type of
cryptographic algorithms to use on the session and
agree on the secret keying material to be used with
those algorithms.
5. Then the data is exchanged across the newly created
IPsec encrypted tunnel. These packets are encrypted
and decrypted by the hosts using IPsec SAs.
6. When the communication between the hosts is
completed or the session times out, the IPsec
tunnel is terminated by both hosts discarding the
keys.
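
The per-packet identifier check and the anti-replay protection described above, as an added example (not part of the original notes): a receiver verifies an HMAC-SHA-256 integrity value and then applies a sliding anti-replay window, discarding anything that fails. The packet layout is a simplified ESP-style one (SPI, sequence number, payload, integrity value) without encryption; the names `protect` and `InboundSA`, the 64-packet window and the sample key are assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 64    # anti-replay window size in packets (assumed value)
ICV_LEN = 32   # full HMAC-SHA-256 output used as the integrity check value


def protect(spi: int, seq: int, payload: bytes, auth_key: bytes) -> bytes:
    """Sender side: header (SPI, sequence number) + payload + ICV."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha256).digest()


class InboundSA:
    """Receiver-side state for one Security Association."""

    def __init__(self, spi: int, auth_key: bytes):
        self.spi = spi
        self.auth_key = auth_key
        self.highest = 0   # highest sequence number that passed the ICV check
        self.seen = 0      # bit i set => sequence number (highest - i) accepted

    def _is_replay(self, seq: int) -> bool:
        if seq == 0:
            return True                 # the first packet on an SA carries 1
        if seq > self.highest:
            return False                # newer than anything seen so far
        offset = self.highest - seq
        if offset >= WINDOW:
            return True                 # too old to be tracked
        return bool((self.seen >> offset) & 1)

    def _mark(self, seq: int) -> None:
        if seq > self.highest:
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
        else:
            self.seen |= 1 << (self.highest - seq)

    def receive(self, packet: bytes):
        """Return (verdict, payload); payload is None unless accepted."""
        if len(packet) < 8 + ICV_LEN:
            return "malformed", None
        spi, seq = struct.unpack("!II", packet[:8])
        if spi != self.spi:
            return "unknown-sa", None
        if self._is_replay(seq):
            return "replay", None
        body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
        expected = hmac.new(self.auth_key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(icv, expected):
            return "bad-icv", None
        # The window moves only after the ICV is verified, so a forged
        # packet cannot push legitimate sequence numbers out of the window.
        self._mark(seq)
        return "accept", body[8:]


def demo():
    key = b"constructed-demo-auth-key"   # constructed sample key
    sa = InboundSA(spi=0x1001, auth_key=key)
    genuine = protect(0x1001, 1, b"routing update", key)
    forged = protect(0x1001, 2, b"routing update", b"wrong key")
    return [sa.receive(genuine)[0], sa.receive(genuine)[0],
            sa.receive(forged)[0]]


if __name__ == "__main__":
    print(demo())
```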
Q.No.4.(a) How is PGP used to secure email?
PGP
o PGP stands for Pretty Good Privacy, which was invented by Phil
Zimmermann.

o PGP was designed to provide all four aspects of security, i.e., privacy,
integrity, authentication, and non-repudiation in the sending of email.

o PGP uses a digital signature (a combination of hashing and public key
encryption) to provide integrity, authentication, and non-repudiation. PGP
uses a combination of secret key encryption and public key encryption to
provide privacy. Therefore, we can say that the digital signature uses one
hash function, one secret key, and two private-public key pairs.

o PGP is an open source and freely available software package for email
security.

o PGP provides authentication through the use of a digital signature.

o It provides confidentiality through the use of symmetric block encryption.

o It provides compression by using the ZIP algorithm, and email
compatibility using the radix-64 encoding scheme.

Following are the steps taken by PGP to create secure e-mail at the sender site:
o The e-mail message is hashed by using a hashing function to create a
digest.

o The digest is then encrypted to form a signed digest by using the sender's
private key, and then the signed digest is added to the original email
message.

o The original message and signed digest are encrypted by using a one-time
secret key created by the sender.

o The secret key is encrypted by using the receiver's public key.

o Both the encrypted secret key and the encrypted combination of message
and digest are sent together.

PGP at the Sender site (A)

Following are the steps taken to show how PGP uses hashing and a combination of
three keys to generate the original message:
o The receiver receives the combination of encrypted secret key and
message digest.

o The encrypted secret key is decrypted by using the receiver's private key
to get the one-time secret key.

o The secret key is then used to decrypt the combination of message and
digest.

o The digest is decrypted by using the sender's public key, and the original
message is hashed by using a hash function to create a digest.

o Both the digests are compared; if both of them are equal, it means that all
the aspects of security are preserved.

PGP at the Receiver site (B)
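
The sender-site and receiver-site steps above, carried through end to end as an added example (not part of the original notes and not PGP's own code). Textbook RSA on fixed Mersenne primes and a SHA-256 keystream stand in for the real public-key and secret-key ciphers so that the block runs with the standard library only; all function names and the demo keys are assumptions.

```python
import base64
import hashlib
import secrets
import zlib


def make_keypair(p: int, q: int, e: int = 65537):
    """Textbook RSA key pair from two primes: returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


# Constructed demo keys built from known Mersenne primes (stand-ins only).
SENDER_PUB, SENDER_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
RECEIVER_PUB, RECEIVER_PRIV = make_keypair(2**89 - 1, 2**127 - 1)


def byte_len(n: int) -> int:
    return (n.bit_length() + 7) // 8


def secret_key_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in secret-key cipher: XOR with a SHA-256 counter keystream.
    Applying it twice with the same key restores the input."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], pad))
    return bytes(out)


def pgp_send(message: bytes, sender_priv, receiver_pub) -> dict:
    # Step 1: hash the message to create a digest.
    digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    # Step 2: encrypt the digest with the sender's private key (signed digest)
    # and attach it to the message.
    n, d = sender_priv
    signed = pow(digest, d, n).to_bytes(byte_len(n), "big")
    bundle = zlib.compress(len(signed).to_bytes(2, "big") + signed + message)
    # Step 3: encrypt message + signed digest with a one-time secret key.
    one_time_key = secrets.token_bytes(16)
    body = secret_key_cipher(one_time_key, bundle)
    # Step 4: encrypt the one-time key with the receiver's public key.
    r_n, r_e = receiver_pub
    wrapped = pow(int.from_bytes(one_time_key, "big"), r_e, r_n)
    # Step 5: send both parts together, radix-64 encoded for e-mail.
    return {
        "key": base64.b64encode(wrapped.to_bytes(byte_len(r_n), "big")),
        "body": base64.b64encode(body),
    }


def pgp_receive(packet: dict, receiver_priv, sender_pub):
    """Return (message, signature_ok)."""
    # Recover the one-time key with the receiver's private key.
    r_n, r_d = receiver_priv
    wrapped = int.from_bytes(base64.b64decode(packet["key"]), "big")
    one_time_key = pow(wrapped, r_d, r_n).to_bytes(16, "big")
    # Decrypt the combination of message and signed digest.
    bundle = zlib.decompress(
        secret_key_cipher(one_time_key, base64.b64decode(packet["body"])))
    sig_len = int.from_bytes(bundle[:2], "big")
    signed = int.from_bytes(bundle[2:2 + sig_len], "big")
    message = bundle[2 + sig_len:]
    # Decrypt the digest with the sender's public key and compare it with
    # a digest computed over the received message.
    n, e = sender_pub
    received_digest = pow(signed, e, n)
    computed_digest = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return message, received_digest == computed_digest


if __name__ == "__main__":
    pkt = pgp_send(b"constructed sample message", SENDER_PRIV, RECEIVER_PUB)
    print(pgp_receive(pkt, RECEIVER_PRIV, SENDER_PUB))
```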

Disadvantages of PGP Encryption

o The administration is difficult: The different versions of PGP
complicate the administration.

o Compatibility issues: Both the sender and the receiver must have
compatible versions of PGP. For example, if you encrypt an email by using
PGP with one of the encryption techniques and the receiver has a different
version of PGP, the receiver cannot read the data.

o Complexity: PGP is a complex technique. Other security schemes use
symmetric encryption that uses one key or asymmetric encryption that
uses two different keys. PGP uses a hybrid approach that implements
symmetric encryption with two keys. PGP is more complex, and it is less
familiar than the traditional symmetric or asymmetric methods.

o No recovery: Computer administrators face the problem of losing their
passwords. In such situations, an administrator should use a special
program to retrieve passwords. For example, a technician who has physical
access to a PC can use it to retrieve a password. However, PGP
does not offer such a special program for recovery; its encryption methods
are very strong, so forgotten passwords cannot be retrieved, which results in
lost messages or lost files.

Q.NO.4.(b) Describe challenge-response using an asymmetric key cipher.
Challenge-response authentication

In computer security, challenge-response authentication is a set of protocols used to protect digital
assets and services from unauthorized users, programs or activities. While challenge-response
authentication can be as simple as a password, it can also be as dynamic as a randomly
generated request. From login verification to machine learning (ML), challenge-response
authentication is an easy-to-implement cybersecurity tool to secure sensitive information,
identify suspicious behavior or block certain programs.

What is challenge-response authentication?

In its simplest form, challenge-response authentication is composed of two basic
components: a question and a response. The goal of the question, or challenge, is to
require a response that only authorized users will know. Users that successfully answer
the question are allowed access to whatever digital materials the challenge-response
authentication mechanism (CRAM) is safeguarding. Though this is a simple premise, the
tools, knowledge and information required to pass these challenges can become quite
complex.
The goal of challenge-response authentication is to limit the access, control and use of
digital resources to only authorized users and activities. After all, users aren't the only
ones sending requests. If a mobile application or a malicious software (malware)
program requests access to a set of photos, it can be denied by integrating challenge-
response authentication. Because challenges aren't just limited to questions and
answers, they can involve more complicated tasks and code decryption.

Types of challenge-response questions

There are two main types of challenge-response questions: static and dynamic. Each
varies in terms of complexity and response variability.

Static challenges are requests that can be satisfied using the same answer or process
every time. A static challenge includes the password recovery questions one needs to
answer to verify identity. A common example is the password for the lock screen on a
smartphone.

Dynamic challenges require a different answer with each attempt. Often, the
challenges themselves randomly change, and the user is expected to respond. Some
financial institutions provide their account holders with a small security token, a device
that can either receive codes or input them. Devices like these also provide a physical
element to the authentication process, which makes it even harder for cybercriminals to
exploit.

Challenge-response authentication wasn't always exclusive to digital use. In the early
20th century, U.S. military officials used DRYAD, a simple, paper cryptographic system,
to authenticate the identities of radio users. The purpose of this challenge-response
authentication system was to ensure the person on either end of the radio was not an
imposter. Through the DRYAD numeral cipher, two individuals could verify their
identities by reading out the corresponding number for a combination of letters. This
example illustrates that challenges don't have to be in the form of a question; they can
be numerical or digital permutations that require a designated response.

One of the most common examples of a challenge-response protocol is password
authentication. The challenge, in this case, is providing the word, phrase or code that
unlocks the device, network or program. Here, challenge-response authentication is the
only thing preventing a criminal from accessing the sensitive files, credentials and
information stored in a computer system. Without challenge-response authentication, it
would be impossible to perform activities like online banking with a high degree of
security confidence.
How challenge-response is used

Challenge-response is a barrier used to protect assets from unauthorized users,
activities, programs and internet of things (IoT) devices. It forces cyber attackers to
satisfy a potential series of challenges in order to bypass the security barrier and access
further materials. A commercial bank, for instance, uses challenge-response
authentication to create a multifactor authentication (MFA) process. This process
authenticates the identity of a user by utilizing multiple CRAMs.

An example of a two-factor authentication (2FA) process involves providing a password
and a code sent to a specified email address. An MFA variant may also require the
answer to a personal question, like "What is your mother's maiden name?" Account
logins aren't the only instance of challenge-response authentication, though.

Different uses of challenge-response authentication

In addition to login authentication, there are two main areas in which challenge-response
can be utilized, particularly when it comes to cybersecurity.

Human verification

Sometimes, when users log in to a website, they are asked to complete a series of
challenges to prove that they are not a robot (bot). Challenges like this are designed to
block programs, not users, from accessing certain webpages or activities. For instance,
many electronic commerce (e-commerce) platforms use human verification in order to
prevent bots from automatically buying up massive amounts of supplies. Not only can
these bots limit the experience of regular users, but they may also be using fraudulent or
stolen information to complete purchases. Challenge-response authentication is a way to
avoid this outcome and ensure the safety and security of specific web services. A
common challenge used to verify human activity includes selecting images that contain a
specific item or object, such as a fire hydrant, for example. CAPTCHA (Completely
Automated Public Turing test to tell Computers and Humans Apart) is an example of this
type of tool being put to use.

Machine learning training

One of the greatest advantages of machine learning is its ability to complete many tasks
at the same time. In cybersecurity, ML or artificial intelligence (AI) software combs
systems for suspicious or dangerous behavior. Challenge-response authentication tests
and trains machine learning models to help them solve complex problems. Some ML
programs are given human verification puzzles and their answers are matched and
compared to those of humans. Over time, the ML program learns from the human
examples to inform its future decision-making.

Examples of challenge-response authentication systems

In addition to its applications for verifying users and passwords, challenge-response
authentication systems can be classified by the cryptographic algorithms and techniques
they use for securing the authentication process.

Challenge-response commonly incorporates the following authentication technologies:

 Secure Shell (SSH) protocol includes a challenge-response mechanism that
uses separate public key infrastructure (PKI) to authenticate communication
sessions between servers. Each server authenticates itself by sending the
other a value signed with the other's public key.
 Zero-knowledge password proof systems use cryptographic methods to
confirm to each party that they have a correct password but without the need
to share that password with each other.
 Challenge-Handshake Authentication Protocol (CHAP) uses a three-way
handshake among an authenticating system, challenge message and local
system. If the hash values generated from this handshake match, then the
authenticating system can permit the connection. If they do not, it will
terminate the session.
 OATH Challenge-Response Algorithm (OCRA) uses a challenge-response
algorithm developed by the Initiative for Open Authentication for a
cryptographically strong challenge-response authentication.
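
The CHAP three-way handshake from the list above, as an added example (not part of the original notes): the authenticator sends a fresh random challenge, the peer answers with the hash that RFC 1994 defines, MD5(identifier || secret || challenge), and the authenticator compares hash values. The class name `Authenticator`, the peer name and the shared secret are assumptions; the example also shows why a dynamic challenge defeats a replayed response.

```python
import hashlib
import hmac
import secrets


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Step 2 (peer): RFC 1994 response value for the received challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Authenticating system that knows each peer's shared secret."""

    def __init__(self, secrets_by_name: dict):
        self.secrets_by_name = secrets_by_name
        self.pending = {}    # peer name -> (identifier, challenge) outstanding
        self.next_id = 0

    def challenge(self, name: str):
        """Step 1: issue a new random challenge with a new identifier."""
        self.next_id = (self.next_id + 1) % 256
        value = secrets.token_bytes(16)
        self.pending[name] = (self.next_id, value)
        return self.next_id, value

    def verify(self, name: str, identifier: int, response: bytes) -> bool:
        """Step 3: permit the connection only if the hash values match.
        The outstanding challenge is consumed whether or not it matches."""
        issued = self.pending.pop(name, None)
        secret = self.secrets_by_name.get(name)
        if issued is None or secret is None or issued[0] != identifier:
            return False
        expected = chap_response(identifier, secret, issued[1])
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed shared secret"          # constructed sample value
    auth = Authenticator({"branch-router": secret})

    ident, chal = auth.challenge("branch-router")
    good = chap_response(ident, secret, chal)
    first = auth.verify("branch-router", ident, good)

    # The same response presented against the next challenge fails,
    # because the challenge (and identifier) changed.
    ident2, _ = auth.challenge("branch-router")
    replayed = auth.verify("branch-router", ident2, good)
    return first, replayed


if __name__ == "__main__":
    print(demo())
```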
Q.NO.5. How is router security ensured?

There are some things you can do to improve router security. We'll go through some of
them now.

1. Change your router username and password
Every provider's router comes with a predetermined username and password - they're
typically printed on a label somewhere on the device. Many people stick with this
default login, but the standard username and passwords are fairly well-known. To
combat this, change them.

The label on your router will tell you how to access your router settings - typically you
have to type an address into a web browser. The exact address will vary depending on
your router, but it'll look something like: 192.168.0.1 (read our guide on the subject for
more information).

From there, you'll be able to change username and password. Just make sure that it's
secure and uses a combination of lower and upper case, symbols and numbers - don't
use 'password' as a password, for example.

2. Change the network name
By default, your Wi-Fi network will probably have a provider-related SSID - the name
that shows up when scanning for connections on a device. For example, if you
have Virgin Media, it may look something like 'VM683632'. Alternatively, it may start
with the name of your router manufacturer - such as Belkin or Netgear.

One drawback of this is that it tells any would-be attackers the likely type of router
you're using, and what type of exploits they can use to get access. Change the name to
avoid that problem but just don't use any personal information that can identify you.

For example, I might go with "Awesome-Funky-Cool-WiFi" as a name, but would avoid
"Hunky-Duncs-Funky-WiFi". Though I wouldn't use either, as those names are dumb.

3. Change the network password
You'll also have a pre-defined password - usually a random string of letters and
numbers - to get devices online. Like your router setting login, these can typically be
found somewhere on the router. These are usually fairly secure, but it's good practice
to change the details every so often to maximise security.

You can do this by accessing your router settings (see point one).
4. Deactivate WPS
Wi-Fi Protected Setup (WPS) is only available on some routers. It makes it much easier
to connect wireless devices to the network - simply push the button marked WPS on
the router and you can connect without entering a password.

Some experts have complained that WPS isn't fully secure - particularly if the nefarious
types have physical access to your equipment. That's unlikely, of course, but the risk
can be fully removed by simply deactivating it in your router settings.

5. Don't broadcast your SSID
By default, most Wi-Fi networks broadcast their names, so you can simply scan for
accessible connections on whatever device you're using. One way you can increase
security is to stop it doing that (in router settings again). This is obviously more
secure, as people won't be able to detect your network, but it does mean your devices
won't detect it either. As a result, you'll have to manually type in the network name
when you want to connect a new device.

6. Make sure your router firewall is enabled
Many routers have a firewall that can be turned on or off. This essentially acts as a
filter for data, letting safe bits through, but blocking unauthorised access. Make sure
yours is enabled (router settings again), because while it's not infallible, it is safer on
than off. In addition, many internet security tools, such as Kaspersky or Norton, include
firewalls of their own, for an extra layer of protection.

7. Update your router's firmware
As with your computer or phone, routers receive updates to improve features, fix
problems or increase security. Naturally, it's best to ensure your device is kept fully up
to date. Some routers will update automatically, but it's worth going into your router
settings regularly to check if there's an update available.
8. Use WPA2
If you are using an older router, you may be using wired equivalent privacy (WEP). This
is a security standard that is, unfortunately, susceptible to hacking and should be
avoided. Instead, if you have the option, make sure your router is using WPA2 - this is
a much more secure security standard. Check the router settings to make sure you're
using this option, and if you don't have WPA2 available, consider upgrading your
router.

9. Filter MAC Addresses
Every single device you use to connect to your Wi-Fi has a media access control
(MAC) address - essentially an ID for that device. If you go into your router settings,
you can set your connection to only accept access from devices with approved MAC
addresses.

Go into the access control settings (this may vary from router to router, but a Google
search should help you find it on yours if necessary), and you should see a list of
connected devices, with MAC addresses. You can use this to confirm or deny access
as needed.

Alternatively, all devices will list their MAC address in their settings somewhere. For
example, on an iPhone, it can be found under Settings > General > About > Wi-Fi
settings, and on Android it's in Settings > About > Wi-Fi MAC address. The exact path
will vary depending on your Android model, however.

Finally…
Those are just some of the simple things you can do to improve security on your router.
Hopefully it proved useful.

Q.NO.6. Diffie-Hellman algorithm with example?

Q.NO.7. Write down the steps to ensure wireless security.


 Change default passwords. Most network devices, including wireless access
points, are pre-configured with default administrator passwords to simplify setup. These
default passwords are easily obtained online, and so provide only marginal
protection. Changing default passwords makes it harder for attackers to access a device.
Use and periodic changing of complex passwords is your first line of defense in protecting
your device. (See Choosing and Protecting Passwords.)
 Restrict access. Only allow authorized users to access your network. Each piece of
hardware connected to a network has a media access control (MAC) address. You can
restrict access to your network by filtering these MAC addresses. Consult your user
documentation for specific information about enabling these features. You can also utilize
the “guest” account, which is a widely used feature on many wireless routers. This feature
allows you to grant wireless access to guests on a separate wireless channel with a
separate password, while maintaining the privacy of your primary credentials.
 Encrypt the data on your network. Encrypting your wireless data prevents
anyone who might be able to access your network from viewing it. There are several
encryption protocols available to provide this protection. Wi-Fi Protected Access (WPA),
WPA2, and WPA3 encrypt information being transmitted between wireless routers and
wireless devices. WPA3 is currently the strongest encryption. WPA and WPA2 are still
available; however, it is advisable to use equipment that specifically supports WPA3, as
using the other protocols could leave your network open to exploitation.
 Protect your Service Set Identifier (SSID). To prevent outsiders from
easily accessing your network, avoid publicizing your SSID. All Wi-Fi routers allow users to
protect their device’s SSID, which makes it more difficult for attackers to find a network. At
the very least, change your SSID to something unique. Leaving it as the manufacturer’s
default could allow a potential attacker to identify the type of router and possibly exploit
any known vulnerabilities.
 Install a firewall. Consider installing a firewall directly on your wireless devices (a
host-based firewall), as well as on your home network (a router- or modem-based
firewall). Attackers who can directly tap into your wireless network may be able to
circumvent your network firewall—a host-based firewall will add a layer of protection to
the data on your computer (see Understanding Firewalls for Home and Small Office Use).
 Maintain antivirus software. Install antivirus software and keep your virus
definitions up to date. Many antivirus programs also have additional features that detect
or protect against spyware and adware (see Protecting Against Malicious Code and What is
Cybersecurity?).
 Use file sharing with caution. File sharing between devices should be
disabled when not needed. You should always choose to only allow file sharing over home
or work networks, never on public networks. You may want to consider creating a
dedicated directory for file sharing and restrict access to all other directories. In addition,
you should password protect anything you share. Never open an entire hard drive for file
sharing (see Choosing and Protecting Passwords).
 Keep your access point software patched and up to date. The
manufacturer of your wireless access point will periodically release updates to and
patches for a device’s software and firmware. Be sure to check the manufacturer’s website
regularly for any updates or patches for your device.
 Check your internet provider’s or router manufacturer’s
wireless security options. Your internet service provider and router
manufacturer may provide information or resources to assist in securing your wireless
network. Check the customer support area of their websites for specific suggestions or
instructions.
 Connect using a Virtual Private Network (VPN). Many companies and
organizations have a VPN. VPNs allow employees to connect securely to their network
when away from the office. VPNs encrypt connections at the sending and receiving ends
and keep out traffic that is not properly encrypted. If a VPN is available to you, make sure
you log onto it any time you need to use a public wireless access point.

(~~~~~~)

(2018)

Q.NO.2. How does AES ensure security?

Q.NO.3. Explain encryption and decryption with Playfair in detail.

The Playfair cipher was the first practical digraph substitution cipher.
The scheme was invented in 1854 by Charles Wheatstone but was
named after Lord Playfair who promoted the use of the cipher. In the
Playfair cipher, unlike a traditional cipher, we encrypt a pair of
alphabets (digraphs) instead of a single alphabet.
It was used for tactical purposes by British forces in the Second Boer
War and in World War I and for the same purpose by the Australians
during World War II. This was because Playfair is reasonably fast to
use and requires no special equipment.

Encryption Technique
For the encryption process let us consider the following example:
The Playfair Cipher Encryption Algorithm:
The Algorithm consists of 2 steps:

 Generate the key Square(5×5):
o The key square is a 5×5 grid of alphabets that acts as the
key for encrypting the plaintext. Each of the 25 alphabets
must be unique and one letter of the alphabet (usually J)
is omitted from the table (as the table can hold only 25
alphabets). If the plaintext contains J, then it is replaced
by I.
o The initial alphabets in the key square are the unique
alphabets of the key in the order in which they appear
followed by the remaining letters of the alphabet in order.
 Algorithm to encrypt the plain text: The plaintext is split into
pairs of two letters (digraphs). If there is an odd number of
letters, a Z is added to the last letter.
For example:

PlainText: "instruments"
After Split: 'in' 'st' 'ru' 'me' 'nt' 'sz'

1. A pair cannot be made with the same letter. Split the pair
and add a bogus letter after the first letter.
Plain Text: “hello”
After Split: ‘he’ ‘lx’ ‘lo’
Here ‘x’ is the bogus letter.
2. If a letter is left standing alone in the process of pairing, then add an
extra bogus letter to the lone letter.
Plain Text: “helloe”
After Split: ‘he’ ‘lx’ ‘lo’ ‘ez’
Here ‘z’ is the bogus letter.
Rules for Encryption:

 If both the letters are in the same column: Take the letter below
each one (going back to the top if at the bottom).
For example:

Digraph: "me"
Encrypted Text: cl
Encryption:
m -> c
e -> l

 If both the letters are in the same row: Take the letter to the right of
each one (going back to the leftmost if at the rightmost position).
For example:

Digraph: "st"
Encrypted Text: tl
Encryption:
s -> t
t -> l

 If neither of the above rules is true: Form a rectangle with the two
letters and take the letters on the horizontal opposite corner of the
rectangle.
For example:

Digraph: "nt"
Encrypted Text: rq
Encryption:
n -> r
t -> q


For example:

Plain Text: "instrumentsz"
Encrypted Text: gatlmzclrqtx
Encryption:
i -> g
n -> a
s -> t
t -> l
r -> m
u -> z
m -> c
e -> l
n -> r
t -> q
s -> t
z -> x
ting the Playfair cipher is as simple as doing the same process in
reverse. The receiver has the same key and can create the same
key table, and then decrypt any messages made using that key.
The Playfair Cipher Decryption Algorithm:
The Algorithm consistes of 2 steps:

 Generate the key Square(5×5) at the receiver’s end:


o The key square is a 5×5 grid of alphabets that acts as the
key for encrypting the plaintext. Each of the 25 alphabets
must be unique and one letter of the alphabet (usually J)
is omitted from the table (as the table can hold only 25
alphabets). If the plaintext contains J, then it is replaced
by I.

o The initial alphabets in the key square are the unique


alphabets of the key in the order in which they appear
followed by the remaining letters of the alphabet in order.

 Algorithm to decrypt the ciphertext: The ciphertext is split


into pairs of two letters (digraphs).

Note: The ciphertext always have even number of characters.


 For example:

CipherText: "gatlmzclrqtx"
After Split: 'ga' 'tl' 'mz' 'cl' 'rq' 'tx'

 Rules for Decryption:


o If both the letters are in the same column: Take the letter
above each one (going back to the bottom if at the top).
For example:

Diagraph: "cl"
Decrypted Text: me
Decryption:
c -> m
l -> e


 If both the letters are in the same row: Take the letter to the left of
each one (going back to the rightmost if at the leftmost position).
For example:

Digraph: "tl"
Decrypted Text: st
Decryption:
t -> s
l -> t

 If neither of the above rules is true: Form a rectangle with the two
letters and take the letters on the horizontal opposite corner of the
rectangle.
For example:

Digraph: "rq"
Decrypted Text: nt
Decryption:
r -> n
q -> t


For example:

Cipher Text: "gatlmzclrqtx"

Decrypted Text: instrumentsz

Decryption:
ga -> in
tl -> st
mz -> ru
cl -> me
rq -> nt
tx -> sz
Advantages and Disadvantages
 Advantages:
o It is significantly harder to break than a simple substitution
cipher: the frequency analysis used against simple substitution
ciphers can still be applied, but it must work on (25*25) = 625
digraphs rather than 25 monographs, which is difficult.

o Frequency analysis thus requires more cipher text to crack
the encryption.

 Disadvantages:
o An interesting weakness is the fact that a digraph in the
ciphertext (AB) and its reverse (BA) will have
corresponding plaintexts like UR and RU (and also
ciphertext UR and RU will correspond to plaintext AB and
BA, i.e. the substitution is self-inverse). That can easily be
exploited with the aid of frequency analysis, if the
language of the plaintext is known.

o Another disadvantage is that the Playfair cipher is a symmetric
cipher, thus the same key is used for both encryption and
decryption.
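
The encryption and decryption rules above, together with the reversed-digraph weakness, as an added Python example that is not part of the original notes. The key "monarchy" is an assumption (it reproduces every digraph example shown here), as are the filler letter "x" for doubled letters and all function names.

```python
import string

def build_square(key: str) -> str:
    """Return the 5x5 key square as one 25-letter string (J is merged into I)."""
    seen = []
    for ch in (key + string.ascii_lowercase).lower():
        if ch not in string.ascii_lowercase:
            continue
        ch = "i" if ch == "j" else ch
        if ch not in seen:
            seen.append(ch)
    return "".join(seen)

def prepare(plaintext: str, filler: str = "x", pad: str = "z") -> str:
    """Split plaintext into digraphs: break doubled letters, pad an odd tail."""
    letters = ["i" if c == "j" else c
               for c in plaintext.lower() if c in string.ascii_lowercase]
    out, i = [], 0
    while i < len(letters):
        a = letters[i]
        b = letters[i + 1] if i + 1 < len(letters) else None
        if b is None:                       # odd length: pad the last letter
            out += [a, pad if a != pad else filler]
            i += 1
        elif a == b:                        # doubled letter: insert a filler
            out += [a, filler if a != filler else "q"]
            i += 1
        else:
            out += [a, b]
            i += 2
    return "".join(out)

def _transform(text: str, square: str, step: int) -> str:
    """Apply the three Playfair rules; step=+1 encrypts, step=-1 decrypts."""
    out = []
    for i in range(0, len(text), 2):
        ra, ca = divmod(square.index(text[i]), 5)
        rb, cb = divmod(square.index(text[i + 1]), 5)
        if ca == cb:                        # same column: move down / up
            out.append(square[((ra + step) % 5) * 5 + ca])
            out.append(square[((rb + step) % 5) * 5 + cb])
        elif ra == rb:                      # same row: move right / left
            out.append(square[ra * 5 + (ca + step) % 5])
            out.append(square[rb * 5 + (cb + step) % 5])
        else:                               # rectangle: swap the columns
            out.append(square[ra * 5 + cb])
            out.append(square[rb * 5 + ca])
    return "".join(out)

def encrypt(plaintext: str, key: str) -> str:
    return _transform(prepare(plaintext), build_square(key), +1)

def decrypt(ciphertext: str, key: str) -> str:
    return _transform(ciphertext.lower(), build_square(key), -1)

def reversal_property_holds(key: str) -> bool:
    """Check the weakness: if AB encrypts to XY, then BA encrypts to YX."""
    square = build_square(key)
    for a in square:
        for b in square:
            if a == b:
                continue
            x, y = _transform(a + b, square, +1)
            if _transform(b + a, square, +1) != y + x:
                return False
    return True

if __name__ == "__main__":
    print(encrypt("instruments", "monarchy"))
    print(decrypt("gatlmzclrqtx", "monarchy"))
    print(reversal_property_holds("monarchy"))
```
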

Q.NO.4. Diffie-Hellman algorithm?


Q.NO.5. How does a certificate authority solve the problem of management of
public keys?

Key Management
In cryptography, it is a very tedious task to distribute the public and
private keys between sender and receiver. If the key is known to the
third party (forger/eavesdropper) then the whole security mechanism
becomes worthless. So, there comes the need to secure the
exchange of keys.
There are two aspects for Key Management:
 Distribution of public keys.
 Use of public-key encryption to distribute secrets.
Distribution of Public Key:
The public key can be distributed in four ways:
 Public announcement
 Publicly available directory
 Public-key authority
 Public-key certificates.
These are explained below:
1. Public Announcement: Here the public key is broadcast to
everyone. The major weakness of this method is forgery. Anyone
can create a key claiming to be someone else and broadcast it. Until
the forgery is discovered, the forger can masquerade as the claimed user.

2. Publicly Available Directory: In this type, the public key is stored in
a public directory. Directories are trusted here, with properties like
participant registration, access and permission to modify values at any
time, and they contain entries like {name, public-key}. Directories can be
accessed electronically but are still vulnerable to forgery or tampering.
3. Public Key Authority: It is similar to the directory but, improves
security by tightening control over the distribution of keys from the
directory. It requires users to know the public key for the directory.
Whenever the keys are needed, real-time access to the directory is
made by the user to obtain any desired public key securely.
4. Public Certification: This time the authority provides a certificate
(which binds an identity to the public key) to allow key exchange
without real-time access to the public authority each time. The
certificate is accompanied by some other info such as period of
validity, rights of use, etc. All of this content is signed by the private
key of the certificate authority and it can be verified by anyone
possessing the authority’s public key.
First, the sender and receiver both request a certificate from the CA, which
contains a public key and other information; then they can
exchange these certificates and start communication.
Q.NO.6. What is WLAN? How does wireless work with and without
open ports?
Wireless LANs
Wireless LANs (WLANs) are wireless computer networks that use high-frequency
radio waves instead of cables for connecting the devices within a limited area
forming a LAN (Local Area Network). Users connected by wireless LANs can move
around within this limited area such as home, school, campus, office building,
railway platform, etc.
Most WLANs are based upon the IEEE 802.11 standard, or WiFi.

Components of WLANs
The components of WLAN architecture as laid down in IEEE 802.11 are −
 Stations (STA) − Stations comprise all devices and equipment
that are connected to the wireless LAN. Each station has a wireless
network interface controller. A station can be of two types −
o Wireless Access Point (WAP or AP)

o Client
 Basic Service Set (BSS) − A basic service set is a group of stations
communicating at the physical layer level. BSS can be of two
categories −
o Infrastructure BSS

o Independent BSS
 Extended Service Set (ESS) − It is a set of all connected BSS.
 Distribution System (DS) − It connects access points in ESS.
Types of WLANs
WLANs, as standardized by IEEE 802.11, operate in two basic modes,
infrastructure and ad hoc mode.
 Infrastructure Mode − Mobile devices or clients connect to an access
point (AP) that in turn connects via a bridge to the LAN or Internet.
The client transmits frames to other clients via the AP.
 Ad Hoc Mode − Clients transmit frames directly to each other in a
peer-to-peer fashion.
Advantages of WLANs
 They provide clutter-free homes, offices and other networked
places.
 The LANs are scalable in nature, i.e. devices may be added or
removed from the network with greater ease than wired LANs.
 The system is portable within the network coverage. Access to the
network is not bounded by the length of the cables.
 Installation and setup are much easier than wired counterparts.
 The equipment and setup costs are reduced.
Disadvantages of WLANs
 Since radio waves are used for communications, the signals are
noisier with more interference from nearby systems.
 Greater care is needed for encrypting information. Also, they are
more prone to errors. So, they require greater bandwidth than the
wired LANs.
 WLANs are slower than wired LANs.
Q.NO.7. What is message authentication?
Explain authentication functions?
Message Authentication
In the last chapter, we discussed the data integrity threats and the use of
hashing techniques to detect if any modification attacks have taken place on the
data.
Another type of threat that exists for data is the lack of message
authentication. In this threat, the user is not sure about the originator of the
message. Message authentication can be provided using the cryptographic
techniques that use secret keys, as done in the case of encryption.

Message Authentication Code (MAC)

A MAC algorithm is a symmetric key cryptographic technique to provide message
authentication. For establishing the MAC process, the sender and receiver share a
symmetric key K.
Essentially, a MAC is an encrypted checksum generated on the underlying
message that is sent along with a message to ensure message authentication.
The process of using MAC for authentication is depicted in the following
illustration −

Let us now try to understand the entire process in detail −

 The sender uses some publicly known MAC algorithm, inputs the
message and the secret key K and produces a MAC value.
 Similar to a hash, the MAC function also compresses an arbitrarily long
input into a fixed length output. The major difference between hash
and MAC is that MAC uses a secret key during the compression.
 The sender forwards the message along with the MAC. Here, we
assume that the message is sent in the clear, as we are concerned
with providing message origin authentication, not confidentiality. If
confidentiality is required then the message needs encryption.
 On receipt of the message and the MAC, the receiver feeds the
received message and the shared secret key K into the MAC
algorithm and re-computes the MAC value.
 The receiver now checks equality of the freshly computed MAC with the
MAC received from the sender. If they match, then the receiver
accepts the message and assures himself that the message has
been sent by the intended sender.
 If the computed MAC does not match the MAC sent by the sender,
the receiver cannot determine whether it is the message that has
been altered or it is the origin that has been falsified. As a bottom
line, the receiver safely assumes that the message is not genuine.
Limitations of MAC
There are two major limitations of MAC, both due to its symmetric nature of
operation −
 Establishment of Shared Secret.
o It can provide message authentication among pre-decided
legitimate users who have a shared key.
o This requires establishment of a shared secret prior to
use of MAC.
 Inability to Provide Non-Repudiation
o Non-repudiation is the assurance that a message
originator cannot deny any previously sent messages
and commitments or actions.
o The MAC technique does not provide a non-repudiation
service. If the sender and receiver get involved in a
dispute over message origination, MACs cannot provide
a proof that a message was indeed sent by the sender.
o Though no third party can compute the MAC, the
sender could still deny having sent the message and claim
that the receiver forged it, as it is impossible to
determine which of the two parties computed the MAC.
Both these limitations can be overcome by using the public key based digital
signatures discussed in the following section.

Authentication Functions

Introduction:-Any message authentication or digital signature mechanism has two
levels of functionality. At the lower level, there must be some sort of function that
produces an authenticator: a value to be used to authenticate a message. This
lower-level function is then used as a primitive in a higher-level authentication
protocol that enables a receiver to verify the authenticity of a message.
Following functions can be used to produce an authenticator:-
Message encryption: The cipher text of the entire message serves as its
authenticator.
Message authentication code (MAC): A function of the message and a secret key
that produces a fixed-length value that serves as the authenticator.
Hash function: A function that maps a message of any length into a fixed-length
hash value, which serves as the authenticator.
Basic Uses of Message Encryption
Message Encryption:-Message encryption by itself can provide a measure of
authentication. The analysis differs for symmetric and public-key encryption
schemes.
Symmetric Encryption: A message M transmitted from source A to destination B is
encrypted using a secret key K shared by A and B. If no other party knows the key,
then confidentiality is provided: No other party can recover the plaintext of the
message.
B is assured that the message was generated by A. Why? The message must have
come from A because A is the only other party that possesses K and therefore the
only other party with the information necessary to construct ciphertext that can be
decrypted with K. Furthermore, if M is recovered, B knows that none of the bits of M
have been altered, because an opponent that does not know K would not know how
to alter bits in the ciphertext to produce desired changes in the plaintext.

So we may say that symmetric encryption provides authentication as well as
confidentiality. However, this flat statement needs to be qualified. Consider exactly
what is happening at B. Given a decryption function D and a secret key K, the
destination will accept any input X and produce output Y = D(K, X). If X is the
ciphertext of a legitimate message M produced by the corresponding encryption
function, then Y is some plaintext message M. Otherwise, Y will likely be a
meaningless sequence of bits. There may need to be some automated means of
determining at B whether Y is legitimate plaintext and therefore must have come
from A.
Public-Key Encryption: The straightforward use of public-key encryption provides
confidentiality but not authentication. The source (A) uses the public key PU_b of the
destination (B) to encrypt M. Because only B has the corresponding private key PR_b,
only B can decrypt the message. This scheme provides no authentication because
any opponent could also use B's public key to encrypt a message, claiming to be A.
To provide authentication, A uses its private key to encrypt the message, and B uses
A's public key to decrypt. This provides authentication using the same type of
reasoning as in the symmetric encryption case: The message must have come from
A because A is the only party that possesses PR_a and therefore the only party with
the information necessary to construct ciphertext that can be decrypted with PU_a.
Again, the same reasoning as before applies: There must be some internal structure
to the plaintext so that the receiver can distinguish between well-formed plaintext
and random bits.
Message Authentication Code:-An alternative authentication technique involves
the use of a secret key to generate a small fixed-size block of data, known as a
cryptographic checksum or MAC that is appended to the message. This technique
assumes that two communicating parties, say A and B, share a common secret key
K.
When A has a message to send to B, it calculates the MAC as a function of the
message and the key: MAC = C (K, M), where

The message plus MAC are transmitted to the intended recipient. The recipient
performs the same calculation on the received message, using the same secret key,
to generate a new MAC. The received MAC is compared to the calculated MAC. If
we assume that only the receiver and the sender know the identity of the secret key,
and if the received MAC matches the calculated MAC, then
1. The receiver is assured that the message has not been altered. If an attacker
alters the message but does not alter the MAC, then the receiver's calculation of the
MAC will differ from the received MAC. Because the attacker is assumed not to know
the secret key, the attacker cannot alter the MAC to correspond to the alterations in
the message.
2. The receiver is assured that the message is from the alleged sender. Because no
one else knows the secret key, no one else could prepare a message with a proper
MAC.
3. If the message includes a sequence number (such as is used with HDLC, X.25,
and TCP), then the receiver can be assured of the proper sequence because an
attacker cannot successfully alter the sequence number.
A MAC function is similar to encryption. One difference is that the MAC algorithm
need not be reversible, as it must for decryption. In general, the MAC function is a
many-to-one function. The domain of the function consists of messages of some
arbitrary length, whereas the range consists of all possible MACs and all possible
keys.
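
The MAC exchange described above (the sender computes MAC = C(K, M), the receiver recomputes and compares, and a sequence number is covered by the MAC), as an added Python example that is not part of the original notes. HMAC-SHA256 as the function C, the 4-byte sequence-number header, the sample key and all names are assumptions of this example; it also shows the non-repudiation limitation listed earlier.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32  # HMAC-SHA256 produces a fixed 32-byte MAC for any input length

def make_packet(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: MAC = C(K, seq || M); transmit seq || M || MAC in the clear."""
    header = struct.pack("!I", seq)
    tag = hmac.new(key, header + message, hashlib.sha256).digest()
    return header + message + tag

class Receiver:
    """Receiver: recompute the MAC with the shared key K and compare."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = 0  # highest sequence number accepted so far

    def accept(self, packet: bytes):
        """Return the message if authentic and in sequence, otherwise None."""
        if len(packet) < 4 + TAG_LEN:
            return None
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if not hmac.compare_digest(tag, expected):
            return None            # altered message or wrong origin
        (seq,) = struct.unpack("!I", body[:4])
        if seq <= self.last_seq:
            return None            # replayed or out-of-order packet
        self.last_seq = seq
        return body[4:]

def demo() -> dict:
    key = b"constructed-shared-key-for-demo!"  # constructed sample key K
    bob = Receiver(key)
    genuine = make_packet(key, 1, b"transfer 100 to carol")
    tampered = bytearray(make_packet(key, 2, b"transfer 100 to carol"))
    tampered[4 + 9] ^= 0x08        # change one message byte, keep the old MAC
    results = {
        "genuine": bob.accept(genuine) is not None,
        "replayed": bob.accept(genuine) is not None,
        "tampered": bob.accept(bytes(tampered)) is not None,
        "wrong_key": bob.accept(make_packet(b"not-the-key", 2, b"hi")) is not None,
    }
    # Limitation: Bob holds K as well, so a packet he builds himself verifies
    # exactly like one from Alice; the MAC cannot settle who computed it.
    built_by_bob = make_packet(key, 7, b"alice owes bob 500")
    results["receiver_made_packet_verifies"] = (
        Receiver(key).accept(built_by_bob) is not None
    )
    return results

if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```
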

(~~~~~~~)
(2018)
Q.NO.2. Suppose Alice and Bob agree on the following values: p = 550 and g = 10. Moreover,
Alice chooses a = 4 and Bob chooses b = 12. Compute the shared secret key for both Alice and
Bob.

Q.NO.3. How many different security attacks can a network encounter? Give the IP security
architecture.

What Is a Network Attack?


A network attack is an attempt to gain unauthorized access to an
organization’s network, with the objective of stealing data or performing
other malicious activity. There are two main types of network attacks:
 Passive: Attackers gain access to a network and can monitor or steal
sensitive information, but without making any change to the data, leaving
it intact.
 Active: Attackers not only gain unauthorized access but also modify data,
either deleting, encrypting or otherwise harming it.

We distinguish network attacks from several other types of attacks:

 Endpoint attacks—gaining unauthorized access to user devices, servers or
other endpoints, typically compromising them by infecting them with
malware.
 Malware attacks—infecting IT resources with malware, allowing attackers
to compromise systems, steal data and do damage. These also include
ransomware attacks.
 Vulnerabilities, exploits and attacks—exploiting vulnerabilities in software
used in the organization, to gain unauthorized access, compromise or
sabotage systems.
 Advanced persistent threats—these are complex multilayered threats,
which include network attacks but also other attack types.

In a network attack, attackers are focused on penetrating the corporate
network perimeter and gaining access to internal systems. Very often,
once inside, attackers will combine other types of attacks, for example
compromising an endpoint, spreading malware or exploiting a
vulnerability in a system within the network.

What are the Common Types of Network Attacks?
Following are common threat vectors attackers can use to penetrate
your network.
1. Unauthorized access
Unauthorized access refers to attackers accessing a network without
receiving permission. Among the causes of unauthorized access attacks
are weak passwords, lacking protection against social engineering,
previously compromised accounts, and insider threats.
2. Distributed Denial of Service (DDoS) attacks
Attackers build botnets, large fleets of compromised devices, and use
them to direct false traffic at your network or servers. DDoS can occur at
the network level, for example by sending huge volumes of SYN/ACK
packets which can overwhelm a server, or at the application level, for
example by performing complex SQL queries that bring a database to its
knees.
3. Man in the middle attacks
A man in the middle attack involves attackers intercepting traffic, either
between your network and external sites or within your network. If
communication protocols are not secured or attackers find a way to
circumvent that security, they can steal data that is being transmitted,
obtain user credentials and hijack their sessions.
4. Code and SQL injection attacks
Many websites accept user inputs and fail to validate and sanitize those
inputs. Attackers can then fill out a form or make an API call, passing
malicious code instead of the expected data values. The code is
executed on the server and allows attackers to compromise it.
5. Privilege escalation
Once attackers penetrate your network, they can use privilege
escalation to expand their reach. Horizontal privilege escalation
involves attackers gaining access to additional, adjacent systems, and
vertical escalation means attackers gain a higher level of privileges for
the same systems.
6. Insider threats
A network is especially vulnerable to malicious insiders, who already
have privileged access to organizational systems. Insider threats can be
difficult to detect and protect against, because insiders do not need to
penetrate the network in order to do harm. New technologies like User
and Event Behavioral Analytics (UEBA) can help identify suspicious or
anomalous behavior by internal users, which can help identify insider
attacks.

Network Protection Best Practices


Segregate Your Network
A basic part of avoiding network security threats is dividing a network
into zones based on security requirements. This can be done using
subnets within the same network, or by creating Virtual Local Area
Networks (VLANs), each of which behaves like a complete separate
network. Segmentation limits the potential impact of an attack to one
zone, and requires attackers to take special measures to penetrate and
gain access to other network zones.
Regulate Access to the Internet via Proxy Server
Do not allow network users to access the Internet unchecked. Pass all
requests through a transparent proxy, and use it to control and monitor
user behavior. Ensure that outbound connections are actually
performed by a human and not a bot or other automated mechanism.
Whitelist domains to ensure corporate users can only access websites
you have explicitly approved.
Place Security Devices Correctly
Place a firewall at every junction of network zones, not just at the
network edge. If you can’t deploy full-fledged firewalls everywhere, use
the built-in firewall functionality of your switches and routers. Deploy
anti-DDoS devices or cloud services at the network edge. Carefully
consider where to place strategic devices like load balancers – if they
are outside the Demilitarized Zone (DMZ), they won’t be protected by
your network security apparatus.
Use Network Address Translation
Network Address Translation (NAT) lets you translate internal IP
addresses into addresses accessible on public networks. You can use it
to connect multiple computers to the Internet using a single IP address.
This provides an extra layer of security, because any inbound or
outgoing traffic has to go through a NAT device, and there are fewer IP
addresses, which makes it difficult for attackers to understand which
host they are connecting to.
Monitor Network Traffic
Ensure you have complete visibility of incoming, outgoing and internal
network traffic, with the ability to automatically detect threats, and
understand their context and impact. Combine data from different
security tools to get a clear picture of what is happening on the network,
recognizing that many attacks span multiple IT systems, user accounts
and threat vectors.
Achieving this level of visibility can be difficult with traditional security
tools. Cynet 360 is an integrated security solution offering
advanced network analytics, which continuously monitors network
traffic, automatically detects malicious activity, and either responds to it
automatically or passes context-rich information to security staff.
Use Deception Technology
No network protection measures are 100% successful, and attackers
will eventually succeed in penetrating your network. Recognize this and
place deception technology in place, which creates decoys across your
network, tempting attackers to “attack” them, and letting you observe
their plans and techniques. You can use decoys to detect threats in all
stages of the attack lifecycle: data files, credentials and network
connections.
Cynet 360 is an integrated security solution with built-in deception
technology, which provides both off-the-shelf decoy files and the ability
to create decoys to meet your specific security needs, while taking into
account your environment’s security needs.

IPSec Architecture
IPSec (IP Security) architecture uses two protocols to secure the
traffic or data flow. These protocols are ESP (Encapsulation Security
Payload) and AH (Authentication Header). IPSec Architecture
includes protocols, algorithms, DOI, and Key Management. All these
components are very important in order to provide the three main
services:
 Confidentiality
 Authentication
 Integrity
IP Security Architecture:

1. Architecture: Architecture or IP Security Architecture covers the
general concepts, definitions, protocols, algorithms, and security
requirements of IP Security technology.

2. ESP Protocol: ESP (Encapsulation Security Payload) provides a
confidentiality service. Encapsulation Security Payload is
implemented in either of two ways:
 ESP with optional Authentication.
 ESP with Authentication.
Packet Format:

 Security Parameter Index (SPI): This parameter is used by the Security
Association. It is used to give a unique number to the connection
built between the Client and Server.
 Sequence Number: Unique Sequence numbers are allotted to every
packet so that on the receiver side packets can be arranged
properly.
 Payload Data: Payload data means the actual data or the actual
message. The Payload data is in an encrypted format to achieve
confidentiality.
 Padding: Extra bits of space are added to the original message in
order to ensure confidentiality. Padding length is the size of the
added bits of space in the original message.
 Next Header: Next header means the next payload or next actual
data.
 Authentication Data: This field is optional in the ESP protocol packet
format.
3. Encryption algorithm: The encryption algorithm is the document
that describes various encryption algorithms used for Encapsulation
Security Payload.
4. AH Protocol: AH (Authentication Header) Protocol provides both
Authentication and Integrity service. Authentication Header is
implemented in one way only: Authentication along with Integrity.

Authentication Header covers the packet format and general issues
related to the use of AH for packet authentication and integrity.
5. Authentication Algorithm: The authentication Algorithm contains
the set of documents that describe the authentication algorithm used
for AH and for the authentication option of ESP.
6. DOI (Domain of Interpretation): DOI is the identifier that supports
both AH and ESP protocols. It contains values needed for
documentation related to each other.
7. Key Management: Key Management contains the document that
describes how the keys are exchanged between sender and
receiver.
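
The ESP packet format listed above, as an added Python example that is not part of the original notes: it splits a packet into the listed fields and applies the receiver-side anti-replay check that ESP builds on the sequence number. Field sizes follow RFC 4303; the ICV length, the 64-packet window, the sample bytes and all names are assumptions of this example.

```python
import struct

def parse_esp(packet: bytes, icv_len: int):
    """Split an ESP packet into (SPI, sequence number, ciphertext, ICV).

    icv_len is the size of the optional Authentication Data field; pass 0
    when the Security Association uses ESP without authentication.
    """
    if len(packet) < 8 + icv_len:
        raise ValueError("packet too short for ESP header and ICV")
    spi, seq = struct.unpack("!II", packet[:8])   # two 32-bit big-endian fields
    end = len(packet) - icv_len
    return spi, seq, packet[8:end], packet[end:]

def strip_trailer(plaintext: bytes):
    """After decryption: drop the padding and return (payload, next_header).

    The decrypted data ends with: padding | pad length (1) | next header (1).
    """
    if len(plaintext) < 2:
        raise ValueError("decrypted data too short for ESP trailer")
    pad_len, next_header = plaintext[-2], plaintext[-1]
    if pad_len > len(plaintext) - 2:
        raise ValueError("pad length exceeds decrypted data")
    return plaintext[:len(plaintext) - 2 - pad_len], next_header

class ReplayWindow:
    """Sliding anti-replay window keyed on the ESP sequence number.

    A real receiver calls check_and_update only after the ICV has verified,
    so that forged packets cannot advance the window.
    """

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0      # highest sequence number accepted so far
        self.bitmap = 0   # bit i set means (top - i) was already received

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                      # senders start counting at 1
        if seq > self.top:                    # new highest: slide the window
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= self.size:
            return False                      # older than the window
        if self.bitmap & (1 << offset):
            return False                      # duplicate: replayed packet
        self.bitmap |= 1 << offset            # late but new packet
        return True

def sample_packet() -> bytes:
    """Constructed sample: SPI 0x1001, sequence 1, 16 opaque bytes, 12-byte ICV."""
    return struct.pack("!II", 0x1001, 1) + b"\xaa" * 16 + b"\xbb" * 12

if __name__ == "__main__":
    spi, seq, ciphertext, icv = parse_esp(sample_packet(), icv_len=12)
    print(hex(spi), seq, len(ciphertext), len(icv))
    window = ReplayWindow()
    print([window.check_and_update(s) for s in (1, 2, 3, 2, 70, 3, 69, 69)])
```
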
Q.NO.4. How is a VPN made? Why do we need Network Address
Translation (NAT)?

Virtual private network

A virtual private network (VPN) extends a private network across a public
network and enables users to send and receive data across shared or public
networks as if their computing devices were directly connected to the private
network.[1] The benefits of a VPN include increases in functionality, security, and
management of the private network. It provides access to resources that are
inaccessible on the public network and is typically used for remote
workers. Encryption is common, although not an inherent part of a VPN
connection.[2]
A VPN is created by establishing a virtual point-to-point connection through the
use of dedicated circuits or with tunneling protocols over existing networks. A
VPN available from the public Internet can provide some of the benefits of a wide
area network (WAN). From a user perspective, the resources available within the
private network can be accessed remotely.
[Figure: VPN classification tree based on the topology first, then on the technology used.]
[Figure: VPN connectivity overview, showing intranet site-to-site and remote-work
configurations used together.]

Virtual private networks may be classified into several categories:

Remote access
A host-to-network configuration is analogous to connecting a computer to
a local area network. This type provides access to an enterprise network,
such as an intranet. This may be employed for remote
workers who need access to private resources, or to enable a mobile
worker to access important tools without exposing them to the public
Internet.
Site-to-site
A site-to-site configuration connects two networks. This configuration
expands a network across geographically disparate offices, or a group of
offices to a data center installation. The interconnecting link may run over
a dissimilar intermediate network, such as two IPv6 networks connected
over an IPv4 network.[4]
Extranet-based site-to-site
In the context of site-to-site configurations, the
terms intranet and extranet are used to describe two different
use cases.[5] An intranet site-to-site VPN describes a configuration where
the sites connected by the VPN belong to the same organization, whereas
an extranet site-to-site VPN joins sites belonging to multiple organizations.

Typically, individuals interact with remote access VPNs, whereas
businesses tend to make use of site-to-site connections for
business-to-business, cloud computing, and branch office scenarios.
Despite this, these technologies are not mutually exclusive and, in a
significantly complex business network, may be combined to enable
remote access to resources located at any given site, such as an ordering
system that resides in a data center.
VPN systems also may be classified by:

 The tunneling protocol used to tunnel the traffic
 The tunnel's termination point location, e.g., on the customer edge or
network-provider edge
 The type of topology of connections, such as site-to-site or network-to-
network
 The levels of security provided
 The OSI layer they present to the connecting network, such
as Layer 2 circuits or Layer 3 network connectivity
 The number of simultaneous connections

Network Address Translation (NAT)

Network Address Translation (NAT) is the process of mapping an internet protocol (IP)
address to another by changing the header of IP packets while in transit via a router.
This helps to improve security and decrease the number of IP addresses an organization
needs.

How does Network Address Translation work?

A NAT works by selecting gateways that sit between two local networks: the internal
network, and the outside network. Systems on the inside network are typically assigned
IP addresses that cannot be routed to external networks (e.g., networks in the 10.0.0.0/8
block).

A few externally valid IP addresses are assigned to the gateway. The gateway makes
outbound traffic from an inside system appear to be coming from one of the valid
external addresses. It takes incoming traffic aimed at a valid external address and sends
it to the correct internal system.

This helps ensure security, because each outgoing or incoming request must go through
a translation process that offers the opportunity to qualify or authenticate incoming
streams and match them to outgoing requests, for example.

NAT conserves the number of globally valid IP addresses a company needs and -- in
combination with Classless Inter-Domain Routing (CIDR) -- has done a lot to extend the
useful life of IPv4 as a result. NAT is described in general terms in IETF RFC 1631.

NAT techniques?

The NAT mechanism ("natting") is a router feature, and is often part of a
corporate firewall. NAT gateways can map IP addresses in several ways:

 from a local IP address to one global IP address statically;
 hiding an entire IP address space comprised of private IP addresses behind a
single IP address;
 to a large private network using a single public IP address using translation
tables;
 from a local IP address plus a particular TCP port to a global address or a
pool of public IP addresses; and
 from a global IP address to any of a pool of local IP addresses on a round-
robin basis.
In some cases, network administrators define policies that allow the gateway device to
assign mappings based on the intended destination ("pick this external address for
communications to partner A's area network; pick that external address for
communications to partner B's").

Policies can also be used on the protocols being used ("assign out of this pool
for HTTP traffic, that pool for HTTPS") or on other factors.

A newer way to use NAT focuses on translating an ISP provider's IPv4 addresses
to IPv6, and vice versa. This provides integration of IPv4 infrastructure and end nodes
into IPv6 environments, and allows IPv6 services to interact with IPv4 systems.

What is the difference between dynamic NAT (DNAT) and static NAT (SNAT)?

A dynamic NAT is common in larger organizations with complex internal networks. It
uses several available IP addresses during the translation.

An example of this can be seen with Cisco, which has developed a technique that uses
a NAT overload to map several private IP addresses to a single public IP address.

Conversely, a static NAT, also common in large organizations, provides a 1:1 mapping
between an internal IP address and a public network IP address.

Q.NO.5. Explain RSA and describe the ways for attacking RSA?
RSA
RSA (Rivest–Shamir–Adleman) is a public-key cryptosystem that is widely
used for secure data transmission. It is also one of the oldest.
The acronym "RSA" comes from the surnames of Ron Rivest, Adi
Shamir and Leonard Adleman, who publicly described the algorithm in 1977. An
equivalent system was developed secretly in 1973 at GCHQ (the British signals
intelligence agency) by the English mathematician Clifford Cocks. That system
was declassified in 1997.[1]

RSA

General
Designers: Ron Rivest, Adi Shamir, and Leonard Adleman
First published: 1977
Certification: PKCS#1, ANSI X9.31, IEEE 1363

Cipher detail
Key sizes: 2,048 to 4,096 bit typical
Rounds: 1

Best public cryptanalysis
General number field sieve for classical computers;
Shor's algorithm for quantum computers.
An 829-bit key has been broken.

In a public-key cryptosystem, the encryption key is public and distinct from
the decryption key, which is kept secret (private). An RSA user creates and
publishes a public key based on two large prime numbers, along with an auxiliary
value. The prime numbers are kept secret. Messages can be encrypted by
anyone, via the public key, but can only be decoded by someone who knows the
prime numbers.[2]
The security of RSA relies on the practical difficulty of factoring the product of
two large prime numbers, the "factoring problem". Breaking RSA encryption is
known as the RSA problem. Whether it is as difficult as the factoring problem is
an open question.[3] There are no published methods to defeat the system if a
large enough key is used.
RSA is a relatively slow algorithm. Because of this, it is not commonly used to
directly encrypt user data. More often, RSA is used to transmit shared keys
for symmetric-key cryptography, which are then used for bulk encryption–decryption.

Possible Attacks on RSA


The saying "A chain is no stronger than its weakest link" is very suitable for describing
attacks on cryptosystems. The attackers' instinct is to go for the weakest point of
defense, and to exploit it. Sometimes the weakness may have appeared insignificant to
the designer of the system, or maybe the cryptanalyst will discover something that was
not seen by anyone before. The important thing to remember (and this has been
proven time and time again in the history of cryptography) is that no matter how
secure you think your system is, there may be something you have not considered.

At the moment RSA seems to be extremely secure. It has survived over 20 years of
scrutiny and is in widespread use throughout the world. The attack that is most often
considered for RSA is the factoring of the public key. If this can be achieved, all
messages written with the public key can be decrypted. The point is that with very
large numbers, factoring takes an unreasonable amount of time (see the factorization
section for more details of the difficulty). It has not been proven that breaking the RSA
algorithm is equivalent to factoring large numbers (there may be another, easier
method), but neither has it been proven that factoring is not equivalent.

I mentioned before that a chain is only as strong as its weakest link. In cryptology terms,
the links in the chain include key generation, key management, the cryptographic
algorithm and the cryptographic protocol. If there is a weakness in any one of these
areas, it undermines the entire system. Imagine an eavesdropper was able to generate
session keys in the same order that an e-commerce site web server used to get credit
card details securely from customers over the Internet; this would allow the
eavesdropper to read all the transactions. The section on random number
generators discusses this topic.

It's now time to get into the details of attacks on RSA.

Searching the Message Space


One of the seeming weaknesses of public key cryptography is that one has to give away
to everybody the algorithm that encrypts the data. If the message space is small, then
one could simply try to encrypt every possible message block, until a match is found
with one of the ciphertext blocks. In practice this would be an insurmountable task
because the block sizes are quite large.

Guessing d
Another possible attack is a known ciphertext attack. This time the attacker knows both
the plaintext and ciphertext (they simply have to encrypt something). They then try to
crack the key to discover the private exponent, d. This might involve trying every
possible key in the system on the ciphertext until it returns to the original plaintext.
Once d has been discovered it is easy to find the factors of n (for example use the
algorithm in chapter 8 of The Handbook of Applied Cryptography). Then the system has
been broken completely and all further ciphertexts can be decrypted.

The problem with this attack is that it is slow. There are an enormous number of
possible ds to try. This method is a factorizing algorithm as it allows us to factor n.
Since factorizing is an intractable problem we know this is very difficult. This method is
not the fastest way to factorize n. Therefore one is suggested to focus effort into using
a more efficient algorithm specifically designed to factor n. This advice was given in
the original paper.

Cycle Attack
This attack is very similar to the last. The idea is that we encrypt the ciphertext
repeatedly, counting the iterations, until the original text appears. This number of
re-cycles will decrypt any ciphertext. Again this method is very slow and for a large key it
is not a practical attack. A generalisation of the attack allows the modulus to be
factored and it works faster the majority of the time. But even this will still have
difficulty when a large key is used. Also the use of p -- strong primes aids the security.

The bottom line is that the generalized form of the cipher attack is another factoring
algorithm. It is not efficient, and therefore the attack is not good enough compared
with modern factoring algorithms (e.g. Number Field Sieve).

I noticed an improvement on this algorithm. The suggested way is to use the public
exponent of the public key to re-encrypt the text. However any exponent should work
so long as it is coprime to (p-1)(q-1) (where p, q are factors of the modulus). So I
suggest using an exponent such as 2^16 + 1. This number has only two 1s in its binary
representation. Using binary fast exponentiation, we use only 16 modular squarings
and 1 modular multiplication. This is likely to be faster than the actual public exponent.
The trouble is that we cannot be sure that it is coprime to (p-1)(q-1). In practice, many
RSA systems use 2^16 + 1 as the encrypting exponent for its speed.

Common Modulus
One of the early weaknesses found was in a system of RSA where the users within an
organization would share the public modulus. That is to say, the administration would
choose the public modulus securely and generate pairs of encryption and decryption
exponents (public and private keys) and distribute them to all the employees/users. The
reason for doing this is to make it convenient to manage and to write software for.

However, Simmons shows how this would allow any eavesdropper to view any
messages encrypted with two keys; for example when a memo is sent to several
employees. DeLaurentis went further to demonstrate how the system was at even
more risk from insiders, who could break the system completely, allowing them to view
all messages and sign with anybody's key.

Faulty Encryption
Joye and Quisquater showed how to capitalise on the common modulus weakness due
to a transient error when transmitting the public key. Consider the situation where an
attacker, Malory, has access to the communication channel used by Alice and Bob. In
other words, Malory can listen to anything that is transmitted, and can also change
what is transmitted. Alice wishes to talk privately to Bob, but does not know his public
key. She requests by sending an email, to which Bob replies. But during transmission,
Malory is able to see the public key and decides to flip a single bit in the public
exponent of Bob, changing (e,n) to (e',n).

When Alice receives the faulty key, she encrypts the prepared message and sends it to
Bob (Malory also gets it). But of course, Bob cannot decrypt it because the wrong key
was used. So he lets Alice know and they agree to try again, starting with Bob
re-sending his public key. This time Malory does not interfere. Alice sends the message
again, this time encrypted with the correct public key.

Malory now has two ciphertexts, one encrypted with the faulty exponent and one with
the correct one. She also knows both these exponents and the public modulus.
Therefore she can now apply the common modulus attack to retrieve Alice's message,
assuming that Alice was foolish enough to encrypt exactly the same message the
second time.

A demonstration of the Common Modulus attack and the Faulty Encryption attack can
be found in this Mathematica notebook.
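
The Common Modulus and Faulty Encryption sections above rest on one identity, worked through here as an added example (not code from the page or its notebook). The key, the sample message and the `pad` helper are constructed for illustration; `pad` is a toy stand-in for randomized padding such as RSA-OAEP, which makes the two plaintexts differ so the identity no longer yields the message.

```python
# Added illustration, not code from the page. Textbook RSA with a constructed
# key: P and Q are Mersenne primes picked for readability, not real key sizes.
import secrets

P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537              # Bob's genuine public exponent
E_FAULTY = E ^ 0b10    # the same exponent with one bit flipped (65539)


def egcd(a, b):
    """Extended Euclid: return (g, x, y) with a*x + b*y == g."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def encrypt(m, e, n=N):
    """Textbook RSA, c = m^e mod n, with no padding."""
    return pow(m, e, n)


def combine(c1, e1, c2, e2, n=N):
    """What an observer of both ciphertexts can compute without any private key.

    If gcd(e1, e2) == 1 there are integers a, b with a*e1 + b*e2 == 1, so
    c1^a * c2^b == m^(a*e1 + b*e2) == m (mod n) when both encrypt the same m.
    """
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents share a factor; the identity does not apply")
    # Negative exponents use the modular inverse (Python 3.8+).
    return (pow(c1, a, n) * pow(c2, b, n)) % n


def pad(m, r):
    """Toy stand-in for randomized padding; real systems use RSA-OAEP."""
    return (m << 64) | r


def faulty_key_scenario(message, randomize):
    """Alice encrypts under (E_FAULTY, N), then resends under (E, N).

    Returns (value computed from the two ciphertexts, Alice's first plaintext).
    """
    m1 = pad(message, secrets.randbits(64)) if randomize else message
    m2 = pad(message, secrets.randbits(64)) if randomize else message
    c1 = encrypt(m1, E_FAULTY)
    c2 = encrypt(m2, E)
    return combine(c1, E_FAULTY, c2, E), m1


if __name__ == "__main__":
    msg = int.from_bytes(b"PIN 4921", "big")   # constructed sample message
    out, sent = faulty_key_scenario(msg, randomize=False)
    print("identical resend exposed:", out == sent)
    out, sent = faulty_key_scenario(msg, randomize=True)
    print("randomized resend exposed:", out == sent)
```

The first run prints True and the second False: the weakness needs the exact same plaintext under both exponents, which is why a modulus is never shared between keys and why deployed RSA encryption uses randomized padding.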

Low Exponent
In the cycle attack section above, I suggested that the encrypting exponent could be
chosen to make the system more efficient. Many RSA systems use e=3 to make
encrypting faster. However, there is a vulnerability with this attack. If the same message
is encrypted 3 times with different keys (that is same exponent, different moduli) then
we can retrieve the message. The attack is based on the Chinese Remainder Theorem.
See The Handbook of Applied Cryptography for an explanation and algorithm.
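
The Chinese Remainder Theorem step described above, as an added example (not taken from the page or from The Handbook of Applied Cryptography). The three toy moduli, the sample message and the 16-bit per-recipient pad are constructed; the pad is a toy stand-in for randomized padding, which leaves no exact cube to take a root of.

```python
# Added illustration, not code from the page: one message, e = 3, three moduli.
E = 3


def is_prime(n):
    """Trial division; adequate for the toy 30-bit primes used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    f = 3
    while f * f <= n:
        if n % f == 0:
            return False
        f += 2
    return True


def toy_modulus(start):
    """Constructed key: product of the next two primes p >= start with
    p % 3 == 2, so that gcd(3, p - 1) == 1 and e = 3 is a valid exponent."""
    primes, c = [], start
    while len(primes) < 2:
        if c % 3 == 2 and is_prime(c):
            primes.append(c)
        c += 1
    return primes[0] * primes[1]


MODULI = [toy_modulus(s) for s in (10**9, 2 * 10**9, 3 * 10**9)]


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise-coprime moduli."""
    total = 1
    for n in moduli:
        total *= n
    x = 0
    for r, n in zip(residues, moduli):
        partial = total // n
        x += r * partial * pow(partial, -1, n)   # modular inverse, Python 3.8+
    return x % total


def icbrt(x):
    """Largest integer r with r**3 <= x (binary search, exact for big ints)."""
    lo, hi = 0, 1 << (x.bit_length() // 3 + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= x:
            lo = mid
        else:
            hi = mid - 1
    return lo


def broadcast(message, pads=None):
    """Encrypt for each recipient; pads (one per recipient) model randomized
    padding, a toy stand-in for RSA-OAEP."""
    out = []
    for i, n in enumerate(MODULI):
        m = message if pads is None else (message << 16) | pads[i]
        out.append(pow(m, E, n))
    return out


def combine(ciphertexts):
    """What anyone holding all three ciphertexts can compute.

    Since m < each n_i, m**3 < n1*n2*n3, so the CRT value is m**3 over the
    integers. Returns the cube root if it is exact, else None.
    """
    x = crt(ciphertexts, MODULI)
    r = icbrt(x)
    return r if r ** 3 == x else None


if __name__ == "__main__":
    msg = int.from_bytes(b"key42", "big")        # constructed sample message
    print("unpadded broadcast recovered:", combine(broadcast(msg)) == msg)
    print("padded broadcast recovered:", combine(broadcast(msg, [1, 2, 3])))
```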

Factoring the Public Key


Factoring the public key is seen as the best way to go about cracking RSA.

Q.NO.6. How Public-key authority solves the problem of management of public keys? Also
write Its drawbacks?
Disadvantages of Public Key Encryption
Encryption systems used by businesses fall into two broad categories. Private
key, or secret key, systems use the same key to encrypt and decrypt data, so
you need to keep your key hidden so that no one else can access it. In a public
key system, you use two keys. According to Cloudflare, your private key,
which you keep hidden, decrypts data, but the public key gets used to encrypt
the data. Because there's essentially no use to the public key other than to
encode information, you can safely share it with anyone. While this works well
in situations where you can't securely share a key, like over the Internet, there
are some disadvantages of encryption that uses a public key.

Possible Performance Disadvantages of Encryption


Public key encryption works very well and is extremely secure, but it's based on
complicated mathematics. Because of this, computers in the past had to work
very hard to both encrypt and decrypt data using the system. In applications
where you needed to work with large quantities of encrypted data on a regular
basis, the computational overhead meant that public key systems could be very
slow.
Thankfully, this isn't as much of a problem today as systems run much faster.
However, TechBeacon warns that good encryption practices have to be used so
that you don't experience many speed disadvantages of encryption with a
public key. This includes using as few network connections as possible and
sticking with close servers when you can.

Potential Certification Problems


Many public key systems use a third party to certify the reliability of public
keys. For instance, if you were to encrypt sensitive corporate data to send to
your attorney's computer, you'd want to be sure that the computer you were
sending it to was really tied to his law firm. The third party, called a certification
authority, digitally signs their public key, turning it into a digital certificate, so
that you can be sure it's safe to use.
However, if the certification authority gets compromised, the criminal that did it
could issue false certificates and fool people into sending data to the wrong
place. This has already happened.

Potential for Direct Compromise


There are two ways to crack data encrypted with a public key system. The first
is to find a hole in the underlying mathematics that can be used to break the
cipher. As of the date of publication, no such hole is publicly known.
The other way to crack the encryption is to guess the correct key. Khan
Academy explains that public key encryption works on the basis of having an
extremely large number that is derived from multiplying a large number hidden
in the public key with a large number hidden in the private key. So, if you could
factor that extremely large number, you could break the encryption.
As computers become more powerful and as quantum computing, which uses
light to create even faster speeds than traditional supercomputers, becomes a
reality, brute force attacks on public key encrypted data become practical.

False Sense of Security


No matter how safe your public key cryptography system is, it only protects
what it's designed to protect. For instance, when your customers send you their
credit card data over the Internet, that transfer is protected by a mixture of
public and private key encryption and is extremely safe. However, once you
receive that credit card data, if you leave a computer with access to your
server out in the open, someone could sit down at the keyboard, download all
of the securely transferred data and steal it. Public key encryption won't protect
against that and, as such, it's only a part of an overall security system.

(~~~~~~~~~)
(2018)
Q.NO.2. Explain the mechanism of DES?
Q.NO.3. How many different security attacks can a network
encounter? Give the IP security Architecture?
Q.NO.4) a) Apply VIGENERE CIPHER. Key = Encryption,
plain text = “We are Pakistani”
What will be a Cipher Text = ?
b) Write down the techniques for hiding
messages.
(hiding messages)
Secret codes can be used to send fun messages between friends. These codes
can also help messages get past censors in more serious situations. Knowing
how to create, write, and send an encoded message using constrained language
can help get your messages out undetected. Learning a few different constrained
language codes can help your messages become even more secure.
Think of what you want to encode. Before you can create a coded message, you will need
to think of the message itself. You can encode any word or phrase using an acrostic code.
However, you should try to keep your messages short. Longer messages can be difficult to
encode and may be noticed by people that shouldn't see them.[1]

• For example, you might want to hide a message like "HELP IN DANGER".

• You would likely want to avoid a message like "PLEASE HELP ME I AM
IN DANGER" because it's too long.
Break the word or phrase down into letters. Building an acrostic will require you to break
down each word into its individual letters. These letters will be inserted into a larger body of
text. It's important that you use each letter of your phrase or word in the acrostic code.[2]

• If you wanted to hide the word "HELP", you would need to use H, E, L,
and P in your message.

• Make sure you don't miss any letters, as this can change the code. For
example, missing the letter L in "HELP" would result in the code
reading "HEP".
Write a sentence for each letter. Now that you have each letter of your word ready, you
can begin building the code. Every letter will have its own sentence written after it. The code
will be revealed by reading each first letter of every sentence. Make sure each letter is
included in the document you are creating to ensure the code will be readable.[3]

• As an example, imagine that you are trying to encode the word "HELP".

• Your first sentence would have to start with the letter H. "How is
everyone at home?" would be a good choice.

• The next sentence would need to start with the letter E. "Everything
still going well in town?" could be used in this case.

• Continue in this way until the message is fully encoded.

• It's important that your sentences and message don't draw attention
to the encoded message. Keep your tone and content neutral and
natural.

Check your code. Complete the acrostic code and double-check it. You will want to
make sure that each letter of your original phrase or word is included. Every sentence in
your document should start with a letter from your original message. If you read the first
letter of each sentence, you should find your original message.[4]

• If you missed any letters, add them to your encoded message to make
sure it's readable.

• Make sure you didn't add any sentences that aren't part of the code.
This could change the meaning of the original message you were
trying to encode.

• "How is everyone at home? Everything still good? Looking forward to
coming back. Please take care of my dog until then!" would be an
example of encoding the word "HELP" using the acrostic method.

Q.NO.5. Explain RSA and describe the ways for attacking RSA?
Q.NO.6. What is symmetric key distribution? Write
down its problem and solution?

What is Symmetric Encryption?


Symmetric encryption is a type of encryption where only one key (a secret key) is
used to both encrypt and decrypt electronic data. The entities communicating via
symmetric encryption must exchange the key so that it can be used in the decryption
process. This encryption method differs from asymmetric encryption where a pair of
keys - one public and one private - is used to encrypt and decrypt messages.

By using symmetric encryption algorithms, data is "scrambled" so that it can't be
understood by anyone who does not possess the secret key to decrypt it. Once the
intended recipient who possesses the key has the message, the algorithm reverses
its action so that the message is returned to its original readable form. The secret
key that the sender and recipient both use could be a specific password/code or it
can be a random string of letters or numbers that have been generated by a secure
random number generator (RNG). For banking-grade encryption, the symmetric keys
must be created using an RNG that is certified according to industry standards, such
as FIPS 140-2.

There are two types of symmetric encryption algorithms:

• Block algorithms. Set lengths of bits are encrypted in blocks of
electronic data with the use of a specific secret key. As the data is
being encrypted, the system holds the data in its memory as it waits
for complete blocks.

• Stream algorithms. Data is encrypted as it streams instead of being
retained in the system’s memory.

Some examples of symmetric encryption algorithms include:

• AES (Advanced Encryption Standard)
• DES (Data Encryption Standard)
• IDEA (International Data Encryption Algorithm)
• Blowfish (Drop-in replacement for DES or IDEA)
• RC4 (Rivest Cipher 4)
• RC5 (Rivest Cipher 5)
• RC6 (Rivest Cipher 6)

AES, DES, IDEA, Blowfish, RC5 and RC6 are block ciphers. RC4 is a stream cipher.

DES
In “modern” computing, DES was the first standardized cipher for securing electronic
communications, and is used in variations (e.g. 2-key or 3-key 3DES). The original DES is
not used anymore as it is considered too “weak”, due to the processing power of modern
computers. Even 3DES is not recommended by NIST and PCI DSS 3.2, as well as all 64-bit
ciphers. However, 3DES is still widely used in EMV chip cards because of legacy
applications that do not have a crypto-agile infrastructure.

AES
The most commonly used symmetric algorithm is the Advanced Encryption Standard (AES),
which was originally known as Rijndael. This is the standard set by the U.S. National
Institute of Standards and Technology in 2001 for the encryption of electronic data
announced in U.S. FIPS PUB 197. This standard supersedes DES, which had been in use
since 1977. Under NIST, the AES cipher has a block size of 128 bits, but can have three
different key lengths as shown with AES-128, AES-192 and AES-256.

What is Symmetric Encryption Used For?


While symmetric encryption is an older method of encryption, it is faster and more
efficient than asymmetric encryption, which takes a toll on networks due to
performance issues with data size and heavy CPU use. Due to the better
performance and faster speed of symmetric encryption (compared to asymmetric),
symmetric cryptography is typically used for bulk encryption / encrypting large
amounts of data, e.g. for database encryption. In the case of a database, the secret
key might only be available to the database itself to encrypt or decrypt. Industry
standard symmetric encryption is also less vulnerable to advances in quantum
computing compared to the current standards for asymmetric algorithms (at the
time of writing).

Some examples of where symmetric cryptography is used are:

• Payment applications, such as card transactions where PII needs to
be protected to prevent identity theft or fraudulent charges

• Validations to confirm that the sender of a message is who he claims
to be

• Random number generation or hashing

Key management for symmetric encryption - what we need to consider
Unfortunately, symmetric encryption does come with its own drawbacks. Its weakest
point is its aspects of key management, including:

Key Exhaustion

Symmetric Encryption suffers from behavior where every use of a key ‘leaks’ some
information that can potentially be used by an attacker to reconstruct the key. The
defenses against this behavior include using a key hierarchy to ensure that master or
key-encryption keys are not over-used and the appropriate rotation of keys that do
encrypt volumes of data. To be tractable, both these solutions require competent
key-management strategies: if (for example) a retired encryption key cannot be
recovered, the data is potentially lost.

Attribution data

Unlike asymmetric (public-key) Certificates, symmetric keys do not have embedded
metadata to record information such as expiry date or an Access Control List to
indicate the use the key may be put to - to Encrypt but not Decrypt for example.

The latter issue is somewhat addressed by standards such as ANSI X9-31 where a
key can be bound to information prescribing its usage. But for full control over what a
key can be used for and when it can be used, a key-management system is
required.

Key Management at large scale


Where only a few keys are involved in a scheme (tens to low hundreds), the management
overhead is modest and can be handled through manual, human activity. However, with a
large estate, tracking the expiration and arranging rotation of keys quickly becomes
impractical.

Consider an EMV payment card deployment: millions of cards multiplied by several
keys-per-card requires a dedicated provision and key-management system.
Problems with Symmetric Algorithms
One big issue with using symmetric algorithms is the key exchange problem, which can
present a classic catch-22. The other main issue is the problem of trust between two parties
that share a secret symmetric key. Problems of trust may be encountered when encryption is
used for authentication and integrity checking. As we saw in Chapter 3, a symmetric key can
be used to verify the identity of the other communicating party, but as we will now see, this
requires that one party trust the other.

The Key Exchange Problem


The key exchange problem arises from the fact that communicating parties must somehow
share a secret key before any secure communication can be initiated, and both parties must
then ensure that the key remains secret. Of course, direct key exchange is not always
feasible due to risk, inconvenience, and cost factors. The catch-22 analogy refers to the
question of how to securely communicate a shared key before any secure communication
can be initiated.

In some situations, direct key exchange is possible; however, much commercial data
exchange now takes place between parties that have never previously communicated with
one another, and there is no opportunity to exchange keys in advance. These parties
generally do not know one another sufficiently to establish the required trust (a problem
described in the next section) to use symmetric algorithms for authentication purposes
either. With the explosive growth of the Internet, it is now very often a requirement that
parties who have never previously communicated be able to spontaneously communicate
with each other in a secure and authenticated manner. Fortunately, this issue can be dealt
with effectively by using asymmetric algorithms. 1

The Trust Problem


Ensuring the integrity of received data and verifying the identity of the source of that data
can be very important. For example, if the data happens to be a contract or a financial
transaction, much may be at stake. To varying degrees, these issues can even be legally
important for ordinary email correspondence, since criminal investigations often center
around who knew what and when they knew it. A symmetric key can be used to check the
identity of the individual who originated a particular set of data, but this authentication
scheme can encounter some thorny problems involving trust.

Solving the key exchange problem


The solution to last week's key exchange puzzle can teach you something about
how cryptographic key exchange works.
In last week’s article, The key exchange puzzle, I shared a problem with a known
solution with you. The solution to this puzzle demonstrates the Diffie-Hellman key
exchange protocol. Click the link to the key exchange puzzle to see the original
puzzle if you haven’t already, and come back when you’re done, so you won’t
have the fun spoiled for you.

The Solution
The answer is actually rather simple, but non-obvious:

• Put your secret message in a box, and lock it. Keep the key, and send the box to me.
• When I receive the box, I’ll put my own lock on the box as well, and keep the key for it,
then send the box back to you.
• When you get the box back with two locks on it, you use your key to unlock your lock
and take it off, then send the box back to me.
• I can now unlock my lock on the box with my key, and there are no longer any locks on
the box. I now have access to the secret message inside.
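
The four box-and-lock steps above, written out as an added example (not code from the article). The lock used here is exponentiation modulo a public prime, which is Shamir's three-pass construction and an assumption of this example, since the article itself names only Diffie-Hellman; the prime and the sample message are constructed. The second function repeats the steps with XOR pads to show that a lock which merely commutes is not enough.

```python
# Added illustration, not from the article: the box-and-lock steps with
# commutative "locks" built from modular exponentiation (toy parameters).
import secrets
from math import gcd

PRIME = 2**127 - 1   # public Mersenne prime, chosen for readability


def new_lock():
    """Pick a private exponent k coprime to PRIME - 1, plus its inverse (the key)."""
    while True:
        k = secrets.randbelow(PRIME - 3) + 2
        if gcd(k, PRIME - 1) == 1:
            return k, pow(k, -1, PRIME - 1)   # modular inverse, Python 3.8+


def lock(box, k):
    """Put a lock on the box: raise to the private exponent."""
    return pow(box, k, PRIME)


def unlock(box, k_inv):
    """Remove one's own lock: raise to the inverse exponent."""
    return pow(box, k_inv, PRIME)


def three_pass(message):
    """Return (message the receiver ends with, the three values on the wire).

    message must be an integer in the range 1 .. PRIME - 1.
    """
    a, a_inv = new_lock()             # sender's lock and key
    b, b_inv = new_lock()             # receiver's lock and key
    step1 = lock(message, a)          # sender -> receiver: one lock on the box
    step2 = lock(step1, b)            # receiver -> sender: two locks
    step3 = unlock(step2, a_inv)      # sender -> receiver: receiver's lock only
    return unlock(step3, b_inv), (step1, step2, step3)


def three_pass_xor(message, bits=128):
    """Same steps with XOR pads as locks.

    XOR locks commute, so the receiver still gets the message, but the three
    wire values XOR together to the message: this lock gives no secrecy.
    Returns (message the receiver ends with, XOR of the three wire values).
    """
    a, b = secrets.randbits(bits), secrets.randbits(bits)
    step1 = message ^ a
    step2 = step1 ^ b
    step3 = step2 ^ a
    return step3 ^ b, step1 ^ step2 ^ step3


if __name__ == "__main__":
    msg = int.from_bytes(b"session key", "big")   # constructed sample message
    received, wire = three_pass(msg)
    print("exponentiation locks delivered:", received == msg)
    print("message visible on the wire:", msg in wire)
    received, leaked = three_pass_xor(msg)
    print("XOR locks delivered:", received == msg, "and leaked:", leaked == msg)
```

Neither version authenticates the other party, so the exchange only resists a passive listener.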

(~~~~~~~)
