CCS354 Network Security
IAT-2
2 MARKS-Q&A
1. List the four EAP authentication methods.
EAP-TLS (EAP Transport Layer Security)
EAP-TTLS (EAP Tunneled TLS)
EAP-GPSK (EAP Generalized Pre-Shared Key)
EAP-IKEv2
2. Describe HTTPS.
HTTPS (HTTP over SSL) refers to the combination of HTTP and SSL to implement
secure communication between a Web browser and a Web server.
The HTTPS capability is built into all modern Web browsers. Its use depends
on the Web server supporting HTTPS communication.
For example, some search engines do not support HTTPS. Google provides HTTPS
as an option: https://google.com.
3. Define Network Access Control.
Network access control (NAC) is an umbrella term for managing access to a network.
NAC authenticates users logging into the network and determines what data they can
access and actions they can perform. NAC also examines the health of the user’s
computer or mobile device. Network access control comes with a number of benefits
for organizations.
4. List the Elements of a Network Access Control System.
NAC systems deal with three categories of components:
Access requestor (AR):
The AR is the node that is attempting to access the network and may be any device
that is managed by the NAC system, including workstations, servers, printers, cameras, and
other IP-enabled devices. ARs are also referred to as supplicants, or simply, clients.
Policy server:
Based on the AR’s posture and an enterprise’s defined policy, the policy server
determines what access should be granted. The policy server often relies on backend systems,
including antivirus, patch management, or a user directory, to help determine the host’s
condition.
Network access server (NAS):
The NAS functions as an access control point for users in remote locations
connecting to an enterprise’s internal network. Also called a media gateway, a remote access
server (RAS), or a policy server, an NAS may include its own authentication services or rely
on a separate authentication service from the policy server.
5. Describe EAP.
The Extensible Authentication Protocol (EAP), defined in RFC 3748, acts as a
framework for network access and authentication protocols. EAP provides a set of
protocol messages that can encapsulate various authentication methods to be used
between a client and an authentication server. EAP can operate over a variety of
network and link level facilities, including point-to-point links, LANs, and other
networks, and can accommodate the authentication needs of the various links and
networks.
6. Write the IP security services.
Access control
Connectionless integrity
Data origin authentication
Rejection of replayed packets (a form of partial sequence integrity)
Confidentiality (encryption)
Limited traffic flow confidentiality
7. Write any three authentication methods that can be used with IKE key
determination.
Digital signatures: The exchange is authenticated by signing a mutually obtainable
hash; each party encrypts the hash with its private key. The hash is generated over
important parameters, such as user IDs and nonces.
Public-key encryption: The exchange is authenticated by encrypting parameters such
as IDs and nonces with the sender’s private key.
Symmetric-key encryption: A key derived by some out-of-band mechanism can be
used to authenticate the exchange by symmetric encryption of exchange parameters.
8. List the protocols used to provide IP security.
1. An IP packet consists of two parts, the IP header and the data. IPSec features are
incorporated into an additional IP header called an extension header. Different extension
headers are used for different services.
2. IPSec defines two protocols:
   1. Authentication Header (AH)
   2. Encapsulating Security Payload (ESP)
9. Identify any three protocols that typically run on top of TCP in SSH.
10. Write Short notes on DKIM
DomainKeys Identified Mail (DKIM) is a specification for cryptographically signing
e-mail messages, permitting a signing domain to claim responsibility for a message in
the mail stream.
DKIM has been widely adopted by a range of e-mail providers, including
corporations, government agencies, Gmail, Yahoo, and many Internet Service
Providers (ISPs).
11. Write the features of SSL.
SSL server authentication, allowing a user to confirm a server’s identity.
SSL client authentication, allowing a server to confirm a user’s identity.
An encrypted SSL session in which all information sent between browser and server
is encrypted by the sending software and decrypted by the receiving software.
SSL supports multiple cryptographic algorithms.
12. Write the principal elements of a Mobile Device Security strategy.
Device Security
Traffic Security
Barrier Security
13. List the threats to a wireless network.
14. Give the steps for preparing envelope data MIME.
The steps for preparing an enveloped Data MIME entity are
Generate a pseudorandom session key for a particular symmetric encryption
algorithm.
For each recipient, encrypt the session key with the recipient’s public RSA key.
Prepare a block for each recipient. This block is known as RecipientInfo, which contains
the sender public-key certificate, an identifier of the algorithm used to encrypt the
session key, and the encrypted session key.
Encrypt the message content with the session key.
Enveloped data is encoded into base64. A sample message is as follows:
Content-Type: application/pkcs7-mime;
    smime-type=enveloped-data;
    name=smime.p7m
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename=smime.p7m

Rfvbn756tbBghyHhHUujhJhjH77n8HHGT9HG4VQpfyF467GhIGfHfYT6
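The enveloped-data steps above, as an added example that is not part of the original notes. It assumes Node.js, uses JSON in place of the real CMS/ASN.1 encoding, and picks RSA-OAEP and AES-256-CBC for illustration; `makeRecipient`, `envelope`, `openEnvelope` and `certId` are hypothetical names.

```javascript
// Added example: structural model of S/MIME enveloped data (JSON stands in for CMS/ASN.1).
const crypto = require('node:crypto');
const OAEP = crypto.constants.RSA_PKCS1_OAEP_PADDING;

// Constructed recipient: a fresh RSA key pair stands in for a certificate.
function makeRecipient(certId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  return { certId, publicKey, privateKey };
}

function envelope(message, recipients) {
  // Step 1: pseudorandom session key (and IV) for the symmetric algorithm.
  const sessionKey = crypto.randomBytes(32);
  const iv = crypto.randomBytes(16);
  // Steps 2-3: one RecipientInfo per recipient, each wrapping the same session key.
  const recipientInfos = recipients.map((r) => ({
    certId: r.certId,
    keyEncAlg: 'rsa-oaep',
    encryptedKey: crypto
      .publicEncrypt({ key: r.publicKey, padding: OAEP }, sessionKey)
      .toString('base64'),
  }));
  // Step 4: the content is encrypted once, under the session key.
  const c = crypto.createCipheriv('aes-256-cbc', sessionKey, iv);
  const ct = Buffer.concat([c.update(message, 'utf8'), c.final()]);
  const body = JSON.stringify({
    recipientInfos, iv: iv.toString('base64'), content: ct.toString('base64'),
  });
  // Step 5: base64-encode the enveloped data and attach the MIME headers.
  return [
    'Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name=smime.p7m',
    'Content-Transfer-Encoding: base64',
    'Content-Disposition: attachment; filename=smime.p7m',
    '',
    Buffer.from(body).toString('base64').replace(/(.{64})/g, '$1\r\n'),
  ].join('\r\n');
}

// Recipient side: find own RecipientInfo, unwrap the session key, decrypt the content.
function openEnvelope(entity, recipient) {
  const b64 = entity.slice(entity.indexOf('\r\n\r\n') + 4).replace(/\s+/g, '');
  const env = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  const info = env.recipientInfos.find((ri) => ri.certId === recipient.certId);
  if (!info) throw new Error('no RecipientInfo for ' + recipient.certId);
  const key = crypto.privateDecrypt(
    { key: recipient.privateKey, padding: OAEP }, Buffer.from(info.encryptedKey, 'base64'));
  const d = crypto.createDecipheriv('aes-256-cbc', key, Buffer.from(env.iv, 'base64'));
  return Buffer.concat([d.update(Buffer.from(env.content, 'base64')), d.final()]).toString('utf8');
}
```

Enveloping gives confidentiality only: nothing in this structure authenticates the sender or the ciphertext, which is why signing is a separate S/MIME function.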
15. List the services provided by PGP.
Authentication
Confidentiality
Compression
E-mail Compatibility
Segmentation
16. Write the cryptographic keys used in PGP.
PGP makes use of four types of keys
1. One-time session conventional keys
2. Public keys
3. Private keys
4. Passphrase-based conventional keys
17. List some security threats related to Mobile Devices.
Lack of Physical Security Controls
Use of Untrusted Mobile Devices
Use of Untrusted Networks
Use of Applications Created By Unknown Parties
Interaction with Other Systems
Use of Untrusted Content
Use of Location Service
18. Give the headers fields defined in MIME.
MIME-Version
Content-Type
Content-Transfer-Encoding
Content-ID
Content-Description
19. Write the key algorithms used in S/MIME.
1. S/MIME incorporates three public key algorithms
Digital Signature Standard (DSS)
Diffie-Hellman
Triple DES
2. RFC 2119 specifies the requirement level for S/MIME.
MUST
SHOULD
20. Describe key Identifier.
The PGP protocol solves this problem by using the notion of relatively short key
identifiers (key IDs) and requiring that every PGP agent maintain its own list of
private/public keys, along with their associated key identifiers, for all the email
correspondents.
The former list is known as the private key ring and the latter as the public key ring. The
keys for a particular user are uniquely identifiable through a combination of the user
ID and the key ID. The key ID associated with a public key consists of its least
significant 64 bits.
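Key rings indexed by user ID and key ID, as an added example that is not part of the original notes and not a real OpenPGP implementation. It assumes Node.js, takes "the public key" to be the RSA modulus when computing the key ID, and encrypts the text directly with RSA for brevity; `KeyRing`, `keyId`, `send` and `receive` are hypothetical names.

```javascript
// Added example: PGP-style key rings indexed by (user ID, 64-bit key ID).
const crypto = require('node:crypto');

// Key ID as the notes define it: the least significant 64 bits of the public key.
// Assumption of this example: for RSA, that is taken over the modulus n.
function keyId(publicKey) {
  const n = Buffer.from(publicKey.export({ format: 'jwk' }).n, 'base64url');
  return n.subarray(n.length - 8).toString('hex').toUpperCase();
}

class KeyRing {
  constructor() { this.entries = []; }
  // Accepts public or private key objects; the ID is always derived from the public half.
  add(userId, key) {
    const id = keyId(key.type === 'private' ? crypto.createPublicKey(key) : key);
    this.entries.push({ userId, keyId: id, key });
    return id;
  }
  // A user may own several key pairs, so lookup needs user ID and key ID together.
  find(userId, id) {
    const hit = this.entries.find((e) => e.userId === userId && e.keyId === id);
    if (!hit) throw new Error(`no key ${id} for ${userId}`);
    return hit.key;
  }
}

// Sender: encrypt to one of the recipient's public keys and send its key ID along.
function send(publicRing, userId, id, text) {
  const ciphertext = crypto.publicEncrypt(publicRing.find(userId, id), Buffer.from(text));
  return { recipientKeyId: id, ciphertext };
}

// Recipient: the key ID carried in the message selects the matching private key.
function receive(privateRing, userId, msg) {
  const key = privateRing.find(userId, msg.recipientKeyId);
  return crypto.privateDecrypt(key, msg.ciphertext).toString();
}
```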