Chap5_2

Question 1

S-BGP:

Answer 1

Secure BGP

Question 2

S-BGP makes three major additions to BGP

Answer 2

1-) It introduces a Public Key Infrastructure (PKI)
2-) A new transitive attribute is introduced to BGP updates. That attribute ensures the authorization of routing UPDATEs
3-) All routing message can be secured using IPsec, if routing confidentiality is a requirement.

Question 3

Address Attestations (AA)

Answer 3

Owner of one or more prefixes certifies that the origin
AS is authorized to advertise the prefixes
 Need a public-key infrastructure (PKI)

Question 4

Route Attestations (RA)

Attestation= proof

 Need a ………… public-key infrastructure - Certificates

Answer 4

 Router belonging to an AS (autonomous system) certifies that the next AS is authorized to propagate this route to its neighbors

 Need a separate public-key infrastructure - Certificates

Question 5

S-BGP Protocol Operation

Answer 5

 When generating an UPDATE, a router
generates a new RA that encompasses the path
and prefixes plus the AS number of the neighbor AS
 When receiving an UPDATE from a neighbor, it
 Verifies that its AS # is in the first RA
 Validates the signature on each RA in the UPDATE,
verifying that the signer represents the AS # in the
path
 Checks the corresponding AA to verify that the
origin AS was authorized to advertise the prefix by
the prefix “owner”

Question 6

Slide 6

Answer 6

TRUE

Question 7

Limitations of S-BGP

Answer 7

 Hierarchical PKI trusted by all participating ISPs.
 cryptographically intensive
 Routers may need a large memory space
 S-BGP cannot prevent “collusion attacks” (or the wormhole attack). Such attacks are possible when two compromised routers fake the presence of a direct link between them. For the rest of the Internet, it then appears as if those two ASes are connected

Question 8

Which security features most

desirable for e-mail?

Answer 8

 Confidentiality
 Integrity
 Authentication

Question 9

Confidentiality in E-mail is done by

Answer 9

 Secret key cryptography

 Public key cryptography

 Symmetric session key

Question 10

 Alice wants to send confidential e-mail, m, to Bob

Answer 10

Alice:
 Generates random symmetric session key, KS
.
 Encrypts message with KS
(for efficiency)
 Also encrypts KS with Bob’s public key.
 Sends both KS
(m) and KB
(KS) to Bob.
 Bob:
 Uses his private key to decrypt and recover KS
 Uses KS to decrypt KS(m) to recover m

Question 11

 Alice wants to provide sender authentication, message integrity.

Answer 11

 Alice:
 Applies a hash function to obtain a message digest
 Digitally signs with her private key
 Sends both message (in the clear) and digital signature.

Bob:
 Applies Alice’s public key to obtain a message digest;
 Compares with his own hash of the message;
 if same, pretty confident that the message came from Alice
and is unaltered.

Question 12

Alice wants to provide confidentiality, sender authentication, message integrity.

Answer 12

 Note: Alice uses three keys: her private key, Bob’s public key, newly created symmetric key

Question 13

Secure e-mail

One more important issue

Answer 13

 Requires
 Alice to obtain Bob’s public key
 Bob to obtain Alice’s public key
 Public Key management and distribution
 Publish at web page
 Send email
 Certificate authority

Question 14

Pretty Good Privacy (PGP)
 Internet e-mail encryption scheme, de-facto standard
 Uses symmetric key cryptography, public key
cryptography, hash function, and digital signature as
described
 Provides secrecy, sender authentication, integrity

Answer 14

TRUE

Question 15

PGP Operational Description

 Consist of five services:

Answer 15

 Authentication and integrity
 Confidentiality
 Compression
 E-mail compatibility
 Segmentation

Question 16

Slide 26-27

Answer 16

TRUE

Question 17

Why is PGP Popular?

Answer 17

It is available free on a variety of platforms.
 Based on well known algorithms
 Wide range of applicability
 Not developed or controlled by governmental
or standards organizations

Question 18

S/MIME

Answer 18

 Secure/Multipurpose Internet Mail Extension
 S/MIME will probably emerge as the industry
standard
 PGP for personal e-mail securit

Question 19

SSL

Answer 19

Secure Socket Layer
SSL is considered a presentation layer protocol
Can be used by any application

Question 20

TLS

Answer 20

Transport Layer Security

Question 21

HTTPs

Answer 21

HTTP + SSL

Question 22

SSL runs above ……. and below …….

Answer 22

SSL runs above TCP/IP and below high-level application protocols

Question 23

SSL server authentication allows a user to confirm a …….. identity

Answer 23

server’s

Question 24

SSL client authentication allows a server to confirm a ………… identity

Answer 24

user’s

Question 25

An encrypted SSL connection allows ............... , and detects .........

Answer 25

confidentiality tampering

Question 26

SSL Services

Answer 26

 Fragmentation: Divide data into blocks of 214 bytes or less  Compression: Using negotiated lossless compression method. (Optional)  Message Integrity: Keyed Hash to create MAC  Confidentiality: Data and MAC encrypted using symmetric cryptography  Framing: Add header

Question 27

SSL Record Protocol

Answer 27

 When an SSL connection is in place, all browser-toserver and server-to-browser are encrypted, including:  The URL of the requested document  The contents of the requested documents  The contents of any submitted fill-out forms  Cookies sent from browser to server  Cookies sent from server to browser  The contents of the HTTP header

Question 28

SSL Handshake Protocol

Answer 28

 Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.  Authenticate the server to the client.  Authenticate the client to the server (optionally)  Use public-key encryption techniques to generate shared secrets.  Establish an encrypted SSL connection.

Question 29

Slide 52

Answer 29

TRUE

Question 30

SSL Cipher Suites

Answer 30

 Combination of key exchange, hash and encryption algorithm | defines a cipher suite for the SSL session

Question 31

ChangeCipherSpec Protocol

Answer 31

ChangeCipherSpec message is sent to signal that the | security parameters can be used

Question 32

Alert Protocol

Answer 32

 Used by SSL to report errors and abnormal conditions  The alert message describes the problem and its level (warning or fatal)

Question 33

SSL-Summary

Answer 33

 Transport layer security to any TCP-based app using SSL services.  Used between Web browsers, servers for ecommerce.  Security services: server authentication - data encryption - client authentication (optional)  Server authentication:  SSL-enabled browser includes public keys for trusted CAs.  Browser requests server certificate, issued by trusted CA.  Browser uses CA’s public key to extract server’s public key from certificate.  Check your browser’s security menu to see its trusted CAs.

Question 34

Encrypted SSL session:

Answer 34

 Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server.  Using private key, server decrypts session key.  Browser, server know session key: All data sent into TCP socket (by client or server) encrypted with session key.  SSL can be used for non-Web applications, ex. IMAP.  Client authentication can be done with client certificates

Question 35

Transport Layer Security (TLS

Answer 35

 TLS is the IETF standard version of SSL

Question 36

TLS vs SSL

Answer 36

Differences in the:  Version number  Cipher suites: TLS doesn’t support all suites  Generation of cryptographic secrets more complex in TLS  Alert codes: TLS supports all alerts except NoCertificate. Adds new alerts  Certificate verify and Finished message: Are different  Message authentication code  Pseudorandom function  Client certificate types  Cryptographic computations  Padding placement

Question 37

Secure Electronic Transactions | SET

Answer 37

 An open encryption and security specification. |  Protect credit card transaction on the Internet.