Chap5_2

Question 1

S-BGP:

Answer 1

Secure BGP

Question 2

S-BGP makes three major additions to BGP

Answer 2

1-) It introduces a Public Key Infrastructure (PKI)
2-) A new transitive attribute is introduced to BGP updates. That attribute ensures the authorization of routing UPDATEs
3-) All routing message can be secured using IPsec, if routing confidentiality is a requirement.

Question 3

Address Attestations (AA)

Answer 3

Owner of one or more prefixes certifies that the origin
AS is authorized to advertise the prefixes
 Need a public-key infrastructure (PKI)

Question 4

Route Attestations (RA)

Attestation= proof

 Need a ………… public-key infrastructure - Certificates

Answer 4

 Router belonging to an AS (autonomous system) certifies that the next AS is authorized to propagate this route to its neighbors

 Need a separate public-key infrastructure - Certificates

Question 5

S-BGP Protocol Operation

Answer 5

 When generating an UPDATE, a router
generates a new RA that encompasses the path
and prefixes plus the AS number of the neighbor AS
 When receiving an UPDATE from a neighbor, it
 Verifies that its AS # is in the first RA
 Validates the signature on each RA in the UPDATE,
verifying that the signer represents the AS # in the
path
 Checks the corresponding AA to verify that the
origin AS was authorized to advertise the prefix by
the prefix “owner”

Question 6

Slide 6

Answer 6

TRUE

Question 7

Limitations of S-BGP

Answer 7

 Hierarchical PKI trusted by all participating ISPs.
 cryptographically intensive
 Routers may need a large memory space
 S-BGP cannot prevent “collusion attacks” (or the wormhole attack). Such attacks are possible when two compromised routers fake the presence of a direct link between them. For the rest of the Internet, it then appears as if those two ASes are connected

Question 8

Which security features most

desirable for e-mail?

Answer 8

 Confidentiality
 Integrity
 Authentication

Question 9

Confidentiality in E-mail is done by

Answer 9

 Secret key cryptography

 Public key cryptography

 Symmetric session key

Question 10

 Alice wants to send confidential e-mail, m, to Bob

Answer 10

Alice:
 Generates random symmetric session key, KS
.
 Encrypts message with KS
(for efficiency)
 Also encrypts KS with Bob’s public key.
 Sends both KS
(m) and KB
(KS) to Bob.
 Bob:
 Uses his private key to decrypt and recover KS
 Uses KS to decrypt KS(m) to recover m

Question 11

 Alice wants to provide sender authentication, message integrity.

Answer 11

 Alice:
 Applies a hash function to obtain a message digest
 Digitally signs with her private key
 Sends both message (in the clear) and digital signature.

Bob:
 Applies Alice’s public key to obtain a message digest;
 Compares with his own hash of the message;
 if same, pretty confident that the message came from Alice
and is unaltered.

Question 12

Alice wants to provide confidentiality, sender authentication, message integrity.

Answer 12

 Note: Alice uses three keys: her private key, Bob’s public key, newly created symmetric key

Question 13

Secure e-mail

One more important issue

Answer 13

 Requires
 Alice to obtain Bob’s public key
 Bob to obtain Alice’s public key
 Public Key management and distribution
 Publish at web page
 Send email
 Certificate authority

Question 14

Pretty Good Privacy (PGP)
 Internet e-mail encryption scheme, de-facto standard
 Uses symmetric key cryptography, public key
cryptography, hash function, and digital signature as
described
 Provides secrecy, sender authentication, integrity

Answer 14

TRUE

Question 15

PGP Operational Description

 Consist of five services:

Answer 15

 Authentication and integrity
 Confidentiality
 Compression
 E-mail compatibility
 Segmentation

Question 16

Slide 26-27

Answer 16

TRUE

Question 17

Why is PGP Popular?

Answer 17

It is available free on a variety of platforms.
 Based on well known algorithms
 Wide range of applicability
 Not developed or controlled by governmental
or standards organizations

Question 18

S/MIME

Answer 18

 Secure/Multipurpose Internet Mail Extension
 S/MIME will probably emerge as the industry
standard
 PGP for personal e-mail securit

Question 19

SSL

Answer 19

Secure Socket Layer
SSL is considered a presentation layer protocol
Can be used by any application

Question 20

TLS

Answer 20

Transport Layer Security

Question 21

HTTPs

Answer 21

HTTP + SSL

Question 22

SSL runs above ……. and below …….

Answer 22

SSL runs above TCP/IP and below high-level application protocols

Question 23

SSL server authentication allows a user to confirm a …….. identity

Answer 23

server’s

Question 24

SSL client authentication allows a server to confirm a ………… identity

Answer 24

user’s

Question 25

An encrypted SSL connection allows …………… , and detects ………

Answer 25

confidentiality

tampering

Question 26

SSL Services

Answer 26

 Fragmentation: Divide data into blocks of 214 bytes or
less
 Compression: Using negotiated lossless compression
method. (Optional)
 Message Integrity: Keyed Hash to create MAC
 Confidentiality: Data and MAC encrypted using
symmetric cryptography
 Framing: Add header

Question 27

SSL Record Protocol

Answer 27

 When an SSL connection is in place, all browser-toserver and server-to-browser are encrypted, including:

 The URL of the requested document
 The contents of the requested documents
 The contents of any submitted fill-out forms
 Cookies sent from browser to server
 Cookies sent from server to browser
 The contents of the HTTP header

Question 28

SSL Handshake Protocol

Answer 28

 Allow the client and server to select the cryptographic
algorithms, or ciphers, that they both support.
 Authenticate the server to the client.
 Authenticate the client to the server (optionally)
 Use public-key encryption techniques to generate
shared secrets.
 Establish an encrypted SSL connection.

Question 29

Slide 52

Answer 29

TRUE

Question 30

SSL Cipher Suites

Answer 30

 Combination of key exchange, hash and encryption algorithm

defines a cipher suite for the SSL session

Question 31

ChangeCipherSpec Protocol

Answer 31

ChangeCipherSpec message is sent to signal that the

security parameters can be used

Question 32

Alert Protocol

Answer 32

 Used by SSL to report errors and abnormal conditions
 The alert message describes the problem and its level
(warning or fatal)

Question 33

SSL-Summary

Answer 33

 Transport layer security to any TCP-based app using
SSL services.
 Used between Web browsers, servers for ecommerce.
 Security services: server authentication - data
encryption - client authentication (optional)
 Server authentication:
 SSL-enabled browser includes public keys for trusted CAs.
 Browser requests server certificate, issued by trusted CA.
 Browser uses CA’s public key to extract server’s public key from
certificate.
 Check your browser’s security menu to see its trusted
CAs.

Question 34

Encrypted SSL session:

Answer 34

 Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server.
 Using private key, server decrypts session key.
 Browser, server know session key: All data sent into TCP socket (by client or server) encrypted with session key.
 SSL can be used for non-Web applications, ex. IMAP.
 Client authentication can be done with client certificates

Question 35

Transport Layer Security (TLS

Answer 35

 TLS is the IETF standard version of SSL

Question 36

TLS vs SSL

Answer 36

Differences in the:
 Version number
 Cipher suites: TLS doesn’t support all suites
 Generation of cryptographic secrets more complex in TLS
 Alert codes: TLS supports all alerts except NoCertificate.
Adds new alerts
 Certificate verify and Finished message: Are different
 Message authentication code
 Pseudorandom function
 Client certificate types
 Cryptographic computations
 Padding placement

Question 37

Secure Electronic Transactions

SET

Answer 37

 An open encryption and security specification.

 Protect credit card transaction on the Internet.