Chap5_3 Flashcards

1
Q

Secure Electronic Transactions

SET

A

- An open encryption and security specification.
- Protects credit card transactions on the Internet.
- Companies involved:
  - MasterCard, Visa, IBM, Microsoft, Netscape, RSA, Terisa and Verisign
- Not a payment system
- Set of security protocols and formats

2
Q

SET

Services

A

- Provides a secure communication channel in a transaction.
- Provides trust by the use of X.509v3 digital certificates.
- Ensures privacy.

3
Q

SET

Complexity

A

- Specifications defined in 3 books
- Total is 971 pages versus SSL specifications in 63 pages

4
Q

Dual Signature

A

- Merchant does NOT need to know the customer’s credit card number
- Bank does NOT need to know the customer’s order
- Extra protection in terms of privacy by keeping these two items separate
- However, the two items must be linked in a way that can be used to resolve disputes if necessary
- Objective: link two messages that are intended for two different recipients
  - Order info (OI) to the merchant
  - Payment info (PI) to the bank

5
Q

Slide 11

A

TRUE

6
Q

Purchase Request

A
- Purchase request exchange:
  - Initiate Request
  - Initiate Response
  - Purchase Request
  - Purchase Response
7
Q

Slide 19

A

TRUE

8
Q

Slide 20

A

TRUE

9
Q

Secure-HTTP (SHTTP)

A

- Developed by Enterprise Integration Technologies (EIT) Inc.
- A security-enhanced extension of the Hypertext Transfer Protocol
- S-HTTP works at the application level, encrypting the contents of messages relayed between a browser and a server using RSA’s system of public/private key algorithm pairs
- S-HTTP is designed for flexibility, allowing client and server to negotiate the strength and type of encryption to be used
- S-HTTP also authenticates the identity of both client and server by using digital signatures
- Verifies the integrity of the data by using Message Authentication Code (MAC)

10
Q

SSL and S-HTTP

A

- Same: Cryptographic principles (digital envelopes, signed certificates, message digests)
- Different:
  - S-HTTP designed to work with the Web protocols only
  - SSL is a lower-level protocol that can be used to encrypt many types of network connections
- Different:
  - S-HTTP was initially available in a modified version of NCSA Mosaic that users had to purchase
  - SSL was incorporated into a freeware browser
  - S-HTTP sank into oblivion
  - SSL rapidly became the predominant secure protocol on the Web
- SSL and S-HTTP are not mutually exclusive. Because they operate on different levels, the protocols could be layered to “double-encrypt” the data

11
Q

Basic Concepts of SNMP

A

- Most widely used standard is Simple Network Management Protocol (SNMP), published in 1988
- SNMPv1 had very basic security
- SNMPv3 has a more extensive set of security features

12
Q
Key elements of network management:
- Management station
- Management agent
- Management information base
- Network Management protocol: Get, Set and Notify
A

- Management station:
  - Typically stand-alone device
  - Provides interface to human network manager
- Management agent:
  - Is on hosts, bridges, routers, etc.
  - Responds to requests by management station, responds to actions, provides unsolicited information
- Management information base (MIB):
  - Collection of objects (resources in the network)
  - Standardized across systems of particular class (ex. bridges)
- Network Management protocol
  - Links management stations with agents
  - SNMP is the protocol for managing TCP/IP networks

13
Q

SNMP Key Capabilities

A

- Get: Enables management station to retrieve the value of objects at the agent
- Set: Enables management station to set the value of objects at the agent
- Notify: Enables an agent to notify the management station of significant events, also called Trap – an unsolicited message (reporting an alarm condition)

14
Q

SNMP Operates over

A

UDP

15
Q

SSH

SSH is a protocol for secure remote login and other secure network services over an insecure network. It consists of three major components:

A

- SSH operates over TCP
- In its simplest mode of operation, it connects to a server, negotiates a shared secret key using Diffie-Hellman, then begins encrypting the session (typically using the Blowfish cipher).
- A username and password are passed over the encrypted session and, if authenticated, the server starts a command shell over the encrypted session.
- In its simplest use, SSH represents a more secure alternative to TELNET

16
Q

Secure File Transfer Protocol (SFTP)

A

- Is a version of FTP that encrypts any commands and data transfers, helping keep your passwords secure and your session private.
- Is a network protocol that provides file transfer and manipulation functionality over any reliable data stream.
- It is typically used with the SSH2 to provide secure file transfer
- But is intended to be usable with other protocols as well
- The protocol is not yet an Internet standard

17
Q

FTP over SSH

A

- Refers to the practice of tunneling a normal FTP session over an SSH connection.
- Because FTP uses multiple TCP connections it is particularly difficult to tunnel over SSH.
- With many SSH clients, attempting to set up a tunnel for the control channel (the initial client-to-server connection on port 21) will protect only that channel
- When data is transferred, the FTP software at either end will set up new TCP connections (data channels) which will bypass the SSH connection, and thus have no protection
- If the FTP client is configured to use passive mode it is possible to run all the FTP channels over the SSH connection
- Otherwise, it is necessary for the SSH client software to have specific knowledge of the FTP protocol, and monitor and rewrite FTP control channel messages and autonomously open new forwarding for FTP data channels.
- FTP over SSH is sometimes referred to as secure FT