Units 9-12

Question 1

Explain the difference between pull technology and push technology when dealing with clients in a web application. State one approach to implementing push technology.

Answer 1

• Pull technology: the normal client-server approach where the client receives info/updates in response to a request sent to the server.
• Push technology: the server notifies clients of updates without clients having to make a request each time. Clients register with the server/subscribe to a service. The server may send updates individually or use multicasting.
• Push examples: multipart/x-mixed-replace, UDP, multicast UDP, TCP, messaging services (e.g. JMS).

Question 2

Give an example of a scenario in which you might want to make use of signatures, with a brief explanation of why the service is appropiate.

Answer 2

Scenario: recipient wants to check the sender’s identity.

The sender self-authenticates.

Could be used in communications where little is at stake, or where the recipient trusts the sender to self-authenticate - no thirdparty checking the sender’s identity.

Question 3

Give an example of a scenario in which you might want to make use of certificates, with a brief explanation of why the service is appropiate.

Answer 3

Scenario: the recipient wants to check the sender’s identity and requires third-party checking of the identity.

This might be used in more important communications, for example, where confidential information might be disclosed and it is important to fully authenticate the sender.

Question 4

Describe the main function of the ORB in CORBA.

Answer 4

• implementing an object request broker service;
• locating objects able to meet a software request;
• preparing an object to receive a software request;
• communicating data between two objects taking part in a software interaction.

In terms of support for transparencies:

• location transparency;
• implementation transparency;
• object activation state transparency;
• communication mechanism transparency.

Question 5

List and discuss three additional issues to consider if we wanted to provide access to an interactive web-based information system from mobile devices such as phones or PDAs. Assume the system involves payment processing.

Answer 5

• Limited resources: smaller screen space and other resources, the web tier and client tier would need to allow for different formatting of the interface.
• Communication bandwidth may be limited or more unreliable than with fixed network connections – may require a different interface. Emphasises the need to cope with intermittent communications failure.
• Security issues: interception of mobile communications is, in principle, easier than for fixed lines. Payment processes must be secure.

Question 6

Would you consider XML to be a form of middleware? Explain.

Answer 6

No, because XML is not a layer; it is just a way of representing a communication.

Question 7

Name two security services that are commonly employed in the database tier of the n-tier model and explain how they are put to use in this context.

Answer 7

Confidentiality, used to obscure stored information, e.g., encrypted passwords.

Integrity, used to check contents of stored files or check integrity of database file.

Authentication, used to check whether a user is allowed to access a file or record.

Auditing, used to keep track of actions carried out by users or traffic on a system.

Question 8

State one advantage for each of the following security services:

• Confidentiality
• Integrity
• Authentication
• Auditing

Answer 8

• Confidentiality: enhanced security of records.
• Integrity: increased robustness / security.
• Authentication: reduced risk of unauthorised access / modification etc.
• **Auditing: **increased non-repudiation, i.e. increased ability to determine who is responsible for actions or issues.

Question 9

Explain the difference between a block cipher and a stream cipher.

Answer 9

A block cipher is one that operates on chunks of data at a time, called blocks, whereas a stream cipher operates on a stream of data, typically a bit or a byte at a time.

Question 10

Would you typically use a block cipher or a stream cipher in wireless communication? Explain why.

Answer 10

Stream cipher.

• Computationally cheaper (particularly useful in this context since computing resources and bandwidth are typically more limited)
• Wireless communications are of unpredictable length, likely to suffer from a frequent requirement for padding or truncating if a block cipher is used

Question 11

Scenario: an organisation suffered an attack in which session cookies (containing info that could be used to authenticate a user) were captured and reused by the attackers to enter an existing session.

Briefly explain three security measures (in Java EE or otherwise) that might help to prevent such an attack from happening.

Answer 11

• Use of hash functions (and add salt)
• Use the SSL protocol
• Use end-to-end encryption
• Use a nonce value

(not wholly confident with this - needs more detail - suggestions welcome!)

Question 12

A programmer might use a thin client to implement communication between the client tier and a Java EE server. Give two other approaches that might be used.

Answer 12

Applet client.

Application client.

Question 13

Briefly explain two advantages of applet and application clients compared to a thin client.

Answer 13

Applets and application clients can provide a richer user interface and take some of the processing load away from the server for a more responsive client.

Question 14

True or false?

A message digest algorithm is quite likely to compute very similar message digests for two messages that contain very similar text.

Answer 14

False - A small change in plaintext will result in a significant change in the output message digest.

Question 15

True or false?

A message digest algorithm will compute a different message digest every time it is run using a particular message (containing the same text).

Answer 15

False: A message digest algorithm will compute the same message digest given the same text.

Question 16

True or false?

A recipient of a digitally signed message will have difficulty verifying the signature because its public key may not be available.

Answer 16

True: If the receiver is not already in possession of the sender’s public key then the receiver will not be able to validate the digital signature.

Question 17

One option for client communication is a browser-based, thin client. Briefly explain three limitations of thin clients.

Answer 17

• Browser interface is limited - webpages are limited to text, images, forms; sometimes more complexity required.
• Responsiveness - all processing done on server; could be more responsive if some processing could be done on the client.
• Browser uses request-response protocol (pull technology) - clients do not necessarily know if something on the server has changed.

Question 18

How is the public key used in the SSL communication between the client and server?

Answer 18

Once client and server have validated each other through an exchange of certificates, a shared means of encryption is established, and a public key-based protocol can be used to establish a secret session key. The secret key is then used to encrypt communications, according to the chosen encryption scheme

Question 19

What kind of encryption takes place in SSL communication, end-to-end, or link? Explain your answer.

Answer 19

End- to-end: the sending and receiving nodes of a message implement encryption and decryption using a shared key.

Question 20

Name an example of a protocol in which you would expect to find SSL in use.

Answer 20

HTTPS

FTPs

SMTPs

LDAPs

Question 21

Briefly explain what is meant by loose coupling between components.

Answer 21

A loosely coupled component is insulated from changes in another component due to the presence of a layer of indirection between them.

Question 22

Briefly describe two key differences and two key similarities between RMI and CORBA.

Answer 22

Differences:

• RMI is homogeneous, CORBA is heterogeneous
• RMI uses serialised (flattened) data, CORBA uses CDR
• RMI is a programming technology, CORBA is an integration technology
• RMI is synchronous, CORBA has more varied forms of interaction

Similarities:

• Both are object-oriented middleware
• ORB is similar to the RMI registry
• Both provide location transparency
• Both provide communication transparency
• Both support passing objects by value and by reference

Question 23

What is the difference between strong and weak code mobility?

Answer 23

Strong mobility has the ability to suspend an execution unit at its current site and capture its current state. transmit the execution unit and the code to the new site, and resume execution at exactly the same point in the new site.

Weak mobility is just the ability to move code (not a whole execution unit) between sites.

Question 24

What is SOAP and what is its role in heterogeneous systems?

Answer 24

SOAP is an XML-based protocol supporting communication between distributed systems and widely used in web services.

XML is a form of semantic markup of text. Provided that the communicating parties can process XML, have a shared idea of what a document means and can communicate over some channel (such as HTTP), they can communicate, regardless of the platform or the software implementation language.

Therefore, using SOAP and XML means that complex data structures can be exchanged between two parties using different languages or platforms, as long as there is an agreed-upon XML data description domain dictionary.

Question 25

Explain the difference between internal and external clock synchronization of hosts in a distributed system.

Answer 25

Internal synchronisation: a host compares its clock value with the clocks of other hosts in the same system, so all hosts can ensure that they have approximately the same clock time (which may differ from the correct time/UTC).

External synchronisation: keeping a clock accurate by regular comparisons with a more accurate external time source, such as a close approximation to UTC.

Question 26

What is logical time and in what circumstances might it be useful?

Answer 26

A system of recording time values so as to ensure that the order of events is consistent with causality – i.e. that the cause of an event (such as sending a message) occurs at an earlier logical time than the event itself (the arrival of the message). The time values are not normally related to the actual time shown on local or external clocks.

Used in some situations where synchronisation is not required, or the actual standard time is not needed.

Question 27

What does physical portability mean in the context of mobile computing?

Answer 27

Physical portability means the ability to move the computational device easily from one location to another, e.g. a mobile phone.

Question 28

Explain two problems that physical portability entails and, for each one, mention one hardware or software design challenge that the problem poses.

Answer 28

Screens are smaller: usability and human–computer interaction issues requiring different ways of presenting and inputting information (e.g. use of a stylus, touch screens)

Batteries: need frequent recharging; various techniques can be used to diminish power consumption, e.g. reducing the CPU’s voltage, but that requires new chips to be developed.

Memory: mobile devices have to be more rugged (carried around in pockets) therefore tend to use flash memories (solid state, non-volatile), however flash memories are slower than volatile memory chips and much more expensive (per gigabyte) than hard disks.

Question 29

Briefly explain how a cryptographic hash function could be of use in the following situations:

(i) A client must send an encrypted login and password to a server to authenticate itself. The confidentiality of the client’s credentials and security of the client’s account must be protected.
(ii) Checking the integrity of a message (whether encrypted or not) between client and server.

Answer 29

i) With a hash function, there is no key to be lost and, if the password file is compromised, it is still hard to reverse the encryption. The system may add salt before hashing, so that identical input values do not map to the same hashed value.
ii) Check that the hashed value, also known as a checksum, of a file has not changed. A small change in the file must lead to a change in the hashed value, so that an alteration can be detected. A checksum can be computed at the source of a communication and sent with it. On receipt, the checksum is recomputed with the same hashing algorithm. If they don’t match, it is very likely that the message has been altered in transit.

Question 30

Briefly explain what is meant by a collision and how the strength of a cryptographic hash function is related to collisions when using it.

Answer 30

A collision occurs in a hash function when two or more inputs generate the same output.

The strength of a hash can be quantified according to the likelihood of a collision and according to how much computational effort has to be expended in order to identify such an occurrence.

Question 31

Suppose that we would like a client to be able to employ a variety of authentication mechanisms, depending on the client’s preferred means of authentication, such as biometrics or smartcard. Briefly explain why JAAS (Java Authentication and Authorisation Service) is appropriate in this case.

Answer 31

JAAS provides a Subject class and a Principal interface and allows for a variety of authentication mechanisms.

JAAS provides a separation between the application code and the code performing the authentication. The whole system is highly configurable and ‘stackable’ in that different authentications can be layered on top of each other. The higher-level system need not change if the configuration or manner in which authentication is performed changes. New forms of authentication may be invented and plugged in transparently. The programmer need not know how to deal with the intricacies of individual authentication measures.

Question 32

Suppose that we have chosen to structure messages between our client and server using plain XML (eXtensible Markup Language).

State three advantages that the use of SOAP messsages would have over plain XML.

Answer 32

SOAP provides scope for sending complex information such as structures and objects, and their data, including user-defined data types.

Communicating nodes may take on one or more roles so that they can decide how they should act on the contents of a message, and role information may also be passed within a message.

SOAP automates marshalling and unmarshalling of method parameters and return values, thus supporting the development of APIs for web-based components (which we call web services).

SOAP incorporates an exception handling facility, which would have to be manually programmed if using XML over HTTP without SOAP.

Question 33

BlueTooth is an example of a wireless communication technology. Give the names of three other examples and briefly explain why no single such technology will be suitable for all purposes.

Answer 33

WiFi (LANs), WiMAX (WANs), ZigBee (wireless sensor networks).

Each type has various strengths and weaknesses that make it suitable for a certain purpose but not for all purposes. For example, Bluetooth could be used for wireless sensor networks, but ZigBee has been specially developed to consume less power and allow more connected devices than Bluetooth, so ZigBee is more suitable for wireless sensor networks.

WiMAX is good for long-range networks but would be significantly more expensive to set up for an office or home network compared to WiFi, which is cheaper and easier to set up but not as effective over a wide area.