Units 9-12 Flashcards
Explain the difference between pull technology and push technology when dealing with clients in a web application. State one approach to implementing push technology.
- Pull technology: the normal client-server approach where the client receives info/updates in response to a request sent to the server.
- Push technology: the server notifies clients of updates without clients having to make a request each time. Clients register with the server/subscribe to a service. The server may send updates individually or use multicasting.
- Approaches to implementing push: HTTP server push using the multipart/x-mixed-replace content type, raw UDP, multicast UDP, a long-lived TCP connection, or a messaging service (e.g. JMS publish/subscribe).
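The register-then-notify pattern described above, as an added Go example (not code from the course or the flashcards): clients subscribe once to an in-process hub and receive every later update without polling, with both the multicast (Publish) and the individual (Send) delivery cases. The hub, subscriber names and buffer sizes are all constructed for the demo.

```go
package main

import (
	"fmt"
	"sync"
)

// Hub is a minimal in-process "push" server: a client registers once and
// thereafter receives updates without issuing a request for each one.
type Hub struct {
	mu   sync.Mutex
	subs map[string]chan string // subscriber name -> delivery channel
}

func NewHub() *Hub {
	return &Hub{subs: make(map[string]chan string)}
}

// Subscribe registers a client and returns the channel its updates arrive on.
// The buffer lets the server carry on if a client is momentarily slow.
func (h *Hub) Subscribe(name string, buffer int) <-chan string {
	ch := make(chan string, buffer)
	h.mu.Lock()
	h.subs[name] = ch
	h.mu.Unlock()
	return ch
}

// Unsubscribe removes the client and closes its channel so a receiver that
// is ranging over it terminates cleanly.
func (h *Hub) Unsubscribe(name string) {
	h.mu.Lock()
	defer h.mu.Unlock()
	if ch, ok := h.subs[name]; ok {
		close(ch)
		delete(h.subs, name)
	}
}

// Publish fans one update out to every subscriber (the multicast case).
// A subscriber whose buffer is full is skipped rather than blocking the
// server; the return value is how many subscribers actually received it.
func (h *Hub) Publish(update string) int {
	h.mu.Lock()
	defer h.mu.Unlock()
	delivered := 0
	for _, ch := range h.subs {
		select {
		case ch <- update:
			delivered++
		default: // slow client: drop this update for it
		}
	}
	return delivered
}

// Send targets a single subscriber (the individual-update case).
func (h *Hub) Send(name, update string) bool {
	h.mu.Lock()
	defer h.mu.Unlock()
	ch, ok := h.subs[name]
	if !ok {
		return false
	}
	select {
	case ch <- update:
		return true
	default:
		return false
	}
}

func main() {
	hub := NewHub()
	alice := hub.Subscribe("alice", 4)
	bob := hub.Subscribe("bob", 4)
	hub.Publish("price: 101")          // everyone gets this
	hub.Send("bob", "your order shipped") // only bob gets this
	fmt.Println("alice:", <-alice)
	fmt.Println("bob:", <-bob, "|", <-bob)
	hub.Unsubscribe("alice")
	hub.Unsubscribe("bob")
}
```

The non-blocking send in Publish is the point a practitioner cares about: a push server must decide what to do with a slow or dead subscriber, and silently blocking the whole fan-out on one of them is the usual failure mode.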
Give an example of a scenario in which you might want to make use of signatures, with a brief explanation of why the service is appropriate.
Scenario: the recipient wants to check the sender's identity and that the message has not been altered in transit.
The sender self-authenticates: the signature proves that the holder of the private key matching a given public key produced the message, but nothing vouches for whose key that is.
Could be used in communications where little is at stake, or where the recipient already trusts the sender's public key and so is content to let the sender self-authenticate - no third party checks the sender's identity.
Give an example of a scenario in which you might want to make use of certificates, with a brief explanation of why the service is appropriate.
Scenario: the recipient wants to check the sender's identity and requires third-party checking of that identity, i.e. a certification authority that vouches for the binding between the sender's name and public key.
This might be used in more important communications, for example, where confidential information might be disclosed and it is important to fully authenticate the sender.
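The two preceding flashcards side by side, as an added Go example (not code from the course or the flashcards): a plain signature is verified with nothing more than a public key, and a certificate adds the third-party check by requiring the sender's key to be vouched for by a CA the recipient already trusts. The CA name, the sender name and the message are constructed for the demo; real deployments would load the CA certificate from configuration rather than generate it in the same process.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// GenerateKey makes a fresh Ed25519 key pair (panics only on a broken RNG).
func GenerateKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignMessage / VerifyMessage: the sender self-authenticates. Anyone holding
// pub can check the signature, but nothing here says who pub belongs to; the
// recipient has to trust on its own that this really is the sender's key.
func SignMessage(priv ed25519.PrivateKey, msg []byte) []byte {
	return ed25519.Sign(priv, msg)
}

func VerifyMessage(pub ed25519.PublicKey, msg, sig []byte) bool {
	return ed25519.Verify(pub, msg, sig)
}

// NewCert issues a certificate binding cn to pub. With signer == nil it is
// self-signed (a root CA); otherwise the CA's key signs it, vouching for the
// name-to-key binding.
func NewCert(cn string, pub ed25519.PublicKey, isCA bool, signer *x509.Certificate, signerKey ed25519.PrivateKey) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // keep it positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	parent := tmpl
	if signer != nil {
		parent = signer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyWithCA is the third-party check: the recipient trusts only the CA it
// was configured with and accepts the sender's certificate only if that CA
// signed it.
func VerifyWithCA(ca, sender *x509.Certificate) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := sender.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

func main() {
	pub, priv := GenerateKey()
	msg := []byte("transfer 10 GBP to account 42") // constructed message
	sig := SignMessage(priv, msg)
	fmt.Println("signature verifies:", VerifyMessage(pub, msg, sig))
	fmt.Println("altered message verifies:", VerifyMessage(pub, []byte("transfer 10000 GBP to account 42"), sig))

	caPub, caPriv := GenerateKey()
	ca, _ := NewCert("Example CA", caPub, true, nil, caPriv)
	alice, _ := NewCert("alice@example.test", pub, false, ca, caPriv)
	fmt.Println("CA-issued certificate accepted:", VerifyWithCA(ca, alice))

	// An impostor can self-sign a certificate carrying Alice's name, but it
	// does not chain to the CA the recipient trusts.
	impPub, impPriv := GenerateKey()
	impostor, _ := NewCert("alice@example.test", impPub, true, nil, impPriv)
	fmt.Println("self-signed impostor accepted:", VerifyWithCA(ca, impostor))
}
```

The impostor case is the whole argument for certificates: a signature from the impostor's key verifies perfectly well against the impostor's public key, so the recipient needs someone other than the sender to say which public key is Alice's.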
Describe the main function of the ORB in CORBA.
- acting as the broker that mediates software requests between a client object and the server object that services them;
- locating objects able to meet a software request;
- preparing an object to receive a software request;
- communicating data between two objects taking part in a software interaction.
In terms of support for transparencies:
- location transparency;
- implementation transparency;
- object activation state transparency;
- communication mechanism transparency.
List and discuss three additional issues to consider if we wanted to provide access to an interactive web-based information system from mobile devices such as phones or PDAs. Assume the system involves payment processing.
- Limited resources: smaller screen space and other resources, the web tier and client tier would need to allow for different formatting of the interface.
- Communication bandwidth may be limited or more unreliable than with fixed network connections – may require a different interface. Emphasises the need to cope with intermittent communications failure.
- Security issues: interception of mobile communications is, in principle, easier than for fixed lines. Payment processes must be secure.
Would you consider XML to be a form of middleware? Explain.
No. Middleware is a software layer that sits between applications and mediates their interaction; XML is only a way of representing the content of a communication, not a layer that carries or mediates it.
Name two security services that are commonly employed in the database tier of the n-tier model and explain how they are put to use in this context.
Confidentiality, used to obscure stored information, e.g. encrypting sensitive columns; stored passwords are kept as salted hashes rather than in a recoverable encrypted form.
Integrity, used to check contents of stored files or check integrity of database file.
Authentication, used to establish who a user is before the authorisation decision about whether they may access a file or record is made.
Auditing, used to keep track of actions carried out by users or traffic on a system.
State one advantage for each of the following security services:
- Confidentiality
- Integrity
- Authentication
- Auditing
- Confidentiality: enhanced security of records.
- Integrity: increased robustness / security.
- Authentication: reduced risk of unauthorised access / modification etc.
- Auditing: increased accountability, i.e. increased ability to determine who is responsible for actions or issues, which in turn supports non-repudiation.
Explain the difference between a block cipher and a stream cipher.
A block cipher is one that operates on chunks of data at a time, called blocks, whereas a stream cipher operates on a stream of data, typically a bit or a byte at a time.
Would you typically use a block cipher or a stream cipher in wireless communication? Explain why.
Stream cipher.
- Computationally cheaper (particularly useful in this context since computing resources and bandwidth are typically more limited)
- Wireless traffic consists of frames of unpredictable length; a block cipher would frequently need the data padded out or truncated to whole blocks, whereas a stream cipher encrypts exactly the bytes sent, however few
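The padding point above made concrete, as an added Go example (not code from the course): the same AES core is run once as a block cipher (CBC with PKCS#7 padding) and once as a stream cipher (CTR mode, which turns the block cipher into a keystream generator), and the ciphertext lengths are compared for short frames. The key, IV and frames are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// pad/unpad implement PKCS#7: a block cipher can only see whole blocks, so
// the last block is always filled (a whole extra block if the input is
// already aligned).
func pad(p []byte, size int) []byte {
	n := size - len(p)%size
	return append(p, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(p []byte, size int) ([]byte, error) {
	if len(p) == 0 || len(p)%size != 0 {
		return nil, fmt.Errorf("bad length %d", len(p))
	}
	n := int(p[len(p)-1])
	if n == 0 || n > size {
		return nil, fmt.Errorf("bad padding byte")
	}
	for _, b := range p[len(p)-n:] {
		if int(b) != n {
			return nil, fmt.Errorf("bad padding")
		}
	}
	return p[:len(p)-n], nil
}

// EncryptCBC: AES used as a block cipher. Output grows to the next multiple
// of the 16-byte block size, so a 1-byte frame costs 16 bytes on the air.
func EncryptCBC(key, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	p := pad(plaintext, block.BlockSize())
	out := make([]byte, len(p))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, p)
	return out, nil
}

func DecryptCBC(key, iv, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(ciphertext)%block.BlockSize() != 0 {
		return nil, fmt.Errorf("ciphertext not block-aligned")
	}
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, ciphertext)
	return unpad(out, block.BlockSize())
}

// EncryptCTR: the same AES core driven as a stream cipher. Ciphertext is
// exactly as long as the plaintext, no padding needed, and decryption is
// the identical operation (XOR with the same keystream).
func EncryptCTR(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, nonce).XORKeyStream(out, data)
	return out, nil
}

func main() {
	key := make([]byte, 16) // AES-128 key, random for the demo
	iv := make([]byte, aes.BlockSize)
	rand.Read(key)
	rand.Read(iv)
	for _, frame := range []string{"A", "hello", "0123456789abcdef"} { // constructed frames
		c, _ := EncryptCBC(key, iv, []byte(frame))
		s, _ := EncryptCTR(key, iv, []byte(frame))
		fmt.Printf("%2d plaintext bytes -> CBC %2d bytes, CTR %2d bytes\n", len(frame), len(c), len(s))
	}
}
```

The caveat that goes with the stream-cipher choice: the nonce given to CTR must never repeat under the same key, because two frames encrypted with the same keystream can be XORed together to cancel it out. CBC has the opposite requirement, an IV the attacker cannot predict. Neither mode shown here authenticates the data; both need a MAC on top.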
Scenario: an organisation suffered an attack in which session cookies (containing info that could be used to authenticate a user) were captured and reused by the attackers to enter an existing session.
Briefly explain three security measures (in Java EE or otherwise) that might help to prevent such an attack from happening.
- Use hash functions (with a salt or secret key) over the cookie contents, e.g. a keyed hash of the session ID and its expiry, so that a captured cookie cannot be altered or its lifetime extended
- Use the SSL protocol (HTTPS, with the cookie marked Secure) so the cookie is not exposed to interception in transit
- Use end-to-end encryption so that intermediate nodes between client and server cannot read the cookie
- Use a nonce value: a fresh random session ID per login, rotated on privilege change and given a short lifetime, so a captured value is soon useless
(not wholly confident with this - needs more detail - suggestions welcome!)
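The measures above as one working session-cookie scheme, added here as a Go example (not code from the course or from Java EE): the session ID is a fresh random nonce, the ID and expiry are protected by HMAC-SHA256 (the keyed, salted hash), the cookie is flagged Secure so it only travels over SSL, and the server keeps a list of live IDs so a captured cookie can be revoked or rotated away. The cookie name, the server secret and the user names are constructed for the demo; a real server would load the secret from configuration.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"net/http"
	"strconv"
	"strings"
	"sync"
	"time"
)

// SessionStore knows which session IDs are live, so a captured cookie can
// be revoked (logout, privilege change, rotation) instead of living forever.
type SessionStore struct {
	macKey []byte // server-side secret for the keyed hash
	mu     sync.Mutex
	live   map[string]string // session id -> user
}

func NewSessionStore(macKey []byte) *SessionStore {
	return &SessionStore{macKey: macKey, live: map[string]string{}}
}

func (s *SessionStore) mac(payload string) string {
	m := hmac.New(sha256.New, s.macKey)
	m.Write([]byte(payload))
	return base64.RawURLEncoding.EncodeToString(m.Sum(nil))
}

// Issue creates a fresh random session ID (a nonce, never reused), binds it
// to an expiry and signs both with HMAC-SHA256, so the value can be neither
// forged nor given a longer life. Secure keeps the cookie off plain HTTP;
// HttpOnly and SameSite keep it away from page scripts and cross-site requests.
func (s *SessionStore) Issue(user string, ttl time.Duration) (*http.Cookie, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return nil, err
	}
	id := base64.RawURLEncoding.EncodeToString(raw)
	exp := time.Now().Add(ttl).Unix()
	payload := id + "." + strconv.FormatInt(exp, 10)
	s.mu.Lock()
	s.live[id] = user
	s.mu.Unlock()
	return &http.Cookie{
		Name: "SESSION", Value: payload + "." + s.mac(payload), Path: "/",
		Secure: true, HttpOnly: true, SameSite: http.SameSiteStrictMode,
		Expires: time.Unix(exp, 0),
	}, nil
}

// Validate returns the user behind a presented cookie value, rejecting
// malformed, tampered, expired or revoked sessions.
func (s *SessionStore) Validate(value string) (string, error) {
	parts := strings.Split(value, ".")
	if len(parts) != 3 {
		return "", errors.New("malformed cookie")
	}
	payload := parts[0] + "." + parts[1]
	if subtle.ConstantTimeCompare([]byte(s.mac(payload)), []byte(parts[2])) != 1 {
		return "", errors.New("bad signature")
	}
	exp, err := strconv.ParseInt(parts[1], 10, 64)
	if err != nil || time.Now().Unix() >= exp {
		return "", errors.New("expired")
	}
	s.mu.Lock()
	user, ok := s.live[parts[0]]
	s.mu.Unlock()
	if !ok {
		return "", errors.New("revoked")
	}
	return user, nil
}

// Revoke makes every captured copy of the cookie worthless.
func (s *SessionStore) Revoke(value string) {
	s.mu.Lock()
	delete(s.live, strings.SplitN(value, ".", 2)[0])
	s.mu.Unlock()
}

func main() {
	store := NewSessionStore([]byte("constructed server secret")) // assumption: from config in real code
	c, _ := store.Issue("alice", 30*time.Minute)
	fmt.Println("Set-Cookie:", c.String())
	u, err := store.Validate(c.Value)
	fmt.Println("presented cookie:", u, err)
	captured := c.Value    // what the attacker in the scenario obtained
	store.Revoke(captured) // e.g. the user logs out, or the ID is rotated
	_, err = store.Validate(captured)
	fmt.Println("replay of captured cookie:", err)
}
```

Note what the keyed hash does and does not buy: it stops an attacker forging or extending a cookie, but a faithfully replayed capture still validates until it expires or is revoked, which is why the short lifetime, the revocation list and SSL in transit are needed alongside it.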
A programmer might use a thin client to implement communication between the client tier and a Java EE server. Give two other approaches that might be used.
Applet client.
Application client.
Briefly explain two advantages of applet and application clients compared to a thin client.
Applets and application clients can provide a richer user interface and take some of the processing load away from the server for a more responsive client.
True or false?
A message digest algorithm is quite likely to compute very similar message digests for two messages that contain very similar text.
False - A small change in plaintext will result in a significant change in the output message digest.
True or false?
A message digest algorithm will compute a different message digest every time it is run using a particular message (containing the same text).
False: A message digest algorithm will compute the same message digest given the same text.
True or false?
A recipient of a digitally signed message will have difficulty verifying the signature because the sender's public key may not be available.
True: unless the receiver already holds (or can obtain and trust) the sender's public key, it cannot validate the digital signature.
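The first two true/false answers checked numerically, as an added Go example (not from the course): SHA-256 digests of two messages that differ in one character are compared bit by bit (the avalanche effect puts the difference near half of the 256 bits), and the same message is hashed repeatedly to show the result never changes. The messages are constructed for the demo.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// Digest returns the SHA-256 message digest of msg as hex.
func Digest(msg string) string {
	sum := sha256.Sum256([]byte(msg))
	return hex.EncodeToString(sum[:])
}

// DifferingBits counts how many of the 256 digest bits differ between the
// digests of a and b (the Hamming distance). For two different inputs this
// is close to 128 regardless of how similar the inputs are.
func DifferingBits(a, b string) int {
	da := sha256.Sum256([]byte(a))
	db := sha256.Sum256([]byte(b))
	n := 0
	for i := range da {
		n += bits.OnesCount8(da[i] ^ db[i])
	}
	return n
}

// Deterministic reports whether repeated runs over the same text agree.
func Deterministic(msg string, runs int) bool {
	first := Digest(msg)
	for i := 1; i < runs; i++ {
		if Digest(msg) != first {
			return false
		}
	}
	return true
}

func main() {
	a := "Pay Alice 100 GBP" // constructed sample messages,
	b := "Pay Alice 101 GBP" // differing by a single character
	fmt.Println(Digest(a))
	fmt.Println(Digest(b))
	fmt.Printf("%d of 256 bits differ\n", DifferingBits(a, b))
	fmt.Println("same input, same digest:", Deterministic(a, 5))
}
```

This is exactly the property an integrity check in the database tier relies on: a stored digest of a file only matches a recomputed one if the file is byte-for-byte unchanged, and a tampered copy produces a digest that differs in roughly half its bits rather than "slightly".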
One option for client communication is a browser-based, thin client. Briefly explain three limitations of thin clients.
- Browser interface is limited - webpages are limited to text, images, forms; sometimes more complexity required.
- Responsiveness - all processing done on server; could be more responsive if some processing could be done on the client.
- Browser uses request-response protocol (pull technology) - clients do not necessarily know if something on the server has changed.
How is the public key used in the SSL communication between the client and server?
Once the client has validated the server's certificate (and, optionally, the server has validated a client certificate) and the two have agreed a cipher suite, the server's public key is used in a public key-based protocol to establish a secret session key; for example the client generates a random pre-master secret and sends it encrypted under the server's public key, which only the holder of the matching private key can recover. The session key derived from it is then used to encrypt the communications symmetrically, according to the chosen encryption scheme.
What kind of encryption takes place in SSL communication, end-to-end, or link? Explain your answer.
End-to-end: the sending and receiving nodes of a message implement the encryption and decryption using their shared session key, so intermediate nodes on the path see only ciphertext.
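The key establishment and end-to-end encryption described in the two flashcards above, as an added Go example (not code from the course or from any SSL/TLS implementation): the client encrypts a random pre-master secret to the server's RSA public key, both sides derive the same session key from it plus the two exchanged randoms, and application data is then protected with AES-GCM under that key. The key sizes, derivation (a plain SHA-256 over the inputs) and the request string are constructed for the demo; real SSL/TLS uses a standardised key-derivation function and modern versions establish the session key with ephemeral Diffie-Hellman rather than RSA key transport.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Server holds the long-term key pair; the public half is what its
// certificate carries and what the client validates first.
type Server struct{ priv *rsa.PrivateKey }

func NewServer() (*Server, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: k}, nil
}

func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// ClientKeyExchange: the client picks a random pre-master secret and
// encrypts it to the server's public key. Only the holder of the private key
// (the server whose certificate was validated) can recover it.
func ClientKeyExchange(serverPub *rsa.PublicKey) (preMaster, encrypted []byte, err error) {
	preMaster = make([]byte, 32)
	if _, err = rand.Read(preMaster); err != nil {
		return nil, nil, err
	}
	encrypted, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, serverPub, preMaster, []byte("key-exchange"))
	return preMaster, encrypted, err
}

func (s *Server) RecoverPreMaster(encrypted []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, encrypted, []byte("key-exchange"))
}

// SessionKey derives the symmetric key both ends will use from the shared
// pre-master secret and the two nonces that were exchanged in the clear.
func SessionKey(preMaster, clientRandom, serverRandom []byte) []byte {
	h := sha256.New()
	h.Write(preMaster)
	h.Write(clientRandom)
	h.Write(serverRandom)
	return h.Sum(nil)
}

// Seal/Open protect application data under the session key (AES-256-GCM),
// the end-to-end encryption stage.
func Seal(key, nonce, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Seal(nil, nonce, plaintext, nil), nil
}

func Open(key, nonce, ciphertext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, nonce, ciphertext, nil)
}

func main() {
	server, _ := NewServer()
	clientRandom, serverRandom := make([]byte, 32), make([]byte, 32)
	rand.Read(clientRandom)
	rand.Read(serverRandom)

	// client side: encrypt the pre-master to the server's public key
	pre, enc, _ := ClientKeyExchange(server.PublicKey())
	clientKey := SessionKey(pre, clientRandom, serverRandom)

	// server side: decrypt with the private key, derive the same session key
	recovered, _ := server.RecoverPreMaster(enc)
	serverKey := SessionKey(recovered, clientRandom, serverRandom)
	fmt.Println("session keys agree:", string(clientKey) == string(serverKey))

	nonce := make([]byte, 12)
	rand.Read(nonce)
	ct, _ := Seal(clientKey, nonce, []byte("GET /account HTTP/1.1")) // constructed request
	pt, err := Open(serverKey, nonce, ct)
	fmt.Printf("server read: %q (err=%v)\n", pt, err)
}
```

An eavesdropper sees the server's public key, the encrypted pre-master and both randoms, but without the private key cannot recover the pre-master and so cannot derive the session key; that is the sense in which the public key "establishes" a secret shared only by the two ends.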
Name an example of a protocol in which you would expect to find SSL in use.
HTTPS
FTPS (FTP over SSL/TLS)
SMTPS (SMTP over SSL/TLS)
LDAPS (LDAP over SSL/TLS)
Briefly explain what is meant by loose coupling between components.
A loosely coupled component is insulated from changes in another component due to the presence of a layer of indirection between them.
Briefly describe two key differences and two key similarities between RMI and CORBA.
Differences:
- RMI is homogeneous (Java to Java), CORBA is heterogeneous (language- and platform-neutral, via IDL)
- RMI uses Java object serialisation (flattened objects) on the wire, CORBA uses CDR (Common Data Representation)
- RMI is a programming technology, CORBA is an integration technology
- RMI is synchronous, CORBA has more varied forms of interaction
Similarities:
- Both are object-oriented middleware
- ORB is similar to the RMI registry
- Both provide location transparency
- Both provide communication transparency
- Both support passing objects by value and by reference
What is the difference between strong and weak code mobility?
Strong mobility is the ability to suspend an execution unit at its current site, capture its current state, transmit the execution unit and its code to the new site, and resume execution at exactly the same point at the new site.
Weak mobility is just the ability to move code (not a whole execution unit) between sites.
What is SOAP and what is its role in heterogeneous systems?
SOAP is an XML-based protocol supporting communication between distributed systems and widely used in web services.
XML is a form of semantic markup of text. Provided that the communicating parties can process XML, have a shared idea of what a document means and can communicate over some channel (such as HTTP), they can communicate, regardless of the platform or the software implementation language.
Therefore, using SOAP and XML means that complex data structures can be exchanged between two parties using different languages or platforms, as long as there is an agreed-upon XML vocabulary (a domain dictionary or schema) describing the data.
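The "shared idea of what a document means" made concrete, as an added Go example (not code from the course or from any SOAP toolkit): a SOAP 1.1 envelope is built around an application payload, then the same parser accepts an envelope written by a different platform with different namespace prefixes, because the agreement is on namespaces and element names, not on the prefixes or the producing language. The SOAP envelope namespace is the real one; the `urn:example:bank` vocabulary and the GetBalance request are constructed for the demo.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Envelope and Body mirror the SOAP 1.1 envelope structure; the namespace is
// the standard SOAP 1.1 envelope namespace.
type Envelope struct {
	XMLName xml.Name `xml:"http://schemas.xmlsoap.org/soap/envelope/ Envelope"`
	Body    Body     `xml:"http://schemas.xmlsoap.org/soap/envelope/ Body"`
}

// Body carries the application payload verbatim; what it means is defined
// by the payload's own namespace, not by SOAP.
type Body struct {
	Content []byte `xml:",innerxml"`
}

// GetBalanceRequest is the hypothetical application payload; its namespace
// (urn:example:bank) is the "agreed dictionary" both parties must share.
type GetBalanceRequest struct {
	XMLName   xml.Name `xml:"urn:example:bank GetBalance"`
	AccountID string   `xml:"accountId"`
	Currency  string   `xml:"currency,attr"`
}

// BuildRequest wraps the payload in an envelope ready to POST over HTTP.
func BuildRequest(req GetBalanceRequest) ([]byte, error) {
	payload, err := xml.Marshal(req)
	if err != nil {
		return nil, err
	}
	return xml.MarshalIndent(Envelope{Body: Body{Content: payload}}, "", "  ")
}

// ParseRequest does the receiving side: check the envelope is really SOAP,
// then decode the body against the agreed vocabulary.
func ParseRequest(doc []byte) (GetBalanceRequest, error) {
	var env Envelope
	if err := xml.Unmarshal(doc, &env); err != nil {
		return GetBalanceRequest{}, err
	}
	var req GetBalanceRequest
	err := xml.Unmarshal(env.Body.Content, &req)
	return req, err
}

func main() {
	doc, err := BuildRequest(GetBalanceRequest{AccountID: "ACC-1", Currency: "GBP"})
	if err != nil {
		panic(err)
	}
	fmt.Println(string(doc))

	// A message produced by another platform with different prefix
	// conventions (constructed here) parses the same way.
	foreign := `<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">` +
		`<soap:Body><b:GetBalance xmlns:b="urn:example:bank" currency="EUR">` +
		`<b:accountId>ACC-2</b:accountId></b:GetBalance></soap:Body></soap:Envelope>`
	req, err := ParseRequest([]byte(foreign))
	fmt.Printf("account=%s currency=%s err=%v\n", req.AccountID, req.Currency, err)
}
```

The namespace check in ParseRequest is the practitioner's caveat: a receiver that matches on local element names only will happily accept a document from an unrelated vocabulary, so the namespace of both the envelope and the payload is part of what must be validated before the data is acted on.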