# CNS Unit Test 1 Question Bank

## Module No. 01

### 1) Definition of Computer & Network security.

Computer security deals with the security of standalone computers; it covers both hardware and software. Network security is the security provided to a network against unauthorized access and risks.

**Cyber Security** - The objective of cyber security is to protect information that could otherwise be stolen.

### 2) Write a short note on goals, services and mechanisms.

#### Goals

![Goals of Security Triangle](https://hackmd.io/_uploads/r1rkT7sTh.png)

- **Confidentiality** - Privacy; protection against unauthorized access.
- **Integrity** - Data should be real / original, i.e. unaltered.
- **Availability** - Data and services should be available 24/7.

#### Services

- Confidentiality
- Integrity
- Authentication
- Non-Repudiation
- Access Control

#### Mechanisms

- **Encipherment** - Hiding or covering data so that it becomes confidential.
- **Access control**
- **Notarization** - Use of a trusted third party.
- **Integrity**
- **Authentication Exchange**
- **Bit Stuffing** - Adding extra bits to the data.
- **Digital Signature** - Electronic signature added by the sender and checked by

| Security Services | Security Mechanisms |
|--|--|
| Confidentiality | Encipherment |
| Integrity | Digital Signature |
| Authentication | Digital Signature, Authentication exchange |
| Non-Repudiation | Digital Signature, Notarization |
| Access control | Access Control |

### 3) Steganography Concept.

![Steganography Working Diagram](https://hackmd.io/_uploads/HytqM3iah.png)

### 4) Definition of Attack & its types

An attempt to gain unauthorized access to information or to damage the information.

![Types of Attacks](https://hackmd.io/_uploads/BJJ_BEoT3.png)

#### Passive Attacks

A passive attack attempts to learn or make use of information from the system but does not affect system resources. Passive attacks are in the nature of **eavesdropping** on or **monitoring transmissions**. The attacker passively monitors or collects data without altering or destroying it.

![Passive Attack diagram](https://hackmd.io/_uploads/HyzxHdsp2.png)

#### Active Attacks

Active attacks are a type of cybersecurity attack in which an attacker attempts to alter, destroy, or disrupt the normal operation of a system or network. Active attacks involve the attacker taking direct action against the target system or network.

##### Masquerade

Pretending to be a different entity.

![Masquerade diagram](https://hackmd.io/_uploads/Hkbh23Vjan.png)

##### Replay

![Replay diagram](https://hackmd.io/_uploads/ByoO-Os6n.png)

##### Modification of Message

![Modification of Message diagram](https://hackmd.io/_uploads/SJYBeOsTn.png)

##### Denial of Service

![DoS diagram](https://hackmd.io/_uploads/SJbd1ui62.png)

### 5) OSI Security model.

The OSI (Open System Interconnection) Security Architecture defines a systematic approach to providing security at each layer.

**Classification of OSI Security Architecture**

![OSI Architecture flow chart](https://hackmd.io/_uploads/SyRtFs06n.png)

#### Security Attacks

A security attack is an attempt by a person or entity to gain unauthorized access to, disrupt, or compromise the security of a system, network, or device. There are two types of security attacks:

- Passive Attack
- Active Attack

(Check out [Definition of Attack & its types](#4-Definition-of-Attack-amp-its-types))

#### Security Mechanism

A mechanism that is built to identify any breach of security or attack on the organization is called a security mechanism. Security mechanisms are also responsible for protecting a system, network, or device against unauthorized access, tampering, or other security threats. Examples of security mechanisms include:

- **Encipherment (Encryption)** involves the use of algorithms to transform data into a form that can only be read by someone with the appropriate decryption key.
- **Digital Signature** (Check out [Digital Signature](#2-Digital-Signature))
- **Traffic padding** is a technique used to add extra data to a network traffic stream in an attempt to obscure the true content of the traffic and make it more difficult to analyze.
- **Routing control** allows the selection of specific physically secure routes for specific data transmissions and enables routing changes, particularly when a gap in security is suspected.

#### Security Service

Security services refer to the different services available for maintaining the security and safety of an organization. Security services are divided into 5 types:

- **Authentication** is the process of verifying the identity of a user or device in order to grant or deny access to a system or device.
- **Access control** involves the use of policies and procedures to determine who is allowed to access specific resources within a system.
- **Data Confidentiality** is responsible for the protection of information from being accessed or disclosed to unauthorized parties.
- **Data integrity** involves the use of techniques to ensure that data has not been tampered with or altered in any way during transmission or storage.
- **Non-repudiation** involves the use of techniques to create a verifiable record of the origin and transmission of a message, which can be used to prevent the sender from denying that they sent the message.

## Module No. 02

### 1) Algorithms such as AES & DES with diagrams.

#### AES

The more popular and widely adopted symmetric encryption algorithm likely to be encountered nowadays is the Advanced Encryption Standard (AES). It is found to be at least six times faster than triple DES.

A replacement for DES was needed as its key size was too small. With increasing computing power, it was considered vulnerable against exhaustive key search attacks. Triple DES was designed to overcome this drawback, but it was found to be slow.
The features of AES are as follows:

- Symmetric key symmetric block cipher
- 128-bit data, 128/192/256-bit keys
- Stronger and faster than Triple-DES
- Provides full specification and design details
- Software implementable in C and Java

**Operation of AES**

![Operation of AES Diagram](https://hackmd.io/_uploads/rkig0OCpn.png)

AES performs all of its computations on bytes rather than bits. Hence AES treats the 128 bits of a plaintext block as 16 bytes. These 16 bytes are arranged in four columns and four rows for processing as a matrix.

**Encryption Process**

![AES Encryption Process Diagram](https://hackmd.io/_uploads/ryWDJYC62.png)

- **Byte Substitution (SubBytes)**
  - The 16 input bytes are substituted by looking up a fixed table (S-box).
- **Shiftrows**
  - Each of the four rows of the matrix is shifted to the left. The shift is carried out as follows:
    - First row is not shifted.
    - Second row is shifted one (byte) position to the left.
    - Third row is shifted two positions to the left.
    - Fourth row is shifted three positions to the left.
- **Mix Columns**
  - Each column of four bytes is now transformed using a special mathematical function.
  - This function takes as input the four bytes of one column and outputs four completely new bytes, which replace the original column.
  - The result is another new matrix consisting of 16 new bytes.
- **Add Round Key**
  - The 16 bytes of the matrix are considered as 128 bits and XORed with the 128 bits of the round key.
  - If this is the last round then the output is the ciphertext.
  - Otherwise the resulting 128 bits are interpreted as 16 bytes and we begin another similar round.

**Decryption Process**

Reverse of the encryption process.

#### DES

The Data Encryption Standard (DES) is a symmetric-key block cipher published by the National Institute of Standards and Technology (NIST).
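The AES-128 encryption process from the AES subsection above (SubBytes, ShiftRows, MixColumns, AddRoundKey on the 4x4 byte state), carried through in working code before the DES diagrams. This is an added example written for these notes, not code from the original page; it derives the S-box from its GF(2^8) definition instead of pasting the table, and the function names are my own.

```python
def xtime(a):                        # multiply by x (= 2) in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a
def rotl8(b, n):                     # rotate a byte left by n bits (used by the S-box affine map)
    return ((b << n) | (b >> (8 - n))) & 0xFF

def build_sbox():                    # S-box = affine transform of the GF(2^8) inverse; 0 maps to 0x63
    exp, x = [], 1                   # antilog table of the generator 3: exp[i] = 3^i
    for _ in range(255):
        exp.append(x); x ^= xtime(x)
    log = {v: i for i, v in enumerate(exp)}
    inv = [exp[(255 - log[b]) % 255] if b else 0 for b in range(256)]
    return [b ^ rotl8(b, 1) ^ rotl8(b, 2) ^ rotl8(b, 3) ^ rotl8(b, 4) ^ 0x63 for b in inv]

SBOX = build_sbox()                  # the fixed 256-entry table used by SubBytes and the key schedule

def sub_bytes(s):                    # step 1: fixed table lookup on each of the 16 bytes
    return [SBOX[b] for b in s]

def shift_rows(s):                   # step 2: row r is rotated r byte positions to the left
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]

def mix_columns(s):                  # step 3: each column is multiplied by the fixed matrix
    out = []
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        d = [xtime(b) for b in a]    # d[i] = 2*a[i]; 3*a[i] is d[i] ^ a[i]
        out += [d[0] ^ d[1] ^ a[1] ^ a[2] ^ a[3], a[0] ^ d[1] ^ d[2] ^ a[2] ^ a[3],
                a[0] ^ a[1] ^ d[2] ^ d[3] ^ a[3], d[0] ^ a[0] ^ a[1] ^ a[2] ^ d[3]]
    return out

def add_round_key(s, k):             # step 4: XOR the 128-bit state with the 128-bit round key
    return [a ^ b for a, b in zip(s, k)]

def expand_key(key):                 # key schedule: 44 words -> 11 round keys of 16 bytes each
    w, rcon = [list(key[4 * i:4 * i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:               # RotWord, SubWord, then XOR the round constant
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def aes128_encrypt_block(key: bytes, block: bytes) -> bytes:
    rk = expand_key(key)             # state is column-major: s[r + 4*c] is row r, column c
    s = add_round_key(list(block), rk[0])
    for rnd in range(1, 11):
        s = shift_rows(sub_bytes(s))
        s = add_round_key(mix_columns(s) if rnd != 10 else s, rk[rnd])   # last round: no MixColumns
    return bytes(s)
```

Checking the output against the FIPS-197 Appendix C.1 test vector (key 00..0f, plaintext 00112233..ff) confirms the byte ordering and the S-box derivation at once.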
![DES Diagram](https://hackmd.io/_uploads/B1amEY063.png)

##### Initial and Final Permutation

The initial and final permutations are permutation boxes (P-boxes) that are inverses of each other.

![Initial and Final Permutation](https://hackmd.io/_uploads/rkT2fqAph.png)

##### Round Function

![Round Function Diagram](https://hackmd.io/_uploads/ByNfDKRTn.png)

##### Expansion Permutation Box

![Expansion Permutation Box Diagram](https://hackmd.io/_uploads/rkPNX5Cp2.png)

![Graphically depicted permutation logic](https://hackmd.io/_uploads/By4U79Rp2.png)

##### XOR

After the expansion permutation, DES performs an XOR operation on the expanded right section and the round key.

##### Substitution Boxes

The S-boxes carry out the real mixing (confusion). DES uses 8 S-boxes, each with a 6-bit input and a 4-bit output.

![Substitution Boxes Diagram](https://hackmd.io/_uploads/BkxPHc063.png)

The S-box rule:

![S-box rule Diagram](https://hackmd.io/_uploads/S1f189Ra3.png)

##### Key Generation

The round-key generation creates sixteen 48-bit keys out of a 56-bit cipher key.

![Key Generation Diagram](https://hackmd.io/_uploads/Sy-KFcA6n.png)

### 2) Digital Signature

A signature is a way of authenticating data coming from a trusted individual. Similarly, a digital signature is a way of authenticating digital data coming from a trusted source.

#### DSS (Digital Signature Standard)

It is a Federal Information Processing Standard (FIPS) which defines algorithms that are used to generate digital signatures with the help of the Secure Hash Algorithm (SHA) for authentication of electronic documents. DSS only provides us with the digital signature function and not with any encryption or key exchange strategies.

![Digital Signature Function Diagram](https://hackmd.io/_uploads/r1O_yjAp3.png)

**Sender Side**

In the DSS approach, a hash code is generated from the message and the following inputs are given to the signature function:

- The hash code.
- The random number 'k' generated for that particular signature.
- The private key of the sender, i.e., PR(a).
- A global public key (which is a set of parameters for the communicating principals), i.e., PU(g).

**Receiver Side**

At the receiver end, verification of the sender is done. The hash code of the sent message is generated. There is a verification function which takes the following inputs:

- The hash code generated by the receiver.
- Signature components 's' and 'r'.
- Public key of the sender.
- Global public key.

### 3) Kerberos

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client-server applications by using secret-key cryptography. It has the following characteristics:

- It is secure: it never sends a password unless it is encrypted.
- Only a single login is required per session.
- The concept depends on a trusted third party - a Key Distribution Center (KDC).
- It performs mutual authentication, where a client proves its identity to a server and a server proves its identity to the client.

#### Ticket-Granting Server (TGS)

1. A client that wishes to use a server has to receive a ticket - a time-limited cryptographic message - giving it access to the server.
2. It also requires an Authentication Server (AS) to verify the client.
3. The two servers combined make up a Key Distribution Center (KDC).
4. Active Directory performs the function of the KDC.

![TGS Diagram](https://hackmd.io/_uploads/BydAf_C6n.png)

Here are the steps by which Kerberos authentication is performed:

1. The user logs on to the workstation and requests service on the host.
   - The workstation sends a message to the Authentication Server requesting a ticket-granting ticket (TGT).
2. The Authentication Server verifies the user's access rights in the user database and creates a TGT and a session key.
   - The Authentication Server encrypts the results using a key derived from the user's password and sends a message back to the user workstation.
3. When the user wants access to a service, the workstation client application sends a request to the Ticket Granting Service containing the client name, realm name and a timestamp.
4. The TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server.
5. The service authenticates the request by decrypting the session key.
6. If mutual authentication is required, then the server will reply with a server authentication message.

### 4) Modes of operation of Block Ciphers

A block cipher is an encryption algorithm that takes a fixed-size input, say *b* bits, and produces a ciphertext of *b* bits again. There are 5 modes of operation of a block cipher:

1. Electronic Code Book (ECB)
2. Cipher Block Chaining (CBC)
3. Cipher Feedback Mode (CFM)
4. Output Feedback Mode (OFM)
5. Counter Mode (CTR)

#### ECB

Encryption

![ECB Encryption Diagram](https://hackmd.io/_uploads/r1GLvdsa3.png)

Decryption

![ECB Decryption Diagram](https://hackmd.io/_uploads/rJ01uujah.png)

Advantages:

- Parallel encryption of blocks of bits is possible, thus it is a faster way of encryption.
- Simplest way of using the block cipher.

Disadvantages:

- Prone to cryptanalysis since there is a direct relationship between plaintext and ciphertext.

#### CBC

A cipher block is produced by encrypting the XOR of the previous cipher block and the present plaintext block.

Encryption

![CBC Encryption Diagram](https://hackmd.io/_uploads/By075Oj62.png)

Decryption

![CBC Decryption Diagram](https://hackmd.io/_uploads/B12Is_sTh.png)

Advantages:

- CBC works well for input greater than *b* bits.
- CBC is a good authentication mechanism.

Disadvantages:

- Parallel encryption is not possible since encryption requires the previous cipher block.
#### CFM

Encryption

![CFM Encryption Diagram](https://hackmd.io/_uploads/ryxF2siT3.png)

Decryption

![CFM Decryption Diagram](https://hackmd.io/_uploads/r1KPcsjp2.png)

Advantages:

- Since only part of the cipher output is used because of the shift register, it is difficult to apply cryptanalysis.

#### OFM

Encryption

![OFM Encryption Diagram](https://hackmd.io/_uploads/HyZEpoia2.png)

Decryption

![OFM Decryption Diagram](https://hackmd.io/_uploads/SyhBaio62.png)

Advantages:

- In CFB, a single bit error is propagated to all subsequent blocks. This problem is solved by OFB, as it is free from bit-error propagation in the plaintext blocks.

#### CTR

Encryption

![CTR Encryption Diagram](https://hackmd.io/_uploads/r1OTRoja2.png)

Decryption

![CTR Decryption Diagram](https://hackmd.io/_uploads/H1n60io63.png)

Advantages:

- Since there is a different counter value for each block, the direct plaintext-ciphertext relationship is avoided.
- This means that the same plaintext can map to different ciphertexts.
- Parallel execution of encryption is possible as outputs from previous stages are not chained as in the case of CBC.

## Numericals based on Playfair & RSA.

![CNS UT1 QB Diagram](https://hackmd.io/_uploads/By4Dm2Ap2.png)
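The DSS signature and verification functions of Module 2, question 2, with exactly the inputs listed there (hash code, random k, PR(a), PU(g) on the sender side; hash code, r and s, sender's public key, PU(g) on the receiver side). This is an added example, not code from the original notes; the parameters p = 23, q = 11, g = 4 are a constructed textbook-size PU(g) so the arithmetic can be checked by hand, and the function names are my own.

```python
import hashlib
import secrets

# Constructed toy global public key PU(g) = (p, q, g): NOT secure, FIPS 186 uses 2048-bit p and
# 256-bit q. p and q are prime, q divides p - 1, and g = h^((p-1)/q) mod p has order q.
P, Q, G = 23, 11, 4

def keygen(x=None):
    """Return (PR(a) = private x, public y = g^x mod p); x is drawn at random unless given."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def hash_code(message: bytes) -> int:
    """SHA-256 hash code of the message reduced into Z_q (a real q is as long as the hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % Q

def sign_hash(h: int, x: int, k: int):
    """Signature function: inputs are the hash code h, the per-signature random k and PR(a) = x."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    return r, s

def verify_hash(h: int, sig, y: int) -> bool:
    """Verification function: inputs are the receiver's hash code, (r, s) and the sender's y."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):          # reject malformed components before inverting s
        return False
    w = pow(s, -1, Q)
    u1, u2 = h * w % Q, r * w % Q
    v = pow(G, u1, P) * pow(y, u2, P) % P % Q
    return v == r                               # the signature is valid iff v reproduces r

def sign(message: bytes, x: int):
    while True:                                 # fresh random k for every signature, never reused
        r, s = sign_hash(hash_code(message), x, secrets.randbelow(Q - 1) + 1)
        if r and s:                             # FIPS 186 requires retrying when r or s is 0
            return r, s

def verify(message: bytes, sig, y: int) -> bool:
    return verify_hash(hash_code(message), sig, y)
```

With x = 7 (so y = 8), hash code 5 and k = 3 the sender gets (r, s) = (7, 7); the receiver computes w = 8, u1 = 7, u2 = 1 and v = 7 = r, while a different hash code (a changed message) gives v = 1 and fails.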
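The six Kerberos steps of Module 2, question 3, run as a single-process simulation: the AS, the TGS and the target service are plain functions, the TGT and the service ticket are sealed under keys only the KDC and the service hold, and the final reply gives the mutual authentication of step 6. This is an added example, not code from the original notes; `seal`/`unseal` are a constructed stand-in for Kerberos' encryption (SHA-256 keystream plus an HMAC tag, demo only, not the real Kerberos cryptography), and the user database, realm and keys are constructed for the demo.

```python
import hashlib, hmac, json, os, time
def seal(key: bytes, obj: dict) -> bytes:      # constructed AEAD stand-in: SHA-256 keystream + HMAC tag
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:   # raises unless the blob was sealed under this key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# Constructed KDC state: user database of password-derived keys, the TGS key and one service key.
USERS = {"alice": hashlib.sha256(b"alice-password").digest()}
TGS_KEY, SVC_KEY = os.urandom(32), os.urandom(32)
REALM, SKEW, TGT_LIFE = "EXAMPLE.LOCAL", 300, 600

def authentication_server(user: str) -> bytes:   # step 2: TGT + session key, sealed under the user's key
    sk = os.urandom(32)
    tgt = seal(TGS_KEY, {"user": user, "sk": sk.hex(), "exp": time.time() + TGT_LIFE})
    return seal(USERS[user], {"sk": sk.hex(), "tgt": tgt.hex()})   # unknown user -> KeyError

def ticket_granting_server(tgt: bytes, authenticator: bytes, service: str) -> bytes:   # step 4
    t = unseal(TGS_KEY, tgt)                    # only the KDC can open a TGT
    sk = bytes.fromhex(t["sk"])
    a = unseal(sk, authenticator)               # proves the client knows the TGT session key
    if a["user"] != t["user"] or a["realm"] != REALM or t["exp"] < time.time() or abs(time.time() - a["ts"]) > SKEW:
        raise ValueError("TGS rejected the request")
    sk2 = os.urandom(32)
    ticket = seal(SVC_KEY, {"user": t["user"], "service": service, "sk": sk2.hex()})
    return seal(sk, {"sk": sk2.hex(), "ticket": ticket.hex()})

def service(ticket: bytes, authenticator: bytes) -> bytes:   # steps 5-6: check ticket, prove the session key
    t = unseal(SVC_KEY, ticket)
    sk2 = bytes.fromhex(t["sk"])
    a = unseal(sk2, authenticator)
    if a["user"] != t["user"] or abs(time.time() - a["ts"]) > SKEW:
        raise ValueError("service rejected the request")
    return seal(sk2, {"ts": a["ts"] + 1})       # mutual authentication reply

def client_login(user: str, password: str, svc: str) -> bool:   # client side of steps 1-6
    key = hashlib.sha256(password.encode()).digest()            # key derived from the password
    r = unseal(key, authentication_server(user))                # wrong password -> ValueError
    sk, tgt = bytes.fromhex(r["sk"]), bytes.fromhex(r["tgt"])
    r = unseal(sk, ticket_granting_server(tgt, seal(sk, {"user": user, "realm": REALM, "ts": time.time()}), svc))
    sk2, ticket, ts = bytes.fromhex(r["sk"]), bytes.fromhex(r["ticket"]), time.time()
    proof = unseal(sk2, service(ticket, seal(sk2, {"user": user, "ts": ts})))
    return proof["ts"] == ts + 1                                # the server proved it knows sk2
```

Note that the password never leaves the client: a wrong password only means the AS reply cannot be opened, and every later message is protected by a session key that only the legitimate parties can recover.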
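All five modes of Module 2, question 4, implemented over a pluggable block cipher so that the properties listed there (ECB pattern leakage, CBC chaining, CFB and OFB error behaviour, CTR's independent counters) can be observed directly. This is an added example, not code from the original notes; the block cipher `E`/`D` is a constructed 8-byte Feistel network built from SHA-256 (not DES or AES), chosen only so that the example runs without any third-party library.

```python
import hashlib

B = 8                                # constructed toy block size in bytes (AES uses 16)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _f(key, rnd, half):              # Feistel round function built from SHA-256 (toy)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:B // 2]
def E(key: bytes, block: bytes) -> bytes:   # constructed 4-round Feistel block cipher (demo only)
    L, R = block[:B // 2], block[B // 2:]
    for rnd in range(4):
        L, R = R, xor(L, _f(key, rnd, R))
    return L + R
def D(key: bytes, block: bytes) -> bytes:   # inverse of E; only ECB and CBC decryption need it
    L, R = block[:B // 2], block[B // 2:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _f(key, rnd, L)), L
    return L + R
def blocks(data: bytes):
    return [data[i:i + B] for i in range(0, len(data), B)]

def ecb_encrypt(key, pt):            # blocks are independent: equal plaintext blocks give equal ciphertext
    return b"".join(E(key, p) for p in blocks(pt))
def ecb_decrypt(key, ct):
    return b"".join(D(key, c) for c in blocks(ct))

def cbc_encrypt(key, iv, pt):        # C_i = E(P_i XOR C_{i-1}) with C_0 = IV: inherently serial
    out = [iv]
    for p in blocks(pt):
        out.append(E(key, xor(p, out[-1])))
    return b"".join(out[1:])
def cbc_decrypt(key, iv, ct):        # P_i = D(C_i) XOR C_{i-1}: decryption can run in parallel
    cs = blocks(ct)
    return b"".join(xor(D(key, c), prev) for c, prev in zip(cs, [iv] + cs))

def cfb_encrypt(key, iv, pt):        # full-block CFB: C_i = P_i XOR E(C_{i-1}); needs E only
    out = [iv]
    for p in blocks(pt):
        out.append(xor(p, E(key, out[-1])))
    return b"".join(out[1:])
def cfb_decrypt(key, iv, ct):        # P_i = C_i XOR E(C_{i-1}): a damaged C_i hurts P_i and P_{i+1}
    cs = blocks(ct)
    return b"".join(xor(c, E(key, prev)) for c, prev in zip(cs, [iv] + cs))

def ofb_crypt(key, iv, data):        # O_i = E(O_{i-1}); the keystream never depends on the data
    out, o = [], iv
    for d in blocks(data):
        o = E(key, o); out.append(xor(d, o))
    return b"".join(out)
def ctr_crypt(key, nonce, data):     # keystream block i = E(nonce || i): parallel, no chaining
    return b"".join(xor(d, E(key, nonce + i.to_bytes(B - len(nonce), "big"))) for i, d in enumerate(blocks(data)))
```

With a full-block shift register as here, flipping one ciphertext bit in CFB flips that bit in the corresponding plaintext block and garbles the next block, while in OFB and CTR only the flipped bit itself changes; OFB and CTR use the same function for both directions because they only XOR a keystream.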