1) [Ch 3, Thought Questions, nos 7, 8, 9]—How are digital certificates and passports similar and how are they different? How are digital certificates and university diplomas similar and how are they different? How are digital certificates and movie tickets similar and how are they different?
Digital certificates are the electronic counterpart to passports and identification cards. There are given specifically from a certificate authority (CA), such as VeriSign. Digital certificates are electronic credentials used by virtual emails, signing documents, or other private computers. Unlike traditional identification Digital certificates can be used on handheld devices such as smart phones or tablets. Digital certificates will contain the true identity and the true party’s public key. A passport acts as a person’s identification; they are issued by recognized government authorities. The recognized government will only issue if the party meets all the needed requirements before issuing identification. Unlike the digital certificate, the passport will show the true party’s photo and other identifying information that can be easily verified.
Digital certificates are similar to university diplomas as they both are issued by a body of authority. They both contain a signature and a “document” that certifies that it is owned by a particular user. A diploma like the digital certificate is signed by a “trustworthy” third party. University diplomas must be certified by the government or a governing board in order to affirm the diplomas. However, the difference is that digital certificates are that they are encoded on digital documents, they are not in paper form that can be carried around to show your identity. Digital certificates and movie tickets have similarities as well. They both can be used digitally online, they do not need any identifying information, just the party’s name anyone can prove their validity and the information they specify. However, the difference is digital certificates cannot be used to purchase tickets. Movie tickets can be purchased online and in person. On a cinema ticket, no identifying information is needed or given just the movie title and cinema company.
2) [Ch 3, Harder Thought Questions, no. 1]—Identify potential security threats associated with authentication via digital signatures and digital certificates. Explain each and describe how you would address each threat.
A potential security threat is the problem digital certificates cannot be relied on solely in identifying a party. Unlike traditional identification, there is not picture, and the CA is an authority trusted by the party, not a recognized government body. Digital certificates must be used with digital signatures in order to verify a true authentication. A digital certificate alone cannot truly identify the person holding the digital certificate is the true party, and verifiers have no way of knowing this information without the digital signature. Another problem is that browsers have to accept the signature of the CA, the browser would not allow the party sign in or the CA could give a certificate to another person claiming to be the party.
3)[Ch 3, Harder Thought Questions, no. 2]—The Panko text describes how public key authentication is used for message-by-message authentication in digital signatures. However, public key authentication is widely used for initial authentication.
a)Describe the processes that the supplicant and verifier would use if public key encryption were used in initial challenge-response authentication.
b)Draw heavily on your understanding of digital signatures, but put this information in challenge–response context.
MS-Chap is a way to authenticate a public key, for example the MS-CHAP supplicant creates the response message by adding the shared password to the initial challenge message, and hashing the resulting string, the hash will be the response message. To verify, the server will repeat the suppliant’s actions. The server takes the challenge message it sent to the suppliant, appends password, and applies the same hashing algorithm the supplicant used. If the server’s hash is identical to the response message, then the server then logs in the authenticated user.
4)[Ch 4, Thought Questions, no. 2]—Why would it be desirable to protect all of a corporation’s IP traffic by IPsec? Give multiple reasons.
Since IPsecs operate at the internet layer, they protect everything in the data field within the IP packet which includes given transparent protection to the internet, transport, and application layer. Unlike SSL/TLS it has no central management. IPsec on the other hand can centrally manage IPsec on all connections between hosts. The transport layer is not aware of IPSec while in use. IPsec provides the most end to end protection for a business, although highly complex the transparent protection reduces implementation and operating costs.
5)[Ch 4, Harder Thought Questions, no. 4]—Pretty good privacy uses public key encryption and symmetric key encryption to encrypt long documents. How can this be done?
Pretty good privacy uses public key encryption, and symmetric key encryption to encrypt long documents. They can do this by using public-key cryptosystems including RSA, DSA, or private key cryptosystem IDEA. Furthermore, Pretty Good Privacy uses a method of random key generation that prevents the same key from being used by multiple users. So that it would be unlikely for two encrypted documents to use the same session key. As with digital signatures, Pretty Good Privacy is compatible with the one-way hash digital signing technique used for message authenticating and integrity check.
6)[Ch 4, Thought Questions, no. 3]—What wireless LAN security threats do 802.11i, and WPA not address?
Some of the problems are the weak security methods. WLAN chose to use RC4 cipher that is relatively weak encryption method. Although TKIP was designed to replace WEP it is still a security problem that is easily hacked into. WLAN is easily vulnerable to evil twin attack, when a pc has software that allows it to masquerade as a legitimate access point that allows for intrusion into access points, and the possibility of eavesdropping. When these problems arise confidential information, resources, and other pertinent document may be stolen. Not to mention, spyware, virus, and malware.
7) [Ch 4, Thought Questions, no. 4]—Given the weakness of commercial WAN security, why do you think companies continue to use WAN technology without added cryptographic protections?
Companies will continue to use WAN because it is a cheaper alternative to using other methods. Commercial WANs restrict who attaches to them, and not open to all servers, being exclusive reduces the risks. Another reason is that customers are not aware of information about traffic routes or supervisory functions. This prevents hackers from hacking into the company without the prior knowledge.