Академический Документы
Профессиональный Документы
Культура Документы
OF
CSE-213
ROLLNO-
B.C.A-
1. Que: A Password may become known to other users in a variety of ways. Is there a
simple method for detecting that such an event has occurred? Explain your answer.
Ans: A system and method for monitoring tamper events in a computer system in
accordance with the present invention is disclosed. The system comprises a detector
means for detecting at least one tamper event and for providing an indication when the
tamper event has occurred for longer than a predetermined time period. The system
also includes an adapter means coupled to the detector means for receiving the
indication and for disabling the computer system. The present invention is directed to a
computer system, which has the ability to functionally determine if a tamper event is
authorized and therefore allows the computer to operate after such an event. In a
preferred embodiment, the tamper event could be as simple as a toggle switch being
activated when the cover of the personal computer is removed.
2.Que:What is the purpose of using a “salt” along with the user-provided password?
Where should the “salt” be stored, and how should it be used?
For best security, the salt value is kept secret, separate from the database. This
provides an advantage when a password database is stolen, but the salt is not. To
determine a password from a stolen hash, an attacker cannot simply try common
passwords (such as English language words or names). Rather, they must calculate the
hashes of random characters (at least for the portion of the input they know is the salt),
which is much slower.
In some protocols, the salt is transmitted as cleartext with the encrypted data,
sometimes along with the number of iterations used in generating the key (for key
strengthening). Cryptographic protocols that use salts include SSL and Ciphersaber.
Early Unix systems used a 12-bit salt, but modern implementations use larger values.
Assume a user’s secret key is stolen and he is known to use one of 200,000 English
words as his password. The system uses a 32-bit salt. The salted key is now the
original password appended to this random 32-bit salt. Because of this salt, the
attacker’s pre-calculated hashes are of no value. He must calculate the hash of each
word with each of 232 (4,294,967,296) possible salts appended until a match is found.
The total number of possible inputs can be obtained by multiplying the number of words
in the dictionary with the number of possible salts:
To complete a brute-force attack, the attacker must now compute about 800 trillion
hashes, instead of only 200,000. Even though the password itself is known to be simple,
the secret salt makes breaking the password radically more difficult.
3.Que: Discuss a means by which managers of systems connected to the internet could
have designed their systems to limit or eliminate the damage done by a worm. What are
the drawbacks of making the change that you suggest?
Ans: The end result should not be surprising. We don’t have “real” security that
guarantees to stop bad things from happening, and the main reason is that people don’t
buy it. They don’t buy it because the danger is small, and because security is a pain.
• Since the danger is small, people prefer to buy features. A secure system has
fewer features because it has to be implemented correctly. This means that it takes
more time to build, so naturally it lacks the latest features.
• Security is a pain because it stops you from doing things, and you have to do
work to authenticate yourself and to set it up.
A secondary reason we don’t have “real” security is that systems are complicated, and
therefore both the code and the setup have bugs that an attacker can exploit. This is the
reason that gets all the attention, but it is not the heart of the problem.
Will things get better? Certainly if there are some major security catastrophes, buyers
will change their priorities and systems will become more secure. Short of that, the best
we can do is to drastically simplify the parts of systems that have to do with security:
• Users need to have at most three categories for authorization: me, my group or
company, and the world.
• Administrators need to write policies that control security settings in a uniform
way, since they can’t deal effectively with lots of individual cases.
• Everyone needs a uniform way to do end-to-end authentication and
authorization across the entire Internet.
Since people would rather have features than security, most of these things are unlikely
to happen.
On the other hand, don’t forget that in the real world security depends more on police
than on locks, so detecting attacks, recovering from them, and punishing the bad guys
are more important than prevention.
Section 2.3 discusses these points in more detail. For a fuller account, see Bruce
Schneier’s recent book
Organizations and people that use computers can describe their needs for information
security under four major headings [Error: Reference source not found]:
4. Que: What are three advantages of encrypting data stored in the computer system?
Ans: Encryption can play a very important role in your day-to-day computing and
communicating:
5. Que: Discuss how the asymmetric encryption algorithm can be used to achieve the
following goals:
a. Authentication: the receiver knows that only the sender could have
generated the message.
c. Authentication: only the receiver can decrypt the message, and the
receiver knows that only the sender could have generated the message.
Any message (text, binary files, or documents) that are encrypted by using the public
key can only be decrypted by applying the same algorithm, but by using the matching
private key. Any message that is encrypted by using the private key can only be
decrypted by using the matching public key.
This means that you do not have to worry about passing public keys over the Internet
(the keys are supposed to be public). A problem with asymmetric encryption, however,
is that it is slower than symmetric encryption. It requires far more processing power to
both encrypt and decrypt the content of the message.
6. Que: What are the benefits of DFS when compare to a file system in a centralized
system.
Ans: The Distributed File System (DFS) technologies in Windows Server 2003 R2 offer
wide area network (WAN)-friendly replication as well as simplified, fault-tolerant access
to geographically dispersed files. The two technologies in DFS are as follows:
If you are using Windows Server 2003 R2 and want to keep folders synchronized, we
recommend using DFS Replication instead of FRS. DFS Replication system in Windows
Server 2003 R2 has many benefits over File Replication Service (FRS), including
improved management tools, higher performance, and delegated management.
The Distributed File System (DFS) is used to build a hierarchical view of multiple file
servers and shares on a network. Instead of having to supply a specific machine name
for each set of files that are hosted on multiple servers, the user is only required
to supply one name. This will serve as the 'key' to a list of shares found on multiple
servers on the network. In summary, DFS can best be described as a logical list of
folders in one centralized view that contains links which point to one or more servers
that physically host those shares.
7. Que: What aspect of distributed system would you select for a system running on a
totally reliable network?
Ans: Microsoft has heavily invested in understanding and meeting the needs of both its
desktop and enterprise customers. Now that ERP systems have evolved to serve a
mission critical role, Microsoft understands the imperative that these systems be
deployed on a platform that provides a rich feature set that assures the following:
Ans: Yes, this approach is equivalent to including the access privileges of domain B in
those of domain A as long as the switch privileges associated with domain B are also
copied over to domain A.
10. Que: How does the principle of least privileges aid in the creation of protection
systems?
Ans: The principle of least privilege allows users to be given just enough privileges to
perform their tasks. A system implemented within the framework of this principle has the
property that a failure or compromise of a component does the minimum damage to the
system since the failed or compromised component has the least set of privileges
required to support its normal mode of operation.
11. Que: How can systems that implement the principle of least privileges still have
protection failures that lead to security violations?
Ans: The principle of least privileges only limits the damage but does not prevent the
misuse of access privileges associated with a module if the module were to be
compromised. For instance, if a system code is given the access privileges to deal with
the task of managing tertiary storage, a security loophole in the code would not cause
any damage to other parts of the system, but it could still cause protection failures in
accessing the tertiary storage.