

B.E. Sem. VII [CMPN]

System Security
Prelim Question Paper Solution


We use the term "security" in many ways in our daily lives. A "security system" protects our
house, warning the neighbors or the police if an unauthorized intruder tries to get in.
Computer security rests on confidentiality, integrity and availability. The interpretations of these
three aspects vary, as do the contexts in which they arise. The interpretation of an aspect in a given
environment is dictated by the needs of the individuals, customs and laws of the particular organization.
1) Confidentiality : Confidentiality is the concealment of information or resources. The need for
keeping information secret arises from the use of computers in sensitive fields such as
government and industry.

2) Integrity : Integrity refers to the trustworthiness of data or resources, and it is usually
phrased in terms of preventing improper or unauthorized change. Integrity includes data
integrity (the content of the information) and origin integrity (the source of the data, often
called authentication). The source of information may bear on its accuracy and credibility
and on the trust that people place in the information.

3) Availability : Availability refers to the ability to use the information or resource desired.
Availability is an important aspect of reliability as well as of system design, because an
unavailable system is at least as bad as no system at all. The aspect of availability that is
relevant to security is that someone may deliberately arrange to deny access to data or to a
service by making it unavailable.

Fig. : Relationship between Confidentiality, Integrity, and Availability (the three goals shown
around "Secure").

The figure above illustrates how the three goals of security apply to data. In particular,
confidentiality prevents unauthorized disclosure of a data item, integrity prevents
unauthorized modification, and availability prevents denial of authorized access.

Another typical situation parallels a common human need: an order to transfer funds from one person
to another. In other words, we want to be able to send electronically the equivalent of a computerized
check. We understand how this transaction is handled in the conventional, paper mode:
 A check is a tangible object authorizing a financial transaction.
 The signature on the check confirms authenticity since (presumably) only the legitimate
signer can produce that signature.
 Once a check is cashed, it is canceled so that it cannot be reused.
 The paper check is not alterable, or at least most forms of alteration are easily detected.

Transacting business by check depends on tangible objects in a prescribed form. But tangible
objects do not exist for transactions on computers. Therefore, authorizing payments by computer
requires a different model. Let us consider the requirements of such a situation, both from the
standpoint of a bank and from the standpoint of a user.

1113/Engg/BE/Pre Pap/2013/CMPN/Soln/SS 1
Vidyalankar : B.E. - SS

Suppose Sandy sends her bank a message authorizing it to transfer $100 to Tim. Sandy's bank
must be able to verify and prove that the message really came from Sandy if she should later
disavow sending the message. The bank also wants to know that the message is entirely Sandy's,
that it has not been altered along the way. On her part, Sandy wants to be certain that her bank
cannot forge such messages. Both parties want to be sure that the message is new, not a reuse
of a previous message, and that it has not been altered during transmission. Using electronic
signals instead of paper complicates this process.

But we have ways to make the process work. A digital signature is a protocol that produces the same
effect as a real signature: It is a mark that only the sender can make, but other people can easily
recognize as belonging to the sender. Just like a real signature, a digital signature is used to confirm
agreement to a message.

Security processes should be atomic, that is, they should occur "all at once." Race conditions can
arise when a security-critical process occurs in stages. In such cases, an attacker may be able to
make a change between the stages and thereby break the security. The term race condition refers
to a "race" between the attacker and the next stage of the process, though it's not so much a race
as a matter of careful timing for the attacker.
Fig. 1 : How mkdir is supposed to work.

The race condition that we’ll consider occurs in an outdated version of the Unix command mkdir,
which creates a new directory. With this version of mkdir, there is a stage that determines
authorization followed by a stage that transfers ownership. If Trudy can make a change after the
authorization stage but before the transfer of ownership, then she can become the owner of any
directory on the system.
The way that this version of mkdir is supposed to work is illustrated in figure 1. Note that mkdir
is not atomic and that is what makes it susceptible to a race condition.

Trudy can exploit the mkdir race condition if she can somehow implement the attack in figure 2.
In this attack, after the space for the new directory is allocated to Trudy, a link is established from
the password file (which Trudy is not authorized to access) to this space before ownership of the
new directory is transferred to Trudy. The attack requires careful (or lucky) timing by Trudy.
Race conditions are probably fairly common. But attacks based on race conditions require careful
timing, which makes them much more difficult to exploit than buffer overflow conditions. The way
to prevent race conditions is to be sure that security-critical processes are atomic. However, this
is easier said than done.

Fig. 2 : Attack on the mkdir race condition (the link to the password file is created between
the allocation and the ownership-transfer stages).
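As an added illustration (not part of the original solution), the following Python models the two-stage "check, then act" pattern the text warns about, generalized from mkdir to ordinary file creation, beside the single atomic operation that leaves no window between the stages. The symlink planted in the gap stands in for the link to the password file in Fig. 2; all paths are constructed in a temporary directory and the function names are this example's own.

```python
import os
import tempfile


def racy_create(path, data, between_stages=None):
    """Two-stage create: check that nothing exists, then open and write.

    `between_stages` models whatever another process manages to do in the gap
    between the check and the open (the "careful timing" of Fig. 2).
    open() follows symlinks, so a link planted in that gap redirects the write.
    """
    if os.path.exists(path):                  # stage 1: the check
        return False
    if between_stages is not None:
        between_stages()                      # the window between the stages
    with open(path, "w") as fh:               # stage 2: the action
        fh.write(data)
    return True


def atomic_create(path, data):
    """Single-stage create: the kernel checks and creates in one operation.

    O_CREAT|O_EXCL fails if anything (file or symlink) is already at `path`,
    so there is no gap for another process to exploit. O_NOFOLLOW is added
    where the platform provides it.
    """
    flags = os.O_WRONLY | os.O_CREAT | os.O_EXCL | getattr(os, "O_NOFOLLOW", 0)
    try:
        fd = os.open(path, flags, 0o600)
    except OSError:                           # EEXIST (or ELOOP on some systems)
        return False
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return True


def demo():
    """Run both versions against a planted symlink in a fresh temporary directory.

    Returns each function's result and the contents of victim.txt afterwards
    (a constructed stand-in for a sensitive file such as the password file).
    """
    workdir = tempfile.mkdtemp()
    victim = os.path.join(workdir, "victim.txt")
    newfile = os.path.join(workdir, "newfile")

    def reset():
        with open(victim, "w") as fh:
            fh.write("original\n")
        if os.path.lexists(newfile):
            os.unlink(newfile)

    # Racy version: the link appears between the check and the open, so the
    # write goes through the link and lands in victim.txt.
    reset()
    racy_ok = racy_create(newfile, "written via race\n",
                          between_stages=lambda: os.symlink(victim, newfile))
    with open(victim) as fh:
        racy_victim = fh.read()

    # Atomic version: there is no gap, so the link is planted before the call;
    # O_EXCL refuses because something already sits at the path.
    reset()
    os.symlink(victim, newfile)
    atomic_ok = atomic_create(newfile, "written atomically\n")
    with open(victim) as fh:
        atomic_victim = fh.read()

    return {"racy_returned": racy_ok, "racy_victim": racy_victim,
            "atomic_returned": atomic_ok, "atomic_victim": atomic_victim}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```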


1. (d) THREATS
There are four different types of threats:
 An interception means that some unauthorized party has gained access to an asset. The
outside party can be a person, a program, or a computing system. Examples of this type of
failure are illicit copying of program or data files, or wiretapping to obtain data in a network.
Although a loss may be discovered fairly quickly, a silent interceptor may leave no traces by
which the interception can be readily detected.
 In an interruption, an asset of the system becomes lost, unavailable, or unusable. An
example is malicious destruction of a hardware device, erasure of a program or data file, or
malfunction of an operating system file manager so that it cannot find a particular disk file.

Fig. 1 : System security threats

 If an unauthorized party not only accesses but tampers with an asset, the threat is a
modification. For example, someone might change the values in a database, alter a program
so that it performs an additional computation, or modify data being transmitted electronically.
It is even possible to modify hardware. Some cases of modification can be detected with
simple measures, but other, more subtle, changes may be almost impossible to detect.
 Finally, an unauthorized party might create a fabrication of counterfeit objects on a
computing system. The intruder may insert spurious transactions into a network communication
system or add records to an existing database. Sometimes these additions can be detected as
forgeries, but if skillfully done, they are virtually indistinguishable from the real thing.

 Kerberos is a system that supports authentication in distributed systems.
 Kerberos is used for authentication between intelligent processes such as client-to-server
tasks or a user's workstation to another host.
 To understand the working of Kerberos in detail, consider the following example.
 Example : A user wants to access a file server and a database server, but cannot do so directly.
 First he has to get a ticket from the Ticket Granting Server (TGS); using this ticket he can
then access the file server.
 For the database server, he has to obtain another ticket and then access the database server.
 One more server is involved here, i.e. the authentication server or Kerberos server (AS / KS),
which verifies the user's identity.
 Notations:
 K[AS-TGS] : key shared between AS and TGS, i.e. AS and TGS communicate using this key.
 K[FS-TGS] : similarly, the key shared between FS and TGS.
 E_K[AS-TGS](m) : message m encrypted with the key shared between AS and TGS.
 Public key of AS, KU[AS], is known to all users.

Fig. 1

 Actual communication flow in the system is as follows:

 Say the user wants to access the file server:
1) The user passes its identity to AS.
2) If authenticated, AS passes a ticket for the ticket granting server (TG) and a secret key (SG)
to the user. AS also passes SG to TGS. From now on, communication between the user and TGS is
done using SG.
3) But if SG were sent as it is, an attacker might obtain it, so it is encrypted using the shared
secret key: E_K[AS-TGS](SG) is sent to TGS.
4) E_KR[AS](SG + TG) is sent to the user. (Communication between servers is done using a shared
secret key, but between user and server the server encrypts using its private key KR[AS] so that
the user decrypts it using the public key.)

 Further, for obtaining access to the file server:

1) The user sends a request (to access the file server) together with TG to TGS. Looking at TG,
TGS sees that the user is an authenticated user. So TGS generates TF (ticket to the file server)
and SF (secret key for communication between the file server and the user).
2) TGS sends this reply to the user.
3) The user decrypts it, as it has SG, and gets SF; but E_K[FS-TGS](SF + TF) can be decrypted
only by FS and TGS, so the user cannot read that part.
4) The user passes that part as it is to the file server; the file server can decrypt it and see
the inner message.
5) It thus gets SF (which may be used for future communication between the file server and the user).
6) Looking at TF, it sees that this is a valid user.


Fig. 3


The Diffie–Hellman key agreement was invented in 1976 during a collaboration between
Whitfield Diffie and Martin Hellman and was the first practical method for establishing a shared
secret over an unprotected communications channel.

Diffie–Hellman establishes a shared secret that can be used for secret communications by
exchanging data over a public network.

Here is an explanation which includes the encryption's mathematics:

The simplest, and original, implementation of the protocol uses the multiplicative group of
integers modulo p, where p is prime and g is a primitive root mod p.

Here is an example of the protocol (in the original, non-secret values are shown in green and
secret values in boldface red; the secret values are a, b and the final shared secret):

                    Alice                          |                    Bob
  Secret   Public    Calculus                      |  Calculus               Public    Secret
           p, g                                    |                         p, g
  a                                                |                                   b
                     g^a mod p           -->       |
                                         <--       |  g^b mod p
                     (g^b mod p)^a mod p           |  (g^a mod p)^b mod p

1) Alice and Bob agree to use a prime number p = 23 and base g = 5.
2) Alice chooses a secret integer a = 6, then sends Bob A = g^a mod p
A = 5^6 mod 23 = 8.
3) Bob chooses a secret integer b = 15, then sends Alice B = g^b mod p
B = 5^15 mod 23 = 19.
4) Alice computes s = B^a mod p
19^6 mod 23 = 2.
5) Bob computes s = A^b mod p
8^15 mod 23 = 2.
 Both Alice and Bob have arrived at the same value, because g^ab and g^ba are equal mod p. Note
that only a, b and g^ab = g^ba mod p are kept secret. All the other values – p, g, g^a mod p, and
g^b mod p – are sent in the clear.
 Once Alice and Bob compute the shared secret they can use it as an encryption key, known
only to them, for sending messages across the same open communications channel.

Here's a more general description of the protocol:
1) Alice and Bob agree on a finite cyclic group G and a generating element g in G. (This is
usually done long before the rest of the protocol; g is assumed to be known by all attackers.)
We will write the group G multiplicatively.
2) Alice picks a random natural number a and sends g^a to Bob.
3) Bob picks a random natural number b and sends g^b to Alice.
4) Alice computes (g^b)^a.
5) Bob computes (g^a)^b.
Both Alice and Bob are now in possession of the group element g^ab, which can serve as the shared
secret key.
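The exchange above carried out in Python, as an added example that is not part of the original solution: it reproduces the page's values p = 23, g = 5, a = 6, b = 15, checks the "primitive root" condition on g, and, going beyond the text, shows why the toy prime gives no secrecy by recovering a from the public values alone. All function names are this example's own.

```python
def is_primitive_root(g, p):
    """True if the powers of g modulo the prime p run through all of 1..p-1."""
    seen = set()
    x = 1
    for _ in range(p - 1):
        x = (x * g) % p
        seen.add(x)
    return len(seen) == p - 1


def dh_public(g, secret, p):
    """What each party publishes: g^secret mod p."""
    return pow(g, secret, p)


def dh_shared(peer_public, secret, p):
    """What each party computes privately: (peer's public value)^secret mod p."""
    return pow(peer_public, secret, p)


def run_exchange(p, g, a, b):
    """Both sides of the protocol; returns (A, B, Alice's s, Bob's s)."""
    if not is_primitive_root(g, p):
        raise ValueError(f"{g} is not a primitive root mod {p}")
    A = dh_public(g, a, p)            # Alice -> Bob, sent in the clear
    B = dh_public(g, b, p)            # Bob -> Alice, sent in the clear
    s_alice = dh_shared(B, a, p)      # (g^b)^a mod p
    s_bob = dh_shared(A, b, p)        # (g^a)^b mod p
    return A, B, s_alice, s_bob


def eavesdropper_recovers_secret(p, g, A, B):
    """An observer sees only p, g, A and B. For a 23-element group it can try
    every exponent until g^x mod p == A (a brute-force discrete logarithm) and
    then compute the shared secret exactly as Alice does. With a prime of
    2048 bits this loop is infeasible, which is the security argument of the
    protocol; small p here is for illustration only."""
    for x in range(1, p):
        if pow(g, x, p) == A:
            return x, pow(B, x, p)
    return None


if __name__ == "__main__":
    A, B, s_alice, s_bob = run_exchange(23, 5, 6, 15)
    print("A =", A, "B =", B, "shared secret =", s_alice, s_bob)
    print("eavesdropper recovers (a, s) =", eavesdropper_recovers_secret(23, 5, A, B))
```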

Spoofing is a means to hide one's true identity on the network.

Countermeasures: To avoid the risk

 Filter the incoming packets that appear to come from an internal IP address at your perimeter.
 Filter the outgoing packets that appear to originate from an invalid local IP address.

ARP spoofing is a computer hacking technique whereby an attacker sends fake Address
Resolution Protocol (ARP) messages onto a Local Area Network.

Generally, the aim is to associate the attacker's MAC address with the IP address of another host,
causing any traffic meant for that IP address to be sent to the attacker instead.
ARP spoofing may allow an attacker to intercept data frames on a LAN, modify the traffic or
stop the traffic altogether. Often the attack is used as an opening for other attacks such as denial
of service, man in the middle, or session hijacking attacks.
The attack can only be used on networks that make use of ARP and is limited to local network



In cases where there are many senders and one receiver, this level of secrecy can be inconvenient.
The solution is public key encryption. In this method, every user has the same encryption
algorithm and key. The decryption algorithm and key, however, are kept secret. Anyone can
encrypt information, but only the authorized receiver can decrypt it. The decryption algorithm is
not the inverse of the encryption algorithm.

The RSA Public-Key Encryption Algorithm

One of the first public-key schemes, developed by Ron Rivest, Adi Shamir and Len Adleman at
The encryption key is made public and the decryption key is kept secret.


1) Choose two large primes, p and q (typically 1024 bits).
2) Compute n = p × q and z = (p − 1) × (q − 1).
3) Choose a number relatively prime to z and call it d (decryption key / secret key, Ks).
4) Find e (encryption key / public key, Kp) such that e × d ≡ 1 (mod z).

To encrypt a message P, compute C = P^e (mod n).

To decrypt C, compute P = C^d (mod n).
The security of the method is based on the difficulty of factoring large numbers.

Example :
Step 1 : Choose two primes p and q.
Let p = 7 and q = 17.

Step 2 : Calculate N and z.
N = p × q = 7 × 17 = 119
z = (p − 1) × (q − 1) = 6 × 16 = 96

Step 3 : Select Ks (i.e. d) such that it is relatively prime to z = 96, i.e. it shares no prime
factor with 96.
Factors of 96 are
96 = 2 × 2 × 2 × 2 × 2 × 3
Choose Ks = 5

Step 4 : Find Kp (i.e. e) such that e × d ≡ 1 (mod z), i.e. 5 × e ≡ 1 (mod 96).
So 96 × n + 1 = 5e for some integer n, i.e. e = (96 × n + 1) / Ks. Try successive values of n:

n    (96 × n + 1) / Ks
1    97/5                not an integer
2    193/5               not an integer
3    289/5               not an integer
4    385/5 = 77

e = 77
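The key-generation steps and the encrypt/decrypt formulas above in Python, as an added example (not from the original solution). It follows the page's order (d chosen first, e derived), reproduces e = 77 both by the page's tabular search and by the extended Euclidean algorithm, and rejects a d that is "not a factor of z" yet still shares a factor with it (d = 9 against z = 96), which is why the condition must be "relatively prime". Function names are this example's own.

```python
from math import gcd


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(d, z):
    """The e with e*d = 1 (mod z); exists only when gcd(d, z) == 1."""
    g, x, _ = egcd(d, z)
    if g != 1:
        raise ValueError(f"{d} is not relatively prime to {z} (gcd = {g})")
    return x % z


def e_by_table(d, z, max_n=1000):
    """The page's tabular search: smallest n for which (z*n + 1)/d is an integer."""
    for n in range(1, max_n + 1):
        if (z * n + 1) % d == 0:
            return (z * n + 1) // d
    return None


def rsa_keygen(p, q, d):
    """Returns ((e, n), (d, n)) = (public key Kp, private key Ks)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:      # "not a factor of z" is not enough: 9 is not a
        raise ValueError(   # factor of 96 but shares the factor 3 with it
            f"d = {d} shares a factor with z = {z}; choose d relatively prime to z")
    return (modinv(d, z), n), (d, n)


def encrypt(P, public):
    e, n = public
    if not 0 <= P < n:
        raise ValueError("a message block must be a number smaller than n")
    return pow(P, e, n)          # C = P^e mod n


def decrypt(C, private):
    d, n = private
    return pow(C, d, n)          # P = C^d mod n


if __name__ == "__main__":
    public, private = rsa_keygen(7, 17, 5)
    print("public key (e, n) =", public, " private key (d, n) =", private)
    C = encrypt(19, public)
    print("C =", C, " decrypted P =", decrypt(C, private))
```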

The Strength of RSA

To decrypt a message that was encrypted using a 129-decimal-digit number as the public
modulus would require 40 quadrillion years with current technology to crack the code.
Note : Currently a 1024-bit key size is considered strong enough for virtually all applications.


After the perimeter controls, firewall, and authentication and access controls block certain
actions, some users are admitted to use a computing system. Most of these controls are
preventive: they block known bad things from happening. Many studies have shown that most
computer security incidents are caused by insiders, people who would not be blocked by a
firewall. And insiders require access with significant privileges to do their daily jobs. The vast
majority of harm from insiders is not malicious; it is honest people making honest mistakes.
Then, too, there are the potential malicious outsiders who have somehow passed the screens of
firewalls and access controls. Prevention, although necessary, is not a complete computer security
control; detection during an incident copes with harm that cannot be prevented in advance. Halme
and Bauer survey the range of controls to address intrusions.

Intrusion detection systems complement these preventive controls as the next line of defense. An
intrusion detection system (IDS) is a device, typically another separate computer, that monitors
activity to identify malicious or suspicious events. An IDS is a sensor, like a smoke detector, that
raises an alarm if specific things occur. A model of an IDS is shown in figure 1. The components
in the figure are the four basic elements of an intrusion detection system, based on the Common
Intrusion Detection Framework. An IDS receives raw inputs from sensors. It saves those inputs,
analyzes them, and takes some controlling action.

IDSs perform a variety of functions :

 monitoring users and system activity
 auditing system configuration for vulnerabilities and misconfigurations
 assessing the integrity of critical system and data files
 recognizing known attack patterns in system activity
 identifying abnormal activity through statistical analysis
 managing audit trails and highlighting user violation of policy or normal activity
 correcting system configuration errors
 installing and operating traps to record information about intruders

Fig. 1 : Common Components of an Intrusion Detection Framework.

No one IDS performs all of these functions. Let us look more closely at the kinds of IDSs and
their use in providing security.

Types of IDSs
The two general types of intrusion detection systems are signature based and heuristic. Signature-
based intrusion detection systems perform simple pattern-matching and report situations that
match a pattern corresponding to a known attack type. Heuristic intrusion detection systems, also
known as anomaly based, build a model of acceptable behavior and flag exceptions to that model;
for the future, the administrator can mark a flagged behavior as acceptable so that the heuristic
IDS will now treat that previously unclassified behavior as acceptable.

Intrusion detection devices can be network based or host based. A network-based IDS is a stand-
alone device attached to the network to monitor traffic throughout that network; a host-based IDS
runs on a single workstation or client or host, to protect that one host.

Early intrusion detection systems worked after the fact, by reviewing logs of system activity to
spot potential misuses that had occurred. The administrator could review the results of the IDS to
find and fix weaknesses in the system. Now, however, intrusion detection systems operate in real
time (or near real time), watching activity and raising alarms in time for the administrator to take
protective action.

Signature-Based Intrusion Detection

A simple signature for a known attack type might describe a series of TCP SYN packets sent to
many different ports in succession and at times close to one another, as would be the case for a
port scan. An intrusion detection system would probably find nothing unusual in the first SYN,
say, to port 80, and then another (from the same source address) to port 25. But as more and more
ports receive SYN packets, especially ports that are not open, this pattern reflects a possible port
scan. Similarly, some implementations of the protocol stack fail if they receive an ICMP packet
with a data length of 65535 bytes, so such a packet would be a pattern for which to watch.
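The port-scan signature just described, written out as an added example (not from the original solution) and run over constructed SYN log lines: a source that sends SYNs to at least min_ports distinct ports within a sliding window of `window` seconds raises one alert. The log format, the thresholds and the third source, which probes the same ports too slowly to fit in the window, are assumptions chosen to show what the signature catches and what it misses.

```python
import re
from collections import defaultdict

# Constructed, time-ordered log of TCP SYN records (seconds, source,
# destination:port). 203.0.113.7 probes six ports in three seconds;
# 198.51.100.20 only ever talks to port 80; 192.0.2.9 probes five ports
# too, but fifteen seconds apart.
SYN_LOG = """\
0.0  SYN 203.0.113.7   -> 198.51.100.10:80
0.4  SYN 203.0.113.7   -> 198.51.100.10:25
0.9  SYN 198.51.100.20 -> 198.51.100.10:80
1.1  SYN 203.0.113.7   -> 198.51.100.10:22
1.5  SYN 203.0.113.7   -> 198.51.100.10:23
2.0  SYN 198.51.100.20 -> 198.51.100.10:80
2.3  SYN 203.0.113.7   -> 198.51.100.10:443
3.0  SYN 203.0.113.7   -> 198.51.100.10:21
10.0 SYN 192.0.2.9     -> 198.51.100.10:80
25.0 SYN 192.0.2.9     -> 198.51.100.10:25
40.0 SYN 192.0.2.9     -> 198.51.100.10:22
55.0 SYN 192.0.2.9     -> 198.51.100.10:23
70.0 SYN 192.0.2.9     -> 198.51.100.10:443
"""

SYN_LINE = re.compile(
    r"^(?P<t>\d+(?:\.\d+)?)\s+SYN\s+(?P<src>\S+)\s+->\s+\S+:(?P<port>\d+)$")


def detect_port_scans(log_text, min_ports=5, window=5.0):
    """Signature: one source sends SYNs to >= min_ports distinct destination
    ports within `window` seconds. Returns one alert per offending source as
    (source, time of detection, sorted ports seen inside the window).
    Records are assumed to arrive in time order."""
    recent = defaultdict(list)      # source -> [(time, port)] still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        m = SYN_LINE.match(line.strip())
        if not m:
            continue                # not a SYN record; other signatures handle those
        t, src, port = float(m["t"]), m["src"], int(m["port"])
        hist = [(ts, p) for ts, p in recent[src] if t - ts <= window]
        hist.append((t, port))      # drop what fell out of the window, add this SYN
        recent[src] = hist
        ports = {p for _, p in hist}
        if len(ports) >= min_ports and src not in alerted:
            alerted.add(src)        # report each source once, when it first crosses
            alerts.append((src, t, sorted(ports)))
    return alerts


if __name__ == "__main__":
    for src, t, ports in detect_port_scans(SYN_LOG):
        print(f"ALERT t={t}: possible port scan from {src}, ports {ports}")
```

The slow source is only reported when the window is widened, which is the trade-off behind the "careful timing" and signature-tuning remarks in the text.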

The problem with signature-based detection is the signatures themselves. An attacker will try to
modify a basic attack in such a way that it will not match the known signature of that attack. For
example, the attacker may convert lowercase to uppercase letters or convert a symbol such as
"blank space" to its character code equivalent %20. The IDS must necessarily work from a
canonical form of the data stream in order to recognize that %20 matches a pattern with a blank
space. The attacker may insert malformed packets that the IDS will see, to intentionally cause a
pattern mismatch; the protocol handler stack will discard the packets because of the
malformation. Each of these variations could be detected by an IDS, but more signatures require
additional work for the IDS, which reduces performance.

Of course, signature-based IDSs cannot detect a new attack for which a signature is not yet
installed in the database. Every attack starts as a new attack at some time, and the IDS is helpless
to warn of its existence.

Ideally, signatures should match every instance of an attack, match subtle variations of the attack,
but not match traffic that is not part of an attack. However, this goal is grand but unreachable.

Heuristic Intrusion Detection

Because signatures are limited to specific, known attack patterns, another form of intrusion
detection becomes useful. Instead of looking for matches, heuristic intrusion detection looks for
behavior that is out of the ordinary. The original work in this area focused on the individual,
trying to find characteristics of that person that might be helpful in understanding normal and
abnormal behavior. For example, one user might always start the day by reading e-mail, write
many documents using a word processor, and occasionally back up files. These actions would be
normal. This user does not seem to use many administrator utilities. If that person tried to access
sensitive system management utilities, this new behavior might be a clue that someone else was
acting under the user's identity. The approach has been extended to networks. Later work sought
to build a dynamic model of behavior, to accommodate variation and evolution in a person's
actions over time. The technique compares real activity with a known representation of normality.

Alternatively, intrusion detection can work from a model of known bad activity. For example,
except for a few utilities (login, change password, create user), any other attempt to access a
password file is suspect. This form of intrusion detection is known as misuse intrusion detection.
In this work, the real activity is compared against a known suspicious area.

All heuristic intrusion detection activity is classified in one of three categories: good/benign,
suspicious, or unknown. Over time, specific kinds of actions can move from one of these categories
to another, corresponding to the IDS's learning whether certain actions are acceptable or not.

As with pattern-matching, heuristic intrusion detection is limited by the amount of information
the system has seen (to classify actions into the right category) and by how well the current
actions fit into one of these categories.


Sometimes the encryption and decryption keys are the same, so P = D(K, E(K, P)). This form is
called symmetric encryption because D and E are mirror-image processes. At other times,
encryption and decryption keys come in pairs. Then, a decryption key, KD, inverts the encryption
of key KE, so that P = D(KD, E(KE, P)). Encryption algorithms of this form are called
asymmetric because converting C back to P involves a series of steps and a key that are different
from the steps and key of E. The difference between symmetric and asymmetric encryption is
shown in the following figure.


Fig. 2 : (a) Symmetric cryptosystem: plaintext is encrypted and decrypted with the same key;
(b) Asymmetric cryptosystem: plaintext is encrypted with an encryption key and decrypted with a
different decryption key.

Comparison of DES and AES:

                           DES                            AES
Date                       1976                           1999
Block size                 64 bits                        128 bits
Key length                 56 bits (effective length)     128, 192, 256 (and possibly more) bits
Encryption primitives      Substitution, permutation      Substitution, shift, bit mixing
Cryptographic primitives   Confusion, diffusion           Confusion, diffusion
Design                     Open                           Open
Design rationale           Closed                         Open
Selection process          Secret                         Secret, but accepted open public comment
Source                     IBM, enhanced by NSA           Independent Dutch cryptographers

A firewall is a device that filters all traffic between a protected or "inside" network and a less
trustworthy or "outside" network. Usually a firewall runs on a dedicated device: because it is a
single point through which traffic is channeled, performance is important, which means
non-firewall functions should not be done on the same machine. Because a firewall is executable
code, an attacker could compromise that code and execute from the firewall's device. Thus, the
fewer pieces of code on the device, the fewer tools the attacker would have by compromising the
firewall. Firewall code usually runs on a proprietary or carefully minimized operating system.

The purpose of a firewall is to keep "bad" things outside a protected environment. To accomplish
that, firewalls implement a security policy that is specifically designed to address what bad things
might happen. For example, the policy might be to prevent any access from outside (while still
allowing traffic to pass from the inside to the outside). Alternatively, the policy might permit
accesses only from certain places, from certain users, or for certain activities. Part of the
challenge of protecting a network with a firewall is determining which security policy meets the
needs of the installation.

People in the firewall community (users, developers, and security experts) disagree about how a
firewall should work. In particular, the community is divided about a firewall’s default behavior.
We can describe the two schools of thought as “that which is not expressly forbidden is
permitted” (default permit) and “that which is not expressly permitted is forbidden” (default
deny). Users, always interested in new features, prefer the former. Security experts, relying on
several decades of experience, strongly counsel the latter. An administrator implementing or
configuring a firewall must choose one of the two approaches, although the administrator can
often broaden the policy by setting the firewall’s parameters.


Design of Firewalls
A reference monitor must be
 always invoked
 tamperproof
 small and simple enough for rigorous analysis

A firewall is a special form of reference monitor. By carefully positioning a firewall within a
network, we can ensure that all network accesses that we want to control must pass through it.
This restriction meets the "always invoked" condition. A firewall is typically well isolated,
making it highly immune to modification. Usually a firewall is implemented on a separate
computer, with direct connections only to the outside and inside networks. This isolation is
expected to meet the "tamperproof" requirement. And firewall designers strongly recommend
keeping the functionality of the firewall simple.

Types of Firewalls

Firewalls have a wide range of capabilities. Types of firewalls include
 packet filtering gateways or screening routers
 stateful inspection firewalls
 application proxies
 guards
 personal firewalls

Packet Filtering Gateway

A packet filtering gateway or screening router is the simplest, and in some situations, the most
effective type of firewall. A packet filtering gateway controls access to packets based on packet
address (source or destination) or specific transport protocol type (such as HTTP web traffic).
Putting ACLs on routers may severely impede their performance, but a separate firewall behind (on
the local side of) the router can screen traffic before it gets to the protected network. Figure 1 shows
a packet filter that blocks access from (or to) addresses in one network; the filter allows HTTP
traffic but blocks traffic using the Telnet protocol.

Fig. 1 : Packet Filter Blocking Addresses and Protocols.

For example, suppose an international company has three LANs at three locations throughout the
world, as shown in figure 2. In this example, the router has two sides: inside and outside. We say
that the local LAN is on the inside of the router, and the two connections to distant LANs through
wide area networks are on the outside. The company might want communication only among the
three LANs of the corporate network. It could use a screening router on the LAN at to
allow in only communications destined to the host at and to allow out only communications
addressed either to address or (for example, allowing certain Telnet
commands while blocking other services) is beyond the capability of a packet filter.

Fig. 2 : Three Connected LANs.
Packet filters can perform the very important service of ensuring the validity of inside addresses.
Inside hosts typically trust other inside hosts for all the reasons described as characteristics of
LANs. But the only way an inside host can distinguish another inside host is by the address
shown in the source field of a message. Source addresses in packets can be forged, so an inside
application might think it was communicating with another host on the inside instead of an
outside forger. A packet filter sits between the inside network and the outside net, so it can know
if a packet from the outside is forging an inside address, as shown in figure 3. A screening packet
filter might be configured to block all packets from the outside that claimed their source address
was an inside address. In this example, the packet filter blocks all packets claiming to come from
any address of the form 100.50.25.x (but, of course, it permits in any packets with destination

Fig. 3 : Filter Screening Outside Addresses

The primary disadvantage of packet filtering routers is a combination of simplicity and complexity.
The router's inspection is simplistic; to perform sophisticated filtering, the filtering rule set needs
to be very detailed. A detailed rule set will be complex and therefore prone to error. For example,
blocking all port 23 traffic (Telnet) is simple and straightforward. But if some Telnet traffic is to be
allowed, each IP address from which it is allowed must be specified in the rules; in this way, the
rule set can become very long.
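A packet filter of the kind described above, as an added example (not from the original solution), covering both the spoofing countermeasures given earlier (drop inbound packets claiming an inside source, drop outbound packets with an invalid local source) and the HTTP-allow / Telnet-block rules of figure 1: rules are tried in order, the first match wins, and anything unmatched falls to default deny. The inside range 100.50.25.0/24 is the page's; the per-host Telnet exception, the other addresses and the packet format are assumptions.

```python
import ipaddress
from collections import namedtuple

INSIDE_NET = ipaddress.ip_network("100.50.25.0/24")   # the page's inside addresses
ANY = ipaddress.ip_network("0.0.0.0/0")

# One filter rule. src/dst are networks, or ("not", network) for the complement;
# proto "any" and dport None act as wildcards. First match wins.
Rule = namedtuple("Rule", "name iface src dst proto dport action")

RULES = [
    # anti-spoofing on both sides of the router
    Rule("spoofed inside source", "outside", INSIDE_NET, ANY, "any", None, "drop"),
    Rule("invalid local source", "inside", ("not", INSIDE_NET), ANY, "any", None, "drop"),
    # each host allowed to Telnet in needs its own line ahead of the general
    # block; this is how a packet-filter rule set grows long
    Rule("telnet from admin host", "outside", ipaddress.ip_network("192.0.2.44/32"),
         INSIDE_NET, "tcp", 23, "accept"),
    Rule("block telnet", "outside", ANY, INSIDE_NET, "tcp", 23, "drop"),
    Rule("allow http", "outside", ANY, INSIDE_NET, "tcp", 80, "accept"),
    Rule("outbound traffic", "inside", INSIDE_NET, ANY, "any", None, "accept"),
]


def _addr_matches(spec, addr):
    if isinstance(spec, tuple):          # ("not", network)
        return addr not in spec[1]
    return addr in spec


def matches(rule, pkt):
    return (rule.iface == pkt["iface"]
            and _addr_matches(rule.src, pkt["src"])
            and _addr_matches(rule.dst, pkt["dst"])
            and rule.proto in ("any", pkt["proto"])
            and rule.dport in (None, pkt["dport"]))


def mkpkt(iface, src, dst, proto="tcp", dport=None):
    """iface is 'outside' for packets arriving from the WAN and 'inside' for
    packets leaving the LAN (constructed packet summary, headers only)."""
    return {"iface": iface, "src": src, "dst": dst, "proto": proto, "dport": dport}


def filter_packet(pkt, rules=RULES):
    """Returns (action, name of the rule that decided), with default deny."""
    pkt = dict(pkt, src=ipaddress.ip_address(pkt["src"]),
               dst=ipaddress.ip_address(pkt["dst"]))
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return "drop", "default deny"


if __name__ == "__main__":
    samples = [
        mkpkt("outside", "100.50.25.9", "100.50.25.1", "tcp", 80),   # forged inside source
        mkpkt("outside", "203.0.113.5", "100.50.25.1", "tcp", 80),   # web request
        mkpkt("outside", "203.0.113.5", "100.50.25.1", "tcp", 23),   # telnet from anywhere
        mkpkt("outside", "192.0.2.44", "100.50.25.1", "tcp", 23),    # telnet from admin host
        mkpkt("inside", "10.9.9.9", "203.0.113.5", "tcp", 80),       # bad local source
        mkpkt("inside", "100.50.25.9", "203.0.113.5", "udp", 53),    # normal outbound
        mkpkt("outside", "203.0.113.5", "100.50.25.1", "tcp", 22),   # nothing permits it
    ]
    for p in samples:
        print(p["iface"], p["src"], "->", p["dst"], p["proto"], p["dport"], filter_packet(p))
```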


Stateful Inspection Firewall

Filtering firewalls work on packets one at a time, accepting or rejecting each packet and moving on to
the next. They have no concept of “state” or “context” from one packet to the next. A stateful
inspection firewall maintains state information from one packet to another in the input stream.

One classic approach used by attackers is breaking an attack into multiple packets by forcing
some packets to have very short lengths so that a firewall will not be able to detect the signature
of an attack split across two or more packets. (Remember that with the TCP protocols, packets
can arrive in any order, and the protocol suite is responsible for reassembling the packet stream in
proper order before passing it along to the application.) A stateful inspection firewall would track
the sequence of packets and conditions from one packet to another to thwart such an attack.

Application Proxy

Packet filters look only at the headers of packets, not at the data inside the packets. Therefore, a
packet filter would pass anything to port 25, assuming its screening rules allow inbound
connections to that port. But applications are complex and sometimes contain errors. Worse,
applications (such as the e-mail delivery agent) often act on behalf of all users, so they require the
privileges of all users (for example, to store incoming mail messages so that inside users can read
them). A flawed application, running with all users' privileges, can cause much damage.

An application proxy gateway, also called a bastion host, is a firewall that simulates the (proper)
effects of an application so that the application will receive only requests to act properly. A
proxy gateway is a two-headed device : It looks to the inside as if it is the outside (destination)
connection, while to the outside it responds just as the insider would.

An application proxy runs pseudo-applications. For instance, when electronic mail is transferred to
a location, a sending process at one site and a receiving process at the destination communicate
by a protocol that establishes the legitimacy of a mail transfer and then actually transfers the mail
message. The protocol between sender and destination is carefully defined. A proxy gateway
essentially intrudes in the middle of this protocol exchange, seeming like a destination in
communication with the sender that is outside the firewall, and seeming like the sender in
communication with the real destination on the inside. The proxy in the middle has the
opportunity to screen the mail transfer, ensuring that only acceptable e-mail protocol commands
are sent to the destination.

Fig. 4 : Actions of Firewall Proxies.

As an example of application proxying, consider the FTP (file transfer) protocol. Specific
protocol commands fetch (get) files from a remote location, store (put) files onto a remote host,
list files (ls) in a directory on a remote host, and position the process (cd) at a particular point in a
directory tree on a remote host. Some administrators might want to permit gets but block puts,
and to list only certain files or prohibit changing out of a particular directory (so that an outsider
could retrieve only files from a pre-specified directory). The proxy would simulate both sides of
this protocol exchange. For example, the proxy might accept get commands, reject put
commands, and filter the local response to a request to list files.
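The get/put/ls/cd policy just described, as an added example that is not from the original solution: a Python model of the proxy's decision logic for one FTP control session, which must track the client's working directory itself because it stands in for the real server. The permitted directory /pub, the hidden listing suffixes, the command sets and the reply texts are constructed assumptions for the illustration.

```python
import posixpath

# Constructed policy for this example: outsiders may only retrieve files below
# this directory; uploads and modifications are refused; listings are filtered.
PERMITTED_ROOT = "/pub"
HIDDEN_SUFFIXES = (".key", ".conf")   # constructed: entries hidden from listings

# Commands that would let an outsider write to or rearrange the inside host.
WRITE_COMMANDS = {"STOR", "STOU", "APPE", "DELE", "RNFR", "RNTO", "MKD", "RMD"}
# Commands the proxy relays unchanged once the policy allows them.
PASSTHROUGH_COMMANDS = {"USER", "PASS", "SYST", "TYPE", "PWD", "PASV", "PORT",
                        "LIST", "NLST", "NOOP", "QUIT"}


class FtpProxyPolicy:
    """Stateful screen for one FTP control session.

    The proxy talks to the outside client as if it were the server, so it must
    track the client's working directory itself to judge relative paths.
    """

    def __init__(self, root=PERMITTED_ROOT):
        self.root = root
        self.cwd = root

    def _resolve(self, arg):
        # Absolute paths are taken as-is; relative ones hang off the tracked cwd.
        path = arg if arg.startswith("/") else posixpath.join(self.cwd, arg)
        return posixpath.normpath(path)   # collapses "." and ".." components

    def _inside_root(self, path):
        return path == self.root or path.startswith(self.root + "/")

    def decide(self, line):
        """Screen one client command.

        Returns (forward, reply): forward=True means relay the command to the
        real server; otherwise reply is the refusal the proxy sends back itself.
        """
        parts = line.strip().split(None, 1)
        if not parts:
            return False, "500 Syntax error, command unrecognized."
        cmd, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")

        if cmd in WRITE_COMMANDS:                       # block puts and friends
            return False, "550 Permission denied (uploads are not permitted)."
        if cmd == "CDUP":                               # same as "CWD .."
            cmd, arg = "CWD", ".."
        if cmd in ("CWD", "RETR"):                      # confine gets and cds to the root
            target = self._resolve(arg)
            if not self._inside_root(target):
                return False, "550 Permission denied (outside permitted directory)."
            if cmd == "CWD":
                self.cwd = target
            return True, None
        if cmd in PASSTHROUGH_COMMANDS:
            return True, None
        return False, "502 Command not implemented."    # default deny


def filter_listing(lines, hidden=HIDDEN_SUFFIXES):
    """Screen the server's directory listing before it reaches the client."""
    return [entry for entry in lines if not entry.rstrip().endswith(hidden)]


if __name__ == "__main__":
    policy = FtpProxyPolicy()
    for command in ("CWD docs", "RETR report.pdf", "STOR upload.bin", "CWD ../../private"):
        print(command, "->", policy.decide(command))
    print(filter_listing(["report.pdf", "server.key", "notes.txt"]))
```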

A guard is a sophisticated firewall. Like a proxy firewall, it receives protocol data units, interprets
them, and passes through the same or different protocol data units that achieve either the same
result or a modified result. The guard decides what services to perform on the user's behalf in
accordance with its available knowledge, such as whatever it can reliably know of the (outside)
user's identity, previous interactions, and so forth. The degree of control a guard can provide is
limited only by what is computable. But guards and proxy firewalls are similar enough that the
distinction between them is sometimes fuzzy. That is, we can add functionality to a proxy firewall
until it starts to look a lot like a guard.

Guard activities can be quite sophisticated, as illustrated in the following examples:

• A university wants to allow its students to use e-mail up to a limit of so many messages or so
many characters of e-mail in the last so many days. Although this result could be achieved by
modifying e-mail handlers, it is more easily done by monitoring the common point through
which all e-mail flows, the mail transfer protocol.
• A school wants its students to be able to access the World Wide Web but, because of the slow
speed of its connection to the web, it will allow only so many characters per downloaded image
(that is, allowing text mode and simple graphics, but disallowing complex graphics, animation,
music, or the like).
• A library wants to make available certain documents but, to support fair use of copyrighted
matter, it will allow a user to retrieve only the first so many characters of a document. After
that amount, the library will require the user to pay a fee that will be forwarded to the author.
• A company wants to allow its employees to fetch files via ftp. However, to prevent
introduction of viruses, it will first pass all incoming files through a virus scanner. Even
though many of these files will be non-executable text or graphics, the company
administrator thinks that the expense of scanning them (which should pass) will be negligible.

Personal Firewalls

Firewalls typically protect a (sub)network of multiple hosts. University students and employees in
offices are behind a real firewall. Increasingly, home users, individual workers, and small
businesses use cable modems or DSL connections with unlimited, always-on access. These
people need a firewall, but a separate firewall computer to protect a single workstation can seem
too complex and expensive. These people need a firewall's capabilities at a lower price.

A personal firewall is an application program that runs on a workstation to block unwanted
traffic, usually from the network. A personal firewall can complement the work of a conventional
firewall by screening the kind of data a single host will accept, or it can compensate for the lack
of a regular firewall, as in a private DSL or cable modem connection.

Just as a network firewall screens incoming and outgoing traffic for that network, a personal
firewall screens traffic on a single workstation. A workstation could be vulnerable to malicious code
or malicious active agents (ActiveX or Java applets), leakage of personal data stored on the
workstation, and vulnerability scans to identify potential weaknesses. Commercial implementations
of personal firewalls include Norton Personal Firewall from Symantec, McAfee Personal Firewall,
and Zone Alarm from Zone Labs.

The personal firewall is configured to enforce some policy. For example, the user may decide that
certain sites, such as computers on the company network, are highly trustworthy, but most other
sites are not. The user defines a policy permitting download of code, unrestricted data sharing,
and management access from the corporate segment, but not from other sites. Personal firewalls
can also generate logs of accesses, which can be useful to examine in case something harmful
does slip through the firewall.

Combining a virus scanner with a personal firewall is both effective and efficient. Typically,
users forget to run virus scanners daily, but they do remember to run them occasionally, such as
sometime during the week. However, leaving the virus scanner execution to the user's memory
means that the scanner detects a problem only after the fact—such as when a virus has been
downloaded in an e-mail attachment. With the combination of a virus scanner and a personal
firewall, the firewall directs all incoming e-mail to the virus scanner, which examines every
attachment the moment it reaches the target host and before it is opened.

A personal firewall runs on the very computer it is trying to protect. Thus, a clever attacker is
likely to attempt an undetected attack that would disable or reconfigure the firewall for the future.

Still, especially for cable modem, DSL, and other "always on" connections, the static workstation
is a visible and vulnerable target for an ever-present attack community. A personal firewall can
provide reasonable protection to clients that are not behind a network firewall.

5. (b) DES
• The DES algorithm uses a careful and complex combination of two fundamental encryption
techniques: substitution and transposition.
• This algorithm derives its strength from repeated application of these two techniques, one on
top of another, for 16 cycles.
• In other words, there are 16 iterations of substitution and transposition.
1) Plain text is divided into blocks of 64 bits. The key is 64 bits long, but in fact it can be any 56-bit
number; the extra 8 bits are used as check bits, which does not affect encryption in any way.
2) The transformations are done as shown in Fig. 1.

Fig. 1

• Substitution provides confusion and transposition provides diffusion.

• Plain text is affected by a series of cycles of a substitution followed by a permutation.
• Iterative substitution and permutation is performed.
• DES uses standard arithmetic and logical operations on numbers up to 64 bits, so it is
suitable for implementation in software on most current computers.


• Motivation for Double and Triple DES

  • Computing power has rapidly increased in the past few decades and promises to continue to
do so.
  • For this reason, the 56-bit DES key length is not long enough for some people to feel
  • To address this discomfort, it was suggested to use double encryption for better secrecy.

• Double DES
  • We take two keys k1 and k2 and perform two encryptions, one on top of the other: E(k2, E(k1, m)).
  • Theoretically this approach should multiply (increase) the difficulty of breaking the encryption,
since two locks are harder to pick than one.
  • But this assumption was false.
  • It was proved that it was no better than one.
  • Equivalent to key length = 57 bits.

• Triple DES
  • With 3 keys k1, k2, k3:
C = E(k3, D(k2, E(k1, m)))
  • With 2 keys k1, k2:
C = E(k1, D(k2, E(k1, m)))
  • Here you encrypt with one key, decrypt with the other key and then encrypt again with the
first key.
  • It is called Triple DES because of the triple application of the DES algorithm.
3 keys k1, k2, k3: effective key length = 112 bits.
2 keys k1, k2: effective key length = 80 bits.
• Denial of service, or the DoS attack, is an attack on the availability of resources (the resource may
be data or a service).
• This type of attack is much more significant in networks than in other contexts.
• In this attack the authorized users are denied the services and data they have access to.
• There are two main reasons for such a denial:
  • The connection is broken.
  • Congestion on the line.

• A break in the connection can be accidental or could be caused deliberately by an attacker.

• Congestion on the line could be due to high traffic in the network or deliberate flooding of the
network by an attacker.
• We can categorize these attacks based on the technique used as follows:
1) Transmission failure.
2) Connection flooding.

1) Transmission Failure
• A simple cut or break in a communication link (i.e. wire or cable) can cause transmission
• Failure of a machine along the transmission path due to hardware or software reasons can also
cause transmission failure. Such a device is then removed from service for repair and testing.
When a device is saturated it simply rejects all incoming data until it can clear its overload.
• This is a physical threat.

2) Connection Flooding
• It is the most primitive denial of service attack.
• Connection flooding simply means exceeding the available bandwidth.
• This could be unintentional (an increase in traffic) or intentional (an attacker floods the network).


• An attacker places so much data on the link that communication cannot take place.
• A more sophisticated attack uses elements of the Internet protocols. In addition to TCP and
UDP there is a third class of protocol, ICMP, i.e. the Internet Control Message Protocol.
• These protocols do not have any associated user applications.
• They are used only for system diagnosis.
  • Ping: Requests a destination to return a reply to show that the destination system is
reachable and functioning.
  • Echo: Requests a destination to echo or return the data sent to it. It is used to show that the
connection link is reliable. Ping is a version of echo.
  • Destination Unreachable: The destination address cannot be accessed.
  • Source Quench: The destination is becoming saturated and the source should suspend sending
packets for a while.

• These protocols are important for network management. But they can be used to attack a
system, and such an attack may be difficult to detect.

Following are the attacks:

i) Echo-Chargen
• Works between two hosts.
• Chargen is a protocol that generates a stream of packets, used to test the network's capacity.
• An attacker sets up a chargen process on host A that generates packets as echo
packets with the destination as host B. Then host A produces a stream of packets to which
B replies by echoing them back to host A.
This puts the infrastructure of A and B into an endless loop.

ii) Ping of Death
• It is a simple attack.
• Ping requires the recipient to respond to the ping request.
• So the attacker needs to send a flood of pings to the intended victim.
• If the attacker is on a 10 MB connection and the path to the victim is 100 MB or more, then the
attacker cannot mathematically flood the victim alone.
• But the attack succeeds if the numbers are reversed.

iii) Smurf
• A variation of a ping attack.
• Also uses a ping packet, but with two extra twists.
• The attacker spoofs the source address in the ping packet so that it appears to come from the victim.
• Then the attacker sends this request to the network in broadcast mode by setting the last byte of the
address to all 1's.
• Everybody in the network pings the victim and the victim saturates.
• Thus the availability of the service on the network is taken away; hence Smurf is an
availability attack.

Fig. 1
iv) SYN Flood (Synchronization Packets)
• It uses the TCP protocol suite and makes the session-oriented nature of these protocols work
against the victim.

Fig. 2
• A session is established using a three-way TCP handshake.
• To initiate a TCP connection, the originator sends a packet with the SYN bit on.
• If the recipient is ready to establish a connection, it replies with both the SYN and ACK bits on.
• The first party then completes the exchange, to demonstrate a clear and complete
communication channel, by sending a packet with the ACK bit on.
• An attacker can cause denial of service to the target by sending many SYN requests and
never responding with ACKs, thereby filling the victim's SYN_RECV queue.

v) Teardrop
• This attack misuses features designed to improve network communication.
• A network IP datagram is a variable-length object. The datagram protocol permits a
single data unit to be fragmented, i.e. broken into pieces and transmitted separately.
This is done in order to support different applications and conditions.
• Each fragment indicates its length and relative position within the data unit.
• In a teardrop attack, the attacker sends a series of datagrams that cannot fit together properly.
• For example: one datagram might say it is at position 0 with length 30 bytes, another at
position 10 with length 120 bytes, and another at position 60 with length 90 bytes.
• These three fragments will overlap and cannot be reassembled properly.
• In an extreme case of this attack, the operating system locks up with these partial data
units that it cannot reassemble, thus causing denial of service.
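An added example, not part of the original solution, showing how a defensive reassembler detects the overlapping fragments from the example above and drops the datagram instead of locking up. The offsets and lengths 0/30, 10/120, 60/90 are the page's values; the payload bytes and the well-formed comparison set are constructed.

```python
# Constructed fragment set from the page's example: (offset, length) pairs that
# overlap and therefore cannot be reassembled into one data unit.
TEARDROP_FRAGMENTS = [(0, 30), (10, 120), (60, 90)]
# Constructed well-formed set: the same sizes laid end to end.
CLEAN_FRAGMENTS = [(0, 30), (30, 120), (150, 90)]


def find_overlaps(fragments):
    """Return every pair of (offset, length) fragments whose byte ranges overlap."""
    frags = sorted(fragments)
    overlaps = []
    for i, (off_a, len_a) in enumerate(frags):
        for off_b, len_b in frags[i + 1:]:
            if off_b < off_a + len_a:      # sorted, so off_b >= off_a already
                overlaps.append(((off_a, len_a), (off_b, len_b)))
    return overlaps


def reassemble(fragments):
    """Reassemble (offset, payload) fragments into one data unit.

    Unlike a naive reassembler that trusts each fragment's claimed position,
    this one refuses overlapping and missing pieces instead of trying to fit them.
    Raises ValueError on overlap or gap; returns the joined payload otherwise.
    """
    out = bytearray()
    expected = 0                       # next byte offset we are prepared to accept
    for offset, payload in sorted(fragments, key=lambda f: f[0]):
        if offset < expected:
            raise ValueError(f"fragment at {offset} overlaps data ending at {expected}")
        if offset > expected:
            raise ValueError(f"gap before offset {offset}: fragment missing")
        out += payload
        expected = offset + len(payload)
    return bytes(out)


def safe_reassemble(fragments):
    """Return None instead of raising, for a receiver that simply drops bad datagrams."""
    try:
        return reassemble(fragments)
    except ValueError:
        return None


def as_payloads(size_pairs):
    """Turn (offset, length) pairs into (offset, constructed payload) fragments."""
    return [(off, bytes([off % 256]) * length) for off, length in size_pairs]


if __name__ == "__main__":
    print(find_overlaps(TEARDROP_FRAGMENTS))
    print(safe_reassemble(as_payloads(TEARDROP_FRAGMENTS)))   # None: dropped
    print(len(safe_reassemble(as_payloads(CLEAN_FRAGMENTS))))  # 240
```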
vi) Traffic Redirection
• A router is a device that forwards traffic on its way through intermediate networks
between a source host's network and a destination's network.
• So if an attacker can corrupt the routing, traffic can be disrupted.
• Routers use complex algorithms to decide how to route traffic.
• Routers essentially seek the best path.
• Suppose a router advertises to its neighbours that it has the best path to every other
address in the whole network.
• Soon all routers will direct all traffic to that one router.
• That router may become flooded or may simply drop much of its traffic.
• A lot of traffic never makes it to the intended destination.

vii) DNS Attacks
• A class of attack based on the concept of the domain name server.
• A domain name server (DNS) is a table that converts domain names like ABC.com into a
network address like This is called resolving domain names.
• By overtaking a name server or causing it to cache false entries, an attacker can
redirect the routing of any traffic, resulting in denial of service.
• This overtaking of a name server is known as DNS cache poisoning.

6. (b) IPSec (IP Security)

• IPSec is somewhat similar to SSL.
• It supports authentication and confidentiality in a way that does not require significant change
in applications or TCP protocols.
• IPSec provides security to IP packets.
• Independent of specific cryptographic protocols, it allows two communicating parties to
agree on a mutually supported set of protocols.

Fig. 1
• TCP → IP Packet

Fig. 2
• IPSec Packet

Fig. 3

• The basis of IPSec is called the Security Association. It is a set of security parameters for a secured
communication channel.
It includes:
  • Encryption algorithm and mode.
  • Encryption key.
  • Encryption parameters, such as the initialization vector.
  • Authentication protocol and key.
  • Lifespan of the association.
  • Address of the opposite end of the association.
  • Sensitivity level of the protected data.
• The fundamental data structures of IPSec are:
ESP : Encapsulated Security Payload.
AH : Authentication Header.

Fig. 4

• ESP replaces (includes) the conventional TCP header and data portion of a packet.
• ESP contains both an encryption portion and an authentication portion.


Fig. 5
• The sequence number is incremented by one for each packet transmitted to the same address
using the same SPI, to preclude packet replay attacks.

Fig. 6

• With a packet we may attach security information in the form of AH or ESP.


Fig. 7
• IP Security Modes
  • Transport Mode
  • Tunnel Mode
• Transport Mode
  • User-to-user communication.
  • Whatever security information is added is checked at the end user.

Fig. 8


• Tunnel Mode
  • IP security provided by the user will be checked at the other end by a networking device or firewall.

Fig. 9
Anti-Replay Window
• The window size is communicated (the sender may ask the receiver to keep a certain window of size
• For e.g., say window size = 12.
This indicates the receiver will receive 12 packets. Packets may arrive out of order. The receiver
marks the window numbers as packets arrive.
Now suppose an attacker copies a particular packet and keeps on sending it (replay attack);
then the receiver will know that packets are being replayed.

• The anti-replay window, as the name suggests, prevents replay of packets.
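The window of size 12 described above, as an added example that is not from the original solution: a receiver-side anti-replay window in Python that accepts out-of-order packets inside the window and rejects duplicates and packets that have fallen behind it. The bitmap-plus-highest-sequence bookkeeping follows the standard ESP anti-replay scheme; the arrival order is constructed.

```python
class AntiReplayWindow:
    """Receiver-side anti-replay check for IPSec sequence numbers.

    Keeps the highest sequence number seen and a bitmap of which of the last
    `size` numbers have already been accepted. Packets may arrive out of order
    inside the window; a duplicate or a packet older than the window is rejected.
    """

    def __init__(self, size=12):
        self.size = size
        self.highest = 0           # highest sequence number accepted so far
        self.seen = 0              # bit k set => packet (highest - k) was received
        self.mask = (1 << size) - 1

    def accept(self, seq):
        """Return True and record seq if it is fresh, False if replayed or too old."""
        if seq <= 0:                       # ESP sequence numbers start at 1
            return False
        if seq > self.highest:             # newer than anything seen: slide the window
            shift = seq - self.highest
            self.seen = ((self.seen << shift) | 1) & self.mask
            self.highest = seq
            return True
        age = self.highest - seq
        if age >= self.size:               # fell off the left edge of the window
            return False
        if self.seen & (1 << age):         # already received: a replay
            return False
        self.seen |= 1 << age              # out of order but new: mark it
        return True


def screen(seqs, size=12):
    """Run a sequence of arrivals through one window; returns the accept decisions."""
    window = AntiReplayWindow(size)
    return [window.accept(s) for s in seqs]


# Constructed arrival order: 4 and 5 are swapped, 3 is replayed, 7 is too old
# after 20 advances the window, 9 is late but still inside, then 9 is replayed.
SAMPLE_ARRIVALS = [1, 2, 3, 5, 4, 3, 20, 7, 9, 9]

if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_ARRIVALS, screen(SAMPLE_ARRIVALS)):
        print(f"seq {seq:3d}: {'accepted' if ok else 'rejected'}")
```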
Advantages of IPSec
• Provides security in a connectionless service.
• The anti-replay window prevents replay attacks. Also, the window can be used to accumulate
messages (packets) and transmit them to the upper layer (TCP) at the receiver end.
IPSec provides:
• Confidentiality (ESP → encryption).
• Authenticity (MAC).
• Integrity (Hash).

• A honeypot is a computer system or a network segment that is loaded with servers, devices
and data.
• A honeypot is open to attackers.
• Its basic purpose is to lure an attacker, so that the attacker attacks it.
• Honeypots can be used for the following reasons:
  • To watch what attackers do (observe in order to learn what new attacks are performed so
that we can strengthen defenses against these new attacks).
  • To lure an attacker to a place in which we may be able to learn enough about the attacker
to identify and stop him.
  • To provide a lucrative but diversionary playground (here the honeypot acts as a diversion so
that the attacker leaves the real system alone).
• Even though we want the attacker to have access, we may use a firewall in a honeypot.
• It is used just for monitoring the system. Monitoring is to be done very carefully so that the
attacker doesn't know that he is being monitored.

• The only problems with setting up a honeypot are:
  • Putting up a believable and attractive false environment.
  • Confining and monitoring the attacker surreptitiously.

7. (b) MD5
• In cryptography, MD5 (Message-Digest algorithm 5) is a widely used cryptographic hash
function with a 128-bit hash value.
• MD5 has been employed in a wide variety of security applications, and is also commonly
used to check the integrity of files.
• However, it has been shown that MD5 is not collision resistant; as such, MD5 is not suitable
for applications like SSL certificates or digital signatures that rely on this property.
• An MD5 hash is typically expressed as a 32-digit hexadecimal number.

Fig. 10 : One MD5 operation. MD5 consists of 64 of these operations, grouped in four rounds of
16 operations. F is a nonlinear function; one function is used in each round. Mi denotes a 32-bit
block of the message input, and Ki denotes a 32-bit constant, different for each operation. <<<s
denotes a left bit rotation by s places; s varies for each operation. ⊞ denotes addition modulo 2^32.

MD5 processes a variable-length message into a fixed-length output of 128 bits.
The input message is broken up into chunks of 512-bit blocks (sixteen 32-bit little-endian
integers); the message is padded so that its length is divisible by 512.

The padding works as follows:

• First a single bit, 1, is appended to the end of the message. This is followed by as many zeros
as are required to bring the length of the message up to 64 bits fewer than a multiple of 512.
The remaining bits are filled up with a 64-bit integer representing the length of the original
message, in bits.
• The main MD5 algorithm operates on a 128-bit state, divided into four 32-bit words, denoted
A, B, C and D. These are initialized to certain fixed constants.
• The main algorithm then operates on each 512-bit message block in turn, each block
modifying the state.

• The processing of a message block consists of four similar stages, termed rounds; each round
is composed of 16 similar operations based on a non-linear function F, modular addition, and
left rotation.

The figure illustrates one operation within a round. There are four possible functions F; a different
one is used in each round:
F (X, Y, Z) = (X ∧ Y) ∨ (¬X ∧ Z)
G (X, Y, Z) = (X ∧ Z) ∨ (Y ∧ ¬Z)
H (X, Y, Z) = X ⊕ Y ⊕ Z
I (X, Y, Z) = Y ⊕ (X ∨ ¬Z)
⊕, ∧, ∨, ¬ denote the XOR, AND, OR and NOT operations respectively.
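An added example, not from the original solution, that carries the description above through in Python: the padding rule, the four round functions F, G, H, I, the 64 operations with their message-word schedule, and the final little-endian digest, cross-checked against hashlib. The per-operation constants Ki are computed from the standard sine-based formula and the rotation amounts s are the standard per-round values, neither of which the page lists.

```python
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF

# K_i = floor(2^32 * |sin(i + 1)|), the standard MD5 constants, computed here rather
# than tabulated; S holds the left-rotation amount s for each of the 64 operations.
K = [int(abs(math.sin(i + 1)) * 2 ** 32) & MASK32 for i in range(64)]
S = [7, 12, 17, 22] * 4 + [5, 9, 14, 20] * 4 + [4, 11, 16, 23] * 4 + [6, 10, 15, 21] * 4


def F(x, y, z): return (x & y) | (~x & z)     # round 1
def G(x, y, z): return (x & z) | (y & ~z)     # round 2
def H(x, y, z): return x ^ y ^ z              # round 3
def I(x, y, z): return y ^ (x | ~z)           # round 4


def rotl(x, s):
    """Left-rotate a 32-bit word by s places (the <<<s box in the figure)."""
    return ((x << s) | (x >> (32 - s))) & MASK32


def md5_pad(message):
    """Append the 1 bit, zeros up to 64 bits short of a 512-bit multiple, then the 64-bit length."""
    bit_len = (len(message) * 8) & 0xFFFFFFFFFFFFFFFF
    padded = message + b"\x80"                          # the single 1 bit, then 7 zeros
    padded += b"\x00" * ((56 - len(padded) % 64) % 64)   # zeros to 56 mod 64 bytes
    return padded + struct.pack("<Q", bit_len)          # original length in bits


def md5(message):
    """Return the 16-byte MD5 digest of `message` (bytes)."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    padded = md5_pad(message)
    for off in range(0, len(padded), 64):
        M = struct.unpack("<16I", padded[off:off + 64])   # sixteen little-endian words
        A, B, C, D = a0, b0, c0, d0
        for i in range(64):
            if i < 16:
                f, g = F(B, C, D), i
            elif i < 32:
                f, g = G(B, C, D), (5 * i + 1) % 16
            elif i < 48:
                f, g = H(B, C, D), (3 * i + 5) % 16
            else:
                f, g = I(B, C, D), (7 * i) % 16
            f = (f + A + K[i] + M[g]) & MASK32            # additions modulo 2^32
            A, D, C, B = D, C, B, (B + rotl(f, S[i])) & MASK32
        # Each block's result is added back into the running state.
        a0, b0, c0, d0 = [(x + y) & MASK32 for x, y in ((a0, A), (b0, B), (c0, C), (d0, D))]
    return struct.pack("<4I", a0, b0, c0, d0)


def md5_hex(message):
    """32-digit hexadecimal form of the digest, as MD5 values are usually written."""
    return md5(message).hex()


def matches_hashlib(message):
    """Cross-check this implementation against the standard library."""
    return md5(message) == hashlib.md5(message).digest()


if __name__ == "__main__":
    for msg in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        print(md5_hex(msg), matches_hashlib(msg))
```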


• RC4 is a stream cipher designed in 1987 by Ron Rivest for RSA Security.
• It is a variable key-size stream cipher with byte-oriented operations.
• The algorithm is based on the use of a random permutation.
• Analysis shows that the period of the cipher is overwhelmingly likely to be greater than 10^100.
• Eight to sixteen machine operations are required per output byte, and the cipher can be
expected to run very quickly in software.


• RC4 is used in the SSL/TLS (Secure Sockets Layer/Transport Layer Security) standards that
have been defined for communication between Web browsers and servers. It is also used in
the WEP (Wired Equivalent Privacy) protocol and the newer WiFi Protected Access (WPA)
protocol that are part of the IEEE 802.11 wireless LAN standard. RC4 was kept as a trade
secret by RSA Security.
• A variable-length key of 1 to 256 bytes (8 to 2048 bits) is used to initialize a 256-byte
state vector S, with elements S[0], S[1], ..., S[255].
• At all times, S contains a permutation of all 8-bit numbers from 0 through 255.
• For encryption and decryption, a byte k is generated from S by selecting one of the 255
entries in a systematic fashion.
• As each value of k is generated, the entries in S are once again permuted.

Initialization of S
• To begin, the entries of S are set equal to the values from 0 through 255 in ascending order;
that is, S[0] = 0, S[1] = 1, ..., S[255] = 255.

• A temporary vector, T, is also created. If the length of the key K is 256 bytes, then K is
transferred to T. Otherwise, for a key of length keylen bytes, the first keylen elements of T
are copied from K and then K is repeated as many times as necessary to fill out T.

Figure illustrates the RC4 logic.


Fig. 1 : RC4

These preliminary operations can be summarized as follows:

/* Initialization */
for i = 0 to 255 do
    S[i] = i;
    T[i] = K[i mod keylen];


Next we use T to produce the initial permutation of S. This involves starting with S[0] and going
through to S[255], and, for each S[i], swapping S[i] with another byte in S according to a scheme
dictated by T[i]:
/* Initial Permutation of S */
j = 0;
for i = 0 to 255 do
    j = (j + S[i] + T[i]) mod 256;
    Swap (S[i], S[j]);

Because the only operation on S is a swap, the only effect is a permutation. S still contains all the
numbers from 0 through 255.
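The initialization and initial permutation above, carried through in Python as an added example that is not from the original solution. The keystream-generation step, which the page does not show, follows the standard RC4 algorithm; the key/plaintext pairs used in the demo are widely published RC4 test vectors, not data from the page.

```python
def rc4_ksa(key):
    """Key scheduling: build S and T as on the page, then permute S using T."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1 to 256 bytes")
    keylen = len(key)
    S = list(range(256))                        # S[i] = i
    T = [key[i % keylen] for i in range(256)]   # key repeated to fill 256 bytes
    j = 0
    for i in range(256):                        # initial permutation of S
        j = (j + S[i] + T[i]) % 256
        S[i], S[j] = S[j], S[i]                 # swaps only, so S stays a permutation
    return S


def rc4_keystream(S):
    """Yield keystream bytes k from S, re-permuting S after each one (standard PRGA)."""
    S = list(S)
    i = j = 0
    while True:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) % 256]


def rc4_crypt(key, data):
    """XOR data with the keystream; the same call encrypts and decrypts.

    The keystream depends only on the key, so a key must never be reused for a
    second message: two ciphertexts under one key XOR to the XOR of the plaintexts.
    """
    stream = rc4_keystream(rc4_ksa(key))
    return bytes(b ^ next(stream) for b in data)


def is_permutation(S):
    """Check the invariant the page states: S holds each of 0..255 exactly once."""
    return sorted(S) == list(range(256))


if __name__ == "__main__":
    ct = rc4_crypt(b"Key", b"Plaintext")   # published test vector
    print(ct.hex())                        # bbf316e8d940af0ad3
    print(rc4_crypt(b"Key", ct))           # b'Plaintext'
    print(is_permutation(rc4_ksa(b"Key")))
```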

7. (d) CAPTCHA

The Turing test was proposed by computing pioneer Alan Turing in 1950. The test has a human ask
questions to one other human and one computer. The questioner, who can’t see either respondent,
must try to determine which respondent is the human and which is the computer. If the human
questioner can’t solve this puzzle, the computer passes the Turing test. This test is the “gold
standard” in artificial intelligence, and no computer has yet come close to passing the Turing test.
A “completely automated public Turing test to tell computers and humans apart,” or CAPTCHA, is
a test that a human can pass, but a computer can’t pass with a probability better than guessing. This
could be considered an inverse Turing test. The assumptions here are that the test is generated by a
computer program and graded by a computer program, yet no computer can pass the test, even if
that computer has access to the source code used to generate the test. In other words, a “CAPTCHA
is a program that can generate and grade tests that it itself cannot pass, much like some professors”.
It seems paradoxical that a computer can create and score a test that it cannot pass.

Since CAPTCHAs are designed to restrict access to resources to humans, a CAPTCHA can be
viewed as a form of access control. The original motivation for CAPTCHAs was an online poll that
asked users to vote for the best computer science graduate program. It quickly became obvious that
automated responses from MIT and Carnegie-Mellon were skewing the results. So researchers
developed the idea of a CAPTCHA to prevent automated “bots” from voting. Today, CAPTCHAs
are used by free e-mail services, such as Yahoo, to prevent spammers from automatically signing up
for large numbers of e-mail accounts.

The requirements for a CAPTCHA are that it must be easy for most humans to pass and that it
must be difficult or impossible for machines to pass, even if the machine has access to the
CAPTCHA software. From the attacker’s perspective, the only unknown is some randomness that
is used to generate the specific CAPTCHA. It is also desirable to have different types of
CAPTCHAs in case some person cannot pass one particular type. For example, blind individuals
can’t pass a visual CAPTCHA.

Fig. 1 : CAPTCHA (Courtesy of Luis von Ahn)

For the example in figure 1, Trudy would know the set of possible words that could appear and
she would know the general format of the image. The only unknown is a random number that is
used to select the overlapping words and to distort the resulting images.


There are several types of visual CAPTCHAs of which figure 1 is one example. There are also
audio CAPTCHAs in which the audio is distorted in some way. The human ear is very good at
removing such distortion, while automated methods are relatively easy to confuse. Currently,
there are no text-based CAPTCHAs.


At its most fundamental level, DRM is an attempt to provide “remote control” over digital
content. We would like to distribute digital content, but we want to retain some control (remote
control) over its use after it has been delivered.

Suppose Trudy wants to sell her new book, For the Hack of It, in digital form online. Since there
is a huge potential market on the Internet, Trudy can keep all of the profits, and she won’t need
to pay any shipping, this seems like an ideal solution. However, after a few moments of reflection
Trudy realizes that there is a serious problem. What happens if, say, Alice buys Trudy’s digital
book and then redistributes it for free online?

The fundamental problem is that it’s trivial to make a perfect copy of digital content and almost
as easy to redistribute it to virtually anyone. This is a dramatic change from the pre-digital era,
when copying a book was costly, and redistributing it was relatively difficult.

Persistent protection is the buzzword for the required level of DRM protection. That is, we must
protect the digital content so that the protection stays with the content after it’s delivered.
Examples of the kinds of persistent protection restrictions that we might want to enforce on a
digital book include the following :
• No copying
• Read once
• Do not open until Christmas
• No forwarding
among many other possibilities.
What can be done to enforce persistent protection? One option is to rely on the honor system,
whereby we do not actually force users to obey the rules but instead simply expect that they will,
since most people are good, honest, decent, and trustworthy.

Another DRM option is to simply give up on enforcing DRM on an open platform such as a PC.
In the previous section, we saw that SRE attacks render software on a PC highly vulnerable. This
implies that, if we try to enforce persistent protection through software in a PC, we are likely
doomed to failure.

However, the lure of Internet sales has created a strong interest in DRM, even if it can’t be made
perfectly robust.

If we decide that it’s worthwhile to attempt DRM on a PC, one option is to build a weak
software-based DRM. Several of these types of systems have been deployed, and most are
extremely weak. For example, such a DRM system for protecting digital documents might be
defeated by a user who is knowledgeable enough to operate a screen capture program.

A reasonably high level of DRM protection can be achieved. Closed systems, such as game systems,
are very good at enforcing restrictions similar to the persistent protection requirements mentioned
above. Currently, there is work underway to include closed system features in future PCs.

In much of the hype surrounding DRM today, it is claimed, or at least strongly implied, that
cryptography is the solution to the DRM problem. That this is not the case can easily be seen by
considering the generic black box crypto diagram in figure 1, which illustrates a symmetric key

Fig. 1 : Cryptography and DRM

In the standard crypto scenario, the attacker Trudy has access to the ciphertext and perhaps some
plaintext and some side-channel information. In the DRM scenario, we are trying to enforce
persistent protection on a remote computer. What’s more, the legitimate recipient is a potential


Suppose Trudy is the legitimate recipient of a DRM-protected document. Then Trudy has access
to everything within the dashed box in figure 10. In particular, Trudy has access to the key. We
certainly can’t expect crypto to solve the persistent protection problem if we give the attacker the

With DRM it’s necessary to use encryption so that the data can be securely delivered, and so that
Trudy can’t trivially remove the persistent protection. But if Trudy is clever, she won’t try to attack
the crypto directly. Instead, she will try to find the key, which is hidden somewhere in the software.
One of the fundamental problems in DRM can be reduced to the problem of playing “hide and seek”
with a key in software.

Software-based DRM systems are forced to rely on security by obscurity; that is, the security
resides in the fact that Trudy doesn’t completely understand, for example, how and where the key
is hidden. Security by obscurity is generally considered a derogatory term in the security field,
since once the obscurity is gone, so is the security. However, in software-based DRM, there does
not appear to be any other viable option.

Software obfuscation and the other techniques discussed in the previous section are also examples
of security by obscurity. It’s always preferable not to rely on security by obscurity, but, when
there is no other option, then we need to consider whether we can derive any useful measure of
security from some clever application of obscurity.

There is a fundamental limit on the effectiveness of any DRM system, since the so-called analog
hole is present in any DRM system. That is, when the content is rendered, it can be captured in
analog form. For example, when digital music is played, it can be recorded using a microphone,
regardless of the strength of the DRM protection. Similarly, a digital book can be captured in
unprotected form using a digital camera to photograph the pages displayed on a computer screen.

No DRM system can prevent such attacks.

Another interesting feature of DRM is the degree to which human nature matters. For software-
based systems, it’s clear that absolute DRM security is impossible. So the challenge is to develop
something that works in practice.

