1. Use RFC 4949 and discuss how the RFC distinguishes between confidentiality and privacy. In the context of network security, confidentiality is a technical term. Then discuss “confidentiality services and mechanisms” as specified by Recommendation X.800.
RFC (“Request for Comments”) documents are among the principal documents that set out how the Internet works. They are published by the IETF and describe protocols, methods, research results and definitions relating to the functioning of the Internet. RFC 4949, the Internet Security Glossary (Version 2), is one of the longest RFCs; it revises and obsoletes the earlier RFC 2828 Security Glossary. This document contains precise definitions of both privacy and confidentiality.
Privacy is defined by this document in two ways. First, privacy is “the right of an entity (normally a person), acting in its own behalf, to determine the degree to which it will interact with its environment, including the degree to which the entity is willing to share its personal information with others” (RFC 4949, 2007). Secondly, privacy can also be understood as the right of an individual to control or influence what information related to that individual may be collected and stored, by whom it may be collected and stored, and to whom it may be disclosed (RFC 4949, 2007).
RFC 4949 likewise defines data confidentiality in two ways: first, as the property that data is not disclosed to system entities unless they have been authorized to know it (RFC 4949, 2007); alternatively, as the property that “information is not made available or disclosed to unauthorized individuals, entities, or processes (i.e., to any unauthorized system entity)” (RFC 4949, 2007). Thus one major difference between confidentiality and privacy, according to RFC 4949, is that privacy is a right of an entity (normally a person), whereas confidentiality is a property of information or of the system that holds it. In network security, confidentiality is the technical term for the service that keeps data from unauthorized disclosure; privacy is a broader right that confidentiality mechanisms help to implement but do not by themselves guarantee, since a system can keep data confidential from outsiders while its authorized operators still use that data in ways the data subject never agreed to.
Recommendation X.800 (ITU-T, formerly CCITT) defines the security architecture for OSI: a systematic description of security services and of the mechanisms that implement them. Data confidentiality is defined there as the protection of data from unauthorized disclosure, and four confidentiality services are identified (CCITT, 1991): connection confidentiality (protection of all user data on a connection), connectionless confidentiality (protection of a single block of data), selective field confidentiality (protection of selected fields within the user data of a connection or a single block) and traffic-flow confidentiality (protection of the information that could be derived from observing the pattern of traffic). The mechanisms X.800 assigns to these services are encipherment (for all four), routing control (for all but selective field confidentiality) and traffic padding (for traffic-flow confidentiality), because encryption alone hides the content of messages but not their number, size, timing or endpoints.
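Traffic padding is the one confidentiality mechanism in the list that is easy to get wrong, so here is an added example (not part of the original answer and not code from X.800 or any product) of what it has to achieve: a length-prefixed message padded with random bytes up to a fixed bucket size, so that after encipherment an eavesdropper learns only the bucket and not the exact length. The bucket size of 256 bytes and the sample replies are constructed for the example; in practice the padded buffer is then encrypted, which this block does not do.

```python
import os
import struct

BUCKET = 256  # constructed bucket size for this example (bytes)


def pad_to_bucket(plaintext: bytes, bucket: int = BUCKET) -> bytes:
    """Length-prefix plaintext and pad it with random bytes up to a multiple
    of `bucket`.  After encipherment a passive observer sees only which
    bucket the message fell into, not its exact length."""
    if len(plaintext) > 0xFFFF:
        raise ValueError("message too long for a 2-byte length prefix")
    body = struct.pack(">H", len(plaintext)) + plaintext
    padded_len = -(-len(body) // bucket) * bucket  # round up to bucket multiple
    return body + os.urandom(padded_len - len(body))


def unpad(padded: bytes) -> bytes:
    """Recover the original message from a padded buffer; the length prefix
    makes this unambiguous even though the padding bytes are random."""
    if len(padded) < 2:
        raise ValueError("buffer too short")
    (length,) = struct.unpack(">H", padded[:2])
    if 2 + length > len(padded):
        raise ValueError("length prefix exceeds buffer")
    return padded[2:2 + length]


def observed_lengths(messages, padded: bool) -> list:
    """What an eavesdropper can measure on the wire with and without padding."""
    return [len(pad_to_bucket(m)) if padded else len(m) for m in messages]


if __name__ == "__main__":
    # Constructed example: a one-word reply whose length alone reveals the answer.
    replies = [b"yes", b"no"]
    print("unpadded lengths:", observed_lengths(replies, padded=False))  # [3, 2]
    print("padded lengths:  ", observed_lengths(replies, padded=True))   # [256, 256]
```

The bucket approach trades bandwidth for secrecy: a 255-byte message costs two buckets because of the 2-byte prefix, and any message that is longer than one bucket still leaks its approximate size, so the bucket must be chosen from the real distribution of message lengths.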
2. Explain the distinction between the concepts of “integrity” and “authentication” as used in network security services. Given that the X.800 and RFC 2828 / RFC 4949 definitions are accepted as correct (which they are): what is the source of the common misuse or confusion when the terms “integrity” and “authentication” are used?
According to RFC 4949, data integrity is “the property that data has not been changed, destroyed, or lost in an unauthorized or accidental manner” (RFC 4949, 2007). The glossary adds that the term deals with the constancy of, and confidence in, the data values themselves, not with the trustworthiness of the source of those values; the source is the concern of a different service, data origin authentication. Authentication is defined in RFC 4949 as “the process of verifying a claim that a system entity or system resource has a certain attribute value” (RFC 4949, 2007). The most common type of authentication is verification of a user's claimed identity; however, the term applies to any attribute, not only the identity of a user.
In everyday language both “having integrity” and “authenticated” are understood as “trustworthy”, which is why the terms get confused. In the technical sense, integrity is a property of data (it has not been altered), while authentication is a process of verifying a claimed attribute, most often an identity. A second source of confusion is that the mechanisms overlap: a message authentication code or a digital signature protects integrity and at the same time authenticates the origin of the data, so a single mechanism delivers both services and people speak of them interchangeably. An unkeyed checksum, by contrast, protects integrity against accidental change but authenticates nothing, because anyone can recompute it after modifying the data.
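To make the overlap concrete, here is an added example (not part of the original answer, and not code from any of the cited documents) that puts an unkeyed SHA-256 checksum beside an HMAC-SHA256 tag. Both detect an accidental bit flip in transit; only the keyed tag resists an active attacker who rewrites the message and recomputes the tag, because producing a valid tag now also proves possession of the key, which is what turns an integrity check into data origin authentication. The message and the demo key are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed demo key shared by the legitimate sender and receiver.
DEMO_KEY = secrets.token_bytes(32)


def checksum(data: bytes) -> str:
    """Unkeyed digest: anyone, including an attacker, can compute it."""
    return hashlib.sha256(data).hexdigest()


def mac(key: bytes, data: bytes) -> str:
    """Keyed digest (HMAC-SHA256).  A valid tag shows the data is unchanged AND
    that it was tagged by someone holding `key`: integrity plus origin."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_accepts(data: bytes, tag: str, key: bytes = None) -> bool:
    """Receiver recomputes the expected tag and compares in constant time."""
    expected = checksum(data) if key is None else mac(key, data)
    return hmac.compare_digest(tag, expected)


def flip_bit(data: bytes, index: int = 0) -> bytes:
    """Simulate accidental corruption in transit."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def accidental_corruption_detected(key: bytes = None) -> bool:
    """Both schemes catch a transmission error: this is the integrity property."""
    msg = b"transfer 100 to alice"
    tag = checksum(msg) if key is None else mac(key, msg)
    return not receiver_accepts(flip_bit(msg), tag, key)


def forgery_accepted(key: bytes = None) -> bool:
    """An active attacker replaces the message and recomputes the tag.
    With an unkeyed checksum the forgery passes; with HMAC the attacker
    does not hold the real key and cannot produce a matching tag."""
    forged = b"transfer 100 to mallory"
    if key is None:
        forged_tag = checksum(forged)                      # anyone can do this
    else:
        forged_tag = mac(secrets.token_bytes(32), forged)  # attacker's own key, not DEMO_KEY
    return receiver_accepts(forged, forged_tag, key)


if __name__ == "__main__":
    print("checksum detects corruption:", accidental_corruption_detected())
    print("hmac detects corruption:    ", accidental_corruption_detected(DEMO_KEY))
    print("checksum accepts forgery:   ", forgery_accepted())
    print("hmac accepts forgery:       ", forgery_accepted(DEMO_KEY))
```

Note what the HMAC does not do: it cannot tell the receiver which of the key holders produced the tag, nor prove it to a third party; that stronger property needs a digital signature and is the basis of non-repudiation rather than authentication.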
3. Classify each of the five attacks below as active or passive. For each, identify the X.800 Category of Security Service that aims to provide protection.
Each entry gives the attack (with its X.800 category), its type, and the X.800 category of security service that protects against it.
1. An unauthorized user reads a file containing information that required protection from disclosure (release of message contents). Type: passive. Service: data confidentiality.
2. The content of a message is maliciously changed between the time it was sent and the time it was received (modification of messages). Type: active. Service: data integrity.
3. A message is sent by one party falsely claiming the identity of another party (masquerade). Type: active. Service: authentication (peer entity authentication when the false claim concerns the other end of a connection, data origin authentication when it concerns the source of a single message), supported by access control, since a successful masquerade is usually a step towards using resources the attacker is not authorized for.
4. A legitimate message is delayed with malicious intent (a form of denial of service by way of unauthorized use of system resources; recall that any violation of a security policy is an attack). Type: active. Service: availability; note that X.800 treats availability as a property to be associated with the other services rather than as a separate service category, and of the listed categories access control is the one that restricts unauthorized use of resources.
5. A message sender falsely denies having sent the message (repudiation). Type: active. Service: non-repudiation (non-repudiation with proof of origin).
4. What are the major differences between network security and web security?
In general, it is reasonable to use the definition of “security” provided in RFC 4949: “a system condition in which system resources are free from unauthorized access and from unauthorized or accidental change, destruction, or loss” (RFC 4949, 2007). The same definition applies to network security. Web security, however, is a narrower term that relates to a specific class of applications: “client/server applications running on the Internet and TCP/IP intranets” (Stallings, 2007). While network security covers all types of network connections and interactions, web security covers only that class of applications. It therefore inherits the transport-level concerns of network security (protecting the connection between browser and server) and adds concerns particular to web applications: the behaviour of browsers and web servers, the content they exchange, and the way user input is handled by the server.
5. To submit user input to an e-commerce server, between HTTP GET and HTTP POST, which is more secure? Why?
With HTTP GET, form fields are appended to the URL as a query string: everything after the “?” is interpreted as key-value pairs, which the server application reads to build the response dynamically. Because the data travels in the URL, it appears in the browser's address bar and history, in bookmarks, in the Referer header sent to any third-party resource or link on the next page, and in the access logs of the server and of any intermediate proxies. A GET request is also meant to be safe and repeatable, so browsers, caches and crawlers may reissue it, and a state-changing GET can be triggered by a simple link or image tag placed in another page.
With HTTP POST, the data is carried in the request body rather than in the URL, so it is not recorded in any of those places. Two caveats matter. First, POST data is just as easy for the user (or for an attacker using a proxy or a tool such as curl) to inspect and modify as GET data: the client always controls what it sends, so the server must validate the input and check authorization regardless of method. Second, neither method protects the data on the wire; that requires HTTPS. POST is nevertheless the more secure choice for submitting user input, and should be used for every transaction that changes data on the server. Thus, for submitting user input to an e-commerce server, HTTP POST should be used.
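The leakage into server logs is the part of this argument that can be checked on a real system, so here is an added example (not part of the original answer) that audits access-log lines for sensitive form fields submitted via GET and shows how a log writer should redact such requests. The log lines, the list of sensitive field names and the card number are all constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Field names that must never travel in a URL (constructed list for this example).
SENSITIVE = {"card", "cvv", "password", "token"}

# Constructed access-log lines in the common log format.  The client at 10.0.0.5
# submitted the checkout form with GET, so its card data is now persisted on disk.
ACCESS_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /checkout?card=4111111111111111&cvv=123&amount=20 HTTP/1.1" 200 512',
    '10.0.0.6 - - [12/Mar/2024:10:01:05 +0000] "POST /checkout HTTP/1.1" 200 512',
    '10.0.0.7 - - [12/Mar/2024:10:01:09 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def parse_line(line: str):
    """Return (client ip, method, request target) or None for an unparsable line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("method"), m.group("target")


def leaked_fields(line: str) -> list:
    """Names of sensitive fields present in the query string of one request."""
    parsed = parse_line(line)
    if parsed is None:
        return []
    _, _, target = parsed
    query = parse_qs(urlsplit(target).query)
    return sorted(k for k in query if k in SENSITIVE)


def audit(lines) -> list:
    """(ip, method, leaked field names) for every request that leaked something.
    POST bodies are not in the log at all, so they can never show up here."""
    findings = []
    for line in lines:
        fields = leaked_fields(line)
        if fields:
            ip, method, _ = parse_line(line)
            findings.append((ip, method, fields))
    return findings


def redact_target(target: str) -> str:
    """What a log writer should store instead of the raw target: sensitive values
    replaced before the line is written, so a GET slip-up does not persist."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    cleaned = {k: (["REDACTED"] if k in SENSITIVE else v) for k, v in query.items()}
    return urlunsplit(parts._replace(query=urlencode(cleaned, doseq=True)))


if __name__ == "__main__":
    for ip, method, fields in audit(ACCESS_LOG):
        print(f"{ip} leaked {fields} via {method}")
```

Redaction at the log writer is a mitigation, not a fix: the same URL has already reached the browser history, any proxy on the path and the Referer header of the next request, which is why the form itself must use POST.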
6. How does the web browser sandbox secure your computer against attacking applets?
A sandbox is a restricted execution environment used to isolate running programs, particularly untrusted or unverified ones, from the rest of the system. It controls the resources the guest program may use (CPU time, memory, storage) and by default denies it access to the local file system, to arbitrary network hosts, to other processes and to input devices, so an applet that turns out to be malicious can only affect its own confined space. Web browsers have long combined applets with a sandbox for exactly this reason. Java applets ran under the Java VM's sandbox, enforced by the bytecode verifier, the class loader and the permission checks of the SecurityManager; the Adobe Flash and Silverlight plug-ins applied comparable restrictions to their own active content, with limited, runtime-controlled local storage. These plug-in runtimes are no longer supported by mainstream browsers, which now apply the same idea to all web content by running pages in low-privilege renderer processes confined by the operating system. In every case the protection holds only as long as the sandbox itself has no escape vulnerability, so keeping the browser and any runtime patched is part of the defence.
7. How do the Intrusion Detection Systems protect your server systems?
The purpose of an Intrusion Detection System is to detect suspected intrusions, such as malicious activity or policy violations, and to report them. The two most common detection methods are signature (pattern) matching and statistical anomaly detection. Signature matching recognises attacks whose patterns are already known, so it produces few false alarms but cannot see a new attack for which no signature exists yet. Anomaly detection builds a profile of normal activity and flags deviations from it, so it can catch previously unseen attacks, at the cost of more false alarms, especially until the baseline has been established and tuned.
Combining the two approaches protects server systems better than either alone: signatures give precise alerts on known attacks, anomaly detection gives coverage of the unknown.
Modern firewalls offer some IDS-like functions, but the best approach is to use a firewall and an IDS together to reach the highest level of security. IDSs are also divided into host-based systems, which monitor a single machine's logs, files and processes, and network-based systems, which monitor the traffic on a network segment. In addition to a network-based IDS, it is recommended to install a host-based IDS on servers, since it can see attacks that arrive over encrypted connections or from inside the network, where a network sensor sees only ciphertext or nothing at all.
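The complementary strengths of the two methods are easiest to see on traffic, so here is an added example (not part of the original answer, and not the code of any IDS product) that runs a two-rule signature matcher and a mean-plus-three-sigma per-source request-count anomaly detector over constructed log lines: a traversal attempt that only the signature rule catches, and a catalogue scanner making requests that match no signature and is only caught because its volume departs from the learned baseline. The signatures, the baseline traffic and the line format (ip, method, path) are all constructed for this example.

```python
import re
import statistics
from collections import Counter

# Known-bad patterns (constructed, minimal signature set for this example).
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-union": re.compile(r"union\s+select", re.IGNORECASE),
}

# Constructed training traffic ("ip method path", one line per request) from a
# quiet period with no attacks.  Per-source request counts: 4, 5, 6, 5, 4.
BASELINE = [
    f"10.0.0.{src} GET /products/{n}"
    for src, count in enumerate([4, 5, 6, 5, 4], start=1)
    for n in range(count)
]

# Constructed traffic to analyse: one normal client, one scanner walking the
# catalogue with requests that match no signature, and one traversal attempt.
TRAFFIC = (
    [f"10.0.0.3 GET /products/{n}" for n in range(5)]
    + [f"198.51.100.9 GET /item/{n}" for n in range(30)]
    + ["203.0.113.4 GET /download?file=../../etc/passwd"]
)


def parse(line: str):
    ip, method, path = line.split(" ", 2)
    return ip, method, path


def signature_alerts(lines) -> list:
    """Pattern matching: fires only on attacks we already have a rule for,
    so a single request is enough but a novel technique goes unnoticed."""
    alerts = []
    for line in lines:
        ip, _, path = parse(line)
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                alerts.append((ip, name))
    return alerts


def request_threshold(baseline_lines, sigmas: float = 3.0) -> float:
    """Learn a per-source request-count threshold (mean + k*sigma) from clean
    traffic.  A bad or too-short baseline is the usual source of false alarms."""
    counts = Counter(parse(line)[0] for line in baseline_lines).values()
    return statistics.mean(counts) + sigmas * statistics.pstdev(counts)


def anomaly_alerts(lines, threshold: float) -> list:
    """Statistical anomaly detection: sources whose volume departs from the
    baseline, whatever the content of their requests."""
    counts = Counter(parse(line)[0] for line in lines)
    return sorted(ip for ip, count in counts.items() if count > threshold)


def detect(lines, baseline_lines) -> dict:
    """Run both detectors; each catches what the other misses."""
    return {
        "signature": signature_alerts(lines),
        "anomaly": anomaly_alerts(lines, request_threshold(baseline_lines)),
    }


if __name__ == "__main__":
    print(detect(TRAFFIC, BASELINE))
```

A real deployment would key the anomaly profile on more than request count (error ratio, new URL paths, bytes per response, time of day) and would age the baseline, but the division of labour is the same: signatures for precision on the known, statistics for coverage of the unknown.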
8. What is the session hijacking attack?
Session hijacking is the takeover of a valid user session by an attacker who obtains or controls its session identifier, most often the session cookie that a web application issues after login to authorize subsequent requests (at the transport level the term also covers TCP hijacking, in which the attacker injects segments with the right sequence numbers into an established connection). Session tokens can be compromised by sniffing unencrypted traffic, by client-side attacks such as cross-site scripting that read the cookie from the victim's browser, by man-in-the-middle attacks, and by prediction when tokens are generated from weak or sequential values. A related attack, session fixation, does not steal a token at all: the attacker plants an identifier they already know in the victim's browser and waits for the victim to authenticate under it. The usual defences are to generate identifiers from a cryptographically secure random source, to issue a fresh identifier at login, to send the cookie only over HTTPS with the Secure and HttpOnly attributes, and to expire sessions after a period of inactivity.
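The fixation variant and the rotation defence are worth seeing in code, so here is an added example (not part of the original answer, and not the session code of any framework) of a minimal server-side session store that issues unpredictable identifiers, rotates the identifier at login, and sets the cookie attributes that close the cheap theft paths. The store, the user names and the cookie name are constructed for the example; the functions at the end replay a fixation attempt and a plain token theft against it.

```python
import secrets
import time
from typing import Dict, Optional


class SessionStore:
    """Server-side session table keyed by an unguessable identifier."""

    def __init__(self, ttl_seconds: int = 900):
        self._sessions: Dict[str, dict] = {}
        self._ttl = ttl_seconds

    def _issue(self, user: Optional[str]) -> str:
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG: not predictable
        self._sessions[sid] = {"user": user, "created": time.time()}
        return sid

    def anonymous(self) -> str:
        """Pre-login session (shopping basket and the like)."""
        return self._issue(None)

    def login(self, sid: str, user: str) -> str:
        """Authenticate and ROTATE the identifier.  Whatever id the client arrived
        with, possibly one planted by an attacker, stops being valid, which
        defeats session fixation."""
        self._sessions.pop(sid, None)
        return self._issue(user)

    def user_for(self, sid: str) -> Optional[str]:
        """Resolve a presented identifier; expired or unknown ids yield None."""
        entry = self._sessions.get(sid)
        if entry is None or time.time() - entry["created"] > self._ttl:
            self._sessions.pop(sid, None)
            return None
        return entry["user"]

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def set_cookie_header(sid: str) -> str:
    """Secure keeps the cookie off plaintext HTTP (sniffing), HttpOnly keeps it
    away from page scripts (XSS theft), SameSite=Lax stops most cross-site
    requests from carrying it.  Cookie name 'session' is constructed."""
    return f"session={sid}; Path=/; Secure; HttpOnly; SameSite=Lax"


def fixation_attempt_succeeds(store: SessionStore) -> bool:
    """Attacker obtains a pre-login id, plants it in the victim's browser, waits
    for the victim to log in, then presents the planted id."""
    planted = store.anonymous()
    store.login(planted, "alice")   # victim logs in carrying the planted id
    return store.user_for(planted) == "alice"


def stolen_cookie_works(store: SessionStore) -> bool:
    """Rotation does not help once a live post-login token has been sniffed or
    exfiltrated: the server cannot tell the thief from the user.  That is why
    the cookie attributes and HTTPS matter as much as the store logic."""
    sid = store.login(store.anonymous(), "alice")
    return store.user_for(sid) == "alice"


if __name__ == "__main__":
    store = SessionStore()
    print("fixation succeeds:", fixation_attempt_succeeds(store))  # False
    print("stolen token works:", stolen_cookie_works(store))       # True
    print(set_cookie_header(store.anonymous()))
```

The rotation in `login` is the key line: it is cheap, and it is the only measure in the block that helps against fixation, because fixation never needs the attacker to read a cookie.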