Note 3

sec 3

Uploaded by

1001121

Topic 3

1. Your friend wishes to set up an E-commerce site for her business and she is
worried about security. In particular, she is worried that:

# Customers might not trust her website – a cyber-criminal may have set up a
‘spoof site’
# Customers’ credit card details could be stolen by intercepting traffic on the
Internet.
She has been told that TLS is a possible solution but does not understand what it
means.

What does TLS stand for?

TLS – Transport Layer Security.

2. Explain how TLS helps customers trust that her website is authentic.

The server presents a digital certificate that binds its public key to her
domain name and is signed by a Certificate Authority (CA) that browsers already
trust. The browser checks that the certificate chains up to a trusted CA, that
the name in it matches the domain in the URL, that it is within its validity
period and has not been revoked, and (during the handshake) that the server
actually holds the matching private key. Only then does it show the padlock
and https in the address bar. A spoof site cannot obtain such a certificate for
her domain from a trusted CA, so the browser warns the customer instead.

3. Explain how TLS helps ensure credit card details transmitted to the E-commerce
server cannot be easily stolen. You should discuss the TLS handshake.

TLS Handshake (the RSA key-exchange form used by TLS 1.2 and earlier)
• Browser connects and receives the server's certificate, which carries the
  server's public key.
• Browser verifies the certificate, then generates a random symmetric
  (session) key.
• Browser encrypts the session key with the server's public key and sends it
  to the server; only the holder of the private key can recover it, so an
  attacker intercepting traffic on the Internet learns nothing useful.
• Server decrypts the session key with its private key.
• Both sides then use the session key to encrypt and integrity-protect all
  relevant data exchange, including the credit card details.
Note: TLS 1.3 (and TLS 1.2 with ECDHE cipher suites) no longer encrypts the
session key with the server's public key. The session keys are derived from an
ephemeral Diffie-Hellman exchange and the server proves possession of its
private key by signing the handshake. This gives forward secrecy: a later theft
of the private key does not expose recorded traffic.

4. TLS is a security protocol developed from SSL. Explain what is meant by the
acronym TLS and briefly explain the primary purpose of TLS/SSL.

• TLS = Transport Layer Security.
• TLS is the IETF successor to SSL (Secure Sockets Layer), which Netscape
  developed in the mid-1990s; TLS 1.0 was published in 1999 (RFC 2246).
• Primary purpose: to provide a private, authenticated and integrity-protected
  channel between a browser (client) and a server, so that data cannot be
  read or altered in transit and the client knows which server it is talking
  to.
5. List THREE (3) security services provided by TLS. For each security service,
explain how it works.

• Authentication of the server via a digital certificate: the server presents
  an X.509 certificate signed by a trusted CA and proves during the handshake
  that it holds the matching private key (by decrypting or signing); the
  browser validates the chain, the name and the validity period. (Client
  authentication with a client certificate is optional.)
• Confidentiality via encryption: the handshake establishes shared session
  keys and all application data is encrypted with a symmetric cipher such as
  AES, so an eavesdropper sees only ciphertext.
• Integrity via a keyed message digest: every record carries a Message
  Authentication Code (HMAC) or, in modern cipher suites, an AEAD
  authentication tag computed over the data with a session key. A plain
  (unkeyed) digest would not do, since an attacker could recompute it after
  altering the data. Sequence numbers are included, so a modified or replayed
  record is detected and the connection is aborted.

6. In April 2014, the ‘Heartbleed’ security bug was disclosed. It was a vulnerability in
the implementation of TLS in the OpenSSL Library. It was believed to leave
around half a million secure Internet web servers open to attack.

One of your friends says that this information proves that the ‘Web is broken and
TLS must be redesigned’.

Do you agree with this assessment? Explain your answer

• No. Heartbleed (CVE-2014-0160) was an implementation bug, not a design
  flaw: OpenSSL's handler for the TLS Heartbeat extension did not check the
  claimed payload length against the data actually received, so it copied up
  to 64 KB of the server's memory (which could hold private keys, session
  cookies and passwords) into its reply. The TLS protocol was unchanged and
  other TLS libraries were unaffected.
• It was fixed by patching OpenSSL (1.0.1g), so the Web is not broken.
  Patching alone was not enough, though: because private keys may have been
  read, affected sites had to reissue certificates and revoke the old ones,
  and users were advised to change passwords.

7. Public Key Infrastructure (PKI) is a security architecture that has been introduced
to provide an increased level of confidence for exchanging information. E-
Commerce makes use of Public Key Infrastructure using TLS when customers
make a purchase. State what the acronym TLS stands for and explain how a
browser uses TLS to ensure that an E-commerce server is an authentic website.

• TLS: Transport Layer Security.
• The browser opens an HTTPS connection to the web server (TLS over TCP on
  port 443).
• The web server sends its digital certificate to the browser during the
  handshake.
• The browser checks the validity of the certificate: the signature chains up
  to a Certificate Authority (CA) in the browser's trust store, the name in
  the certificate matches the domain being visited, and the certificate is
  within its validity period and has not been revoked.
• As long as the certificate was issued by a trusted third party (the CA),
  that CA is attesting that the public key belongs to the named domain; the
  server's ability to complete the handshake then proves that it holds the
  matching private key, which a spoof site does not have.
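
The following is an added example, not part of these notes, showing in Go what questions 2, 3, 5 and 7 describe. A client that trusts one certificate performs a full TLS handshake with a server (both run in-process over loopback, which stands in for the Internet path) and then sends a record through the encrypted channel; the same client rejects a spoof certificate for the same name that no trusted CA vouches for, and rejects a trusted certificate that is bound to a different name. The host names shop.example and evil.example, the self-signed certificates standing in for CA-issued ones, the helper names and the sample card payload are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// mustCert self-signs a certificate binding a fresh key to host. Adding it to the client's trust
// pool stands in for "issued by a CA the browser trusts"; a real shop obtains one from a public CA.
func mustCert(host string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // demo helper: no key material means nothing else can run
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		DNSNames:     []string{host}, // the domain this public key is bound to
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // re-parsing DER we just produced cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// connect serves one TLS connection on ln with serverCert while a client that trusts only
// `trusted` and expects serverName handshakes with it and pushes one record through the channel.
func connect(ln net.Listener, serverCert tls.Certificate, trusted *x509.CertPool, serverName string) error {
	go func() {
		raw, err := ln.Accept()
		if err != nil {
			return
		}
		s := tls.Server(raw, &tls.Config{Certificates: []tls.Certificate{serverCert}})
		defer s.Close()
		io.Copy(s, s) // server half of the handshake, then echo each decrypted record back re-encrypted
	}()
	c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: trusted, ServerName: serverName})
	if err != nil {
		return err // handshake aborted: the client rejected the certificate before sending any data
	}
	defer c.Close()
	msg := []byte("card=4111111111111111") // constructed sample payload; only ciphertext crosses the socket
	if _, err := c.Write(msg); err != nil {
		return err
	}
	echo := make([]byte, len(msg))
	if _, err := io.ReadFull(c, echo); err != nil || string(echo) != string(msg) {
		return fmt.Errorf("echo failed: %v", err)
	}
	return nil
}

// failureKind names the browser check that rejected the handshake, or "ok".
func failureKind(err error) string {
	var ua, hn = x509.UnknownAuthorityError{}, x509.HostnameError{}
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "untrusted issuer" // spoof site: no trusted CA vouches for this key
	case errors.As(err, &hn):
		return "name mismatch" // a trusted certificate, but bound to another domain
	}
	return "other: " + err.Error()
}

// run tries three server certificates against a client that trusts the genuine shop's and an unrelated site's.
func run() (map[string]string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0") // loopback stands in for the Internet path
	if err != nil {
		return nil, err
	}
	defer ln.Close()
	genuine, spoof, other := mustCert("shop.example"), mustCert("shop.example"), mustCert("evil.example")
	trusted := x509.NewCertPool() // the "browser's" trust store: the shop and one unrelated site
	trusted.AddCert(genuine.Leaf)
	trusted.AddCert(other.Leaf)
	return map[string]string{
		"genuine":    failureKind(connect(ln, genuine, trusted, "shop.example")),
		"spoof":      failureKind(connect(ln, spoof, trusted, "shop.example")), // attacker's own key, same name
		"wrong-name": failureKind(connect(ln, other, trusted, "shop.example")), // trusted, but for evil.example
	}, nil
}

func main() { fmt.Println(run()) }
```

Running it prints `map[genuine:ok spoof:untrusted issuer wrong-name:name mismatch] <nil>`. Go negotiates TLS 1.3 by default, so the session keys come from an ephemeral Diffie-Hellman exchange rather than from encrypting a session key with the server's public key; the certificate checks, and the fact that the card payload never crosses the socket in clear, are the same either way.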
8. Below is a diagram of the Open Systems Interconnection (OSI) 7-layer model for
open networks. Complete the corresponding diagram to show how the TCP/IP
model is used over the Internet

Ans: (the TCP/IP model collapses the seven OSI layers into four)
• Application layer = OSI Application, Presentation and Session layers (7-5):
  HTTP, SMTP, FTP, DNS
• Transport layer = OSI Transport layer (4): TCP, UDP
• Internet layer = OSI Network layer (3): IP, ICMP
• Network Access (Link) layer = OSI Data Link and Physical layers (2-1):
  Ethernet, Wi-Fi

9. Internet Protocol Security (IPSec) provides security at the Internet Protocol (IP)
layer for other TCP/IP protocols and applications to use. There are four steps for
an IPSec connection. State what the FOUR (4) steps are.

• Agree a set of security protocols: which of AH and ESP to use, in transport
  or tunnel mode (this negotiation is carried out by IKE, the Internet Key
  Exchange).
• Decide on the cryptographic algorithms that both ends support (e.g. AES for
  encryption, HMAC-SHA2 for integrity).
• Exchange the keys, typically through a Diffie-Hellman exchange inside IKE,
  so that the keys themselves never travel across the network.
• Encrypt and/or authenticate the data and send it across the network using
  the accepted protocols, algorithms and keys (the agreed parameters form a
  Security Association, SA).
10. Internet Protocol Security (IPSec) has TWO (2) core protocols. State them both,
giving their full name and acronym.

Authentication Header (AH) and Encapsulating Security Payload (ESP).

11. As part of vulnerability prevention, port scanning can be carried out to ensure
that ports are not left open, and therefore vulnerable to attack. There are many
types of port scanning. Most use TCP, however UDP (User Datagram Protocol)
Scans are also used. Explain how a UDP Scan is carried out.

A UDP datagram is sent to the target port. If an ICMP "port unreachable"
message comes back, the port is closed. If a UDP reply comes back, the port is
open. If nothing comes back, the port is assumed to be open or filtered: a
service may be listening but ignoring the probe, or a firewall may be dropping
the probe or the ICMP reply. Scanners therefore send protocol-specific
payloads for well-known ports and retry before giving a verdict.

12. User Datagram Protocol (UDP) is considered less reliable than TCP Scans. State
TWO (2) reasons why it is considered less reliable.

• UDP scans are slow: many systems rate-limit ICMP "port unreachable"
  messages (Linux to about one per second by default), so a scanner must wait
  and retry, and every silent port costs a full timeout.
• No acknowledgement: a closed port answers only indirectly (via ICMP) and an
  open port need not answer at all, so silence is ambiguous.
• No handshake process is used: TCP's SYN/SYN-ACK/RST gives a definite
  open/closed answer for every port, whereas UDP gives no positive
  confirmation that the datagram was delivered or that the port is open.

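An added example (not from the notes) of the UDP scan from questions 11 and 12, in Go. probe() sends one datagram from a connected UDP socket, so that an ICMP port-unreachable reply is delivered to the socket as ECONNREFUSED, and classify() turns the three possible outcomes into the scanner's verdict. Three loopback listeners are constructed to exercise them: one that answers, one that stays silent, and a port that was bound and released so nothing listens on it. The helper names are assumptions of the example, and the closed-port verdict relies on Linux semantics (the kernel hands the ICMP error to the connected socket).

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"os"
	"syscall"
	"time"
)

// classify turns the outcome of one UDP probe into the scanner's verdict.
func classify(err error) string {
	switch {
	case err == nil:
		return "open" // the service answered our datagram
	case errors.Is(err, syscall.ECONNREFUSED):
		// The target answered with ICMP "port unreachable"; because the socket is
		// connected, the kernel hands that error to our next read.
		return "closed"
	case errors.Is(err, os.ErrDeadlineExceeded):
		// Nothing came back: an open service that ignored the probe, a firewall
		// dropping the probe or the ICMP reply, or an ICMP rate limit.
		return "open|filtered"
	}
	return "error: " + err.Error()
}

// probe sends one datagram to addr (host:port) and waits up to timeout for a reply.
func probe(addr string, payload []byte, timeout time.Duration) string {
	conn, err := net.DialTimeout("udp", addr, timeout) // a connected UDP socket receives ICMP errors
	if err != nil {
		return classify(err)
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(timeout))
	if _, err := conn.Write(payload); err != nil {
		return classify(err)
	}
	_, err = conn.Read(make([]byte, 1500))
	return classify(err)
}

// listen binds a fresh loopback UDP port; with reply set it answers every datagram,
// otherwise it stays silent, like a service that only talks to a well-formed request.
func listen(reply bool) (*net.UDPConn, error) {
	pc, err := net.ListenUDP("udp", &net.UDPAddr{IP: net.IPv4(127, 0, 0, 1)})
	if err != nil {
		return nil, err
	}
	go func() {
		buf := make([]byte, 1500)
		for {
			n, from, err := pc.ReadFromUDP(buf)
			if err != nil {
				return // socket closed
			}
			if reply {
				pc.WriteToUDP(buf[:n], from)
			}
		}
	}()
	return pc, nil
}

// scanDemo probes three constructed targets: a replying service, a silent one,
// and a port that was bound and released, so nothing listens on it any more.
func scanDemo(timeout time.Duration) (map[string]string, error) {
	chatty, err := listen(true)
	if err != nil {
		return nil, err
	}
	defer chatty.Close()
	quiet, err := listen(false)
	if err != nil {
		return nil, err
	}
	defer quiet.Close()
	gone, err := listen(false)
	if err != nil {
		return nil, err
	}
	closedAddr := gone.LocalAddr().String()
	gone.Close()
	payload := []byte{0} // one-byte probe; real scanners send protocol-specific payloads for well-known ports
	return map[string]string{
		"replying service":  probe(chatty.LocalAddr().String(), payload, timeout),
		"silent service":    probe(quiet.LocalAddr().String(), payload, timeout),
		"nothing listening": probe(closedAddr, payload, timeout),
	}, nil
}

func main() { fmt.Println(scanDemo(500 * time.Millisecond)) }
```

The silent listener is the whole reason UDP scanning is slow and ambiguous: the scanner cannot tell it from a dropped packet and must burn the full timeout before reporting open|filtered, while the TCP equivalent would have answered with SYN-ACK or RST at once.
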
13. Produce a diagram to demonstrate how Transport Layer Security (TLS) fits with
other common Internet protocols in a protocol stack. Your table should be
illustrated by showing named protocols.

Ans: (in text form, top to bottom)
Application:  HTTP, FTP, SMTP (HTTPS, FTPS, SMTPS when run over TLS)
Security:     TLS (formerly SSL), which the applications call instead of TCP
Transport:    TCP
Network:      IP
14. Internet Protocol Security (IPSec) provides security at the IP layer for other
TCP/IP protocols and applications to use. One IPSec Core Protocol is the IPSec
Authentication Header (AH). State TWO (2) actions the AH provides.

• AH provides data-origin authentication and integrity: an Integrity Check
  Value (a keyed hash such as HMAC) is computed over the payload and the
  immutable fields of the IP header, so the receiver can verify who sent the
  packet and that it was not altered en route.
• AH provides anti-replay protection through a sequence number that the
  receiver checks against a sliding window.
• AH ensures integrity but not privacy: the payload travels in clear.
  Confidentiality is the job of the other core protocol, Encapsulating
  Security Payload (ESP), which encrypts the payload of the IP datagram and
  can also authenticate it; unlike AH, ESP's integrity check does not cover
  the outer IP header.

15. State what TCP/IP stands for and its core purpose

Transmission Control Protocol/Internet Protocol. It is the suite of protocols
on which the Internet runs: IP addresses hosts and routes packets between
networks, and TCP runs on top of it to give applications a reliable, ordered
byte stream between two hosts, so that programs on different machines can
communicate over the Internet.

16. TLS is the successor to Secure Sockets Layer (SSL), and the SSL terminology
is still widely used. What is an SSL Connection?

• An SSL/TLS connection is a transport (in practice a TCP connection) that
  provides a suitable type of service; connections are peer-to-peer
  relationships between a client and a server.
• Connections are transient, and every connection is associated with exactly
  one session. The session, created by the handshake, holds the negotiated
  cryptographic parameters (cipher suite, master secret), which several
  connections can share so that a returning client avoids a full handshake.

17. Below is a diagram of the OSI 7-layer model for open networks. Complete the
corresponding diagram to show how the TCP/IP model is used over the Internet

Q/NO 8.

18. Internet Protocol Security (IPSec) provides security for other TCP/IP protocols
and applications to use. One IPSec Core Protocol is the IPSec Authentication
Header (AH). State 4 actions the AH provides.

• Provides authentication services at the IP layer, for any protocol carried
  above it.
• Verifies who sent a message (data-origin authentication, via a keyed
  Integrity Check Value).
• Verifies that the data has not been changed en route (connectionless
  integrity, covering the payload and the immutable IP header fields).
• Protects against replay attacks (a sequence number that the receiver checks
  against a sliding window).
19. State the second core IPSec protocol including the full name and acronym and
state TWO (2) ways in which it differs from AH.

Q/NO 14.

20. The web presents us with some security issues that may not be present in other
networks, state FOUR (4) security issues presented when using the web:

• Two-way systems: the server accepts input from anyone on the Internet, not
  only from a trusted internal network.
• Multiple types of communication (pages, forms, uploads, APIs, scripts).
• Importance to business: a compromised site costs reputation and revenue.
• Complex software: web servers, frameworks and browsers are large and easy
  to misconfigure.
• Multiple connections to a server from many simultaneous, anonymous clients.
• Untrained users who cannot recognise a spoof site or an insecure page.

21. The diagram below demonstrates how the common Internet protocols in a
protocol stack work together. State the full name for each protocol.

• HTTP: Hypertext Transfer Protocol
• FTP: File Transfer Protocol
• SMTP: Simple Mail Transfer Protocol
• SSL: Secure Sockets Layer
• TLS: Transport Layer Security
• TCP: Transmission Control Protocol
• IP: Internet Protocol
22. Internet Protocol Security (IPSec) provides security at the IP layer for other
TCP/IP protocols and applications to use. State the FOUR (4) steps involved
when establishing an IPSec connection.

Q/NO 9.

23. The Open Web Application Security Project (OWASP) publishes known
vulnerability classes to help system designers and programmers avoid repeating
past mistakes. Describe any THREE (3) vulnerabilities from the list

• Injection: untrusted input is passed to an interpreter (SQL, OS shell,
  LDAP) as part of a command or query, so an attacker can change what the
  command does, e.g. entering ' OR '1'='1 in a login form. Fix: parameterised
  queries and strict input validation.
• Broken Authentication: weak or badly implemented login and session
  handling (guessable passwords, no rate limiting, session IDs in URLs,
  sessions that never expire) lets attackers take over accounts.
• Broken Access Control: the application does not enforce what an
  authenticated user may do, e.g. changing an ID in the URL to view another
  customer's order, or calling an admin function without an admin role.
• Cross-Site Scripting (XSS): untrusted data is placed into a web page
  without escaping, so the attacker's script runs in other users' browsers
  and can steal session cookies or act as the victim. Fix: context-aware
  output encoding.

24. HTTPS can be encrypted using TWO (2) alternative protocols. State their names.
Which protocol should not be used because of security weaknesses? Explain
those weaknesses.

• SSL (Secure Sockets Layer)
• TLS (Transport Layer Security)
• SSL should not be used. SSL 2.0 has a weak MAC construction and no
  integrity protection for the handshake, so an attacker can force weaker
  ciphers. SSL 3.0 is vulnerable to POODLE (2014), a padding-oracle attack on
  its CBC cipher suites that lets an attacker who can make the browser repeat
  requests decrypt a cookie byte by byte, and both SSL 3.0 and TLS 1.0 are
  affected by BEAST (2011), which exploits predictable CBC initialisation
  vectors. Because an active attacker could force a downgrade to SSL 3.0, all
  SSL versions are now prohibited (RFC 6176 for SSL 2.0, RFC 7568 for SSL
  3.0); sites should use TLS 1.2 or 1.3.

25. State the port numbers for HTTP and HTTPS.

HTTP = 80
HTTPS = 443
