Lab 8

Submitted By jnrferg
Jack Ferguson

12 May 14

Lab #8

In cryptography, encryption is the process of encoding messages so that eavesdroppers or hackers cannot read them, but authorized parties can. In an encryption scheme, the message or information (referred to as plaintext) is encrypted using an encryption algorithm, turning it into unreadable ciphertext. This is usually done with an encryption key, which specifies how the message is to be encoded. Any adversary that can see the ciphertext should not be able to determine anything about the original message. An authorized party, however, is able to decode the ciphertext using a decryption algorithm that usually requires a secret decryption key to which adversaries do not have access. For technical reasons, an encryption scheme usually needs a key-generation algorithm to randomly produce keys.

There are two basic types of encryption schemes: symmetric-key and public-key encryption. In symmetric-key schemes, the encryption and decryption keys are the same, so the communicating parties must agree on a secret key before they communicate. In public-key schemes, the encryption key is published for anyone to use to encrypt messages, but only the receiving party has access to the decryption key and is capable of reading the encrypted messages. Public-key encryption is a relatively recent invention: historically, all encryption schemes have been symmetric-key (also called private-key) schemes.

Data privacy, the ability to control the information one reveals about oneself over the Internet and who can access that information, has become a growing concern. These concerns include whether email can be stored or read by third parties without consent, and whether third parties can continue to track the web sites someone has visited. Another concern is whether the web sites that are visited collect, store, and possibly share personally identifiable information about users.

Data security concerns data in its raw form: information stored as columns and rows in our databases, network servers and personal computers. This may be a wide range of information, from personal files and intellectual property to market analytics and details intended to be top secret. Data could be anything of interest that can be read or otherwise interpreted in human form.

Symmetric Encryption

Symmetric encryption is the oldest and best-known technique. A secret key, which can be a number, a word, or just a string of random letters, is applied to the text of a message to change the content in a particular way. This might be as simple as shifting each letter by a number of places in the alphabet. As long as both sender and recipient know the secret key, they can encrypt and decrypt all messages that use this key.
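The letter-shifting scheme mentioned above, written out as an added example (this code is not part of the original essay): one secret integer key is applied to encrypt, and the same key, applied in reverse, decrypts. The sample message is constructed.

```python
"""Symmetric encryption with a shift (Caesar) cipher.

Added example, not from the original essay. The same secret key is used on
both ends: encryption shifts each letter forward by `key` places, decryption
shifts it back. Non-letters pass through unchanged so the message keeps its
spacing and punctuation.
"""
import string

ALPHABET = string.ascii_uppercase  # 26 letters; shifts wrap around modulo 26


def shift_encrypt(plaintext: str, key: int) -> str:
    """Shift every ASCII letter forward by `key` places, preserving case."""
    out = []
    for ch in plaintext:
        upper = ch.upper()
        if upper in ALPHABET:
            shifted = ALPHABET[(ALPHABET.index(upper) + key) % 26]
            out.append(shifted if ch.isupper() else shifted.lower())
        else:
            out.append(ch)  # spaces, digits and punctuation are left as-is
    return "".join(out)


def shift_decrypt(ciphertext: str, key: int) -> str:
    """Decryption is the same operation with the key negated: the scheme is symmetric."""
    return shift_encrypt(ciphertext, -key)


SAMPLE_MESSAGE = "Meet at noon."  # constructed sample plaintext

if __name__ == "__main__":
    key = 3
    ciphertext = shift_encrypt(SAMPLE_MESSAGE, key)
    print(ciphertext)                        # Phhw dw qrrq.
    print(shift_decrypt(ciphertext, key))    # Meet at noon.
```

Because both parties hold the same key, whoever learns it can read every message; with only 26 possible keys this particular cipher also has a key space small enough to try exhaustively, which is why it illustrates the idea of symmetric encryption rather than providing real protection.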

Asymmetric Encryption

The problem with secret keys is exchanging them over the Internet or a large network while preventing them from falling into the wrong hands. Anyone who knows the secret key can decrypt the message. One answer is asymmetric encryption, in which there are two related keys--a key pair. A public key is made freely available to anyone who might want to send you a message. A second, private key is kept secret, so that only you know it.

Any message (text, binary files, or documents) that is encrypted by using the public key can only be decrypted by applying the same algorithm, but by using the matching private key. Any message that is encrypted by using the private key can only be decrypted by using the matching public key.

This means that you do not have to worry about passing public keys over the Internet (the keys are supposed to be public). A problem with asymmetric encryption, however, is that it is slower than symmetric encryption. It requires far more processing power to both encrypt and decrypt the content of the message.

The NSRL is a collection of hashes of "known" software. If you find a random file on your system and are not sure if it is part of some software you installed, enter the hash here and see if we find it. The NSRL database may contain software that is considered "bad" in some environments. For example, games and steganography software are included, as well as security software like Nessus and Nmap that is sometimes classified as a "hacking tool". Which software is appropriate for a given environment is a matter of policy.

To use asymmetric encryption, there must be a way for people to discover other public keys. The typical technique is to use digital certificates (also known simply as certificates). A certificate is a package of information that identifies a user or a server, and contains information such as the organization name, the organization that issued the certificate, the user's e-mail address and country, and the user's public key.

When a server and client require a secure encrypted communication, they send a query over the network to the other party, which sends back a copy of the certificate. The other party's public key can be extracted from the certificate. A certificate can also be used to uniquely identify the holder.

In cryptography, a web of trust is a concept used in PGP, GnuPG, and other OpenPGP-compatible systems to establish the authenticity of the binding between a public key and its owner. Its decentralized trust model is an alternative to the centralized trust model of a public key infrastructure (PKI), which relies exclusively on a certificate authority (or a hierarchy of such). As with computer networks, there are many independent webs of trust, and any user (through their identity certificate) can be a part of, and a link between, multiple webs.

Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them. Conversely, single sign-off is the property whereby a single action of signing out terminates access to multiple software systems.

Simple Public-Key Infrastructure

Another alternative, which does not deal with public authentication of public-key information, is the simple public-key infrastructure (SPKI) that grew out of three independent efforts to overcome the complexities of X.509 and PGP's web of trust. SPKI does not associate users with persons, since the key is what is trusted, rather than the person. SPKI does not use any notion of trust, as the verifier is also the issuer. This is called an "authorization loop" in SPKI terminology, where authorization is integral to its design.

The virtual private network (VPN) is increasingly becoming an invaluable part of every business network. With broadband available in more and more places, small- and medium-size businesses are taking advantage of VPN technology and leveraging the investment they've made in their internal private networks, expanding services available to customers, partners, and staff. This article focuses on VPN tunneling. Because it is also necessary to understand the basic principles of data encryption, this article will also summarize the set of technologies that form a Public Key Infrastructure (PKI). We will see how to ensure privacy in a virtual private network.

OpenSSL

OpenSSL is primarily a library of cryptographic functions that provides an extensive crypto API to programmers. However, it also includes a shell tool that exposes that API to users and batch scripts. Start the shell by typing openssl at the command line. From there, you can type commands at the OpenSSL> prompt.

Digital Certificates for IPsec VPNs

Pre-shared keys and digital certificates are the two primary authentication methods in IKE that can be used in the context of IPsec VPN deployments. You also saw that pre-shared keys with IKE Main Mode cannot be used for remote access scenarios in which the responder does not know the source IP address of the initiator in advance. Although Aggressive Mode can alleviate this issue, Aggressive Mode does not offer any form of ID protection, so such a solution may not be acceptable. You also saw that XAUTH provides an additional level of authentication for Aggressive Mode with pre-shared keys. Another solution for such a scenario is the use of digital certificates instead of pre-shared keys.

Federal Public Key Infrastructure Policy Authority

The Federal Public Key Infrastructure Policy Authority (FPKIPA), an interagency body established under the CIO Council, determines that the appropriate levels of assurance are satisfied by the policies supported in the PKI domain and that the PKI domain fulfills its responsibilities under these policies. It enforces digital certificate standards for trusted identity authentication across and between federal agencies and non-federal organizations. The policies of the FPKIPA help to create an environment in which different organizations can trust each other's PKI credentials.
Current NIST research and standardization for BCAs is focused on developing test suites for X.509 certification path building and validation to provide a sanity check for performance and scalability measures.

PKI Policy Bodies and Other Authentication Frameworks

This section presents a number of large-scale infrastructure initiatives, typically deployed by government or by vertical industry groups for the benefit of defined user groups, in order to provide technology and legal support for secure e-business programs.
