Security and Authentication Week 3 Tutorial + Supplementary Past Exam Questions


1) What is a replay attack?

        It is when an attacker re-uses a valid sequence of data in order to access a particular service.



2) What is the Kerberos system? What security services does it provide?


        • Kerberos is a centralised authentication service designed for use in a distributed environment.


        • It makes use of a trusted third-party authentication service that enables clients and servers to establish authenticated communication. Also, it provides access control.



3) A simple way for a server to authenticate a client is to ask for a password. In Kerberos this form of authentication is not used. Why? How does Kerberos authenticate the server and the clients?


        • The main security weakness is that the password is transmitted. So anybody eavesdropping can get hold of it.


        • A better way is: the client requests from the server a “service granting ticket”. The client sends the request for using the server, and the user’s ID. The server, which knows the user’s password, creates a session key using the user’s password. Using this session key, the server sends the ticket granting a service. The client asks the user for his/her password, generates the session key and recovers the ticket. The password is never transmitted between server and client.
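The exchange described above, as an added example that is not part of the original tutorial. The user store, the `ticket|user|service` format, salting the key derivation with the user ID, and the HMAC-based toy cipher (a stand-in for a real conventional cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

USER_DB = {"alice": "correct horse battery"}   # constructed; server-side password store

def keys_from_password(password, user_id):
    # Both sides derive the same keys locally; salting with the user ID is an assumption.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), user_id.encode(), 50_000, dklen=64)
    return k[:32], k[32:]                      # (encryption key, MAC key)

def _keystream(enc_key, nonce, n):
    # Toy stream cipher: HMAC-SHA256 in counter mode (stand-in for a real cipher).
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(keys, plaintext):
    enc_key, mac_key = keys
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def unseal(keys, blob):
    enc_key, mac_key = keys
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None                            # wrong password or tampered reply
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def server_issue_ticket(user_id, service):
    # The server looks the password up; it never receives it from the client.
    ticket = f"ticket|{user_id}|{service}".encode()
    return seal(keys_from_password(USER_DB[user_id], user_id), ticket)

def client_recover_ticket(user_id, typed_password, reply):
    return unseal(keys_from_password(typed_password, user_id), reply)

def run_exchange(typed_password):
    request = {"user_id": "alice", "service": "fileserver"}   # all the client sends
    reply = server_issue_ticket(**request)
    wire = repr(request).encode() + reply                     # everything an eavesdropper sees
    return client_recover_ticket("alice", typed_password, reply), wire
```

Because the reply is protected only by a password-derived key, its strength is bounded by the strength of the password.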



4) What are the four requirements of Kerberos? What mechanisms are used in the Kerberos system to achieve these requirements?


        • Secure: Provided by the secure steps, mostly achieved by using conventional encryption. (AUTHENTICATION is an alternative answer.)

        • Reliable: Distributed architecture. Uses mirrored system backups.

        • Transparent: Limitation of user interaction to the authentication with the client (password, or other methods).

        • Scalable: Principle of Kerberos realms.

5) What is a public-key certificate? Explain what information a certificate contains.


        It is used to authenticate the public keys of users. A public-key certificate consists of a public key, the user ID of the key owner, and the whole block signed by the trusted third party. It is created and signed by a certificate authority, and is given to the participant. A participant conveys its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority.



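6) Define the X.509 standard. Give three reasons why a certificate should be revoked before it expires. How is an X.509 certificate revoked? (Another way of asking about "revocation": how does the certificate authority (CA) keep validity up to date for all users and avoid invalid keys?)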


        • X.509 defines a framework for the provision of authentication services by the X.500 directory to its users.

        • Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.

        • The X.509 defines alternative authentication protocols based on the use of public-key certificates.





        · User’s Private-Key has been compromised

        · Certification Authority has been compromised

        · User is no longer certified by this Authority





        • Each CA must maintain a certificate revocation list (CRL) consisting of all revoked certificates issued by that CA.

        • The list is signed by the issuer and includes the issuer’s name, the date the list was created, the date the next CRL is scheduled to be issued, and an entry for each revoked certificate. Each entry consists of the serial number of a certificate and revocation date for that certificate.

        • The user could check the CRL each time a certificate is received to determine that the certificate has not been revoked.



        • Draw the X.509 stack and the CRL?
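The CRL check described above, as an added example that is not part of the original tutorial. The dictionary layout, the result strings and the CA name are assumptions; the signature is textbook RSA over SHA-256 with a constructed toy key, standing in for real X.509 signature verification.

```python
import hashlib
from datetime import datetime

# Toy RSA key pair for the CA (constructed; far too small for real use).
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def _digest(crl):
    # Canonical encoding of every field the issuer signs.
    fields = [crl["issuer"], crl["this_update"], crl["next_update"]]
    fields += [f"{serial}@{date}" for serial, date in sorted(crl["revoked"].items())]
    h = hashlib.sha256("|".join(fields).encode()).digest()
    return int.from_bytes(h, "big") % N

def sign_crl(crl):
    crl["signature"] = pow(_digest(crl), D, N)        # CA private key
    return crl

def check_certificate(cert, crl, now):
    """Return 'good', 'revoked', or why the CRL itself cannot be relied on."""
    if crl["issuer"] != cert["issuer"]:
        return "crl-wrong-issuer"
    if pow(crl["signature"], E, N) != _digest(crl):   # CA public key
        return "crl-bad-signature"
    if now >= datetime.fromisoformat(crl["next_update"]):
        return "crl-stale"                            # a newer list should exist
    return "revoked" if cert["serial"] in crl["revoked"] else "good"

def sample_crl():
    # Constructed CRL: issuer name, creation date, next scheduled issue, entries.
    return sign_crl({
        "issuer": "CN=Example CA",
        "this_update": "2024-05-01T00:00:00",
        "next_update": "2024-05-08T00:00:00",
        "revoked": {4097: "2024-04-20", 4242: "2024-04-28"},  # serial -> revocation date
    })
```

The signature covers the dates and every entry, so a list with an entry removed or its next-issue date extended is rejected rather than treated as proof that a certificate is good.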


7) What is IPsec?  Why is it significant?


        • IPSec stands for IP Security, as it protects IP packets.


        • It is vital for providing additional security at the IP layer, and protects packets of all applications including security-ignorant applications


        • It provides: confidentiality, authentication, or both for IP packets.



8) What are the two modes of operations in IPsec? How can they achieve protection against traffic analysis?


        • Tunnel Mode: protects entire packet.


        • Transport Mode: protects payload.  ESP provides protection against traffic analysis.


        * In tunnel mode, ESP provides protection against traffic analysis where the hosts on the internal networks use the Internet for transport of data but do not interact with other Internet-based hosts.


        * In Transport Mode, ESP only protects the payload, hence the IP header will not be hidden (limited protection against traffic analysis).



9) List the services provided by IPSec.


        Access control

        Connectionless integrity

        Data origin authentication

        Rejection of replayed packets

        Confidentiality (encryption)

        Limited traffic flow confidentiality


10) In IPSec, what is the domain of interpretation (DOI)?


        Contains values to relate the different specifications of the protocol 


        Identifiers for encryption and authentication algorithms 


        Operational parameters, key lifetimes, key exchange, etc. 



11) In IPSec, what is the difference between transport mode and tunnel mode? Briefly describe how tunnel mode and transport mode work in IPSec.


        Transport mode: Provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. 

        Tunnel mode: Provides protection to the entire IP packet.




        Transport mode: the payload of the datagram is encrypted (ESP) or authenticated (AH), depending on which protocol is used.

        Tunnel mode: the whole IP packet is encrypted (ESP) or authenticated (AH). This mode can be used to create a virtual private network (VPN).




12) What are the parameters used to characterize the nature of a particular SA?


        Sequence Number Counter

        Sequence Counter Overflow

        Anti-Replay Window

        AH Information (Authentication Header information)

        ESP Information (Encapsulating Security Payload information)

        Lifetime of this Security Association

        IPSec Protocol Mode

        Path MTU (path maximum transmission unit)


13) What are the roles of the Oakley key determination protocol and ISAKMP in IPsec?


        ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. 


        Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP. 



14) In firewalls, what is a circuit-level gateway? Support your answer with a diagram.


        AKA Network Address Translation (NAT).

        Translates the addresses of internal hosts in order to hide them from the outside world.



15) List two techniques used by firewalls to control access and enforce a security policy. Explain each of them.


        • Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service.


        • Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall.


        • User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec.


        • Behaviour control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.






