CCS354 – NETWORK SECURITY
INTENSIVE COACHING ASSESSMENT
PART A (10x2=20)
1. What is symmetric key distribution?
• A method to securely share a secret key between two parties.
• Both parties use the same key for encryption and decryption.
• Requires a secure channel for key exchange.
2. Explain the concept of a Certificate Authority (CA) in the context of public key
distribution.
• A CA is a trusted third party that issues digital certificates.
• Verifies the identity of the certificate holder.
• Helps in secure public key distribution by signing public keys.
3. How are X.509 certificates used in secure web browsing (HTTPS)?
• They authenticate the identity of websites.
• Contain the website’s public key and the CA’s digital signature.
• Browsers trust a site if the certificate is valid and issued by a trusted CA.
4. What is IEEE 802.1X, and what is its primary purpose in network security?
• A network access control protocol for wired and wireless LANs.
• Provides port-based authentication.
• Ensures only authorized devices can connect to the network.
5. What are the challenges that organizations may face when implementing IEEE
802.1X?
• Complex setup and configuration.
• Compatibility issues with legacy devices.
• User authentication management.
• Requires a RADIUS server for authentication.
6. What is a digital certificate? How is it related to SSL/TLS in web security?
• A digital document proving ownership of a public key.
• Includes the owner's identity and CA signature.
• SSL/TLS uses digital certificates to establish trust and secure web communications.
7. List the limitations of SMTP/RFC 822.
• No native support for message encryption or authentication.
• Limited support for non-text (binary) data.
• Lacks mechanisms for spam and phishing prevention.
• Doesn't guarantee message integrity.
8. What are the services provided by PGP (Pretty Good Privacy)?
• Confidentiality (encryption of messages).
• Authentication (digital signatures).
• Integrity (message hashing).
• Compression and compatibility.
9. Name any four cryptographic keys used in PGP.
• Public Key
• Private Key
• Session Key (for message encryption)
• One-time Symmetric Key (used temporarily for each session)
10. How to secure Wireless Networks?
• Use strong WPA3 or WPA2 encryption.
• Change default router passwords and SSIDs.
• Enable MAC address filtering.
• Use firewalls and VPNs.
• Regularly update firmware and disable WPS.
PART – B (5x16=80)
11. a) How are public keys distributed securely, and what are the common methods
used to ensure their authenticity?
How Public Keys Are Distributed Securely
1. Certificate Authorities (CAs):
• Trusted organizations that issue digital certificates.
• Verify the identity of the certificate requester before issuing the certificate.
• The certificate includes the user's public key, identity, and the CA’s digital
signature.
• Browsers and operating systems trust certificates from known CAs by
default.
2. Public Key Infrastructure (PKI):
• A hierarchical system that manages keys and certificates.
• Components: Certificate Authority (CA), Registration Authority (RA), and
Certificate Database.
• PKI ensures secure key lifecycle management (issuance, renewal,
revocation).
• Widely used in HTTPS, email security, and VPNs.
3. Web of Trust (PGP model):
• Decentralized trust model where users verify and sign each other’s keys.
• No central authority; trust is based on personal endorsements.
• Used mainly in PGP and GPG for email encryption.
• Users build a network of trust based on whom they know and trust.
4. Key Servers:
• Public repositories where users can upload and download public keys.
• Common in PGP-based systems (e.g., MIT PGP key server).
• Anyone can search for a user’s public key using an email or key ID.
• Less secure without additional validation methods.
5. DNS-based Authentication of Named Entities (DANE):
• Uses DNS to publish public keys or certificates.
• Secured with DNSSEC (DNS Security Extensions) to prevent tampering.
• Reduces reliance on Certificate Authorities.
• Not widely adopted yet but growing in use.
6. Direct (Out-of-Band) Exchange:
• Public keys are exchanged manually through secure, trusted channels (e.g.,
face-to-face, phone call, or secure USB).
• Ideal in environments where infrastructure is not available or in smaller
trusted groups.
• Fingerprint verification is commonly used to ensure the key is genuine.
Methods to Ensure Authenticity of Public Keys
1. Digital Certificates (X.509):
• Issued by CAs and include the user’s public key, identity info, expiration date,
and CA’s signature.
• Validity of the certificate is verified through the CA's public key.
• Used in HTTPS, email, and software signing.
2. Digital Signatures:
• The CA digitally signs the certificate using its private key.
• The recipient verifies the signature using the CA’s known public key.
• Ensures the certificate has not been tampered with.
3. Certificate Revocation Lists (CRLs) and Online Certificate Status Protocol
(OCSP):
• CRLs: Lists of revoked certificates published by CAs.
• OCSP: Allows real-time checking of a certificate's revocation status.
4. Public Key Pinning (HTTP Public Key Pinning - HPKP):
• Websites specify which public keys are valid for their domain.
• Helps prevent man-in-the-middle attacks using fraudulent certificates.
• Deprecated due to complexity and risks if misconfigured.
5. Fingerprint Verification:
• A unique hash of the public key (called a fingerprint) is shared and verified
through a secure channel.
• Users compare fingerprints to ensure the key hasn’t been replaced or
altered.
OR
11. b)
i) What are the fundamental principles of remote user authentication, and why is it
critical in network security?
Fundamental Principles of Remote User Authentication
1. Identification:
• The user claims an identity (e.g., by entering a username or user ID).
• This step provides the system a reference point for verification.
2. Authentication:
• The system verifies the user's identity through credentials.
• Based on one or more of the following factors:
  • Something you know: Password, PIN.
  • Something you have: Smart card, OTP token, mobile device.
  • Something you are: Biometrics (fingerprint, facial recognition).
  • Somewhere you are: Location-based checks (IP, GPS).
  • Something you do: Behavioral biometrics (typing pattern, mouse movement).
3. Authorization (Post-Authentication):
• Determines what resources the user is allowed to access.
• Often managed by access control policies.
4. Accountability:
• Ensures user actions can be traced back to their identity.
• Achieved through logging and auditing mechanisms.
5. Secure Transmission of Credentials:
• Credentials must be protected in transit (e.g., via TLS/SSL).
• Prevents interception or replay attacks.
6. Mutual Authentication (Optional but recommended):
• Both user and server authenticate each other.
• Prevents man-in-the-middle attacks (e.g., phishing).
Why Remote User Authentication is Critical in Network Security
1. Prevents Unauthorized Access:
• Ensures only legitimate users can access sensitive systems or data.
2. Mitigates Identity Theft and Impersonation:
• Strong authentication prevents attackers from easily pretending to be
someone else.
3. Supports Confidentiality & Integrity:
• Acts as a gatekeeper, ensuring that only verified users can send or receive
secure data.
4. Essential for Secure Remote Access (e.g., VPNs, cloud apps):
• With remote work and cloud services, authentication ensures secure
connections over the internet.
5. Enables Auditing and Forensics:
• Authenticated sessions can be logged, helping in detecting and investigating
breaches.
6. Regulatory Compliance:
• Required by standards like HIPAA, GDPR, and PCI-DSS for protecting user
data.
b) ii) Compare and contrast the use of symmetric and asymmetric encryption in key
management and user authentication.
| Aspect | Symmetric Encryption | Asymmetric Encryption |
|---|---|---|
| Key Used | Same key for encryption and decryption | Public key for encryption, private key for decryption |
| Key Management | Requires secure channel for key exchange | Easier key distribution via public keys |
| Scalability | Poor scalability; number of keys grows rapidly with users | Better scalability; one key pair per user |
| Speed | Faster encryption/decryption | Slower compared to symmetric encryption |
| Security of Key Exchange | Vulnerable unless secure method is used for key sharing | More secure as private key is never transmitted |
| Authentication Capability | Limited; often combined with other methods | Supports digital signatures for strong user authentication |
| Common Usage in Authentication | Used in challenge-response protocols (e.g., HMAC) | Used in digital signatures, certificates, and SSL/TLS |
| Key Confidentiality | Key must be kept secret between both parties | Only private key needs to be kept secret |
| Example Algorithms | AES, DES, RC4 | RSA, ECC, DSA |
12. a) What is the structure of an X.509 certificate, and how does it ensure the integrity
and authenticity of public keys?
Structure of an X.509 Certificate
Version:
• Indicates the X.509 version (v1, v2, or v3 – v3 is most common today).
• Determines what fields are present in the certificate.
Serial Number:
• A unique identifier assigned by the Certificate Authority (CA).
• Helps in identifying and revoking individual certificates.
Signature Algorithm Identifier:
• Specifies the algorithm used by the CA to sign the certificate (e.g., SHA-256
with RSA).
Issuer Name:
• The Distinguished Name (DN) of the CA that issued the certificate.
Validity Period:
• Not Before and Not After dates define when the certificate is valid.
Subject Name:
• The Distinguished Name (DN) of the entity the certificate belongs to (e.g.,
domain name or person).
Subject Public Key Information:
• Contains the public key and the algorithm used (e.g., RSA, ECC).
• This is the key being validated and distributed.
Extensions (v3 only):
• Optional fields for additional information such as:
  • Key usage (e.g., digital signature, key encipherment)
  • Subject Alternative Names (e.g., additional domains)
  • Certificate policies, CRL distribution points, etc.
Signature (by CA):
• A digital signature created by the CA using its private key.
• Covers all fields above to ensure integrity.
How It Ensures Integrity and Authenticity
Integrity:
• The CA signs the entire certificate data (excluding the signature field itself).
• Any modification to the certificate after signing will invalidate the signature.
Authenticity of Public Key:
• The public key in the certificate is bound to the identity (subject name) by the
CA’s signature.
• If the CA is trusted, then the public key is assumed to be authentic.
Verification Process:
• The client (e.g., a browser) uses the CA’s public key to verify the CA’s
signature on the certificate.
• If the signature is valid and the certificate is within the validity period, it is
trusted.
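The verification process above, as a runnable model (an added example, not part of the original answer key). The certificate is a plain dictionary rather than DER, the CA key is a toy RSA pair built from two Mersenne primes, and all names and field values are constructed for the illustration.

```python
import hashlib, json
from datetime import datetime

# Toy RSA key pair for the CA, built from two Mersenne primes. Constructed for this
# demo only: the modulus is far too small and there is no signature padding.
_P, _Q = 2**127 - 1, 2**107 - 1
CA_PUBLIC = (_P * _Q, 65537)                        # (n, e): what relying parties hold
_CA_PRIVATE = pow(65537, -1, (_P - 1) * (_Q - 1))   # d: known only to the CA

def tbs_bytes(cert):
    # Everything except the signature field is signed. Real X.509 encodes this
    # part in DER; sorted JSON plays that role here.
    body = {k: v for k, v in cert.items() if k != "signature"}
    return json.dumps(body, sort_keys=True).encode()

def _digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def ca_issue(fields):
    # The CA signs the hash of the to-be-signed fields with its private key.
    n, _ = CA_PUBLIC
    return dict(fields, signature=pow(_digest(tbs_bytes(fields), n), _CA_PRIVATE, n))

def verify_certificate(cert, trust_store, now, revoked_serials=frozenset()):
    """Relying-party checks; returns (accepted, reason)."""
    ca_key = trust_store.get(cert["issuer"])
    if ca_key is None:
        return False, "issuer is not a trusted CA"
    n, e = ca_key
    if pow(cert["signature"], e, n) != _digest(tbs_bytes(cert), n):
        return False, "signature does not match certificate contents"
    if not (datetime.fromisoformat(cert["not_before"]) <= now
            <= datetime.fromisoformat(cert["not_after"])):
        return False, "outside validity period"
    if cert["serial_number"] in revoked_serials:   # stands in for a CRL/OCSP lookup
        return False, "certificate revoked"
    return True, "ok"

def sample_certificate():
    # Constructed sample carrying the fields listed above; every value is made up.
    return ca_issue({
        "version": 3,
        "serial_number": 4097,
        "signature_algorithm": "sha256-with-toy-rsa",
        "issuer": "CN=Example Root CA",
        "not_before": "2025-01-01T00:00:00+00:00",
        "not_after": "2026-01-01T00:00:00+00:00",
        "subject": "CN=www.example.com",
        "subject_public_key": {"algorithm": "RSA", "key": "constructed-public-key"},
        "extensions": {"subject_alt_names": ["www.example.com"],
                       "key_usage": ["digital_signature"]},
    })

if __name__ == "__main__":
    trust = {"CN=Example Root CA": CA_PUBLIC}
    now = datetime.fromisoformat("2025-06-01T00:00:00+00:00")
    cert = sample_certificate()
    print(verify_certificate(cert, trust, now))
    # Swapping the public key after issuance breaks the CA's signature.
    altered = dict(cert, subject_public_key={"algorithm": "RSA", "key": "substituted-key"})
    print(verify_certificate(altered, trust, now))
```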
OR
12. b) What is Kerberos, and how does it provide secure remote user authentication in
distributed environments?
What is Kerberos?
• Kerberos is a network authentication protocol.
• Developed by MIT, based on symmetric key cryptography.
• Designed to allow secure authentication over insecure networks.
• Commonly used in enterprise networks, such as Windows Active Directory.
How Kerberos Provides Secure Remote User Authentication
Trusted Third Party (Key Distribution Center - KDC):
• Central authority that manages authentication.
• Composed of two parts:
  • Authentication Server (AS)
  • Ticket Granting Server (TGS)
Authentication Process Overview:
Kerberos uses a ticket-based system and follows these main steps:
Step 1: Initial Authentication (Login)
• User enters username and password.
• The client sends a request to the Authentication Server (AS).
• AS verifies the user and returns a Ticket Granting Ticket (TGT) encrypted with
the user’s secret key (derived from the password).
Step 2: Ticket Granting
• The client uses the TGT to request access to a specific service from the Ticket
Granting Server (TGS).
• The TGS issues a Service Ticket, encrypted using the service's secret key.
Step 3: Service Access
• The client presents the Service Ticket to the target service.
• If the ticket is valid, the service grants access without requesting credentials
again.
Session Keys:
• Temporary symmetric keys used to encrypt communication between client
and server during each session.
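The three steps above as a runnable model (an added example, not part of the original answer key). `seal`/`unseal` are a toy encrypt-then-MAC standing in for the real Kerberos encryption types; the `KDC` class, the principal names, the lifetimes and the authenticator check are assumptions made for this sketch.

```python
import hashlib, hmac, json, os

TICKET_LIFETIME = 600  # seconds a ticket stays valid (constructed value)
MAX_SKEW = 300         # tolerated clock difference for authenticators (constructed value)

def derive_key(password, salt):
    # Long-term user key: derived from the password, which itself never leaves the client.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _xor_stream(key, nonce, data):
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(key + nonce + len(stream).to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, fields):
    # Toy encrypt-then-MAC; not a real cipher, used only to keep the model self-contained.
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, json.dumps(fields).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor_stream(key, nonce, ct))

def new_session_key():
    return os.urandom(32).hex()  # hex so it can travel inside the JSON fields

def open_ticket(key, ticket, authenticator, now):
    # A ticket is accepted only if it decrypts, is unexpired, and comes with a fresh
    # authenticator sealed under the session key stored inside the ticket.
    t = unseal(key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["session_key"]), authenticator)
    if a["user"] != t["user"] or abs(now - a["time"]) > MAX_SKEW:
        raise ValueError("stale or mismatched authenticator")
    return t

class KDC:
    def __init__(self):
        self.user_keys, self.service_keys = {}, {}
        self.tgs_key = os.urandom(32)

    def as_exchange(self, user, now):  # Step 1: Authentication Server
        sk = new_session_key()
        tgt = seal(self.tgs_key, {"user": user, "session_key": sk,
                                  "expires": now + TICKET_LIFETIME})
        return seal(self.user_keys[user], {"session_key": sk}), tgt

    def tgs_exchange(self, tgt, authenticator, service, now):  # Step 2: Ticket Granting Server
        t = open_ticket(self.tgs_key, tgt, authenticator, now)
        sk = new_session_key()
        ticket = seal(self.service_keys[service],
                      {"user": t["user"], "session_key": sk, "expires": now + TICKET_LIFETIME})
        return seal(bytes.fromhex(t["session_key"]), {"session_key": sk}), ticket

def client_get_service_ticket(kdc, user, password, service, now):
    reply, tgt = kdc.as_exchange(user, now)
    # Only the holder of the password-derived key can open the AS reply.
    tgt_sk = bytes.fromhex(unseal(derive_key(password, user), reply)["session_key"])
    authenticator = seal(tgt_sk, {"user": user, "time": now})
    reply, ticket = kdc.tgs_exchange(tgt, authenticator, service, now)
    return ticket, bytes.fromhex(unseal(tgt_sk, reply)["session_key"])

def service_accept(service_key, ticket, authenticator, now):  # Step 3: the target service
    return open_ticket(service_key, ticket, authenticator, now)["user"]

if __name__ == "__main__":
    kdc = KDC()
    kdc.user_keys["alice"] = derive_key("correct horse", "alice")   # constructed principal
    kdc.service_keys["fileserver"] = os.urandom(32)                  # constructed service
    ticket, sk = client_get_service_ticket(kdc, "alice", "correct horse", "fileserver", now=1000)
    auth = seal(sk, {"user": "alice", "time": 1000})
    print(service_accept(kdc.service_keys["fileserver"], ticket, auth, now=1000))
```

Only sealed tickets and session keys cross the model's "network"; an expired ticket or a stale authenticator raises `ValueError`.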
Security Features of Kerberos
Mutual Authentication:
• Both client and server verify each other’s identity.
No Password Transmission:
• Passwords are never sent over the network, even in encrypted form.
• Only tickets and session keys are exchanged.
Time-based Validity:
• Tickets have timestamps and expiration times to prevent replay attacks.
Single Sign-On (SSO):
• Users authenticate once to access multiple services without re-entering
credentials.
Centralized Authentication Management:
• Easy administration and policy enforcement across distributed systems.
13. a) i) What is Network Access Control (NAC), and how does it enhance the security
of enterprise networks?
What is NAC?
• Network Access Control (NAC) is a security solution that enforces policies to
control who and what can access a network.
• It evaluates devices and users before granting network access.
• Often used in corporate environments to ensure that only compliant and
authorized devices/users are allowed in.
How NAC Enhances Security:
Pre-Admission Checks:
• Validates user credentials and device security posture (e.g., antivirus,
patches) before allowing access.
Post-Admission Monitoring:
• Continuously monitors user/device behavior and can restrict or block access
if violations occur.
Role-Based Access Control:
• Provides different access levels based on user roles or device types.
Guest Management:
• Securely allows temporary access for visitors without compromising internal
security.
Remediation:
• Redirects non-compliant devices to a quarantine zone for updates or
security fixes.
Integration with Identity Systems:
• Works with Active Directory, RADIUS, and LDAP to enforce identity-based
access.
Supports BYOD Policies:
• Enables secure access from personal or unmanaged devices with limited
privileges.
ii) How does the Extensible Authentication Protocol (EAP) support multiple
authentication methods in network access?
What is EAP?
• Extensible Authentication Protocol (EAP) is a flexible authentication
framework used in network access scenarios (like Wi-Fi, VPN, 802.1X).
• It is not an authentication method by itself, but a container for different
methods.
How EAP Supports Multiple Authentication Methods:
Protocol Independence:
• EAP works over multiple link layers (e.g., PPP, IEEE 802.1X for LAN/wireless).
Supports Many Authentication Types:
Examples include:
• EAP-TLS: Certificate-based mutual authentication.
• EAP-TTLS: Secure tunnel for username/password exchange.
• EAP-PEAP: Encapsulates EAP within a secure TLS tunnel.
• EAP-MSCHAPv2: Password-based method used in Microsoft environments.
• EAP-SIM/EAP-AKA: Used for SIM-based authentication in mobile networks.
Flexibility:
• Organizations can choose an EAP method based on their security needs and
infrastructure.
Strong Security:
• Methods like EAP-TLS offer mutual authentication, encryption, and
resistance to replay attacks.
Integration with RADIUS:
• EAP is commonly used with RADIUS servers for centralized authentication
and policy enforcement.
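How the "container" idea looks on the wire, as an added example that is not part of the original answer key: every EAP Request/Response carries a one-byte Type naming the method, and a peer that does not support the offered method answers with a Nak listing the ones it does. The header layout follows RFC 3748; the function names and the sample packets are constructed for the illustration.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method type numbers as registered with IANA for EAP.
EAP_TYPES = {1: "Identity", 3: "Nak", 13: "EAP-TLS", 18: "EAP-SIM", 21: "EAP-TTLS",
             23: "EAP-AKA", 25: "PEAP", 26: "EAP-MSCHAPv2"}
NAK = 3

def parse_eap(packet):
    """Decode Code, Identifier, Length and, for Request/Response, the method Type."""
    if len(packet) < 4:
        raise ValueError("shorter than the 4-byte EAP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code not in EAP_CODES:
        raise ValueError(f"unknown EAP code {code}")
    if length < 4 or length > len(packet):
        raise ValueError("length field does not fit the received bytes")
    parsed = {"code": EAP_CODES[code], "id": identifier,
              "type": None, "method": None, "data": b""}
    if code in (1, 2):
        if length < 5:
            raise ValueError("Request/Response without a Type byte")
        parsed["type"] = packet[4]
        parsed["method"] = EAP_TYPES.get(packet[4], f"not-in-table({packet[4]})")
        parsed["data"] = packet[5:length]   # bytes past `length` are link-layer padding
    elif length != 4:
        raise ValueError("Success/Failure must not carry data")
    return parsed

def build_eap(code, identifier, eap_type, data=b""):
    return struct.pack("!BBHB", code, identifier, 5 + len(data), eap_type) + data

def peer_reply(request, supported, method_payload=b""):
    """Accept the offered method, or send a Nak listing the peer's methods in preference order."""
    req = parse_eap(request)
    if req["code"] != "Request":
        raise ValueError("a peer only answers Requests")
    if req["type"] in supported:
        return build_eap(2, req["id"], req["type"], method_payload)
    return build_eap(2, req["id"], NAK, bytes(supported))

if __name__ == "__main__":
    # Constructed packet: Request, id 7, length 6, Type 25 (PEAP), one flags byte.
    request = bytes.fromhex("010700061920")
    print(parse_eap(request))
    nak = peer_reply(request, supported=[13])          # this peer only does EAP-TLS
    print(nak.hex(), [EAP_TYPES[t] for t in parse_eap(nak)["data"]])
```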
OR
b) i) What are the primary goals of IP Security (IPSec), and how does it ensure secure IP
communication?
Primary Goals of IPSec:
Confidentiality:
• Encrypts IP packets to protect data from eavesdropping.
Integrity:
• Ensures data hasn’t been tampered with during transmission using hash
functions.
Authentication:
• Verifies the identity of the sender using digital signatures or pre-shared keys.
Anti-Replay Protection:
• Prevents attackers from resending captured packets to disrupt
communication.
Access Control:
• Controls which systems can communicate securely.
How IPSec Ensures Secure Communication:
Security Associations (SA):
• Defines encryption/authentication parameters for secure sessions.
Protocols Used:
• Authentication Header (AH): Provides data integrity and origin authentication
(no encryption).
• Encapsulating Security Payload (ESP): Provides encryption, integrity, and
authentication.
Key Management:
• Uses Internet Key Exchange (IKE) protocol to establish and manage security
keys automatically.
Modes of Operation:
• Transport Mode: Encrypts only the payload, keeps original IP header (used in
end-to-end communication).
• Tunnel Mode: Encrypts entire IP packet and adds a new IP header (used in
VPNs).
ii) List the Cloud Security Risks and Counter Measures.
| Risk | Description | Countermeasures |
|---|---|---|
| Data Breaches | Unauthorized access to sensitive cloud-stored data. | Use strong encryption (at rest and in transit); Multi-factor authentication (MFA); Data access controls |
| Insecure APIs | Vulnerabilities in cloud provider APIs can be exploited. | Use secure coding practices; Regular API audits; Implement strong authentication for API access |
| Account Hijacking | Stolen credentials lead to unauthorized access. | Enforce MFA; Monitor account activity; Use IAM policies to limit privileges |
| Data Loss | Accidental deletion, corruption, or overwriting of data. | Regular backups; Data versioning; Redundant storage systems |
| Insider Threats | Malicious or careless actions by employees or contractors | Role-based access control; User behavior monitoring; Logging and auditing |
| Lack of Visibility | Difficulty monitoring data and activities in the cloud. | Use Cloud Security Posture Management (CSPM) tools; Implement centralized logging and SIEM systems |
| Non-Compliance | Failing to meet legal or industry-specific regulations. | Regular compliance audits; Use certified cloud providers; Document and enforce data governance policies |
| Denial of Service (DoS) | Overwhelming cloud services to make them unavailable. | Use rate limiting and firewalls; Deploy DDoS protection services; Monitor network traffic for anomalies |
14. a) What are the improvements made in Transport Layer Security (TLS) over SSL, and
why is TLS the preferred protocol today?
Improvements in TLS over SSL
1. Stronger Cryptographic Algorithms
• TLS supports modern, more secure algorithms (e.g., AES, SHA-256, ECDHE).
• SSL (especially SSL 2.0/3.0) used outdated and weaker algorithms (e.g., RC4,
MD5).
2. Secure Key Exchange
• TLS introduces Ephemeral key exchange methods (like ECDHE) that provide
forward secrecy.
• SSL did not support forward secrecy well.
3. Message Authentication Improvements
• TLS uses HMAC (Hash-Based Message Authentication Code) for data
integrity.
• SSL used a less secure MAC method, making it more vulnerable to
tampering.
4. Protection Against Known Attacks
• TLS addresses vulnerabilities like:
  • POODLE (Padding Oracle On Downgraded Legacy Encryption) – affects SSL 3.0.
  • BEAST and CRIME – mitigated by changes in how TLS handles encryption and
  compression.
5. Protocol Design Enhancements
• Better handshake process for negotiation and authentication.
• TLS separates record layer and handshake layer, making it more modular and
secure.
6. Formal Specification and Open Development
• TLS is openly standardized by the IETF (Internet Engineering Task Force).
• SSL was proprietary (originally developed by Netscape).
7. Backward Compatibility and Versioning
• TLS allows fallback to older versions when necessary, but also supports
secure version negotiation.
• SSL lacked proper version negotiation, making it vulnerable to downgrade
attacks.
Why TLS is the Preferred Protocol Today
• SSL is deprecated and insecure – All versions (SSL 2.0/3.0) are considered obsolete
and vulnerable.
• TLS is actively maintained and updated – Latest version is TLS 1.3, which is faster
and more secure.
• Widely adopted – TLS is used in HTTPS, email encryption, VPNs, and secure VoIP.
• Compliance Requirements – TLS is required by most security standards and
regulations (e.g., PCI-DSS, HIPAA).
• Forward Secrecy – Critical in modern security to protect past communications even
if a key is compromised later.
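A client-side check of the points above, as an added example that is not part of the original answer key: a context that refuses anything older than TLS 1.2 and offers only ephemeral (forward-secret) key exchange, plus an audit function that reports where a given context falls short. It uses Python's standard `ssl` module; the function names and finding texts are constructed for the illustration.

```python
import ssl

def hardened_client_context():
    ctx = ssl.create_default_context()              # verifies the CA chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2    # SSL 2.0/3.0 and TLS 1.0/1.1 are never negotiated
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20")  # TLS 1.2 suites: ephemeral key exchange only
    return ctx

def audit_context(ctx):
    """Return a list of findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname is not checked against the certificate")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    for suite in ctx.get_ciphers():
        # Every TLS 1.3 suite uses ephemeral key exchange; TLS 1.2 suites must say so by name.
        is_tls13 = suite["protocol"] == "TLSv1.3" or suite["name"].startswith("TLS_")
        if not is_tls13 and not suite["name"].startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {suite['name']}")
    return findings

if __name__ == "__main__":
    print(audit_context(hardened_client_context()))   # expected: no findings

    # A context of the kind found in scripts that "just make the error go away".
    weak = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    weak.check_hostname = False
    weak.verify_mode = ssl.CERT_NONE
    for finding in audit_context(weak):
        print("finding:", finding)
```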
OR
b) How does the HTTPS standard ensure secure web transactions, and what are the
components involved in its setup?
How HTTPS Ensures Secure Web Transactions
1. Encryption
• All data between the browser and web server is encrypted using TLS.
• Prevents eavesdropping and data tampering during transmission.
2. Authentication
• HTTPS uses digital certificates (X.509) issued by Certificate Authorities (CAs).
• Confirms that the website is legitimate and not a malicious impersonator.
3. Data Integrity
• Ensures that the data sent and received hasn’t been altered using message
authentication codes (MACs).
• Protects against man-in-the-middle (MITM) and replay attacks.
Components Involved in HTTPS Setup
TLS/SSL Protocol
• The underlying security protocol used by HTTPS.
• TLS 1.2 and TLS 1.3 are the most widely used.
Web Server Certificate
• A digital certificate (issued by a CA) that contains the server's public key and
identity.
• Installed on the web server to enable secure communication.
Public and Private Keys
• Public key: Shared via certificate; used by the client to initiate secure
communication.
• Private key: Kept secret on the server; used to decrypt data and complete the
TLS handshake.
Certificate Authority (CA)
• A trusted entity that verifies and issues the website’s digital certificate.
• Browsers trust CAs pre-listed in their trust stores.
Browser and Web Server
• The browser initiates the secure request (https://).
• The web server handles the TLS handshake and encrypted data
transmission.
15. a) How does Pretty Good Privacy (PGP) ensure the confidentiality, integrity, and
authenticity of email communication?
How PGP Ensures Secure Email Communication
1. Confidentiality
• Goal: Protect message content from unauthorized access.
• Method:
  • PGP uses symmetric encryption (e.g., AES) to encrypt the actual message.
  • The symmetric session key (used for encrypting the message) is itself
  encrypted with the recipient's public key (asymmetric encryption).
  • Only the recipient's private key can decrypt the session key and, in turn,
  the message.
2. Integrity
• Goal: Ensure the message hasn’t been altered during transmission.
• Method:
  • PGP generates a hash (e.g., SHA-256) of the message.
  • This hash is included with the message and is used by the recipient to
  verify integrity.
  • If the computed hash doesn’t match the received one, the message was
  tampered with.
3. Authenticity
• Goal: Verify the sender’s identity.
• Method:
  • The sender digitally signs the message using their private key.
  • The recipient uses the sender’s public key to verify the digital signature.
  • If verification succeeds, the sender is authenticated and the message is
  confirmed as original.
Combined Operation Flow
Sender:
• Creates the message.
• Computes a hash of the message.
• Signs the hash using their private key (digital signature).
• Encrypts the message and signature using a random session key (symmetric
encryption).
• Encrypts the session key with the recipient's public key (asymmetric
encryption).
• Sends the encrypted session key + encrypted message + signature to the
recipient.
Recipient:
• Uses their private key to decrypt the session key.
• Uses the session key to decrypt the message and signature.
• Uses the sender’s public key to verify the signature.
• Recalculates the hash to ensure the message was not altered.
OR
b) i) What are the main threats to mobile device security, and how can they be
mitigated?
Main Threats:
Malware and Malicious Apps
• Apps that steal data, spy, or take control of the device.
Phishing Attacks
• Fake messages/emails that trick users into revealing sensitive data.
Unsecured Wi-Fi Networks
• Public Wi-Fi can be exploited for man-in-the-middle attacks.
Device Loss or Theft
• Physical access may expose stored personal and corporate data.
Outdated Operating Systems
• Lack of security patches leads to vulnerabilities.
Data Leakage via Apps
• Apps accessing and sharing personal or corporate data.
Jailbreaking or Rooting
• Disables built-in security features and increases attack surface.
Mitigation Measures:
• Install apps only from trusted sources (e.g., Google Play, Apple App Store).
• Use mobile security software and antivirus apps.
• Enable screen locks (PIN, biometrics).
• Encrypt device storage and use secure containers for sensitive data.
• Avoid public Wi-Fi or use VPNs.
• Keep OS and apps updated regularly.
• Use Mobile Device Management (MDM) to enforce policies and wipe data
remotely.
• Educate users on phishing awareness and app permissions.
ii) What are the best practices and technologies used to secure data on mobile
devices?
Best Practices:
Enable Full Device Encryption
• Protects stored data even if the device is stolen.
Use Strong Authentication
• Biometric authentication (fingerprint/face ID), strong passwords, or 2FA.
App Permission Management
• Limit access to contacts, location, camera, and microphone.
Remote Lock and Wipe
• In case of loss/theft, remotely disable or erase data.
Regular Backups
• Keep encrypted backups to restore data after incidents.
Disable Unused Services
• Turn off Bluetooth, NFC, or location when not needed.
Technologies Used:
Mobile Device Management (MDM)
• Centralized control of device settings, app installs, and security policies.
Mobile Application Management (MAM)
• Manages specific apps, especially in BYOD (Bring Your Own Device)
environments.
Virtual Private Network (VPN)
• Encrypts data in transit on untrusted networks.
Secure Enclaves / Trusted Execution Environment (TEE)
• Hardware-based isolation for sensitive operations.
Containerization
• Isolates work data from personal apps and environments.
Endpoint Detection and Response (EDR)
• Monitors devices for suspicious activity and provides incident response.