Answers to Chapter Review Questions

A1:

Non-repudiation is the property that a party cannot deny having performed certain actions. In the context of cryptography, it means being unable to deny that you sent a particular message. It is commonly implemented using asymmetric keys, whereby the sender uses his private key to digitally sign the message. On receiving the message, the signature can be checked using the sender's public key. If the signature verifies, the receiver knows who sent the message and also knows that the sender cannot deny sending it, because the only person holding the private key that matches the public key is the sender himself.

A2:

IPSec uses Diffie-Hellman as a means of establishing a secret key between two parties. IPSec will use either preshared keys or asymmetric cryptography as a means of avoiding the well-known man-in-the-middle problem with Diffie-Hellman, i.e., the need to authenticate the other party. As a result of using authenticated Diffie-Hellman to establish a secret key, IPSec is using symmetric key cryptography to encrypt IP datagrams.

An IPSec Authentication Header (AH) computes an authentication value that is essentially a keyed message digest (a checksum computed with the shared secret key) over the entire IP datagram, excluding any fields that change during transit. The Authentication Header offers both integrity and authentication because, on receipt of the IP datagram, the authentication value can be recalculated; if it matches, we know the datagram has not been tampered with (integrity) and that the sender is who we think it is (authentication), since the sender is the only other party holding the particular secret key used for the secure communication. An IPSec AH does not offer privacy because the datagram is not encrypted.

An IPSec Encapsulating Security Payload (ESP) offers privacy for an IP datagram because the datagram is encrypted using an encryption algorithm. The ESP is not authenticated or checked for integrity by default. This can be accomplished by nesting an AH and an ESP together.
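To make the AH description above concrete, here is an added example (not from the study guide) that computes an AH-style integrity check value over a constructed IPv4 header and payload, zeroing the mutable TTL and header-checksum fields before hashing. HMAC-SHA256 and the 20-byte option-less header are assumptions for illustration; a real AH uses the algorithm negotiated by IKE and a truncated ICV.

```python
import hmac
import hashlib
import struct

# Constructed example key shared by both IPSec peers (not a real key).
KEY = b"example-shared-key-from-IKE"


def build_ipv4_header(src, dst, ttl, payload_len, proto=51):
    """Minimal 20-byte IPv4 header, no options. Protocol 51 is AH."""
    ver_ihl = (4 << 4) | 5          # version 4, header length 5 words
    total_len = 20 + payload_len
    ident, flags_frag, checksum, tos = 0x1234, 0, 0, 0
    return struct.pack("!BBHHHBBH4s4s", ver_ihl, tos, total_len, ident,
                       flags_frag, ttl, proto, checksum, src, dst)


def zero_mutable_fields(header):
    """Copy of the header with the fields that change hop by hop
    (TTL at offset 8, header checksum at offsets 10-11) set to zero,
    which is how AH excludes them from the integrity check."""
    h = bytearray(header)
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_icv(key, header, payload):
    """Integrity check value over immutable header fields plus payload."""
    data = zero_mutable_fields(header) + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key, header, payload, icv):
    """Receiver recomputes the ICV with its copy of the key and compares."""
    return hmac.compare_digest(ah_icv(key, header, payload), icv)


def demo():
    src, dst = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])
    payload = b"constructed datagram payload"   # constructed sample data
    sent = build_ipv4_header(src, dst, ttl=64, payload_len=len(payload))
    icv = ah_icv(KEY, sent, payload)
    # A router decrements TTL in transit: the ICV still verifies.
    forwarded = build_ipv4_header(src, dst, ttl=63, payload_len=len(payload))
    ok_after_hop = verify(KEY, forwarded, payload, icv)
    # Modified payload or a party without the shared key: verification fails.
    tampered = verify(KEY, forwarded, payload + b"!", icv)
    wrong_key = verify(b"some-other-key", forwarded, payload, icv)
    return ok_after_hop, tampered, wrong_key
```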

A3:

Here are six reasons:

  1. Configures daemons and system settings to be more secure.

  2. Turns off unneeded services such as pwgrd.

  3. Helps create chroot jails that partially limit the vulnerability of common Internet services such as web servers and DNS.

  4. Has a user interface designed to educate users.

  5. Configures Security Patch Check to run automatically.

  6. Configures an IPFilter-based firewall.

A4:

When IPFilter is monitoring inbound or outbound packets on a session-by-session basis, if a ruleset says that IPFilter should establish a state table entry, IPFilter will establish in the kernel the parameters that constitute whether communication is allowed or disallowed for the particular session. Subsequent packets that match an entry in the state table pass through IPFilter without being checked against rulesets. This can significantly improve the performance of IPFilter, because no subsequent rulesets are checked against. In some IPFilter configurations, there can be tens or hundreds of rulesets to check against. Such an exhaustive search for every packet transmitted would significantly slow communications.

A5:

The private/public keys used in HIDS are used by the HIDS Clients to encrypt their alert reports before they are transmitted to the HIDS Server. On receipt, the HIDS Server will use the private/public key to decrypt the alert reports. The keys are created on the HIDS Server. The keys should be distributed to all HIDS Clients by as secure a means as possible, e.g., over a secure channel using IPSec/ssh or manually via a disk/tape that is subsequently destroyed.



HP-UX CSE(c) Official Study Guide and Desk Reference
Year: 2006
Pages: 434
