Summative Assessment On Cryptography: Cyber Security Assignment Answer


Question:

Summative Assessment Brief

Task 1 (50%)

Task 1

Scenario

A new cryptography start-up, Super Secure Networks (SSN), announces a new product: Cryptography as a Service (CaaS). The basic idea is that CaaS acts as a trusted intermediary, ensuring that messages exchanged between two participants are encrypted with One-Time Pad (OTP) encryption. This also means their clients do not have to rely on any traditional public key infrastructure (PKI), which SSN attests has demonstrated weaknesses in the past.

Figure 1 shows an example of how this product will work, where Alice and Bob wish to exchange messages, and have agreed to use SSN’s CaaS solution:

Alice will connect to CaaS via a TLS session (arrow #1), specifying that they wish to communicate with Bob.

CaaS then generates a new OTP for their connection and sends it back to Alice (arrow #2) in the same session.

CaaS also sends the same OTP on to Bob, via a separate TLS session (arrow #3).

Now Alice and Bob have both received the OTP key, they can then use it to directly exchange encrypted messages (arrow #4). 

Figure 1: Alice using CaaS to communicate with Bob

The TLS connections from and to CaaS use TLS version 1.2, with 256-bit elliptic curve points for a Diffie-Hellman handshake, signed with 1024-bit RSA keys (issued/signed by SSN itself, aka self-signed) and a SHA256 hash function. The encryption uses the 128-bit AES GCM cipher suite, and sessions are also signed with the SHA256 hash function. The messages between Alice and Bob are encrypted with the OTP using the exclusive-or (XOR) function.

Questions

Describe three differences between encryption with a one-time pad with XOR and AES encryption, and compare the security guarantees the two encryption techniques offer, if any.

Comment on the RSA key size and discuss the advantages/disadvantages of it.

SSN argue that using CaaS requires no more trust than the existing certificate authority model used by TLS connections today.

Explain how public key cryptography signing works to preserve integrity and authenticity, using the context of Alice signing a message that they can then send to Bob, and Bob verifying that the message came from Alice and has not been altered. You may assume that both Alice and Bob have access to a cryptographic hash function, and a signing and verification function. If it helps, you may assume these are: SHA256 and RSA respectively. 

Describe the traditional hierarchical PKI, as used by TLS, and explain how key signing in the above system works, using the context of a server S who provides a secure service via TLS, a client C that intends to access the service from S, and a single certificate authority CA who they both trust and have the public key for, including a description of how C can validate they have received an encryption key from S.

Compare the traditional hierarchical PKI to the CaaS solution – is their assertion correct? Why or why not?

SSN claims that CaaS enables perfectly secure communications. 

i)   Critically evaluate this statement and with reference to their service discuss any potential vulnerabilities within their security model.

ii)   Using your answer to part (i) suggest ways of making the current CaaS service more secure

(Task 1 approximately 1500 words)

Task 2 (20%)

For this task, you should discuss the benefits of using a VPN and explain the uses of both remote access and site-2-site VPNs. You should implement the following VPN shown in the topology below and explain how this can keep online transactions safe.

Using Packet Tracer 7.1 or a real network kit with Cisco Routers and Switches, if you have approved access to it, use IPsec to create a VPN tunnel from Router A to Router B and a separate VPN tunnel from Router X to Router Y. You should use the provided IP addressing table to fully configure the given network topology. 

As part of your submission, you must provide justification of how you accomplished this task, details of the IPsec tunnel configurations and proof that they are working, along with a copy of the Packet Tracer file fully configured and saved as StudentName.pkt (e.g. JohnSmith.pkt if your name is John Smith).

Network Topology

(Task 2 Approximately 500 words – not including tables or screen shots)

Task 3 (15%)

Review the current top 3 OWASP application vulnerabilities. For each one, describe the attack vector, list any vulnerability that is exploited and explain any countermeasures that may mitigate the risk of exploitation. Draw on knowledge from your workplace where practicable and appropriate.

(Task 3 Approximately 500 words – not including tables or screen shots)


Answer:

Task 1

  1. Difference between Encryption with a one-time pad with XOR and AES encryption:
One-Time Pad encryption:
  • The one-time pad algorithm uses a key of the same size as the message or plaintext.
  • Encryption in a one-time pad is based on the XOR operation: the XOR of two identical bits (both one or both zero) is zero, and the XOR of two different bits is one.
  • It provides faster operation than the Advanced Encryption Standard.

AES encryption:
  • AES uses a key size of 128, 192 or 256 bits.
  • The data in AES is encrypted using keys of 128 bits for AES-128, 192 bits for AES-192 and 256 bits for AES-256.
  • It operates more slowly than one-time pad encryption.


Both one-time pad encryption and AES encryption guarantee security in their respective algorithms. The security guaranteed by one-time pad and by AES encryption is compared below:

AES (Advanced Encryption Standard) is considered to be the most secure encryption algorithm. It uses a symmetric encryption algorithm to protect the data. In symmetric encryption, the same key is used for encryption and decryption. AES encrypts 128-bit blocks of data and uses keys of 128-bit, 192-bit and 256-bit sizes. The computation in AES is performed on bytes rather than bits. Initially, data was encrypted with a 56-bit key size, which was vulnerable to attack and easy to crack. AES offers large key sizes, with which data can be encrypted in a more secure way.

One-Time Pad Encryption:

One-Time Pad Encryption uses the XOR operation to encrypt the data or message. The generated key is random and is the same size as the message. The key is used only one time, after which it is automatically discarded. To ensure security in the One-Time Pad Encryption method, the generated key must be random and must be as long as the message. This is how security in the One-Time Pad encryption method is guaranteed.

  2. RSA key size

When creating an RSA key pair, you need to specify the key size according to your requirements. RSA keys come in different lengths, and each length is used according to the level of security needed. An RSA key size of 1024 bits is used for medium-security purposes where high security is not required. To secure highly confidential data, a larger key size is required; for this, a 2048-bit key should be considered. Data encrypted with a 2048-bit key could be kept confidential for more than 1 year. Although data encrypted with a larger key is more secure than data encrypted with a small key, the drawback of long keys is that decryption becomes slower and takes more time. (Javamax, n.d.)

Advantages of RSA key size:

The strength of encryption depends on the key size: the larger the key, the stronger the encryption. Data with strong encryption is more secure than data encrypted with a small key size. Data can be secured for more than one year with larger-key encryption.

Disadvantages of RSA key size:

A larger key size impacts the performance of encryption and decryption: with a longer key, both become slower. The larger key size has more impact on decryption than on encryption, because the decryption exponent is large compared with the encryption exponent, so decryption becomes much slower than encryption. Data encrypted with a smaller key size is less secure than data encrypted with a large key size. (Rouse, 2019)

  3. i) Public key cryptography uses two different keys for data encryption and decryption. Before the transfer of data starts, a key pair is generated by both the sender and the receiver participating in the communication. In this scenario, Alice wants to communicate with Bob through public key encryption. For this, both Alice and Bob initially generate a key pair consisting of a public and a private key. RSA is used to generate the key pair with the SHA 256 algorithm. Alice’s public key is transferred to Bob, and Bob’s public key is transferred to Alice. These public keys will be used to encrypt the message. The private keys from each pair are kept by Alice and Bob respectively. Alice sends a message by encrypting it with Bob’s public key, and the message is digitally signed with Alice’s private key. The signature helps the receiver to identify the sender of the message. The receiver, Bob, will verify the signature with Alice’s public key, which was already shared with Bob.

Bob will decrypt the message with his own private key and make sure that the message was sent by Alice by verifying the digital signature with the public key shared by Alice. Verifying the digital signature thus ensures that the message was sent by Alice, so public key encryption preserves authenticity. After verifying the signature, Bob checks whether the content of the received message matches the sent message. If any change in the message is found, even a slight one, the decryption process fails. Hence, integrity is also preserved in public key cryptography. (SURVEILLANCE SELF-DEFENSE, 2018) (Globalsign, 2019)

ii) Traditional hierarchical PKI

Public key infrastructure consists mainly of five components: digital certificates, the CA (certification authority), private key tokens, the registration authority and the certificate management system.

The CA (certificate authority) assigns digital certificates to both client C and server S. Public keys are stored in digital certificates that are digitally signed by the CA with its own private key and assigned to the client and the server. The assigned public keys are then exchanged between client and server when client C wants to access some data from server S.

The CA is responsible for generating key pairs, either on its own or together with the client. Digital signatures ensure that the content of the certificate has not been modified. Before communication starts, server S shares its public key, assigned by the certificate authority, with client C along with the digital signature. Client C verifies the public key by verifying the digital signature with its own public key, which was also assigned by the certificate authority. Once the keys have been shared, the client can access the data from the server.
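The hash-then-sign step from part i) and the certificate check the question describes for C, S and CA can be traced in a few lines. This is an added example, not part of the original answer: it uses textbook RSA without padding, toy keys constructed from Mersenne primes (trivially factorable), and hypothetical helper names such as `issue_certificate` and `client_validates`; here C checks the certificate with the CA's public key, as the question states.

```python
import hashlib

E = 65537  # common RSA public exponent


def make_key(p: int, q: int):
    """Textbook RSA key from two primes: returns ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def digest_int(data: bytes, n: int) -> int:
    """SHA-256 of the data as an integer, reduced below the modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private, data: bytes) -> int:
    """Hash the data, then apply the private exponent to the digest."""
    n, d = private
    return pow(digest_int(data, n), d, n)


def verify(public, data: bytes, signature: int) -> bool:
    """Apply the public exponent and compare with a freshly computed digest."""
    n, e = public
    return pow(signature, e, n) == digest_int(data, n)


# Constructed toy keys (assumption for the demo): real keys use random primes.
CA_PUB, CA_PRIV = make_key(2**607 - 1, 2**1279 - 1)
S_PUB, S_PRIV = make_key(2**127 - 1, 2**521 - 1)


def cert_body(subject: str, public) -> bytes:
    """The bytes the CA signs: subject name bound to the subject's public key."""
    return f"{subject}|{public[0]}|{public[1]}".encode()


def issue_certificate(subject: str, public) -> dict:
    """CA signs the binding between a name and a public key."""
    return {"subject": subject, "public_key": public,
            "signature": sign(CA_PRIV, cert_body(subject, public))}


def client_validates(cert: dict, expected: str, challenge: bytes, proof: int) -> bool:
    """C accepts S only if the name matches, the CA signature on the certificate
    verifies, and S proves possession of the certified private key."""
    if cert["subject"] != expected:
        return False
    body = cert_body(cert["subject"], cert["public_key"])
    if not verify(CA_PUB, body, cert["signature"]):
        return False
    return verify(cert["public_key"], challenge, proof)


def demo() -> dict:
    cert = issue_certificate("S", S_PUB)
    challenge = b"constructed handshake transcript"
    other_pub, other_priv = make_key(2**89 - 1, 2**107 - 1)  # a key the CA never certified
    swapped = dict(cert, public_key=other_pub)
    return {
        "genuine_server": client_validates(cert, "S", challenge, sign(S_PRIV, challenge)),
        "swapped_key": client_validates(swapped, "S", challenge, sign(other_priv, challenge)),
        "altered_message": verify(S_PUB, b"altered", sign(S_PRIV, b"original")),
    }


if __name__ == "__main__":
    print(demo())
```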

iii) In public key infrastructure, the certificate authority assigns a digital certificate containing the public key, along with a digital signature, to both of the actors participating in the communication. These digital signatures are produced by the CA with its private key. The sender sends the message with a digital signature so that the receiver can identify that the message was sent by the authorised sender.

In CaaS (Cryptography as a Service), the sender asks CaaS for a shared key; in return, CaaS provides the One-Time Pad to the sender, and the same One-Time Pad is given to the receiver. After receiving the One-Time Pad, sender and receiver can communicate directly with each other.

CaaS claims that the One-Time Pad is a secure method for communication between two parties, but the keys need to be shared before the message is transmitted, and if the keys are revealed during the sharing process, the message can be deciphered easily.

  4. i) CaaS claims that its One-Time Pad encryption method is highly secure, but some vulnerabilities have been noticed in CaaS’s One-Time Pad encryption system. The One-Time Pad uses random keys to encrypt the message, and the same key is used by the receiver to decrypt it. The keys can be used only once, after which they are automatically discarded. The One-Time Pad does not offer message integrity or authenticity. There is no method to verify the authenticity of a message: if the message is corrupted, no one can identify whether it was corrupted by transmission errors or by an interceptor. If the same key is used more than once, the data could be compromised.

ii) The current CaaS service can be secured by applying a hash algorithm to the plain message and sending this hash output to the recipient along with the message. In this way, the person with the correct hash function will be able to decrypt the message and the hash. Once the message is received by the recipient, it can be checked by matching the hash value against the received message.

Another issue with the One-Time Pad is the distribution of keys. As each key can be used only once, it is difficult to share a large number of different unique keys securely. For this, mass key distribution should be used, in which many terabytes of key bytes can be exchanged at one time by bundling them into a mass-storage version of a briefcase. (Rijmenants, 2019)
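The two weaknesses named in part i), pad reuse and the lack of integrity, can be reproduced in a few lines and contrasted with an authenticated variant. This is an added example, not part of the original answer, and it goes one step beyond the hash suggested in part ii) by using a keyed hash (HMAC-SHA256) over the ciphertext; the separate MAC key, the function names and the sample messages are assumptions made for the demonstration.

```python
import hashlib
import hmac
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings; OTP encryption and decryption are this same step."""
    if len(a) != len(b):
        raise ValueError("the pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts made with the same pad XOR to p1 XOR p2: the pad cancels out."""
    return xor_bytes(c1, c2)


def tamper(ciphertext: bytes, known_plain: bytes, new_plain: bytes) -> bytes:
    """Model in-transit modification: XORing (known XOR new) into the ciphertext
    changes what the receiver decrypts, and no pad is needed to do it."""
    return xor_bytes(ciphertext, xor_bytes(known_plain, new_plain))


def seal(pad: bytes, mac_key: bytes, message: bytes):
    """Encrypt with the pad, then authenticate the ciphertext with HMAC-SHA256."""
    ciphertext = xor_bytes(message, pad)
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag


def open_sealed(pad: bytes, mac_key: bytes, ciphertext: bytes, tag: bytes):
    """Check the tag before decrypting; return None if the ciphertext was altered."""
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(ciphertext, pad)


def demo() -> dict:
    # Constructed sample messages of equal length (16 bytes each).
    p1, p2 = b"PAY BOB 0100 GBP", b"PAY EVE 9999 GBP"
    pad = secrets.token_bytes(len(p1))   # fresh random pad, as long as the message
    mac_key = secrets.token_bytes(32)    # assumed extra key delivered alongside the pad
    c1, c2 = xor_bytes(p1, pad), xor_bytes(p2, pad)  # c2 reuses the pad: the mistake
    sealed, tag = seal(pad, mac_key, p1)
    return {
        "reuse_reveals_plaintext_xor": pad_reuse_leak(c1, c2) == xor_bytes(p1, p2),
        "unauthenticated_decrypts_to": xor_bytes(tamper(c1, p1, p2), pad),
        "authenticated_original": open_sealed(pad, mac_key, sealed, tag),
        "authenticated_tampered": open_sealed(pad, mac_key, tamper(sealed, p1, p2), tag),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

A plain unkeyed hash sent beside the message detects transmission errors, but anyone who can alter the message can recompute it; the keyed tag is what lets the receiver tell the two cases apart.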

Task 2

A VPN, or Virtual Private Network, is a secure connection between a user or device and servers. A secure VPN tunnel is created between two users using the VPN service, and the communication between them is encrypted so that no third or unauthorized person can eavesdrop on the network traffic. A VPN allows users to work remotely by accessing their company’s server or secure internal network. The service is widely used in corporate settings, where home users use it to connect to the company’s network. It is provided by a VPN service provider, where a VPN server is installed. The client needs a VPN client to establish a secure connection to the server. When the connection is established, a secure encrypted VPN tunnel is created between server and user. (Advantages of VPN, 2019)

There are several benefits of using a VPN. Some of them are listed here –

  • It hides our online identity by encrypting the network traffic.
  • It helps us bypass geo-blocks by hiding our local/real IP address.
  • It secures our online communication and confidential details from being stolen by an intruder.
  • By using a VPN, we can prevent bandwidth throttling, as our ISP never inspects what we use or how.
  • With a VPN we can bypass firewalls and access restricted web sites blocked by some ISPs.
  • It provides secure surfing and downloading while using torrents.
  • It enables us to use geographically restricted applications, such as online games that may be restricted in our region.

What are remote access and site to site VPN?

Remote access VPN – This VPN service allows an individual user to connect to a remote company’s secure network and use the company’s secure resources over the VPN connection. Two components are needed to create a remote access VPN: one is the “Network or Remote access server” and the other is the “Remote access VPN client” application. The VPN client software is required to make the connection request to the server. The remote access server then authenticates the client request by checking its credentials and creates a secure VPN tunnel. (Remote Access VPN, 2019)

Site to Site VPN – This type of VPN connection allows multiple office locations to connect via a VPN connection over the internet. This extends the company’s resources and makes them available at another location by secure means. Site to Site VPNs are of two types – intranet based and extranet based. (Site to Site VPN, 2019)

Implementing VPN topology

How can a VPN keep online transactions safe?

A VPN is one of the most secure means of using internet banking. It adds an extra layer of security and restricts hackers from eavesdropping on our network traffic. It creates a secure tunnel between the user and the server, so an unauthorized user cannot steal our confidential information.

Configuration of IPsec tunnel

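Configuration on router A

! Tunnel interface 10: local tunnel address 10.0.0.1, peer reached at 100.0.0.2.
! No tunnel mode or crypto commands appear in these lines, so the interface
! runs in the IOS default tunnel mode (GRE) and no IPsec protection is applied by them.
# conf t
# int tunnel 10
# ip add 10.0.0.1 255.0.0.0
# tunnel source fa0/1
# tunnel destination 100.0.0.2
# no shut
# end
! Confirm the interface state and the source/destination it is using.
# show interface tunnel 10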

Configuration on router B

! Tunnel interface 20: local tunnel address 10.0.0.2, peer reached at 100.0.0.1
! (the other end of router A's tunnel 10).
# conf t
# int tunnel 20
# ip add 10.0.0.2 255.0.0.0
# tunnel source fa0/1
# tunnel destination 100.0.0.1
# no shut
# end
# show interface tunnel 20

Configuration on router X

! Tunnel interface 100: local tunnel address 20.0.0.1, peer reached at 100.0.0.4.
# conf t
# int tunnel 100
# ip add 20.0.0.1 255.0.0.0
# tunnel source fa0/1
# tunnel destination 100.0.0.4
# no shut
# end
# show interface tunnel 100

Configuration on router Y

! Tunnel interface 200: local tunnel address 20.0.0.2, peer reached at 100.0.0.3
! (the other end of router X's tunnel 100).
# conf t
# int tunnel 200
# ip add 20.0.0.2 255.0.0.0
# tunnel source fa0/1
# tunnel destination 100.0.0.3
# no shut
# end
# show interface tunnel 200

Proof of working – using ping and tracert to check the tunnel connectivity between PCs.

Task 3 OWASP Application Vulnerability

The top three OWASP application vulnerabilities are (OWASP Vulnerabilities, 2019) –

  1. Injection – this type of vulnerability occurs when an attacker injects malicious code into the web application, forcing it to do something different from what it was programmed to do. The most common attack in this category is SQL injection, where a SQL query is altered with code supplied by the attacker so that the query produces results different from those it was designed to produce. Prevention of code injection depends entirely on the technology we are using to write the query, such as a WordPress application. The developer needs to apply several security measures when developing or designing software, such as using a minimum of themes and plugins, not using dynamic SQL, and using updated software and firewalls. (Code Injection – OWASP, 2019)
  2. Broken authentication – this is the type of attack where an attacker gains access to any user account in our system that he wants. In worse cases he will take complete control of the system. Many web sites are prone to this vulnerability because the application does not have a sufficiently secure authentication mechanism. To prevent this attack, one should make it a practice not to leave a login page open and publicly accessible. Broken authentication can be seen by using a brute force attack on the login page of a web site. To mitigate this vulnerability, the developer needs to follow best practices: carry out a security audit of the web site and test the code before deploying it. Further countermeasures against broken authentication are: use multi-factor authentication, do not use default authentication or weak passwords, and keep logs of every authentication failure. (Broken Authentication – OWASP, 2019)
  3. Sensitive data exposure – this is one of the most common types of vulnerability. It exposes confidential data that needs to be protected, such as passwords, credit card numbers, social security numbers and PINs. This sensitive data is of two types – stored and in transit – and both types need to be protected. The best way to do this on a web server is to use an SSL certificate. SSL secures the communication between host and server, so there is less chance of eavesdropping by an intruder. To mitigate the risk of this vulnerability we need to use prevention mechanisms such as: identify the sensitive data that needs to be protected and classify it according to the privacy laws, do not store sensitive data on servers and online systems, and make sure the data is always kept encrypted. To protect data in transit, use secure protocols such as TLS, HTTPS etc. (Series, A., 2019)