Fundamental Security Requirements Are Authentication Message Integrity Computer Science Essay

Published: Last Edited:

This essay has been submitted by a student. This is not an example of the work written by our professional essay writers.

Non-repudiation and confidentiality. Beside those, the requirements of access control, availability, traceability, privacy and authentication of ID, property and location are also important. In reality, some security requirements in fact become challenges for VANETs, for example, authentication wants to bind each driver to a single identity, which violates the rule of privacy, and availability is also a problem because only 50-60% of vehicle's neighbors can receive a broadcast message according to the evaluation of DSRC. Additionally, Low Tolerance for Error, especially in collision avoidance or warning systems, due to the dense structure and road obstacles, signal absorption, reflection, refraction, diffraction, scattering of road signals quite often happen. Mobility and key distribution are the other security challenges for VANETs because each vehicle has a constantly shifting set of neighbors so that the traffic information is very limited to be shared, and the questions, like: When or where to install the keys? how many to install? Who is certification authority? are still remained unsolved.

In VANETs, pseudonyms need go through the following steps in order to become credentials:

master key generation that includes vehicle master public/secret key pair generation and organization master public/secret key pair generation.

pseudonym generation, meaning registration to authority.

registration with the organization in order to get the pseudonym authentication and issue a credential

Issue a credential after pseudonyms authentication

Transfer of a credential.

Q3. Let V = each vehicle ( node )

i = i-th pseudonyms

Cert = certificate

CA = Certificate Authority

K = key

M = message

KiV = i-th pseudonym public key

σKiV( ) = private key stand for vehicle's digital signature under i-th

pseudonym and the signed message

Zero knowledge and bit commitment algorithm mean the pseudonyms procedure should start from the baseline. Each vehicle (node) V is built with a group of pseudonyms, this implies the public keys are certified by the CA without any information identifying V . After the i-th pseudonym KiV (public keys) are buried in V ,the CA need issue a certificate, written as CertCA ( KiV ), this notation tells us a CA signature is simply attached on the public key KiV. The private key KiV corresponding to the pseudonym KiV is used by the node to digitally sign messages. To enable message validation, the pseudonym and certificate of the signer are attached in each message. With σKiV( ) saying V 's signature under its i-th pseudonym and m the signed message payload, the message format is: M, σKiV(m ), KiV, CertCA(KiV )

The CA keeps mapping from the long-term identity of V to the {KiV} set of pseudonyms provided to a node. If presented with the above message format, CA can perform the inverse mapping and identify the signer. Each pseudonym is used at most for a period and then discarded, this is a typical dynamic pseudonym usage algorithm, pseudonym numbers change frequently, sometimes unnecessarily, especially in the TCP connection to access point and interactions with the network stack. Anyway, this pre-load or the frequently refilling with a number of pseudonym (KiV) public keys and the corresponding private keys (KiV), CertCA(KiV ) can affect the usability of the system. Upon receipt of the signed message, a node with the public key of the CA is assumed available and validates CertCA(KiV ).



Ettercap is a first multipurpose software that is capable to sniff many protocols in LAN, even ciphered ones, such as: SSH, HTTP, SSL, in full and duplex connections, OS fingerprint, password, packet filtering or dropping, and remote traffic sniffing. Because this software supports the plugins operation, data injection and dropping in an established connection get possible. This plugin attack can also sniff all the packets that pass on the cable, if a packet acting as a bridge is plugged in the gateway connecting to two networks, it will not only steal all the data from both sides but also forward the false traffic information from one to the other, but there is no way to find out that someone is in the middle during the transmission. As we know, ettercap needs root privileges to open the link layer sockets, and this privileges drops a clue that can help us trace the sniff attack. For example, after the initialization, the root privileges are not needed anymore, therefore, ettercap drops them to UID = 65535 (nobody), also this attack is usually in the form MAC address or IP address or PORT number, you can run the log file to trace it out if in UNIX or Linux system, or run software like ARPWatch to detect changes in MAC addresses on your network that may point to sniffers. Trying to run tools like Sniffdet and Sentinel is the other choice to detect network cards in promiscuous mode that may be running sniffing software. Using a VPN, like wi-fi, to connect to the network, locking down workstations so users can't install sniffing software or boot from a CD like Knoppix, and keep the public terminals on a separate LAN from the staff workstations and servers.


Dsniff actually is a collection of peeping tools for the network, just like a webspy , passively monitors a network for the interesting data, like: passwords, e-mail address, message contents, etc. There are several techniques and countermeasures that can help you to cope with it, first, you can enable the port security on a switch or enforce the static entries for the certain hosts to avoid the data spoof redirection, but this strategy can cause the inconvenience for the users. Secondly, you can use IPSEC paired with secure, authenticated naming services (DNSSEC) to prevent the dnsspoof redirection and trivial passive sniffing. Last one is avoiding giving a permission of proprietary, insecure application protocols or legacy cleartext protocols on your network. Generally speaking, except having the users to enable SSH's, StrictHostKeyChecking option and to distribute server key signatures to mobile clients, leveraging an authenticated naming service like DNSSEC for secure key distribution is another better solution.


According to, Achille is defined as a free Windows based tool that is designed for testing the security of web applications. Actually Achilles is a proxy server acting as a man-in-the-middle during an HTTP session. If intercept mode is on, the attacker is able read and modify client communication before it is sent to the intended server, for example, the client is requesting a Google search for the term "Microsoft ", At this stage the attacker could modify this search from "microsoft" to "linux" before sending the query to the Google server. Similarly, the attacker is able to intercept and modify server communication before it reaches the client. With both of these approaches, the attacker is able to compromise the integrity of communication between the client and server. The attacker could also compromise the availability of data by choosing not to forward the communication in either direction. If the attacker only wishes to compromise the confidentiality of thecommunication, intercept mode should be disabled and all communication logged to a text file. In this mode, the proxy server can passively gather datawithout any interaction from the attacker. Achilles is able to compromise confidentiality, integrity and availability, which is unreliable.

To deal with data integrity problem, we can use the countermeasure of detection data injection of SQL and cross-site script , This is because no matter how strong your firewall rule sets are or how diligent your patching mechanism may be, if your Web application developers haven't followed secure coding practices, attackers will walk right into your systems through port 80. The two main attack techniques that have been used widely are SQL Injection and Cross Site Scripting attacks. SQL Injection refers to the technique of inserting SQL meta-characters and commands into Web-based input fields in order to manipulate the execution of the back-end SQL queries. These are attacks directed primarily against another organization's Web server. Cross Site Scripting attacks work by embedding script tags in URLs and enticing unsuspecting users to click on them, ensuring that the malicious Javascript gets executed on the victim's machine. These attacks leverage the trust between the user and the server and the fact that there is no input/output validation on the server to reject Javascript characters. For confidentiality problem, Snort Pattern Matching is a better way to solve this problem because Snort utilizes a pattern matching model for detection of network attack signatures and using identifiers such as TCP fields, IP addresses, TCP/UDP port numbers, ICMP

type/code, and strings contained in the packet payload.


Netcat is said as a network swiss army knife. A simple Unix utility which reads and writes data across network connections, using TCP or UDP protocol. It is designed to be a reliable "back-end" tool that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need and has several interesting built-in capabilities.


Reverse shell means to start a session outbound through a firewall towards an attacker. The attacker's replies then come back through the firewall as legitimate traffic.Loki is able to create a ICMP tunnel to send covert commands and other information in the data fields. ICMP Shell (ISH) is a telnet session tunneled through an ICMP session. To block ICMP tunnels, you can block ICMP traffic. But ACK packets are usually not filtered. Therefore, ACK packets can be used as a tunneling mechanism to send covert data.

Honeypots refer to false targets deliberately deployed to lure hackers. Honey Pots can let you locate and track hackers, but you cannot use Honey Pots to prosecute a hacker. In law, a Honey Pot is an "attractive nuisance" and is not usable as evidence. Honeypot software include Back Officer, Bait N Switch, KFSensor, ManTrap, NetFacade, Single-Honeypot, Specter, Tiny Honeypot, and the Deception Toolkit. Administrators usually focus on securing the perimeter of the network. However, a lot of attacks originate from inside the network. Therefore, it is good practice to protect internal server farms, and other important targets.Vulnerability scanners like Nessus are both offensive and defensive tools to note. Scanners like Nessus can perform thousands of exploits on a host, and then report their findings in a nice HTML form. Cheops allow visual mapping of a network. Useful when used with other tools like Nmap or Nessus. Scanlogd allows to detect when port scans are going on. Abacus Portsentry can detect port scans and can also act as a firewall and send alarms like an IDS.