web安全試題及答案整理涵蓋考點考題

1、Part1.ExplanationofTerms30pointsNOTE:Givethedefinitionsexplanationsofthefollowingterms5pointsfeach.(1)DataIntegrityAssuresthatinfmationprogramsarechangedonlyinaspecifiedauthizedmanner.Ininfmationsecurityintegritymeanstha

2、tdatacannotbemodifiedundetectably.Integrityisviolatedwhenamessageisactivelymodifiedintransit.Infmationsecuritysystemstypicallyprovidemessageintegrityinadditiontodataconfidentiality(2)InfmationSecurityAuditAninfmationsecu

3、rityauditisanauditonthelevelofinfmationsecurityinanganization(3)PKIPKIprovideswellconceivedinfrastructurestodeliversecurityservicesinanefficientunifiedstyle.PKIisalongtermsolutionthatcanbeusedtoprovidealargespectrumofsec

4、urityprotection.(4)X.509IncryptographyX.509isanITUTstardfapublickeyinfrastructure(PKI)fsinglesignon(SSO單點登錄)PrivilegeManagementInfrastructure(PMI特權(quán)管理基礎(chǔ)架構(gòu)).TheITUTrecommendationX.509definesadirectyservicethatmaintainsadat

5、abaseofinfmationaboutusersftheprovisionofauthenticationservices…(5)DenialofServiceAttackDoS(DenialofService)isanattemptbyattackerstomakeacomputerresourceunavailabletoitsintendedusers.(6)SOA(ServiceientedArchitecture)SOAi

6、saflexiblesetofdesignprinciplesusedduringthephasesofsystemsdevelopmentintegrationincomputing.AsystembasedonaSOAwillpackagefunctionalityasasuiteofinteroperableservicesthatcanbeusedwithinmultipleseparatesystemsfromseveralb

7、usinessdomains.(7)AccessControlAccesscontrolisasystemthatenablesanauthitytocontrolaccesstoareasresourcesinagivenphysicalfacilitycomputer‐basedinfmationsystem.Anaccesscontrolsystemwithinthefieldofphysicalsecurityisgeneral

8、lyseenasthesecondlayerinthesecurityofaphysicalstructure.(Accesscontrolreferstoexertingcontroloverwhocaninteractwitharesource.Oftenbutnotalwaysthisinvolvesanauthitywhodoesthecontrolling.Theresourcecanbeagivenbuildinggroup

9、ofbuildingscomputerbasedinfmationsystem.Butitcanalsorefertoarestroomstallwhereaccessiscontrolledbyusingacointoopenthedo)(8)SaltedValueIncryptographyasaltconsistsofrombitscreatingoneoftheinputstoaonewayfunction.Theotherin

10、putisusuallyapasswdpassphrase.Theoutputoftheonewayfunctioncanbested(alongsidethesalt)ratherthanthepasswdstillbeusedfauthenticatingusers.Theonewayfunctiontypicallyusesacryptographichashfunction.Atosuccessfullychallengethe

11、authshipofthestatementvalidityofanassociatedcontract.Thetermisoftenseeninalegalsettingwhereintheauthenticityofasignatureisbeingchallenged.Insuchaninstancetheauthenticityisbeing“repudiated“.(17)BastionHostAbastionhostisac

12、omputersonawkspecificallydesignedconfiguredtowithstattacks.It’sidentifiedbythefirewalladminasacriticalstrongpointinthewk’ssecurity.Thefirewalls(application‐levelcircuit‐levelgateways)routerscanbeconsideredbastionhosts.Ot

13、hertypesofbastionhostsincludewebmailDNSFTPservers.(18)CSRFCrossSiteRequestFgery(CSRF)isanattackthatfcesanendusertoexecuteunwantedactionsonawebapplicationinwhichtheyrecurrentlyauthenticated.CSRFattacksspecificallytargetst

14、atechangingrequestsnottheftofdatasincetheattackerhasnowaytoseetheresponsetothefgedrequest.Withalittlehelpofsocialengineering(suchassendingalinkviaemailchat)anattackermaytricktheusersofawebapplicationintoexecutingactionso

15、ftheattackerschoosing.IfthevictimisanmaluserasuccessfulCSRFattackcanfcetheusertoperfmstatechangingrequestsliketransferringfundschangingtheiremailaddresssofth.IfthevictimisanadministrativeaccountCSRFcancompromisetheentire

16、webapplication.Part2.BriefQuestions40pointsNOTE:AnswerthefollowingHOWTOquestionsinbrief8pointsfeach.(1)AsymmetricCryptographicMethod.非對稱加密算法需要兩個密鑰：公開密鑰(public‐key)和私有密鑰(private‐key)。公開密鑰與私有密鑰一一配對，如果用一個公開密鑰對數(shù)據(jù)進(jìn)行加密，則只有用其對應(yīng)

17、的私有密鑰才能實施解密；如果用一個私有密鑰對數(shù)據(jù)進(jìn)行加密，那么也只有用其對應(yīng)的公開密鑰才能解密。加密和解密使用的是兩個不同的密鑰，所以這種算法被稱為非對稱加密算法。具體在2.3.1(2)SecurityinCloudComputing:HowtodiscerntheSecurityinCloudComputinginyourpointofview.Theresponsibilitygoesbothwayshowever:theprovi

18、dermustensurethattheirinfrastructureissecurethattheirclients’dataapplicationsareprotectedwhiletheusermusttakemeasurestoftifytheirapplicationusestrongpasswdsauthenticationmeasures.(3)MD5:Howtobeusedfpasswdprotection.平時作業(yè)中

19、布置了(4)ARPPoisoning:HowtocarryoutanARPCachePoisoningAttack.(5)VulnerabilitiesofFirewall:Howtoperateafirewallillustratedwithatleast3examples.(6)Kerberos:HowKerberoswks(7)PacketFilteringFirewall:Howtoperateapacketfilteringf