Top Banner
Enhanced Security for Online Exam Using Group Cryptography Complete Proposal: Development of the Web has contributed to the growth of Internet learning and online exams, Internet and Online exams have not been extensively adopted. An Internet based exam is defined in this project as one that take place over the unsure of yourself web, and where no proctor is in the same place as the examinees. My project propose an improved safe filled Internet exam organization setting mediated by group cryptography methods using distant monitoring and control of ports and input. The objective domain of this project is that of Internet exams for any subject’s contest in any level of Education, as well as exams in online university courses with students in various different locations. Project proposes a trouble-free solution to the issue of security and cheating for online exams. This solution uses an enhanced in the Online Exam safety organized system which is based on group cryptography with e-monitoring methods Existing System Different dishonest patterns exists in present organization together with photocopying the answers of others, inter-
100

Enhanced Security for Online Exam Using Group Cryptography

Nov 27, 2014

Download

Documents

Vamsi Kaza
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Enhanced Security for Online Exam Using Group Cryptography

Enhanced Security for Online Exam Using Group Cryptography

Complete Proposal:

Development of the Web has contributed to the growth of Internet learning and online

exams, Internet and Online exams have not been extensively adopted. An Internet based

exam is defined in this project as one that take place over the unsure of yourself web, and

where no proctor is in the same place as the examinees. My project propose an improved

safe filled Internet exam organization setting mediated by group cryptography methods

using distant monitoring and control of ports and input. The objective domain of this

project is that of Internet exams for any subject’s contest in any level of Education, as

well as exams in online university courses with students in various different locations.

Project proposes a trouble-free solution to the issue of security and cheating for online

exams. This solution uses an enhanced in the Online Exam safety organized system

which is based on group cryptography with e-monitoring methods

Existing System

Different dishonest patterns exists in present organization together with photocopying the

answers of others, inter-changing answers, penetrating the web for answers, using the

information and software saved on the student’s computer and discussing the exam by

mailing system, phone, or immediate messaging or using Zigbee etc.

Disadvantages

1) Stages of contact between teachers and students decreases.

2) The tendency to copy in the online exams and cheat by students increases.

3) The system must rely on students’ sincerity, honesty or their having an reputation

code

Proposed System

Page 2: Enhanced Security for Online Exam Using Group Cryptography

Project introduces a clarification to the issue of safety and cheating for web based exams.

This solution uses an enhanced safety organize system in the Online Exam which is

based on collection based cryptography with an e-monitoring methodologies.

The cryptography supports superior safety organizes for the web exam process, as well as

validation and veracity. The e-monitoring provides a proctor role to distinct location

examinees to prevent copying and cheating over the internet based online examination

systems, and thus removes the prerequisite of having to go to a permanent location. The

target of this project is web based exams of any type and exams in online university

courses with students at distinct locations.

Project undergoes administer an internet based examination at a static time with the same

questions for all examinees, just like an off-line exam, but without restricting the physical

place of the examinees. This system enable many kinds of tests to be given online, it can

provide teachers with well again evaluation principles for students and may put in to

improving the quality of education.

Advantages

1) web based exam management system having some monitoring method to prevent

and to detect cheating and copying

2) Without regard to position and time.

3) Avoid intercepting or interfering with communications during an exam conducted through web.

Software Requirements

• Operating system :- Windows XP Professional

• Front End :- Visual Studio 2008, ASP.net, C#

• Backend :- SQL Server 2005

Hardware Requirements

• SYSTEM : Pentium IV

• HARD DISK : 40 GB

Page 3: Enhanced Security for Online Exam Using Group Cryptography

• RAM : 512 MB

Project Plans and Methods Involved:

The modules involved are:

Administrator

Key Generation

Student Exam Modules

Results and Reports

Video Conference and Desktop Capturing

Administrator:-

In this module Administrator is having the task to manage the information

about the Examiners, Proctors and students and he can also add, update or

delete the information about the Examination centers and the candidates

applying for the exams through internet. Also schedule the information about

the exams and generate keys using Asymmetric algorithms accessing the

question papers upload by different type of examiners who are uploading

question papers to the database and he can also add the marks for the

student after completion of their exams. Here key management plays a vital

role in providing security and safety to the online examination processes.

Admin will encrypt the answer upload by the examiners who are preparing

online exams using AES algorithm.

Key Generation:-

In this module Admin has the work to schedule the information about the

Exams and he is able to send public and private keys to the students based

on the requested schedule in order to generate keys we user group key

generator based algorithms in this application this module place a role of

identifying the student attending the exam using photo comparisons and able

to monitor the systems where students are access the online examination

application by desktop capturing mechanism.

Page 4: Enhanced Security for Online Exam Using Group Cryptography

Students Exam Modules:-

In this module student can check the information provided by the

administrator public keys and privates. By using keys he is able login

to the exam window can answer the question. Immediately after exam

starts a video conference between examiners and students to identify

the behaviors of the students and capturing of images for every 2 to 3

seconds in order to identify the genuinely of the student at the time of

results. All the USB Ports of the C.P.U are disabling in order to avoid

copying of answers from third party devices. An interface is developing

in such a ways which avoids access of keyboard and other menus of

Operating system.

Results and Reports:-

This module contains all the information about the results generated

by the Administrator and a lot rank cards to the students based on

their behaviors and performance during the online examination. Admin

can generate reports based on grades allotted by online examination

system

Video Conference and Desktop Capturing

This module contains all the information about Video conference

between student and examiner these 2 modules will be automatically

initialized immediately after starting up the application [Online

Examination systems] a live video will be telecasted of student and

save to the student database to the server. The events and behaviors

of the student during the online exam process

Page 5: Enhanced Security for Online Exam Using Group Cryptography

Research Methods:

1. Logging-client registers his/her personal data (login, password)

a. confirmation is taking place after submitting data

b. authentication error is signalized by fault message

c. if authentication doesn’t return error, user is allowed to system

2. Managing students – called by examiner

a. inspector adds, removes and modifies students data.

b. if examiner did not insert required data (login, password, and image will uploaded to the server database at the time of registration) else system returns error message

c. if data is registered and users enter all valid information with valid data correctly, accepting message is being shown

3. Preparing exams

a. examiner is permitted to decide categories and number of questions from individual exam

b. examiner adds the amount of correct answers (in %) required to pass the exam and answers entered by examiner will be encrypted using AES/DES algorithm to provide security to the answers from hackers or intruders.

c. examiner sets time and schedule of exam

4. Activating Exam

a. Examiner activate exam using a public and private key generated by the examiners so that students can run it.

5. Managing questions

a. examiner adds, edits and removes questions and categories

b. He can also subscribe questions to categories

6. Viewing results

Page 6: Enhanced Security for Online Exam Using Group Cryptography

a. examiner can view condensed results of all students that have been passing this test

b. after clicking one student’s login he can enter “Viewing personal FeedBack”

7. Viewing personal FeedBack

a. user is allowed to exam results of one student;

b. examiner can view results of each student at every time

c. student can see results of exam only once – just after passing the exam.

8. Running test

a. student is choosing one of available exams, because of what personalized test with random questions is being created

b. after student finishes test, its results and questions are being saved in exam.

c. Video conference module is add to monitor student from distinct places

d. Desktop capturing mechanism helps in capturing the events and actions performed by the users or student during the examination process

e. USB Disable and enables automatically immediately after examination starts

Initial Literature Review:

The recent service and eventual extensive acceptance of electronic monitoring in groping students and a variety of classes In this project , we examine the impacts, connected challenges and safety lapses of the existing electronic-examination structure with the aim of ameliorating and emergent a new satisfactory e-Exam system that takes care of the existing system’s challenges and safety measures lapses. Students that participated in the online exams were chosen for interview and questionnaire. Based on the examination of the interviews and study of the existing electronic online test and examination system, some anomalies were exposed and a new e-exams system was developed to wipe out these anomalies. The new system uses data encryption in order to protect the questions sent to

Page 7: Enhanced Security for Online Exam Using Group Cryptography

the e-Examination center through the internet or intranet and a video conference based devices are connected to avoid cheating in the online examination process. Online examination has been highly paying attention and appropriate in both learning and educational aspects. The best method to evaluate the ability and knowledge of an individual is through examination process. To this conclusion, various methods has been in work in examining the capability of an personality, starting from manual means of using paper and pencil to electronic, from spoken to write, practical to theoretical and many others.The current information technology way of examining students is the use of electronic systems in position of manual or paper technique which was characterized by huge examination leakages, impersonations, demand for satisfaction by teachers, inducement-taking by supervisors and invigilators of examinations.

There is a rising body of investigation is focused on mounting improved ways to supervise e-exams methods and e-learning systems. Some of this research focused on a variety of section of the system and these includes: Schramm looked at a e-learning web based system that could simply offer and grade mathematical questions with infinite lack of complaint. Therefore it needs the ability for in and output of numerical formulas, the dynamic generation of plots and the generation of random words and statistics.This is web based online examination scheme, the system carry out the test and auto-grading for students exams. The system facilitates conducting exams, collection of answers, auto marking the submissions and manufacture of reports for the exam. It supports many kinds of queries. It was used through online and is therefore suitable for both limited and distant examination. The system could assist lecturers, instructors, teachers and others who are prepared to create new exams or edit presented ones as well as students participating in the exams

Literature Survey:

Page 8: Enhanced Security for Online Exam Using Group Cryptography

Fraud and Cheating control:

Research is on case study that describes the researchers’ attempts to article and stop

frauds and cheating on their web based exams. They present facts of their hard work to

decrease both the probability and force of cheating on-line. Suggestions are offered that

are planned to provide direction for others wishing to pursue web based online exams in

their classes over the past several years, a number of academics have espoused the value

of using on-line exams in classes as opposed to the face-to-face paper exams that are

traditionally given in the college classroom. Most often, on-line exams are used in

conjunction with a distance-learning course where all the course material is administered

on-line. Theoretically, however, many of the benefits associated with using online exams

in a distance e-learning course should also be present if on-line exams are used in a more

traditional course. This paper used on-line exams in just that style. Although we teach

divide sections of lessons that get together face-to-face twice a week, and decided to

explore the possibility of administering web based online exams to our learners on-line.

The possible remuneration of doing this are many and comprise ever-increasing grading

correctness, minimizing the grading time, and provided that students with instant

feedback. Possibly even more importantly, web based internet exams can free of charge

up time in class to pursue other knowledge behaviors. In most lessons, the time available

always seems to run out earlier than the amount of main material that requirements to be

covered. If exams are taken out of the classroom and administer over the web, then many

instructors would find four or more extra class session in which they could cover added

material. Or, they may wish to cover the same amount of information to be shared to the

students attending online exams, but cover it in better depth. As this paper will essay, we

establish all of these profit and more when administering our exams web based exams.

While I am very pleased with our first knowledge, a irritating question persisted. Namely,

i concerned that student may have been cheating or doing fraud on the exams, and that

the cheating and fraud may have been widespread. As such, i took a number of steps to

aim to notice any cheating on the web baesd exams. In adding, I took a amount of steps

to try to minimize the impact of whatever cheating did occur that did not get detected. In

the sections that follow, we will first describe our course and learning environment in

detail. Additionally, we will seek to document many of the ways that students could

Page 9: Enhanced Security for Online Exam Using Group Cryptography

potentially cheat on on-line exams. Furthermore, we will outline the specific steps we

took to detect it and minimize its impact. To conclude, we will share some of our positive

experiences with on-line testing in general, and will outline additional steps we plan to

take in the future to improve their effectiveness in the classroom. Before describing the

various means of cheating on the exam, it is important for us to discuss our testing

protocol so that it is clear what students are and are not allowed to do. At the beginning

of every exam, we include a paragraph that reads in part, “This is not an open book or

open notes exam. This exam is to be taken during the allotted time period without the aid

of books, notes, or other students. You have approximately 45 seconds per question to

complete this exam. This exam must be taken on-line from start to finish. Do not

download it to take it or distribute it to anyone. The statistics feature of On course will

monitor and report how you take this exam.” We also verbally announce this statement in

class prior to each exam and answer any questions students might have with regard to

what is and is not allowed on the exam. As such, we have identified the following

potential ways to cheat on our on-line exams: Having someone other than the student take

the exam Exceeding the posted time limit Collaborating with others during the exam

Downloading or distributing the exam to others Using material that is not allowed

(textbook or class notes) Identifying the possible means of compromising the integrity of

the exam was an important first step, but it was only a first step. After devising this list,

we then set out to try to detect whether or not cheating occurred.

STEPS TO MINIMIZE THE IMPACT OF CHEATING

Some of the ways we minimize the impact of cheating rely on the same tools we use to

detect it as outlined in the previous section. For instance, timing the exam helps lessen

the opportunity that students have to utilize inappropriate material. If our exams had no

time limit, the temptation to avoid studying and rely instead on looking up answers

during the exam would be greater. By providing only forty-five seconds per question, we

limit the students’ ability to engage in this. We also tend to ask lengthy, application-based

questions. These questions take more time to process and are more difficult to look up in

the textbook because the answers require a synthesis of information as opposed to a

simple recitation of a fact. While we could take this one step further and require essay

Page 10: Enhanced Security for Online Exam Using Group Cryptography

questions, we have not pursued that yet, but may do so in the future. Timing the tests also

makes it more difficult for students to collaborate during the exam. We add a further

level of difficulty to any attempt at collaboration by scrambling the order of the test

questions on each exam. This prevents students from simply asking each other the answer

to question six, for example, because the question order will be different on each exam.

In a similar vein, we also take steps to minimize the likelihood that someone other than

the student is taking the exam. One of the primary ways we do this is to have multiple

assignments due during the course of the semester. In a typical semester, each student

will need to submit over twenty separate assignments on-line. Although it may be

relatively easy for them to get help on one of them or even a few of them, it will be

considerably tougher and / or more costly to find someone willing to complete every

on-line activity for them. Yet another way we minimize the impact of collaboration is to

require a cumulative, face-to-face final exam at the end of the semester. This exam is

weighted more heavily than the other exams and has a pronounced impact on the

students’ final grades. If they have not been keeping up with the material throughout the

semester (i.e., they have had someone else doing their work), they are very likely to fail

the final exam. If they fail the final, it carries enough points that they are unlikely to get

an A or a B in the course regardless of how well they did on any other assignment.

All told, these steps help us minimize the impact that cheating has in our classroom.

While we certainly have not eradicated its occurrence, we suggest that totally eliminating

it is not likely on any exam, face to face or on-line. Instead, these steps have allowed us

to lessen the likelihood of cheating and also lessen the temptation for cheating to the

students. This has allowed us to realize many benefits in the classroom that we would not

have had if we had given our exams in the traditional manner.

OVERALL ASSESSMENT OF ON-LINE EXAMS

Overall, we are quite pleased with the impact that using on-line exams has had in our

classes. By using this method, we have freed up three entire class periods worth of time.

We have used this time to have class discussions that were more in-depth and focused

than time normally allowed. We have also been able to add more group activities and

experiences that require students to take some of the theoretical concepts we discuss in

class and apply them to their personal lives. Student satisfaction with this approach has

Page 11: Enhanced Security for Online Exam Using Group Cryptography

been high. Not only do the students enjoy the flexibility of taking the exams at a time that

is convenient for them, they also report learning more in the classroom. Because we are

able to use experiential exercises in class that we did not have time to use before, they

also report greater satisfaction with the material. It is more meaningful to them because

they have internalized more of it. This would be more difficult to accomplish if we were

not able to free up class time by using on-line exams. On-line exams would not be

possible if we did not have cheating under control. By taking the steps we have to detect

cheating and minimize its impact, we have been able to take class exams offline

and have had a more rewarding classroom experience for our students. We are very

encouraged by the initial results.

FUTURE STEPS

While this study does help provide some insight as to how to detect cheating and

minimize its impact, the work in this area is just beginning. As more and more academics

decide to explore the possibility of using this form of testing, additional steps need to be

taken to ensure that cheating is minimized. As such, it is important that further research

be devoted to this crucial topic. One area ripe for further exploration is to undertake

additional steps to enhance the testing protocol that is used. As an example, some schools

have reported success in having students formally sign honor codes before taking exams.

It may be beneficial to see what impact this might have in an online testing environment.

Another potentially promising area that we plan to explore is to look at whether or not

student personality characteristics might influence their propensity to cheat. We are

currently collecting data on such variables as student self-efficacy and self-esteem to see

whether or not there might be a significant relationship between them and subsequent

cheating on exams. To conclude, we encourage other instructors to engage in this field of

research. The benefits of using online exams are numerous, but until teachers and

administrators can be reasonably assured that cheating is not rampant, they will not be

fully utilized in the classroom and many of these benefits will go unrealized. By

continuing to explore the topic of cheating on online exams, the problem can be further

minimized and the general classroom experience can be enhanced.

Page 12: Enhanced Security for Online Exam Using Group Cryptography

Group Cryptography:

Exam Groups:

Page 13: Enhanced Security for Online Exam Using Group Cryptography

Algorithms:

The DES (Data Encryption Standard) algorithm is the most widely used encryption algorithm in the world. For many years, and among many people, "secret code making" and DES have been synonymous. And despite the recent coup by the Electronic Frontier Foundation in creating a $220,000 machine to crack DES-encrypted messages, DES will live on in government and banking for years to come through a life- extending version called "triple-DES."

How does DES work? This article explains the various steps involved in DES-encryption, illustrating each step by means of a simple example. Since the creation of DES, many other algorithms (recipes for changing data) have emerged which are based on design principles similar to DES. Once you understand the basic transformations that take place in DES, you will find it easy to follow the steps involved in these more recent algorithms.

But first a bit of history of how DES came about is appropriate, as well as a look toward the future.

The DES Algorithm Illustrated

DES is a block cipher--meaning it operates on plaintext blocks of a given size (64-bits) and returns ciphertext blocks of the same size. Thus DES results in a permutation among

Page 14: Enhanced Security for Online Exam Using Group Cryptography

the 2^64 (read this as: "2 to the 64th power") possible arrangements of 64 bits, each of which may be either 0 or 1. Each block of 64 bits is divided into two blocks of 32 bits each, a left half block L and a right half R. (This division is only used in certain operations.)

Example: Let M be the plain text message M = 0123456789ABCDEF, where M is in hexadecimal (base 16) format. Rewriting M in binary format, we get the 64-bit block of text:

M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111L = 0000 0001 0010 0011 0100 0101 0110 0111R = 1000 1001 1010 1011 1100 1101 1110 1111

The first bit of M is "0". The last bit is "1". We read from left to right.

DES operates on the 64-bit blocks using key sizes of 56- bits. The keys are actually stored as being 64 bits long, but every 8th bit in the key is not used (i.e. bits numbered 8, 16, 24, 32, 40, 48, 56, and 64). However, we will nevertheless number the bits from 1 to 64, going left to right, in the following calculations. But, as you will see, the eight bits just mentioned get eliminated when we create subkeys.

Example: Let K be the hexadecimal key K = 133457799BBCDFF1. This gives us as the binary key (setting 1 = 0001, 3 = 0011, etc., and grouping together every eight bits, of which the last one in each group will be unused):

K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001

The DES algorithm uses the following steps:

Step 1: Create 16 subkeys, each of which is 48-bits long.

The 64-bit key is permuted according to the following table, PC-1. Since the first entry in the table is "57", this means that the 57th bit of the original key K becomes the first bit of the permuted key K+. The 49th bit of the original key becomes the second bit of the permuted key. The 4th bit of the original key is the last bit of the permuted key. Note only 56 bits of the original key appear in the permuted key.

Page 15: Enhanced Security for Online Exam Using Group Cryptography

PC-1

57 49 41 33 25 17 9 1 58 50 42 34 26 18 10 2 59 51 43 35 27 19 11 3 60 52 44 36 63 55 47 39 31 23 15 7 62 54 46 38 30 22 14 6 61 53 45 37 29 21 13 5 28 20 12 4

Example: From the original 64-bit key

K = 00010011 00110100 01010111 01111001 10011011 10111100 11011111 11110001

we get the 56-bit permutation

K+ = 1111000 0110011 0010101 0101111 0101010 1011001 1001111 0001111

Next, split this key into left and right halves, C0 and D0, where each half has 28 bits.

Example: From the permuted key K+, we get

C0 = 1111000 0110011 0010101 0101111 D0 = 0101010 1011001 1001111 0001111

With C0 and D0 defined, we now create sixteen blocks Cn and Dn, 1<=n<=16. Each pair of blocks Cn and Dn is formed from the previous pair Cn-1 and Dn-1, respectively, for n = 1, 2, ..., 16, using the following schedule of "left shifts" of the previous block. To do a left shift, move each bit one place to the left, except for the first bit, which is cycled to the end of the block.

Iteration Number of Number Left Shifts

1 1 2 1 3 2 4 2 5 2 6 2 7 2 8 2 9 1 10 2 11 2 12 2 13 2 14 2 15 2 16 1

Page 16: Enhanced Security for Online Exam Using Group Cryptography

This means, for example, C3 and D3 are obtained from C2 and D2, respectively, by two left shifts, and C16 and D16 are obtained from C15 and D15, respectively, by one left shift. In all cases, by a single left shift is meant a rotation of the bits one place to the left, so that after one left shift the bits in the 28 positions are the bits that were previously in positions 2, 3,..., 28, 1.

Example: From original pair C0 and D0 we obtain:

C0 = 1111000011001100101010101111D0 = 0101010101100110011110001111

C1 = 1110000110011001010101011111D1 = 1010101011001100111100011110

C2 = 1100001100110010101010111111D2 = 0101010110011001111000111101

C3 = 0000110011001010101011111111D3 = 0101011001100111100011110101

C4 = 0011001100101010101111111100D4 = 0101100110011110001111010101

C5 = 1100110010101010111111110000D5 = 0110011001111000111101010101

C6 = 0011001010101011111111000011D6 = 1001100111100011110101010101

C7 = 1100101010101111111100001100D7 = 0110011110001111010101010110

C8 = 0010101010111111110000110011D8 = 1001111000111101010101011001

C9 = 0101010101111111100001100110D9 = 0011110001111010101010110011

C10 = 0101010111111110000110011001D10 = 1111000111101010101011001100

C11 = 0101011111111000011001100101D11 = 1100011110101010101100110011

C12 = 0101111111100001100110010101D12 = 0001111010101010110011001111

Page 17: Enhanced Security for Online Exam Using Group Cryptography

C13 = 0111111110000110011001010101D13 = 0111101010101011001100111100

C14 = 1111111000011001100101010101D14 = 1110101010101100110011110001

C15 = 1111100001100110010101010111D15 = 1010101010110011001111000111

C16 = 1111000011001100101010101111D16 = 0101010101100110011110001111

We now form the keys Kn, for 1<=n<=16, by applying the following permutation table to each of the concatenated pairs CnDn. Each pair has 56 bits, but PC-2 only uses 48 of these.

PC-2

14 17 11 24 1 5 3 28 15 6 21 10 23 19 12 4 26 8 16 7 27 20 13 2 41 52 31 37 47 55 30 40 51 45 33 48 44 49 39 56 34 53 46 42 50 36 29 32

Therefore, the first bit of Kn is the 14th bit of CnDn, the second bit the 17th, and so on, ending with the 48th bit of Kn being the 32th bit of CnDn.

Example: For the first key we have C1D1 = 1110000 1100110 0101010 1011111 1010101 0110011 0011110 0011110

which, after we apply the permutation PC-2, becomes

K1 = 000110 110000 001011 101111 111111 000111 000001 110010

For the other keys we have

K2 = 011110 011010 111011 011001 110110 111100 100111 100101K3 = 010101 011111 110010 001010 010000 101100 111110 011001K4 = 011100 101010 110111 010110 110110 110011 010100 011101K5 = 011111 001110 110000 000111 111010 110101 001110 101000K6 = 011000 111010 010100 111110 010100 000111 101100 101111K7 = 111011 001000 010010 110111 111101 100001 100010 111100K8 = 111101 111000 101000 111010 110000 010011 101111 111011K9 = 111000 001101 101111 101011 111011 011110 011110 000001K10 = 101100 011111 001101 000111 101110 100100 011001 001111

Page 18: Enhanced Security for Online Exam Using Group Cryptography

K11 = 001000 010101 111111 010011 110111 101101 001110 000110K12 = 011101 010111 000111 110101 100101 000110 011111 101001K13 = 100101 111100 010111 010001 111110 101011 101001 000001K14 = 010111 110100 001110 110111 111100 101110 011100 111010K15 = 101111 111001 000110 001101 001111 010011 111100 001010K16 = 110010 110011 110110 001011 000011 100001 011111 110101

So much for the subkeys. Now we look at the message itself.

Step 2: Encode each 64-bit block of data.

There is an initial permutation IP of the 64 bits of the message data M. This rearranges the bits according to the following table, where the entries in the table show the new arrangement of the bits from their initial order. The 58th bit of M becomes the first bit of IP. The 50th bit of M becomes the second bit of IP. The 7th bit of M is the last bit of IP.

IP

58 50 42 34 26 18 10 2 60 52 44 36 28 20 12 4 62 54 46 38 30 22 14 6 64 56 48 40 32 24 16 8 57 49 41 33 25 17 9 1 59 51 43 35 27 19 11 3 61 53 45 37 29 21 13 5 63 55 47 39 31 23 15 7

Example: Applying the initial permutation to the block of text M, given previously, we get

M = 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111IP = 1100 1100 0000 0000 1100 1100 1111 1111 1111 0000 1010 1010 1111 0000 1010 1010

Here the 58th bit of M is "1", which becomes the first bit of IP. The 50th bit of M is "1", which becomes the second bit of IP. The 7th bit of M is "0", which becomes the last bit of IP.

Next divide the permuted block IP into a left half L0 of 32 bits, and a right half R0 of 32 bits.

Example: From IP, we get L0 and R0

L0 = 1100 1100 0000 0000 1100 1100 1111 1111 R0 = 1111 0000 1010 1010 1111 0000 1010 1010

Page 19: Enhanced Security for Online Exam Using Group Cryptography

We now proceed through 16 iterations, for 1<=n<=16, using a function f which operates on two blocks--a data block of 32 bits and a key Kn of 48 bits--to produce a block of 32 bits. Let + denote XOR addition, (bit-by-bit addition modulo 2). Then for n going from 1 to 16 we calculate

Ln = Rn-1 Rn = Ln-1 + f(Rn-1,Kn)

This results in a final block, for n = 16, of L16R16. That is, in each iteration, we take the right 32 bits of the previous result and make them the left 32 bits of the current step. For the right 32 bits in the current step, we XOR the left 32 bits of the previous step with the calculation f .

Example: For n = 1, we have

K1 = 000110 110000 001011 101111 111111 000111 000001 110010 L1 = R0 = 1111 0000 1010 1010 1111 0000 1010 1010 R1 = L0 + f(R0,K1)

It remains to explain how the function f works. To calculate f, we first expand each block Rn-1 from 32 bits to 48 bits. This is done by using a selection table that repeats some of the bits in Rn-1 . We'll call the use of this selection table the function E. Thus E(Rn-1) has a 32 bit input block, and a 48 bit output block.

Let E be such that the 48 bits of its output, written as 8 blocks of 6 bits each, are obtained by selecting the bits in its inputs in order according to the following table:

E BIT-SELECTION TABLE

32 1 2 3 4 5 4 5 6 7 8 9 8 9 10 11 12 13 12 13 14 15 16 17 16 17 18 19 20 21 20 21 22 23 24 25 24 25 26 27 28 29 28 29 30 31 32 1

Thus the first three bits of E(Rn-1) are the bits in positions 32, 1 and 2 of Rn-1 while the last 2 bits of E(Rn-1) are the bits in positions 32 and 1.

Example: We calculate E(R0) from R0 as follows:

R0 = 1111 0000 1010 1010 1111 0000 1010 1010 E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101

(Note that each block of 4 original bits has been expanded to a block of 6 output bits.)

Page 20: Enhanced Security for Online Exam Using Group Cryptography

Next in the f calculation, we XOR the output E(Rn-1) with the key Kn:

Kn + E(Rn-1).

Example: For K1 , E(R0), we have

K1 = 000110 110000 001011 101111 111111 000111 000001 110010 E(R0) = 011110 100001 010101 010101 011110 100001 010101 010101 K1+E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.

We have not yet finished calculating the function f . To this point we have expanded Rn-1 from 32 bits to 48 bits, using the selection table, and XORed the result with the key Kn . We now have 48 bits, or eight groups of six bits. We now do something strange with each group of six bits: we use them as addresses in tables called "S boxes". Each group of six bits will give us an address in a different S box. Located at that address will be a 4 bit number. This 4 bit number will replace the original 6 bits. The net result is that the eight groups of 6 bits are transformed into eight groups of 4 bits (the 4-bit outputs from the S boxes) for 32 bits total.

Write the previous result, which is 48 bits, in the form:

Kn + E(Rn-1) =B1B2B3B4B5B6B7B8,

where each Bi is a group of six bits. We now calculate

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8)

where Si(Bi) referres to the output of the i-th S box.

To repeat, each of the functions S1, S2,..., S8, takes a 6-bit block as input and yields a 4-bit block as output. The table to determine S1 is shown and explained below:

S1

Column NumberRowNo. 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

0 14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 1 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 2 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 3 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

If S1 is the function defined in this table and B is a block of 6 bits, then S1(B) is determined as follows: The first and last bits of B represent in base 2 a number in the decimal range 0 to 3 (or binary 00 to 11). Let that number be i. The middle 4 bits of B represent in base 2 a number in the decimal range 0 to 15 (binary 0000 to 1111). Let that

Page 21: Enhanced Security for Online Exam Using Group Cryptography

number be j. Look up in the table the number in the i-th row and j-th column. It is a number in the range 0 to 15 and is uniquely represented by a 4 bit block. That block is the output S1(B) of S1 for the input B. For example, for input block B = 011011 the first bit is "0" and the last bit "1" giving 01 as the row. This is row 1. The middle four bits are "1101". This is the binary equivalent of decimal 13, so the column is column number 13. In row 1, column 13 appears 5. This determines the output; 5 is binary 0101, so that the output is 0101. Hence S1(011011) = 0101.

The tables defining the functions S1,...,S8 are the following:

S1

14 4 13 1 2 15 11 8 3 10 6 12 5 9 0 7 0 15 7 4 14 2 13 1 10 6 12 11 9 5 3 8 4 1 14 8 13 6 2 11 15 12 9 7 3 10 5 0 15 12 8 2 4 9 1 7 5 11 3 14 10 0 6 13

S2

15 1 8 14 6 11 3 4 9 7 2 13 12 0 5 10 3 13 4 7 15 2 8 14 12 0 1 10 6 9 11 5 0 14 7 11 10 4 13 1 5 8 12 6 9 3 2 15 13 8 10 1 3 15 4 2 11 6 7 12 0 5 14 9

S3

10 0 9 14 6 3 15 5 1 13 12 7 11 4 2 8 13 7 0 9 3 4 6 10 2 8 5 14 12 11 15 1 13 6 4 9 8 15 3 0 11 1 2 12 5 10 14 7 1 10 13 0 6 9 8 7 4 15 14 3 11 5 2 12

S4

7 13 14 3 0 6 9 10 1 2 8 5 11 12 4 15 13 8 11 5 6 15 0 3 4 7 2 12 1 10 14 9 10 6 9 0 12 11 7 13 15 1 3 14 5 2 8 4 3 15 0 6 10 1 13 8 9 4 5 11 12 7 2 14

S5

2 12 4 1 7 10 11 6 8 5 3 15 13 0 14 9 14 11 2 12 4 7 13 1 5 0 15 10 3 9 8 6 4 2 1 11 10 13 7 8 15 9 12 5 6 3 0 14 11 8 12 7 1 14 2 13 6 15 0 9 10 4 5 3

S6

12 1 10 15 9 2 6 8 0 13 3 4 14 7 5 11 10 15 4 2 7 12 9 5 6 1 13 14 0 11 3 8 9 14 15 5 2 8 12 3 7 0 4 10 1 13 11 6 4 3 2 12 9 5 15 10 11 14 1 7 6 0 8 13

S7

Page 22: Enhanced Security for Online Exam Using Group Cryptography

4 11 2 14 15 0 8 13 3 12 9 7 5 10 6 1 13 0 11 7 4 9 1 10 14 3 5 12 2 15 8 6 1 4 11 13 12 3 7 14 10 15 6 8 0 5 9 2 6 11 13 8 1 4 10 7 9 5 0 15 14 2 3 12

S8

13 2 8 4 6 15 11 1 10 9 3 14 5 0 12 7 1 15 13 8 10 3 7 4 12 5 6 11 0 14 9 2 7 11 4 1 9 12 14 2 0 6 10 13 15 3 5 8 2 1 14 7 4 10 8 13 15 12 9 0 3 5 6 11

Example: For the first round, we obtain as the output of the eight S boxes:

K1 + E(R0) = 011000 010001 011110 111010 100001 100110 010100 100111.

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

The final stage in the calculation of f is to do a permutation P of the S-box output to obtain the final value of f:

f = P(S1(B1)S2(B2)...S8(B8))

The permutation P is defined in the following table. P yields a 32-bit output from a 32-bit input by permuting the bits of the input block.

P

16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10 2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25

Example: From the output of the eight S boxes:

S1(B1)S2(B2)S3(B3)S4(B4)S5(B5)S6(B6)S7(B7)S8(B8) = 0101 1100 1000 0010 1011 0101 1001 0111

we get

f = 0010 0011 0100 1010 1010 1001 1011 1011

R1 = L0 + f(R0 , K1 )

Page 23: Enhanced Security for Online Exam Using Group Cryptography

= 1100 1100 0000 0000 1100 1100 1111 1111 + 0010 0011 0100 1010 1010 1001 1011 1011 = 1110 1111 0100 1010 0110 0101 0100 0100

In the next round, we will have L2 = R1, which is the block we just calculated, and then we must calculate R2 =L1 + f(R1, K2), and so on for 16 rounds. At the end of the sixteenth round we have the blocks L16 and R16. We then reverse the order of the two blocks into the 64-bit block

R16L16

and apply a final permutation IP-1 as defined by the following table:

IP-1

40 8 48 16 56 24 64 32 39 7 47 15 55 23 63 31 38 6 46 14 54 22 62 30 37 5 45 13 53 21 61 29 36 4 44 12 52 20 60 28 35 3 43 11 51 19 59 27 34 2 42 10 50 18 58 26 33 1 41 9 49 17 57 25

That is, the output of the algorithm has bit 40 of the preoutput block as its first bit, bit 8 as its second bit, and so on, until bit 25 of the preoutput block is the last bit of the output.

Example: If we process all 16 blocks using the method defined previously, we get, on the 16th round,

L16 = 0100 0011 0100 0010 0011 0010 0011 0100 R16 = 0000 1010 0100 1100 1101 1001 1001 0101

We reverse the order of these two blocks and apply the final permutation to

R16L16 = 00001010 01001100 11011001 10010101 01000011 01000010 00110010 00110100

IP-1 = 10000101 11101000 00010011 01010100 00001111 00001010 10110100 00000101

which in hexadecimal format is

85E813540F0AB405.

This is the encrypted form of M = 0123456789ABCDEF: namely, C = 85E813540F0AB405.

Page 24: Enhanced Security for Online Exam Using Group Cryptography

Decryption is simply the inverse of encryption, follwing the same steps as above, but reversing the order in which the subkeys are applied.

DES Modes of Operation

The DES algorithm turns a 64-bit message block M into a 64-bit cipher block C. If each 64-bit block is encrypted individually, then the mode of encryption is called Electronic Code Book (ECB) mode. There are two other modes of DES encryption, namely Chain Block Coding (CBC) and Cipher Feedback (CFB), which make each cipher block dependent on all the previous messages blocks through an initial XOR operation.

Cracking DES

Before DES was adopted as a national standard, during the period NBS was soliciting comments on the proposed algorithm, the creators of public key cryptography, Martin Hellman and Whitfield Diffie, registered some objections to the use of DES as an encryption algorithm. Hellman wrote: "Whit Diffie and I have become concerned that the proposed data encryption standard, while probably secure against commercial assault, may be extremely vulnerable to attack by an intelligence organization" (letter to NBS, October 22, 1975).

Diffie and Hellman then outlined a "brute force" attack on DES. (By "brute force" is meant that you try as many of the 2^56 possible keys as you have to before decrypting the ciphertext into a sensible plaintext message.) They proposed a special purpose "parallel computer using one million chips to try one million keys each" per second, and estimated the cost of such a machine at $20 million.

Fast forward to 1998. Under the direction of John Gilmore of the EFF, a team spent $220,000 and built a machine that can go through the entire 56-bit DES key space in an average of 4.5 days. On July 17, 1998, they announced they had cracked a 56-bit key in 56 hours. The computer, called Deep Crack, uses 27 boards each containing 64 chips, and is capable of testing 90 billion keys a second.

Despite this, as recently as June 8, 1998, Robert Litt, principal associate deputy attorney general at the Department of Justice, denied it was possible for the FBI to crack DES: "Let me put the technical problem in context: It took 14,000 Pentium computers working for four months to decrypt a single message . . . . We are not just talking FBI and NSA [needing massive computing power], we are talking about every police department."

Responded cryptograpy expert Bruce Schneier: " . . . the FBI is either incompetent or lying, or both." Schneier went on to say: "The only solution here is to pick an algorithm with a longer key; there isn't enough silicon in the galaxy or enough time before the sun burns out to brute- force triple-DES" (Crypto-Gram, Counterpane Systems, August 15, 1998).

Triple-DES

Page 25: Enhanced Security for Online Exam Using Group Cryptography

Triple-DES is just DES with two 56-bit keys applied. Given a plaintext message, the first key is used to DES- encrypt the message. The second key is used to DES-decrypt the encrypted message. (Since the second key is not the right key, this decryption just scrambles the data further.) The twice-scrambled message is then encrypted again with the first key to yield the final ciphertext. This three-step procedure is called triple-DES.

Triple-DES is just DES done three times with two keys used in a particular order. (Triple-DES can also be done with three separate keys instead of only two. In either case the resultant key space is about 2^112.)

RSA Overview:

Generating Public and Private KeysFirst, as we mentioned above, before any transmission happens, the Server had calculated its public and secret keys.  Here is how. 

1.1) pick two prime numbers, we'll pick p = 3 and q = 111.2) calculate n = p * q = 3 * 11 = 331.3) calculate z = ( p - 1 ) * ( q - 1 ) = ( 3 - 1 ) * ( 11 - 1 ) = 201.4) choose a prime number k, such that k is co-prime to z, i.e, z is not divisible by k. We have several choices for k: 7, 11, 13, 17, 19 (we cannot use 5, because 20 is divisible by 5). Let's pick k=7 (smaller k, "less math").1.5) So, the numbers n = 33 and k = 7 become the Server's public key.1.6) Now, still done in advance of any transmission, the Server has to calculate it's secret key. Here is how.1.7) k * j = 1 ( mod z )1.8) 7 * j = 1 ( mod 20 )1.9) ( 7 * j ) / 20 = ? with the remainder of 1 (the "?" here means: "something, but don't wory about it"; we are only interested in the remainder). Since we selected (on purpose) to work with small numbers, we can easily conclude that 21 / 20 gives "something" with the remainder of 1. So, 7 * j = 21, and j = 3. This is our secret key. We MUST NOT give this key away.

Now, after the Server has done the above preparatory calculations in advance, we can begin our message transmission from our Browser to the Server. First, the Browser requests from the Server, the Server's public key, which the Server obliges, i.e., it sends n=33 and k=7 back to the Browser.  Now, we said that the Browser has a Plain message P=14, and it wants to encrypt it, before sending it to the Server. Here is how the encryption happens on the Browser.

Page 26: Enhanced Security for Online Exam Using Group Cryptography

Section 2. Encrypting the messageHere is the encryption math that Browser executes.

2.1) P ^ k = E ( mod n ) "^" means "to the power of"P is the Plain message we want to encryptn and k are Server's public key (see Section 1)E is our Encrypted message we want to generate

After plugging in the values, this equation is solved as follows:2.2) 14 ^ 7 = E ( mod 33 )This equation in English says: raise 14 to the power of 7, divide this by 33, giving the remainder of E.2.3) 105413504 / 33 = 3194348.606 (well, I lied when I said that this is "Pencil and Paper" method only. You might want to use a calculator here).2.4) 3194348 * 33 = 105413482.5) E = 105413504 - 10541348 = 20

So, our Encrypted message is E=20.  This is now the value that the Browser is going to send to the Server. When the Server receives this message, it then proceeds to Decrypt it, as follows.

Section 3. Decrypting the MessageHere is the decryption math the Server executes to recover the original Plain text message which the Browser started with.

3.1) E ^ j = P ( mod n)E is the Encrypted message just receivedj is the Server's secret keyP is the Plain message we are trying to recovern is Server's public key (well part of; remember that Server's public key was calculated in Section 1 as consisting of two numbers: n=33 and k=7).

After plugging in the values:3.2) 20 ^ 3 = P ( mod 33 )3.3) 8000 / 33 = ? with the remainder of P.  So to calculate this remainder, we do:3.4) 8000 / 33 = 242.424242...3.5) 242 * 33 = 79863.6) P = 8000 - 7986 = 14, which is exactly the Plain text message that the

Page 27: Enhanced Security for Online Exam Using Group Cryptography

Browser started with!

Well that's about it. While we did not discuss the theory behind the formulae involved I hope that you got at least a basic idea of how the public key cryptography using the RSA algorithm works.

4. DESIGN

4.1 An Overview of Uml

The UML is a language for

Visualizing

Specifying

Constructing

Documenting

These are the artifacts of a software-intensive system. The three major elements of UML

are:

The UML’s basic building blocks

The rules that dictate how those building blocks may be put together.

Some common mechanisms that apply throughout the UML.

4.2 Basic Building Blocks of Uml

The vocabulary of UML encompasses three kinds of building blocks:

Things.

Relationships.

Diagrams.

4.2.1 Things in Uml

They are the abstractions that are first-class citizens in a model. There are four

kinds of things in the UML

Structural things.

Page 28: Enhanced Security for Online Exam Using Group Cryptography

Behavioral things.

Grouping things.

Annotational things.

These things are the basic object oriented building blocks of the UML. They are

used to write well-formed models.

4.2.1.1 Structural things

Structural things are the nouns of the UML models. These are mostly static parts

of the model, representing elements that are either conceptual or physical. In all, there are

seven kinds of Structural things.

Class

A class is a description of a set of objects that share the same attributes,

operations, relationships, and semantics. A class implements one or more interfaces.

Graphically a class is rendered as a rectangle, usually including its name, attributes and

operations, as shown below.

Collaboration

Collaboration defines an interaction and is a society of roles and other elements

that work together to provide some cooperative behavior that’s bigger than the sum of all

the elements. Graphically, collaboration is rendered as an ellipse with dashed lines,

usually including only its name as shown below.

Use Case

Main Distance Table

Link : StringDistance:IntergerCost:IntergerPredecessor:StringSucessor:String

UpDate()

Chain of Responsibility

Page 29: Enhanced Security for Online Exam Using Group Cryptography

Use case is a description of a set of sequence of actions that a system performs

that yields an observable result of value to a particular thing in a model. Graphically, Use

Case is rendered as an ellipse with dashed lines, usually including only its name as shown

below.

Active Class

An active class is a class whose objects own one or more processes or threads and

therefore can initiate control activity. Graphically, an active class is rendered just like a

class, but with heavy lines usually including its name, attributes and operations as shown

below.

4.2.1.2 Behavioral things

Behavioral Things are the dynamic parts of UML models. These are the verbs of a

model, representing behaviour over time and space.

Interaction

An interaction is a behavior that comprises a set of messages exchanged among a

set of objects within a particular context to accomplish a specific purpose. Graphically, a

message is rendered as a direct line, almost always including the name if its operation, as

shown below. Display

4.2.2 Relationships in Uml

There are four kinds of relationships in the Uml

1. Dependency

2. Association

3. Generalization

4. Realization

1. Dependency: This is relationship between two classes whenever one class is

completely dependent on the other class. Graphically the dashed line represents it with

arrow pointing to the class that it is being depended on.

2. Association: It is a relationship between instances of the two classes. There is an

association between two classes if an instance of one class must know about the other in

Page 30: Enhanced Security for Online Exam Using Group Cryptography

order to perform its work. In a diagram, an association is a link connecting two classes.

Graphically it is represented by line as shown.

3. Generalization: An inheritance is a link indicating one class is a super class of the

other. A generalization has a triangle pointing to the super class. Graphically it is

represented by line with a triangle at end as shown.

4. Realization:

4.2.3 Diagrams in Uml

Diagrams play a very important role in the UML. The some of the modeling diagrams

as follows:

Use Case Diagram.

Class Diagram.

Object Diagram.

Sequence Diagram.

Collaboration Diagram.

State Chart Diagram.

Activity Diagram.

Component Diagram.

Deployment Diagram

Use case diagram

A use case diagram identifies the functionality provided by the system (Use cases),

identifies users who interact with system (Actor) and provides association between users

and Use cases. These models behavior of system with respect to users. It shows dynamic

aspects of the system when user interacts with the system. A Use case can have all

possible interaction of users with use cases graphically. Thus Use case diagram models

use cases view of a system.

Definition

A Use case diagram is a set of use cases, actors and relationships between them.

Page 31: Enhanced Security for Online Exam Using Group Cryptography

A use case diagram contains:

Use cases.

Actors.

Association between them.

Generalization between Actors.

Include, extend, generalization, relationships.

Use Case:

Page 32: Enhanced Security for Online Exam Using Group Cryptography
Page 33: Enhanced Security for Online Exam Using Group Cryptography
Page 34: Enhanced Security for Online Exam Using Group Cryptography

Deployment:

State:

Page 35: Enhanced Security for Online Exam Using Group Cryptography

./

Class Diagram:

Registration

name : Stringpassword : StringPhotograph : Byte

Connect DB()Add Users()

Login

username : StringPassword : StringImage : Byte

Authenticate()GenerateKeys()

Home Page.

privateKey : StringSchedule : Date

accessExam()videoConference()desktopRestrict()

Marker

studentDetails : IntegeraccessQA

updateMarks()contactExaminer()

Result

studentIdexamDetails

getResult()getGrade()

Data Flow:

Page 36: Enhanced Security for Online Exam Using Group Cryptography

An Introduction to .NET FrameworkAn Introduction to .NET Framework The .NET Framework is a Microsoft's development platform.

It offers to develop software applications.

It was released by Microsoft Corporation in 2002. Later on several

improvements take place in .NET Framework, which makes it as much strong,

advanced and more efficient platform for building different kinds of software

applications.

Why it is called as “platform” is, it acts as platform for multiple languages,

tools and libraries.

It offers visually stunning user experiences, which is mostly required today’s

competitive programming world.

It offers much advanced security features never before.

Supports dozens of languages like C#, VB.NET, VC++.NET, COBOL, Pascal,

Python etc.

Features of .NET Framework

Student

Registration

Login

Access Exam

Video Capturing

DesktopCapture

Submit

ExamDB

Page 37: Enhanced Security for Online Exam Using Group Cryptography

Next Generation User Experiences:

.NET offers a Framework for building applications and high-fidelity

experiences in Windows that blend together application UI, documents,

and media content, while exploiting the full power of the computer. WPF

(Windows Presentation Foundation) offers developers support for 2D and

3D graphics, hardware accelerated effects, scalability to different form

factors, interactive data visualization, and superior content readability.

Seamless and Secured Environment:

Application security is a big deal these days; perhaps the most

closely examined feature of any new application. .NET offers its best

secured environment at run time. So that it is highly impossible to access

the .NET application and its related data by the un-authorized users /

hackers.

The assembly (the compiled code of .NET framework) contains

the security information like which categories of users or who can access

the class or method. So that we can say that .NET Framework applications

are much secured.

The security can be improved in the ASP.NET Web Sites by

Security models like Integrated Windows Authentication, Microsoft

Passport Authentication, Forms Authentication, and Client Certificate

authentication.

Multi Language Support:

.NET provides a multi-language development platform, so you

can work in the programming language you prefer. The Common Language

Runtime (A part of .NET Framework) provides support for 3 Microsoft

developed languages and several other languages from other vendors.

Languages Supported by .NET FrameworkLanguages from

Microsoft

Visual C#.NETVisual Basic.NETVisual C++.NET

Languages from other APL,Cobol,

Page 38: Enhanced Security for Online Exam Using Group Cryptography

vendors

Perl,Pascal,Component Pascal,Curriculum,Eiffel,Forth,Fortran,Haskell,J#,Mercury,Mondrian,Oberon,Python,IronPython,RPG,Scheme,Small Talk,Standard ML

Flexible Data Access:

.NET Framework supports flexible accessibility of database data

with ADO.NET (ActiveX Data Objects .NET). ADO.NET is a set of classes

that expose data access services to the .NET programmer. ADO.NET

provides a rich set of components for creating distributed, data-sharing

applications. It is an integral part of the .NET Framework, providing access

to relational, XML, and application data.

Modules of .NET

1. C#.NET (C Sharp.NET) –(Language)

It is highly used .NET programming language, used by most of the .NET programmers.

It borrows some programming features from “C” and some other programming features from “C++”. In addition to these, it borrows few of the good features of java language.

It is the object oriented programming language.

2. VB.NET (Visual Basic.NET) –(Language)

It is the Microsoft’s recommended language for beginners of windows programming.

Page 39: Enhanced Security for Online Exam Using Group Cryptography

But in fact, it is used in very few of the projects in the real-time development world, because most of the programmers usually comes with “C” and “C++” background; hence they feel comfortable with “C#”.

It borrows some programming features from VB (Visual Basic) language.

It is the object oriented programming language.

3. ASP.NET (Active Server Pages.NET) – (Web Technology)

It is the Microsoft’s web technology.

It is used for web sites development.

It offers much attractive and user friendly user interfaces in the server side applications.

It is the new version to another Microsoft’s technology called ASP (Active Server Pages), which is a famous web technology before introducing ASP.NET.

It requires HTML for web page designing.

It requires a .NET language (like C#, VB.NET, VC++.NET etc.) for server side logic implementation.

4. ADO.NET (ActiveX Data Objects.NET) – (Database Technology)

It is the Microsoft’s database technology. It offers necessary programming libraries to

access the local / server databases.

It is the new version to another Microsoft’s technology called ADO (ActiveX Data Objects), which is a famous database technology, used with VB, VC++ and ASP languages.

It requires a .NET language (like C#, VB.NET, VC++.NET etc.) for logic implementation.

offered to develop the following types of applications.

1. Console Applications

Page 40: Enhanced Security for Online Exam Using Group Cryptography

These applications contains similar user interface to the operating systems like MS-DOS and UNIX.

Known as C.U.I (Character User Interface) applications.

These are similar to C/C++ applications.

These are smaller in size.

Doesn’t contain any graphical features like mouse pointer, colors, fonts, buttons etc.

2. Windows Applications

These applications are designed similar to the “Windows” operating system.

Known as G.U.I (Graphical User Interface) applications.

Offers graphical features like mouse pointer, colors, fonts, buttons, text boxes etc.

Page 41: Enhanced Security for Online Exam Using Group Cryptography

3. Windows Services

A Windows service is a long-running executable application.

These can run only on windows platforms.

These perform specific functions as background process.

Doesn’t contain user interface or doesn’t require any user interaction.

Windows services can be configured to start when the operating system is booted and run in the background as long as Windows is running, or they can be started manually when required.

Examples:

i. Windows Time.

ii. Windows Audio.

iii. Anti-Virus Security.

iv. Database services like Sql Server, My Sql, Oracle etc.

v. IIS State Services.

vi. Battery Power Supply Status on Laptops.

etc. To see the all the installed windows services on the system, click on

“Start” – “Control Panel” – “Administrative Tools” – “Services”.

Page 42: Enhanced Security for Online Exam Using Group Cryptography

4. Web Sites / Web Applications

These are most frequently used applications by every internet literature.

In modern life every business (commercial) / educational / service oriented organizations are having their own web sites.

Some other web sites are offering general purpose services that can be used by anybody like E-Mail, Search Engines, and Blogs etc.

So, there is much demand for these applications in modern software development industry.

In .NET Framework, the web sites can be developed using the technology called ASP.NET.

Ex:

i. http://www.yahoo.com/

ii. http://www.google.co.in/

iii. http://www.orkut.com/

iv. http://www.hotmail.com/

Page 43: Enhanced Security for Online Exam Using Group Cryptography

5. Web Services

Web Services are simple and easy to understand.

These can be developed using again ASP.NET.

These are also known as “web applications” similar to “web sites”. But Web sites expose certain user interface (in the form of web pages) to the end-user; Web services expose a certain programming logic which can be accessed through another web site.

Examples:

i. Online shopping requires credit card authentication.

ii. www.way2sms.com accesses the mail services of Yahoo and Gmail.

What we need to learn .NETWhat we need to learn .NET

To get started with .NET Programming, the programmer must have

previous knowledge in the following languages.

C

(For Procedural Programming Experience)

Page 44: Enhanced Security for Online Exam Using Group Cryptography

C++ (or) OOP Knowledge

(For Object Oriented Programming Experience)

SQL

(For db queries)

HTML

(For web page designing)

Before .NETBefore .NET

Branches of Microsoft Programming:

In the late 1990s, Windows programming using the Microsoft platform had

divided into a number of branches.

Most programmers were using Visual Basic (VB).

Some other programmers were using Visual C++ (VC++) with MFC

(Microsoft Foundational Classes).

The remaining programmers were using C or C++ in a combination with

raw Win32 API.

Difficulties and Limitations:

All of these technologies had their own problems and difficulties.

The raw Win32 API was not object-oriented, doesn’t supports a full-pledged

graphical application because of limited libraries.

MFC was object-oriented, but was inconsistent and getting old and it is very

much complex in actual coding.

Promises by Microsoft:Promises by Microsoft:

While introducing .NET Framework, Microsoft Corporation given a

promise to the software industry to deliver a standard Framework which overcomes

the old problems and along with following:

Page 45: Enhanced Security for Online Exam Using Group Cryptography

Multiple platforms: The system runs on a broad range of computers, from

servers and desktop machines, smart phones and cell phones.

Industry standards: The system uses industry standard communication

protocols, such as XML, HTTP, SOAP, and WSDL.

Security: The system can provide a much safer execution environment,

which can’t be hacked or robbed by others.

Introduction This white paper covers some of the operational and administrative tasks associated with Microsoft® SQL Server™ 2005 security and enumerates best practices and operational and administrative tasks that will result in a more secure SQL Server system. Each topic describes a feature and best practices. For additional information on the specifics of utilities, features, and DDL statements referenced in this white paper, see SQL Server 2005 Books Online. Features and options that are new or defaults that are changed for SQL Server 2005 are identified. Coding examples for operational tasks use Transact-SQL, so understanding Transact-SQL is required for you to get the most out of this paper.

Surface Area ReductionSQL Server 2005 installation minimizes the "attack surface" because by default, optional features are not installed. During installation the administrator can choose to install:

Database Engine

0

3650Analysis Services Engine

Reporting Services11

Integration Services

Notification Services

Documentation and Samples

It is a good practice to review which product features you actually need and install only those features. Later, install additional features only as needed. SQL Server 2005 includes sample databases for OLTP, data warehousing, and Analysis Services. Install sample databases on test servers only; they are not installed by default when you install the corresponding engine feature. SQL Server 2005 includes sample code covering every feature of the product. These samples are not installed by default and should be installed only on a development server, not on a production server. Each item of sample code has undergone a review to ensure that the code follows best practices for security. Each sample uses Microsoft Windows® security principals and illustrates the principal of least privilege.

SQL Server has always been a feature-rich database and the number of new features in SQL Server 2005 can be overwhelming. One way to make a system more secure is

Page 46: Enhanced Security for Online Exam Using Group Cryptography

to limit the number of optional features that are installed and enabled by default. It is easier to enable features when they are needed than it is to enable everything by default and then turn off features that you do not need. This is the installation policy of SQL Server 2005, known as "off by default, enable when needed." One way to ensure that security policies are followed is to make secure settings the default and make them easy to use.

SQL Server 2005 provides a "one-stop" utility that can be used to enable optional features on a per-service and per-instance basis as needed. Although there are other utilities (such as Services in Control Panel), server configuration commands (such as sp_configure), and APIs such as WMI (Windows Management Instrumentation) that you can use, the SQL Server Surface Area Configuration tool combines this functionality into a single utility program. This program can be used either from the command line or via a graphic user interface.

SQL Server Service Area Configuration divides configuration into two subsets: services and connections, and features. Use the Surface Area Configuration for Services and Connections tool to view the installed components of SQL Server and the client network interfaces for each engine component. The startup type for each service (Automatic, Manual, or Disabled) and the client network interfaces that are available can be configured on a per-instance basis. Use the Surface Area Configuration for Features tool to view and configure instance-level features.

The features enabled for configuration are:

CLR Integration

Remote use of a dedicated administrator connection

OLE Automation system procedures

System procedures for Database Mail and SQL Mail

Ad hoc remote queries (the OPENROWSET and OPENDATASOURCE functions)

SQL Server Web Assistant

xp_cmdshell availability

The features enabled for viewing are:

HTTP endpoints

Service Broker endpoint

The SQL Server Surface Area Configuration command-line interface, sac.exe, permits you to import and export settings. This enables you to standardize the configuration of a group of SQL Server 2005 instances. You can import and export settings on a per-instance basis and also on a per-service basis by using command-line parameters. For a list of command-line parameters, use the -? command-line option. You must have sysadmin privilege to use this utility. The following code is an example of exporting all settings from the default instance of SQL Server on server1 and importing them into server2:

sac out server1.out –S server1 –U admin –I MSSQLSERVER

sac in server1.out –S server2

When you upgrade an instance of SQL Server to SQL Server 2005 by performing an in-place upgrade, the configuration options of the instance are unchanged. Use SQL Server Surface Area Configuration to review feature usage and turn off features

Page 47: Enhanced Security for Online Exam Using Group Cryptography

that are not needed. You can turn off the features in SQL Server Surface Area Configuration or by using the system stored procedure, sp_configure. Here is an example of using sp_configure to disallow the execution of xp_cmdshell on a SQL Server instance:

-- Allow advanced options to be changed.

EXEC sp_configure 'show advanced options', 1

GO

-- Update the currently configured value for advanced options.

RECONFIGURE

GO

-- Disable the feature.

EXEC sp_configure 'xp_cmdshell', 0

GO

-- Update the currently configured value for this feature.

RECONFIGURE

GO

In SQL Server 2005, SQL Server Browser functionality has been factored into its own service and is no longer part of the core database engine. Additional functions are also factored into separate services. Services that are not a part of the core database engine and can be enabled or disabled separately include:

SQL Server Active Directory Helper

SQL Server Agent

SQL Server FullText Search

SQL Server Browser

SQL Server VSS Writer

The SQL Server Browser service needs to be running only to connect to named SQL Server instances that use TCP/IP dynamic port assignments. It is not necessary to connect to default instances of SQL Server 2005 and named instances that use static TCP/IP ports. For a more secure configuration, always use static TCP/IP port assignments and disable the SQL Server Browser service. The VSS Writer allows backup and restore using the Volume Shadow Copy framework. This service is disabled by default. If you do not use Volume Shadow Copy, disable this service. If you are running SQL Server outside of an Active Directory® directory service, disable the Active Directory Helper.

Best practices for surface area reduction

Install only those components that you will immediately use. Additional components can always be installed as needed.

Enable only the optional features that you will immediately use.

Review optional feature usage before doing an in-place upgrade and disable unneeded features either before or after the upgrade.

Page 48: Enhanced Security for Online Exam Using Group Cryptography

Develop a policy with respect to permitted network connectivity choices. Use SQL Server Surface Area Configuration to standardize this policy.

Develop a policy for the usage of optional features. Use SQL Server Surface Area Configuration to standardize optional feature enabling. Document any exceptions to the policy on a per-instance basis.

Turn off unneeded services by setting the service to either Manual startup or Disabled.

Service Account Selection and ManagementSQL Server 2005 executes as a set of Windows services. Each service can be configured to use its own service account. This facility is exposed at installation. SQL Server provides a special tool, SQL Server Configuration Manager, to manage these accounts. In addition, these accounts can be set programmatically through the SQL Server WMI Provider for Configuration. When you select a Windows account to be a SQL Server service account, you have a choice of:

Domain user that is not a Windows administrator

Local user that is not a Windows administrator

Network Service account

Local System account

Local user that is a Windows administrator

Domain user that is a Windows administrator

When choosing service accounts, consider the principle of least privilege. The service account should have exactly the privileges that it needs to do its job and no more privileges. You also need to consider account isolation; the service accounts should not only be different from one another, they should not be used by any other service on the same server. Only the first two account types in the list above have both of these properties. Making the SQL Server service account an administrator, at either a server level or a domain level, bestows too many unneeded privileges and should never be done. The Local System account is not only an account with too many privileges, but it is a shared account and might be used by other services on the same server. Any other service that uses this account has the same set up privileges as the SQL Server service that uses the account. Although Network Service has network access and is not a Windows superuser account, it is a shareable account. This account is useable as a SQL Server service account only if you can ensure that no other services that use this account are installed on the server.

Using a local user or domain user that is not a Windows administrator is the best choice. If the server that is running SQL Server is part of a domain and must access domain resources such as file shares or uses linked server connections to other computers running SQL Server, a domain account is the best choice. If the server is not part of a domain (for example, a server running in the perimeter network (also known as the DMZ) in a Web application) or does not need to access domain resources, a local user that is not a Windows administrator is preferred.

Creating the user account that will be used as a SQL Server service account is easier in SQL Server 2005 than in previous versions. When SQL Server 2005 is installed, a Windows group is created for each SQL Server service, and the service account is placed in the appropriate group. To create a user that will serve as a SQL Server

Page 49: Enhanced Security for Online Exam Using Group Cryptography

service account, simply create an "ordinary" account that is either a member of the Users group (non-domain user) or Domain Users group (domain user). During installation, the user is automatically placed in the SQL Server service group and the group is granted exactly the privileges that are needed.

If the service account needs additional privileges, the privilege should be granted to the appropriate Windows group, rather than granted directly to the service user account. This is consistent with the way access control lists are best managed in Windows in general. For example, the ability to use the SQL Server Instant File Initialization feature requires that the Perform Volume Maintenance Tasks user rights be set in the Group Policy Administration tool. This privilege should be granted to SQLServer2005MSSQLUser$MachineName$MSSQLSERVER group for the default instance of SQL Server on server "MachineName."

SQL Server service accounts should be changed only by using SQL Server Configuration Manager, or by using the equivalent functionality in the WMI APIs. Using Configuration Manager ensures that the new service account is placed in the appropriate Windows group, and is thus granted exactly the correct privileges to run the service. In addition, using SQL Server Configuration Manager also re-encrypts the service master key that is using the new account. For more information on the service master key, see Encryption later in this paper. Because SQL Server service accounts also abide by Windows password expiration policies, it is necessary to change the service account passwords at regular intervals. In SQL Server 2005, it is easier to abide by password expiration policies because changing the password of the service account does not require restarting SQL Server.

SQL Server 2005 requires that the service account have less privilege than in previous versions. Specifically, the privilege Act As Part of the Operating System (SE_TCB_NAME) is not required for the service account unless SQL Server 2005 is running on the Microsoft Windows Server™ 2000 SP4 operating system. After doing an upgrade in place, use the Group Policy Administration tool to remove this privilege.

The SQL Server Agent service account requires sysadmin privilege in the SQL Server instance that it is associated with. In SQL Server 2005, SQL Server Agent job steps can be configured to use proxies that encapsulate alternate credentials. A CREDENTIAL is simply a database object that is a symbolic name for a Windows user and password. A single CREDENTIAL can be used with multiple SQL Server Agent proxies. To accommodate the principal of least privilege, do not give excessive privileges to the SQL Server Agent service account. Instead, use a proxy that corresponds to a CREDENTIAL that has just enough privilege to perform the required task. A CREDENTIAL can also be used to reduce the privilege for a specific task if the SQL Server Agent service account has been configured with more privileges than needed for the task. Proxies can be used for:

ActiveX scripting

Operating system (CmdExec)

Replication agents

Analysis Services commands and queries

SSIS package execution (including maintenance plans)

Best practices for SQL Server service accounts

Page 50: Enhanced Security for Online Exam Using Group Cryptography

Use a specific user account or domain account rather than a shared account for SQL Server services.

Use a separate account for each service.

Do not give any special privileges to the SQL Server service account; they will be assigned by group membership.

Manage privileges through the SQL Server supplied group account rather than through individual service user accounts.

Always use SQL Server Configuration Manager to change service accounts.

Change the service account password at regular intervals.

Use CREDENTIALs to execute job steps that require specific privileges rather than adjusting the privilege to the SQL Server Agent service account.

If an agent user needs to execute a job that requires different Windows credentials, assign them a proxy account that has just enough permissions to get the task done.

Authentication ModeSQL Server has two authentication modes: Windows Authentication and Mixed Mode Authentication. In Windows Authentication mode, specific Windows user and group accounts are trusted to log in to SQL Server. Windows credentials are used in the process; that is, either NTLM or Kerberos credentials. Windows accounts use a series of encrypted messages to authenticate to SQL Server; no passwords are passed across the network during the authentication process. In Mixed Mode Authentication, both Windows accounts and SQL Server-specific accounts (known as SQL logins) are permitted. When SQL logins are used, SQL login passwords are passed across the network for authentication. This makes SQL logins less secure than Windows logins.

It is a best practice to use only Windows logins whenever possible. Using Windows logins with SQL Server achieves single sign-on and simplifies login administration. Password management uses the ordinary Windows password policies and password change APIs. Users, groups, and passwords are managed by system administrators; SQL Server database administrators are only concerned with which users and groups are allowed access to SQL Server and with authorization management.

SQL logins should be confined to legacy applications, mostly in cases where the application is purchased from a third-party vendor and the authentication cannot be changed. Another use for SQL logins is with cross-platform client-server applications in which the non-Windows clients do not possess Windows logins. Although using SQL logins is discouraged, there are security improvements for SQL logins in SQL Server 2005. These improvements include the ability to have SQL logins use the password policy of the underlying operating system and better encryption when SQL passwords are passed over the network. We'll discuss each of these later in the paper.

SQL Server 2005 uses standard DDL statements to create both Windows logins and SQL logins. Using the CREATE LOGIN statement is preferred; the sp_addlogin and sp_grantlogin system stored procedures are supported for backward compatibility only. SQL Server 2005 also provides the ability to disable a login or change a login name by using the ALTER LOGIN DDL statement. For example, if you install SQL Server 2005 in Windows Authentication mode rather than Mixed Mode, the sa

Page 51: Enhanced Security for Online Exam Using Group Cryptography

login is disabled. Use ALTER LOGIN rather than the procedures sp_denylogin or sp_revokelogin, which are supported for backward compatibility only.

If you install SQL Server in Windows Authentication mode, the sa login account is disabled and a random password is generated for it. If you later need to change to Mixed Mode Authentication and re-enable the sa login account, you will not know the password. Change the sa password to a known value after installation if you think you might ever need to use it.

Best practices for authentication mode

Always use Windows Authentication mode if possible.

Use Mixed Mode Authentication only for legacy applications and non-Windows users.

Use the standard login DDL statements instead of the compatibility system procedures.

Change the sa account password to a known value if you might ever need to use it. Always use a strong password for the sa account and change the sa account password periodically.

Do not manage SQL Server by using the sa login account; assign sysadmin privilege to a knows user or group.

Rename the sa account to a different account name to prevent attacks on the sa account by name.

Network ConnectivityA standard network protocol is required to connect to the SQL Server database. There are no internal connections that bypass the network. SQL Server 2005 introduces an abstraction for managing any connectivity channel—entry points into a SQL Server instance are all represented as endpoints. Endpoints exist for the following network client connectivity protocols:

Shared Memory

Named Pipes

TCP/IP

VIA

Dedicated administrator connection

In addition, endpoints may be defined to permit access to the SQL Server instance for:

Service Broker

HTTP Web Services

Database mirroring

Following is an example of creating an endpoint for Service Broker.

CREATE ENDPOINT BrokerEndpoint_SQLDEV01

AS TCP

( LISTENER_PORT = 4022 )

FOR SERVICE_BROKER

Page 52: Enhanced Security for Online Exam Using Group Cryptography

( AUTHENTICATION = WINDOWS )

SQL Server 2005 discontinues support for some network protocols that were available with earlier versions of SQL Server, including IPX/SPX, Appletalk, and Banyon Vines.

In keeping with the general policy of "off by default, enable only when needed," no Service Broker, HTTP, or database mirroring endpoints are created when SQL Server 2005 is installed, and the VIA endpoint is disabled by default. In addition, in SQL Server 2005 Express Edition, SQL Server 2005 Developer Edition, and SQL Server 2005 Evaluation Edition, the Named Pipes and TCP/IP protocols are disabled by default. Only Shared Memory is available by default in those editions. The dedicated administrator connection (DAC), new with SQL Server 2005, is available only locally by default, although it can be made available remotely. Note that the DAC is not available in SQL Server Express Edition by default and requires that the server be run with a special trace flag to enable it. Access to database endpoints requires the login principal to have CONNECT permission. By default, no login account has CONNECT permission to Service Broker or HTTP Web Services endpoints. This restricts access paths and blocks some known attack vectors. It is a best practice to enable only those protocols that are needed. For example, if TCP/IP is sufficient, there is no need to enable the Named Pipes protocol.

Although endpoint administration can be accomplished via DDL, the administration process is made easier and policy can be made more uniform by using the SQL Server Surface Area Configuration tool and SQL Server Configuration Manager. SQL Server Surface Area Configuration provides a simplified user interface for enabling or disabling client protocols for a SQL Server instance, as shown in Figure 1 and Figure 2. Configuration is described in Knowledge Base article KB914277, How to configure SQL Server 2005 to allow remote connections, as well as in SQL Server 2005 Books Online. A screenshot showing the remote connections configuration dialog box is shown in Figure 1.

Page 53: Enhanced Security for Online Exam Using Group Cryptography

Figure 1   Configuring remote connections

In the Surface Area Configuration for Services and Connections dialog box, you can see if any HTTP or Service Broker endpoints are defined for the instance. New endpoints must be defined by using DDL statements; SQL Server Surface Area Configuration cannot be used to define these. You can use the Surface Area Configuration for Features tool to enable remote access to the dedicated administrator connection.

SQL Server Configuration Manager provides more granular configuration of server protocols. With Configuration Manager, you can:

Choose a certificate for SSL encryption.

Allow only encryption connections from clients.

Hide an instance of SQL Server from the server enumeration APIs.

Enable and disable TCP/IP, Shared Memory, Named Pipes, and VIA protocols.

Configure the name of the pipe each instance of SQL Server will use.

Configure a TCP/IP port number that each instance listens on for TCP/IP connections.

Choose whether to use TCP/IP dynamic port assignment for named instances.

The dialog for configuring TCP/IP address properties such as port numbers and dynamic port assignment is shown in Figure 2.

Page 54: Enhanced Security for Online Exam Using Group Cryptography

Figure 2   TCP/IP Addresses configuration page in SQL Server Configuration Manager

SQL Server 2005 can use an encrypted channel for two reasons: to encrypt credentials for SQL logins, and to provide end-to-end encryption of entire sessions. Using encrypted sessions requires using a client API that supports these. The OLE DB, ODBC, and ADO.NET clients all support encrypted sessions; currently the Microsoft JDBC client does not. The other reason for using SSL is to encrypt credentials during the login process for SQL logins when a password is passed across the network. If an SSL certificate is installed in a SQL Server instance, that certificate is used for credential encryption. If an SSL certificate is not installed, SQL Server 2005 can generate a self-signed certificate and use this certificate instead. Using the self-signed certificate prevents passive man-in-the-middle attacks, in which the man-in-the-middle intercepts network traffic, but does not provide mutual authentication. Using an SSL certificate with a trusted root certificate authority prevents active man-in-the-middle attacks and provides mutual authentication.

In SQL Server 2005, you can GRANT, REVOKE, or DENY permission to CONNECT to a specific endpoint on a per-login basis. By default, all logins are GRANTed permission on the Shared Memory, Named Pipes, TCP/IP, and VIA endpoints. You must specifically GRANT users CONNECT permission to other endpoints; no users are GRANTed this privilege by default. An example of granting this permission is:

GRANT CONNECT ON MyHTTPEndpoint TO MyDomain\Accounting

Page 55: Enhanced Security for Online Exam Using Group Cryptography

Best practices for network connectivity

Limit the network protocols supported.

Do not enable network protocols unless they are needed.

Do not expose a server that is running SQL Server to the public Internet.

Configure named instances of SQL Server to use specific port assignments for TCP/IP rather than dynamic ports.

If you must support SQL logins, install an SSL certificate from a trusted certificate authority rather than using SQL Server 2005 self-signed certificates.

Use "allow only encrypted connections" only if needed for end-to-end encryption of sensitive sessions.

Grant CONNECT permission only on endpoints to logins that need to use them. Explicitly deny CONNECT permission to endpoints that are not needed by users or groups.

Lockdown of System Stored ProceduresSQL Server uses system stored procedures to accomplish some administrative tasks. These procedures almost always begin with the prefix xp_ or sp_. Even with the introduction of standard DDL for some tasks (for example, creating logins and users), system procedures remain the only way to accomplish tasks such as sending mail or invoking COM components. System extended stored procedures in particular are used to access resources outside the SQL Server instance. Most system stored procedures contain the relevant security checks as part of the procedure and also perform impersonation so that they run as the Windows login that invoked the procedure. An example of this is sp_reserve_http_namespace, which impersonates the current login and then attempts to reserve part of the HTTP namespace (HTTP.SYS) by using a low-level operating system function.

Because some system procedures interact with the operating system or execute code outside of the normal SQL Server permissions, they can constitute a security risk. System stored procedures such as xp_cmdshell or sp_send_dbmail are off by default and should remain disabled unless there is a reason to use them. In SQL Server 2005, you no longer need to use stored procedures that access the underlying operating system or network outside of the SQL Server permission space. SQLCLR procedures executing in EXTERNAL_ACCESS mode are subject to SQL Server permissions, and SQLCLR procedures executing in UNSAFE mode are subject to some, but not all, security checks. For example, to catalog a SQLCLR assembly categorized as EXTERNAL_ACCESS or UNSAFE, either the database must be marked as TRUSTWORTHY (see Database Ownership and Trust) or the assembly must be signed with a certificate or asymmetric key that is cataloged to the master database. SQLCLR procedures should replace user-written extended stored procedures in the future.

Some categories of system stored procedures can be managed by using SQL Server Surface Area Configuration. These include:

xp_cmdshell - executes a command in the underlying operating system

Database Mail procedures

SQL Mail procedures

COM component procedures (e.g. sp_OACreate)

Page 56: Enhanced Security for Online Exam Using Group Cryptography

Enable these procedures only if necessary.

Some system stored procedures, such as procedures that use SQLDMO and SQLSMO libraries, cannot be configured by using SQL Server Surface Area Configuration. They must be configured by using sp_configure or SSMS directly. SSMS or sp_configure can also be used to set most of the configuration feature settings that are set by using SQL Server Surface Area Configuration.

The system stored procedures should not be dropped from the database; dropping these can cause problems when applying service packs. Removing the system stored procedures results in an unsupported configuration. It is usually unnecessary to completely DENY all users access to the system stored procedures, as these stored procedures have the appropriate permission checks internal to the procedure as well as external.

Best practices for system stored procedures

Disable xp_cmdshell unless it is absolutely needed.

Disable COM components once all COM components have been converted to SQLCLR.

Disable both mail procedures (Database Mail and SQL Mail) unless you need to send mail from SQL Server. Prefer Database Mail as soon as you can convert to it.

Use SQL Server Surface Area Configuration to enforce a standard policy for extended procedure usage.

Document each exception to the standard policy.

Do not remove the system stored procedures by dropping them.

Do not DENY all users/administrators access to the extended procedures.

Password PolicyWindows logins abide by the login policies of the underlying operating system. These policies can be set using the Domain Security Policy or Local Security Policy administrator Control Panel applets. Login policies fall into two categories: Password policies and Account Lockout policies. Password policies include:

Enforce Password History

Minimum and Maximum Password Age

Minimum Password Length

Password Must Meet Complexity Requirements

Passwords are Stored Using Reversible Encryption (Note: this setting does not apply to SQL Server)

Account Lockout policies include:

Account Lockout Threshold (Number of invalid logins before lockout)

Account Lockout Duration (Amount of time locked out)

Reset Lockout Counter After n Minutes

In SQL Server 2005, SQL logins can also go by the login policies of the underlying operating system if the operating system supports it. The operating system must support the system call NetValidatePasswordPolicy. Currently, the only operating system that supports this is Windows Server 2003 and later versions. If you use SQL logins, run SQL Server 2005 on a Windows Server 2003 or later operating system.

Page 57: Enhanced Security for Online Exam Using Group Cryptography

CREATE LOGIN parameters determine whether the login goes by the operating system policies. These parameters are:

CHECK_POLICY

CHECK_EXPIRATION

MUST_CHANGE

CHECK_POLICY specifies that the SQL login must abide by the Windows login policies and Account Lockout policies, with the exception of password expiration. This is because, if SQL logins must go by the Windows password expiration policy, underlying applications must be outfitted with a mechanism for password changing. Most applications currently do not provide a way to change SQL login passwords. In SQL Server 2005, both SSMS and SQLCMD provide a way to change SQL Server passwords for SQL logins. Consider outfitting your applications with a password-changing mechanism as soon as possible. Having built-in password changing also allows logins to be created with the MUST_CHANGE parameter; using this parameter requires the user to change the password at the time of the first login. Administrators should be aware of the fact that password length and complexity policies, but not expiration policies, apply to passwords used with encryption keys as well as to passwords used with SQL logins. For a description of encryption keys, see Encryption.

When SQL logins are used on pre-Windows 2003 operating systems, there is a series of hard-coded password policies in lieu of the domain or operating system policies if CHECK_POLICY = ON. These policies are enumerated in SQL Server Books Online.

Best practices for password policy

Mandate a strong password policy, including an expiration and a complexity policy for your organization.

If you must use SQL logins, ensure that SQL Server 2005 runs on the Windows Server 2003 operating system and use password policies.

Outfit your applications with a mechanism to change SQL login passwords.

Set MUST_CHANGE for new logins.

Administrator PrivilegesSQL Server 2005 makes all permissions grantable and also makes grantable permissions more granular than in previous versions. Privileges with elevated permissions now include:

Members of the sysadmin server role.

The sa built-in login, if it is enabled.

Any login with CONTROL SERVER permission.

CONTROL SERVER permission is new in SQL Server 2005. Change your auditing procedures to include any login with CONTROL SERVER permission.

SQL Server automatically grants the server's Administrators group (BUILTIN\administrators) the sysadmin server role. When running SQL Server 2005 under Microsoft Windows Vista™, the operating system does not recognize membership in the BUILTIN\Administrators group unless the user has elevated themselves to a full administrator. In SP2, you can use SQL Server Surface Area Configuration to enable a

Page 58: Enhanced Security for Online Exam Using Group Cryptography

principal to act as administrator by selecting Add New Administrator from the main window as shown in Figure 3.

Figure 3   Adding a new administrator in SP2 SQL Server Surface Area Configuration

Clicking on this link opens the SQL Server 2005 User Provisioning Tool for Vista as shown in Figure 4. This tool can also be automatically invoked as the last step of an SQL Server 2005 SP2 installation.

Page 59: Enhanced Security for Online Exam Using Group Cryptography

Figure 4   The SQL Server 2005 User Provisioning Tool for Vista

When running SQL Server Express SP2 under the Vista operating system, Set Up incorporates the specification of a specific principal to act as administrator. SQL Server Express SP2 Set Up also allows command-line options to turn user instances on or off (ENABLERANU) and to add the current Set Up user to the SQL Server Administrator role (ADDUSERASADMIN). For more detailed information, see Configuration Options (SQL   Server Express) in SQL Server 2005 SP2 Books Online. For additional security-related considerations when running SQL Server 2005 with the Windows Vista operating system, see the SQL   Server   2005   SP2 Readme file . In particular, see section 5.5.2 "Issues Caused by User Account Control in Windows Vista."

For accountability in the database, avoid relying on the Administrators group and add only specific database administrators to the sysadmin role. Another option is to have a specific DatabaseAdministrators role at the operating system level. Minimizing the number of administrators who have sysadmin or CONTROL SERVER privilege also makes it easier to resolve problems; fewer logins with administrator privilege means fewer people to check with if things go wrong. The permission VIEW SERVER STATE is useful for allowing administrators and troubleshooters to view server information (dynamic management views) without granting full sysadmin or CONTROL SERVER permission.

Best practices for administrator privileges

Use administrator privileges only when needed.

Minimize the number of administrators.

Provision admin principals explicitly.

Have multiple distinct administrators if more than one is needed.

Avoid dependency on the builtin\administrators Windows group.

Page 60: Enhanced Security for Online Exam Using Group Cryptography

Database Ownership and TrustA SQL Server instance can contain multiple user databases. Each user database has a specific owner; the owner defaults to the database creator. By definition, members of the sysadmin server role (including system administrators if they have access to SQL Server through their default group account) are database owners (DBOs) in every user database. In addition, there is a database role, db_owner, in every user database. Members of the db_owner role have approximately the same privileges as the dbo user.

SQL Server can be thought of as running in two distinct modes, which can be referred to as IT department mode and ISV mode. These are not database settings but simply different ways to manage SQL Server. In an IT department, the sysadmin of the instance manages all user databases. In an Internet service provider environment (say, a Web-hosting service), each customer is permitted to manage their own database and is restricted from accessing system databases or other user databases. For example, the databases of two competing companies could be hosted by the same Internet service provider (ISV) and exist in the same SQL Server instance. Dangerous code could be added to a user database when attached to its original instance, and the code would be enabled on the ISV instance when deployed. This situation makes controlling cross-database access crucial.

If each database is owned and managed by the same general entity, it is still not a good practice to establish a "trust relationship" with a database unless an application-specific feature, such as cross-database Service Broker communication, is required. A trust relationship between databases can be established by allowing cross-database ownership chaining or by marking a database as trusted by the instance by using the TRUSTWORTHY property. An example of setting the TRUSTWORTHY property follows:

ALTER DATABASE pubs SET TRUSTWORTHY ON

Best practices for database ownership and trust

Have distinct owners for databases; not all databases should be owned by sa.

Minimize the number of owners for each database.

Confer trust selectively.

Leave the Cross-Database Ownership Chaining setting off unless multiple databases are deployed at a single unit.

Migrate usage to selective trust instead of using the TRUSTWORTHY property.

Schemas SQL Server 2005 introduces schemas to the database. A schema is simply a named container for database objects. Each schema is a scope that fits into the hierarchy between database level and object level, and each schema has a specific owner. The owner of a schema can be a user, a database role, or an application role. The schema name takes the place of the owner name in the SQL Server multi-part object naming scheme. In SQL Server 2000 and previous versions, a table named Employee that was part of a database named Payroll and was owned by a user name Bob would be payroll.bob.employee. In SQL Server 2005, the table would have to be part of a

Page 61: Enhanced Security for Online Exam Using Group Cryptography

schema. If payroll_app is the name of the SQL Server 2005 schema, the table name in SQL Server 2005 is payroll.payroll_app.employee.

Schemas solve an administration problem that occurs when each database object is named after the user who creates it. In SQL Server versions prior to 2005, if a user named Bob (who is not dbo) creates a series of tables, the tables would be named after Bob. If Bob leaves the company or changes job assignments, these tables would have to be manually transferred to another user. If this transfer were not performed, a security problem could ensue. Because of this, prior to SQL Server 2005, DBAs were unlikely to allow individual users to create database objects such as tables. Each table would be created by someone acting as the special dbo user and would have a user name of dbo. Because, in SQL Server 2005, schemas can be owned by roles, special roles can be created to own schemas if needed—every database object need not be owned by dbo. Not having every object owned by dbo makes for more granular object management and makes it possible for users (or applications) that need to dynamically create tables to do so without dbo permission.

Having schemas that are role-based does not mean that it’s a good practice to have every user be a schema owner. Only users who need to create database objects should be permitted to do so. The ability to create objects does not imply schema ownership; GRANTing Bob ALTER SCHEMA permission in the payroll_app schema can be accomplished without making Bob a schema owner. In addition, granting CREATE TABLE to a user does not allow that user to create tables; the user must also have ALTER SCHEMA permission on some schema in order to have a schema in which to create the table. Objects created in a schema are owned by the schema owner by default, not by the creator of the object. This makes it possible for a user to create tables in a known schema without the administrative problems that ensue when that user leaves the company or switches job assignments.

Each user has a default schema. If an object is created or referenced in a SQL statement by using a one-part name, SQL Server first looks in the user's default schema. If the object isn't found there, SQL Server looks in the dbo schema. The user's default schema is assigned by using the CREATE USER or ALTER USER DDL statements. If the default schema is specified, the default is dbo. Using named schemas for like groups of database objects and assigning each user's default schema to dbo is a way to mandate using two-part object names in SQL statements. This is because objects that are not in the dbo schema will not be found when a one-part object name is specified. Migrating groups of user objects out of the dbo schema is also a good way to allow users to create and manage objects if needed (for example, to install an application package) without making the installing user dbo.

Best practices for using schemas

Group like objects together into the same schema.

Manage database object security by using ownership and permissions at the schema level.

Have distinct owners for schemas.

Not all schemas should be owned by dbo.

Minimize the number of owners for each schema.

Page 62: Enhanced Security for Online Exam Using Group Cryptography

AuthorizationAuthorization is the process of granting permissions on securables to users. At an operating system level, securables might be files, directories, registry keys, or shared printers. In SQL Server, securables are database objects. SQL Server principals include both instance-level principals, such as Windows logins, Windows group logins, SQL Server logins, and server roles and database-level principals, such as users, database roles, and application roles. Except for a few objects that are instance-scoped, most database objects, such as tables, views, and procedures are schema-scoped. This means that authorization is usually granted to database-level principals.

In SQL Server, authorization is accomplished via Data Access Language (DAL) rather than DDL or DML. In addition to the two DAL verbs, GRANT and REVOKE, mandated by the ISO-ANSI standard, SQL Server also contains a DENY DAL verb. DENY differs from REVOKE when a user is a member of more than one database principal. If a user Fred is a member of three database roles A, B, and C and roles A and B are GRANTed permission to a securable, if the permission is REVOKEd from role C, Fred still can access the securable. If the securable is DENYed to role C, Fred cannot access the securable. This makes managing SQL Server similar to managing other parts of the Windows family of operating systems.

SQL Server 2005 makes each securable available by using DAL statements and makes permissions more granular than in previous versions. For example, in SQL Server 2000 and earlier versions, certain functions were available only if a login was part of the sysadmin role. Now sysadmin role permissions are defined in terms of GRANTs. Equivalent access to securables can be achieved by GRANTing a login the CONTROL SERVER permission.

An example of better granularity is the ability to use SQL Server Profiler to trace events in a particular database. In SQL Server 2000, this ability was limited to the special dbo user. The new granular permissions are also arranged in a hierarchy; some permissions imply other permissions. For example, CONTROL permission on a database object type implies ALTER permission on that object as well as all other object-level permissions. SQL Server 2005 also introduces the concept of granting permissions on all of the objects in a schema. ALTER permission on a SCHEMA includes the ability to CREATE, ALTER, or DROP objects in that SCHEMA. The DAL statement that grants access to all securables in the payroll schema is:

GRANT SELECT ON schema::payroll TO fred

The advantage of granting permissions at the schema level is that the user automatically has permissions on all new objects created in the schema; explicit grant after object creation is not needed. For more information on the permission hierarchy, see the Permission Hierarchy section of SQL Server Books Online.

A best practice for authorization is to encapsulate access through modules such as stored procedures and user-defined functions. Hiding access behind procedural code means that users can only access objects in the way the developer and database administrator (DBA) intend; ad hoc changes to objects are disallowed. An example of this technique would be permitting access to the employee pay rate table only through a stored procedure "UpdatePayRate." Users that need to update pay rates would be granted EXECUTE access to the procedure, rather than UPDATE access to the table itself. In SQL Server 2000 and earlier versions, encapsulating access was

Page 63: Enhanced Security for Online Exam Using Group Cryptography

dependent on a SQL Server feature known as ownership chains. In an ownership chain, if the owner of stored procedure A and the owner of table B that the stored procedure accesses are the same, no permission check is done. Although this works well most of the time, even with multiple levels of stored procedures, ownership chains do not work when:

The database objects are in two different databases (unless cross-database ownership chaining is enabled).

The procedure uses dynamic SQL.

The procedure is a SQLCLR procedure.

SQL Server 2005 contains features to address these shortcomings, including signing of procedural code, alternate execution context, and a TRUSTWORTHY database property if ownership chaining is desirable because a single application encompasses multiple databases. All of these features are discussed in this white paper.

A login only can only be granted authorization to objects in a database if a database user has been mapped to the login. A special user, guest, exists to permit access to a database for logins that are not mapped to a specific database user. Because any login can use the database through the guest user, it is suggested that the guest user not be enabled.

SQL Server 2005 contains a new type of user, a user that is not mapped to a login. Users that are not mapped to logins provide an alternative to using application roles. You can invoke selective impersonation by using the EXECUTE AS statement (see Execution Context later in this paper) and allow that user only the privileges needed to perform a specific task. Using users without logins makes it easier to move the application to a new instance and limits the connectivity requirements for the function. You create a user without a login using DDL:

CREATE USER mynewuser WITHOUT LOGIN

Best practices for database object authorization

Encapsulate access within modules.

Manage permissions via database roles or Windows groups.

Use permission granularity to implement the principle of least privilege.

Do not enable guest access.

Use users without logins instead of application roles

Page 64: Enhanced Security for Online Exam Using Group Cryptography

Source Code:

using System;using System.Configuration;using System.Data;using System.Linq;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.HtmlControls;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Xml.Linq;using System.Data.SqlClient;using System.Diagnostics;

public partial class _Default : System.Web.UI.Page { string cnstr = "Server=.;Trusted_Connection=true;Database=asp;"; SqlConnection cn; protected void Page_Load(object sender, EventArgs e) {

} protected void btnSubmit_Click(object sender, EventArgs e) { if ((txtUname.Text == "Admin") && (txtPwd.Text == "Admin")) { Session["username"] = txtUname.Text; Response.Redirect("Admin.aspx");

} else {

cn = new SqlConnection(cnstr); cn.Open(); string str = "select * from login"; SqlCommand cmd = new SqlCommand(str, cn); cmd.Parameters.Add("@username", SqlDbType.VarChar); cmd.Parameters["@username"].Value = txtUname.Text; cmd.Parameters.Add("@password", SqlDbType.VarChar); cmd.Parameters["@password"].Value = txtPwd.Text; SqlDataReader dr = cmd.ExecuteReader(); while (dr.Read()) { if (dr.GetValue(0).Equals(txtUname.Text)) { if (dr.GetValue(1).Equals(txtPwd.Text)) {

Page 65: Enhanced Security for Online Exam Using Group Cryptography

Session["username"] = txtUname.Text; Response.Redirect("welcome.aspx"); } } } }

}}

using System;using System.Collections;using System.Configuration;using System.Data;using System.Linq;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.HtmlControls;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Xml.Linq;using System.Data.SqlClient;using System.Windows.Forms;using System.Security.Cryptography;using System.IO;using System.Text;using System.Diagnostics;

public partial class MyExam : System.Web.UI.Page{ SqlConnection cn; SqlCommand cmd; SqlDataReader dr; SqlDataAdapter adp; DataTable dt; static int RowIndex; string cnstr = "Server=.;Trusted_Connection=true;Database=asp;"; static byte[] bytes = ASCIIEncoding.ASCII.GetBytes("ZeroCool"); protected void Page_Load(object sender, EventArgs e) {

Page 66: Enhanced Security for Online Exam Using Group Cryptography

username.Text = Convert.ToString(Session["username"]); string str = "select examtype from login where username='" + username.Text + "'"; cn = new SqlConnection(cnstr); cn.Open(); cmd = new SqlCommand(str,cn); dr = cmd.ExecuteReader(); if (dr.Read()) { etype.Text = Convert.ToString(dr.GetValue(0));

} dr.Close(); cn.Close(); string sqlstr = "select * from newquestions where subject='"+etype.Text+"'"; cn = new SqlConnection(cnstr); adp = new SqlDataAdapter(sqlstr, cn); DataSet ds = new DataSet(); cn.Open(); adp.Fill(ds); dt = ds.Tables[0]; // RowIndex = 0; display(); cn.Close(); } public static string Decrypt(string cryptedString) { if (String.IsNullOrEmpty(cryptedString)) { throw new ArgumentNullException ("The string which needs to be decrypted can not be null."); } DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider(); MemoryStream memoryStream = new MemoryStream (Convert.FromBase64String(cryptedString)); CryptoStream cryptoStream = new CryptoStream(memoryStream, cryptoProvider.CreateDecryptor(bytes, bytes), CryptoStreamMode.Read); StreamReader reader = new StreamReader(cryptoStream); return reader.ReadToEnd(); } private void display() { DataRow drow; drow = dt.Rows[RowIndex]; txtqno.Text = Convert.ToString(drow[1]); txtQues.Text = Convert.ToString(drow[2]);

Page 67: Enhanced Security for Online Exam Using Group Cryptography

txtChoice1.Text = Decrypt(Convert.ToString(drow[3])); txtChoice2.Text = Decrypt(Convert.ToString(drow[4])); txtChoice3.Text = Decrypt(Convert.ToString(drow[5])); txtChoice4.Text = Decrypt(Convert.ToString(drow[6])); } protected void btnpre_Click(object sender, EventArgs e) { RowIndex--; if (RowIndex < 0) { //RowIndex = 0; MessageBox.Show("Already at First Question"); } display();

} protected void btnNex_Click(object sender, EventArgs e) { int val = RowIndex + 1;

string sqlquery = "select answer from newquestions where qno="+val+" and subject='"+etype.Text+"'"; cn = new SqlConnection(cnstr); cn.Open(); cmd = new SqlCommand(sqlquery,cn); dr = cmd.ExecuteReader(); if (dr.Read()) { if (RadioButtonList1.SelectedItem.Text == "Choice1") { string str = txtChoice1.Text; if (str.Equals(Decrypt(dr.GetString(0)))) { // MessageBox.Show("Correct Answer Choice1"); } } else if (RadioButtonList1.SelectedItem.Text == "Choice2") { string str = txtChoice2.Text; if (str.Equals(Decrypt(dr.GetString(0)))) { // MessageBox.Show("Correct Answer Choice2"); } } else if (RadioButtonList1.SelectedItem.Text == "Choice3") { string str = txtChoice3.Text; if (str.Equals(Decrypt(dr.GetString(0)))) {

Page 68: Enhanced Security for Online Exam Using Group Cryptography

// MessageBox.Show("Correct Answer Choice3"); } } else //if (RadioButtonList1.SelectedItem.Text == "Choice4") { string str = txtChoice4.Text; if (str.Equals(Decrypt(dr.GetString(0)))) { //MessageBox.Show("Correct Answer Choice4"); } } }

RowIndex++; if (RowIndex == dt.Rows.Count) { RowIndex = dt.Rows.Count - 1; btnSubmit.Visible = true; } display(); } protected void btnSubmit_Click(object sender, EventArgs e) { Session["username"] = null; Response.Redirect("Default.aspx"); }}

#region Using directives

///kishor datta gupta///[email protected]///www.kishordgupta.wordpress.com

using System;using System.Collections.Generic;using System.ComponentModel;using System.Drawing;using System.Data;using System.Text;using System.Windows.Forms;using AviFile;using System.Threading;using System.IO;#endregion

Page 69: Enhanced Security for Online Exam Using Group Cryptography

namespace ScreenCapture{ public partial class Form1 : Form { AviManager aviManager = new AviManager("output.avi", false); int ScreenWidth = Screen.PrimaryScreen.Bounds.Width; int ScreenHeight = Screen.PrimaryScreen.Bounds.Height; VideoStream aviStream = null; public Form1() { InitializeComponent(); } public void startrecording() { Graphics g; Bitmap b = new Bitmap(ScreenWidth, ScreenHeight); g = Graphics.FromImage(b); g.CopyFromScreen(Point.Empty, Point.Empty, Screen.PrimaryScreen.Bounds.Size); aviStream.AddFrame(b); b.Dispose(); } private void button1_Click(object sender, EventArgs e) { Graphics g; Bitmap bi = new Bitmap(ScreenWidth, ScreenHeight); g = Graphics.FromImage(bi); g.CopyFromScreen(Point.Empty, Point.Empty, Screen.PrimaryScreen.Bounds.Size); aviStream = aviManager.AddVideoStream(true,4, bi); bi.Dispose(); ; ; timer1.Enabled = true; } private void button2_Click(object sender, EventArgs e) { timer1.Enabled = false; aviManager.Close(); }

private void timer1_Tick(object sender, EventArgs e) { startrecording();

}

private void Form1_Load(object sender, EventArgs e) {

}

Page 70: Enhanced Security for Online Exam Using Group Cryptography

}}

using System;using System.Collections;using System.Configuration;using System.Data;using System.Linq;using System.Web;using System.Web.Security;using System.Web.UI;using System.Web.UI.HtmlControls;using System.Web.UI.WebControls;using System.Web.UI.WebControls.WebParts;using System.Xml.Linq;using System.Data.SqlClient;using System.Windows.Forms;using System.Security.Cryptography;using System.IO;using System.Text;

public partial class Admin : System.Web.UI.Page{ string cnstr = "Server=.;Trusted_Connection=true;Database=asp;"; SqlConnection cn; SqlDataReader dr; string c1, c2, c3, c4, ans; static byte[] bytes = ASCIIEncoding.ASCII.GetBytes("ZeroCool"); SqlCommand cmd; int qno; protected void Page_Load(object sender, EventArgs e) { sessionName.Text = Convert.ToString(Session["username"]);

} protected void btnSubmit_Click(object sender, EventArgs e) { string sqlquery = "select count(subject) as qtype from newquestions where subject='" + DropDownList1.Text + "'"; cn = new SqlConnection(cnstr); cn.Open();

Page 71: Enhanced Security for Online Exam Using Group Cryptography

cmd = new SqlCommand(sqlquery, cn); dr = cmd.ExecuteReader(); if (dr.Read()) { try { qno = Convert.ToInt16(dr.GetValue(0)); qno = qno + 1; } catch (InvalidCastException ex) { MessageBox.Show(ex.Message); }

} c1 = Encrypt(txtChoice1.Text); c2 = Encrypt(txtChoice2.Text); c3 = Encrypt(txtChoice3.Text); c4 = Encrypt(txtChoice4.Text); ans = Encrypt(txtAns.Text); dr.Close(); string query = "insert into newquestions values('"+DropDownList1.Text+"','"+Convert.ToString(qno)+"','" + txtQues.Text + "','" + c1 + "','" + c2 + "','" + c3 + "','" + c4 + "','" + ans + "')"; cmd = new SqlCommand(query, cn); cmd.ExecuteNonQuery(); MessageBox.Show("Question Updated Succesfully"); cn.Close();

Response.Redirect("Admin.aspx");

} public static string Encrypt(string originalString) { if (String.IsNullOrEmpty(originalString)) { throw new ArgumentNullException ("The string which needs to be encrypted can not be null."); } DESCryptoServiceProvider cryptoProvider = new DESCryptoServiceProvider(); MemoryStream memoryStream = new MemoryStream(); CryptoStream cryptoStream = new CryptoStream(memoryStream,

Page 72: Enhanced Security for Online Exam Using Group Cryptography

cryptoProvider.CreateEncryptor(bytes, bytes), CryptoStreamMode.Write); StreamWriter writer = new StreamWriter(cryptoStream); writer.Write(originalString); writer.Flush(); cryptoStream.FlushFinalBlock(); writer.Flush(); return Convert.ToBase64String(memoryStream.GetBuffer(), 0, (int)memoryStream.Length); } }

Screens:

Page 73: Enhanced Security for Online Exam Using Group Cryptography
Page 74: Enhanced Security for Online Exam Using Group Cryptography
Page 75: Enhanced Security for Online Exam Using Group Cryptography
Page 76: Enhanced Security for Online Exam Using Group Cryptography
Page 77: Enhanced Security for Online Exam Using Group Cryptography
Page 78: Enhanced Security for Online Exam Using Group Cryptography
Page 79: Enhanced Security for Online Exam Using Group Cryptography
Page 80: Enhanced Security for Online Exam Using Group Cryptography
Page 81: Enhanced Security for Online Exam Using Group Cryptography
Page 82: Enhanced Security for Online Exam Using Group Cryptography
Page 83: Enhanced Security for Online Exam Using Group Cryptography