Question 3. Security (20 marks)

(a) Kerberos involves three (bi-directional) exchanges: one between the client and the Key Distribution Center (KDC), one between the client and the Ticket Granting Service (TGS), and one between the client and the server (S) chosen by the client. Describe the main Kerberos components and explain the purpose of each of the three exchanges mentioned above.

(b) Describe some of the ways in which conventional Web applications are vulnerable to eavesdropping, cross-site request forgery, injection, replay and denial-of-service attacks. Suggest methods by which Web applications could be protected against each of these forms of attack.

(c) There is no authentication in the Diffie-Hellman key-exchange protocol. By exploiting this property, a malicious third party can easily break into the key exchange taking place between Alice and Bob and subsequently ruin its security. Explain how this would work.

(d) Suppose that you were asked to develop a distributed application that would allow the PEO office to set up exams. Give at least three statements that would be part of the security policy for such an application.
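For part (a), the three exchanges are easiest to see as messages. The following is an added example, not part of the question or of any Kerberos implementation: a toy model of the AS, TGS and AP exchanges in Python. The encryption (`seal`/`open_`, a SHA-256 keystream with an HMAC tag), the key derivation, the principal names, the passwords and the lifetimes are all constructed for the example; real Kerberos uses the encryption types and string-to-key functions of RFC 3961/3962. What the model does preserve is the structure: the KDC hands out a ticket the client cannot read plus a part only the password holder can read, the TGS and the server each check an authenticator under the session key carried inside the ticket, and the server's reply under that key authenticates it back to the client.

```python
import hashlib
import hmac
import json
import secrets
import time

# --- Toy authenticated encryption (stand-in for Kerberos' AES/HMAC encryption types) ---
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON-serialisable dict under `key`."""
    pt = json.dumps(obj).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_(key: bytes, blob: bytes) -> dict:
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def derive_key(password: str) -> bytes:
    # Stands in for Kerberos string-to-key; a real KDF (PBKDF2) belongs here.
    return hashlib.sha256(password.encode()).digest()

def _check_authenticator(session_key: bytes, ticket: dict, authenticator: bytes, skew_s=300):
    """Shared by the TGS and S: the authenticator proves the sender holds the
    session key inside the ticket, and its timestamp bounds replay."""
    auth = open_(session_key, authenticator)
    if auth["cname"] != ticket["cname"]:
        raise ValueError("authenticator name does not match ticket")
    now = time.time()
    if abs(now - auth["ts"]) > skew_s or ticket["expiry"] < now:
        raise ValueError("stale authenticator or expired ticket")
    return auth

# --- The three exchanges, each written from the responder's side ---
def kdc_authentication_service(kdc: dict, as_req: dict) -> dict:
    """Exchange 1 (AS-REQ/AS-REP): KDC issues a TGT plus a client/TGS session key."""
    cname = as_req["cname"]
    sk_c_tgs, expiry = secrets.token_hex(32), time.time() + 3600
    tgt = seal(kdc["k_tgs"], {"cname": cname, "key": sk_c_tgs, "expiry": expiry})
    # Only someone who knows the client's password can read this part.
    enc_part = seal(kdc["principals"][cname], {"key": sk_c_tgs, "nonce": as_req["nonce"]})
    return {"tgt": tgt, "enc_part": enc_part}

def kdc_ticket_granting_service(kdc: dict, tgs_req: dict) -> dict:
    """Exchange 2 (TGS-REQ/TGS-REP): TGS swaps a valid TGT for a ticket to S."""
    tgt = open_(kdc["k_tgs"], tgs_req["tgt"])
    sk_c_tgs = bytes.fromhex(tgt["key"])
    _check_authenticator(sk_c_tgs, tgt, tgs_req["authenticator"])
    sname, sk_c_s, expiry = tgs_req["sname"], secrets.token_hex(32), time.time() + 600
    ticket = seal(kdc["principals"][sname], {"cname": tgt["cname"], "key": sk_c_s, "expiry": expiry})
    return {"ticket": ticket, "enc_part": seal(sk_c_tgs, {"key": sk_c_s, "sname": sname})}

def application_server(k_s: bytes, ap_req: dict) -> bytes:
    """Exchange 3 (AP-REQ/AP-REP): S validates the ticket and echoes the timestamp
    under the session key, which authenticates S back to the client."""
    ticket = open_(k_s, ap_req["ticket"])
    sk_c_s = bytes.fromhex(ticket["key"])
    auth = _check_authenticator(sk_c_s, ticket, ap_req["authenticator"])
    return seal(sk_c_s, {"ts": auth["ts"]})

def run_kerberos(password_typed: str, cname="alice", sname="fileserver") -> bool:
    """Client side of all three exchanges; True on mutual authentication with S."""
    # Constructed KDC database: long-term keys of the client, the TGS and S.
    kdc = {"k_tgs": derive_key("krbtgt-secret"),
           "principals": {cname: derive_key("correct horse"),
                          sname: derive_key("fileserver-secret")}}
    nonce = secrets.token_hex(8)
    as_rep = kdc_authentication_service(kdc, {"cname": cname, "nonce": nonce})
    try:
        as_enc = open_(derive_key(password_typed), as_rep["enc_part"])
    except ValueError:
        return False            # wrong password: the session key stays unreadable
    if as_enc["nonce"] != nonce:
        return False            # a replayed AS-REP would carry a stale nonce
    sk_c_tgs = bytes.fromhex(as_enc["key"])
    tgs_rep = kdc_ticket_granting_service(kdc, {
        "tgt": as_rep["tgt"], "sname": sname,
        "authenticator": seal(sk_c_tgs, {"cname": cname, "ts": time.time()})})
    sk_c_s = bytes.fromhex(open_(sk_c_tgs, tgs_rep["enc_part"])["key"])
    ts = time.time()
    ap_rep = application_server(kdc["principals"][sname], {
        "ticket": tgs_rep["ticket"],
        "authenticator": seal(sk_c_s, {"cname": cname, "ts": ts})})
    return open_(sk_c_s, ap_rep)["ts"] == ts   # S echoed our timestamp: mutual auth
```

`run_kerberos("correct horse")` completes all three exchanges; a wrong password fails at the first one, because the client never learns the client/TGS session key and so cannot build an authenticator the TGS will accept. Note that the client's long-term key is used exactly once, to open the AS-REP, which is the point of the TGS indirection.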
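For part (b), three of the five protections can be shown as server-side checks. The code below is an added example, not from the question or any framework: a session-bound CSRF token (the browser attaches cookies to a cross-site request but cannot read or forge the token), a replay guard that accepts each signed request once within a time window, and a parameterised query so that input is sent as data rather than spliced into SQL. `SERVER_SECRET`, the table, the user names and the sample inputs are constructed for the example. Eavesdropping and denial of service are not coded here: the former is addressed at the transport layer (TLS), the latter by rate limiting, quotas and resource caps in front of the application.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time

# Constructed per-deployment secret; in production it comes from a secret store.
SERVER_SECRET = secrets.token_bytes(32)

# --- Cross-site request forgery: a synchronizer token bound to the session ---
def issue_csrf_token(session_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Derived from the session id, so a token stolen from one session is
    useless in another and a forged cross-site request has none at all."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()

def verify_csrf_token(session_id: str, token, secret: bytes = SERVER_SECRET) -> bool:
    expected = issue_csrf_token(session_id, secret)
    return isinstance(token, str) and hmac.compare_digest(expected, token)

# --- Replay: a signed request with a timestamp window and a single-use nonce ---
class ReplayGuard:
    def __init__(self, key: bytes, window_s: int = 300):
        self.key, self.window_s, self.seen = key, window_s, {}   # nonce -> ts

    def sign(self, body: bytes, nonce: str, ts: float) -> str:
        msg = f"{nonce}|{ts}|".encode() + body
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def accept(self, body: bytes, nonce: str, ts: float, sig: str, now=None) -> bool:
        now = time.time() if now is None else now
        # Forget nonces that can no longer be replayed, so `seen` stays bounded.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window_s}
        if abs(now - ts) > self.window_s:
            return False                 # outside the window: stale or clock-skewed
        if not hmac.compare_digest(self.sign(body, nonce, ts), sig):
            return False                 # signature does not cover this exact request
        if nonce in self.seen:
            return False                 # same nonce seen before: a replay
        self.seen[nonce] = ts
        return True

# --- Injection: bind parameters instead of splicing input into SQL text ---
def demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn

def find_user(conn: sqlite3.Connection, username: str) -> list:
    # The driver passes `username` as a bound value; quotes in it never become SQL.
    return conn.execute("SELECT id FROM users WHERE name = ?", (username,)).fetchall()
```

The replay guard needs both halves: the window alone lets a captured request be resent for five minutes, and the nonce set alone grows without bound, which is why expired nonces are pruned before each check. For the injection case, a username such as `bob' OR 1=1 --` simply matches no row.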
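Part (c) turns on the fact that plain Diffie-Hellman gives Alice no way to tell whether the public value she receives was actually sent by Bob. The added example below, which is not part of the question, shows the standard remedy: each party binds its public value to its identity with an authenticator that a third party cannot produce, and aborts if the check fails. The group parameters (`P`, `G`), the pre-shared MAC key and the identities are constructed for the example; the toy modulus is far too small for real use, and deployed protocols sign the transcript with long-term keys (or use a standard group with X25519) rather than a pre-shared HMAC key.

```python
import hashlib
import hmac
import secrets

# Toy group parameters so the example runs instantly. Deployments use a
# standardised group (an RFC 3526 MODP group or a curve such as X25519).
P = 2**127 - 1      # Mersenne prime: fine for illustration, far too small for use
G = 2

def dh_keypair():
    x = secrets.randbelow(P - 3) + 2              # private exponent in [2, P-2]
    return x, pow(G, x, P)

def dh_shared_key(priv: int, peer_pub: int) -> bytes:
    # Reject degenerate values (0, 1, P-1) that would force a predictable secret.
    if not 1 < peer_pub < P - 1:
        raise ValueError("peer public value out of range")
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def authenticate(psk: bytes, sender: str, pub: int) -> bytes:
    """MAC over (identity, public value) under a key only Alice and Bob hold.
    A digital signature over the same transcript plays this role in practice."""
    msg = sender.encode() + b"|" + pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def verify(psk: bytes, sender: str, pub: int, tag: bytes) -> bool:
    return hmac.compare_digest(authenticate(psk, sender, pub), tag)

def run_exchange(psk: bytes, substitute_bob_value: bool = False) -> dict:
    """Authenticated DH between Alice and Bob. If the value Alice receives is not
    the one Bob tagged, her check fails and she aborts instead of deriving a key."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    a_tag = authenticate(psk, "alice", a_pub)
    b_tag = authenticate(psk, "bob", b_pub)
    received_by_alice = b_pub
    if substitute_bob_value:
        # Model a value that did not come from Bob; the tag still covers b_pub.
        received_by_alice = pow(G, secrets.randbelow(P - 3) + 2, P)
    if not verify(psk, "bob", received_by_alice, b_tag):
        return {"accepted": False, "keys_match": None}    # Alice aborts here
    if not verify(psk, "alice", a_pub, a_tag):
        return {"accepted": False, "keys_match": None}    # Bob's symmetric check
    alice_key = dh_shared_key(a_priv, received_by_alice)
    bob_key = dh_shared_key(b_priv, a_pub)
    return {"accepted": True, "keys_match": alice_key == bob_key}
```

Without the `verify` step there is nothing in the exchange that depends on who sent the value, which is exactly the gap part (c) asks about; with it, a substituted value is rejected before any key is derived, and the honest run yields matching keys on both sides.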
