Networks Chapter 8
Suppose Alice has a message that she is ready to send to anyone who asks. Thousands of people want to obtain Alice's message, but each wants to be sure of the integrity of the message. In this context, do you think a MAC-based or a digital-signature-based integrity scheme is more suitable? Why?
- For a MAC-based scheme, Alice would have to establish a shared key with each potential recipient. - With digital signatures, she uses the same digital signature for each recipient; the digital signature is created by signing the hash of the message with her private key. - less message integrity in MAC scheme and more in Digital-signature-based integrity scheme - Digital signatures are clearly a better choice here.
Internet entities (routers, switches, DNS servers, Web servers, user end systems, and so on) often need to communicate securely. Give three specific example pairs of Internet entities that may want secure communication.
- User's laptop and a web server - two routers - two DNS name servers.
Suppose n=10000, a=10023 and b=10004. Use an identity of modular arithmetic to calculate in your head (a*b)mod n.
- a mod n = 23 - b mod n = 4 - (a*b) mod n = 23*4 mod 10000 = 92 mod 10000 = 92
Suppose that Bob receives a PGP message from Alice. How does Bob know for sure that Alice created the message (rather than, say, Trudy)? Does PGP use a MAC for message integrity?
Pretty Good Privacy (PGP): an e-mail encryption scheme PGP message: digitally signed message - Alice provides a digital signature, from which Bob can verify that message came from Alice. - Alice encrypts messages digest with her private key and sends as PGP message - Bob receives digitally signed message and decrypts the signature using Alice's public key and calculate message digest - if results are same, Bob knows message was created and sent by Alice - PGP uses digital signatures, not MACs, for message integrity.
In what way does a hash provide a better message integrity check than a checksum (such as the Internet checksum)?
input (m) fixed size string H(m) - cryptographic hash function has an additional property - it is computationally infeasible to find any two different messages, x and y, such that H(x) = H(y) - no two messages x and y have similar hash values - if (m, H(m)) are the message and hash of the message created by the sender, then the intruder cannot forge the contents of another message y that has the same value as the original message. - therefore, this enables hash to provide a better message integrity check One requirement of a message digest is that given a message M, it is very difficult to find another message M' that has the same message digest and, as a corollary, that given a message digest value it is difficult to find a message M'' that has that given message digest value. We have "message integrity" in the sense that we have reasonable confidence that given a message M and its signed message digest that the message was not altered since the message digest was computed and signed. This is not true of the Internet checksum, where we saw in Figure 7.18 that it easy to find two messages with the same Internet checksum.
Signature-based IDSs and IPSs inspect into the payloads of TCP and UDP segments. True or false?
True
Suppose an SSL session employs a block cipher with CBC. True or false: The server sends to the client the IV in the clear.
True. The IV is always sent in the clear. In SSL, it is sent during the SSL handshake.
An IKE SA and an IPsec SA are the same thing. True or false?
False. An IKE SA is used to establish one or more IPsec SAs.
Suppose that TCP is being run over IPsec between headquarters and the branch office in Figure 8.28. If TCP retransmits the same packet, then the two corresponding packets sent by R1 packets will have the same sequence number in the ESP header. True or false?
False. IPsec will increment the sequence number for every packet it sends.
In the SSL record, there is a field for SSL sequence numbers. True or false?
False. SSL uses implicit sequence numbers.
Consider sending a stream of packets from Host A to Host B using IPsec. Typically, a new SA will be established for each packet sent in the stream. True or false?
False. Typically an IPsec SA is first established between Host A and Host B. Then all packets in the stream use the SA.
Stateful packet filters maintain two data structures. Name them and briefly describe what they do.
Filter table and connection table. The connection table keeps track of connections, allowing for a finer degree of packet filtering.
Why must an application gateway work in conjunction with a router filter to be effective?
If there isn't a packet filter, than users inside the institution's network will still be able to make direct connections to hosts outside the institution's network. The filter forces the users to first connect to the application gateway. - provide high level security
Is the message integrity scheme based on HMAC susceptible to playback attacks? If so, how can a nonce be incorporated into the scheme to remove this susceptibility?
In a man-in-the-middle attack, the attacker can acquire Bob's and Alice's secret keys during key exchange, then send bogus messages to Bob as if sent by Alice - public key encryption can remove this susceptibility - when a hashed message is received by Bob from Alice, Bob first chooses a nonce, encrypts it with Alice's public key and sends it to Alice - Alice decrypts the message using her private key and sends the original nonce to Bob - if both equal, Bob knows message is from Alice and accepts the hashed message
Suppose N people want to communicate with each of N-1 other people using symmetric key encryption. All communication between any two people, i and j, is visible to all other people in this group of N, and no other person in this group should be able to decode their communication. How many keys are required in the system as a whole? Now suppose that public key encryption is used. How many keys are required in this case?
In symmetric key encryption, each pair of users must have a shared symmetric key - # of people who want to communicate = N - Number of people with whom each user wants to communicate = N-1 - # of possible pairs of communications = N x (N -1) / 2 - symmetric key system requires N x (N -1) / 2 keys for N x (N -1) / 2 pairs to communicate with With a public key system, each user has a public key which is known to all, and a private key (which is secret and only known by the user). There are thus 2N keys required to communicate N users with (N-1) other users in the public key system.
From a service perspective, what is an important difference between a symmetric-key system and a public-key system?
In symmetric key systems both the sender and receiver must know the same (secret) key. In public key systems, the encryption and decryption keys are distinct.
Suppose that an intruder has an encrypted message as well as the decrypted version of that message. Can the intruder mount a ciphertext-only attack, a known-plaintext attack, or a chosenplaintext attack?
In this case, a known plaintext attack is performed. If, somehow, the message encrypted by the sender was chosen by the attacker, then this would be a chosenplaintext attack.
Consider a traditional (stateless) packet filter. This packet filter may filter packets based on TCP flag bits as well as other header fields. True or false?
True
In WEP, an IV is sent in the clear in every frame. True or false?
True
In a traditional packet filter, each interface can have its own access control list. True or false?
True
Consider an 8-block cipher. How many possible input blocks does this cipher have? How many possible mappings are there? If we view each mapping as a key, then how many possible keys does this cipher have?
An 8-block cipher has 2^8 possible input blocks. Each mapping is a permutation of the 2^8 input blocks; - possible mappings = 2^8! = 256! - possible keys = 2^8! = 256!
Suppose Bob initiates a TCP connection to Trudy who is pretending to be Alice. During the handshake, Trudy sends Bob Alice's certificate. In what step of the SSL handshake algorithm will Bob discover that he is not communicating with Alice?
After the client will generate a pre-master secret (PMS), it will encrypt it with Alice's public key, and then send the encrypted PMS to Trudy. Trudy will not be able to decrypt the PMS, since she does not have Alice's private key. Thus Trudy will not be able to determine the shared authentication key. She may instead guess one by choosing a random key. During the last step of the handshake, she sends to Bob a MAC of all the handshake messages, using the guessed authentication key. When Bob receives the MAC, the MAC test will fail, and Bob will end the TCP connection. - last step (step 6) of SSL hand shake algorithm
In what way does the public-key encrypted message hash provide a better digital signature than the public-key encrypted message?
- encryption and decryption are computationally expensive in public-key encryption - encrypting whole message in digital signatures takes more time - encrypting message hash takes less time bc message is short - easy and takes less time for receiver to verify the digital signature of a message hash than of the whole message - computational time can be reduced significantly by encrypting message hash instead of whole message A public-key signed message digest is "better" in that one need only encrypt (using the private key) a short message digest, rather than the entire message. Since public key encryption with a technique like RSA is expensive, it's desirable to have to sign (encrypt) a smaller amount of data than a larger amount of data.
Consider WEP for 802.11. Suppose that the data is 10101100 and the keystream is 1111000. What is the resulting ciphertext?
01011100
Suppose you want to encrypt the message 10101111 by encrypting the decimal number that corresponds to the message. What is the decimal number?
175
What are the differences between message confidentiality and message integrity? Can you have confidentiality without integrity? Can you have integrity without confidentiality? Justify your answer.
Message Confidentiality: property that ensures the attacker cannot understand the original plaintext message even if he gains access to the encrypted message - ensures only the sender and receiver can understand original message - encryption and decryption is used - encryption is applied on plain text Message integrity: property that the receiver can detect whether the message sent (whether encrypted or not) was altered in transit. - ensures that original message is not changed in the process of transmission - check summing techniques are used - check summing is applied on encryption data - confidentiality and integrity are independent and different from one another. The messages can have one of these techniques without the other - The attacker can change the encrypted message. Even though the attacker modifies the message, he cannot understand the original message. The integrity of the message is lost, but the confidentiality of the message is maintained - sometimes the attacker may have modified the message and be successful in detecting the plaintext message which is sent to the receiver. The confidentiality of the message is lot, but integrity remains
Can you "decrypt" a hash of a message to get the original message? Explain your answer.
No. - a hash function is a one-way function. it is impossible to get the original message (m) from the hash value (h) - the value of the hash changes even for the slightest modification of the original message - in digital signatures, the user receives the original message and hash value, and compute the hash value again on the original message using the shared secret key. The user accepts the message only if the hash value generated is similar to hash value received.
What does it mean to say that a nonce is a once-in-a-lifetime value? In whose lifetime?
Once in a lifetimes means that the entity sending the nonce will never again use that value to check whether another entity is "live".
What does it mean for a signed document to be verifiable and nonforgeable?
Suppose Bob sends an encrypted document to Alice. To be verifiable, Alice must be able to convince herself that Bob sent the encrypted document. To be non-forgeable, Alice must be able to convince herself that only Bob could have sent the encrypted document (e.g.,, no one else could have guessed a key and encrypted/sent the document) To be non-reputable, Alice must be able to convince someone else that only Bob could have sent the document. To illustrate the latter distinction, suppose Bob and Alice share a secret key, and they are the only ones in the world who know the key. If Alice receives a document that was encrypted with the key, and knows that she did not encrypt the document herself, then the document is known to be verifiable and non-forgeable (assuming a suitably strong encryption system was used). However, Alice cannot convince someone else that Bob must have sent the document, since in fact Alice knew the key herself and could have encrypted/sent the document. also look at chegg
What is the purpose of a nonce in an end-point authentication protocol?
The purpose of the nonce is to defend against the replay attack.
What is the purpose of the random nonces in the SSL handshake?
The purpose of the random nonces in the handshake is to defend against the connection replay attack ("play back attack" connection)
Suppose certifier.com creates a certificate for foo.com. Typically, the entire certificate would be encrypted with certifier.com's public key. True or false?
This is false. To create the certificate, certifier.com would include a digital signature, which is a hash of foo.com's information (including its public key), and signed with certifier.com's private key.
Consider a variation of the MAC algorithm (Figure 8.9 ) where the sender sends (m, H(m)+s) where H(m)+s is the concatenation of H(m) and s. Is this variation flawed? Why or why not?
This is scheme is clearly flawed. Trudy, an attacker, can first sniff the communication and obtain the shared secret s by extracting the last portion of digits from H(m)+s. - Trudy can then masquerade as the sender by creating her own, bogus message t and send (t, H(t)+s).
