Midterm. Name: Andrew user id:

Transcription

1 Midterm 6 March 2008 Name: Andrew user id: Scores: Problem 0 (10 points): Problem 1 (10 points): Problem 2 (15 points): Problem 3 (10 points): Problem 4 (20 points): Problem 5 (10 points): Problem 6 (10 points): Problem 7 (15 points): Total (Max 100 points): 1

2 Problem 0: Very Simple Warmup Problems (10 Points) a) (2 points) A TCP ISN is generated by computing a block cipher encrypt operation on the current ISN with an N-bit key that provides sufficient security until year The following ISN is the least 32 bits of the block cipher output. More formally: ISN i+1 = [{ISN i } K ] 32. What value would you suggest for the key size N? If the attacker uses 1 million 1GHz processor machines in parallel, how many years would it take to predict the next ISN? Justify your answer. b) (2 points) What is the probability of a forged packet with a MAC of length n bits to be accepted by the receiver? c) (2 points) What is the minimal size of the MAC if one wants a probability of less than 10 9 for a forged packet to be accepted? d) (4 points) Suppose that a hash function H takes an 8-bit input and has an 8-bit output. Graph the probability of finding two different inputs with the same hash value given a certain number of trials. No need to compute any fancy equations, simply draw an approximate curve. 2

3 Problem 1: Next Generation Secure Internet (10 Points) a) (5 points) One of the major features of the AIP protocol is to provide self-certification for the public key of a domain. Using such a self-certification scheme, can the AIP protocol be implemented completely without the use of a PKI? If yes, explain why is it possible. If not, provide a case where AIP does rely on a PKI. b) (5 points) Recall the accountability service mechanism we read in the paper by Bender et al. Their Strawman approach relies on each sender having a PKI certificate and the sender signing each packet with the private key. To achieve a more efficient mechanism, the authors propose to essentially set up shared secret keys using Diffie-Hellman-based public-key certificates and using the shared secret to attach a MAC to each packet (no need to go into more details here). Is non-repudiation still achieved in the more efficient version? Explain why or why not. If not, how would you redesign the scheme to achieve non-repudiation? 3

4 Problem 2: SSL (15 Points) Recall the SSL handshake protocol taught in class, in this case using ephemeral DH key agreement: C client hello S server hello server certificate server key exchange server hello done Ephemeral DH key exchange Contains RSA public key certificate g, p, g s mod p, {H(g,q,g s mod p)} KS 1 client key exchange change cipherspec finished g c mod p Compute keys, set up ciphers Contains authenticator for early messages change cipherspec finished Compute keys, set up ciphers Contains authenticator for early messages a) (5 points) An attacker wants to perform a computational DoS attack on the server using one of the messages of the SSL handshake protocol. Which message or sequence of messages should the attacker use to launch a DoS attack on the server? Explain why. 4

5 b) (5 points) Using the attack you came up with in a), how many messages should the attacker send to saturate the computational resources of the server? Explain your reasoning. c) (5 points) Describe a scheme to prevent such a DoS attack. 5

6 Problem 3: TCP/IP Defenses (10 points) Guessing or knowing the initial TCP sequence number (ISN) that a server will choose enables an attacker to establish a TCP connection with a server impersonating another node. What are the advantages and disadvantages of the following solutions with respect to mitigating the attack? What modifications in the behavior of TCP result by implementing the solution? a) (3 points) The server selects an initial sequence number based on the following oneway hash chain construction. The server picks a random 128-bit value v 0, and derives subsequent one-way chain values with v i+1 = MD5(v i ). For connection i, the server uses the least significant 32 bits of one-way chain value [v i ] 32. b) (3 points) The server selects an initial sequence number based on the following one-way hash chain construction. The server picks a random 128-bit value v n, and derives previous one-way chain values with v i = MD5(v i+1 ). For connection i, the server uses the least significant 32 bits of one-way chain value [v i ] 32. c) (4 points) The server selects an initial sequence number based on the following one-way hash chain construction. The server picks a random 32-bit value v n, and derives previous one-way chain values with v i = [MD5(v i+1 )] 32. For connection i, the server uses the 32 bit one-way chain value v i for the ISN. 6

7 Problem 4: Securing BGP (20 Points) 1. (12 points) An attack has happened and we would like you to explain what is the likely cause of the attack and what is the likely defense measure that the victim has taken. To illustrate the attack, we provide the three consecutive snapshots. Each graph represents the BGP routing activity for the destination IP address at a given time. A number in a snapshot represents a BGP Autonomous System (AS) number. A solid line indicates a route to the destination (i.e., ). Describe the most likely scenario that could explain the sequence of depicted snapshots. In particular, describe the actions taken between every two snapshots. Figure 1: Snapshot 1. 7

8 Figure 2: Snapshot 2. Figure 3: Snapshot 3. 8

9 2. (8 points) In class, we have seen that the current BGP protocol is vulnerable to prefix hijack. Researchers have proposed several schemes to detect that a prefix is being hijacked. One of the proposal consists in collecting BGP updates from a large number of collection points (i.e., from different parts of the world). Upon noticing a change in the originating Autonomous System (i.e., the first inserted AS in the AS PATH), e.g., from AS XYZ to AS ABC, an would be automatically sent to network XYZ to notify it of a potential prefix hijack. The following figure depicts the infrastructure of the proposal. We assume that the deployment of the infrastructure is not an issue, and that we can indeed collect BGP UPDATES from a large and diverse number of sites. We further assume that at the initial state, there is no prefix hijack. What is then the major challenge with this scheme? Mail server of AS 103 Mail server BGP of AS 105 Collector BGP AS 103 BGP AS 105 Mail server BGP of AS 101 Collector Mail server BGP of AS 104 Collector BGP AS 101 Mail server of AS 102 BGP AS 104 Mail server of AS 76 BGP AS 102 BGP AS 76 Figure 4: Detecting IP Prefix Hijack. 9

10 Problem 5: Vehicular Ad Hoc Networks (10 Points) (10 points) An amateur researcher analyses the characteristics of VANET messages that were exchanged in a particular VANET application. Her analysis reveals that the messages are frequent (about one every 10 milliseconds) but short (around 20 bytes). She also notes that signing each short message is time consuming. So she proposes to her adviser that these short messages can be grouped together and signed using a Bloom filter. Describe how such a scheme could work to achieve efficient signature of the messages using the Bloom filter as a component. Describe one advantage and two disadvantages of the resulting approach. 10

11 Problem 6: Intrusion Detection (10 Points) a) (5 points) A student of Secure Programming class (yeah, the same student who haunted you in homework 1), decides to implement a fail-open NIDS for her final project. Having learnt the principles of secure coding she avoids using any piece of code that could be exploited to launch memory overrun attacks like buffer overflow attacks. To gain extra credits, she decides to implement caching of web objects so that her NIDS can act as a proxy too. To achieve this, she refers to the Squid proxy implementation and implements caching using an in-memory hash table with the HTTP request method (i.e., GET, HEAD etc.) and the URL in question as a key to the hash table. However, her mentor for this project informs her of the possibility of an attack on this approach (as identified by you in homework 1). As a good friend of her, advise her on how to evade such attacks without much compromise in the performance/functionality of the NIDS/Proxy. b) (5 points) Consider an inline active-response intrusion detection product (often called Intrusion Prevention Systems, these apply stateful packet inspection beyond traditional TCP/IP protocols, and examine application data streams) that reconfigures your firewall rules to automatically block further connections from the attack source address for a certain period of time. Give two advantages and two disadvantages of this approach compared to a traditional NIDS, and describe where/when it might be beneficial to employ such a technology. 11

12 Problem 7: Secure Broadcast Communication (15 Points) a) (5 points) An important TESLA parameter is the key disclosure delay. Although the choice of the disclosure delay does not affect the security of the system, it is an important performance factor. As we discussed in class, a short disclosure delay will cause delayed packets to lose their safety property, so receivers will discard them, and a long disclosure delay leads to a long authentication delay for receivers. As an alternative, the sender may include in each packet the time t p at which it is going to disclose the key for this packet. With this method, the receiver only needs to know the bound D t on the clock skew and T 0, the sender s local time at the initiation of the session. Then the receiver records the local time T when the packet has arrived, and verifies that T T 0 + D t + t p. Else the packet is considered unauthenticated. Is this secure? Justify your answer. b) (5 points) Instead of operating on time basis, sender S decides to operate TESLA on a packet basis. S now broadcasts the packet P i along with the key K i and the message authentication code (MAC) of P i computed with the key K i+1 as follows: S : P i,k i,mac Ki+1 (P i ) The receiver must wait for the next packet to validate the MAC of the packet P i. Is this secure? Justify your answer. 12

13 c) (5 points) Describe how to generate keys using MARKS. Using the diagram below, show how keys B and O are generated. What key(s) will allow a member to receive data for time T2 - T8? 13