CS 161 Computer Security Spring 2010 Paxson/Wagner MT2



Similar documents
Midterm 2 exam solutions. Please do not read or discuss these solutions in the exam room while others are still taking the exam.

Network Security. Computer Networking Lecture 08. March 19, HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Client Server Registration Protocol

Overview. SSL Cryptography Overview CHAPTER 1

Content Teaching Academy at James Madison University

Security. Friends and Enemies. Overview Plaintext Cryptography functions. Secret Key (DES) Symmetric Key

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Chapter 17. Transport-Level Security

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Chapter 8. Network Security

Exam Papers Encryption Project PGP Universal Server Trial Progress Report

Module 8. Network Security. Version 2 CSE IIT, Kharagpur

Security. Contents. S Wireless Personal, Local, Metropolitan, and Wide Area Networks 1

7 Network Security. 7.1 Introduction 7.2 Improving the Security 7.3 Internet Security Framework. 7.5 Absolute Security?

Savitribai Phule Pune University

Designing a Secure Client-Server System Master of Science Thesis in the Programme Software Engineering & Technology

Chapter 10. Cloud Security Mechanisms

SAMPLE EXAM QUESTIONS MODULE EE5552 NETWORK SECURITY AND ENCRYPTION ECE, SCHOOL OF ENGINEERING AND DESIGN BRUNEL UNIVERSITY UXBRIDGE MIDDLESEX, UK

Using etoken for SSL Web Authentication. SSL V3.0 Overview

CRYPTOGRAPHY IN NETWORK SECURITY

Network Security. Gaurav Naik Gus Anderson. College of Engineering. Drexel University, Philadelphia, PA. Drexel University. College of Engineering

Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Soran University Faculty of Science and Engineering Computer Science Department Information Security Module Specification

CSci 530 Midterm Exam. Fall 2012

CSE/EE 461 Lecture 23

CS Final Exam

: Network Security. Name of Staff: Anusha Linda Kostka Department : MSc SE/CT/IT

IT Networks & Security CERT Luncheon Series: Cryptography

12/8/2015. Review. Final Exam. Network Basics. Network Basics. Network Basics. Network Basics. 12/10/2015 Thursday 5:30~6:30pm Science S-3-028

INTRODUCTION TO CRYPTOGRAPHY

CS 161 Computer Security

CS155. Cryptography Overview

KEY DISTRIBUTION: PKI and SESSION-KEY EXCHANGE. Mihir Bellare UCSD 1

Vulnerabilità dei protocolli SSL/TLS

Chapter 8. Cryptography Symmetric-Key Algorithms. Digital Signatures Management of Public Keys Communication Security Authentication Protocols

Wireless Networks. Welcome to Wireless

Cornerstones of Security

Topics in Network Security

What is Web Security? Motivation

Security & Privacy on the WWW. Topic Outline. Information Security. Briefing for CS4173

Authentication Application

VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui

CS 758: Cryptography / Network Security

Authenticity of Public Keys

COSC 472 Network Security

CSC Network Security. User Authentication Basics. Authentication and Identity. What is identity? Authentication: verify a user s identity

Is your data safe out there? -A white Paper on Online Security

Key Management. CSC 490 Special Topics Computer and Network Security. Dr. Xiao Qin. Auburn University

Three attacks in SSL protocol and their solutions

The Feasibility and Application of using a Zero-knowledge Protocol Authentication Systems

Part I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai Siemens AG 2001, ICN M NT

Our Key Security Features Are:

Connected from everywhere. Cryptelo completely protects your data. Data transmitted to the server. Data sharing (both files and directory structure)

SecureCom Mobile s mission is to help people keep their private communication private.

7 Key Management and PKIs

Princeton University Computer Science COS 432: Information Security (Fall 2013)

EXAM questions for the course TTM Information Security May Part 1

Chapter 10. Network Security

CS5008: Internet Computing

Network Security #10. Overview. Encryption Authentication Message integrity Key distribution & Certificates Secure Socket Layer (SSL) IPsec

CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

Data Encryption WHITE PAPER ON. Prepared by Mohammed Samiuddin.

SSL/TLS: The Ugly Truth

Network Security [2] Plain text Encryption algorithm Public and private key pair Cipher text Decryption algorithm. See next slide

EE 7376: Introduction to Computer Networks. Homework #3: Network Security, , Web, DNS, and Network Management. Maximum Points: 60

CSCE 465 Computer & Network Security

12/3/08. Security in Wireless LANs and Mobile Networks. Wireless Magnifies Exposure Vulnerability. Mobility Makes it Difficult to Establish Trust

CS558. Network Security. Boston University, Computer Science. Midterm Spring 2014.

E-commerce. Security. Learning objectives. Internet Security Issues: Overview. Managing Risk-1. Managing Risk-2. Computer Security Classifications

CS 356 Lecture 27 Internet Security Protocols. Spring 2013

How To Encrypt Data With Encryption

Massachusetts Institute of Technology Handout : Network and Computer Security October 9, 2003 Professor Ronald L. Rivest.

Chapter 7: Network security

Authentication Types. Password-based Authentication. Off-Line Password Guessing

You re FREE Guide SSL. (Secure Sockets Layer) webvisions

Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ MEng. Nguyễn CaoĐạt

Practice Questions. CS161 Computer Security, Fall 2008

Cryptography and Network Security

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: Security Note

Chapter 7 Transport-Level Security

Sync Security and Privacy Brief

Chapter 16: Authentication in Distributed System

Digital Certificates (Public Key Infrastructure) Reshma Afshar Indiana State University

CS 361S - Network Security and Privacy Spring Homework #1

Transport Level Security

Security Goals Services

Overview of Public-Key Cryptography

What is network security?

Cryptography Overview

Security (WEP, WPA\WPA2) 19/05/2009. Giulio Rossetti Unipi

Introduction to Cryptography

SENSE Security overview 2014

2.4: Authentication Authentication types Authentication schemes: RSA, Lamport s Hash Mutual Authentication Session Keys Trusted Intermediaries

Properties of Secure Network Communication

CNT4406/5412 Network Security Introduction

As enterprises conduct more and more

Secure Sockets Layer (SSL) / Transport Layer Security (TLS)

Why you need secure

The Misuse of RC4 in Microsoft Word and Excel

OPENID AUTHENTICATION SECURITY

Transcription:

CS 161 Computer Security Spring 2010 Paxson/Wagner MT2 PRINT your name:, (last) SIGN your name: (first) PRINT your class account login: cs161- Your T s name: Your section time: Name of the person sitting to your left: Name of the person sitting to your right: You may consult one sheet of paper (double-sided) of notes written for this midterm, plus the sheet of paper you brought to midterm 1. You may not consult other notes, textbooks, etc. Calculators and computers are not permitted. Please write your answers in the spaces provided in the test. We will not grade anything on the back of an exam page unless we are clearly told on the front of the page to look there. You have 80 minutes. There are 6 questions, of varying credit (100 points total). The questions are of varying difficulty, so avoid spending too long on any one question. Do not turn this page until your instructor tells you to do so. Problem 1 Problem 2 Problem 3 Problem 4 Problem 5 Problem 6 Total CS 161, Spring 2010, MT2 1

Problem 1. [True or false] (14 points) Circle TRUE or FLSE. Do not justify your answers on this problem. (a) TRUE or FLSE: If lice has a message to send to Bob and she wants to encrypt the message using asymmetric cryptography so that no one other than Bob can read it, she does so by using Bob s public key. (b) TRUE or FLSE: SSL and TLS provide essentially the same end-to-end security properties. (c) TRUE or FLSE: Properly used, a MC provides both confidentiality and integrity. (d) TRUE or FLSE: DNSSEC uses SSL between different name servers to certify that the results of DNS queries match those that the name servers are authorized to provide. (e) TRUE or FLSE: In the United States, if a company posts a privacy policy on their web site and fails to comply with it, they can be prosecuted for false advertising. (f) TRUE or FLSE: n attraction of public key cryptography is that, if implemented properly, the algorithms generally run much faster than those for symmetric key cryptography. (g) TRUE or FLSE: Memory protection, as found in a typical operating system, prevents malicious code running in kernel mode from writing to application-owned pages. CS 161, Spring 2010, MT2 2

Problem 2. [Multiple choice] (18 points) For parts (a), (b), and (c), circle all correct choices. (a) TLS uses the following cryptographic techniques: (i) symmetric-key cryptography. (ii) Symmetric-key cryptography. (iii) Cryptographic hash functions. (iv) PKI certificates. (v) Nonces. (vi) None of the above. (b) Which of the following properties must a cryptographic hash function provide? (i) Key revocation. (ii) Collision resistance. (iii) deterministic mapping from input to output. (iv) One-to-one mapping of input to output. (v) Difficulty of finding an input that matches a given hash. (vi) None of the above. (c) What risks arise when using the same key to encrypt both directions of a communication channel, that aren t present if using different keys for the different directions? (i) Message tampering by flipping bits in the ciphertext. (ii) Reflection attacks. (iii) Hash collisions. (iv) Eavesdropping attacks. (v) Denial-of-service. (vi) None of the above. (d) For this part, circle only the best choice. s we saw in class, WEP is vulnerable to active attacks that allow an active attacker to flip bits in the ciphertext and thereby cause unauthorized modifications to the message received by the recipient. What would be the best defense against this kind of attack? (i) Use a different key for each direction and for each wireless device. (ii) Protect the ciphertext using a MC. (iii) Encrypt using ES in Cipher Block Chaining (CBC) mode. (iv) Encrypt using ES in Electronic Code Book (ECB) mode. (v) Prepend a random 32-bit nonce to the packet before applying the CRC and encrypting it. CS 161, Spring 2010, MT2 3

Problem 3. [Terminology] (14 points) For each of the numbered concepts given below, list the term that best applies: ccess control list El Gamal encryption Private key ES Entropy Public key symmetry cryptography IV Revocation list Certificate Kirchoff s principle RS Certificate authority Known plaintext attack Sandboxing Chosen plaintext attack MC Setuid Counter mode Message integrity SH256 Cryptographic hash Nonce SYN cookies Dictionary attack One-time pad Trapdoor one-way function Diffie-Hellman exchange PKI Web-of-trust Not all terms are used. 1. The security goal of ensuring that a communication arrives at the recipient in a form identical to what the sender transmitted. 2. widely used, standardized symmetric key encryption algorithm. 3. way of checking whether the private key matching the public key in a certificate has been compromised and so the certificate should no longer be accepted. 4. symmetric-key algorithm for ensuring that a message has not been tampered with. 5. The amount of uncertainty that an attacker faces when trying to guess an unseen value. 6. n approach by which users can build up a degree of confidence in a public key s validity without requiring a trusted root of authority. 7. n algorithm for digitally signing data with a private key such that anyone with possession of the corresponding public key can verify the signature. 8. signed statement by a trusted authority that a given public key indeed belongs to a given party. 9. value used in symmetric key cryptography to ensure that a new session that transmits the same text as a previous session does not result in identical ciphertext. 10. way of constructing a stream cipher, given a block cipher. 11. The notion that the security of a well-designed cryptography algorithm should not rely upon the secrecy of the algorithm itself but only on the secret keys it uses. 12. widely used, standardized cryptographic hash function. 13. Unix operating system mechanism that enables a program to execute with the privileges of a different user identity rather than the identity of the user who invoked the progam. 14. trusted third party who provides a way for one party to learn the public key of another party. Web browsers have a list of these trusted third parties, to support communication using HTTPS. CS 161, Spring 2010, MT2 4

Problem 4. [Cryptography] (15 points) SuperMail is a company designing a secure email system for protecting emails using cryptography. They have hired you to advise them on the best way to use cryptographic algorithms for this purpose. Their system generates two public/private keypairs for each user of the system (one keypair for signing, one for encryption) and provides a way for each user to securely learn the public keys of all of their contacts. In the following, you can assume that digital signatures are computed using RS and public-key encryption is performed using El Gamal. (a) SuperMail wants every email to be authenticated and protected from modification or tampering while it is transit from the sender to the receiver. Suppose lice is sending an email M to Bob. Given SuperMail s design constraints, which of the following options would be a secure way to protect the authenticity and integrity of her email? Circle all secure choices. (i) lice s software should encrypt M under Bob s public key. In other words, lice s software should send E KB (M) to Bob. (ii) lice s software should send M along with a digital signature on M using lice s private key. In other words, lice should send M,Sign K 1(M). (iii) lice s software should choose a new symmetric key k for this email, send an encryption of k under Bob s public key, and also send an encryption of M under k using a stream cipher such as RC4. In other words, lice should send E KB (k),m RC4(k). (iv) lice s software should choose a new symmetric key k for this email, send an encryption of k under Bob s public key, and also send an encryption of M under k using ES in CBC mode. In other words, lice should send E KB (k),es-cbc-encrypt k (M). (v) lice s software should choose a new symmetric key k for this email. Then it should send four pieces of information: the message M, a MC on M under the key k, an encryption of k under Bob s public key, and a digital signature on k using lice s private key. In other words, lice should send M,MC k (M),E KB (k),sign K 1(k). (b) SuperMail wants to adds a new feature for secure transmission of confidential email. They have in mind that the sender should be able to mark an email to indicate that it is confidential. Confidential emails should be protected from eavesdropping, interception, modification, or tampering while they are in transit from the sender to the receiver. SuperMail wants to protect the authenticity, integrity, and confidentiality of confidential emails. Let M be a confidential email that lice wants to send to Bob, K B be Bob s encryption public key, and K 1 be lice s private key for signing. Which of the following options would be the best choice for protecting confidential emails? Circle only the best choice. (i) Send E KB (M),Sign K 1(K B ). (M). (ii) Send E KB (M),Sign K 1 (iii) Send E KB (M),Sign K 1 (E KB (M)). (iv) Send E KB (k),sign K 1 E k represents encryption under k with a symmetric-key encryption algorithm. (E KB (k)),e k (M) where k is a new symmetric key chosen for this email and (v) Send E KB (k),sign K 1(E KB (k)),e k (M),MC k (M) where k is a new symmetric key chosen for this email, E k represents encryption under k with a symmetric-key encryption algorithm, and MC k represents a message authentication code (MC) using key k. CS 161, Spring 2010, MT2 5

Problem 5. [Local system security and privacy] (21 points) This problem concerns safeguarding your privacy when using your desktop computer, in the presence of the desktop system having potential security problems. For each question, provide a short answer. (a) To maintain your privacy, before surfing to www.twitter.com you always instruct your browser to delete all of your cookies. The browser s documentation states that cookies are stored in the file /.mycookies.txt, and you know from past experience that indeed that s where they are kept. Suppose you are concerned that your browser has malicious code running within it, though you are confident that your operating system has not been compromised. You type www.twitter.com into your browser s address bar to take you to the Twitter site. re there steps you could take (which could involve additional effort on your part) to check whether your browser sent any information to www.twitter.com via cookies as part of that request? Circle yes or no, then briefly explain. (i) Yes. Justification: (ii) No. (b) Now consider a slightly modified situation where you are confident that your browser has not been tampered with, but you are concerned that your operating system may have been compromised. You type https://secrets.cs.berkeley.edu into the browser s address bar, and your browser establishes a TLS connection to https://secrets.cs.berkeley.edu. That web server responds with a Web form for you to type in your username and password, and your browser sends back your answers via TLS. Can malware running inside the operating system extract your username and password? Circle yes or no, then briefly explain. (i) Yes. Justification: (ii) No. (c) Suppose now that you are confident that both your browser and your operating system have not been tampered with, but you believe a user-level process that runs as user daemon has been infected and is running malware. Permissions on your system allow user daemon to read your files (which includes the browser executable) but not to write them. You are confident that your OS correctly implements these permissions and provides process-level isolation and memory protection. However, user daemon is allowed by the operating system to sniff packets received or sent by your system s network interface card. ssume that your browser is free of bugs. You again make a TLS connection to https://secrets.cs.berkeley.edu. Can the malware running as user daemon extract your username and password? Explain how, or why not. Circle yes or no, then briefly explain. (i) Yes. Justification: (ii) No. CS 161, Spring 2010, MT2 6

Problem 6. [n alternate authentication scheme] (18 points) The startup company Gingerbread, Inc. is marketing a new authentication scheme to several banks that offer online banking services. In Gingerbread s sales presentation, they suggest that banks can eliminate passwords and all existing authentication schemes and replace them with the Gingerbread web authentication scheme. Here s the secret sauce behind their scheme. The Gingerbread employees have read the HTTP specification carefully. They discovered that when a web server sends a cookie to your web browser, there are two optional flags that the web server can set: If the persistent flag is set, the browser will store the cookie forever on persistent storage (e.g., the filesystem). Even if the user closes the browser, reboots their machine, and starts a new browser instance, the browser still remembers the cookie. If the secure flag is set, the browser will only send the cookie back over a SSL (HTTPS) connection. The browser will never send the cookie back over an unencrypted (HTTP) connection. This ensures that eavesdroppers will never be able to learn the value of a cookie set with the secure flag. These two flags do not change any other aspect of how browsers handle cookies. In the Gingerbread scheme, the bank s web site will use SSL (HTTPS) for all operations; the bank s web server does not respond to unencrypted (HTTP) connections. When the user U signs up for online banking, the web server picks a new random 128-bit value U (called the authenticator), sets a secure persistent cookie on the user s browser containing the 128-bit authenticator U, and remembers the association (N U, U ) between the user s account number N U and the 128-bit authenticator U for that user. The bank also asks the user to bookmark the bank s secure web site (at a HTTPS link), and instructs the user to use that bookmark when they want to access their account in the future. When the user visits the bank s website again in the future, the user s browser will send the secure persistent cookie containing the user s authenticator U to the bank s web server. The bank s web server can use the authenticator U to identify and authenticate the user U, and provide the user access to their bank account. You are employed at a local bank, BankOBytes. Your bank manager is trying to decide whether to adopt Gingerbread s scheme on the bank web site, www.bankobytes.com. Your manager shares with you some of the things he s heard about Gingerbread through the rumor mill and would like to know which of these statements are accurate. For each statement listed below, circle either CCURTE or INCCURTE according to whether the statement is an accurate characterization of Gingerbread s scheme. (a) CCURTE or INCCURTE: The Gingerbread scheme provides better security against phishing than password-based authentication: in the Gingerbread scheme, since users don t know their own secret authenticator U, users can t be easily fooled into typing their authenticator into a phishing web site. (b) CCURTE or INCCURTE: The Gingerbread scheme has a serious security flaw: since every web site can read all cookies stored in the browser, if the user visits a malicious third-party web site, the malicious web site could learn the user s authenticator U and then impersonate the user and access the user s bank account. (c) CCURTE or INCCURTE: The Gingerbread scheme has a serious security flaw: it can be easily broken by an attacker who simply tries to connect to the bank s web server many times, trying a different guess at U each time. (continued on next page) CS 161, Spring 2010, MT2 7

(d) CCURTE or INCCURTE: One shortcoming of the Gingerbread scheme is that if the user leaves their computer logged in, then others who have physical access to the user s computer (e.g., the user s family members or the user s roommates) can impersonate the user and obtain access to the user s bank account. (e) CCURTE or INCCURTE: One feature of the Gingerbread scheme is that if the user wants to visit their bank website, but forgets to use the bookmark and types in http://www.bankobytes.com into the browser address bar, then this mistake will not compromise the user s security. From the standpoint of security, this is a good human factors engineering, because it means that this kind of user error does not cause a serious security breach. (f) CCURTE or INCCURTE: potential security risk in the Gingerbread scheme is that, if Gingerbread s scheme is widely adopted by many banks, attackers might start trying to attack the process by which users initially sign up for online banking, instead of trying to steal the user s password. (g) CCURTE or INCCURTE: potential privacy risk in the Gingerbread scheme is that, if Gingerbread s scheme is widely adopted by many banks, advertising networks could use the cookie set by the bank to track users as they browse third-party web sites, without the consent of the user or the user s bank. (h) CCURTE or INCCURTE: The only benefit of using HTTPS connections (instead of HTTP) in the Gingerbread scheme is ensuring that the user s browser is talking to the correct bank and not an imposter. (i) CCURTE or INCCURTE: If the bank preferred to minimize the amount of data that needs to be stored on the bank web server, there is an alternative that is also secure but needs less state on the bank web server: instead of making U a random 128-bit value, the bank could form U as the concatenation of the user s account number N U and a MC on the account number under some key k stored on the bank web server. In other words, in the alternate scheme, the bank web server stores a single key k (never revealed to anyone and the same for all users), and when a user signs up for online banking, the bank sets a cookie containing U = (N U,MC k (N U )) on the user s browser. This alternative is also secure and avoids the need to store the association (N U, U ) on the bank server. CS 161, Spring 2010, MT2 8

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information