Review Questions
20.1 Give examples of applications of IPsec.
20.2 What services are provided by IPsec?
20.3 What parameters identify an SA and what parameters characterize the nature of a particular SA?
20.4 What is the difference between transport mode and tunnel mode?
20.5 What is a replay attack?
20.6 Why does ESP include a padding field?
20.7 What are the basic approaches to bundling SAs?
20.8 What are the roles of the Oakley key determination protocol and ISAKMP in IPsec?
Problems
20.1 Describe and explain each of the entries in Table 20.2.
20.2 Draw a figure similar to Figure 20.8 for AH.
20.3 List the major security services provided by AH and ESP, respectively.
20.4 In discussing AH processing, it was mentioned that not all of the fields in an IP header are included in MAC calculation.
a. For each of the fields in the IPv4 header, indicate whether the field is immutable, mutable but predictable, or mutable (zeroed prior to ICV calculation).
b. Do the same for the IPv6 header.
c. Do the same for the IPv6 extension headers.
In each case, justify your decision for each field.
20.5 Suppose that the current replay window spans from 120 to 530.
a. If the next incoming authenticated packet has sequence number 105, what will the receiver do with the packet, and what will be the parameters of the window after that?
b. If instead the next incoming authenticated packet has sequence number 440, what will the receiver do with the packet, and what will be the parameters of the window after that?
c. If instead the next incoming authenticated packet has sequence number 540, what will the receiver do with the packet, and what will be the parameters of the window after that?
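As an added example that is not part of the textbook's problem set, the following Python implements a sliding anti-replay window of the kind ESP and AH receivers keep, and runs it on the three cases of Problem 20.5. The window bounds 120..530 are taken from the problem, so the window size is 411 (an odd size; real implementations use 32, 64 or a larger power of two). The bitmap convention, the choice to treat sequence number 530 as already received, and the class and function names are assumptions of this example.

```python
# Added example (not from the textbook): an ESP/AH-style anti-replay sliding
# window, run on the three cases of Problem 20.5.  Window bounds follow the
# problem statement (120..530, so a 411-packet window); bit i of the bitmap
# set means "sequence number top-i has been accepted".

class AntiReplayWindow:
    def __init__(self, window_size: int, highest_seq: int):
        self.w = window_size
        self.top = highest_seq        # right edge: highest sequence number accepted so far
        self.seen = 1                 # bitmap over the window; bit 0 is `top` itself (assumed received)

    @property
    def bottom(self) -> int:
        return self.top - self.w + 1  # left edge of the window

    def bounds(self) -> tuple:
        return (self.bottom, self.top)

    def receive(self, seq: int, icv_ok: bool = True) -> str:
        """Process one inbound packet and return the receiver's decision."""
        # 1. Packets left of the window are dropped without any MAC work.
        if seq < self.bottom:
            return "reject: left of window"
        # 2. Inside the window: drop duplicates before spending a MAC verification,
        #    then mark the slot only if the ICV verifies.
        if seq <= self.top:
            bit = 1 << (self.top - seq)
            if self.seen & bit:
                return "reject: replay"
            if not icv_ok:
                return "reject: bad ICV"
            self.seen |= bit
            return "accept: inside window, window unchanged"
        # 3. Right of the window: only an authenticated packet may slide it.
        if not icv_ok:
            return "reject: bad ICV"
        shift = seq - self.top
        self.seen = ((self.seen << shift) | 1) & ((1 << self.w) - 1)
        self.top = seq
        return "accept: window advanced"


def problem_20_5() -> dict:
    """Each part starts from the same window (120..530), as the problem states."""
    results = {}
    for part, seq in (("a", 105), ("b", 440), ("c", 540)):
        win = AntiReplayWindow(window_size=411, highest_seq=530)
        decision = win.receive(seq)           # "authenticated packet": ICV assumed good
        results[part] = (decision, win.bounds())
    return results


if __name__ == "__main__":
    for part, (decision, bounds) in problem_20_5().items():
        print(f"{part}: {decision}; window now {bounds[0]}..{bounds[1]}")
```

The order of the checks matters: the receiver rejects out-of-window and duplicate sequence numbers before verifying the ICV, so replayed traffic costs no MAC computation, and it updates the window only after the ICV verifies, so forged packets with large sequence numbers cannot slide the window forward and shut out legitimate traffic.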
20.6 When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and IPv6, indicate the relationship of each outer IP header field and each extension header in the outer packet to the corresponding field or extension header of the inner IP packet. That is, indicate which outer values are derived from inner values and which are constructed independently of the inner values.
20.7 End-to-end authentication and encryption are desired between two hosts. Draw figures similar to Figure 20.8 that show each of the following.
a. Transport adjacency with encryption applied before authentication.
b. A transport SA bundled inside a tunnel SA with encryption applied before authentication.
c. A transport SA bundled inside a tunnel SA with authentication applied before encryption.
20.8 The IPsec architecture document states that when two transport mode SAs are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption?
20.9 For the IKE key exchange, indicate which parameters in each message go in which ISAKMP payload types.
20.10 Where does IPsec reside in a protocol stack?
Solutions - Cryptography and Network Security - Stallings - 6th edition
Solutions for Chapter 19 - Cryptography and Network Security - Stallings - 6th edition
Review Questions
19.1 What are the five principal services provided by PGP?
19.2 What is the utility of a detached signature?
19.3 Why does PGP generate a signature before applying compression?
19.4 What is R64 conversion?
19.5 Why is R64 conversion useful for an e-mail application?
19.6 How does PGP use the concept of trust?
19.7 What is RFC 5322?
19.8 What is MIME?
19.9 What is S/MIME?
19.10 What is DKIM?
Problems
19.1 PGP makes use of the cipher feedback (CFB) mode of CAST-128, whereas most symmetric encryption applications (other than key encryption) use the cipher block chaining (CBC) mode. We have
CBC: Ci = E(K, [Ci-1 ⊕ Pi]); Pi = Ci-1 ⊕ D(K, Ci)
CFB: Ci = Pi ⊕ E(K, Ci-1); Pi = Ci ⊕ E(K, Ci-1)
These two appear to provide equal security. Suggest a reason why PGP uses the CFB mode.
19.2 In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced?
19.3 As discussed in Appendix P, a PGP user may have multiple public keys. So that a recipient knows which public key is being used by a sender, a key ID, consisting of the least significant 64 bits of the public key, is sent with the message. What is the probability that a user with N public keys will have at least one duplicate key ID?
19.4 As discussed in Appendix P, the first 16 bits of the message digest in a PGP signature are translated in the clear. This enables the recipient to determine if the correct public key was used to decrypt the message digest by comparing the plaintext copy of the first two octets with the first two octets of the decrypted digest.
a. To what extent does this compromise the security of the hash algorithm?
b. To what extent does it in fact perform its intended function, namely, to help determine if the correct RSA key was used to decrypt the digest?
19.5 For this problem and the next, consult Appendix P. In Figure P.2, each entry in the public-key ring contains an Owner Trust field that indicates the degree of trust associated with this public-key owner. Why is that not enough? That is, if this owner is trusted and this is supposed to be the owner’s public key, why is that trust not enough to permit PGP to use this public key?
19.6 What is the basic difference between X.509 and PGP in terms of key hierarchies and key trust?
19.7 Phil Zimmermann chose IDEA, three-key triple DES, and CAST-128 as symmetric encryption algorithms for PGP. Give reasons why each of the following symmetric encryption algorithms described in this book is suitable or unsuitable for PGP: DES, two-key triple DES, and AES.
19.8 Consider radix-64 conversion as a form of encryption. In this case, there is no key. But suppose that an opponent knew only that some form of substitution algorithm was being used to encrypt English text and did not guess that it was R64. How effective would this algorithm be against cryptanalysis?
19.9 Encode the text “plaintext” using the following techniques. Assume characters are stored in 8-bit ASCII with zero parity.
a. Radix-64
b. Quoted-printable
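Problem 19.9 worked in Python, as an added example that is not from the textbook: a radix-64 encoder written out from the 6-bit grouping of each 24-bit input block, and a quoted-printable encoder, both checked against the standard library's base64 and quopri modules. The quoted-printable routine handles a single line and omits the 76-character soft line breaks of RFC 2045; that simplification and the function names are this example's own assumptions.

```python
# Added example (not from the textbook): radix-64 and quoted-printable encoders
# written out step by step for Problem 19.9, checked against Python's base64
# and quopri modules.  The quoted-printable encoder handles a single line and
# omits the 76-character soft line breaks of RFC 2045 (assumption for brevity).
import base64
import quopri

R64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"


def radix64_encode(data: bytes) -> str:
    """Map each 24-bit group (3 octets) to four 6-bit indices into the alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = len(chunk)
        bits = int.from_bytes(chunk + bytes(3 - n), "big")   # zero-pad to 24 bits
        chars = [R64_ALPHABET[(bits >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # 1 leftover octet -> 2 chars + "==", 2 leftover octets -> 3 chars + "="
        keep = n + 1
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def quoted_printable_encode(data: bytes) -> str:
    """Printable 7-bit ASCII passes through; '=' and every other octet becomes =XX."""
    out = []
    for idx, b in enumerate(data):
        last = idx == len(data) - 1
        if 33 <= b <= 126 and b != 0x3D:          # printable, except '=' itself
            out.append(chr(b))
        elif b in (0x20, 0x09) and not last:      # space/tab allowed unless trailing
            out.append(chr(b))
        else:
            out.append(f"={b:02X}")
    return "".join(out)


def problem_19_9() -> dict:
    text = b"plaintext"                   # 8-bit ASCII, high (parity) bit zero
    return {"radix64": radix64_encode(text),
            "quoted_printable": quoted_printable_encode(text)}


if __name__ == "__main__":
    print(problem_19_9())
    assert radix64_encode(b"plaintext") == base64.b64encode(b"plaintext").decode()
    assert quoted_printable_encode(b"caf\xc3\xa9") == quopri.encodestring(b"caf\xc3\xa9").decode()
```

Because every octet of "plaintext" is printable 7-bit ASCII, quoted-printable leaves it unchanged; the =XX escapes only appear for non-ASCII octets, for "=" itself, and for trailing whitespace, which is why the checks in the block also run the encoder over a string containing a non-ASCII character.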
Solutions for Chapter 18 - Cryptography and Network Security - Stallings - 6th edition
Review Questions
18.1 What is the basic building block of an 802.11 WLAN?
18.2 Define an extended service set.
18.3 List and briefly define IEEE 802.11 services.
18.4 Is a distribution system a wireless network?
18.5 How is the concept of an association related to that of mobility?
18.6 What security areas are addressed by IEEE 802.11i?
18.7 Briefly describe the four IEEE 802.11i phases of operation.
18.8 What is the difference between TKIP and CCMP?
Problems
18.1 In IEEE 802.11, open system authentication simply consists of two communications. An authentication request, containing the station ID (typically the MAC address), is sent by the client. This is followed by an authentication response from the AP/router containing a success or failure message. An example of when a failure may occur is if the client’s MAC address is explicitly excluded in the AP/router configuration.
a. What are the benefits of this authentication scheme?
b. What are the security vulnerabilities of this authentication scheme?
18.2 Prior to the introduction of IEEE 802.11i, the security scheme for IEEE 802.11 was Wired Equivalent Privacy (WEP). WEP assumed all devices in the network share a secret key. The purpose of the authentication scenario is for the STA to prove that it possesses the secret key. Authentication proceeds as shown in Figure 18.12. The STA sends a message to the AP requesting authentication. The AP issues a challenge, which is a sequence of 128 random bytes sent as plaintext. The STA encrypts the challenge with the shared key and returns it to the AP. The AP decrypts the incoming value and compares it to the challenge that it sent. If there is a match, the AP confirms that authentication has succeeded.
a. What are the benefits of this authentication scheme?
b. This authentication scheme is incomplete. What is missing and why is this important? Hint: The addition of one or two messages would fix the problem.
c. What is a cryptographic weakness of this scheme?
18.3 For WEP, data integrity and data confidentiality are achieved using the RC4 stream encryption algorithm. The transmitter of an MPDU performs the following steps, referred to as encapsulation:
1. The transmitter selects an initial vector (IV) value.
2. The IV value is concatenated with the WEP key shared by transmitter and receiver to form the seed, or key input, to RC4.
3. A 32-bit cyclic redundancy check (CRC) is computed over all the bits of the MAC data field and appended to the data field. The CRC is a common error-detection code used in data link control protocols. In this case, the CRC serves as an integrity check value (ICV).
4. The result of step 3 is encrypted using RC4 to form the ciphertext block.
5. The plaintext IV is prepended to the ciphertext block to form the encapsulated MPDU for transmission.
a. Draw a block diagram that illustrates the encapsulation process.
b. Describe the steps at the receiver end to recover the plaintext and perform the integrity check.
c. Draw a block diagram that illustrates part b.
18.4 A potential weakness of the CRC as an integrity check is that it is a linear function. This means that you can predict which bits of the CRC are changed if a single bit of the message is changed. Furthermore, it is possible to determine which combination of bits could be flipped in the message so that the net result is no change in the CRC. Thus, there are a number of combinations of bit flippings of the plaintext message that leave the CRC unchanged, so message integrity is defeated. However, in WEP, if an attacker does not know the encryption key, the attacker does not have access to the plaintext, only to the ciphertext block. Does this mean that the ICV is protected from the bit flipping attack? Explain.
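The encapsulation steps of Problem 18.3 and the CRC-linearity question of Problem 18.4, as an added Python example that is not part of the textbook: it implements RC4, the WEP encapsulation and decapsulation path (steps 1 to 5 above and their reversal at the receiver), and a bit-flipping forgery that rewrites the ciphertext without knowing the key while keeping the ICV valid. The 24-bit IV, the 40-bit shared key, the little-endian ICV encoding and the sample frame are constructed assumptions of this example. WEP appears here only because the problems ask about it; it is broken and must not be deployed.

```python
# Added example (not from the textbook): WEP encapsulation / decapsulation as
# described in Problem 18.3, plus the bit-flipping forgery of Problem 18.4.
# Assumptions: a 24-bit IV, a 40-bit shared key, and the ICV appended
# little-endian; the sample frame and key are constructed for this demo.
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA), then XOR the generated keystream (PRGA) over data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Step 3: the WEP integrity check value is a plain CRC-32 over the MAC data field."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encapsulate(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    seed = iv + wep_key                      # step 2: seed = IV || shared key
    body = data + icv(data)                  # step 3: append the ICV
    return iv + rc4(seed, body)              # steps 4-5: encrypt, prepend the cleartext IV


def wep_decapsulate(wep_key: bytes, frame: bytes) -> tuple:
    """Receiver: strip the IV, rebuild the seed, decrypt, split off and check the ICV."""
    iv, ciphertext = frame[:3], frame[3:]
    plain = rc4(iv + wep_key, ciphertext)    # RC4 keystream XOR is its own inverse
    data, received_icv = plain[:-4], plain[-4:]
    return data, received_icv == icv(data)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Problem 18.4: change the ciphertext without the key and keep the ICV valid.

    CRC-32 is affine over GF(2): crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros of the
    same length).  The ICV is only XORed with keystream, so the attacker applies
    the same correction to the encrypted ICV bytes and never sees the plaintext.
    """
    iv, ct_data, ct_icv = frame[:3], frame[3:-4], frame[-4:]
    assert len(delta) == len(ct_data)
    icv_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return iv + xor(ct_data, delta) + xor(ct_icv, icv_fix.to_bytes(4, "little"))


# Constructed sample values for the demonstration.
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("000001")
ORIGINAL = b"GET /index.html"
TARGET = b"GET /admin.html"          # same length: the attacker needs only the XOR difference


def demo() -> dict:
    frame = wep_encapsulate(WEP_KEY, IV, ORIGINAL)
    data, ok = wep_decapsulate(WEP_KEY, frame)
    # The attacker knows (or guesses) ORIGINAL and wants TARGET; no key is needed.
    forged = flip_bits(frame, xor(ORIGINAL, TARGET))
    forged_data, forged_ok = wep_decapsulate(WEP_KEY, forged)
    # Naive tampering that leaves the encrypted ICV alone is caught by the receiver.
    naive = frame[:3] + xor(frame[3:-4], xor(ORIGINAL, TARGET)) + frame[-4:]
    _, naive_ok = wep_decapsulate(WEP_KEY, naive)
    return {"legit": (data, ok), "forged": (forged_data, forged_ok), "naive": naive_ok}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The forgery succeeds because both the CRC and the stream cipher are linear: flipping a ciphertext bit flips the same plaintext bit, and the attacker can compute the matching ICV correction from the difference alone. A keyed MAC (as in CCMP) breaks this, since the correction to the tag would then depend on the key.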
Solutions for Chapter 17 - Cryptography and Network Security - Stallings - 6th edition
Review Questions
17.1 What are the advantages of each of the three approaches shown in Figure 17.1?
17.2 What protocols comprise SSL?
17.3 What is the difference between an SSL connection and an SSL session?
17.4 List and briefly define the parameters that define an SSL session state.
17.5 List and briefly define the parameters that define an SSL session connection.
17.6 What services are provided by the SSL Record Protocol?
17.7 What steps are involved in the SSL Record Protocol transmission?
17.8 What is the purpose of HTTPS?
17.9 For what applications is SSH useful?
17.10 List and briefly define the SSH protocols.
Problems
17.1 In SSL and TLS, why is there a separate Change Cipher Spec Protocol rather than including a change_cipher_spec message in the Handshake Protocol?
17.2 What purpose does the MAC serve during the change cipher spec SSL exchange?
17.3 Consider the following threats to Web security and describe how each is countered by a particular feature of SSL.
a. Brute-Force Cryptanalytic Attack: An exhaustive search of the key space for a conventional encryption algorithm.
b. Known Plaintext Dictionary Attack: Many messages will contain predictable plaintext, such as the HTTP GET command. An attacker constructs a dictionary containing every possible encryption of the known-plaintext message. When an encrypted message is intercepted, the attacker takes the portion containing the encrypted known plaintext and looks up the ciphertext in the dictionary. The ciphertext should match against an entry that was encrypted with the same secret key. If there are several matches, each of these can be tried against the full ciphertext to determine the right one. This attack is especially effective against small key sizes (e.g., 40-bit keys).
c. Replay Attack: Earlier SSL handshake messages are replayed.
d. Man-in-the-Middle Attack: An attacker interposes during key exchange, acting as the client to the server and as the server to the client.
e. Password Sniffing: Passwords in HTTP or other application traffic are eavesdropped.
f. IP Spoofing: Uses forged IP addresses to fool a host into accepting bogus data.
g. IP Hijacking: An active, authenticated connection between two hosts is disrupted and the attacker takes the place of one of the hosts.
h. SYN Flooding: An attacker sends TCP SYN messages to request a connection but does not respond to the final message to establish the connection fully. The attacked TCP module typically leaves the “half-open connection” around for a few minutes. Repeated SYN messages can clog the TCP module.
17.4 Based on what you have learned in this chapter, is it possible in SSL for the receiver to reorder SSL record blocks that arrive out of order? If so, explain how it can be done. If not, why not?
17.5 For SSH packets, what is the advantage, if any, of not including the MAC in the scope of the packet encryption?
Solutions for Chapter 16 - Cryptography and Network Security - Stallings - 6th edition
Review Questions
16.1 Provide a brief definition of network access control.
16.2 What is an EAP?
16.3 List and briefly define four EAP authentication methods.
16.4 What is EAPOL?
16.5 What is the function of IEEE 802.1X?
16.6 Define cloud computing.
16.7 List and briefly define three cloud service models.
16.8 What is the cloud computing reference architecture?
16.9 Describe some of the main cloud-specific security threats.
Problems
16.2 Figure 16.3 suggests that EAP can be described in the context of a four-layer model. Indicate the functions and formats of each of the four layers. You may need to refer to RFC 3748.
Solutions for Chapter 15 - Cryptography and Network Security - Stallings - 6th edition
Review Questions
15.1 Give examples of replay attacks.
15.2 List three general approaches to dealing with replay attacks.
15.3 What is a suppress-replay attack?
15.4 What problem was Kerberos designed to address?
15.5 What are three threats associated with user authentication over a network or Internet?
15.6 List three approaches to secure user authentication in a distributed environment.
15.7 What four requirements were defined for Kerberos?
15.8 What entities constitute a full-service Kerberos environment?
15.9 In the context of Kerberos, what is a realm?
15.10 What are the principal differences between version 4 and version 5 of Kerberos?
Problems
15.1 In Section 15.4, we outlined the public-key scheme proposed in [WOO92a] for the distribution of secret keys. The revised version includes IDA in steps 5 and 6. What attack, specifically, is countered by this revision?
15.2 The protocol referred to in Problem 15.1 can be reduced from seven steps to five, having the following sequence:
a. A -> B:
b. A -> KDC:
c. KDC -> B:
d. B -> A:
e. A -> B:
Show the message transmitted at each step. Hint: The final message in this protocol is the same as the final message in the original protocol.
15.3 Reference the suppress-replay attack described in Section 15.2 to answer the following.
a. Give an example of an attack when a party’s clock is ahead of that of the KDC.
b. Give an example of an attack when a party’s clock is ahead of that of another party.
15.4 There are three typical ways to use nonces as challenges. Suppose Na is a nonce generated by A, A and B share key K, and f() is a function (such as an increment). The three usages are
Describe situations for which each usage is appropriate.
15.5 Show that a random error in one block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (see Figure T.2 in Appendix T).
15.6 Suppose that, in PCBC mode, blocks Ci and Ci+1 are interchanged during transmission. Show that this affects only the decrypted blocks Pi and Pi+1 but not subsequent blocks.
15.7 In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol. The original version of X.509 contains a security flaw. The essence of the protocol is as follows.
where tA and tB are timestamps, rA and rB are nonces, and the notation X {Y} indicates that the message Y is transmitted, encrypted, and signed by X. The text of X.509 states that checking timestamps tA and tB is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C initially sends the first captured message to B:
C -> B: A {0, rA, IDB}
B responds, thinking it is talking to A but is actually talking to C:
B -> C: B {0, r'B, IDA, rA}
C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:
A -> C: A {0, r'A, IDC}
C responds to A using the same nonce provided to C by B:
C -> A: C {0, r'B, IDA, r'A}
A responds with
A -> C: A {r'B}
This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.
C -> B: A {r'B}
So B will believe it is talking to A whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.
15.8 Consider a one-way authentication technique based on asymmetric encryption:
A -> B: IDA
B -> A: R1
A -> B: E(PRa, R1)
a. Explain the protocol.
b. What type of attack is this protocol susceptible to?
15.9 Consider a one-way authentication technique based on asymmetric encryption:
A -> B: IDA
B -> A: E(PUa, R2)
A -> B: R2
a. Explain the protocol.
b. What type of attack is this protocol susceptible to?
15.10 In Kerberos, when Bob receives a Ticket from Alice, how does he know it is genuine?
15.11 In Kerberos, when Bob receives a Ticket from Alice, how does he know it came from Alice?
15.12 In Kerberos, when Alice receives a reply, how does she know it came from Bob (that it’s not a replay of an earlier message from Bob)?
15.13 In Kerberos, what does the Ticket contain that allows Alice and Bob to talk securely?
Solutions for Chapter 14 - Cryptography and Network Security - Stallings - 6th edition
Review Questions
14.1 List ways in which secret keys can be distributed to two communicating parties.
Get 14.1 exercise solution
14.2 What is the difference between a session key and a master key?
Get 14.2 exercise solution
14.3 What is a nonce?
Get 14.3 exercise solution
14.4 What is a key distribution center?
Get 14.4 exercise solution
14.5 What are two different uses of public-key cryptography related to key distribution?
Get 14.5 exercise solution
14.6 List four general categories of schemes for the distribution of public keys.
Get 14.6 exercise solution
14.7 What are the essential ingredients of a public-key directory?
Get 14.7 exercise solution
14.8 What is a public-key certificate?
Get 14.8 exercise solution
14.9 What are the requirements for the use of a public-key certificate scheme?
Get 14.9 exercise solution
14.10 What is the purpose of the X.509 standard?
Get 14.10 exercise solution
14.11 What is a chain of certificates?
Get 14.11 exercise solution
14.12 How is an X.509 certificate revoked?
Get 14.12 exercise solution
Problems
14.1 One local area network vendor provides a key distribution facility, as illustrated in Figure 14.18.
a. Describe the scheme.
b. Compare this scheme to that of Figure 14.3. What are the pros and cons?
Get 14.1 exercise solution
14.2 “We are under great pressure, Holmes.” Detective Lestrade looked nervous. “We have learned that copies of sensitive government documents are stored in computers of one foreign embassy here in London. Normally these documents exist in electronic form only on a selected few government computers that satisfy the most stringent security requirements. However, sometimes they must be sent through the network connecting all government computers. But all messages in this network are encrypted using a top-secret encryption algorithm certified by our best crypto experts. Even the NSA and the KGB are unable to break it. And now these documents have appeared in the hands of diplomats of a small, otherwise insignificant, country. And we have no idea how it could happen.”
“But you do have some suspicion who did it, do you?” asked Holmes.
“Yes, we did some routine investigation. There is a man who has legal access to one of the government computers and has frequent contacts with diplomats from the embassy. But the computer he has access to is not one of the trusted ones where these documents are normally stored. He is the suspect, but we have no idea how he could obtain copies of the documents. Even if he could obtain a copy of an encrypted document, he couldn’t decrypt it.”
“Hmm, please describe the communication protocol used on the network.” Holmes opened his eyes, thus proving that he had followed Lestrade’s talk with an attention that contrasted with his sleepy look.
“Well, the protocol is as follows. Each node N of the network has been assigned a unique secret key Kn. This key is used to secure communication between the node and a trusted server. That is, all the keys are stored also on the server. User A, wishing to send a secret message M to user B, initiates the following protocol:
1. A generates a random number R and sends to the server his name A, destination B, and E(Ka, R).
2. Server responds by sending E(Kb, R) to A.
3. A sends E(R, M) together with E(Kb, R) to B.
4. B knows Kb, thus decrypts E(Kb, R) to get R, and will subsequently use R to decrypt E(R, M) to get M.
You see that a random key is generated every time a message has to be sent. I admit the man could intercept messages sent between the top-secret trusted nodes, but I see no way he could decrypt them.”
“Well, I think you have your man, Lestrade. The protocol isn’t secure because the server doesn’t authenticate users who send him a request. Apparently the designers of the protocol believed that sending E(Kx, R) implicitly authenticates user X as the sender, as only X (and the server) knows Kx. But you know that E(Kx, R) can be intercepted and later replayed. Once you understand where the hole is, you will be able to obtain enough evidence by monitoring the man’s use of the computer he has access to. Most likely he works as follows. After intercepting E(Ka, R) and E(R, M) (see steps 1 and 3 of the protocol), the man, let’s denote him as Z, will continue by pretending to be A and …
Finish the sentence for Holmes.
Get 14.2 exercise solution
14.3 The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus n: It must be ensured that e > log2(n) to prevent attack by taking the eth root mod n to disclose the plaintext. Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?
Get 14.3 exercise solution
14.4 Find at least one intermediate certification authority’s certificate and one trusted root certification authority’s certificate on your computer (e.g. in the browser). Print screenshots of both the general and details tab for each certificate.
Get 14.4 exercise solution
14.5 NIST defines the term cryptoperiod as the time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect. One document on key management uses the following time diagram for a shared secret key.
Explain the overlap by giving an example application in which the originator’s usage period for the shared secret key begins before the recipient’s usage period and also ends before the recipient’s usage period.
Get 14.5 exercise solution
14.6 Consider the following protocol, designed to let A and B decide on a fresh, shared session key K'AB. We assume that they already share a long-term key KAB.
1. A -> B: A, NA
2. B -> A: E(KAB, [NA, K'AB])
3. A -> B: E(K'AB, NA)
a. We first try to understand the protocol designer’s reasoning:
— Why would A and B believe after the protocol ran that they share K'AB with the other party?
— Why would they believe that this shared key is fresh?
In both cases, you should explain the reasons of both A and B, so your answer should complete the sentences
A believes that she shares K'AB with B since…
B believes that he shares K'AB with A since…
A believes that K'AB is fresh since…
B believes that K'AB is fresh since…
b. Assume now that A starts a run of this protocol with B. However, the connection is intercepted by the adversary C. Show how C can start a new run of the protocol using reflection, causing A to believe that she has agreed on a fresh key with B (in spite of the fact that she has only been communicating with C). Thus, in particular, the belief in (a) is false.
c. Propose a modification of the protocol that prevents this attack.
Get 14.6 exercise solution
14.7 What are the core components of a PKI? Briefly describe each component.
Get 14.7 exercise solution
14.8 Explain the problems with key management and how it affects symmetric cryptography.
Note: The remaining problems deal with a cryptographic product developed by IBM, which is briefly described in a document at this book’s Premium Content Web site (IBMCrypto.pdf). Try these problems after reviewing the document.
Get 14.8 exercise solution
14.9 What is the effect of adding the instruction EMKi?
EMKi: X -> E(KMHi, X), i = 0, 1
Get 14.9 exercise solution
14.10 Suppose N different systems use the IBM Cryptographic Subsystem with host master keys KMH[i] (i = 1, 2, ..., N). Devise a method for communicating between systems without requiring the systems to either share a common host master key or to divulge their individual host master keys. Hint: each system needs three variants of its host master key.
Get 14.10 exercise solution
14.11 The principal objective of the IBM Cryptographic Subsystem is to protect transmissions between a terminal and the processing system. Devise a procedure, perhaps adding instructions, which will allow the processor to generate a session key KS and distribute it to Terminal i and Terminal j without having to store a key-equivalent variable in the host.
Get 14.11 exercise solution