ANSWERS TO QUESTIONS
1.1 The OSI Security Architecture is a framework that provides a
systematic way of defining
the requirements for security and characterizing the approaches to
satisfying those
requirements. The document defines security attacks, mechanisms,
and services, and the
relationships among these categories.
1.2 Passive attacks have to do with eavesdropping on, or monitoring,
transmissions.
Electronic mail, file transfers, and client/server exchanges are
examples of
transmissions that can be monitored. Active attacks include the modification of
transmitted data and attempts to gain unauthorized access to
computer systems.
1.3 Passive attacks: release of message contents and traffic analysis. Active attacks:
masquerade, replay, modification of messages, and denial of
service.
1.4 Authentication: The assurance that the communicating entity is the one that it
claims to be.
Access control: The prevention of unauthorized use of a resource (i.e., this
service controls
who can have access to a resource, under what conditions access can
occur, and what those
accessing the resource are allowed to do).
Data confidentiality: The protection of data from unauthorized disclosure.
Data integrity: The assurance that data received are exactly as sent by an
authorized entity
(i.e., contain no modification, insertion, deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the entities involved
in a
communication of having participated in all or part of the
communication.
Availability service: The property of a system or a system resource being
accessible and
usable upon demand by an authorized system entity, according to
performance
specifications for the system (i.e., a system is available if it
provides services according to
the system design whenever users request them).
1.5 See Table 1.3.
CHAPTER 1
INTRODUCTION
-6-
ANSWERS TO PROBLEMS
1.1 Release
of
message
contents
Traffic
analysis
Masquerade Replay Modification
of messages
Denial
of
service
Peer entity
authentication
Y
Data origin
authentication
Y
Access control Y
Confidentiality Y
Traffic flow
confidentiality
Y
Data integrity Y Y
Non-repudiation Y
Availability Y
1.2 Release
of
message
contents
Traffic
analysis
Masquerade Replay Modification
of messages
Denial
of
service
Encipherment Y
Digital signature Y Y Y
Access control Y Y Y Y Y
Data integrity Y Y
Authentication
exchange
Y Y Y Y
Traffic padding Y
Routing control Y Y Y
Notarization Y Y Y
-7-
ANSWERS TO QUESTIONS
2.1 Plaintext, encryption algorithm, secret key, ciphertext,
decryption algorithm.
2.2 Permutation and substitution.
2.3 One secret key.
2.4 A stream cipher is one that encrypts a digital data stream one bit
or one byte at a
time. A block cipher is one in which a block of plaintext is treated as
a whole and
used to produce a ciphertext block of equal length.
2.5 Cryptanalysis and brute force.
2.6 In some modes, the plaintext does not pass through the encryption
function, but is
XORed with the output of the encryption function. The math works
out that for
decryption in these cases, the encryption function must also be
used.
2.7 With triple encryption, a plaintext block is encrypted by passing
it through an
encryption algorithm; the result is then passed through the same
encryption
algorithm again; the result of the second encryption is passed
through the same
encryption algorithm a third time. Typically, the second stage
uses the decryption
algorithm rather than the encryption algorithm.
2.8 There is no cryptographic significance to the use of decryption
for the second
stage. Its only advantage is that it allows users of 3DES to
decrypt data encrypted
by users of the older single DES by repeating the key.
2.9 With link encryption, each vulnerable communications link is equipped
on both
ends with an encryption device. With end-to-end encryption, the encryption
process is carried out at the two end systems. The source host or
terminal encrypts
the data; the data in encrypted form are then transmitted
unaltered across the
network to the destination terminal or host.
2.10 For two parties A and B, key distribution can be achieved in a
number of ways, as
follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A
and B.
3. If A and B have previously and recently used a key, one party can
transmit
the new key to the other, encrypted using the old key.
CHAPTER 2
SYMMETRIC ENCRYPTION AND MESSAGE
CONFIDENTIALITY
-8-
4. If A and B each has an encrypted connection to a third party C, C
can deliver
a key on the encrypted links to A and B.
2.11 A session key is a temporary encryption key used between two
principals. A
master key is a long-lasting key that is used between a key distribution
center and
a principal for the purpose of encoding the transmission of
session keys. Typically,
the master keys are distributed by noncryptographic means.
2.12 A key distribution center is a system that is authorized to
transmit temporary
session keys to principals. Each session key is transmitted in
encrypted form, using
a master key that the key distribution center shares with the
target principal.
ANSWERS TO PROBLEMS
2.1 To see that the same algorithm with a reversed key order produces
the correct
result, consider the figure following this discussion, which shows
the encryption
process going down the left-hand side and the decryption process
going up the
right-hand side for a 16-round algorithm (the result would be the
same for any
number of rounds). For clarity, we use the notation LEi and
REi for data traveling
through the encryption algorithm and LDi and
RDi for data traveling through the
decryption algorithm. The diagram indicates that, at every round,
the intermediate
value of the decryption process is equal to the corresponding
value of the
encryption process with the two halves of the value swapped. To
put this another
way, let the output of the ith encryption round be LEi||REi (Li concatenated
with
Ri). Then the corresponding input to the (16 – i)th
decryption round is RDi||LDi.
Let us walk through the figure to demonstrate the validity of the
preceding
assertions. To simplify the diagram, it is unwrapped, not showing
the swap that
occurs at the end of each iteration. But note that the
intermediate result at the end
of the ith stage of the encryption process is the 2w-bit quantity
formed by
concatenating LEi
and REi,
and that the intermediate result at the end of the ith
stage of the decryption process is the 2w-bit quantity formed by
concatenating LDi
and RDi. After the last iteration of the encryption
process, the two halves of the
output are swapped, so that the ciphertext is RE16||LE16.
The output of that round
is the ciphertext. Now take that ciphertext and use it as input to
the same algorithm.
The input to the first round is RE16||LE16,
which is equal to the 32-bit swap of the
output of the sixteenth round of the encryption process.
Now we would like to show that the output of the first round of
the decryption
process is equal to a 32-bit swap of the input to the sixteenth
round of the
encryption process. First, consider the encryption process. We see
that:
LE16 = RE15
RE16 = LE15 ⊕ F(RE15, K16)
On the decryption side:
LD1 = RD0 = LE16 =
RE15
RD1 = LD0 ⊕ F(RD0, K16)
= RE16 ⊕ F(RE15,
K16)
-9-
= [LE15 ⊕ F(RE15,K16)]
⊕ F(RE15,
K16)
The XOR has the following properties:
[A ⊕ B] ⊕ C = A ⊕ [B ⊕ C]
D ⊕ D = 0
E ⊕ 0 = E
Thus, we have LD1
= RE15 and
RD1 = LE15. Therefore, the output of the
first
round of the decryption process is LE15||RE15,
which is the 32-bit swap of the
input to the sixteenth round of the encryption. This
correspondence holds all the
way through the 16 iterations, as is easily shown. We can cast
this process in
general terms. For the ith iteration of the encryption algorithm:
LEi = REi-1
REi = LEi-1 ⊕ F(REi-1, Ki)
Rearranging terms:
REi-1 = LEi
LEi-1 = REi ⊕ F(REi-1, Ki) = REi ⊕ F(LEi, Ki)
Thus, we have described the inputs to the ith iteration as a
function of the
outputs, and these equations confirm the assignments shown in the
right-hand side
of the following figure.
Finally, we see that the output of the last round of the
decryption process is
RE0||LE0. A 32-bit swap recovers the
original plaintext, demonstrating the validity
of the Feistel decryption process.
-10-
Output (ciphertext)
F F
F
F
F
LE0 K1 RE0
LE14 K15 RE14
LE16 RE16
RE16 LE16
RE15 K16 LE15
LD0 = RE16 RD0 = LE16
LD2 = RE14 RD2 = LE14
K16
LD14 = RE2 RD14 = LE2
LD16 = RE0 RD16 = LE0
RD16 = LE0 LD16 = RE0
K2
RD1 = LE15 LD1 = RE15
K15
RD15 = LE1 LD15 = RE1
K1
LE2 RE2
RE1 K2 LE1
Input (plaintext)
Input (ciphertext)
Output (plaintext)
F
F
F
⊕ ⊕
⊕ ⊕
⊕ ⊕
⊕ ⊕
2.2 Use a key of length 255 bytes. The first two bytes are zero; that
is K[0] = K[1] = 0.
Thereafter, we have: K[2] = 255; K[3] = 254; … K[255]= 2.
-11-
2.3 a. Simply store i, j, and S, which requires 8 + 8 + (256 × 8) = 2064 bits
b. The number of states is [256! × 2562] ≈ 21700. Therefore, 1700 bits are required.
2.4 a. No. For example, suppose C1 is corrupted. The output block
P3 depends only
on the input blocks C2 and C3.
b. An error in P1 affects C1. But since C1 is
input to the calculation of C2, C2
is
affected. This effect carries through indefinitely, so that all
ciphertext blocks are
affected. However, at the receiving end, the decryption algorithm
restores the
correct plaintext for blocks except the one in error. You can show
this by
writing out the equations for the decryption. Therefore, the error
only effects
the corresponding decrypted plaintext block.
2.5 After decryption, the last byte of the last block is used to
determine the amount of
padding that must be stripped off. Therefore there must be at
least one byte of
padding.
2.6 a. Assume that the last block of plaintext is only L bytes long, where L < 2w/8.
The encryption sequence is as follows (The description in RFC 2040
has an
error; the description here is correct.):
1. Encrypt the first (N – 2) blocks using the
traditional CBC technique.
2. XOR PN–1 with
the previous ciphertext block CN–2 to create YN–1.
3. Encrypt YN–1 to
create EN–1.
4. Select the first L bytes of EN–1 to create CN.
5. Pad PN with zeros at the end and exclusive-OR with EN–1 to create YN.
6. Encrypt YN to create CN–1.
The last two blocks of the ciphertext are CN–1 and CN.
b. PN–1 = CN–2
⊕ D(K, [CN || X])
PN || X
= (CN || 00…0)
⊕ D(K, [CN–1])
PN = left-hand portion of (PN || X)
where || is the concatenation function
2.7 a. Assume that the last block (PN) has j bits. After encrypting
the last full block
(PN–1), encrypt the ciphertext (CN–1)
again, select the leftmost j bits of the
encrypted ciphertext, and XOR that with the short block to
generate the output
ciphertext.
b. While an attacker cannot recover the last plaintext block, he can
change it
systematically by changing individual bits in the ciphertext. If
the last few bits
of the plaintext contain essential information, this is a
weakness.
2.8 Nine plaintext characters are affected. The plaintext character
corresponding to the
ciphertext character is obviously altered. In addition, the
altered ciphertext
character enters the shift register and is not removed until the
next eight characters
are processed.
2.9 The central points should be highly fault-tolerant, should be
physically secured,
and should use trusted hardware/software.
-12-
2.10 Yes. The eavesdropper is left with two strings, one sent in each
direction, and their
XOR is the secret key.
-13-
ANSWERS TO QUESTIONS
3.1 Message encryption, message authentication code, hash function.
3.2 An authenticator that is a cryptographic function of both the data
to be
authenticated and a secret key.
3.3 (a) A hash code is computed from the source message, encrypted using
symmetric
encryption and a secret key, and appended to the message. At the
receiver, the
same hash code is computed. The incoming code is decrypted using
the same key
and compared with the computed hash code. (b) This is the same procedure as in
(a) except that public-key encryption is used; the sender encrypts
the hash code
with the sender's private key, and the receiver decrypts the hash
code with the
sender's public key. (c) A secret value is appended to
a message and then a hash
code is calculated using the message plus secret value as input.
Then the message
(without the secret value) and the hash code are transmitted. The
receiver appends
the same secret value to the message and computes the hash value
over the
message plus secret value. This is then compared to the received
hash code.
3.4 1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and
software implementations practical.
4. For any given value h, it is computationally
infeasible to find x such that H(x)
= h. This is sometimes referred to in the literature
as the one-way property.
5. For any given block x, it is computationally
infeasible to find y ≠ x with H(y) =
H(x).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
3.5 The compression function is the fundamental module, or basic
building block, of a
hash function. The hash function consists of iterated application
of the
compression function.
3.6 Plaintext: This is the readable message or data that is fed into the
algorithm as
input. Encryption algorithm: The encryption algorithm performs various
transformations on the plaintext. Public and private keys: This is a pair of keys
that have been selected so that if one is used for encryption, the
other is used for
decryption. The exact transformations performed by the encryption
algorithm
depend on the public or private key that is provided as input. Ciphertext: This is
the scrambled message produced as output. It depends on the
plaintext and the
key. For a given message, two different keys will produce two
different
CHAPTER 3
PUBLIC-KEY CRYPTOGRAPHY AND MESSAGE
AUTHENTICATION
-14-
ciphertexts. Decryption
algorithm: This algorithm accepts the
ciphertext and the
matching key and produces the original plaintext.
3.7 Encryption/decryption: The sender encrypts a message with the recipient's
public
key. Digital signature: The sender "signs" a message with its
private key. Signing
is achieved by a cryptographic algorithm applied to the message or
to a small
block of data that is a function of the message. Key exchange: Two sides cooperate
to exchange a session key. Several different approaches are
possible, involving the
private key(s) of one or both parties.
3.8 The key used in conventional encryption is typically referred to
as a secret key.
The two keys used for public-key encryption are referred to as the
public key and
the private key.
3.9 A digital signature is an authentication mechanism that enables the
creator of a
message to attach a code that acts as a signature. The signature
is formed by taking
the hash of the message and encrypting the message with the
creator's private key.
The signature guarantees the source and integrity of the message.
3.10 A pubic-key certificate consists of a public key plus a User ID of the key
owner,
with the whole block signed by a trusted third party. Typically,
the third party is a
certificate authority (CA) that is trusted by the user community,
such as a
government agency or a financial institution.
3.11 Several different approaches are possible, involving the private
key(s) of one or
both parties. One approach is Diffie-Hellman key exchange. Another
approach is
for the sender to encrypt a secret key with the recipient's public
key.
ANSWERS TO PROBLEMS
3.1 The CBC mode with an IV of 0 and plaintext blocks D1, D2, . . .,
Dn and 64-bit CFB
mode with IV = D1 and plaintext blocks D2, D3, . . ., Dn yield the
same result.
3.2 a. Yes. The XOR function is simply a vertical parity check. If there
is an odd
number of errors, then there must be at least one column that
contains an odd
number of errors, and the parity bit for that column will detect
the error. Note
that the RXOR function also catches all errors caused by an odd
number of
error bits. Each RXOR bit is a function of a unique
"spiral" of bits in the block of
data. If there is an odd number of errors, then there must be at
least one spiral
that contains an odd number of errors, and the parity bit for that
spiral will
detect the error.
b. No. The checksum will fail to detect an even number of errors when
both the
XOR and RXOR functions fail. In order for both to fail, the
pattern of error bits
must be at intersection points between parity spirals and parity
columns such
that there is an even number of error bits in each parity column
and an even
number of error bits in each spiral.
c. It is too simple to be used as a secure hash function; finding
multiple messages
with the same hash function would be too easy.
-15-
3.3 The statement is false. Such a function cannot be one-to-one
because the number of inputs
to the function is of arbitrary, but the number of unique outputs
is 2n. Thus, there are
multiple inputs that map into the same output.
3.4 a. It satisfies properties 1 through 3 but not the remaining
properties. For
example, for property 4, a message consisting of the value h satisfies H(h) = h.
For property 5, take any message M and add the decimal digit 0 to
the
sequence; it will have the same hash value.
b. It satisfies properties 1 through 3. Property 4 is also satisfied
if n is a large
composite number, because taking square roots modulo such an
integer n is
considered to be infeasible. Properties 5 and 6 are not satisfied
because –M will
have the same value as M.
c. 955
3.5 a. Overall structure:
N × 16 letters
M1 M2 MN
IV = F
0000
H1
F
• • •
• • •
Message
H2
16
HN =
hash
code
16
F
16
16 letters 16 letters 16 letters
Padding
4
Compression function F:
-16-
Mi Hi–1
Column-wise mod 26 addition
Column-wise mod 26 addition
row-wise
rotations
Hi
b. BFQG
c. Simple algebra is all you need to generate a result:
AYHGDAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA
3.6 If you examine the structure of a single round of DES, you see
that the round
includes a one-way function, F, and an XOR:
Ri = Li-1
⊕ F(Ri-1,
Ki)
For DES, the function F is depicted in Figure 2.4. It maps a
32-bit R and a 48-bit K
into a 32-bit output. That is, it maps an 80-bit input into a
32-bit output. This is
clearly a one-way function. Any hash function that produces a
32-bit output could
be used for F. The demonstration in the text that decryption works
is still valid for
any one-way function F.
3.7
a.
M3 =
5 2 1 4 5
1 4 3 2 2
3 1 2 5 3
4 3 4 1 4
2 5 5 3 1
b. Assume a plaintext message p is to be encrypted by Alice and sent
to Bob. Bob
makes use of M1 and M3, and Alice makes use of M2. Bob chooses a
random
number, k, as his private key, and maps k by M1 to get x, which he
sends as his
public key to Alice. Alice uses x to encrypt p with M2 to get z,
the ciphertext,
which she sends to Bob. Bob uses k to decrypt z by means of M3,
yielding the
plaintext message p.
-17-
c. If the numbers are large enough, and M1 and M2 are sufficiently
random to
make it impractical to work backwards, p cannot be found without
knowing k.
3.8 a. n = 33; ö(n) = 20; d = 3; C = 26.
b. n = 55; ö(n) = 40; d = 27; C = 14.
c. n = 77; ö(n) = 60; d = 53; C = 57.
d. n = 143; ö(n) = 120; d = 11; C = 106.
e. n = 527; ö(n) = 480; d = 343; C = 128. For decryption, we have
128343 mod 527 = 128256 × 12864 × 12816 × 1284
× 1282 × 1281
mod 527
= 35 × 256 × 35 × 101 × 47 × 128 = 2 mod 527
= 2 mod 257
3.9 M = 5
3.10 d = 3031
3.11 Yes. If a plaintext block has a common factor with n modulo n then
the encoded
block will also have a common factor with n modulo n. Because we
encode
blocks that are smaller than pq, the factor must be p or q and the
plaintext block
must be a multiple of p or q. We can test each block for
primality. If prime, it is p
or q. In this case we divide into n to find the other factor. If
not prime, we factor
it and try the factors as divisors of n.
3.12 Refer to Figure 3.8 The private key k is the pair {d, n}; the
public key x is the pair
{e, n}; the plaintext p is M; and the ciphertext z is C. M1 is
formed by calculating
d = e–1 mod ö(n). M2 consists of raising M to the power e (mod
n). M2 consists of
raising C to the power d (mod n).
3.13 Yes.
3.14 The opponent has the two-block message B1, B2 and its hash
RSAH(B1, B2). The
following attack will work. Choose an arbitrary C1 and choose C2
such that:
C2 = RSA(C1) ⊕ RSA(B1) ⊕ B2
then
RSA(C1) ⊕ C2 = RSA(C1) ⊕ RSA(C1) ⊕ RSA(B1) ⊕ B2
= RSA(B1) ⊕ B2
so RSAH(C1, C2) = RSA[RSA(C1) ⊕ C2)] = RSA[RSA(B1) ⊕ B2]
= RSAH(B1, B2)
3.15 Consider a set of alphabetic characters {A, B, …, Z}. The
corresponding integers,
representing the position of each alphabetic character in the
alphabet, form a set
of message block values SM = {0, 1, 2, …, 25}. The set of
corresponding ciphertext
block values SC = {0e mod N, 1e mod N, …, 25e mod N}, and can be computed by
everybody with the knowledge of the public key of Bob.
Thus, the most efficient attack against the scheme described in
the
problem is to compute Me mod N for all possible values of M, then create a lookup
table with a ciphertext as an index, and the corresponding
plaintext as a value
of the appropriate location in the table.
-18-
3.16 a. XA = 6
b. K = 3
-19-
ANSWERS TO QUESTIONS
4.1 The problem that Kerberos addresses is this: Assume an open
distributed
environment in which users at workstations wish to access services
on servers
distributed throughout the network. We would like for servers to
be able to
restrict access to authorized users and to be able to authenticate
requests for
service. In this environment, a workstation cannot be trusted to
identify its users
correctly to network services.
4.2 1. A user may gain access to a particular workstation and pretend to
be another
user operating from that workstation. 2. A user may alter the network address of
a workstation so that the requests sent from the altered
workstation appear to
come from the impersonated workstation. 3. A user may eavesdrop on exchanges
and use a replay attack to gain entrance to a server or to disrupt
operations.
4.3 1. Rely on each individual client workstation to assure the identity of
its user or
users and rely on each server to enforce a security policy based
on user
identification (ID). 2. Require that client systems
authenticate themselves to
servers, but trust the client system concerning the identity of
its user. 3. Require
the user to prove identity for each service invoked. Also require
that servers
prove their identity to clients.
4.4 Secure: A network eavesdropper should not be able to obtain the necessary
information to impersonate a user. More generally, Kerberos should
be strong
enough that a potential opponent does not find it to be the weak
link. Reliable:
For all services that rely on Kerberos for access control, lack of
availability of the
Kerberos service means lack of availability of the supported
services. Hence,
Kerberos should be highly reliable and should employ a distributed
server
architecture, with one system able to back up another. Transparent: Ideally, the
user should not be aware that authentication is taking place,
beyond the
requirement to enter a password. Scalable: The
system should be capable of
supporting large numbers of clients and servers. This suggests a
modular,
distributed architecture.
4.5 A full-service Kerberos environment consists of a Kerberos server,
a number of
clients, and a number of application servers.
4.6 A realm is an environment in which: 1. The Kerberos server must have the user ID
(UID) and hashed password of all participating users in its database.
All users are
registered with the Kerberos server. 2. The Kerberos server must share a secret
key with each server. All servers are registered with the Kerberos
server.
4.7 Version 5 overcomes some environmental shortcomings and some
technical
deficiencies in Version 4.
CHAPTER 4
AUTHENTICATION APPLICATIONS
-20-
4.8 X.509 defines a framework for the provision of authentication
services by the
X.500 directory to its users. The directory may serve as a
repository of public-key
certificates. Each certificate contains the public key of a user
and is signed with
the private key of a trusted certification authority. In addition,
X.509 defines
alternative authentication protocols based on the use of
public-key certificates.
4.9 A chain of certificates consists of a sequence of certificates
created by different
certification authorities (CAs) in which each successive
certificate is a certificate
by one CA that certifies the public key of the next CA in the
chain.
4.10 The owner of a public-key can issue a certificate revocation list
that revokes one
or more certificates.
ANSWERS TO PROBLEMS
4.1 An error in C1 affects P1 because the encryption of C1 is
XORed with IV to produce
P1. Both C1 and P1 affect
P2, which is the XOR of the encryption of C2 with
the
XOR of C1 and P1. Beyond that, PN–1 is one of the XORed inputs to forming PN.
4.2 Let us consider the case of the interchange of C1 and
C2. The argument will be the
same for any other adjacent pair of ciphertext blocks. First, if C1 and
C2 arrive in
the proper order:
P1 = E[K, C1] ⊕ IV
P2 = E[K, C2] ⊕ C1 ⊕ P1
= E[K, C2]
⊕ C1 ⊕ E[K, C1] ⊕ IV
P3 = E[K, C3] ⊕ C2 ⊕ P2
= E[K, C3]
⊕ C2 ⊕ E[K, C2] ⊕ C1 ⊕ E[K, C1] ⊕ IV
Now suppose that C1
and C2 arrive
in the reverse order. Let us refer to the
decrypted blocks as Qi.
Q1 = E[K, C2] ⊕ IV
Q2 = E[K, C1] ⊕ C2 ⊕ Q1
= E[K, C1]
⊕ C2 ⊕ E[K, C2] ⊕ IV
Q3 = E[K, C3] ⊕ C1 ⊕ Q2
= E[K, C3]
⊕ C1 ⊕ E[K, C1] ⊕ C2 ⊕ E[K, C2] ⊕ IV
The result is that Q1 ≠ P1;
Q2 ≠ P2; but Q3 = P3.
Subsequent blocks are clearly
unaffected.
4.3 The problem has a simple fix, namely the inclusion of the name of
B in the signed
information for the third message, so that the third message now
reads:
A → B: A {rB, B}
4.4 Taking the eth root mod n of a ciphertext block will
always reveal the plaintext, no
matter what the values of e and n are. In general this is a very difficult problem,
and indeed is the reason why RSA is secure. The point is that, if e is too small, then
taking the normal integer eth root will be the same as
taking the eth root mod n,
and taking integer eth roots is relatively easy.
-21-
ANSWERS TO QUESTIONS
5.1 Authentication, confidentiality, compression, e-mail
compatibility, and
segmentation
5.2 A detached signature is useful in several contexts. A user may
wish to maintain a
separate signature log of all messages sent or received. A
detached signature of an
executable program can detect subsequent virus infection. Finally,
detached
signatures can be used when more than one party must sign a
document, such as
a legal contract. Each person's signature is independent and
therefore is applied
only to the document. Otherwise, signatures would have to be
nested, with the
second signer signing both the document and the first signature,
and so on.
5.3 a. It is preferable to sign an uncompressed message so that one can
store only the
uncompressed message together with the signature for future
verification. If one
signed a compressed document, then it would be necessary either to
store a
compressed version of the message for later verification or to
recompress the
message when verification is required. b. Even if one were willing to generate
dynamically a recompressed message for verification, PGP's
compression
algorithm presents a difficulty. The algorithm is not
deterministic; various
implementations of the algorithm achieve different tradeoffs in
running speed
versus compression ratio and, as a result, produce different
compressed forms.
However, these different compression algorithms are interoperable
because any
version of the algorithm can correctly decompress the output of
any other version.
Applying the hash function and signature after compression would
constrain all
PGP implementations to the same version of the compression
algorithm.
5.4 R64 converts a raw 8-bit binary stream to a stream of printable
ASCII characters.
Each group of three octets of binary data is mapped into four
ASCII characters.
5.5 When PGP is used, at least part of the block to be transmitted is
encrypted. If only
the signature service is used, then the message digest is
encrypted (with the
sender's private key). If the confidentiality service is used, the
message plus
signature (if present) are encrypted (with a one-time symmetric
key). Thus, part
or all of the resulting block consists of a stream of arbitrary
8-bit octets. However,
many electronic mail systems only permit the use of blocks
consisting of ASCII
text.
5.6 E-mail facilities often are restricted to a maximum message
length.
5.7 PGP includes a facility for assigning a level of trust to
individual signers and to
keys.
5.8 RFC 822 defines a format for text messages that are sent using
electronic mail.
CHAPTER 5
ELECTRONIC MAIL SECURITY
-22-
5.9 MIME is an extension to the RFC 822 framework that is intended to
address some
of the problems and limitations of the use of SMTP (Simple Mail
Transfer
Protocol) or some other mail transfer protocol and RFC 822 for
electronic mail.
5.10 S/MIME (Secure/Multipurpose Internet Mail Extension) is a security
enhancement to the MIME Internet e-mail format standard, based on
technology
from RSA Data Security.
ANSWERS TO PROBLEMS
5.1 CFB avoids the need to add and strip padding.
5.2 This is just another form of the birthday paradox discussed in
Appendix 11A. Let
us state the problem as one of determining what number of session
keys must be
generated so that the probability of a duplicate is greater than
0.5. From Equation
(11.6) in Appendix 11A, we have the approximation:
€
k =1.18 × n
For a 128-bit key, there are 2128 possible keys. Therefore
€
k =1.18 × 2128 =1.18 × 264
5.3 Again, we are dealing with a birthday-paradox phenomenon. We need
to
calculate the value for:
P(n, k) = Pr [at least one duplicate
in k items, with each item able to take on
one of n equally likely values between 1 and n]
In this case, k = N and n = 264. Using equation (11.5) of
Appendix 1A:
P(26 4 ,N) = 1− 264!
(26
4 − N)!264× k
> 1− e−[N ×(N
−1]
26 5
5.4 a. Not at all. The message digest is encrypted with the sender's
private key.
Therefore, anyone in possession of the public key can decrypt it
and recover
the entire message digest.
b. The probability that a message digest decrypted with the wrong key
would
have an exact match in the first 16 bits with the original message
digest is
2–16.
5.5 We trust this owner, but that does not necessarily mean that we
can trust that we
are in possession of that owner's public key.
5.6 It certainly provides more security than a monoalphabetic
substitution. Because
we are treating the plaintext as a string of bits and encrypting 6
bits at a time, we
-23-
are not encrypting individual characters. Therefore, the frequency
information is
lost, or at least significantly obscured.
5.7 DES is unsuitable because of its short key size. Two-key triple
DES, which has a
key length of 112 bits, is suitable. AES is also suitable.
-24-
ANSWERS TO QUESTIONS
6.1 Secure branch office connectivity over the
Internet: A company can build a
secure virtual private network over the Internet or over a public
WAN. This
enables a business to rely heavily on the Internet and reduce its
need for private
networks, saving costs and network management overhead. Secure remote access
over the Internet: An end user whose system is equipped with IP
security
protocols can make a local call to an Internet service provider
(ISP) and gain
secure access to a company network. This reduces the cost of toll
charges for
traveling employees and telecommuters. Establishing extranet and intranet
connectivity with partners: IPSec can be used to secure communication with
other organizations, ensuring authentication and confidentiality
and providing a
key exchange mechanism. Enhancing electronic commerce security: Even though
some Web and electronic commerce applications have built-in
security protocols,
the use of IPSec enhances that security.
6.2 Access control; connectionless integrity; data origin
authentication; rejection of
replayed packets (a form of partial sequence integrity);
confidentiality
(encryption); and limited traffic flow confidentiality
6.3 A security association is uniquely identified by three parameters:
Security
Parameters Index (SPI): A bit string assigned to this SA and having local
significance only. The SPI is carried in AH and ESP headers to
enable the
receiving system to select the SA under which a received packet
will be processed.
IP Destination Address: Currently, only unicast addresses are allowed; this
is the
address of the destination endpoint of the SA, which may be an end
user system
or a network system such as a firewall or router. Security Protocol Identifier:
This indicates whether the association is an AH or ESP security
association.
A security association is normally defined by the following
parameters:
Sequence Number Counter: A 32-bit value used to generate the Sequence
Number field in AH or ESP headers, described in Section 6.3
(required for all
implementations). Sequence Counter Overflow: A flag indicating whether
overflow of the Sequence Number Counter should generate an
auditable event
and prevent further transmission of packets on this SA (required
for all
implementations). Anti-Replay Window: Used to determine whether an inbound
AH or ESP packet is a replay, described in Section 6.3 (required
for all
implementations). AH Information: Authentication algorithm, keys, key
lifetimes, and related parameters being used with AH (required for
AH
implementations). ESP Information: Encryption and authentication algorithm,
keys, initialization values, key lifetimes, and related parameters
being used with
ESP (required for ESP implementations). Lifetime of this Security Association: A
time interval or byte count after which an SA must be replaced
with a new SA
(and new SPI) or terminated, plus an indication of which of these
actions should
occur (required for all implementations). IPSec Protocol Mode: Tunnel, transport,
or wildcard (required for all implementations). These modes are
discussed later in
CHAPTER 6
IP SECURITY
-25-
this section. Path
MTU: Any observed path maximum
transmission unit
(maximum size of a packet that can be transmitted without
fragmentation) and
aging variables (required for all implementations).
6.4 Transport mode provides protection primarily for upper-layer
protocols. That is,
transport mode protection extends to the payload of an IP packet. Tunnel mode
provides protection to the entire IP packet.
6.5 A replay attack is one in which an attacker obtains a copy of an
authenticated
packet and later transmits it to the intended destination. The
receipt of duplicate,
authenticated IP packets may disrupt service in some way or may
have some
other undesired consequence.
6.6 1. If an encryption algorithm requires the plaintext to be a multiple
of some
number of bytes (e.g., the multiple of a single block for a block
cipher), the
Padding field is used to expand the plaintext (consisting of the
Payload Data,
Padding, Pad Length, and Next Header fields) to the required
length. 2. The ESP
format requires that the Pad Length and Next Header fields be
right aligned
within a 32-bit word. Equivalently, the ciphertext must be an
integer multiple of
32 bits. The Padding field is used to assure this alignment. 3. Additional padding
may be added to provide partial traffic flow confidentiality by
concealing the
actual length of the payload.
6.7 Transport adjacency: Refers to applying more than one security protocol
to the
same IP packet, without invoking tunneling. This approach to
combining AH and
ESP allows for only one level of combination; further nesting
yields no added
benefit since the processing is performed at one IPSec instance:
the (ultimate)
destination. Iterated
tunneling: Refers to the application of
multiple layers of
security protocols effected through IP tunneling. This approach
allows for
multiple levels of nesting, since each tunnel can originate or
terminate at a
different IPSec site along the path.
6.8 ISAKMP by itself does not dictate a specific key exchange
algorithm; rather,
ISAKMP consists of a set of message types that enable the use of a
variety of key
exchange algorithms. Oakley is the specific key exchange algorithm
mandated for
use with the initial version of ISAKMP.
ANSWERS TO PROBLEMS
6.1 a. Immutable: Version, Internet Header Length, Total Length, Identification,
Protocol (This should be the value for AH.), Source Address,
Destination
Address (without loose or strict source routing). None of these
are changed by
routers in transit.
Mutable but predictable: Destination Address (with loose or strict source
routing). At each intermediate router designated in the source
routing list, the
Destination Address field is changed to indicate the next
designated address.
However, the source routing field contains the information needed
for doing
the MAC calculation.
Mutable (zeroed prior to ICV calculation): Type of Service (TOS), Flags,
Fragment Offset, Time to Live (TTL), Header Checksum. TOS may be
altered
by a router to reflect a reduced service. Flags and Fragment
offset are altered if
-26-
an router performs fragmentation. TTL is decreased at each router.
The Header
Checksum changes if any of these other fields change.
b. Immutable: Version, Payload Length, Next Header (This should be the value
for AH.), Source Address, Destination Address (without Routing
Extension
Header)
Mutable but predictable: Destination Address (with Routing Extension
Header)
Mutable (zeroed prior to ICV calculation): Class, Flow Label, Hop Limit
c. IPv6 options in the Hop-by-Hop and Destination Extension Headers
contain a
bit that indicates whether the option might change (unpredictably)
during
transit.
Mutable but predictable: Routing
Not Applicable: Fragmentation occurs after outbound IPSec processing and
reassembly occur before inbound IPSec processing , so the
Fragmentation
Extension Header, if it exists, is not seen by IPSec.
6.2 From RFC 2401
IPv4 Header Fields Outer Header at
Encapsulator
Inner Header at
Decapsulator
version 4 (1) no change
header length constructed no change
TOS copied from inner header
(5)
no change
total length constructed no change
ID constructed no change
Flags constructed, DF (4) no change
Fragment offset constructed no change
TTL constructed decrement (2)
protocol AH, ESP, routing header no change
checksum constructed no change
source address constructed (3) no change
destination address constructed (3) no change
options never copied no change
IPv6 Header Fields Outer Header at
Encapsulator
Inner Header at
Decapsulator
version 6 (1) no change
class copied or configured (6) no change
flow id copied or configured no change
length constructed no change
next header AH, ESP, routing header no change
hop count constructed (2) decrement (2)
source address constructed (3) no change
dest address constructed (3) no change
extension headers never copied no change
1. The IP version in the encapsulating header can be different from
the value in
the inner header.
-27-
2. The TTL in the inner header is decremented by the encapsulator
prior to
forwarding and by the decapsulator if it forwards the packet.
3. src and dest addresses depend on the SA, which is used to
determine the dest
address, which in turn determines which src address (net
interface) is used to
forward the packet.
4. configuration determines whether to copy from the inner header
(IPv4 only),
clear or set the DF.
5. If Inner Hdr is IPv4, copy the TOS. If Inner Hdr is IPv6, map the
Class to TOS.
6. If Inner Hdr is IPv6, copy the Class. If Inner Hdr IPv4, map the
TOS to Class.
6.3 We show the results for IPv4; IPv6 is similar.
6.4 This order of processing facilitates rapid detection and rejection
of replayed or
bogus packets by the receiver, prior to decrypting the packet,
hence potentially
reducing the impact of denial of service attacks. It also allows
for the possibility
of parallel processing of packets at the receiver, i.e.,
decryption can take place in
parallel with authentication.
6.5 a. The Aggressive Exchange type.
b. (CKYI, CKYR) ↔ HDR
(OK_KEYX) ↔ HDR
(GRP) ↔ P
gx, gy) ↔ KE
(EHAO, EHAS) ↔ T
(NIDP) ↔ HDR
(IDI, IDR) ↔ ID
(NI, NR) ↔ NONCE
(SKI[X], SKR[X]) ↔ SIG
-28-
ANSWERS TO QUESTIONS
7.1 The advantage of using IPSec (Figure 7.1a) is that it is
transparent to end users
and applications and provides a general-purpose solution. Further,
IPSec includes
a filtering capability so that only selected traffic need incur
the overhead of IPSec
processing. The advantage of using SSL is that it makes use of the reliability and
flow control mechanisms of TCP. The advantage application-specific security
services (Figure 7.1c) is that the service can be tailored to the specific
needs of a
given application.
7.2 SSL handshake protocol; SSL change cipher spec protocol; SSL alert
protocol; SSL
record protocol.
7.3 Connection: A connection is a transport (in the OSI layering model definition)
that provides a suitable type of service. For SSL, such
connections are peer-to-peer
relationships. The connections are transient. Every connection is
associated with
one session. Session:
An SSL session is an
association between a client and a
server. Sessions are created by the Handshake Protocol. Sessions
define a set of
cryptographic security parameters, which can be shared among
multiple
connections. Sessions are used to avoid the expensive negotiation
of new security
parameters for each connection.
7.4 Session identifier: An arbitrary byte sequence chosen by the server to
identify an
active or resumable session state. Peer certificate: An X509.v3 certificate of the
peer. Compression method: The algorithm used to compress data prior to
encryption. Cipher
spec: Specifies the bulk data
encryption algorithm (such as
null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used
for MAC
calculation. It also defines cryptographic attributes such as the
hash_size. Master
secret: 48-byte secret shared between the client and server. Is resumable: A flag
indicating whether the session can be used to initiate new
connections.
7.5 Server and client random: Byte sequences that are chosen by the server and
client
for each connection. Server write MAC secret: The secret key used in MAC
operations on data sent by the server. Client write MAC secret: The secret key
used in MAC operations on data sent by the client. Server write key: The
conventional encryption key for data encrypted by the server and
decrypted by
the client. Client
write key: The conventional encryption
key for data encrypted
by the client and decrypted by the server. Initialization vectors: When a block
cipher in CBC mode is used, an initialization vector (IV) is
maintained for each
key. This field is first initialized by the SSL Handshake
Protocol. Thereafter the
final ciphertext block from each record is preserved for use as
the IV with the
following record. Sequence numbers: Each party maintains separate sequence
numbers for transmitted and received messages for each connection.
When a
party sends or receives a change cipher spec message, the
appropriate sequence
number is set to zero. Sequence numbers may not exceed 264 –
1.
CHAPTER 7
WEB SECURITY
-29-
7.6 Confidentiality: The Handshake Protocol defines a shared secret key
that is used
for conventional encryption of SSL payloads. Message Integrity: The Handshake
Protocol also defines a shared secret key that is used to form a
message
authentication code (MAC).
7.7 Fragmentation; compression; add MAC; encrypt; append SSL record
header.
7.8 Cardholder: In the electronic environment, consumers and corporate purchasers
interact with merchants from personal computers over the Internet.
A cardholder
is an authorized holder of a payment card (e.g., MasterCard, Visa)
that has been
issued by an issuer. Merchant: A
merchant is a person or organization that has
goods or services to sell to the cardholder. Typically, these
goods and services are
offered via a Web site or by electronic mail. A merchant that
accepts payment
cards must have a relationship with an acquirer. Issuer: This is a financial
institution, such as a bank, that provides the cardholder with the
payment card.
Typically, accounts are applied for and opened by mail or in
person. Ultimately, it
is the issuer that is responsible for the payment of the debt of
the cardholder.
Acquirer: This is a financial institution that establishes an account with a
merchant and processes payment card authorizations and payments.
Merchants
will usually accept more than one credit card brand but do not
want to deal with
multiple bankcard associations or with multiple individual
issuers. The acquirer
provides authorization to the merchant that a given card account
is active and
that the proposed purchase does not exceed the credit limit. The
acquirer also
provides electronic transfer of payments to the merchant's
account. Subsequently,
the acquirer is reimbursed by the issuer over some sort of payment
network for
electronic funds transfer. Payment gateway: This is a function operated by the
acquirer or a designated third party that processes merchant
payment messages.
The payment gateway interfaces between SET and the existing
bankcard payment
networks for authorization and payment functions. The merchant
exchanges SET
messages with the payment gateway over the Internet, while the
payment
gateway has some direct or network connection to the acquirer's
financial
processing system. Certification authority (CA): This is an entity that is trusted to
issue X.509v3 public-key certificates for cardholders, merchants,
and payment
gateways. The success of SET will depend on the existence of a CA
infrastructure
available for this purpose. As was discussed in previous chapters,
a hierarchy of
CAs is used, so that participants need not be directly certified
by a root authority.
7.9 A dual signature is used to sign two concatenated documents each
with its own
hash code. The purpose of the dual signature is to link two
messages that are
intended for two different recipients. In this case, the customer
want to send the
order information (OI) to the merchant and the payment information
(PI) to the
bank. The merchant does not need to know the customer's credit
card number,
and the bank does not need to know the details of the customer's
order.
ANSWERS TO PROBLEMS
7.1 The change cipher spec protocol exists to signal transitions in
ciphering strategies,
and can be sent independent of the complete handshake protocol
exchange.
-30-
7.2 a. Brute Force Cryptanalytic Attack: The conventional encryption algorithms
use key lengths ranging from 40 to 168 bits.
b. Known Plaintext Dictionary Attack: SSL protects against this attack by not
really using a 40-bit key, but an effective key of 128 bits. The
rest of the key is
constructed from data that is disclosed in the Hello messages. As
a result the
dictionary must be long enough to accommodate 2128 entries.
c. Replay Attack: This is prevented by the use of nonces.
d. Man-in-the-Middle Attack: This is prevented by the use of pubic-key
certificates to authenticate the correspondents.
e. Password Sniffing: User data is encrypted.
f. IP Spoofing: The spoofer must be in possession of the secret key as well as the
forged IP address.
g. IP Hijacking: Again, encryption protects against this attack.
h. SYN Flooding: SSL provides no protection against this attack.
7.3 SSL relies on an underlying reliable protocol to assure that bytes
are not lost or
inserted. There was some discussion of reengineering the future
TLS protocol to
work over datagram protocols such as UDP, however, most people at
a recent
TLS meeting felt that this was inappropriate layering (from the
SSL FAQ).
-31-
ANSWERS TO QUESTIONS
8.1 1. A single operator interface with a powerful but user-friendly set
of commands
for performing most or all network management tasks. 2. A minimal amount of
separate equipment. That is, most of the hardware and software
required for
network management is incorporated into the existing user equipment.
8.2 Management station, management agent, management information base,
network
management protocol.
8.3 To manage resources in the network, each resource is represented
as an object. An
object is, essentially, a data variable that represents one aspect
of the managed
agent. The collection of objects is referred to as a management information base
(MIB).
8.4 Get: enables the management station to retrieve the value of objects at
the agent.
Set: enables the management station to set the value of objects at the
agent.
Notify: enables an agent to notify the management station of significant
events.
8.5 To accommodate devices that do not implement SNMP, the concept of
proxy was
developed. In this scheme an SNMP agent acts as a proxy for one or
more other
devices; that is, the SNMP agent acts on behalf of the proxied
devices.
8.6 An SNMP community is a relationship between an SNMP agent and a set
of SNMP
managers that defines authentication, access control, and proxy
characteristics. The
community concept is a local one, defined at the agent. The agent
establishes one
community for each desired combination of authentication, access
control, and
proxy characteristics. Each community is given a unique (within
this agent)
community name, and the managers within that community are
provided with and
must employ the community name in all get and set operations. The
agent may
establish a number of communities, with overlapping manager
membership.
8.7 SNMPv1 is the original standard version of SNMP. SNMPv2 added
functional
capabilities to those of SNMPv1 and changed some formats. SNMPv3
is a security
facility that can work with either SNMPv1 or SNMPv2.
8.8 Modification of information: An entity could alter an in-transit message
generated
by an authorized entity in such a way as to cause unauthorized
management
operations, including the setting of object values. The essence of
this threat is that
an unauthorized entity could change any management parameter, including
those
related to configuration, operations, and accounting. Masquerade: Management
operations that are not authorized for some entity may be
attempted by that entity
by assuming the identity of an authorized entity. Message stream modification:
SNMP is designed to operate over a connectionless transport
protocol. There is a
threat that SNMP messages could be reordered, delayed, or replayed
(duplicated)
CHAPTER 8
NETWORK MANAGEMENT SECURITY
-32-
to cause unauthorized management operations. Disclosure: An entity could
observe exchanges between a manager and an agent and thereby learn
the values of
managed objects and learn of notifiable events.
8.9 In any message transmission, one of the two entities, transmitter
or receiver, is
designated as the authoritative SNMP engine, according to the
following rules:
1. When an SNMP message contains a payload that expects a response
(for
example, a Get, GetNext, GetBulk, Set, or Inform PDU), then the
receiver of such
messages is authoritative. 2. When an SNMP message contains
a payload that does
not expect a response (for example, an SNMPv2-Trap, Response, or
Report PDU),
then the sender of such a message is authoritative.
8.10 A localized key is defined in RFC 2574 as a secret key shared between
a user and
one authoritative SNMP engine. The objective is that the user need
only maintain a
single key (or two keys if both authentication and privacy are
required) and
therefore need only remember one password (or two). The actual
secrets shared
between a particular user and each authoritative SNMP engine are
different. The
process by which a single user key is converted into multiple
unique keys, one for
each remote SNMP engine, is referred to as key localization.
8.11 Group: a set of zero or more tuples
on whose
behalf SNMP management objects can be accessed. Security level: Determines
access rights for a group. For example, an agent may allow
read-only access for a
request communicated in an unauthenticated message but may require
authentication for write access. Context: a
named subset of the object instances in
the local MIB. Contexts provide a useful way of aggregating
objects into collections
with different access policies. MIB view: a
specific set of managed objects (and
optionally specific object instances). Access policy: a particular set of access rights.
ANSWERS TO PROBLEMS
8.1 a. The value of a Gauge has its maximum value whenever the
information being
modeled is greater than or equal to that maximum value; if the
information
being modeled subsequently decreases below the maximum value, the
Gauge
remains at the maximum value. The gauge can only be released from
this
maximum value by subsequent management action.
b. The SNMPv2 interpretation provides a realistic representation of
the underlying
value at all times, subject to the limitation of the gauge.
However, a manager
may want to know that some maximum value has been reached or
exceeded. By
"sticking" the gauge at its maximum value until it is
noticed and released by a
manager, this information is preserved.
-33-
8.2
MIB Access SNMP Access Mode
Category READ-ONLY READ-WRITE
read-only Available for Get and Trap
operations —
read-write Available for Get and Trap
operations
Available for Get, Set, and
Trap operations
write-only
Available for Get and Trap
Operations, but the value is
implementation-specific.
Available for Get, Set, and Trap
Operations, but the value is
implementation-specific for
Get and Set.
not-accessible Unavailable
8.3 a. This restriction makes sense because the authoritative receiver
will only check
those fields if the message is to be authenticated.
b. Keep in mind that in the case of the authoritative sender, these
values represent
the "official" local values of snmpEngineBoots and
snmpEngineTime. When the
Response message is received by the non-authorititave engine, it
may only use
these values for synchronization if the message is authenticated.
However, an
implementation might perhaps use these values for a "reality
check" even on
non-authenticated Response messages.
8.4 If we had done the time window check first, we would have declared
the message
untimely because MAET < (SET – 150). That doesn't seem good,
but that is what the
RFC says.
8.5 In the example just given, the authoritative SNMP engine is more
than 150 seconds
behind the non-authoritative engine (because
msgAuthoritativeEngineTime <
(snmpEngineTime – 150)) but time synchronization occurs (because
latestReceivedEngineTime < msgAuthoritativeEngineTime).
8.6 The first method is straightforward but has the drawback that it
requires the use of
encryption even in systems that support only message
authentication. A related
drawback is that export restrictions from the United States and
possibly other
countries could complicate the use of an encryption-based
approach.
8.7 Note that the value protocolKeyChange is just the concatenation of
random and
delta. So the receiver can compute:
digest = Hash(keyOld || random)
keyNew = digest ⊕ delta
8.8 (1) The one-way function puts an impenetrable barrier between the old
and new
keys, so that if the new key is discovered, it is still infeasible
to recover the older
key. (2) Deducing relationship between the bits of the old
and new keys is
intractable in both directions (forward and backward), so that the
cryptanalyst
only has the traffic protected by a given key to use in attempting
to determine that
key.
-34-
ANSWERS TO QUESTIONS
9.1 Masquerader: An individual who is not authorized to use the computer and who
penetrates a system's access controls to exploit a legitimate
user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for
which
such access is not authorized, or who is authorized for such
access but misuses his
or her privileges. Clandestine user: An individual who seizes supervisory control
of the system and uses this control to evade auditing and access
controls or to
suppress audit collection.
9.2 One-way encryption: The system stores only an encrypted form of the
user's
password. When the user presents a password, the system encrypts
that
password and compares it with the stored value. In practice, the
system usually
performs a one-way transformation (not reversible) in which the
password is
used to generate a key for the encryption function and in which a
fixed-length
output is produced. Access control: Access to the password file is limited to one
or a very few accounts.
9.3 1. If an intrusion is detected quickly enough, the intruder can be
identified and
ejected from the system before any damage is done or any data are
compromised.
Even if the detection is not sufficiently timely to preempt the
intruder, the sooner
that the intrusion is detected, the less the amount of damage and
the more quickly
that recovery can be achieved. 2. An effective intrusion
detection system can serve
as a deterrent, so acting to prevent intrusions. 3. Intrusion detection enables the
collection of information about intrusion techniques that can be
used to
strengthen the intrusion prevention facility.
9.4 Statistical anomaly detection involves the collection of data relating to the
behavior of legitimate users over a period of time. Then
statistical tests are
applied to observed behavior to determine with a high level of
confidence
whether that behavior is not legitimate user behavior. Rule-Based Detection
involves an attempt to define a set of rules that can be used to
decide that a given
behavior is that of an intruder.
9.5 Counter: A nonnegative integer that may be incremented but not decremented
until it is reset by management action. Typically, a count of
certain event types is
kept over a particular period of time. Gauge: A nonnegative integer that may be
incremented or decremented. Typically, a gauge is used to measure
the current
value of some entity. Interval timer: The length of time between two related
events. Resource utilization: Quantity of resources consumed during a specified
period.
9.6 With rule-based anomaly detection, historical audit records are analyzed to
identify usage patterns and to generate automatically rules that
describe those
patterns. Rules may represent past behavior patterns of users,
programs,
CHAPTER 9
INTRUDERS
-35-
privileges, time slots, terminals, and so on. Current behavior is
then observed,
and each transaction is matched against the set of rules to
determine if it conforms
to any historically observed pattern of behavior. Rule-based penetration
identification uses rules for identifying known penetrations or penetrations that
would exploit known weaknesses. Rules can also be defined that
identify
suspicious behavior, even when the behavior is within the bounds
of established
patterns of usage. Typically, the rules used in these systems are
specific to the
machine and operating system. Also, such rules are generated by
"experts" rather
than by means of an automated analysis of audit records.
9.7 Honeypots are decoy systems that are designed to lure a potential
attacker away
from critical systems.
9.8 The salt is combined with the password at the input to the one-way
encryption
routine.
9.9 User education: Users can be told the importance of using hard-to-guess
passwords and can be provided with guidelines for selecting strong
passwords.
Computer-generated passwords: Users are provided passwords generated by a
computer algorithm. Reactive password checking: the system periodically runs
its own password cracker to find guessable passwords. The system
cancels any
passwords that are guessed and notifies the user. Proactive password checking: a
user is allowed to select his or her own password. However, at the
time of
selection, the system checks to see if the password is allowable
and, if not, rejects
it.
ANSWERS TO PROBLEMS
9.1 Let WB equal the event {witness reports Blue cab}. Then:
Pr[Blue WB] = Pr[WB Blue]Pr[Blue]
Pr[WB Blue]Pr[Blue] + Pr[WB Green]Pr[Green]
= (0.8)(0.15)
(0.8)(0.15) +(0.2)(0.85)
= 0. 41
This example, or something similar, is referred to as "the
juror's fallacy."
9.2 a. T =
264
2
seconds = 63.5 hours
b. Expect 13 tries for each digit. T = 13 × 4 = 52 seconds.
9.3 a. p =rk
b. p =
rk − rp
rk +p
c. p =rp
9.4 a. T = (21 × 5 × 21)2 = 4,862,025
-36-
b. p = 1/T ≈ 2 × 10–7
9.5 There are 9510 ≈ 6 × 1019 possible
passwords. The time required is:
6 × 1019passwords
6.4 ×106 passwords/second
= 9.4 × 1012seconds
= 300, 000 years
9.6 a. Since PUa and PRa are inverses, the value PRa can
be checked to validate that Pa
was correctly supplied: Simply take some arbitrary block X and
verify that X =
D(PRa, E[PUa, X]).
b. Since the file /etc/publickey is publicly readable, an attacker
can guess P (say
P') and compute PRa'
= D(P', E[P, PRa]).
now he can choose an arbitrary block Y
and check to see if Y = D(PRa, E[PUa,
Y]). If so, it is highly probable that P' = P.
Additional blocks can be used to verify the equality.
9.7 Yes.
9.8 Without the salt, the attacker can guess a password and encrypt
it. If ANY of the
users on a system use that password, then there will be a match.
With the salt, the
attacker must guess a password and then encrypt it once for each
user, using the
particular salt for each user.
9.9 It depends on the size of the user population, not the size of the
salt, since the
attacker presumably has access to the salt for each user. The
benefit of larger salts
is that the larger the salt, the less likely it is that two users
will have the same salt.
If multiple users have the same salt, then the attacker can do one
encryption per
password guess to test all of those users.
9.10 a. If there is only one hash function (k = 1), which produces one of
N possible
hash values, and there is only one word in the dictionary, then
the probability
that an arbitrary bit bi is set to 1 is just 1/N. If
there are k hash functions, let
us assume for simplicity that they produce k distinct hash
functions for a
given word. This assumption only introduces a small margin of
error. Then,
the probability that an arbitrary bit bi is
set to 1 is k/N. Therefore, the
probability that bi
is equal to 0 is 1 – k/N. The
probability that a bit is left
unset after D dictionary words are processed is just the
probability that each
of the D transformations set other bits:
Pr[bi = 0] = 1− k
N
D
This can also be interpreted as the expected fraction of bits that
are equal to 0.
b. A word not in the dictionary will be falsely accepted if all k
bits tested are
equal to 1. Now, from part (a), we can say that the expected
fraction of bits in
the hash table that are equal to one is 1 – ö. The probability that a
random
word will be mapped by a single hash function onto a bit that is
already set is
the probability that the bit generated by the hash function is in
the set of bits
-37-
equal to one, which is just 1 – ö. Therefore, the probability that the k hash
functions applied to the word will produce k bits all of which are
in the set of
bits equal to one is (1 – ö)k.
c. We use the approximation (1 – x) ≈ e-x.
9.11 The system enciphers files with a master system key KM, which is
stored in some
secure fashion. When User i attempts to read file F, the header of
F is decrypted
using KM and User i's read privilege is checked. If the user has
read access, the
file is decrypted using KM and the reencrypted using User i's key
for
transmission to User i. Write is handled in a similar fashion.
-38-
ANSWERS TO QUESTIONS
10.1 A virus may use compression so that the infected program is
exactly the same
length as an uninfected version.
10.2 A portion of the virus, generally called a mutation engine, creates a random
encryption key to encrypt the remainder of the virus. The key is
stored with the
virus, and the mutation engine itself is altered. When an infected
program is
invoked, the virus uses the stored random key to decrypt the
virus. When the
virus replicates, a different random key is selected.
10.3 A dormant phase, a propagation phase, a triggering phase, and an
execution
phase
10.4 1. Search for other systems to infect by examining host tables or
similar
repositories of remote system addresses. 2.Establish a connection with a remote
system. 3. Copy itself to the remote system and cause the copy
to be run.
10.5 This system provides a general-purpose emulation and
virus-detection system.
The objective is to provide rapid response time so that viruses
can be stamped out
almost as soon as they are introduced. When a new virus enters an
organization,
the immune system automatically captures it, analyzes it, adds
detection and
shielding for it, removes it, and passes information about that
virus to systems
running a general antivirus program so that it can be detected
before it is allowed
to run elsewhere.
10.6 Behavior-blocking software integrates with the operating system of
a host
computer and monitors program behavior in real-time for malicious
actions. The
behavior blocking software then blocks potentially malicious
actions before they
have a chance to affect the system.
10.7 A denial of service (DoS) attack is an attempt to prevent
legitimate users of a
service from using that service. When this attack comes from a
single host or
network node, then it is simply referred to as a DoS attack. A
more serious threat
is posed by a DDoS attack. In a DDoS attack, an attacker is able
to recruit a
number of hosts throughout the Internet to simultaneously or in a
coordinated
fashion launch an attack upon the target.
ANSWERS TO PROBLEMS
10.1 The program will loop indefinitely once all of the executable
files in the system
are infected.
CHAPTER 10
MALICIOUS SOFTWARE
-39-
10.2 D is supposed to examine a program P and return TRUE if P is a
computer virus
and FALSE if it is not. But CV calls D. If D says that CV is a
virus, then CV will
not infect an executable. But if D says that CV is not a virus, it
infects an
executable. D always returns the wrong answer.
-40-
ANSWERS TO QUESTIONS
11.1 1. All traffic from inside to outside, and vice versa, must pass
through the
firewall. This is achieved by physically blocking all access to
the local network
except via the firewall. Various configurations are possible, as
explained later in
this section. 2.
Only authorized traffic, as
defined by the local security policy, will
be allowed to pass. Various types of firewalls are used, which
implement various
types of security policies, as explained later in this section. 3. The firewall itself is
immune to penetration. This implies that use of a trusted system
with a secure
operating system.
11.2 Service control: Determines the types of Internet services that can
be accessed,
inbound or outbound. The firewall may filter traffic on the basis
of IP address and
TCP port number; may provide proxy software that receives and
interprets each
service request before passing it on; or may host the server
software itself, such as
a Web or mail service. Direction control: Determines the direction in which
particular service requests may be initiated and allowed to flow
through the
firewall. User
control: Controls access to a service
according to which user is
attempting to access it. This feature is typically applied to
users inside the firewall
perimeter (local users). It may also be applied to incoming
traffic from external
users; the latter requires some form of secure authentication
technology, such as is
provided in IPSec. Behavior control: Controls how particular services are used.
For example, the firewall may filter e-mail to eliminate spam, or
it may enable
external access to only a portion of the information on a local
Web server.
11.3 Source IP address: The IP address of the system that originated the IP
packet.
Destination IP address: The IP address of the system the IP packet is
trying to
reach. Source and destination
transport-level address: The
transport level (e.g.,
TCP or UDP) port number, which defines applications such as SNMP
or TELNET.
IP protocol field: Defines the transport protocol. Interface: For a router with three
or more ports, which interface of the router the packet came from
or which
interface of the router the packet is destined for.
11.4 1. Because packet filter firewalls do not examine upper-layer data,
they cannot
prevent attacks that employ application-specific vulnerabilities
or functions. For
example, a packet filter firewall cannot block specific
application commands; if a
packet filter firewall allows a given application, all functions
available within that
application will be permitted. 2. Because of the limited
information available to
the firewall, the logging functionality present in packet filter
firewalls is limited.
Packet filter logs normally contain the same information used to
make access
control decisions (source address, destination address, and
traffic type). 3. Most
packet filter firewalls do not support advanced user
authentication schemes. Once
again, this limitation is mostly due to the lack of upper-layer
functionality by the
firewall. 4.
They are generally vulnerable
to attacks and exploits that take
advantage of problems within the TCP/IP specification and protocol
stack, such
CHAPTER 11
FIREWALLS
-41-
as network layer address
spoofing. Many packet filter firewalls
cannot detect a
network packet in which the OSI Layer 3 addressing information has
been
altered. Spoofing attacks are generally employed by intruders to
bypass the
security controls implemented in a firewall platform. 5. Finally, due to the small
number of variables used in access control decisions, packet
filter firewalls are
susceptible to security breaches caused by improper
configurations. In other
words, it is easy to accidentally configure a packet filter
firewall to allow traffic
types, sources, and destinations that should be denied based on an
organization's
information security policy.
11.5 A traditional packet filter makes filtering decisions on an individual packet
basis
and does not take into consideration any higher layer context. A stateful
inspection packet filter tightens up the rules for TCP traffic by creating a
directory of outbound TCP connections, as shown in Table 11.2.
There is an entry
for each currently established connection. The packet filter will
now allow
incoming traffic to high-numbered ports only for those packets
that fit the profile
of one of the entries in this directory
11.6 An application-level gateway, also called a proxy server, acts as
a relay of
application-level traffic.
11.7 A circuit-level gateway does not permit an end-to-end TCP
connection; rather, the
gateway sets up two TCP connections, one between itself and a TCP
user on an
inner host and one between itself and a TCP user on an outside
host. Once the
two connections are established, the gateway typically relays TCP
segments from
one connection to the other without examining the contents. The
security function
consists of determining which connections will be allowed.
11.8 The screened host firewall,
single-homed bastion configuration (Figure 11.2a),
the firewall consists of two systems: a packet-filtering router
and a bastion host;
the latter performs authentication and proxy functions. In the
single-homed
configuration just described, if the packet-filtering router is
completely
compromised, traffic could flow directly through the router
between the Internet
and other hosts on the private network. The screened host firewall, dual-homed
bastion configuration physically prevents such a security breach. In the screened
subnet firewall configuration, two packet-filtering routers are used, one between
the bastion host and the Internet and one between the bastion host
and the
internal network. This configuration creates an isolated
subnetwork, which may
consist of simply the bastion host but may also include one or
more information
servers and modems for dial-in capability.
11.9 A subject is an entity capable of accessing objects.
Generally, the concept of
subject equates with that of process. Any user or application
actually gains access
to an object by means of a process that represents that user or
application. An
object is anything to which access is controlled. Examples include files,
portions
of files, programs, and segments of memory.
11.10 For each object, an access control list lists users and their permitted access rights.
A capability ticket specifies authorized objects and operations for a
user.
-42-
11.11 No read up: A subject can only read an object of less or equal security level.
No
write down: A subject can only write into an object of greater or equal
security
level.
11.12 Complete mediation: The security rules are enforced on every access,
not just,
for example, when a file is opened. Isolation: The reference monitor and
database are protected from unauthorized modification. Verifiability: The
reference monitor's correctness must be provable. That is, it must
be possible to
demonstrate mathematically that the reference monitor enforces the
security
rules and provides complete mediation and isolation.
11.13 The Common Criteria (CC) for Information Technology and Security
Evaluation
is an international initiative by standards bodies in a number of
countries to
develop international standards for specifying security
requirements and
defining evaluation criteria.
ANSWERS TO PROBLEMS
11.1 It will be impossible for the destination host to complete
reassembly of the packet
if the first fragment is missing, and therefore the entire packet
will be discarded
by the destination after a time-out.
11.2 When a TCP packet is fragmented so as to force interesting header
fields out of
the zero-offset fragment, there must exist a fragment with FO
equal to 1. If a
packet with FO = 1 is seen, conversely, it could indicate the
presence, in the
fragment set, of a zero-offset fragment with a transport header
length of eight
octets Discarding this one-offset fragment will block reassembly
at the receiving
host and be as effective as the direct method described above.
11.3 If the router's filtering module enforces a minimum fragment
offset for fragments
that have non-zero offsets, it can prevent overlaps in filter
parameter regions of
the transport headers.
11.4 The purpose of the "no write down" rule, or *-property
is to address the problem
of Trojan horse software. With the *-property, information cannot
be
compromised through the use of a Trojan horse. Under this
property, a program
operating on behalf of one user cannot be used to pass information
to any user
having a lower or disjoint access class.
11.5 Drake is not authorized to read the string directly, so the
no-read-up rule will
prevent this. Similarly, Drake is not authorized to assign a
security level of
sensitive
to the back-pocket file, so that is prevented as well.
0 Comments:
Post a Comment