
Section 8.1

R1. What are the differences between message confidentiality and message integrity? Can you have confidentiality without integrity? Can you have integrity without confidentiality? Justify your answer.

Confidentiality is the property that the original plaintext message cannot be determined by an attacker who intercepts the ciphertext of the original plaintext message. Message integrity is the property that the receiver can detect whether the message sent (encrypted or not) was altered in transit. The two are thus different concepts, and one can exist without the other. An encrypted message that is altered in transit may still be confidential (the attacker cannot determine the original plaintext), but it will not have message integrity if the error is undetected. Similarly, a message that is altered in transit (and detected) could have been sent in plaintext and thus would not be confidential.

R2. Internet entities (routers, switches, DNS servers, Web servers, user end systems, and so on) often need to communicate securely. Give three specific example pairs of Internet entities that may want secure communication.

1) An end-user system (client) and a web server (online shop), in business transactions.
2) An end-user system (laptop) and a password-protected router (Wi-Fi internet), during login.
3) Two web servers (e-mail services), when sending an e-mail.

Section 8.2

R3. From a service perspective, what is an important difference between a symmetric-key system and a public-key system?

An important difference between symmetric-key and public-key systems is that in symmetric-key systems both the sender and the receiver must know the same (secret) key. In public-key systems, the encryption and decryption keys are distinct. The encryption key is known to the entire world (including the sender), but the decryption key is known only to the receiver.

R4. Suppose that an intruder has an encrypted message as well as the decrypted version of that message. Can the intruder mount a ciphertext-only attack, a known-plaintext attack, or a chosen-plaintext attack?

In this case, a known-plaintext attack is performed. If, somehow, the message encrypted by the sender had been chosen by the attacker, then this would be a chosen-plaintext attack.

R5. Consider an 8-block cipher. How many possible input blocks does this cipher have? How many possible mappings are there? If we view each mapping as a key, then how many possible keys does this cipher have?

An 8-block cipher (over bit strings) has 2^8 = 256 possible input blocks. These inputs can be arranged in 256 different ways. This means that any of the 256 mappings could be used as a key.

R6. Suppose N people want to communicate with each of N-1 other people using symmetric key encryption. All communication between any two people, i and j, is visible to all other people in this group of N, and no other person in this group should be able to decode their communication. How many keys are required in the system as a whole? Now suppose that public key encryption is used. How many keys are required in this case?

If each user wants to communicate with N other users, then each pair of users must have a shared symmetric key. There are N * (N-1) / 2 such pairs and thus N * (N-1) / 2 keys. With a public-key system, each user has a public key, which is known to all, and a private key (which is secret and known only to the user). There are thus 2N keys in the public-key system.

R7. Suppose n = 10,000, a = 10,023, and b = 10,004. Use an identity of modular arithmetic to calculate in your head (a * b) mod n.

a mod n = 23, b mod n = 4. Thus (a * b) mod n = 23 * 4 = 92.

R8. Suppose you want to encrypt the message 10101111 by encrypting the decimal number that corresponds to the message. What is the decimal number?

175

Section 8.3

R9. In what way does a hash provide a better message integrity check than a checksum (such as the Internet checksum)?

Not quite right!

One requirement of a message digest is that, given a message M, it is very difficult to find another message M' that has the same message digest and, given a message digest value, it is difficult to find another message M'' that has that value as its message digest. This is not true of the Internet checksum, where it is easy to find two messages with the same Internet checksum.

R10. Can you "decrypt" a hash of a message to get the original message? Explain your answer.

No. This is because a hash function is a one-way function. Given any hash value, the original message cannot be recovered (given h such that h = H(m), one cannot recover m from h).

R11. Consider a variation of the MAC algorithm (Figure 8.9) where the sender sends (m, H(m) + s), where H(m) + s is the concatenation of H(m) and s. Is this variation flawed? Why or why not?

This scheme is clearly flawed. An attacker can first sniff the communication and obtain the shared secret s by extracting the last portion of digits from H(m) + s. The attacker can then masquerade as the sender by creating their own message t and sending (t, H(t) + s).

R12. What does it mean for a signed document to be verifiable and non-forgeable?

Suppose that Bob sends an encrypted document to Alice. To be verifiable, Alice must be able to convince herself that Bob sent the encrypted document. To be non-forgeable, Alice must be able to convince herself that only Bob could have sent the encrypted document (for example, no one else could have guessed a key and encrypted/sent the document). To be non-repudiable, Alice must be able to convince someone else that only Bob could have sent the document. To illustrate the latter distinction, suppose that Bob and Alice share a secret key, and they are the only ones in the world who know the key. If Alice receives a document that was encrypted with the key, and knows that she did not encrypt the document herself, then the document is known to be verifiable and non-forgeable (assuming a suitably strong encryption system was used). However, Alice cannot convince someone else that Bob must have sent the document, since in fact Alice knew the key herself and could have encrypted/sent the document.

R13. In what way does the public-key encrypted message hash provide a better digital signature than the public-key encrypted message?

A public-key encrypted message digest is "better" in that one only needs to encrypt (using the private key) the short message digest, rather than the entire message. Since public-key encryption with a technique such as RSA is expensive, it is desirable to have to encrypt a smaller amount of data rather than a larger amount of data.

R14. Suppose certifier.com creates a certificate for foo.com. Typically, the entire certificate would be encrypted with certifier.com's public key. True or False?

This is false. To create the certificate, certifier.com would include a digital signature, which is a hash of foo.com's information (including its public key), signed with certifier.com's private key.

R15. Suppose Alice has a message that she is ready to send to anyone who asks. Thousands of people want to obtain Alice's message, but each wants to be sure of the integrity of the message. In this context, do you think a MAC-based or a digital signature-based integrity scheme is more suitable? Why?

For a MAC-based scheme, Alice would have to establish a shared key with each potential recipient. With digital signatures, she uses the same digital signature for each recipient; the digital signature is created by signing the hash of the message with her private key. Digital signatures are clearly the better choice here.
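The R11 flaw in runnable form, as an added example that is not part of the original answers: the variant (m, H(m) + s) puts s on the wire, while a keyed hash does not. SHA-256 and HMAC stand in for the book's H and for the keyed construction of Figure 8.9; the function names, messages and sample secret are constructed for illustration.

```python
import hashlib
import hmac

DIGEST_LEN = hashlib.sha256().digest_size  # 32 bytes; SHA-256 stands in for H


def flawed_tag(message: bytes, secret: bytes) -> bytes:
    """R11 variant: H(m) concatenated with s, so s travels in the clear."""
    return hashlib.sha256(message).digest() + secret


def flawed_verify(message: bytes, tag: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(tag, flawed_tag(message, secret))


def secret_visible_on_wire(tag: bytes) -> bytes:
    """Everything after the fixed-length digest is the shared secret itself."""
    return tag[DIGEST_LEN:]


def keyed_tag(message: bytes, secret: bytes) -> bytes:
    """Keyed hash: s is mixed into the hash input and is never transmitted."""
    return hmac.new(secret, message, hashlib.sha256).digest()


def keyed_verify(message: bytes, tag: bytes, secret: bytes) -> bool:
    return hmac.compare_digest(tag, keyed_tag(message, secret))


def compare_schemes(secret: bytes = b"constructed-shared-secret") -> dict:
    """Run both schemes on constructed messages and report what an observer gains."""
    observed = b"pay Bob 10"        # message seen in transit (constructed)
    altered = b"pay Trudy 1000"     # message the receiver must reject (constructed)

    # Flawed variant: the observer reads s from the tag and can tag anything.
    wire_tag = flawed_tag(observed, secret)
    leaked = secret_visible_on_wire(wire_tag)
    forged_accepted = flawed_verify(altered, flawed_tag(altered, leaked), secret)

    # Keyed hash: the tag does not contain s, and reusing the observed tag
    # on a different message fails verification.
    wire_tag_keyed = keyed_tag(observed, secret)
    return {
        "flawed_leaks_secret": leaked == secret,
        "flawed_accepts_forgery": forged_accepted,
        "keyed_tag_contains_secret": secret in wire_tag_keyed,
        "keyed_accepts_reused_tag": keyed_verify(altered, wire_tag_keyed, secret),
        "keyed_accepts_genuine": keyed_verify(observed, wire_tag_keyed, secret),
    }


if __name__ == "__main__":
    for name, value in compare_schemes().items():
        print(f"{name}: {value}")
```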

R16. What is the purpose of a nonce in an end-point authentication protocol?

The purpose of the nonce is to defend against the replay attack.

R17. What does it mean to say that a nonce is a once-in-a-lifetime value? In whose lifetime?

Once in a lifetime means that the entity sending the nonce will never again use that value to check whether another entity is "live".

R18. What is the man-in-the-middle attack? Can this attack occur when symmetric keys are used?

In a man-in-the-middle attack, the attacker places herself between Alice and Bob, altering the data sent between them. If Bob and Alice share a secret authentication key, then any alteration will be detected.

Section 8.4 - 8.7

R19. Suppose that Bob receives a PGP message from Alice. How does Bob know for sure that Alice created the message (rather than, say, Trudy)? Does PGP use a MAC for message integrity?

Alice provides a digital signature, from which Bob can verify that the message came from Alice. PGP uses digital signatures, not MACs, for message integrity.

R20. In the SSL record, there is a field for SSL sequence numbers. True or False?

False. SSL uses implicit sequence numbers.

R21. What is the purpose of the random nonces in the SSL handshake?

The purpose of the random nonces in the handshake is to defend against the connection replay attack.

R22. Suppose an SSL session employs a block cipher with CBC. True or False: the server sends to the client the IV in the clear?

True. The IV is always sent in the clear. In SSL, it is sent during the SSL handshake.

R23. Suppose Bob initiates a TCP connection to Trudy who is pretending to be Alice. During the handshake, Trudy sends Bob Alice's certificate. In what step of the SSL handshake algorithm will Bob discover that he is not communicating with Alice?

After the client generates a pre-master secret (PMS), it encrypts it with Alice's public key and then sends the encrypted PMS to Trudy. Trudy will not be able to decrypt the PMS, since she does not have Alice's private key. Thus Trudy will not be able to determine the shared authentication key. She may instead guess one by choosing a random key. During the last step of the handshake, she sends Bob a MAC of all the handshake messages, using the guessed authentication key. When Bob receives the MAC, the MAC test will fail, and Bob will terminate the TCP connection.

R24. Consider sending a stream of packets from Host A to Host B using IPsec. Typically, a new SA will be established for each packet sent in the stream. True or False?

False. Typically an IPsec SA is first established between Host A and Host B. Then all packets in the stream use that SA.

R25. Suppose that TCP is being run over IPsec between headquarters and the branch office in Figure 8.29. If TCP retransmits the same packet, then the two corresponding packets sent by R1 will have the same sequence number in the ESP header. True or False?

False. IPsec will increment the sequence number for every packet it sends.

R26. An IKE SA and an IPsec SA are the same thing? True or False?

False. An IKE SA is used to establish one or more IPsec SAs.

R27. Consider WEP for 802.11. Suppose that the data is 10101100 and the keystream is 1111000. What is the resulting ciphertext?

01011100

R28. In WEP, an IV is sent in the clear in every frame. True or False?

True.

R29. Stateful packet filters maintain two data structures. Name them and briefly describe what they do.

Filter table and connection table. The connection table keeps track of connections, which allows a finer degree of packet filtering.

R30. Consider a traditional (stateless) packet filter. This packet filter may filter packets based on TCP flag bits as well as other header fields. True or False?

True.

R31. In a traditional packet filter, each interface can have its own access control list. True or False?

True.

R32. Why must an application gateway work in conjunction with a router filter to be effective?

If there is no packet filter, then users inside the institution's network will still be free to make direct connections to hosts outside the institution's network. The filter forces users to connect to the application gateway first.

R33. Signature-based IDSs and IPSs inspect into the payloads of TCP and UDP segments. True or False?

True.

Problems

P1. Using the monoalphabetic cipher in Figure 8.3, encode the message "This is an easy problem." Decode the message "rmij'u uamu xyj."

The encoding of "This is an easy problem" is "uasi si my cmiw lokngch". The decoding of "rmij'u uamu xyj" is "wasn't that fun".

P2. Show that Trudy's known-plaintext attack, in which she knows the (ciphertext, plaintext) translation pairs for seven letters, reduces the number of possible substitutions to be checked in the example in Section 8.2.1 by approximately 10^9.

If Trudy knew that the words "bob" and "Alice" appeared in the text, then she would know the ciphertext for b, o, a, l, i, c, e (since "bob" is the only palindrome in the message, and "Alice" is the only 5-letter word). If Trudy knows the ciphertext for 7 of the letters, then she only needs to try 19!, rather than 26!, plaintext-ciphertext pairs. The difference between 19! and 26! is 26 * 25 * 24 * ... 20, which is 3315312000, or approximately 10 to the power 9.

P3. Consider the polyalphabetic system shown in Figure 8.4. Will a chosen-plaintext attack that is able to get the plaintext encoding of the message "The quick brown fox jumps over the lazy dog." be sufficient to decode all messages? Why or why not?

Every letter of the alphabet appears in the phrase "The quick fox jumps over the lazy brown dog." Given this phrase in a chosen-plaintext attack (where the attacker has both the plaintext and the ciphertext), the Caesar cipher would be broken: the intruder would know the ciphertext character for every plaintext character. However, the Vigenere cipher does not always translate a given plaintext character to the same ciphertext character each time, and hence a Vigenere cipher would not be immediately broken by this chosen-plaintext attack.

P4. Consider the block cipher in Figure 8.5. Suppose that each block cipher T_i simply reverses the order of the eight input bits (so that, for example, 11110000 becomes 00001111). Further suppose that the 64-bit scrambler does not modify any bits (so that the output value of the mth bit is equal to the input value of the mth bit). (a) With n = 3 and the original 64-bit input equal to 10100000 repeated eight times, what is the value of the output? (b) Repeat part (a) but now change the last bit of the original 64-bit input from a 0 to a 1. (c) Repeat parts (a) and (b) but now suppose that the 64-bit scrambler inverses the order of the 64 bits.

a) The output is equal to 00000101 repeated eight times.
b) The output is equal to 00000101 repeated seven times + 10000101.
c) We have ( ) = CBA, where A, B, C are strings and R is the reverse operation. Thus: 1) for (a), the output is 10100000 repeated eight times; 2) for (b), the output is 10100001 + 10100000 repeated seven times.

P5. Consider the block cipher in Figure 8.5. For a given "key" Alice and Bob would need to keep eight tables, each 8 bits by 8 bits. For Alice (or Bob) to store all eight tables, how many bits of storage are necessary? How does this number compare with the number of bits required for a full-table 64-bit block cipher?

There are 8 tables. Each table has entries. Each entry has 8 bits. Number of tables * size of each table * size of each entry = 8 * * 8 = bits.

There are entries. Each entry has 64 bits. bits.

P6. Consider the 3-bit block cipher in Table 8.1. Suppose the plaintext is 100100100. (a) Initially assume that CBC is not used. What is the resulting ciphertext? (b) Suppose Trudy sniffs the ciphertext. Assuming she knows that a 3-bit block cipher without CBC is being employed (but doesn't know the specific cipher), what can she surmise? (c) Now suppose that CBC is used with IV = 111. What is the resulting ciphertext?

(a) 100100100 ==> 011011011

(b) Trudy will know that the three plaintext blocks are the same.

(c) c(i) = KS(m(i) XOR c(i-1))
c(1) = KS(100 XOR 111) = KS(011) = 100
c(2) = KS(100 XOR 100) = KS(000) = 110
c(3) = KS(100 XOR 110) = KS(010) = 101
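The P6 computation carried through in code, as an added example that is not part of the original answers, including CBC decryption and the block repetition Trudy observes in part (b). The page's answer shows four entries of Table 8.1 (011->100, 000->110, 010->101, 100->011); the other four entries below are taken from the textbook table and are an assumption here, as are all function names.

```python
BLOCK = 3

# 3-bit block cipher of Table 8.1 (input -> output). Four entries appear in
# the page's answer; the remaining four are assumed from the textbook table.
TABLE = {
    "000": "110", "001": "111", "010": "101", "011": "100",
    "100": "011", "101": "010", "110": "000", "111": "001",
}
INVERSE = {out: inp for inp, out in TABLE.items()}


def split_blocks(bits: str) -> list:
    """Split a bit string into 3-bit blocks, rejecting malformed input."""
    if len(bits) % BLOCK or set(bits) - {"0", "1"}:
        raise ValueError("input must be a bit string whose length is a multiple of 3")
    return [bits[i:i + BLOCK] for i in range(0, len(bits), BLOCK)]


def xor_bits(a: str, b: str) -> str:
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def ecb_encrypt(plaintext: str) -> str:
    """No chaining: equal plaintext blocks give equal ciphertext blocks."""
    return "".join(TABLE[block] for block in split_blocks(plaintext))


def cbc_encrypt(plaintext: str, iv: str) -> str:
    """c(i) = KS(m(i) XOR c(i-1)), with c(0) = IV."""
    previous, out = iv, []
    for block in split_blocks(plaintext):
        previous = TABLE[xor_bits(block, previous)]
        out.append(previous)
    return "".join(out)


def cbc_decrypt(ciphertext: str, iv: str) -> str:
    """m(i) = KS^-1(c(i)) XOR c(i-1)."""
    previous, out = iv, []
    for block in split_blocks(ciphertext):
        out.append(xor_bits(INVERSE[block], previous))
        previous = block
    return "".join(out)


def repeated_blocks(ciphertext: str) -> int:
    """Number of ciphertext blocks that duplicate an earlier block.
    This is what an eavesdropper can count without knowing the cipher."""
    seen, repeats = set(), 0
    for block in split_blocks(ciphertext):
        repeats += block in seen
        seen.add(block)
    return repeats


if __name__ == "__main__":
    plaintext, iv = "100100100", "111"
    ecb = ecb_encrypt(plaintext)
    cbc = cbc_encrypt(plaintext, iv)
    print("no CBC:", ecb, "repeated blocks:", repeated_blocks(ecb))
    print("CBC   :", cbc, "repeated blocks:", repeated_blocks(cbc))
    print("CBC decrypts to:", cbc_decrypt(cbc, iv))
```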

P7. (a) Using RSA, choose p = 3 and q = 11, and encode the word "dog" by encrypting each letter separately. Apply the decryption algorithm to the encrypted version to recover the original plaintext message. (b) Repeat part (a) but now encrypt "dog" as one message m.

(a) We are given p = 3 and q = 11. We thus have n = 33 and q = 11. Choose e = 9, since 3 and (p-1)*(q-1) = 10 have no common factors. Choose d = 9 so that e*d = 81 and thus e*d - 1 = 80 is exactly divisible by 20. We can now perform RSA encryption and decryption using n = 33, e = 9 and d = 9.

(b) We first consider each letter as a 5-bit number: 00100, 01111, 00111. Now we concatenate the letters to get 001000111100111 and encrypt the resulting decimal number m = 4583. The concatenated decimal number m (= 4583) is larger than the current n (= 33). We need m < n. So we use p = 43, q = 107, n = p * q = 4601, z = (p-1)(q-1) = 4452, e = 61, d = 73.
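P7 worked in code with the parameters from the answer above, as an added example that is not part of the original answers. It derives d from (p, q, e), enforces m < n, and shows that per-letter textbook RSA maps equal letters to equal ciphertexts; the letter numbering a = 1 ... z = 26 follows the 5-bit values in part (b), and all function names are constructed.

```python
from math import gcd


def make_key(p: int, q: int, e: int) -> tuple:
    """Return (n, e, d) for textbook RSA, with e*d = 1 (mod z), z = (p-1)(q-1)."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < z or gcd(e, z) != 1:
        raise ValueError("e must be in (1, z) and share no factor with z")
    d = pow(e, -1, z)  # modular inverse (Python 3.8+)
    return n, e, d


def rsa(m: int, exponent: int, n: int) -> int:
    """m^exponent mod n; used for both encryption (e) and decryption (d)."""
    if not 0 <= m < n:
        raise ValueError("message must satisfy 0 <= m < n")
    return pow(m, exponent, n)


def letter_values(word: str) -> list:
    """a = 1, ..., z = 26, so 'dog' -> [4, 15, 7]."""
    return [ord(ch) - ord("a") + 1 for ch in word.lower()]


def encrypt_per_letter(word: str, n: int, e: int) -> list:
    """Part (a): one RSA operation per letter.
    Deterministic, so it behaves like a monoalphabetic substitution."""
    return [rsa(v, e, n) for v in letter_values(word)]


def decrypt_per_letter(cipher: list, n: int, d: int) -> str:
    return "".join(chr(rsa(c, d, n) + ord("a") - 1) for c in cipher)


def pack_5bit(word: str) -> int:
    """Part (b): concatenate the 5-bit letter codes into one integer."""
    m = 0
    for v in letter_values(word):
        m = (m << 5) | v
    return m


def unpack_5bit(m: int, length: int) -> str:
    values = [(m >> (5 * i)) & 0b11111 for i in reversed(range(length))]
    return "".join(chr(v + ord("a") - 1) for v in values)


if __name__ == "__main__":
    n, e, d = make_key(3, 11, 9)
    c = encrypt_per_letter("dog", n, e)
    print("per letter:", c, "->", decrypt_per_letter(c, n, d))
    print("'good' per letter:", encrypt_per_letter("good", n, e))  # repeated o repeats

    m = pack_5bit("dog")
    n2, e2, d2 = make_key(43, 107, 61)
    c2 = rsa(m, e2, n2)
    print("single block:", m, "->", c2, "->", unpack_5bit(rsa(c2, d2, n2), 3))
```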

P8. Consider RSA with p = 5 and q = 11. a. What are n and z? b. Let e be 3. Why is this an acceptable choice for e? c. Find d such that de = 1 (mod z) and d < 160. d. Encrypt the message m = 8 using the key (n, e). Let c denote the corresponding ciphertext. Show all work. Hint: To simplify the calculations, use the fact: [(a mod n) * (b mod n)] mod n = (a * b) mod n

p = 5, q = 11
(a) n = p*q = 55, z = (p-1)(q-1) = 40
(b) e = 3 is less than n and has no common factors with z.
(c) d = 27
(d) m = 8, = 512, ciphertext c = mod n = 17

P9. In this problem, we explore the Diffie-Hellman (DH) public-key encryption algorithm, which allows two entities to agree on a shared key. The DH algorithm makes use of a large prime number p and another large number g less than p. Both p and g are made public (so that an attacker would know them). In DH, Alice and Bob each independently choose secret keys, and , respectively. Alice then computes her public key, by raising g to and then taking mod p. Bob similarly computes his own public key by raising g to and then taking mod p. Alice and Bob then exchange their public keys over the Internet. Alice then calculates the shared secret key S by raising to and then taking mod p. Similarly, Bob calculates the shared key S' by raising to and then taking mod p.
a. Prove that in general that Alice and Bob obtain the same symmetric key, that is, prove S = S'.
b. With p = 11 and g = 2, suppose Alice and Bob choose private keys =5 and = 12, respectively. Calculate Alice's and Bob's public keys, and . Show all work.
c. Following up on part (b), now calculate S as the shared symmetric key. Show all work.
d. Provide a timing diagram that shows how Diffie-Hellman can be attacked by a man-in-the-middle. The timing diagram should have three vertical lines, one for Alice, one for Bob, and one for the attacker Trudy.

The Diffie-Hellman public-key encryption algorithm can be attacked by a man-in-the-middle.
1. In this attack, Trudy receives Alice's public value ( ) and sends her own public value ( ) to Bob.
2. When Bob transmits his public value ( ), Trudy sends her public key to Alice ( ).
3. Trudy and Alice thus agree on one shared key ( ), and Trudy and Bob agree on another shared key ( ).
4. After this exchange, Trudy simply decrypts all messages sent by Alice or Bob with the public keys and ).

P10. Suppose Alice wants to communicate with Bob using symmetric key cryptography using a session key . In Section 8.2, we learned how public-key cryptography can be used to distribute the session key from Alice to Bob. In this problem, we explore how the session key can be distributed, without public key cryptography, using a key distribution center (KDC). The KDC is a server that shares a unique secret symmetric key with each registered user. For Alice and Bob, denote these keys by and . Design a scheme that uses the KDC to distribute to Alice and Bob. Your scheme should use three messages to distribute the session key: a message from Alice to the KDC; a message from the KDC to Alice; and finally a message from Alice to Bob. The first message is (A, B). Using the notation S.A and B answer the following questions. a. What is the second message? b. What is the third message?

P11. Compute a third message, different from the two messages in Figure 8.8, that has the same checksum as the messages in Figure 8.8.

The message I O U 1 9 0 . 9 0 B O B has the same checksum.

P12. Suppose Alice and Bob share two secret keys: an authentication key S1 and a symmetric encryption key S2. Augment Figure 8.9 so that both integrity and confidentiality are provided.

P13. In the BitTorrent P2P file distribution protocol (see Chapter 2), the seed breaks the file into blocks, and the peers redistribute the blocks to each other. Without any protection, an attacker can easily wreak havoc in a torrent by masquerading as a benevolent peer and sending bogus blocks to a small subset of peers in the torrent. These unsuspecting peers then redistribute the bogus blocks to other peers, which in turn redistribute the bogus blocks to even more peers. Thus, it is critical for BitTorrent to have a mechanism that allows a peer to verify the integrity of a block, so that it doesn't redistribute bogus blocks. Assume that when a peer joins a torrent, it initially gets a .torrent file from a fully trusted source. Describe a simple scheme that allows peers to verify the integrity of blocks.

The file is divided into blocks of equal size. For each block, compute the hash (for example, with MD5 or SHA-1). The hashes for all the blocks are stored in the .torrent file. Whenever a peer downloads a block, it computes the hash of that block and compares it with the hash in the .torrent file. If the two hashes are equal, the block is valid. Otherwise, the block is bogus and must be discarded.

P14. The OSPF routing protocol uses a MAC rather than digital signatures to provide message integrity. Why do you think a MAC was chosen over digital signatures?

Digital signatures require an underlying Public Key Infrastructure (PKI) with certification authorities. For OSPF, all routers are in the same domain, so the administrator can easily deploy the symmetric key on each router, without the need for a PKI.

P15. Consider our authentication protocol in Figure 8.16 in which Alice authenticates herself to Bob, which we saw works well (i.e., we found no flaws in it). Now suppose that while Alice is authenticating herself to Bob, Bob must authenticate himself to Alice. Give a scenario by which Trudy, pretending to be Alice, can now authenticate herself to Bob as Alice. (Hint: Consider that the sequence of operations of the protocol, one with Trudy initiating and one with Bob initiating, can be arbitrarily interleaved. Pay particular attention to the fact that both Bob and Alice will use a nonce, and that if care is not taken, the same nonce can be used maliciously.)

Bob does not initially know whether he is talking to Trudy or Alice. Bob and Alice share a secret key that is unknown to Trudy. Trudy wants Bob to authenticate her (Trudy) as Alice. Trudy will have Bob authenticate himself, and waits for Bob to start:

1. Bob-to-Trudy: "I am Bob". Comment: Bob starts to authenticate himself. Bob's authentication of himself to the other side then stops for a few steps.
2. Trudy-to-Bob: "I am Alice". Comment: Trudy starts to authenticate herself as Alice.
3. Bob-to-Trudy: R. Comment: Bob responds to step 2 by sending a nonce in reply. Trudy does not yet know (R), so she cannot yet reply.
4. Trudy-to-Bob: R. Comment: Trudy responds to step 1, now continuing Bob's authentication, choosing as the nonce for Bob to encrypt the exact same value that Bob sent her to encrypt in step 3.
5. Bob-to-Trudy: (R). Bob completes his own authentication of himself to the other side by encrypting the nonce that was sent in step 4. Trudy now has (R). (Note: she does not have, nor will she need, .)
6. Trudy-to-Bob: (R). Trudy completes her authentication, responding to the R that Bob sent in step 3 above with (R). Since Trudy has returned the properly encrypted nonce that Bob sent in step 3, Bob thinks Trudy is Alice!
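The six-step interleaving above as a message exchange, next to a variant that rejects it, as an added example that is not part of the original answers. HMAC-SHA256 stands in for the shared-key operation applied to the nonce, and binding the responder's name into that operation is a standard countermeasure assumed here rather than something the page's answer gives; class and function names are constructed.

```python
import hashlib
import hmac
import secrets


def keyed(key: bytes, data: bytes) -> bytes:
    """Stand-in for the shared-key operation on the nonce: needs the key to compute."""
    return hmac.new(key, data, hashlib.sha256).digest()


class Party:
    """One endpoint of the mutual challenge-response protocol."""

    def __init__(self, name: bytes, key: bytes, bind_identity: bool):
        self.name = name
        self.key = key
        self.bind_identity = bind_identity  # False reproduces the protocol in P15
        self.outstanding = None             # nonce this party is waiting on

    def _label(self, who: bytes) -> bytes:
        return who + b"|" if self.bind_identity else b""

    def challenge(self) -> bytes:
        """Send a fresh nonce R to the peer being authenticated."""
        self.outstanding = secrets.token_bytes(16)
        return self.outstanding

    def respond(self, nonce: bytes) -> bytes:
        """Prove own identity by answering the peer's nonce."""
        return keyed(self.key, self._label(self.name) + nonce)

    def accept(self, claimed_name: bytes, response: bytes) -> bool:
        """Check the peer's answer to our outstanding nonce (single use)."""
        if self.outstanding is None:
            return False
        expected = keyed(self.key, self._label(claimed_name) + self.outstanding)
        self.outstanding = None
        return hmac.compare_digest(expected, response)


def honest_run(bind_identity: bool) -> bool:
    """Alice, who holds the key, authenticates to Bob."""
    key = secrets.token_bytes(32)
    alice = Party(b"alice", key, bind_identity)
    bob = Party(b"bob", key, bind_identity)
    r = bob.challenge()
    return bob.accept(b"alice", alice.respond(r))


def reflection_run(bind_identity: bool) -> bool:
    """Steps 1-6 above. The peer never holds the key; it only relays
    Bob's own messages back to him across the two interleaved runs."""
    bob = Party(b"bob", secrets.token_bytes(32), bind_identity)
    r = bob.challenge()                  # step 3: Bob's nonce for "Alice"
    echoed = bob.respond(r)              # steps 4-5: Bob answers the same R
    return bob.accept(b"alice", echoed)  # step 6: answer returned to Bob


if __name__ == "__main__":
    for bind in (False, True):
        print(f"bind_identity={bind}: honest Alice accepted={honest_run(bind)}, "
              f"reflected answer accepted={reflection_run(bind)}")
```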

P16. In the man-in-the-middle attack in Figure 8.19, Alice has not authenticated Bob. If Alice were to require Bob to authenticate himself using the public key authentication protocol, would the man-in-the-middle attack be avoided? Explain your reasoning.

This would not really solve the problem. Just as Bob thinks (incorrectly) that he is authenticating Alice in the first half of Figure 7.14, so too can Trudy fool Alice into thinking (incorrectly) that she is authenticating Bob. The root of the problem is that neither Bob nor Alice can tell whether the public key they are getting is indeed the public key of Alice or of Bob.

P17. Figure 8.20 shows the operations that Alice must perform with PGP to provide confidentiality, authentication, and integrity. Diagram the corresponding operations that Bob must perform on the package received from Alice.

P18. Suppose Alice wants to send an e-mail to Bob. Bob has a public-private key pair ( ), and Alice has Bob's certificate. But Alice does not have a public, private key pair. Alice and Bob (and the entire world) share the same hash function H(*).

a. In this situation, is it possible to design a scheme so that Bob can verify that Alice created the message? If so, show how with a block diagram for Alice and Bob.
b. Is it possible to design a scheme that provides confidentiality for sending the message from Alice to Bob? If so, show how with a block diagram for Alice and Bob.

(a) No, without a public-private key pair or a pre-shared secret, Bob cannot verify that Alice created the message.
(b) Yes, Alice simply encrypts the message with Bob's public key and sends the encrypted message to Bob.

P19. Consider the Wireshark output below for a portion of an SSL session.
a. Is Wireshark packet 112 sent by the client or server?
b. What is the server's IP address and port number?
c. Assuming no loss and no retransmissions, what will be the sequence number of the next TCP segment sent by the client?
d. How many SSL records does Wireshark packet 112 contain?
e. Does packet 112 contain a Master Secret or an Encrypted Master Secret or neither?
f. Assuming that the handshake type field is 1 byte and each length field is 3 bytes, what are the values of the first and last bytes of the Master Secret (or Encrypted Master Secret)?
g. The client encrypted handshake message takes into account how many SSL records?
h. The server encrypted handshake message takes into account how many SSL records?

a) Client
b) IP: 216.75.194.220, port: 443
c) 283
d) 3 SSL records
e) Yes, it contains an encrypted master secret
f) First byte: bc; last byte: 29
g) 6

P20. In Section 8.5.1, it is shown that without sequence numbers, Trudy (a woman-in-the-middle) can wreak havoc in an SSL session by interchanging TCP segments. Can Trudy do something similar by deleting a TCP segment? What does she need to do to succeed at the deletion attack? What effect will it have?

Again, suppose that SSL does not provide sequence numbers. Suppose that Trudy, a woman-in-the-middle, deletes a TCP segment. So that Bob does not notice anything, Trudy must also adjust the sequence numbers in the subsequent packets sent from Alice to Bob, and the acknowledgment numbers sent from Bob to Alice. The result will be that Bob will, unknowingly, be missing a packet's worth of bytes in the byte stream.

P21. Suppose Alice and Bob are communicating over an SSL session. Suppose an attacker, who does not have any of the shared keys, inserts a bogus TCP segment into a packet stream with correct TCP checksum and sequence numbers (and correct IP addresses and port numbers). Will SSL at the receiving side accept the bogus packet and pass the payload to the receiving application? Why or why not?

No, the bogus packet will fail the integrity check (which uses a shared MAC key).

P22. The following True/False questions pertain to Figure 8.29.
a. When a host in 172.16.1/24 sends a datagram to an Amazon.com server, the router R1 will encrypt the datagram using IPsec.
b. When a host in 172.16.1/24 sends a datagram to a host in 172.16.2/24, the router R1 will change the source and destination address of the IP datagram.
c. Suppose a host in 172.16.1/24 initiates a TCP connection to a Web server in 172.16.2/24. As part of this connection, all datagrams sent by R1 will have protocol number 50 in the left-most IPv4 header field.
d. Consider sending a TCP segment from a host in 172.16.1/24 to a host in 172.16.2/24. Suppose the acknowledgment for this segment gets lost, so that TCP resends the segment. Because IPsec uses sequence numbers, R1 will not resend the TCP segment.

(a) F (b) T (c) T (d) F

P23. Consider the example in Figure 8.29. Suppose Trudy is a woman-in-the-middle, who can insert datagrams into the stream of datagrams going from R1 and R2. As part of a replay attack, Trudy sends a duplicate copy of one of the datagrams sent from R1 to R2. Will R2 decrypt the duplicate datagram and forward it into the branch-office network? If not, describe in detail how R2 detects the duplicate datagram.

If Trudy does not bother to change the sequence number, R2 will detect the duplicate when checking the sequence number in the ESP header. If Trudy increments the sequence number, the packet will fail the integrity check at R2.

P24. Consider the following pseudo-WEP protocol. The key is 4 bits and the IV is 2 bits. The IV is appended to the end of the key when generating the keystream. Suppose that the shared secret key is 1010. The keystreams for the four possible inputs are as follows:

101000: 0010101101010101001011010100100
101001: 1010011011001010110100100101101
101010: 0001101000111100010100101001111
101011: 1111101010000000101010100010111

Suppose all messages are 8 bits long. Suppose the ICV (integrity check) is 4 bits long, and is calculated by XOR-ing the first 4 bits of data with the last 4 bits of data. Suppose the pseudo-WEP packet consists of three fields: first the IV field, then the message field, and last the ICV field, with some of these fields encrypted.
a. We want to send the message m = 10100000 using the IV = 11 and using WEP. What will be the values in the three WEP fields?
b. Show that when the receiver decrypts the WEP packet, it recovers the message and the ICV.
c. Suppose Trudy intercepts a WEP packet (not necessarily with the IV = 11) and wants to modify it before forwarding it to the receiver. Suppose Trudy flips the first ICV bit. Assuming that Trudy does not know the keystreams for any of the IVs, what other bit(s) must Trudy also flip so that the received packet passes the ICV check?
d. Justify your answer by modifying the bits in the WEP packet in part (a), decrypting the resulting packet, and verifying the integrity check.

a) Since IV = 11, the keystream is 111110100000.
Given m = 10100000, ICV = 1010 XOR 0000 = 1010.
The three fields will be:
IV: 11
Encrypted message: 10100000 XOR 11111010 = 01011010
Encrypted ICV: 1010 XOR 0000 = 1010

b) The receiver extracts the IV (11) and generates the keystream 111110100000.
It XORs the encrypted message with the keystream to recover the original message: 01011010 XOR 11111010 = 10100000
It XORs the encrypted ICV with the keystream to recover the original ICV: 1010 XOR 0000 = 1010
The receiver then XORs the first 4 bits of the recovered message with its last 4 bits: 1010 XOR 0000 = 1010 (which equals the recovered ICV).

c) Since the ICV is calculated as the XOR of the first 4 bits of the message with the last 4 bits of the message, either the 1st bit or the 5th bit of the message has to be flipped for the received packet to pass the ICV check.

d) For part (a), the encrypted message was 01011010.
Flipping the 1st bit gives 11011010.
Trudy XORs this message with the keystream: 11011010 XOR 11111010 = 00100000
If Trudy flips the first bit of the encrypted ICV, the ICV value received by the receiver is 0010.
The receiver XORs this value with the keystream to get the ICV: 0010 XOR 0000 = 0010
The receiver now calculates the ICV from the recovered message: 0010 XOR 0000 = 0010 (which equals the recovered ICV, and so the received packet passes the ICV check).

P25. Provide a filter table and a connection table for a stateful firewall that is as restrictive as possible but accomplishes the following: a. Allows all internal users to establish Telnet sessions with external hosts. b. Allows external users to surf the company Web site at 222.22.0.12. c. But otherwise blocks all inbound and outbound traffic. The internal network is 222.22/16. In your solution, suppose that the connection table is currently caching three connections, all from inside to outside. You'll need to invent appropriate IP addresses and port numbers.
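The pseudo-WEP packet of P24 and the bit-flip check from parts (c) and (d), as an added example that is not part of the original answers. It uses the 12 keystream bits quoted in the answer to part (a) and goes beyond that one packet by checking every 8-bit message under two further constructed keystreams, which shows why an unkeyed, XOR-linear ICV under a stream cipher gives no integrity; all function names are constructed and bit positions are 0-indexed.

```python
# Keystream bits the answer to part (a) uses for IV = 11:
# 8 bits cover the message, 4 bits cover the ICV.
KEYSTREAM_IV11 = "111110100000"


def xor_bits(a: str, b: str) -> str:
    if len(a) != len(b):
        raise ValueError("bit strings must have equal length")
    return "".join("1" if x != y else "0" for x, y in zip(a, b))


def icv(message: str) -> str:
    """Integrity check of P24: first 4 bits XOR last 4 bits (no key involved)."""
    return xor_bits(message[:4], message[4:])


def encrypt(iv: str, message: str, keystream: str) -> tuple:
    """Packet = (IV in the clear, encrypted message, encrypted ICV)."""
    return iv, xor_bits(message, keystream[:8]), xor_bits(icv(message), keystream[8:12])


def receive(packet: tuple, keystream: str) -> tuple:
    """Decrypt and return (message, integrity_check_passed)."""
    _, c_msg, c_icv = packet
    message = xor_bits(c_msg, keystream[:8])
    return message, icv(message) == xor_bits(c_icv, keystream[8:12])


def flip(bits: str, index: int) -> str:
    return bits[:index] + ("0" if bits[index] == "1" else "1") + bits[index + 1:]


def tamper(packet: tuple, message_bits: list, icv_bits: list) -> tuple:
    """Flip ciphertext bits in transit; no keystream knowledge is used."""
    iv, c_msg, c_icv = packet
    for i in message_bits:
        c_msg = flip(c_msg, i)
    for i in icv_bits:
        c_icv = flip(c_icv, i)
    return iv, c_msg, c_icv


def forgery_always_passes() -> bool:
    """For every message and every ICV bit k, flipping message bit k or k+4
    together with ICV bit k still passes the check."""
    keystreams = [KEYSTREAM_IV11, "000000000000", "101100111000"]  # last two constructed
    for ks in keystreams:
        for value in range(256):
            packet = encrypt("11", format(value, "08b"), ks)
            for k in range(4):
                for msg_bit in (k, k + 4):
                    if not receive(tamper(packet, [msg_bit], [k]), ks)[1]:
                        return False
    return True


if __name__ == "__main__":
    pkt = encrypt("11", "10100000", KEYSTREAM_IV11)
    print("packet:", pkt)
    print("untouched:", receive(pkt, KEYSTREAM_IV11))
    print("ICV bit only:", receive(tamper(pkt, [], [0]), KEYSTREAM_IV11))
    print("ICV bit + message bit 1:", receive(tamper(pkt, [0], [0]), KEYSTREAM_IV11))
    print("ICV bit + message bit 5:", receive(tamper(pkt, [4], [0]), KEYSTREAM_IV11))
    print("holds for all messages:", forgery_always_passes())
```

The check fails to detect the change because XOR-ing a bit into the ciphertext XORs the same bit into the plaintext, and the ICV is itself an XOR of message bits; a keyed MAC over the message removes that linearity.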
