Handout 20 - Quiz 2 Solutions

Similar documents
THIS IS AN OPEN BOOK, OPEN NOTES QUIZ.

CISNTWK-440. Chapter 4 Network Vulnerabilities and Attacks

MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

CS164 Final Exam Winter 2013

NETWORK SECURITY. Ch. 3: Network Attacks

On the Internet, nobody knows you re a dog.

MPEG Frame Types intrapicture predicted picture bidirectional predicted picture. I frames reference frames

R (2) Implementation of following spoofing assignments using C++ multi-core Programming a) IP Spoofing b) Web spoofing.

SPOOFING. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

Chapter 9: Key Management

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 161 Computer Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CYBER ATTACKS EXPLAINED: PACKET SPOOFING

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

Security Handshake Pitfalls

CS 161 Computer Security

ELEC5616 COMPUTER & NETWORK SECURITY

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Full file at

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Internet Layers. Physical Layer. Application. Application. Transport. Transport. Network. Network. Network. Network. Link. Link. Link.

CS 494/594 Computer and Network Security

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Security Handshake Pitfalls

Securing Internet Communication: TLS

Systems and Network Security (NETW-1002)

P2_L12 Web Security Page 1

(a) Which of these two conditions (high or low) is considered more serious? Justify your answer.

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

CS 361S - Network Security and Privacy Spring Homework #1

Outline Key Management CS 239 Computer Security February 9, 2004

Guide to Networking Essentials, 6 th Edition. Chapter 5: Network Protocols

Spring 2010: CS419 Computer Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni

Lecture 9. Authentication & Key Distribution

Bank Infrastructure - Video - 1

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz II

ADP Security Management Service

CSE 123b Communications Software

Quick announcements. CSE 123b Communications Software. Today s issues. Last class. The Mobility Problem. Problems. Spring 2004

Nigori: Storing Secrets in the Cloud. Ben Laurie

Session key establishment protocols

When does it work? Packet Sniffers. INFO Lecture 8. Content 24/03/2009

Session key establishment protocols

What did we talk about last time? Public key cryptography A little number theory

CN Assignment I. 1. With an example explain how cookies are used in e-commerce application to improve the performance.

TELNET is short for Terminal Network Enables the establishment of a connection to a remote system, so that the local terminal appears to be the

Chapter 13. Digital Cash. Information Security/System Security p. 570/626

Review for Internet Introduction

Introduction to Security and User Authentication

The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to

CSE 123A Computer Netwrking

Networking and Health Information Exchange Unit 1a ISO Open Systems Interconnection (OSI) Slide 1. Slide 2. Slide 3

Can HTTP Strict Transport Security Meaningfully Help Secure the Web? nicolle neulist June 2, 2012 Security B-Sides Detroit

Network Defenses 21 JANUARY KAMI VANIEA 1

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

Network Security - ISA 656 IPsec IPsec Key Management (IKE)

Cryptographic Checksums

Internet Protocol and Transmission Control Protocol

NETWORK INTRUSION. Information Security in Systems & Networks Public Development Program. Sanjay Goel University at Albany, SUNY Fall 2006

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

Configuring attack detection and prevention 1

Firewalls, Tunnels, and Network Intrusion Detection

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Pre-exam 3 Review. Fall Paul Krzyzanowski Distributed Systems

Secure Internet Commerce -- Design and Implementation of the Security Architecture of Security First Network Bank, FSB. Abstract

Full file at

Instructions 1 Elevation of Privilege Instructions

CS 161 Computer Security

L13. Reviews. Rocky K. C. Chang, April 10, 2015

SIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels

Communication Networks ( ) / Fall 2013 The Blavatnik School of Computer Science, Tel-Aviv University. Allon Wagner

Main area: Security Additional areas: Digital Access, Information Literacy, Privacy and Reputation

Exercises with solutions, Set 3

1 Identification protocols

Computer Security Spring 2010 Paxson/Wagner Notes 3/8. Key Management. 1 Cryptographic Hash Functions. 2 Man-in-the-middle Attacks

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Public-Key Infrastructure NETS E2008


User Authentication. Modified By: Dr. Ramzi Saifan

Security and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web

Authentication & Authorization

(2½ hours) Total Marks: 75

Communications Software. CSE 123b. CSE 123b. Spring Lecture 10: Mobile Networking. Stefan Savage

Quick announcement. CSE 123b Communications Software. Last class. Today s issues. The Mobility Problem. Problems. Spring 2003

Sirindhorn International Institute of Technology Thammasat University

Computer Networks & Security 2016/2017

WEB SECURITY: XSS & CSRF

OPC UA Configuration Manager PTC Inc. All Rights Reserved.

Instructions 1. Elevation of Privilege Instructions. Draw a diagram of the system you want to threat model before you deal the cards.

Q.1. (a) [4 marks] List and briefly explain four reasons why resource sharing is beneficial.

CS Final Exam

Networking and Health Information Exchange: ISO Open System Interconnection (OSI)

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

INSTRUCTIONS TO CANDIDATES

CPSC 467b: Cryptography and Computer Security

ITEC 350: Introduction To Computer Networking Midterm Exam #2 Key. Fall 2008

Transcription:

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.033 Computer Systems Engineering: Spring 2001 Handout 20 - Quiz 2 Solutions 20 Average: 81 Median: 83 Std. Deviation: 9 "q2.dat" 15 10 5 0 0 10 20 30 40 50 60 70 80 90 100

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 2 of 13 I Reading questions 1. [6 points]: What problems do Network Address Translators (NATs) cause? A. NATs are not transparent to all end-to-end applications. B. NATs require changes to the link layer. C. NATs break the Internet s universal addressing model. D. NATs increase the consumption of IP addresses. 2. [6 points]: The following features of Grapevine (as described in Reading #15) make it scale well A. Decentralizing administrative functions B. Partitioning the name space into multiple, independent registries C. Exchanging complete databases nightly to resolve inconsistencies D. Allowing databases to be inconsistent temporarily Exchanging the complete database nightly will take longer and longer as the system grows, until it takes more than a night. 3. [6 points]: IP tunneling as described by Johnson in the mobile IP paper (Reading #12) is a technique A. To reduce the cost of the Big Dig by replacing physical tunnels with virtual tunnels. B. To allow stationary hosts to communicate through mobile hosts that don t speak Mobile IP C. To allow a packet to be routed using IP to a mobile host s current location, if that location is different than its home network location D. To reduce space in Mobile-IP packets

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 3 of 13 4. [6 points]: Why are queues in Click (as described in Reading #14) explicit? A. Simplifies most elements, since they don t have to worry about packet storage B. Because queues are the only elements that have only push ports C. Allows the construction of sophisticated scheduling configurations based on queues D. Reduces the number of elements in a router 5. [6 points]: Ross Anderson in Why cryptosystems fail (Reading #18) argues A. Cryptosystems are unnecessary B. Achieving security in a system is a difficult engineering problem rather than just a problem of cryptography C. Design and implementation techniques for safety-critical systems also apply to systems that need to be secure D. Cryptography needs to be improved to enable secure systems

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 4 of 13 II WebTrust.com, OutOfMoney.com part II After their disastrous experience with OutOfMoney.com, the 16-year-old kids regroup. They rethink their business plan and switch from being a service provider to a technology provider. Reading many war stories about security has convinced the kid wizards that there should be a market for a secure client authentication product for Web servers. The kids re-incorporate as WebTrust.com. The kids study up on how the Web works. They discover that HTTP 1.0 is a simple protocol with essentially two remote procedure calls: GET (URL) returns document POST (URL, form) returns document The GET procedure gets a document from a Web server. The POST procedure sends back to the server the entries that the user filled out on a form that was in a previously retrieved document. The POST procedure also gets a document. The browser invokes the POST procedure when the user hits the submit button on the form. These remote procedure calls are sent over a reliable transport protocol, TCP. A web browser opens a TCP connection, calls a procedure (GET or POST), and waits for a result from the server. The Web server waits for a TCP connection request, accepts the connection, and waits for the GET or POST call. Once the call arrives, it executes it, sends the result over the connection, and closes the connection. The browser displays the response and closes the connection on its side. (Thus, a connection is setup for each request.) Simple URLs are of the form: http://www.webtrust.com/index.html 6. [6 points]: www.webtrust.com in the above URL is (Circle best answer) A. a DNS name B. a protocol name C. a pathname for a file D. an IP address

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 5 of 13 The objective of WebTrust.com s product is to authenticate users of on-line services. The intended use is for a user to login once per session and to allow only logged-in users access to the rest of the site. The product consists of a collection of Web pages and some server software. The company employs their own product to authenticate customers of the company s Web site. To allow Internet users to create an account, WebTrust.com has a Web form in which a user types in her username and two copies of her password. When the user types in her password, the browser doesn t echoed it, but instead displays a * for each typed character. When the user hits the submit button, the user browser calls the POST procedure to send the form to the server. When the server receives an create-account request, it makes sure that the two passwords are the same and makes sure that the account doesn t exist. If these conditions are true, then it creates an entry in its local password file. If either of the conditions is false, the the server returns an error. The form to create an account is stored in the document create.html on WebTrust s Web site. Another document on the server contains: <a href="create.html">create an account</a> 7. [6 points]: What is the source of the context reference that identifies the context in which the name create.html will be resolved? (Circle best answer) A. The browser derives a default context reference from the URL of the document that contains the relative URL. B. It is configured in the Web browser when the browser is installed. C. The server derives it from information it remembers about previous documents it sent to this client. D. The user types it into the browser.

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 6 of 13 8. [6 points]: Why does the form for creating an account ask a user to type in her password twice? A. To allow a password not to be echoed on the screen while enabling users to catch typos. B. To detect transmission errors between the keyboard and the browser. C. To reduce the probability that a packet with a password has to be retransmitted if the network deletes the packet. D. To make it harder for users to create fake accounts. Full credit was awarded to students who did not circle B, but noted that detecting transmission errors was more likely to have been a side-effect than a goal of the design. 9. [6 points]: In this system, to what attacks is creating an account vulnerable? (Assume an active attacker.) A. An attacker can learn the password for a user by eavesdropping B. An attacker can modify the password C. An attacker can overwhelm server by creating many accounts D. An attacker can run a server that pretends to be www.webtrust.com Some students noted that A is a passive attack; but active attackers have more tools than passive attackers, not fewer. Some students noted that all network services are vulnerable to denial of service attacks; but account creation is also vulnerable to attacks that overwhelm the account database. Some students thought that DNS servers would thwart impersonating a server, but an active attacker can also get around or subvert DNS. To login, the user visits the web page login.html, which asks the user for her account name and password. When the user hits the submit button, the browser invokes the POST procedure, which sends the user name and password to the server. The server checks the stored password against the password in the login request. If they match, the user is allowed to access the server; otherwise, the server returns an error. 10. [6 points]: To what attacks is the login procedure vulnerable? (Assume an active attacker.) A. An attacker can login by replaying a recorded POST from a legitimate login B. An attacker can login as any user by replaying a single recorded POST for login

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 7 of 13 C. An attacker can impersonate WebTrust.com to any registered user D. An attacker can impersonate WebTrust.com to an unregistered user A is correct: Since the POST does not contain anything that assures freshness, the browser has no way of detecting and rejecting a later copy replayed by an attacker. B is not correct: The POST contains a user s name and password, so simply replaying it will log in that user; it can t log in any other user. C is correct. It s a difficult attack, but it can be accomplished. The thing that makes it hard is that the registered user knows how the real webtrust.com responds, so the attacker must behave in exactly the same way, even to the extent of rejecting wrong passwords. But it can do just that by standing in the middle, passing some or all of the user s requests to the real webtrust.com, and passing its responses back. D is correct; all the attacker needs to do is reject the login the same way that webtrust.com does.

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 8 of 13 Login procedure Username, password cookie Browser Subsequent requests Server POST/GET, cookie document Figure 1: The protocol To authenticate subsequent Web requests from a user after they have logged in, WebTrust.com exploits something called cookies in Web terminology. A server can install some state (called a cookie ) in the Web browser. The server installs this state by including in the response a set-cookie directive containing data to be stored in the cookie. WebTrust.com s use of cookies is summarized in Figure 1. The document containing the response to a login request includes the directive 1 : set-cookie (cookie) The browser stores the cookie in memory. (In practice, cookies are named, but for this quiz, you can assume that a cookie always refers to WebTrust.com s cookie.) On subsequent calls (i.e., GET or POST) to the server that installed the cookie, the browser will send the installed cookie along with the call. Thus, once WebTrust.com has set a cookie in a browser, it will see that cookie on all subsequent requests from that browser. The server requires that the browser send a cookie along with all calls, except a create or login call. If the cookie is missing (e.g., the browser has failed and lost the cookie stored in memory, or an attacker is leaving the cookie out on purpose), the server will return an error to the browser and ask the user to login (again). 1 To be precise, the HTTP reply header includes the directive, but that doesn t matter for the subsequent questions

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 9 of 13 An important issue is to determine what should go in cookie. WebTrust.com offers a number of alternatives. The first option is to compute the cookie as follows (the operator + is concatenation): cookie = expiration-time + MAC(expiration-time, key) MAC computes a message authentication code (a string of bytes); it takes as the first argument the string to be MACed and as the second argument a key. The key key is a value known to only the server, which remembers it for only 24 hours. All cookies in that period use the same key. All cookies expire at 5am EST, at which time the server changes the key too. When the server receives the cookie, it verifies it using: boolean verify (cookie c) { if (MAC (c.expiration-time, key) == c.mac) { if (c.expiration-time >= current-time ()) { return true; } } return false; } (The notation c.field refers to the corresponding field in the cookie.) The procedure verify recomputes the MAC from the plaintext expiration-time stored in the cookie. If the MAC is valid, then the server checks whether the cookie is still fresh (i.e., if the expiration time is larger than the current time). If it is, then verify returns true; the server can now execute the request. In all other cases, verify returns false and the server returns an error to the browser.

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 10 of 13 11. [6 points]: What is the role of the MAC in this protocol? A. To help detect transmission errors B. To privately communicate key from the server to the browser C. To privately communicate expiration-time from the server to the browser. D. To help detect a forged cookie. B and C are false; in this protocol nothing is sealed, so nothing could be communicated privately. 12. [6 points]: What attacks does this protocol prevent? A. Replayed cookies B. Forged expiration times C. Forged cookies D. Dictionary attacks on passwords A is false: an attacker can replay any cookie to gain illicit access, until the cookie expires. B and C are two ways of saying the same thing, since the cookie contains only the expiration time. Another supported option is to compute cookie as follows (the operator + is concatenation): cookie = expiration-time + username + MAC(expiration-time + username, key) The server uses for username the name of the user in the login request. The usage of this cookie is similar to before. The corresponding verification procedure for this cookie option is: boolean verify (cookie c) { if (MAC (c.expiration-time + c.username, key) == c.mac) { if (c.expiration-time >= current-time ()) return true; } } return false; }

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 11 of 13 13. [6 points]: If the server receives a cookie with Alice as username and the server verifies it successfully (i.e., verify returns true), what does the server know? (Assume active attacks.) A. No-one modified the cookie B. The server accepted a login from Alice recently C. The cookie was generated recently D. The browser of the user Alice sent this cookie recently Because a cookie is a really a message from the server to itself, only the server knows the MAC key; thus the server will detect an attacker s attempts to create or modify cookies. The server creates a cookie saying Alice only if someone successfully logs in with Alice s user name and password; thus B is true. The timestamp allows the server to reject a cookie if it wasn t created recently. D is not true: An attacker may have intercepted the cookie on the way from the server to Alice s browser and is now sending it back to the server. 14. [6 points]: For this question only, assume that all Alice s Web requests are sent over a single TCP connection that is sealed and authenticated, and that the setup all has been done appropriately (i.e., only the browser and server know the sealing and authentication keys). After Alice has logged in over this connection, the server has received a cookie with Alice as the username over this connection, and has verified it successfully (i.e., verify returns true), what does the server know? (Assume active attacks.) A. No-one but the server and the browser of the user Alice knows the cookie B. The server accepted a login from Alice recently C. The cookie was generated recently D. The browser of the user Alice sent this cookie recently The server can t know whether Alice s browser, or some other software running on her computer, has given away the cookie. But the server can know that Alice s browser sent the cookie, since it arrived over an authenticated connection, and the question states that only the browser and server know the authentication key. 15. [6 points]: Is there an additional security risk with storing cookies persistently (i.e., the browser stores them in a file on the local operating system) instead of in the run-time memory of the browser? (Assume the operating system is a multi-user operating system such as Linux or Windows2000, including a virtual memory system.)

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 12 of 13 A. Yes, because the file with cookies might be accessible to other users. B. Yes, because the next user to login to the client machine might have access to the file with cookies. C. Yes, because the trusted computing base is extended to include the local operating system D. Yes, because the trusted computing base is extended to include the hard disk C is not true because the trusted computing base already included the local operating system. D is not true because the trusted computing base already included the hard disk: the virtual memory of the browser probably includes the hard disk, and the binary of the operating system and the browser were almost certainly stored on the hard disk.

6.033 Spring 2001, Handout 21 - Quiz 2 Solutions Page 13 of 13 16. [2 points]: For what applications is WebTrust s product (without the sealing and authenticating TCP connection) appropriate (i.e., useable without grave risk)? A. For protecting access to bank accounts of an electronic bank B. For restricting access to electronic news articles to clients that have subscription service C. For protecting access to student data on MIT s on-line student services D. For electronic shopping, say, at amazon.com E. None of the above Any answer (except E and another choice) is acceptable; this is a matter of judgement, not a strictly technical question. You might find it interesting to know that in practice, Web sites use considerably weaker schemes than the ones you were questioned about, and use them for applications like B, C, and D. Mark Bittdiddle Ben s 16-year kid brother proposes to change the protocol slightly. Instead of computing cookie as: cookie = expiration-time + username + MAC(expiration-time + username, key) Mark suggests that the code be simplified to: cookie = expiration-time + username + MAC(expiration-time, key) He also suggests the corresponding change for the procedure verify. The protocol, as before, runs over an ordinary TCP connection (i.e., unsealed, unauthenticated). 17. [8 points]: Describe one attack that this change opens up and illustrate the attack by describing a scenario (e.g., Lucifer can now... by... ); answering, for example, a replay attack is insufficient. (Be brief; use no more than 50 words) Lucifer can create an account, log into the server, change his cookie s username to Alice (or any other user), and send the modified cookie to the server. The server will believe that he is Alice, since the MAC doesn t cover the username. You can read more about the security of cookie authentication schemes here: http://cookies.lcs.mit.edu/pubs.html End of Quiz 2

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback