Exam Advanced Network Security

Similar documents
Managing and Securing Computer Networks. Guy Leduc. Chapter 7: Securing LANs. Chapter goals: security in practice: Security in the data link layer

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Nullcon, 2 March 2018

L13. Reviews. Rocky K. C. Chang, April 10, 2015

06/02/ Local & Metropolitan Area Networks. 0. Overview. Terminology ACOE322. Lecture 8 Network Security

Sirindhorn International Institute of Technology Thammasat University

05 - WLAN Encryption and Data Integrity Protocols

KRACKing WPA2 by Forcing Nonce Reuse. Mathy Chaos Communication Congress (CCC), 27 December 2017

Security and Anonymity

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy CCS 2017, 1 October 2017

Physical and Link Layer Attacks

Frequently Asked Questions WPA2 Vulnerability (KRACK)

Defeating IMSI Catchers. Fabian van den Broek et al. CCS 2015

Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2. Mathy Vanhoef, PhD Wi-Fi Alliance meeting Bucharest, 24 October 2017

Symmetric Encryption

Summary on Crypto Primitives and Protocols

DO NOT OPEN UNTIL INSTRUCTED

CS-435 spring semester Network Technology & Programming Laboratory. Stefanos Papadakis & Manolis Spanakis

(2½ hours) Total Marks: 75

Cryptography Functions

Improved KRACK Attacks Against WPA2 Implementations. Mathy OPCDE, Dubai, 7 April 2018

CS 161 Computer Security

Overview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.

KRACKing WPA2 in Practice Using Key Reinstallation Attacks. Mathy BlueHat IL, 24 January 2018

Questioning the Feasibility of UMTS GSM Interworking Attacks

Network Encryption 3 4/20/17

Cryptographic Concepts

Wireless Security. Comp Sci 3600 Security. Attacks WEP WPA/WPA2. Authentication Encryption Vulnerabilities

EECS 3214 Final Exam Winter 2017 April 19, 2017 Instructor: S. Datta. 3. You have 180 minutes to complete the exam. Use your time judiciously.

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

1.264 Lecture 28. Cryptography: Asymmetric keys

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Network Security and Cryptography. December Sample Exam Marking Scheme

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

ECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CYBER ATTACKS EXPLAINED: WIRELESS ATTACKS

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 24

EEC-484/584 Computer Networks

WiFuzz: Detecting and Exploiting Logical Flaws in the Wi-Fi Cryptographic Handshake

CS 361S - Network Security and Privacy Spring Homework #3

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Crypto meets Web Security: Certificates and SSL/TLS

AN INTEGRATED BLOCK AND STREAM CIPHER APPROACH FOR KEY ENHANCEMENT

Security Analysis of Bluetooth v2.1 + EDR Pairing Authentication Protocol. John Jersin Jonathan Wheeler. CS259 Stanford University.

CS 161 Computer Security

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

CS 155 Final Exam. CS 155: Spring 2009 June 2009

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

CS Computer Networks 1: Authentication

A Chosen-key Distinguishing Attack on Phelix

Analysis of Security or Wired Equivalent Privacy Isn t. Nikita Borisov, Ian Goldberg, and David Wagner

Network Security Essentials Chapter 2

CIS 4360 Secure Computer Systems Applied Cryptography

NETWORK SECURITY. Ch. 3: Network Attacks

CRYPTOGRAPHIC ENGINEERING ASSIGNMENT II Theoretical: Design Weaknesses in MIFARE Classic

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

HW/Lab 4: IPSec and Wireless Security. CS 336/536: Computer Network Security DUE 11 am on 12/01/2014 (Monday)

Real-time protocol. Chapter 16: Real-Time Communication Security

CPSC 467b: Cryptography and Computer Security

Chapter 3 Block Ciphers and the Data Encryption Standard

interface Question 1. a) Applications nslookup/dig Web Application DNS SMTP HTTP layer SIP Transport layer OSPF ICMP IP Network layer

CPSC 467b: Cryptography and Computer Security

Key Establishment and Authentication Protocols EECE 412

Cryptanalysis. Ed Crowley

CS 161 Computer Security

CS Protocol Design. Prof. Clarkson Spring 2017

Network Security and Cryptography. 2 September Marking Scheme

Cryptography 2017 Lecture 3

Cryptography ThreeB. Ed Crowley. Fall 08

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

CSE 127: Computer Security Cryptography. Kirill Levchenko

Introduction to Cryptography in Blockchain Technology. December 23, 2018

PYTHIA SERVICE BY VIRGIL SECURITY WHITE PAPER

Principles of Information Security, Fourth Edition. Chapter 8 Cryptography

CSCE 813 Internet Security Symmetric Cryptography

Block Cipher Operation

Cryptography and Network Security Block Ciphers + DES. Lectured by Nguyễn Đức Thái

1 Achieving IND-CPA security

3 Symmetric Key Cryptography 3.1 Block Ciphers Symmetric key strength analysis Electronic Code Book Mode (ECB) Cipher Block Chaining Mode (CBC) Some

Total points: 71. Total time: 75 minutes. 9 problems over 7 pages. No book, notes, or calculator

Overview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation

KALASALINGAM UNIVERSITY

Computer and Data Security. Lecture 3 Block cipher and DES

SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security

CPSC 467b: Cryptography and Computer Security

Security: Cryptography

CS 494/594 Computer and Network Security

EEC-682/782 Computer Networks I

Student ID: CS457: Computer Networking Date: 5/8/2007 Name:

Elements of Security

Solutions to exam in Cryptography December 17, 2013

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

CIS 4360 Secure Computer Systems Symmetric Cryptography

CPSC 467b: Cryptography and Computer Security

The Security Problem

ON THE IMPACT OF GSM ENCRYPTION AND MAN-IN-THE-MIDDLE ATTACKS ON THE SECURITY OF INTEROPERATING GSM/UMTS NETWORKS

Transcription:

Exam Advanced Network Security Jaap-Henk Hoepman, Joeri de Ruiter July 2, 2018 NOTE: READ THIS CAREFULLY: This exam consists of two alternatives. The first alternative is the regular exam for students that followed the course this academic year (with lectures by Joeri de Ruiter and Jaap-Henk Hoepman). The second alternative is only intended as the final resit exam for those students that followed the course the previous academic years (with lectures only by Jaap-Henk Hoepman). Select the alternative that applies to you and only answer the questions in that alternative. Please answer your questions using the space provided on the exam sheet. Write legibly, and use proper sentences; an unreadable answer is a wrong answer... Answer questions concisely, but with sufficient detail and precision. Always explain your answers. Please leave space in the margin for correction marks. Use a separate piece of scratch paper for draft answers, private computations or remarks. Write your name and student number on every page. You are not allowed to use books, notes, tablets, PCs and (smart)phones during the exam. The total number of points that can be scored is 60, as specified alongside the questions. The final grade equals 1 + 9 points 60, rounded to the nearest half grade (except for grades between 5 and 6 which are rounded to nearest full grade). Good luck! 1

ALTERNATIVE 1: Exam for the current academic year (2017-2018) Answer the questions in this version of the exam if you followed the course this academic year (with lectures by Joeri de Ruiter and Jaap-Henk Hoepman). Question 1 (9 points): BGP a. (3 points) Two security extension for BGP that are currently standardised in RFCs are origin authentication (using ROAs) and path validation (using BGPsec). What attacks does path validation protect against, which origin authentication does not? b. (3 points) As we see over and over again, adoption of new protocols on the Internet typically goes very slow and this will probably also be the case for BGPsec. Can we already benefit from BGPsec if it is only partly deployed (i.e. some autonomous systems support it and some not)? Explain why. c. (3 points) In order to get around many of the legacy issues, SCION introduces a new architecture for the Internet. For the discovery of routes, they use a similar approach as BGPsec, as every AS along the path signs the PCB (Path-segment Construction Beacon) so it can be checked for authenticity. Unlike BGPsec, every AS also adds a so-called hop field. Explain how this field is used in the data plane. a. Announcing fake paths, i.e. pretending to be able to route traffic to a victim AS, in order to intercept the traffic. b. Yes, paths can already be verified if all autonomous systems on this path support BGPsec. This can then be used in the policy to determine routes. If there is only one AS on a path that does not support BGPsec, the path cannot be verified. c. The HF contains information for a specific AS with authenticated instructions how a packet should be routed. A sender defines how a packet should travel by including the corresponding HFs in the header of the packet. Every AS will then authenticate its dedicated HF, and use this to route the packet to the next AS. Question 2 (9 points): GSM a. (3 points) On GSM networks it is possible to perform an active man-in-the-middle attack. Why is this not possible (or less trivial) on later generations of the standard such as UMTS and LTE? b. (3 points) A telecom provider is considering updating its cell towers to only support the more secure A5/3 cipher. Assuming we cannot break A5/3, would this measure protect against active man-in-the-middle attacks? Explain why. c. (3 points) Currently it is quite easy to perform IMSI-catching attacks, as a phone will always reveal its IMSI when asked for it. This can, for example, be used to trace users. To counter this, a provider suggests the following solution: a phone will encrypt its IMSI before sending it with the public key of the home network. Will this solution protect against all traceability attacks (both for GSM and 3G)? Explain your answer. a. GSM does not provide mutual authentication, so a mobile phone does not know whether it is connected to the genuine network. UMTS and LTE do provide mutual authentication making it harder to set up a rogue base station. 2

b. No, if the mobile phones still support GSM and A5/2, a MitM can crack the key in real-time and use this for authentication against the real network, after tricking the victim to connect to its fake base station. This is possible because the same key is used for all ciphers. c. No, for example, the phone still needs to provide the identity of its home network so the network knows where to retrieve the necessary information. If a phone is the only one in a network that is from a specific provider it is trivial to trace it. Another example is when you don t randomise the encryption and always send the same ciphertext, which can then be used to trace the user. Yet another example is the linkability attack by Arapinis et al. in 3G. This attack does however not work in GSM, as there is nothing for the phone to verify which could lead to different error messages. Question 3 (9 points): WiFi a. (3 points) A restaurant offers WiFi and decides to protect the traffic using WPA2-Personal (using CCMP). The password for this is printed on the menu so all customers can make use of the free WiFi. Are the customers protected against passive eavesdropping attacks? Explain why. b. (3 points) With KRACK (Key Reinstallation Attacks) we have seen that nonce reuse can lead to serious security problems. Explain how nonce reuse could lead to the recovery of encrypted data. c. (3 points) If you could make a change to the cryptography that is used in WiFi, what change would prevent this attack (i.e. the one in.b)? a. No, if a passive attacker can observe the 4-way handshake between a victim and the access point, it can observe the nonces that are exchanged. Since the password is public, the attacker has enough information to compute the PTK. The PTK can then be used to decrypt all the information exchanged between the victim and the access point. b. The nonce is used to generate the keystream, by reusing the nonce the same keystream is used to encrypt two (different) packets. Assume one of those packets contains known plaintext and the other packet the data we want to learn. Compute the xor of the encrypted packet containing the known plaintext with the known plaintext. This will result in the keystream. Now the unknown data can be retrieved by computing the xor of the keystream and the encrypted data packet. c. For example: use a block cipher instead of a stream cipher. This way the xor of the known plaintext and the encrypted plaintext will not result in the original keystream. Question 4 (3 points): Consider the following scenario. A new botnet scans for vulnerable hosts. Potential vulnerable hosts are reported and another bot will try to exploit these. If a host can be successfully exploited, the bot software is uploaded, installed and configured and finally the bot connects back to a C&C server to wait for commands. What patterns (low/medium/high) do you expect to see in the netflow data for the different phases with regard to number of flows and packets per flow? Explain why. Port scan: high number of flows with low PPF (all hosts are scanned, but checking for an open port requires little traffic per flow) Executing the exploit: medium number of flows with medium PPF (only machines with the correct port are connected to and exploit requires some more traffic to be executed) Installation of the bot software: low number of flows with high PPF (only connection to vulnerable machines and executable causes higher amount of traffic) 3

Connection to the C&C server: low number of flows with medium PPF (only infected machines are connected to and traffic is medium as bots are waiting for commands) Question 5 (15 points): On distributed algorithms a) (5 points) Will the following program (eventually) terminate, or is it possible that it runs forever? Assume that reading or writing a single variable is atomic. a = 1 b = 1 thread while a 0 do b (b + a) mod 2 thread while b 0 do a a + 1 a 0 b) (3 points) What are the three properties a mutual exclusion protocol must satisfy? c) (7 points) Consider two processors 0 and 1 that can both read and write one global atomic variable p, initially 0. Why is the following protocol (code for processor i) not a mutual exclusion protocol? while true do while p i do /* wait */ /* critical section */ p 1 p a) Suppose b = 1. Let the second thread take a single step (changing a from odd to even or vice versa). If a has become odd, let the first thread take two steps. Then after those two steps b again is equal to 1. If a has become even, let the first thread take one step. After that single step b still equals 1. This can be repeated forever (assuming a is unbounded). Alternative answer: Let second thread do one step; now a is even. The continue with the following steps forever: let the first thread do one step (because a is even, b remains 1), and then let the second thread do two steps so a becomes even again. P.S.: Note that the assignment a 0 is not part of the loop body! b) A mutual exclusion protocol needs to satisfy the following three properties: Mutual exclusion: there is at most one processor in the critical section, Progress: if there is at least one processor enters, and the critical section is empty, then one of these processors will eventually get access to the critical section, and No starvation: if a processor enters, and if all processors that get access to the critical section release it, then it will eventually get access c) This protocol does not satisfy progress: because p = 0 initially, if only processor 1 ever wants to enter, it is blocked forever (while it should be able to get the critical section if no other processor is contending, because of the no-starvation condition). 4

Question 6 (15 points): This question considers self-stabilisation. a. (2 points) What is the difference between a central daemon and a distributed daemon? b. (3 points) Which of these two daemons is the hardest model to design a selfstabilising system for? Explain your answer. c. (10 points) Dijkstra s selfstabilising mutual exclusion protocol (as explained in class) runs on nodes numbered 0 to N. The state of each node is given as a value in {0,..., K 1}. The system stabilises under the central daemon when K N. What goes wrong when K < N? a. Under the central daemon exactly one node takes a step at a time. Under the distributed daemon at least one node, put possibly more nodes, take a step simultaneously. b. The distributed daemon is the hardest model to design a selfstabilising system for. For one, the central daemon is a special case of the distributed daemon (so every protocol that self stabilises under the distributed daemon also self-stabilises under the central daemon). Intuitively, the distributed daemon is harder because if a node takes a step, considering all other states it has access to, to move closer to the desired, legitimate, states, then another node may update its state simultaneously. As both nodes are unaware of their moves, they may move in opposite directions. c. Take the case where N = 3 and K = 2. The possible states are 0 and 1. Let the initial state be 0101 (i.e. node 0 has value 0, node 1 has value 1, node 2 has value 0 and node 3 has value 1. Consider the following sequence of steps: Node 3 takes a step. New state 0100. Node 2 takes a step. New state 0110. Node 1 takes a step. New state 0010. Node 0 takes a step. New state 1010. Node 3 takes a step. New state 1011. Node 2 takes a step. New state 1001. Node 1 takes a step. New state 1101. Node 0 takes a step. New state 0101. We reached the state we started in. This state is not legitimate (all nodes are enabled), so the system does not converge. END OF EXAM ALTERNATIVE 1 5

ALTERNATIVE 2: (Resit) Exam for the previous academic years Answer the questions in this version of the exam if you followed the course the previous academic years (with lectures only by Jaap-Henk Hoepman). Question 1 (15 points): a) (5 points) Will the following program (eventually) terminate, or is it possible that it runs forever? Assume that reading or writing a single variable is atomic. a = 1 b = 1 thread while a 0 do b (b + a) mod 2 thread while b 0 do a a + 1 a 0 b) (3 points) What are the three properties a mutual exclusion protocol must satisfy? c) (7 points) Consider two processors 0 and 1 that can both read and write one global atomic variable p, initially 0. Why is the following protocol (code for processor i) not a mutual exclusion protocol? while true do while p i do /* wait */ /* critical section */ p 1 p a) Suppose b = 1. Let the second thread take a single step (changing a from odd to even or vice versa). If a has become odd, let the first thread take two steps. Then after those two steps b again is equal to 1. If a has become even, let the first thread take one step. After that single step b still equals 1. This can be repeated forever (assuming a is unbounded). Alternative answer: Let second thread do one step; now a is even. The continue with the following steps forever: let the first thread do one step (because a is even, b remains 1), and then let the second thread do two steps so a becomes even again. P.S.: Note that the assignment a 0 is not part of the loop body! b) A mutual exclusion protocol needs to satisfy the following three properties: Mutual exclusion: there is at most one processor in the critical section, Progress: if there is at least one processor enters, and the critical section is empty, then one of these processors will eventually get access to the critical section, and No starvation: if a processor enters, and if all processors that get access to the critical section release it, then it will eventually get access c) This protocol does not satisfy progress: because p = 0 initially, if only processor 1 ever wants to enter, it is blocked forever (while it should be able to get the critical section if no other processor is contending, because of the no-starvation condition). 6

Question 2 (15 points): This question considers self-stabilisation. a. (2 points) What is the difference between a central daemon and a distributed daemon? b. (3 points) Which of these two daemons is the hardest model to design a selfstabilising system for? Explain your answer. c. (10 points) Dijkstra s selfstabilising mutual exclusion protocol (as explained in class) runs on nodes numbered 0 to N. The state of each node is given as a value in {0,..., K 1}. The system stabilises under the central daemon when K N. What goes wrong when K < N? a. Under the central daemon exactly one node takes a step at a time. Under the distributed daemon at least one node, put possibly more nodes, take a step simultaneously. b. The distributed daemon is the hardest model to design a selfstabilising system for. For one, the central daemon is a special case of the distributed daemon (so every protocol that self stabilises under the distributed daemon also self-stabilises under the central daemon). Intuitively, the distributed daemon is harder because if a node takes a step, considering all other states it has access to, to move closer to the desired, legitimate, states, then another node may update its state simultaneously. As both nodes are unaware of their moves, they may move in opposite directions. c. Take the case where N = 3 and K = 2. The possible states are 0 and 1. Let the initial state be 0101 (i.e. node 0 has value 0, node 1 has value 1, node 2 has value 0 and node 3 has value 1. Consider the following sequence of steps: Node 3 takes a step. New state 0100. Node 2 takes a step. New state 0110. Node 1 takes a step. New state 0010. Node 0 takes a step. New state 1010. Node 3 takes a step. New state 1011. Node 2 takes a step. New state 1001. Node 1 takes a step. New state 1101. Node 0 takes a step. New state 0101. We reached the state we started in. This state is not legitimate (all nodes are enabled), so the system does not converge. Question 3 (15 points): This question considers bitcoin/blockchains. a. (4 points) Explain how mining a block in the bitcoin blockchain works. b. (4 points) Why would miners resist a change in the mining function, e.g. when moving from proof-of-work to proof-of-stake? c. (7 points) Explain how transactions in the bitcoin network can be de-anonymised. a. In the bitcoin blockchain, mining a block requires one to find a nonce n such that the hash h of the current block contents b (represented by the hash of a the Merkle tree containing all transactions in the block) together with the nonce is less than a target value t, i.e. h(b; n) < t. 7

b. Miners would resist a fundamental change in the mining function as it would render all their investments in specialised hardware useless. c. The bitcoin blockchain is public. From this a transaction graph (linking all transactions by looking at which inputs consume which outputs) can be constructed. From this transaction graph an address graph can be constructed linking bitcoin addresses. These addresses are anonymous and typically transactions use fresh output addresses. Yet using heuristics (like the assumptions that all inputs to a transaction belong to the same user, and that the second output of a transaction is a change address and hence belongs to the same user as the input addresses) addresses can be grouped to belong to the same entity/user. Once one address in this set is linked to user identity (e.g. when exchanged for goods or other currencies), anonymity of all addresses in the set is destroyed. Question 4 (15 points): This question is related to mix networking. In this context, answer the following three subquestions. a. (3 points) What are anonymous return addresses? b. (3 points) Why are they necessary? c. (9 points) How do they work? a. An anonymous return address is a datastructure attached to a message that specifies a route for responding to that message, together with intermediate keys necessary to encrypt and thus secure the reply. b. Anonymous return addresses are necessary to allow a recipient of a message to reply to it without learning who the recipient of the reply (i.e. the sender of the original message) is. c. Concretely, an anonymous return address is the triple ({S 1 ; M 2 ; { {S k ; A} k } 2 } 1, M 1, K A ) where K A is a fresh public key generated by the recipient A, where M 1,..., M k are the names of the intermediate mixes, where M i can decrypt {x} i, and where S 1,..., S k are fresh symmetric keys generated by A. To use it, the sender of the reply encrypts the reply using K A and sends it to mix M 1, together with the first part of the anonymous reply block. Each mix i in the path, when receiving an encrypted reply m and part of the anonymous reply block {S i ; M i+1 ; { {S k ; A} k } i decrypts the reply block using its private key k i to obtain S i and M i+1 and then encrypts m with S i and passes it on to M i+1 together with the remainder of the reply block (i.e. {S i+1 ; M i+2 ; { {S k ; A} k } i+1 ). END OF EXAM ALTERNATIVE 2 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback