SI110 Homework Alpha: ________ Name: ____________________
Page 1 of 2
Collaboration Policy: Default
choose one: □ None □ XS110 □ EI with: (or more) □ MGSP □ Discussed with: ____________________________
Homework: /SI110/Security Tools/X.509 Certificates
1. [ 5 / 3 / 0 ] In the context of secure web traffic (i.e. HTTPS), X.509 certificates certify the mapping of
_______________________ to _______________________
2. [ 10 / 7 / 4 / 0 ] Suppose a bad guy sets up a replica of https://www.navyfederal.org at
https://www.navyfederak.org, and obtains and installs a certificate for https://www.navyfederak.org from a
trusted certificate authority (CA). This way, an unwary user (who types poorly) might enter their real Navy
Federal password into his fake site, so that he can then log into the real Navy Federal site and steal all their
money! Will X.509 certificates protect you against this? Explain!
3. [ 15 / 10 / 5 / 0 ] You have an online bank account with Barclays, a British bank. You want to access your
account, so you put https://bank.barclays.co.uk/ in the browser's address bar. Match the following:
____ is responsible for verifying that public key K really belongs to bank.barclays.co.uk.
____ is responsible for making sure the encrypted messages your browser receives really come from the owner of public key K.
____ is responsible for verifying that the domain name bank.barclays.co.uk really belongs to the Barclays Bank – the big British bank.
A. the user
B. X.509 Certificates system
C. RSA public key cryptosystem
4. Go to the site https://www.navy.mil/. The certificate won't be trusted ... find out why!
a. [ 10 / 7 / 4 / 0 ] Which is the best explanation of why the browser doesn't like this certificate?
i. the signing certificate authority is not one your browser trusts
ii. the subject common name does not match the website URL
iii. the certificate is self-signed
iv. the encryption is not strong enough, i.e. key not long enough
v. the certificate has expired
b. [ 10 / 7 / 4 / 0 ] If you go ahead and accept this certificate anyway, you are more secure / less secure / just as
(in)secure [circle one] against man-in-the-middle attacks as if you went to http://www.navy.mil instead?
c. [ 10 / 7 / 4 / 0 ] If you go ahead and accept this certificate anyway, you are more secure / less secure / just as
(in)secure [circle one] against eavesdropping attacks as if you went to http://www.navy.mil instead?
5. [ 20 / 12 / 7 / 0 ] Eve pulls off a man-in-the-middle attack while Alice and Bob are communicating using
public key cryptography. Alice sent Bob the message, “meet me at 8 PM at the small boat landing.” Eve
intercepted the message and changed it to “meet me at 8 PM at the pizzeria.” Eve then forwarded the amended
message to Bob. Bob showed up at the pizzeria, waited an hour and then left, frustrated and confused. Alice
waited at the small boat landing for an hour, shivering, and then angrily left. Which pillars of IA did Eve
violate in this scenario? Explain why, for each pillar identified.
6. [ 5 / 3 / 0 ] Continuing with the above scenario, what should Alice and Bob do to prevent Eve from being
successful at her man-in-the-middle attacks?
a. Use Asymmetric Encryption to encrypt their messages
b. Use Hashing to guarantee the message has not been changed
c. Use Digital Signatures to sign their messages
d. Involve a certificate authority (trusted third party) to validate the other's public key
7. [ 15 / 10 / 5 / 0 ] HTTPS uses Symmetric Encryption, Asymmetric Encryption, and Hashing. Number the
following seven steps with the correct order to describe logically how these tools are utilized in an HTTPS
session (steps 1 – 7).
________ The web server sends its public key with its certificate.
________ The browser uses the public key, from the certificate, to encrypt a random symmetric
encryption key (session key) and sends it to the server with the encrypted URL required, as well as other
encrypted http data.
________ The web server sends back the requested html document and http data encrypted with the
symmetric key (session key).
________ A browser requests a secure page (usually https://).
________ The browser decrypts the http data and html document using the symmetric key (session key)
and displays the information.
________ The web server decrypts the symmetric encryption key using its private key and uses the
symmetric key (session key) to decrypt the URL and http data.
________ The browser checks that the server's certificate was issued by a trusted party (usually a trusted
root CA), that the certificate is still valid, and that the certificate is related to the site contacted.
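The following is an added example, not part of this SI110 worksheet or any course code: a toy Python model of the browser's certificate checks from question 4 (untrusted issuer, name mismatch, self-signed, expired, tampered) and of the HTTPS steps in question 7 (certificate, RSA-wrapped session key, symmetric encryption both ways). It also runs the look-alike scenario from question 2 through the same checks. The names `bank.example.org`, `Example Root CA` and `www.navyfederak.org`, the dates, and the RSA keys built from small Mersenne primes are all constructed for this example; the SHA-256 XOR keystream stands in for a real symmetric cipher and hash-reduced-mod-n signing stands in for real padding.

```python
"""Added toy model of the certificate checks in question 4 and the HTTPS
steps in question 7: textbook RSA on Mersenne primes (far too small for
real use), a dict standing in for an X.509 certificate, and a SHA-256
keystream standing in for the symmetric cipher. All names, dates and keys
below are constructed for this example."""
import hashlib
import secrets
from datetime import date

def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns ((n, e), (n, d))."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n  # toy padding

def sign(priv, data):
    n, d = priv
    return pow(digest_int(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)

def tbs_bytes(cert):
    """The 'to be signed' part: every certificate field except the signature."""
    return repr(sorted((k, v) for k, v in cert.items() if k != "sig")).encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv, not_before, not_after):
    """The issuer (a CA, or the subject itself if self-signed) binds name -> public key."""
    cert = {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "not_before": not_before.isoformat(), "not_after": not_after.isoformat()}
    cert["sig"] = sign(issuer_priv, tbs_bytes(cert))
    return cert

def check_certificate(cert, hostname, trust_store, today):
    """Browser-side checks: trusted issuer and intact signature, validity window,
    subject name matching the site contacted. An empty list means accepted."""
    problems = []
    if cert["issuer"] not in trust_store:
        problems.append("self-signed" if cert["issuer"] == cert["subject"] else "issuer not trusted")
    elif not verify(trust_store[cert["issuer"]], tbs_bytes(cert), cert["sig"]):
        problems.append("bad signature")
    if not cert["not_before"] <= today.isoformat() <= cert["not_after"]:
        problems.append("expired or not yet valid")
    if cert["subject"] != hostname:
        problems.append("name mismatch")
    return problems

def stream_xor(key, data):
    """Toy symmetric cipher: XOR with a SHA-256 keystream (same call encrypts and decrypts)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def https_session(hostname, server_cert, server_priv, trust_store, today, request):
    """One exchange: certificate check, session key wrapped with the server's RSA
    public key, then symmetric encryption both ways. Returns the decrypted page."""
    # The browser asked for a secure page and received the server's certificate.
    problems = check_certificate(server_cert, hostname, trust_store, today)
    if problems:
        raise ValueError("certificate rejected: " + ", ".join(problems))
    # Browser: random session key, RSA-encrypted to the certified public key,
    # sent together with the request encrypted under that session key.
    session_key = secrets.token_bytes(16)
    n, e = server_cert["pub"]
    wrapped_key = pow(int.from_bytes(session_key, "big"), e, n)
    encrypted_request = stream_xor(session_key, request)
    # Server: unwrap the session key with its private key, decrypt the request.
    n, d = server_priv
    server_key = pow(wrapped_key, d, n).to_bytes(16, "big")
    path = stream_xor(server_key, encrypted_request).split()[1]
    # Server answers under the session key; the browser decrypts what it receives.
    encrypted_page = stream_xor(server_key, b"<html>hello " + path + b"</html>")
    return stream_xor(session_key, encrypted_page)

# Constructed trust store and keys (Mersenne primes 2^k - 1 with k in 61, 89, 107, 127).
CA_PUB, CA_PRIV = rsa_keypair((1 << 89) - 1, (1 << 107) - 1)
BANK_PUB, BANK_PRIV = rsa_keypair((1 << 61) - 1, (1 << 127) - 1)
TRUST_STORE = {"Example Root CA": CA_PUB}
TODAY, VALIDITY = date(2024, 6, 1), (date(2024, 1, 1), date(2025, 1, 1))
BANK_CERT = issue_cert("bank.example.org", BANK_PUB, "Example Root CA", CA_PRIV, *VALIDITY)

def demo():
    """Question 4's failure modes, question 2's look-alike site, and a full session."""
    fake_pub, fake_priv = rsa_keypair((1 << 89) - 1, (1 << 127) - 1)
    lookalike = issue_cert("www.navyfederak.org", fake_pub, "Example Root CA", CA_PRIV, *VALIDITY)
    selfsigned = issue_cert("self.example.org", fake_pub, "self.example.org", fake_priv, *VALIDITY)
    return {
        "good": check_certificate(BANK_CERT, "bank.example.org", TRUST_STORE, TODAY),
        "wrong_name": check_certificate(BANK_CERT, "www.example.org", TRUST_STORE, TODAY),
        "expired": check_certificate(BANK_CERT, "bank.example.org", TRUST_STORE, date(2026, 1, 1)),
        "untrusted_ca": check_certificate(BANK_CERT, "bank.example.org", {}, TODAY),
        "self_signed": check_certificate(selfsigned, "self.example.org", TRUST_STORE, TODAY),
        # A properly issued certificate for the look-alike name passes every check.
        "lookalike": check_certificate(lookalike, "www.navyfederak.org", TRUST_STORE, TODAY),
        "page": https_session("bank.example.org", BANK_CERT, BANK_PRIV, TRUST_STORE, TODAY, b"GET /index.html"),
    }

if __name__ == "__main__":
    print(demo())
```

`demo()` returns the list of problems for each certificate and the decrypted page for the successful session. The two empty lists, `good` and `lookalike`, are the point of the check logic: the certificate system only proves that the public key belongs to the name in the address bar, which is why step 7's "related to the site contacted" check is a string comparison against the hostname and nothing more.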