Examination cover sheet (to be completed by the examiner)

Student name:
Student number:
Course name: Computer Networks and Security
Course code: 2IC60
Date: 28.06.2016
Start time: 13:30
End time: 16:30
Number of pages: 5
Number of questions: 7
Maximum number of points/distribution of points over questions: 11 points / see the exam for the distribution.
Method of determining final grade: Exam score = min(10, sum of the points gained from individual questions)
Answering style (formulation, order, foundation of arguments, multiple choice): Open questions + Fill in the blanks + True/False

Instructions for students and invigilators

Permitted examination aids (to be supplied by students):
□ None. Students need only pen and paper.

PLEASE DO NOT PROVIDE ANY ANSWERS ON THE QUESTION SHEETS (THOSE WILL NOT BE COLLECTED). ALL ANSWERS MUST BE PROVIDED IN OFFICIAL TU/e EXAM ANSWER SHEETS THAT WE PROVIDE.

Important:
• examinees are only permitted to visit the toilets under supervision
• it is not permitted to leave the examination room within 15 minutes of the start and within the final 15 minutes of the examination, unless stated otherwise
• examination scripts (fully completed examination paper, stating name, student number, etc.) must always be handed in
• the house rules must be observed during the examination
• the instructions of examiners and invigilators must be followed
• no pencil cases are permitted on desks
• examinees are not permitted to share examination aids or lend them to each other

During written examinations, the following actions will in any case be deemed to constitute fraud or attempted fraud:
• using another person's proof of identity/campus card (student identity card)
• having a mobile telephone or any other type of media-carrying device on your desk or in your clothes
• using, or attempting to use, unauthorized resources and aids, such as the internet, a mobile telephone, etc.
• using a clicker that does not belong to you
• having any paper at hand other than that provided by TU/e, unless stated otherwise
• visiting the toilet (or going outside) without permission or supervision

Associated with the Central Examination Regulations

Name :
ID number:

Exam Computer Networks and Security (2IC61)
June 28th, 2016
Closed book; no additional materials/equipment may be used during the exam.

1. (1.0 pt) Packet switching versus circuit switching
Consider an application that transmits data at a steady rate (for example, the sender generates N bits of data every k time units, where k is small and fixed). Also, when such an application starts, it will continue running for a relatively long period of time. Would a packet-switched or a circuit-switched network be more appropriate for this application? Motivate your answer.

2. (1.5 pt) Domain Name System (DNS)
DNS root servers must deal with frequent "bad" requests for name translation of domain names that do not exist, such as www.tue.nll or www.tuee.nl, which brings extra load to the root name servers. Would caching the negative responses of root name servers for such requests at local name servers solve this problem by sufficiently lowering the load on the root name server? What is the cost of such a solution? Explain your reasoning to justify your answer.

3. (2.1 pt) IP and MAC
a) (0.8p) What is the main advantage of using IP addresses in routing instead of MAC addresses (assume that MAC addresses are indeed uniquely assigned)? Motivate your answer.
b) (0.7p) In addition to an increase in routing latency and routers' resource usage, give at least one more reason why routers do not reassemble fragmented IPv4 packets. Motivate your answer.
c) (0.6p) Consider the network shown in the figure below (figure not reproduced). R1 and R2 are layer-3 routers. S1 and S2 are layer-2 switches. AP1 and AP2 are wireless access points, whose ranges are shown as well as the hosts connected to them.
The network interface cards (NICs) have been numbered from 1 to 24. The i-th NIC is called NICi. IPi denotes the IP address of NICi (where applicable) and MACi denotes the link layer address of NICi (where applicable).

Page 1 of 5

Hosts A (NIC1) and B (NIC14) have data packets to send to each other. Consider the journey of an IP packet travelling from host A to host B and fill in the blanks. Give your answers in the answer sheet (not here).
The destination address of the link layer frame when it is leaving R2 is __________.
The source address of the link layer frame when it is leaving R2 is __________.
The source address of the network layer datagram when it is leaving R2 is __________.
The destination address of the network layer datagram when it is leaving R2 is __________.

4. (1.2 pt) Security protocols and keys
Assume Bob is registered at a trusted server S and they share a secret key KBS. Any party A can use the following security protocol for key exchange to obtain a session key with registered user B:
A → S : A, {| B, K |}pkS
S → B : { A, B, K }KBS
B → A : { A, B }K
where K is a key freshly generated by A, pkS is the public key of S, {| X |}pkY denotes asymmetric encryption of message X with public key pkY and { X }K denotes symmetric encryption of message X with shared secret key K.
a) (0.3p) Before running the protocol Alice needs to ensure she has the right public key pkS. What methods (give at least two different methods) could be used to establish trust in a public key?
Assuming that server S is trusted, Alice has the correct public key of S and using the Dolev-Yao attacker model, does the protocol achieve (motivate your answers):
b) (0.3p) authentication of Alice to Bob,
c) (0.3p) authentication of Bob to Alice,
d) (0.3p) secrecy of K?

5. (1.4 pt) Block modes and signatures
a) (0.4p) Block modes allow encrypting large messages. Consider the following encryption schema: plain text block P1 is XORed with the (public) initialization vector IV and the result is encrypted to give cipher text block C1. Each cipher text block Ci is then XORed with the next plain text block Pi+1 before encryption into the next cipher text block Ci+1. Draw the corresponding decryption schema, which shows how to retrieve the plain text from the IV and a sequence of cipher text blocks.

Hash functions are used in the creation of digital signatures.
b) (0.3p) Describe how you can create a digital signature on a message.
c) (0.2p) What will someone else need to check your digital signature and how does this work?
d) (0.3p) What property of a hash function is needed for the digital signature scheme to work correctly? Describe what could go wrong if this property does not hold.
e) (0.2p) Do you need to use block modes for signing a large message? (Shortly motivate your answer.)

6. (1.8 pt) True/False Questions - Please write down True or False in the answer sheet.
Grading: Let c, w and u denote the numbers of correct answers, wrong answers and unanswered questions, respectively, for this exercise (i.e. c+w+u=9).
Rule 1: If w ≥ c then you gain no points from this exercise.
Rule 2: If c > w, then you gain (0.2×c) - (0.1×w) points.
Example: For c=6, w=2 and u=1, you gain (0.2×6) - (0.1×2) = 1.0 point.
a) When a malicious party Trudy manages to see the content of a message sent by Alice to Bob, this does not necessarily mean that the message integrity has been lost.
True / False
b) In asymmetric cryptography Alice can use her private key to encrypt a message such that only Bob can decrypt it.
True / False
c) A higher entropy of a secret indicates that more information (and effort) is needed to be able to predict the secret.
True / False
d) UDP provides process-to-process in-order delivery of packets.
True / False
e) During network congestion, average queuing delay at routers is much higher than the average processing delay at routers.
True / False
f) In the TCP protocol, receiving 3 duplicate ACKs for a given packet at the sender side is an indicator of congestion in the network.
True / False
g) If the data link transport is reliable along the network path, reliable transport services are not needed from the transport layer.
True / False
h) The Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) scheme creates a collision-free access medium.
True / False
i) Having an unlimited amount of storage (for buffering packets) in routers does not eliminate the congestion problem.
True / False

7. (2.0 pt) Lab Question
Part 1: Exploring TCP
a) The TCP transfer of a file from your computer to a remote server is shown above (packet capture not reproduced). Consider the TCP segment containing the HTTP POST as the first segment in the TCP connection. Fill in the table below:

                                                  Sequence Number    Length of TCP segment
1st segment (TCP segment containing HTTP POST)    1                  565
2nd segment                                       566                ______ (0.2p)
3rd segment                                       ______ (0.2p)      ______ (0.2p)
4th segment                                       ______ (0.2p)      ______ (0.2p)

Part 2: SQL Injection
Below is a snippet from the PHP code that executes the query in a login page for a given username and password. (Note that in PHP the period (.) denotes string concatenation and only double quotes (") are part of the PHP code; single quotes (') are part of the SQL query.)

(...)
//Get username and password
$userName = getFieldValue("userName");
//Hash the password to avoid keeping plaintext passwords in the database
$password_hash = (string)(hash("sha256", (getFieldValue("password"))));
//Prepare query (the user-supplied name is concatenated straight into the SQL text)
$myquery = "SELECT * FROM USERS WHERE (PASSWORD_HASH = '" . $password_hash . "' " .
           "AND NAME = '" . $userName . "')";
//Execute the query
$result = mysql_query($myquery);
(...)

You can fill in the user name and password fields in the login page. Given these,
b) (0.4p) Propose a user name that allows you to log in as "Bob".
c) (0.3p) Propose a user name that deletes the "USERS" table.
d) (0.3p) If possible, propose a password that does the same. If not possible, explain why.

Relevant SQL syntax:
Deleting a table: DROP TABLE tablename
(Conditional) Selecting from a table: SELECT * FROM table WHERE condition
Example: SELECT * FROM USERS WHERE (FIRSTNAME = 'Bob' AND LASTNAME='Smith') OR (FIRSTNAME = 'Alice' AND LASTNAME LIKE 'Smith-%') (this selects anyone called Bob Smith or Alice Smith-...)
The SQL command separator is ; and -- starts a comment.
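As an added illustration for question 5a (not part of the exam paper), the chaining it describes, implemented in Python together with its inverse; the 4-round Feistel construction is an assumption of this example standing in for a real block cipher and is not secure. The last function shows a property the exam's scheme has regardless of the cipher used: a tampered ciphertext decrypts without any error.

```python
import hashlib

BLOCK = 16  # block size in bytes of the toy cipher below

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key, rnd, half):
    # Keyed round function: SHA-256 truncated to half a block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_encrypt(key, block):
    # Toy 4-round Feistel cipher standing in for a real block cipher (not secure).
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, rnd, r))
    return l + r

def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, plaintext):
    # P1 is XORed with the IV, each later Pi+1 with the previous cipher text block Ci.
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ciphertext):
    # Inverse: decrypt Ci, then XOR with the IV (i = 1) or with Ci-1 (i > 1).
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c
    return b"".join(out)

def tamper_demo():
    # Constructed key/IV/plaintext. Flipping one bit of C1 garbles P1 and flips the
    # same bit in P2, and decryption raises no error: encryption alone is no integrity check.
    key, iv = b"constructed-key!", bytes(range(BLOCK))
    pt = b"block one......." + b"block two......."
    ct = bytearray(cbc_encrypt(key, iv, pt))
    ct[0] ^= 0x01
    dec = cbc_decrypt(key, iv, bytes(ct))
    return dec[:BLOCK] != pt[:BLOCK], _xor(dec[BLOCK:], pt[BLOCK:]) == b"\x01" + bytes(15)
```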
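As an added, defender-oriented illustration for part 2 of question 7 (not part of the exam paper), a Python/sqlite3 re-creation of the login query beside a parameterised version; the USERS table, the names and the passwords are constructed for the example. It is not the exploit the question asks for: a legitimate name containing an apostrophe is already enough to show that the concatenated query's structure depends on user input, while the parameterised form treats the same input as plain data.

```python
import hashlib
import sqlite3

def sha256_hex(password):
    # Same hashing as the PHP hash("sha256", ...) call in the snippet.
    return hashlib.sha256(password.encode()).hexdigest()

def make_db():
    # Constructed in-memory USERS table standing in for the exam's MySQL table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (NAME TEXT, PASSWORD_HASH TEXT)")
    for name, pw in (("Bob", "bob-secret"), ("O'Brien", "ob-secret")):
        conn.execute("INSERT INTO USERS VALUES (?, ?)", (name, sha256_hex(pw)))
    return conn

def unsafe_query(user_name, password):
    # Mirrors the exam snippet: user input is concatenated straight into the SQL text.
    return ("SELECT * FROM USERS WHERE (PASSWORD_HASH = '" + sha256_hex(password)
            + "' AND NAME = '" + user_name + "')")

def login_unsafe(conn, user_name, password):
    return conn.execute(unsafe_query(user_name, password)).fetchone()

def login_safe(conn, user_name, password):
    # Hardened form: a parameterised query. Values travel separately from the SQL
    # text, so quotes, ; or -- inside the input can never change the query structure.
    return conn.execute(
        "SELECT * FROM USERS WHERE (PASSWORD_HASH = ? AND NAME = ?)",
        (sha256_hex(password), user_name)).fetchone()

def quote_in_name_breaks_unsafe_query(conn):
    # A legitimate name with an apostrophe already shows that the concatenated
    # query's structure depends on what the user typed: the database rejects it.
    try:
        login_unsafe(conn, "O'Brien", "ob-secret")
        return False
    except sqlite3.OperationalError:
        return True
```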