HW11

advertisement
Computer Networking
Discussion 11
1. What is the difference between a passive intruder and an active intruder?
A passive intruder only monitors (“sniffs”, intercepts) messages. An active intruder can also monitor
traffic, but will also actively send messages into the network
2. What are the differences between a symmetric key system and a public key system?
One important difference between symmetric and public key systems is that in symmetric key systems
both the sender and receiver must know the same (secret) key. In public key systems, the encryption
and decryption keys are distinct. The encryption key is known by the entire world (including the
sender), but the decryption key is known only by the receiver.
3. In authentication using secret key, consider the case where the transmitter is the intruder.

What happens if the transmitter initiates the challenge?
If the transmitter (intruder) initiates the challenge, it will send an ordered list of numbers. The
receiver responds to the intruder with an encrypted version of the listed numbers. The intruder
receives the responses and stores them in a table of challenges. Once the table of challenges grows to a
certain size, the intruder may be able to authenticate itself if the receiver sends a challenge value that
is found in the intruder’s table of challenges.

How secure is the system if the receiver changes the challenge value once every minute?
The system is not very secure if the receiver changes the challenge value once every minute. This is
because the intruder can use the same value to initiate a challenge within a minute and get the
encrypted response from the receiver. Once the intruder receives the response, it can send the
corresponding encrypted version of the receiver’s challenge to authenticate itself. This time (one
minute) is long enough for all this to happen.

How secure is the system if the receiver selects the challenge value from a set of 128 choices?
The system is not secure if the receiver selects the challenge value from a set of 128 choices. This is
because the intruder can easily send the same set of 128 values and store them and their encrypted
versions that it receives from the receiver in its table of challenges. Whenever the receiver starts a
challenge with the intruder, it can look up the corresponding encrypted version of the value in its table
of challenge for authentication.
4. Consider a system where a user is authenticated based on an ID and password that are supplied by the
transmitter in plaintext. Does it make any difference if the password and ID are encrypted? If yes, explain
why? If no, how would you improve the system?
If the system authenticates users based on IDs and passwords that are transmitted in plaintext, the
system is very insecure. An eavesdropper can listen and record the authentication information over
the network. This information can be replayed by the intruder when attempting to access the system.
If the password and ID are encrypted, the system no more secure than in the plaintext case. The
intruder can still record the encrypted ID and the corresponding encrypted password. By replaying
these, the intruder can gain access to the system. To be secure the encrypted password should be used
only once so that it is not susceptible to the playback attack. The method were the user identifies itself
followed by a nonce challenge from the server uses this approach.
5. Compare the following two approaches to operation of a packet-filtering router: discard everything that is not
expressly permitted versus forward everything that is not expressly prohibited.
a) Which policy is more conservative?
Discard everything that is not expressly permitted is more conservative.
b) Which policy is more visible to the users?
Discard everything that is not expressly permitted is more visible to the users because only a small set
of packets are forwarded. The users can easily identify the policy definition in this type of router.
c) Which policy is easier to implement?
Forward everything that is not expressly prohibited is easier to implement. The router only needs to
examine the packet header and determine whether the information matches the prohibited table.
6. Using the RSA algorithm, encrypt the following:

p = 3, q = 11, e = 7, for P = 12 (plaintext)
Download