Computer and Network Security Final Exam (A), 2006
Dr. Ron Rymon
Time: 2 hours and 30 minutes, plus 30 minutes extension.
No additional material is allowed.

Part A. Explain briefly 6 of the following 7 terms (4 points each):

1. Phishing
   a. A type of spam mail (1)
   b. which impersonates a request from a familiar business (usually a bank) (1)
   c. and refers the victim to an impersonating web site, where the victim is asked to enter personal data such as usernames and passwords, which are then used by the criminals (2)

2. SSL
   a. Secure Socket Layer (1)
   b. Protocol for secure web communication (1)
   c. Supports confidentiality/encryption (1)
   d. Supports one-way or two-way authentication using certificates (1)

3. PGP
   a. Pretty Good Privacy (1)
   b. Protocol and software for secure email (1)
   c. Supports authentication (1)
   d. Supports confidentiality (1)

4. Kerberos
   a. Client/server authentication system (2)
   b. Based on the idea of access tickets (2)

5. CBC
   a. Cipher Block Chaining (1)
   b. A mode of operation for block ciphers (1)
   c. Combines the output of the encryption of the previous block with the plaintext of the current block (1)
   d. in order to create inter-block diffusion and to avoid identical plaintext blocks being encrypted the same way (1)

6. Stream cipher
   a. Works on a stream of plaintext bits (1)
   b. Auto-generates a keystream, which depends on the encryption key (1) and on previous bits (1)
   c. The keystream is XORed with the plaintext stream (1)

7. Something-you-possess
   a. A type of authentication where the authenticating party is required to physically demonstrate possession of something (2),
   b. for example a card, token, etc. (2)

Part B. Answer 4 of the following 5 questions (9 points each):

1. Explain how a DDoS attack is mounted, and how it can be detected and dealt with.
   a. What it is: Distributed Denial of Service. A DoS is an attack on a server designed to shut it down by flooding it with requests/traffic (2).
   b. How it works: In a distributed DoS, the hacker uses many computers, which launch the attack when they receive the command from the hacker (2).
   c. How the hacker gets to control the slaves: Usually, the computers that carry out the actual attack were taken over by the hacker in a preceding step, e.g. through a Trojan downloaded by unsuspecting users (1).
   d. How it is detected: A DDoS attack is usually detected only when the traffic to the victim becomes unusual or high (2).
   e. How it is mitigated: Once detected, it is usually impossible to mitigate the attack in the areas of the network that are close to the victim. Instead, traffic aimed at the victim has to be siphoned off and filtered at the ISP level, as close as possible to the perimeter or to the sources of the attack. Filtering is usually based on the protocols and patterns of the attack traffic vs. the normal traffic (2).

2. Explain how fingerprinting works, and how it can be used for authentication.
   a. What it is: Fingerprinting is a something-you-are form of authentication, based on the fact that different people have different fingerprints (3).
   b. How it works: a reader captures an image of the fingerprint. The image is then analyzed and compared to the original fingerprint on record (3).
   c. How two fingerprints are compared: the comparison uses a catalog of lines/shapes found in a fingerprint (minutiae) (3).

3. Explain how an HMAC is computed, and how it protects message integrity.
   a. Illustration/explanation of the HMAC algorithm, and its input/output (5)
   b. The role of the MAC and the hash function in ensuring integrity (4)

4. Explain the Role-Based Access Control model.
   a. Groups people that perform the same job function (3)
   b. together with the privileges they need to perform this function (3).
   c. Advantages/disadvantages/comparison to other methods (e.g., ACLs, groups) (3)

5. Explain how packet filters and application gateways work. What are the relative advantages of each method?
   a. General explanation (3)
   b. Firewall rules (1)
   c. Firewall configuration (DMZ, bastion host) (1)
   d. Packet filters work at the IP layer vs. application gateways at the application layer (1)
   e. Advantages and disadvantages (3)

Part C. Answer the following two questions (20 points each):

1. Explain how IPSec works and how it can be used to implement a VPN.
   a. IP Security protocol that works at the IP layer, and therefore can be used for any application (3)
   b. General architecture consisting of a set of protocols for encryption and authentication (ESP, AH) (2)
   c. Explanation of AH for authentication (3)
   d. Explanation of ESP for confidentiality (3)
   e. Domain of interpretation, SAs, and key management functions (3)
   f. Transport and tunnel mode – confidentiality for the packet and against traffic analysis (3)
   g. IPSec-based VPN architecture (3)

2. Outline the RSA encryption algorithm, and explain how it can be used to implement digital signatures.
   a. RSA is a public-key algorithm (2).
   b. The key generation algorithm (3 bonus – I didn’t ask for it)
   c. The RSA encryption algorithm itself (6)
   d. The difficulty of factorization that gives RSA its power (2)
   e. Digital signatures – explanation of the public-key scheme (two keys, one published, one secret) (2)
   f. Digital signatures – explanation/illustration of the process: how signed, how verified, why secure (6)
   g. Best to sign only hashes (2)
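Added worked example for Part A, term 5 (CBC); it is not part of the exam key. It uses a deliberately toy Feistel "block cipher" built from SHA-256 (an assumption for illustration, not a real cipher) so the same repeated plaintext can be encrypted in ECB and in CBC and the effect of chaining compared; key, IV and plaintext are constructed values.

```python
import hashlib

BLOCK = 8  # 64-bit blocks as two 32-bit halves; inputs must be a whole number of blocks (no padding here)
def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    # Feistel round function: keyed hash of one half, truncated to 4 bytes.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    # Toy Feistel cipher: NOT secure, just an invertible keyed block function.
    left, right = block[:4], block[4:]
    for r in range(rounds):
        left, right = right, xor(left, _round(key, right, r))
    return left + right

def decrypt_block(key: bytes, block: bytes, rounds: int = 4) -> bytes:
    left, right = block[:4], block[4:]
    for r in reversed(range(rounds)):  # undo the rounds in reverse order
        left, right = xor(right, _round(key, left, r)), left
    return left + right

def ecb_encrypt(key: bytes, pt: bytes) -> bytes:
    # ECB: each block encrypted independently, so equal plaintext blocks give equal ciphertext.
    return b"".join(encrypt_block(key, pt[i:i + BLOCK]) for i in range(0, len(pt), BLOCK))

def cbc_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        # CBC: XOR the previous ciphertext block (the IV for the first) into the plaintext before encrypting.
        prev = encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out.append(xor(decrypt_block(key, block), prev))  # decrypt, then undo the chaining
        prev = block
    return b"".join(out)

def distinct_blocks(ct: bytes) -> int:
    return len({ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)})
def demo():
    key, iv = b"toy-key!", bytes(BLOCK)   # constructed key and a fixed all-zero IV (reproducible demo)
    pt = b"SAMEBLCK" * 4                  # four identical plaintext blocks, constructed
    ecb, cbc = ecb_encrypt(key, pt), cbc_encrypt(key, iv, pt)
    # ECB leaks the repetition (1 distinct block); CBC does not (4); CBC still decrypts correctly.
    return distinct_blocks(ecb), distinct_blocks(cbc), cbc_decrypt(key, iv, cbc) == pt
```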
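Added worked example for Part B, question 3 (HMAC); it is not part of the exam key. It computes HMAC directly from its definition, HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), and checks the result against Python's hmac module; the key and messages are constructed values.

```python
import hashlib
import hmac as stdlib_hmac

IPAD, OPAD = 0x36, 0x5C  # inner/outer pad bytes from RFC 2104

def hmac_from_definition(key: bytes, message: bytes, hash_name: str = "sha256") -> bytes:
    """HMAC(K, m) = H((K' xor opad) || H((K' xor ipad) || m)), K' = key padded to one block."""
    block_size = hashlib.new(hash_name).block_size   # 64 bytes for SHA-256
    if len(key) > block_size:                        # keys longer than a block are hashed first
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_size, b"\x00")             # K': zero-padded to the block size
    inner = hashlib.new(hash_name, bytes(b ^ IPAD for b in key) + message).digest()
    return hashlib.new(hash_name, bytes(b ^ OPAD for b in key) + inner).digest()

def verify(key: bytes, message: bytes, tag: bytes) -> bool:
    # Recompute the tag and compare in constant time. Without the key the tag
    # cannot be recomputed, so any change to message or tag is detected.
    return stdlib_hmac.compare_digest(hmac_from_definition(key, message), tag)

def demo():
    key = b"shared-secret-key"                   # constructed shared key
    msg = b"transfer 100 to account 42"          # constructed message
    tag = hmac_from_definition(key, msg)
    same_as_stdlib = tag == stdlib_hmac.new(key, msg, "sha256").digest()
    long_key = b"k" * 100                        # longer than the 64-byte block
    long_ok = hmac_from_definition(long_key, msg) == stdlib_hmac.new(long_key, msg, "sha256").digest()
    genuine = verify(key, msg, tag)
    tampered = verify(key, b"transfer 900 to account 42", tag)   # modified message: rejected
    wrong_key = verify(b"other-key", msg, tag)                    # tag made without the key: rejected
    return same_as_stdlib, long_ok, genuine, tampered, wrong_key

if __name__ == "__main__":
    print(demo())  # (True, True, True, False, False)
```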
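Added worked example for Part C, question 2 (RSA and digital signatures); it is not part of the exam key. The toy primes and message are constructed, the signature is made over a SHA-256 hash of the message as item g recommends, and a trial-division factoring of the toy modulus shows why the scheme's strength rests on the hardness of factoring n at real key sizes.

```python
"""Textbook RSA with toy primes and hash-then-sign signatures. Illustration only:
real RSA uses 2048+ bit moduli and padding (OAEP / PSS), which this omits."""
import hashlib
from math import isqrt

def keygen(p: int, q: int, e: int = 65537):
    """Return the public key (n, e) and private key (n, d)."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(e, -1, phi)   # d = e^-1 mod phi(n); raises ValueError if gcd(e, phi) != 1
    return (n, e), (n, d)

def encrypt(pub, m: int) -> int:
    n, e = pub
    return pow(m, e, n)   # c = m^e mod n: anyone holding the public key can do this

def decrypt(priv, c: int) -> int:
    n, d = priv
    return pow(c, d, n)   # m = c^d mod n: needs the secret exponent d

def _digest_as_int(message: bytes, n: int) -> int:
    # Sign a hash of the message, not the message itself. The toy modulus is far
    # smaller than 256 bits, so the digest is reduced mod n to fit in one block.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message: bytes) -> int:
    n, d = priv
    return pow(_digest_as_int(message, n), d, n)          # s = H(m)^d mod n

def verify(pub, message: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _digest_as_int(message, n)   # s^e mod n == H(m)?

def factor_by_trial_division(n: int):
    """Recover (p, q) of a toy modulus; hopeless at real key sizes, which is the hardness RSA rests on."""
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    return None

def demo():
    pub, priv = keygen(1000003, 1000033)          # constructed toy primes, n ~ 10^12
    msg = b"pay 100 to account 42"                # constructed message
    sig = sign(priv, msg)
    genuine = verify(pub, msg, sig)
    tampered = verify(pub, b"pay 900 to account 42", sig)   # altered message: verification fails
    # Factoring n gives phi(n) and hence d: toy keys fall to trial division.
    p, q = factor_by_trial_division(pub[0])
    recovered_d = pow(pub[1], -1, (p - 1) * (q - 1))
    return genuine, tampered, recovered_d == priv[1]
```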