sol

advertisement
Chapter 8
A. Book Exercise (Chapter 8) : 10, 12, 13, 15, 17, 25
B. Briefly Explain Public key cryptography and its algorithm
C. Briefly Explain RSA and give an example
D. What is Authentication and which way may be the best way to perform
authentication?
E. Briefly introduce “digital signature” and how many ways we can implement this
technique?
F. Briefly introduce KDC and CA. Give an example of each technique and why we
need to implement these two techniques.
Answer (Chapter 8)
A. (Question 10)
An eavesdropper may have intercepted the messages exchanged in a previous
transaction, and may be replaying the client’s earlier responses. Until the real
client has successfully decrypted the server’s new challenge and sent back
evidence of this, the server cannot be sure such a replay attack isn’t in progress.
(Question 12)
(Question 13)
For a two-way authentication, the one-way authentication given in the chapter is
done in both directions. That is, the client sends random number x to the server
encrypted with the server’s public key, which the server decrypts with its private
key and sends back unencrypted; at about the same time, the server encrypts
random number y with the client’s public key, which the client decrypts with its
private key and sends back.
(Question 15)
We have password[N] = g(password[N - 1]); the essential property of g is that
it be believed that knowing g(x) does not provide any information that can be
used to find x.
(Question 17)
The FAQ at www.rsasecurity.com explains:
The Diffie-Hellman key exchange is vulnerable to a man-in-the-middle attack. In
this attack, an opponent Carol intercepts Alice’s public value and sends her own
public value to Bob. When Bob transmits his public value, Carol substitutes it
with her own and sends it to Alice. Carol and Alice thus agree on one shared key
and Carol and Bob agree on another shared key. After this exchange, Carol
simply decrypts any messages sent out by Alice or Bob, and then reads and
possibly modifies them before re-encrypting with the appropriate key and
transmitting them to the other party. This vulnerability is present because DiffieHellman key exchange does not authenticate the participants. Possible solutions
include the use of digital signatures and other protocol variants.
(Question 25)
(a) An internal telnet client can presumably use any port _ 1024. In order for
such clients to be able to connect to the outside world, the firewall must pass their
return, inbound traffic. If the firewall bases its filtering solely on port numbers, it
must thus allow nbound TCP connections to any port greater or equal to 1024.
(b) If the firewall is allowed access to the TCP header Flags bits, then to block all
inbound TCP connections it suffices to disallow inbound packets with SYN set
but not ACK. This prevents an outside host initiating a connection with an inside
host, but allows any outbound connection. No port filtering is needed.
Question B.-F. : See Power Point Slide of Chapter 8 for answers.
Chapter 5
Problem 2:
The maximum value of UDP Message Length field (2 bytes) is 65535 (2^16 –1).
The Offset field of IP header is only 13 bits that represents a number of 2^13. Therefore
in order to support the fragmentation of a maximum packet, the offset field must
represent in multiples of 2^16 – 2^13 = 2^3 = 8 bytes.
Problem 4:
TCP message = payload + TCP header = 2048 + 20 = 2068 bytes
First network:
MTU = 1024 = link header + IP header + payload = 14 bytes + 20 bytes + TCP data 
TCP data = 990 bytes but 990 is not in multiples of 8. TCP data fragment must be 984
which is in multiples of 8. Therefore the first network generates three fragments (size,
offset) = (984, 0), (984, 123), (100, 246).
Second network:
MTU = 512 = link header + IP header + payload = 8 bytes + 20 bytes + TCP data  TCP
data = 484 bytes but 484 is not in multiples of 8. TCP data fragment must be 480 that is
in multiples of 8. Therefore the second network generates six fragments (size, offset) =
(480, 0), (480, 60), (24, 120), (480, 123), (480, 183), (24, 243), (100, 246)
Problem 6:
a. The first and second transmissions are independent. Therefore the probability of
packet loss of both transmissions is 0.01 * 0.01.
b. The first and second transmissions are not independent because the first
transmission can use the fragments of second transmission for assembling the
packets. Therefore the probability of packet loss is 0.01 * 0.01 * 10. (Seriously
math reasoning: P(A|B) = P(A And B) / P(B) = 0.1 * 0.1 /0.1 )
c. (a) Identification for each transmission is different
(b) Identification of both transmissions is the same
Problem 7:
If the timeout value is too small, senders must often send ARP request to find the
physical address of IP.
If the timeout value is too large, it may be invalid if the physical adapter is replaced or
broken.
Problem :
a.
A
B
C
D
E
F
A
0
3
8
-
B
0
2
-
C
3
0
1
6
D
8
0
2
-
E
2
1
2
0
-
F
6
0
A
0
3
8
4
9
B
0
3
4
2
-
C
3
3
0
3
1
6
D
8
4
3
0
2
-
E
4
2
1
2
0
7
F
9
6
7
0
A
0
6
3
6
B
6
0
3
4
C
3
3
0
3
D
6
4
3
0
E
4
2
1
2
F
9
9
6
9
b.
A
B
C
D
E
F
c.
A
B
C
D
E
F
Problem 17.
Step
1
2
3
4
5
6
7
4
9
2
9
1
6
Confirmed List
(D, 0, -)
(D, 0, -)
(D,0,-) , (E,2,E)
(D,0,-) , (E,2,E) , (C, 3, E)
(D,0,-) , (E,2,E) , (C, 3, E),
(B,4,E)
(D,0,-) , (E,2,E) , (C, 3, E),
(B,4,E), (A,6,E)
(D,0,-) , (E,2,E) , (C, 3, E),
(B,4,E), (A,6,E), (F,9,E)
2
9
0
7
7
0
Tentative list
(A,8,A), (E,2,E)
(A,8,A), (B,4,E), (C,3,E)
(A,6,E), (B,4,E), (F,9,E)
(A,6,E), (F,9,E)
(F,9,E)
Problem 21:
a. 128.96.39.10/Interface 0
b. 128.96.40.12/R2
c. 128.96.40.151/R4
d. 192.4.153.17/R3
e. 192.4.153.90/R4
Problem 27:
“No packets time out” assumes that each node increments its sequence number only
when there is some change in the state of its local links.
The LSP data for each node is as follows:
Nodes Seq #
Seq #
Seq#
Seq# after Seq #
Seq #
Connects to
before
after
after
node D is after a
after the
the link
the
node H added
new
link B-F
B-F is
link B- is
with a
link A- is
broken
F is
added
connection D is
restored
broken
to C
added
A
1
1
1
1
2
2
B, C, D
B
1
2
2
2
2
3
A, C
C
1
1
1
2
2
2
A, B, D
D
0
0
0
1
2
2
A, C
F
1
2
2
2
2
3
G
G
1
1
2
2
2
2
F, H
H
0
0
1
1
1
1
G
Problem 28.
Step
Confirmed List
1
(A, 0, -)
2
(A, 0, -)
Tentative list
(B,5,B), (D,2,D)
3
4
5
(A, 0, -), (D,2,D)
(A, 0, -), (D,2,D), (B,4,D),
(A, 0, -), (D,2,D), (B,4,D),
(E,6,D),
(A, 0, -), (D,2,D), (B,4,D),
(E,6,D), (C,7,D)
6
(E,7,D)
(E,6,D), (C,8,B)
(C,7,D)
Problem 30:
a. The link changed state recently and one of the two LSP’s was old.
b. It takes sometime for both B and C having the same state
Problem 40:
a. Class A can represent 255 hosts for a network. 7-bit host ID are needed to
represent 72 hosts
Subnet ID
200.1.1.0
(0000 0000)
200.1.1.128
(1000 0000)
200.1.1.192
(1100 0000)
200.1.1.224
(1110 0000)
Subnet mask
255.255.255.128
No Hosts/Max
72 hosts/128
Department
A
255.255.255.192
35 hosts/64
B
255.255.255.224
20 hosts/32
C
255.255.255.224
18 hosts/32
D
b. If department D grows to 34 hosts, the subnet of department A is split into 2 subnets as
follows:
Subnet ID
200.1.1.0
(0000 0000)
200.1.1.64
(0100 0000)
200.1.1.128
(1000 0000)
200.1.1.192
(1100 0000)
200.1.1.224
(1110 0000)
Subnet mask
255.255.255.192
No Hosts/Max
64 hosts/64
Department
A
255.255.255.192
34 hosts/64
D
255.255.255.192
35 hosts/64
B
255.255.255.224
20 hosts/32
C
255.255.255.224
8 hosts/32
A
Download