Vietnam National University, Hanoi
University of Engineering and Technology
Faculty of Information Technology
Friday, January 06, 2012
Duration: 120 minutes
Open books and notes, no notebooks, no mobile phones. No discussion or exchange of documents between students during the exam.
Class: INT%0&%

Final Exam: Network Security (4 problems, 3 pages, point values given in parentheses, 10 maximum)

1. Key distribution and user authentication (2 points)
Assume an open distributed environment in which users at client workstations wish to access services on servers distributed throughout the network. We would like servers to be able to restrict access to authorized users and to be able to authenticate requests for service. Rather than building elaborate authentication protocols into each server, an authentication server (AS) and a ticket-granting server (TGS) are used. The AS knows the passwords of all users and stores them in a centralized database. Its function is to authenticate users to servers. The TGS knows whether a user may access a particular service. Consider the following hypothetical dialogue:

(i) Once per user logon session
(1) C → AS : ID_C || ID_tgs
(2) AS → C : E(K_C, [Ticket_tgs])

(ii) Once per type of service
(3) C → TGS : ID_C || ID_V || Ticket_tgs
(4) TGS → C : Ticket_V

(iii) Once per service session
(5) C → V : ID_C || Ticket_V

Ticket_tgs = E(K_tgs, [ID_C || AD_C || ID_tgs || TS1 || Lifetime1])
Ticket_V = E(K_V, [ID_C || AD_C || ID_V || TS2 || Lifetime2])

where C is a client workstation, ID_C is the identifier of the user on C, ID_tgs is the identifier of the TGS, V is a service server, ID_V is the identifier of V, Ticket_tgs is the ticket used by the client to access the TGS, Ticket_V is the ticket used by the client to access server V, AD_C is the network address of C, K_C is a key derived from the user's password, K_tgs is a secret key known only to the AS and the TGS, K_V is a secret key known only to the TGS and V, TS1 is the time at which Ticket_tgs is issued, TS2 is the time at which Ticket_V is issued, and Lifetime1 and Lifetime2 give the length of time for which the corresponding ticket is valid.

a. (1 point)
Describe two scenarios in which an opponent, without knowing the password of user ID_C or the key K_C, is able to impersonate this user and obtain Ticket_V from the TGS.

b. (0.5 point)
In each of the above scenarios, after obtaining Ticket_V from the TGS, how can the opponent gain access to the corresponding service?

c. (0.5 point)
Explain how this system is vulnerable to a password attack.

2. Transport-level security (3 points)
Consider the SSL Handshake Protocol. Suppose that the hybrid ephemeral/fixed Diffie-Hellman key exchange method is used: the server has a fixed Diffie-Hellman public/private key pair (the Diffie-Hellman public parameters are contained in the server's certificate); the client generates a one-time Diffie-Hellman public/private key pair but has a fixed RSA public/private key pair (the RSA public key is contained in the client's certificate).

a. (1.5 points)
Draw the most secure exchange of messages expected for this scenario.

b. (1.5 points)
Describe the parameters associated with each situation-dependent message and with the client_key_exchange message.

3. Electronic mail security (2.5 points)
A user A maintains a public key ring with the fields Public Key, User ID, Owner Trust, and Signatures as follows:

Public Key   User ID   Owner Trust       Signatures
PU_A         A         Ultimate          -
PU_B         B         Always trusted    [illegible in source]
PU_C         C         Usually trusted   [illegible in source]
PU_D         D         Usually trusted   [illegible in source]
PU_E         E         Usually trusted   [illegible in source]
PU_F         F         Always trusted    [illegible in source]
PU_G         G         Not trusted       [illegible in source]
PU_H         H         Always trusted    [illegible in source]

(The cell boundaries of the Signatures column for PU_B to PU_H are lost in the source; the signer tokens that survive, in order, read: A, A, C, C, D, C, F, ?.)
The Key Legitimacy fields are computed on the basis of the attached signatures as follows:
• If the owner is A, then the public key is legitimate.
• If at least one signature has a signature trust value of ultimate, then the public key is legitimate.
• Otherwise, compute a weighted sum of the trust values. A weight of 1 is given to signatures that are always trusted and a smaller weight (the value is missing in the source; PGP's default is 1/2) to signatures that are usually trusted.
• When the total of the weights of the introducers of a Public Key/User ID combination reaches 1, the public key is considered legitimate.
• In all remaining cases, the public key is considered illegitimate.

Draw the corresponding trust model.

4. IP Security (2.5 points)
Draw the format of the IPv4 IPsec packets as transmitted on the Internet by the security gateway W1 of a local network LAN1 to the security gateway W2 of another local network LAN2. Those packets have the host H1 in LAN1 as the original source and the host H2 in LAN2 as the original destination. IPsec is implemented on the devices H1, W1, W2, and H2. Two security associations are combined: an inner transport security association and an outer tunnel security association. In tunnel mode, both ends of the security association are security gateways. The inner transport security association provides data origin authentication. The outer tunnel security association provides only data confidentiality and no additional authentication. Are the given packets protected against data modification, replay and limited traffic analysis attacks? Explain why for each attack.
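The check that server V can perform on Ticket_V in step (5) of problem 1, written as an added example that is not part of the exam. The exam's E(K, ·) is replaced by a labelled toy construction so the dialogue runs offline; all identifiers, the key K_V and the timestamps are constructed values.

```python
import hashlib, hmac, json, os

# Toy stand-in for the exam's E(K, [...]): a SHA-256 keystream XOR for
# confidentiality plus an HMAC-SHA256 tag for integrity. It is NOT a real
# cipher; it only lets the ticket fields travel opaquely in this example.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))

def toy_encrypt(key: bytes, fields: dict) -> bytes:
    plain = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(p ^ s for p, s in zip(plain, _stream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def toy_decrypt(key: bytes, blob: bytes):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        return None                      # wrong key or tampered ticket
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct)))))

K_V = b"constructed-key-shared-by-TGS-and-V"   # K_V, known only to the TGS and V

# Step (4): the TGS issues Ticket_V = E(K_V, [ID_C || AD_C || ID_V || TS2 || Lifetime2]).
def issue_ticket_v(id_c, ad_c, id_v, ts2, lifetime2):
    return toy_encrypt(K_V, {"ID_C": id_c, "AD_C": ad_c, "ID_V": id_v,
                             "TS2": ts2, "Lifetime2": lifetime2})

# Step (5): C -> V : ID_C || Ticket_V. V can only verify what the ticket carries:
# that it was sealed under K_V, the claimed ID_C, the source address AD_C, the
# service ID_V and the validity window [TS2, TS2 + Lifetime2). Nothing in the
# message is fresh per session, which is the limitation problem 1 asks about.
def v_accepts(id_v, claimed_id_c, src_addr, ticket, now):
    t = toy_decrypt(K_V, ticket)
    if t is None or t["ID_V"] != id_v:
        return False
    if t["ID_C"] != claimed_id_c or t["AD_C"] != src_addr:
        return False
    return t["TS2"] <= now < t["TS2"] + t["Lifetime2"]
```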
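The key-legitimacy rules of problem 3, implemented as an added example (not part of the exam). The ring uses the exam's user IDs and owner-trust values, but its Signatures column is constructed here because the exam's own column is garbled; the 1/2 weight for usually-trusted signatures is assumed, as the source omits the value.

```python
from fractions import Fraction

# Weights from the exam's rules: 1 for "always trusted"; the weight for
# "usually trusted" is missing in the source and 1/2 (PGP's default) is assumed.
WEIGHT = {"always": Fraction(1), "usually": Fraction(1, 2)}

def key_legitimacy(ring, owner):
    """ring: {user_id: {"trust": owner_trust, "sigs": [signer_user_id, ...]}}.
    Applies the exam's five rules in order and returns {user_id: bool}.
    A signature's trust value is the owner trust of the signer's key."""
    result = {}
    for uid, entry in ring.items():
        if uid == owner:                                   # rule 1: A's own key
            result[uid] = True
            continue
        sigs = [s for s in entry["sigs"] if s in ring]     # unknown signers carry no weight
        if any(ring[s]["trust"] == "ultimate" for s in sigs):   # rule 2
            result[uid] = True
            continue
        total = sum(WEIGHT.get(ring[s]["trust"], Fraction(0)) for s in sigs)  # rule 3
        result[uid] = total >= 1                           # rule 4; otherwise rule 5
    return result

# Constructed ring: the exam's user IDs and owner-trust values, made-up signatures.
RING = {
    "A": {"trust": "ultimate", "sigs": []},
    "B": {"trust": "always",   "sigs": ["A"]},
    "C": {"trust": "usually",  "sigs": ["A"]},
    "D": {"trust": "usually",  "sigs": ["C"]},
    "E": {"trust": "usually",  "sigs": ["C", "D"]},   # 1/2 + 1/2 reaches 1
    "F": {"trust": "always",   "sigs": ["C"]},        # 1/2 only
    "G": {"trust": "not",      "sigs": ["F"]},        # F is always trusted: weight 1
    "H": {"trust": "always",   "sigs": ["G", "D"]},   # G contributes nothing
}
```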