New York University
CSCI-SHU MISC
LECTURE 6 – MESSAGE INTEGRITY / PKI / TLS
LECTURE 7 – LAYER 2 SECURITY
LECTURE 8 – FIREWALLS
LECTURE 9 – AUTHENTICATION
LECTURE 9 – AUTHENTICATION
Sample Finals Solutions:
Me
...
New York University
CSCI-SHU MISC
LECTURE 6 – MESSAGE INTEGRITY / PKI / TLS
LECTURE 7 – LAYER 2 SECURITY
LECTURE 8 – FIREWALLS
LECTURE 9 – AUTHENTICATION
LECTURE 9 – AUTHENTICATION
Sample Finals Solutions:
Message Integrity Question 1:
1a. [4 pts] As stated above, how would Alice generate the digital signature?
Alice would take a hash of the message, and encrypt it using her private certificates.
1b. [4 pts] How can Trudy (who is evil) take advantage of this system to get herself more
money?
The message can be captured and resent by Trudy to the bank. Since the digital signature is
valid, the bank would transfer the funds multiple times.
1c. [4 pts] How can the communication be modified to prevent this attack?
A nonce can be added to the communication in the following manner:
Alice -> Bank: Hello
Bank -> Alice: Here’s a nonce R
Alice -> Bank: “transfer $1000 to Trudy” + R + Encrypt(hash(“transfer $1000 to Trudy” + R)
where the encryption uses the private cert.
Bank -> Alice: Success
In this scenario, Trudy won’t be able to perform a replay attack.
Message Integrity Question 2:
No solution provided
SSL/TLS Question 1:
1a. [4 pts] Suppose that in the SSL Full Handshake, as shown, the Finished messages do not
contain a checksum of all previous handshake messages. Describe two ways that an attacker can
take advantage of this flaw.
Although the attacker can MITM the connection, the Attacker still cannot see the data as the
attacker cannot forge a valid certificate, but he can change some messages:
1. Version rollback attack – force the client to offer an earlier version of SSL which has
more vulnerabilities
2. CipherSpec rollback – force the client to offer weaker version of cipherspecs so it can be
broken easier.
1b. [4 pts] Describe each algorithm of this ciphersuite its purpose in SSL/TLS:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
DHE – client/server uses DH to exchange keys for each session.
RSA – the authentication protocol, used with DHE
AES_128_CBC – uses AES 128-bit keys in CBC mode for bulk encryption
SHA – SHA is used as the integrity
1c. [2 pts] What’s the primary security difference between these two ciphersuites:
TLS_DHE_RSA_WITH_AES_128_CBC_SHA and
TLS_DH_RSA_WITH_AES_128_CBC_SHA
The E in the first protocol stands for ephemeral, which means new DH keys are exchanged for
each session. If the session keys are compromised, only the data for that session is lost. This
provides what’s called Perfect Forward Security.
SSL/TLS Question 2:
2a. [3 pts] What messages are hashed by each of the Finished messages in the SSL Full
Handshake? Be specific.
The Finished messages has all the previous handshake messages. For the Finished message in
(8), the messages (1)-(6) are hashed. For the Finished message in (10), the messages (1)-(6) and
(8) are hashed. The ChangeCipherSpec is not hashed because it’s not a handshake message for
the purpose of forcing the following message, the Finished message, to be sent in a new packet.
2b. [3 pts] When is the first encrypted message sent from each side in the SSL Full Handshake?
The Finished message is the first encrypted message sent from each side.
2c. [3 pts] What is the SSL Abbreviated Handshake and how are the messages different from the
SSL Full Handshake?
The SSL Abbreviated Handshake is used for resumption of SSL connections. The client sends
“session id” from the previous session. If the server remembers it, the server will immediately
send (9) ChangCipherSpec and (10) Finished after ServerHello (2). Then the client will agree by
sending (7) ChangeCipherSpec and (8) Finished.
2d. [3 pts] Why should the TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA ciphersuite,
which is a TLS 1.2 ciphersuite, not be used anymore?
ECDH does not have to property of Perfect Forward Security. Also accepted for 1 point is that
SHA is somewhat broken and should be avoided.
2e. [3 pts] If an attacker sent a TCP RST message to reset a TLS connection, does TLS know
that the TCP connection was attacked? How?
Yes, as TLS expects a close_notify TLS message before the TCP connection ends. If the TCP
RST comes before close_notify, then there is something wrong, such as an attacker.
PKI/TLS Question 1:
1a. [4 pts] If amazon.com always uses the ciphersuite
TLS_RSA_WITH_AES_256_CBC_SHA, are prior encrypted connections protected after Trudy
steals the key? Explain why.
No, prior connections are not protected because this ciphersuite does not have the property of
perfect forward security. Each time a TLS connection is established, the same RSA key is used
for key exchange and authentication, therefore when the TLS private keys are lost, all prior
connections can be decrypted.
1b. [4 pts] How can Trudy use the stolen private key to MITM a TLS connection and see
encrypted data between a user and amazon.com? Explain why this cannot be easily done without
the private key.
With the private key, Trudy can successfully impersonate amazon.com without causing browser
errors stating that certificates are bad. This cannot be done without the private keys because the
browser is supposed to detect any errors during certificate validation.
1c. [2 pts] Is it possible for a CA to issue more than one TLS certificate for amazon.com?
Explain why or why not.
Yes, it’s possible because issuing certificates is not a technical limitation, and a CA is free to
(and commonly does) issue multiple TLS certificates for a single domain name.
1d. [4 pts] Suppose a root CA was vulnerable to Heartbleed and lost its private keys. What can a
user do to protect him or herself from being eavesdropped on?
Multiple correct answers.
1. User can remove the CA from the browser or OS certificate list.
2. Avoid websites with compromised certificates (that’s pretty hard to do).
3. Change passwords (to avoid further compromise).
PKI/TLS Question 2:
a. [3 pts] Explain how Alice would mutually authenticate an ACME server using her PKI
certificates.
There are multiple correct ways to answer this question. In order to perform mutual
authentication, both Alice and ACME server must authenticate to each other, like so:
Alice -> ACME: Hello, and here’s a nonce R1
ACME -> Alice: Encrypt(R1) with private key, and here’s another nonce R2
Alice -> ACME: Encrypt(R2) with private key
[Bi-directional communications begin]
A few assumptions were made for this to work out, including that Alice’s laptop and ACME’s
server already stored the ACME CA public cert.
Sidenote: One of the most secure methods to store PKI private certs is by using a hardwarebased solution, such as the Intel Trusted Platform Module (TPM), which is available on many
Intel CPUs. Private keys are generated by the chip and cannot be easily removed.
b. [3 pts] How does ACME and Alice know that each other’s certificate is valid?
Both ACME and Alice needed to be able to verify the authenticity of certificate by checking the
chain of trust and ensuring that all fields are valid. After ensuring the certificate is valid, each
will also need to verify the Subject Common Name (CN) of the other entity. For Alice, she
would need to have her name or other unique identifying information on her public cert. For the
server, it would have the server’s address/IP/name on the cert.
c. [3 pts] If Alice used her PKI certificates for encrypted communications to Bob, would ACME
be able to read the encrypted conversation? Explain.
Absolutely, because both Alice and Bob needs to trust the ACME CA, and the ACME CA will
be able to generate any certificates that are authentic to both Alice and Bob. ACME CA does not
actually have the certs, but can generate a new one that looks just like it and can use to MITM
the connection. There’s a caveat: if Alice and Bob were able to exchange the “fingerprint” of
each other’s public certificate in some manner before hand, then they would be able to see that if
the certificates are real.
d. [3 pts] Trudy (who is evil) also worked at ACME corporation and has valid PKI certificates to
authenticate into the ACME network. In what instances would Trudy be able to read the
encrypted communication between Alice and Bob? Explain.
If everything works the way it’s supposed to be working, then there’s not much that Trudy can
do.
SSL/TLS Question 3:
2a. [6 pts] The above diagram shows the SSL Record Layer Operations. Describe what each
number (1) to (6) is referring to.
(1) Application data. Shows the data from the view of the application.
(2) SSL fragments to a 16Kb fragments, which is the max size for SSL packets.
(3) Compression, which isn’t used due to numerous vulnerabilities.
(4) HMAC of the plaintext is appended to the packet.
(5) The entire packet (plaintext and HMAC) are encrypted.
(6) Header information is added to the packet.
Note: (3), (4), and (5) can be summarized as “HMAC then Encrypt”
2b. [6 pts] Select the ciphersuites that should not be support anymore today and explain why.
Explanation required for credit.
(1) TLS_RSA_WITH_RC4_128_SHA – should not be used because it does not have Perfect
Forward Security and RC4 is broken.
(2) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 – good ciphersuite
(3) TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 – good ciphersuite
(4) TLS_ECDHE_ECDSA_WITH_RC4_128_SHA – RC4 should not be used anymore
(5) TLS_DH_RSA_WITH_AES_128_CBC_SHA – No PFS, and it uses SHA1, which is
somewhat broken.
PKI /TLS Question 3:
1a. [8 pts] If you were the security engineer for a website, explain for each of the following
ciphersuites if you recommend to the administrator to keep them enabled or disabled, and state
your reason for each. For disabled, state all the reasons why the ciphersuite should be disabled:
(1) SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA - disable. Export ciphers
(RSA_EXPORT) are very weak. DES40 is broken and SHA1 shouldn’t be used anymore.
(2) TLS_RSA_WITH_AES_128_CBC_SHA256 – disable. No PFS.
(3) SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA – disable. 3DES EDE is very weak. SHA1
shouldn’t be used anymore
(4) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 – enable. This cipher has PFS, good
symmetric algorithm, and good hashing function.
(5) TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - disable. No PFS.
1b. [4 pts] Suppose a TLS connection is using the ciphersuite
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256. How does TLS ensure that each message
has a different ciphertext even when the plaintext message is the same?
“Mode of operation” CBC ensures there’s a separate IV for each message.
2. TLS. No solution provided
PKI /TLS Question 4: No solution provided
LECTURE 7 – LAYER 2 SECURITY
Layer 2 Security Question 1:
4a. [5 pts] Using only layer two protocols, describe the step-by-step process in detail in which
Trudy successfully becomes the MITM between Alice and amazon.com without disruption any
of Bob’s network connections. Specify IP/MAC address when necessary.
(1) Trudy will need to wait until the ARP cache entry expires, or DOS Alice until the ARP
cache entry expires.
(2) Trudy will send ARP Reply to the Router saying that 10.10.10.3 is associated with MAC T.
(3) Trudy will send an ARP Reply to Alice saying that 10.10.10.2 is associated with MAC T.
(4) Trudy will bridge the connection, and is now the MITM.
4b. [4 pts] Explain how SSLStrip works to allow Trudy to view the supposedly encrypted TLS
connection between Alice and amazon.com.
SSLStrip sits in between Alice and amazon.com. When Alice goes to the encrypted amazon.com
website, SSLStrip will establish a TLS connection for amazon.com for Alice, but will send the
decrypted page to Alice. This allows SSLStrip to see the encrypted data without the correct
private keys.
4c. [4 pts] How does Dynamic ARP Inspection (DAI) know if an ARP is being spoofed and
needs to be dropped?
First, DHCP Snooping needs to be enabled, which creates the DHCP Snooping Binding Table.
Entries are added to the table by capturing valid DHCP traffic. DAI will check each ARP Reply
to ensure that the source MAC and IP matches what’s in the table.
Layer 2 Security Question 2:
5a. [6 pts] Using only ARP packets, describe the step-by-step process in detail in which Trudy
successfully becomes the MITM between Alice and amazon.com:
(1) by spoofing the ARP table; and (2) by overloading the CAM table on the switch.
Describe the details of the ARP packets in detail.
(1) In the ARP spoofing attack, the attacker sends an ARP packet claiming to have the MAC
address of the Alice, and another ARP packet claiming to have the MAC address of the Router.
This results in all traffic between the Router and Alice being diverted via Trudy.
(2) In the CAM attack, the attacker floods the CAM table with random ARP reply packets
ensuring that the CAM table is filled and the switch can no longer learn any new MAC
addresses. When the CAM table overflows, the switch acts as a hub.
5b. [2 pts] If Trudy uses SSLStrip, what will Alice see from her perspective when she logs into
amazon.com?
Alice will be able to see the same homepage of Amazon.com. However this would be a plain
HTTP page with the TLS layer security stripped off as the traffic is now flowing through Trudy’s
machine. All the bidirectional traffic is routed via Trudy’s machine without amazon.com or
Alice ever knowing.
5c. [4 pts] Describe how IP Spoof Guard (IPSG) works and what information it would use to
stop this attack.
IPSG uses the DHCP snooping binding table information to check every IP packet in ensuring
that the IP address coming from the interface matches with that of the information collected by
DHCP Snooping.
Layer 2 Security Question 3:
5a. [4 pts] If the Attacker can only send one ARP packet and nothing else, what is the single
ARP packet that will allow the Attacker to eavesdrop on as much traffic as possible? Describe
the ARP packet in detail and explain why.
Gratuitous ARP Request or Reply stating that the Attacker is the Router (saying it has IP
10.10.111.1 and MAC R) would probably capture any new traffic originating from the Clients.
5b. [4 pts] Suppose that the Attacker knows that the Client with MAC B, which already has a
DHCP IP address, will be renewing its lease soon. How can the Attacker be the MITM between
Client B and the Router R using only the DHCP protocol?
When the Client will eventually send a DHCP Request (Broadcast). The Attacker will reply with
a DHCP ACK with the Attacker’s IP as the gateway
5c. [6 pts] Describe in detail three ways to mitigate these two attacks.
(1) DHCP Snooping – a feature that allows the switch to monitor all DHCP traffic. The interface
for the Attacker would be set to “unstrusted,” so the attacker won’t be able to send
Offers/ACKs/NAKs.
(2) Block port 68 on the interfaces that don’t have the DHCP server. This will make the Attacker
not able to send DHCP Offer and DHCP ACK.
(3) Enable DHCP Snooping which checks if the MAC address matches the Client HW Address.
DHCP Question 2: No solution provided
[Show More]
.png)
