7/29/2019 88 590-18 Final Solutions
http://slidepdf.com/reader/full/88-590-18-final-solutions 1/3
University of Windsor Department of Electrical and Computer Engineering
ECE 88-590-18: Network Security
Solution to Final Examination
December 16, 2003
1) (a) If r and n are relatively prime integers with n > 0, and if φ(n) is the least positive exponent m such that a^m ≡ 1 mod n, then r is called a primitive root modulo n.
(b) x = 9, 24 (mod 29)
2) At minimum the message 1 from A to B includes a timestamp tA, a nonce rA, and the identity of B and is signed with A’s private key. The message may also include information to be conveyed. This information, sgnData, is included within the scope of the signature, guaranteeing its authenticity and integrity. The message may include a session key to B, i.e., Kab, encrypted with B’s public key KUb. The timestamp can consist of an optional generation time and an expiration time. This prevents delayed delivery of messages. The nonce can be used to detect replay attacks. The nonce value must be unique within the expiration time of the message. Thus, B can store the nonce until it expires and reject any new messages with the same nonce.
The reply message 2 from B to A includes the nonce from A, to validate the reply. It also includes a timestamp and nonce generated by B. As before, the message may include signed additional information and a session key Kba, encrypted with A’s public key.
In the last message in this three-way authentication, a final message from A to B is included, which contains a signed copy of the nonce rB. The intent of echoing back nonces is to detect replay attacks. This approach is needed when synchronized clocks are not available.
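B's freshness check on message 1, as an added example that is not part of the original solutions. The field names, the FreshnessChecker class and the sample message are hypothetical, and verification of A's signature is assumed to have succeeded before accept() is called.

```python
import time


class FreshnessChecker:
    """B's replay defence for message 1: timestamp window plus nonce cache."""

    def __init__(self, my_id, clock=time.time):
        self.my_id = my_id
        self.clock = clock
        self.seen = {}  # (sender, nonce) -> expiration time of that message

    def _evict(self, now):
        # A nonce only has to be remembered until its message expires.
        for key in [k for k, exp in self.seen.items() if exp <= now]:
            del self.seen[key]

    def accept(self, msg):
        """Return (ok, reason); the signature was already verified by the caller."""
        now = self.clock()
        self._evict(now)
        if msg["recipient"] != self.my_id:
            return False, "wrong recipient"
        generated = msg.get("generated")  # generation time is optional
        if generated is not None and generated > now:
            return False, "not yet valid"
        if msg["expires"] <= now:
            return False, "expired"
        key = (msg["sender"], msg["nonce"])
        if key in self.seen:
            return False, "replayed nonce"
        self.seen[key] = msg["expires"]
        return True, "fresh"


def demo():
    """Run a constructed message through delivery, replay and late replay."""
    now = [1000.0]  # fake clock so the result is deterministic
    b = FreshnessChecker("B", clock=lambda: now[0])
    msg1 = {"sender": "A", "recipient": "B", "generated": 995.0,
            "expires": 1060.0, "nonce": "rA-0001"}  # constructed sample
    reasons = [b.accept(msg1)[1]]                      # first delivery
    reasons.append(b.accept(msg1)[1])                  # replay inside the window
    reasons.append(b.accept(dict(msg1, recipient="C"))[1])
    now[0] = 1061.0                                    # past the expiration time
    reasons.append(b.accept(msg1)[1])                  # delayed replay
    return reasons, len(b.seen)


if __name__ == "__main__":
    print(demo())
```

The cache stays bounded because an expired message is rejected by its timestamp alone, so its nonce can be dropped.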
3) (a) False --- IPSec functional areas are Authentication, Confidentiality and Key
Management.
(b) True
(c) False -- Tunnel mode provides protection to the entire IP packet.
(d) True
(e) True
(f) False -- Firewalls may be categorized according to the layers of the Internet protocol stack at which they operate.
(g) True
(h) True
(i) False
(j) True
4) 1. A sends a timestamped message to the public-key authority containing a request for the current public key of B.
2. The authority responds with a message that is encrypted using the authority’s private key, KRauth. Thus, A is able to decrypt the message using the authority’s public key. Therefore, A is assured that the message originated with the authority. The message includes B’s public key, KUb, the original request, and the original timestamp, so A can determine that this is not an old message from the authority containing a key other than B’s current public key. The original request is included to enable A to match this response with the corresponding earlier request and to verify that the original request was not altered before reception by the authority.
3. A stores B’s public key and also uses it to encrypt a message to B containing an identifier of A, i.e., IDA, and a nonce N1, which is used to identify this transaction uniquely.
4 and 5. B retrieves A’s public key from the authority in the same manner as A retrieved B’s public key. At this point A and B can begin their protected exchange. However, two additional steps are taken as shown in the diagram.
6. B sends a message to A encrypted with KUa and containing A’s nonce N1 as well as a new nonce generated by B, N2. Because only B could have decrypted message 3, the presence of N1 in this message assures A that the correspondent is B.
7. A returns N2, encrypted using B’s public key, to assure B that its correspondent is A.
One drawback of this scenario is that the public-key authority could be somewhat of a bottleneck in the system, for a user must appeal to the authority for a public key for every other user that it wishes to contact. Also, the directory of names and public keys maintained by the authority is vulnerable to tampering.
5) An Acquirer is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant’s account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for electronic funds transfer.
The Payment Gateway is a function operated by the acquirer or a designated third
party that processes merchant payment messages. This is an interface between
SET and the existing bankcard payment networks for authorization and payment
functions. The merchant exchanges SET messages with the payment gateway
over the Internet, while the payment gateway has some direct or network
connection to the acquirer’s financial processing system.
6) A) Manager, Agent, MIB, and network management protocol
B) The collection of managed objects is referred to as a management information base (MIB). The MIB functions as a collection of access points at the agent for the management station. These objects are standardized across systems of a particular class, e.g., bridges all support the same management objects. A management station performs the monitoring function by retrieving the value of MIB objects.
C) Traps are unsolicited notifications that inform the manager of some device status changes.
D) SNMPv1 lacks support for distributed network management and has functional deficiencies and security deficiencies. SNMPv2 supports distributed network management and addresses the functional deficiencies by adding GetBulkRequest and InformRequest commands (5 commands) to the already existing commands of GetRequest, GetNextRequest and SetRequest of SNMPv1 (3 commands). SNMPv3 addresses the security deficiencies of SNMPv1 and SNMPv2 by introducing the SNMPv3 User Security Model (USM).