88 590-18 Final Solutions

7/29/2019 88 590-18 Final Solutions

http://slidepdf.com/reader/full/88-590-18-final-solutions 1/3

University of Windsor Department of Electrical and Computer Engineering

ECE 88-590-18: Network SecuritySolution to Final Examination

December 16, 2003

1) (a) If r and n are relatively prime integers with n > 0. and if φ(n) is the least

positive exponent m such that am

≡ 1 mod n, then r is called a primitive root

modulo n.(b) x = 9, 24 (mod 29)

2) At minimum the message 1 from A to B includes a timestamp t A , a nonce r A , and

the identity of B and is signed with A’s private key. The message may alsoinclude information to be conveyed. This information, sgnData, is included

within the scope of the signature, guaranteeing its authenticity and integrity. Themessage may include a session key to B, i.e., K ab , encrypted with B’s public keyKU b . The timestamp can consist of an optional generation time and an

expiration time. This prevents delayed delivery of messages. The nonce can be

used to detect replay attacks. The nonce value must be unique within theexpiration time of the message. Thus, B can store the nonce until it expires and

reject any new messages with the same nonce.

The reply message 2 from B to A includes the nonce from A, to validate the reply.

It also includes a timestamp and nonce generated by B. As before, the message

may include signed additional information and a session key K ba , encrypted with

A’s public key.

In the last message in this three-way authentication, a final message from A to B

is included, which contains a signed copy of the nonce r B . The intent of echoing back of nonces is to detect replay attacks. This approach is needed when

synchronized clocks are not available.

3) (a) False --- IPSec functional areas are Authentication, Confidentiality and Key

Management.

(b) True

(c) False -- Tunnel mode provides protection to the entire IP packet.

(d) True(e) True(f) False -- Firewalls may be categorized according to the layers of the Internet

protocol stack at which they operate.

(g) True(h) True

(i) False

(j) True



4) 1. A sends a timestamped message to the public-key authority containing arequest for the current public key of B.

2. The authority responds with a message that is encrypted using the authority’s

private key, KR auth . Thus, A is able to decrypt the message using the authority’s public key. Therefore, A is assured that the message originated with the

authority. The message includes B’s public key, KU b , the original request, and

the original timestamp, so A can determine that this is not an old message fromthe authority containing a key other than B’s current public key. The original

request included to enable A to match this response with the corresponding earlier

request and to verify that the original request was not altered before reception by

the authority.3. A stores B’s public key and also uses it to encrypt a message to B containing

an identifier of A, i.e., IDA , and a nonce N1 , which is used to identify this

transaction uniquely.

4 and 5. B retrieves A’s public key from the authority in the same manner as Aretrieved B’s public key. At this point A and B can begin their protected

exchange. However, two additional steps are taken as shown in the diagram.6. B sends a message to A encrypted with KUa and containing A’s nonce N1 as

well as a new nonce generated by b, N2 . Because only B could have decrypted

message 3, the presence of N1 in this message assures A that the correspondent isB.

7. A returns N2 , encrypted using B’s public key, to assures B that its

correspondent is A.

One drawback of this scenario is that the public-key authority could be somewhat

of a bottleneck in the system, for a user must appeal to the authority for a public

key for every other user that it wishes to contact. Also, the directory of namesand public keys maintain by the authority is vulnerable to tampering.

5) An Acquirer is a financial institution that establishes an account with a merchant

and processes payment card authorizations and payments. Merchants will

usually accept more than one credit card brand but do not want to deal with

multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and the

proposed purchase does not exceed the credit limit. The acquirer also provides

electronic transfer of payments to the merchant’s account. Subsequently, theacquirer is reimbursed by the issuer over some sort of payment network for

electronic funds transfer.

The Payment Gateway is a function operated by the acquirer or a designated third

party that processes merchant payment messages. This is an interface between

SET and the existing bankcard payment networks for authorization and payment

functions. The merchant exchanges SET messages with the payment gateway



over the Internet, while the payment gateway has some direct or network

connection to the acquirer’s financial processing system.

6) A) Manager, Agent, MIB, and network management protocol

B) The collection of managed objects is referred to as a management information

base (MIB). The MIB functions as a collection of access points at the agent for the management station. These objects are standardized across systems of a

particular class, e.g., bridges all support the same management objects. A

management station performs the monitoring function by retrieving the value of MIB objects.

C) Traps are unsolicited notifications that inform the manager of some device

status changes.

D) SNMPv1 has lack of support for distributed network management, functionaldeficiencies and security deficiencies. SNMPv2 supports distributed network

management and addresses the functional deficiencies by adding GetBulkRequest

and InformRequest commands (5 commands) to already existing commands of

GetRequest and GetNextRequest and SetRequest of SNMPv1 (3 commands).SNMPv3 addresses the security deficiencies of SNMPv1 and SNMPv2 by

introducing SNMPv3 User Security Model (USM).

Documents

88 590-18 Final Solutions