Network Security Technology: English Exercise Collection
Chapter 1 Introduction
ANSWERS TO QUESTIONS
1.1 What is the OSI security architecture?
The OSI Security Architecture is a framework that provides a systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The document defines security attacks, mechanisms, and services, and the relationships among these categories.
1.2 What is the difference between passive and active security threats?
Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.
1.3 List and briefly define categories of passive and active security attacks.
Passive attacks: release of message contents and traffic analysis. Active attacks: masquerade, replay, modification of messages, and denial of service.
1.4 List and briefly define categories of security services.
Authentication: The assurance that the communicating entity is the one that it claims to be.
Access control: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
Data confidentiality: The protection of data from unauthorized disclosure.
Data integrity: The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
Instructor: XXX
Availability service: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them).
Chapter 2 Symmetric Encryption and Message Confidentiality
ANSWERS TO QUESTIONS
2.1 What are the essential ingredients of a symmetric cipher?
Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.
2.2 What are the two basic functions used in encryption algorithms?
Permutation and substitution.
2.3 How many keys are required for two people to communicate via a symmetric cipher?
One secret key.
2.4 What is the difference between a block cipher and a stream cipher?
A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.
2.5 What are the two general approaches to attacking a cipher?
Cryptanalysis and brute force.
2.6 Why do some block cipher modes of operation only use encryption while others use both encryption and decryption?
In some modes, the plaintext does not pass through the encryption function, but is XORed with the output of the encryption function. The math works out that for decryption in these cases, the encryption function must also be used.
2.7 What is triple encryption?
With triple encryption, a plaintext block is encrypted by passing it through an encryption algorithm; the result is then passed through the same encryption algorithm again; the result of the second encryption is passed through the same encryption algorithm a third time. Typically, the second stage uses the decryption algorithm rather than the encryption algorithm.
2.8 Why is the middle portion of 3DES a decryption rather than an encryption?
There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES by repeating the key.
2.9 What is the difference between link and end-to-end encryption?
With link encryption, each vulnerable communications link is equipped on both ends with an encryption device. With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data; the data in encrypted form are then transmitted unaltered across the network to the destination terminal or host.
2.10 List ways in which secret keys can be distributed to two communicating parties.
For two parties A and B, key distribution can be achieved in a number of ways, as follows:
(1) A can select a key and physically deliver it to B.
(2) A third party can select the key and physically deliver it to A and B.
(3) If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
(4) If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
2.11 What is the difference between a session key and a master key?
A session key is a temporary encryption key used between two principals. A master key is a long-lasting key that is used between a key distribution center and a principal for the purpose of encoding the transmission of session keys. Typically, the master keys are distributed by noncryptographic means.
2.12 What is a key distribution center?
A key distribution center is a system that is authorized to transmit temporary session keys to principals. Each session key is transmitted in encrypted form, using a master key that the key distribution center shares with the target principal.
ANSWERS TO PROBLEMS
2.1 What RC4 key value will leave S unchanged during initialization? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 through 255 in ascending order.
Use a key of length 255 bytes. The first two bytes are zero; that is, K[0] = K[1] = 0. Thereafter, we have: K[2] = 255; K[3] = 254; … K[255] = 2.
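The key schedule behind this answer, as an added example that is not part of the original answer set. It builds the vector K[0] through K[255] exactly as listed above and runs the standard RC4 key-scheduling loop over it; the function names are hypothetical.

```python
def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: return S after the initial permutation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 keys are 1 to 256 bytes long")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def nontrivial_swaps(key: bytes) -> int:
    """Count the steps of the key schedule that actually move an entry (i != j)."""
    s = list(range(256))
    j = 0
    moved = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        if i != j:
            moved += 1
        s[i], s[j] = s[j], s[i]
    return moved


def identity_key() -> bytes:
    """K[0] = K[1] = 0, then K[2] = 255, K[3] = 254, ..., K[255] = 2."""
    # S stays in ascending order only if every swap is S[i] <-> S[i], i.e. the
    # updated j equals i at each step. While S[i] == i still holds, the update
    #   j_new = j_old + S[i] + K[i] = (i - 1) + i + K[i]   (mod 256)
    # equals i exactly when K[i] = (1 - i) mod 256. For i = 0, j_old is 0,
    # which gives K[0] = 0.
    # The indices run from 0 to 255, so the vector has 256 entries.
    return bytes([0] + [(1 - i) % 256 for i in range(1, 256)])


if __name__ == "__main__":
    k = identity_key()
    print("K[0..3] =", list(k[:4]), " K[255] =", k[255])
    print("S unchanged:", rc4_ksa(k) == list(range(256)))
    print("swaps that moved an entry:", nontrivial_swaps(k))
    # Constructed comparison key: an ordinary key permutes S heavily.
    print("swaps for b'Key':", nontrivial_swaps(b"Key"))
```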
2.2 If a bit error occurs in the transmission of a ciphertext character in 8-bit CFB mode, how far does the error propagate?
Nine plaintext characters are affected. The plaintext character corresponding to the ciphertext character is obviously altered. In addition, the altered ciphertext character enters the shift register and is not removed until the next eight characters are processed.
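The propagation described above, as an added example that is not part of the original answer set. It assumes a 64-bit shift register (eight 8-bit characters) and uses a keyed SHA-256 truncated to 64 bits as a stand-in for the block cipher's encryption function; the key, IV and message are constructed sample values.

```python
import hashlib

BLOCK = 8  # 64-bit shift register: it holds eight 8-bit characters

# Constructed sample inputs for the demonstration.
KEY = b"constructed demo key"
IV = bytes(range(BLOCK))
PLAINTEXT = b"Electronic mail, file transfers, and client/server exchanges"


def encrypt_block(key: bytes, block: bytes) -> bytes:
    # Stand-in for the block cipher's encryption function (an assumption of
    # this example). CFB only ever calls the encryption direction, so any
    # keyed 64-bit function shows the same propagation behaviour.
    return hashlib.sha256(key + block).digest()[:BLOCK]


def cfb8(key: bytes, iv: bytes, data: bytes, decrypt: bool) -> bytes:
    """8-bit CFB: process one character per step and feed the ciphertext
    character back into the right end of the shift register."""
    if len(iv) != BLOCK:
        raise ValueError("IV must fill the shift register")
    register = iv
    out = bytearray()
    for byte in data:
        keystream = encrypt_block(key, register)[0]  # leftmost 8 bits
        result = byte ^ keystream
        out.append(result)
        cipher_char = byte if decrypt else result
        register = register[1:] + bytes([cipher_char])
    return bytes(out)


def affected_positions(key: bytes, iv: bytes, plaintext: bytes,
                       error_index: int, bit: int = 0) -> list:
    """Flip one bit of one ciphertext character in transit and return the
    indices of the plaintext characters that decrypt incorrectly."""
    ciphertext = bytearray(cfb8(key, iv, plaintext, decrypt=False))
    ciphertext[error_index] ^= 1 << bit
    recovered = cfb8(key, iv, bytes(ciphertext), decrypt=True)
    return [i for i, (a, b) in enumerate(zip(plaintext, recovered)) if a != b]


if __name__ == "__main__":
    hit = affected_positions(KEY, IV, PLAINTEXT, error_index=10)
    # The damaged character itself plus the eight steps during which it sits
    # in the shift register: at most nine positions, none after index 18.
    print("affected plaintext positions:", hit)
```

The character at the error position is always altered; each of the following eight depends on the stand-in function's output and is altered unless the two keystream bytes happen to coincide.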
2.3 Key distribution schemes using an access control center and/or a key distribution center have central points vulnerable to attack. Discuss the security implications of such centralization.
The central points should be highly fault-tolerant, should be physically secured, and should use trusted hardware/software.
Chapter 3 Public-Key Cryptography and Message Authentication
ANSWERS TO QUESTIONS
3.1 List three approaches to message authentication.
Message encryption, message authentication code, hash function.
3.2 What is a message authentication code?
An authenticator that is a cryptographic function of both the data to be authenticated and a secret key.
3.3 Briefly describe the three schemes illustrated in Figure 3.2.
(a) A hash code is computed from the source message, encrypted using symmetric encryption and a secret key, and appended to the message. At the receiver, the same hash code is computed. The incoming code is decrypted using the same key and compared with the computed hash code.
(b) This is the same procedure as in (a) except that public-key encryption is used; the sender encrypts the hash code with the sender's private key, and the receiver decrypts the hash code with the sender's public key.
(c) A secret value is appended to a message and then a hash code is calculated using the message plus secret value as input. Then the message (without the secret value) and the hash code are transmitted. The receiver appends the same secret value to the message and computes the hash value over the message plus secret value. This is then compared to the received hash code.
3.4 What properties must a hash function have to be useful for message authentication?
(1) H can be applied to a block of data of any size.
(2) H produces a fixed-length output.
(3) H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
(4) For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
(5) For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
(6) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
3.5 In the context of a hash function, what is a compression function?
The compression function is the fundamental module, or basic building block, of a hash function. The hash function consists of iterated application of the compression function.
3.6 What are the principal ingredients of a public-key cryptosystem?
Plaintext: This is the readable message or data that is fed into the algorithm as input.
Encryption algorithm: The encryption algorithm performs various transformations on the plaintext.
Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input.
Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts.
Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.
3.7 List and briefly define three uses of a public-key cryptosystem.
Encryption/decryption: The sender encrypts a message with the recipient's public key.
Digital signature: The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message.
Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.
3.8 What is the difference between a private key and a secret key?
The key used in conventional encryption is typically referred to as a secret key. The two keys used for public-key encryption are referred to as the public key and the private key.
3.9 What is a digital signature?
A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting the message with the creator's private key. The signature guarantees the source and integrity of the message.
3.10 What is a public-key certificate?
A public-key certificate consists of a public key plus a User ID of the key owner, with the whole block signed by a trusted third party. Typically, the third party is a certificate authority (CA) that is trusted by the user community, such as a government agency or a financial institution.
3.11 How can public-key encryption be used to distribute a secret key?
Several different approaches are possible, involving the private key(s) of one or both parties. One approach is Diffie-Hellman key exchange. Another approach is for the sender to encrypt a secret key with the recipient's public key.
ANSWERS TO PROBLEMS
3.1 Consider a 32-bit hash function defined as the concatenation of two 16-bit functions: XOR and RXOR, defined in Section 3.2 as “two simple hash functions.”
a. Will this checksum detect all errors caused by an odd number of error bits? Explain.
b. Will this checksum detect all errors caused by an even number of error bits? If not, characterize the error patterns that will cause the checksum to fail.
c. Comment on the effectiveness of this function for use as a hash function for authentication.
a. Yes. The XOR function is simply a vertical parity check. If there is an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error. Note that the RXOR function also catches all errors caused by an odd number of error bits. Each RXOR bit is a function of a unique "spiral" of bits in the block of data. If there is an odd number of errors, then there must be at least one spiral that contains an odd number of errors, and the parity bit for that spiral will detect the error.
b. No. The checksum will fail to detect an even number of errors when both the XOR and RXOR functions fail. In order for both to fail, the pattern of error bits must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and an even number of error bits in each spiral.
c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash value would be too easy.
3.2 Suppose H(m) is a collision resistant hash function that maps a message of arbitrary bit length into an n-bit hash value. Is it true that, for all messages x, x’ with x ≠ x’, we have H(x) ≠ H(x’)? Explain your answer.
The statement is false. Such a function cannot be one-to-one because the number of inputs to the function is arbitrary, but the number of unique outputs is $2^n$. Thus, there are multiple inputs that map into the same output.
3.3 Perform encryption and decryption using the RSA algorithm, as in Figure 3.9, for the following:
a. p = 3; q = 11; e = 7; M = 5
b. p = 5; q = 11; e = 3; M = 9
c. p = 7; q = 11; e = 17; M = 8
d. p = 11; q = 13; e = 11; M = 7
e. p = 17; q = 31; e = 7; M = 2. Hint: Decryption is not as hard as you think; use some finesse.
a. n = 33; $\phi(n)$ = 20; d = 3; C = 26.
b. n = 55; $\phi(n)$ = 40; d = 27; C = 14.
c. n = 77; $\phi(n)$ = 60; d = 53; C = 57.
d. n = 143; $\phi(n)$ = 120; d = 11; C = 106.
e. n = 527; $\phi(n)$ = 480; d = 343; C = 128. For decryption, we have
$128^{343} \bmod 527 = 128^{256} \times 128^{64} \times 128^{16} \times 128^{4} \times 128^{2} \times 128^{1} \bmod 527 = 35 \times 256 \times 35 \times 101 \times 47 \times 128 = 2 \bmod 527$
3.4 In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?
M = 5
3.5 In an RSA system, the public key of a given user is e = 31, n = 3599. What is the private key of this user?
d = 3031
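The arithmetic behind the answers to problems 3.3(e), 3.4 and 3.5, as an added example that is not part of the original answer set. It shows why these toy moduli offer no protection (trial division factors n at once) and spells out the square-and-multiply "finesse" used for the decryption in 3.3(e); the function names are hypothetical.

```python
def factor_small(n: int) -> tuple:
    """Trial division. Feasible only because the textbook moduli are tiny."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("n has no non-trivial factor")


def private_exponent(e: int, n: int) -> int:
    """Recover d from the public key alone by factoring n = p * q."""
    p, q = factor_small(n)
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)  # modular inverse (Python 3.8+)


def square_and_multiply(base: int, exponent: int, modulus: int) -> tuple:
    """Return (base**exponent mod modulus, factors), where factors lists the
    repeated squares base**(2**k) mod modulus for every 1-bit of the exponent,
    lowest bit first."""
    result = 1
    factors = []
    square = base % modulus
    while exponent:
        if exponent & 1:
            factors.append(square)
            result = result * square % modulus
        square = square * square % modulus
        exponent >>= 1
    return result, factors


if __name__ == "__main__":
    # Problem 3.5: public key e = 31, n = 3599.
    print("3.5  factors:", factor_small(3599), " d =", private_exponent(31, 3599))

    # Problem 3.4: C = 10, e = 5, n = 35.
    d = private_exponent(5, 35)
    print("3.4  d =", d, " M =", pow(10, d, 35))

    # Problem 3.3(e): 343 = 256 + 64 + 16 + 4 + 2 + 1, so six repeated
    # squares of 128 modulo 527 are multiplied together.
    m, factors = square_and_multiply(128, 343, 527)
    print("3.3e factors:", factors, " M =", m)
```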
3.6 Suppose we have a set of blocks encoded with the RSA algorithm and we don’t have the private key. Assume n = pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with n. Does this help us in any way?
Yes. If a plaintext block has a common factor with n modulo n then the encoded block will also have a common factor with n modulo n. Because we encode blocks that are smaller than pq, the factor must be p or q and the plaintext block must be a multiple of p or q. We can test each block for primality. If prime, it is p or q. In this case we divide into n to find the other factor. If not prime, we factor it and try the factors as divisors of n.
3.7 Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2.
a. If user A has public key $Y_A = 9$, what is A’s private key $X_A$?
b. If user B has public key $Y_B = 3$, what is the shared secret key K?
a. $X_A = 6$
b. K = 3
Chapter 4 Authentication Applications
ANSWERS TO QUESTIONS
4.1 What problem was Kerberos designed to address?
The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services.
4.2 What are three threats associated with user authentication over a network or Internet?
1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation.
2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation.
3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
4.3 List three approaches to secure user authentication in a distributed environment.
1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID).
2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user.
3. Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.
4.4 What four requirements are defined for Kerberos?
Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link.
Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another.
Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password.
Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
4.5 What entities constitute a full-service Kerberos environment?
A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.
4.6 In the context of Kerberos, what is a realm?
A realm is an environment in which: 1. The Kerberos server must have the user ID (UID) and hashed password of all participating users in its database. All users are registered with the Kerberos server. 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
4.7 What are the principal differences between version 4 and version 5 of Kerberos?
Version 5 overcomes some environmental shortcomings and some technical deficiencies in Version 4.
4.8 What is the purpose of the X.509 standard?
X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates.
4.9 What is a chain of certificates?
A chain of certificates consists of a sequence of certificates created by different certification authorities (CAs) in which each successive certificate is a certificate by one CA that certifies the public key of the next CA in the chain.
4.10 How is an X.509 certificate revoked?
The owner of a public-key can issue a certificate revocation list that revokes one or more certificates.
ANSWERS TO PROBLEMS
4.1 Show that a random error in a block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (Figure 4.9).
An error in $C_1$ affects $P_1$ because the encryption of $C_1$ is XORed with IV to produce $P_1$. Both $C_1$ and $P_1$ affect $P_2$, which is the XOR of the encryption of $C_2$ with the XOR of $C_1$ and $P_1$. Beyond that, $P_{N-1}$ is one of the XORed inputs to forming $P_N$.
4.2 The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure, given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus n: It must be ensured that $e > \log_2(n)$ to prevent attack by taking the e-th root mod n to disclose the plaintext. Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?
Taking the e-th root mod n of a ciphertext block will always reveal the plaintext, no matter what the values of e and n are. In general this is a very difficult problem, and indeed is the reason why RSA is secure. The point is that, if e is too small, then taking the normal integer e-th root will be the same as taking the e-th root mod n, and taking integer e-th roots is relatively easy.
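The correct reason given above, as an added example that is not part of the original answer set. It shows that unpadded RSA with a small exponent leaves a short message unreduced modulo n, so an ordinary integer root returns it, and that an exponent above log2(n) forces every message of 2 or more to be reduced. The modulus (a constructed product of the Mersenne primes 2^89 - 1 and 2^127 - 1), the message value and the function names are assumptions of this example.

```python
# Constructed 216-bit modulus; both factors are Mersenne primes.
N = (2**89 - 1) * (2**127 - 1)
MESSAGE = 4921  # constructed short plaintext, e.g. a four-digit PIN


def integer_root(value: int, e: int) -> int:
    """Largest r with r**e <= value, by binary search on exact integers."""
    lo, hi = 0, 1 << (value.bit_length() // e + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** e <= value:
            lo = mid
        else:
            hi = mid - 1
    return lo


def recover_without_key(ciphertext: int, e: int):
    """Return m when the ciphertext is an exact e-th power over the integers
    (that is, m**e never wrapped around n); otherwise return None."""
    r = integer_root(ciphertext, e)
    return r if r ** e == ciphertext else None


def exponent_always_wraps(e: int, n: int) -> bool:
    """The X.509 constraint e > log2(n), written as 2**e > n: if it holds,
    m**e exceeds n for every message m >= 2, so the modular reduction always
    takes effect and the integer root is useless."""
    return (1 << e) > n


if __name__ == "__main__":
    for e in (11, 257):
        c = pow(MESSAGE, e, N)  # unpadded ("textbook") RSA encryption
        print(f"e = {e:3d}  satisfies e > log2(n): {exponent_always_wraps(e, N)}"
              f"  integer root yields: {recover_without_key(c, e)}")
```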
Chapter 5 Electronic Mail Security
ANSWERS TO QUESTIONS
5.1 What are the five principal services provided by PGP?
Authentication, confidentiality, compression, e-mail compatibility, and segmentation
5.2 What is the utility of a detached signature?
A detached signature is useful in several contexts. A user may wish to maintain a separate signature log of all messages sent or received. A detached signature of an executable program can detect subsequent virus infection. Finally, detached signatures can be used when more than one party must sign a document, such as a legal contract. Each person's signature is independent and therefore is applied only to the document. Otherwise, signatures would have to be nested, with the second signer signing both the document and the first signature, and so on.
5.3 Why does PGP generate a signature before applying compression?
a. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. If one signed a compressed document, then it would be necessary either to store a compressed version of the message for later verification or to recompress the message when verification is required.
b. Even if one were willing to generate dynamically a recompressed message for verification, PGP's compression algorithm presents a difficulty. The algorithm is not deterministic; various implementations of the algorithm achieve different tradeoffs in running speed versus compression ratio and, as a result, produce different compressed forms. However, these different compression algorithms are interoperable because any version of the algorithm can correctly decompress the output of any other version. Applying the hash function and signature after compression would constrain all PGP implementations to the same version of the compression algorithm.
5.4 What is R64 conversion?
R64 converts a raw 8-bit binary stream to a stream of printable ASCII characters. Each group of three octets of binary data is mapped into four ASCII characters.
5.5 Why is R64 conversion useful for an e-mail application?
When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is used, then the message digest is encrypted (with the sender's private key). If the confidentiality service is used, the message plus signature (if present) are encrypted (with a one-time symmetric key). Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets. However, many electronic mail systems only permit the use of blocks consisting of ASCII text.
5.6 Why is the segmentation and reassembly function in PGP needed?
E-mail facilities often are restricted to a maximum message length.
5.7 How does PGP use the concept of trust?
PGP includes a facility for assigning a level of trust to individual signers and to keys.
5.8 What is RFC 822?
RFC 822 defines a format for text messages that are sent using electronic mail.
5.9 What is MIME?
MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for electronic mail.
5.10 What is S/MIME?
S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.
ANSWERS TO PROBLEMS
5.1 In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced?
This is just another form of the birthday paradox discussed in Appendix 11A. Let us state the problem as one of determining what number of session keys must be generated so that the probability of a duplicate is greater than 0.5. From Equation (11.6) in Appendix 11A, we have the approximation:
$k \approx 1.18\sqrt{n}$
For a 128-bit key, there are $2^{128}$ possible keys. Therefore
$k \approx 1.18\sqrt{2^{128}} = 1.18 \times 2^{64}$
5.2 The first 16 bits of the message digest in a PGP signature are translated in the clear.
a. To what extent does this compromise the security of the hash algorithm?
b. To what extent does it in fact perform its intended function, namely, to help determine if the correct RSA key was used to decrypt the digest?
a. Not at all. The message digest is encrypted with the sender's private key. Therefore, anyone in possession of the public key can decrypt it and recover the entire message digest.
b. The probability that a message digest decrypted with the wrong key would have an exact match in the first 16 bits with the original message digest is $2^{-16}$.
5.3 In Figure 5.4, each entry in the public-key ring contains an owner trust field that indicates the degree of trust associated with this public-key owner. Why is that not enough? That is, if this owner is trusted and this is supposed to be the owner’s public key, why is not that trust enough to permit PGP to use this public key?
We trust this owner, but that does not necessarily mean that we can trust that we are in possession of that owner's public key.
5.4 Consider radix-64 conversion as a form of encryption. In this case, there is no key. But suppose that an opponent knew only that some form of substitution algorithm was being used to encrypt English text and did not guess it was R64. How effective would this algorithm be against cryptanalysis?
It certainly provides more security than a monoalphabetic substitution. Because we are treating the plaintext as a string of bits and encrypting 6 bits at a time, we are not encrypting individual characters. Therefore, the frequency information is lost, or at least significantly obscured.
5.5 Phil Zimmermann chose IDEA, three-key triple DES, and CAST-128 as symmetric encryption algorithms for PGP. Give reasons why each of the following symmetric encryption algorithms described in this book is suitable or unsuitable for PGP: DES, two-key triple DES, and AES.
DES is unsuitable because of its short key size. Two-key triple DES, which has a key length of 112 bits, is suitable. AES is also suitable.
Chapter 6 IP Security
ANSWERS TO QUESTIONS
6.1 Give examples of applications of IPSec.
Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead.
Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters.
Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism.
Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.
6.2 What services are provided by IPSec?
Access control; connectionless integrity; data origin authentication; rejection of replayed packets (a form of partial sequence integrity); confidentiality (encryption); and limited traffic flow confidentiality.
6.3 What parameters identify an SA and what parameters characterize the nature of a particular SA?
A security association is uniquely identified by three parameters:
Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed.
IP Destination Address: Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router.
Security Protocol Identifier: This indicates whether the association is an AH or ESP security association.
A security association is normally defined by the following parameters:
Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers, described in Section 6.3 (required for all implementations).
Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations).
Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay, described in Section 6.3 (required for all implementations).
AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations).
ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations).
Lifetime of this Security Association: A time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur (required for all implementations).
IPSec Protocol Mode: Tunnel, transport, or wildcard (required for all implementations). These modes are discussed later in this section.
Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations).
6.4 What is the difference between transport mode and tunnel mode?
Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. Tunnel mode provides protection to the entire IP packet.
6.5 What is a replay attack?
A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination. The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence.
6.6 Why does ESP include a padding field?
1. If an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., the multiple of a single block for a block cipher), the Padding field is used to expand the plaintext (consisting of the Payload Data, Padding, Pad Length, and Next Header fields) to the required length.
2. The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment.
3. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.
6.7 What are the basic approaches to bundling SAs?
Transport adjacency: Refers to applying more than one security protocol to the same IP packet, without invoking tunneling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit since the processing is performed at one IPSec instance: the (ultimate) destination.
Iterated tunneling: Refers to the application of multiple layers of security protocols effected through IP tunneling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPSec site along the path.
6.8 What are the roles of the Oakley key determination protocol and ISAKMP in IPSec?
ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.
ANSWERS TO PROBLEMS
6.1 In discussing AH processing, it was mentioned that not all of the fields in an IP header are included in MAC calculation.
a. For each of the fields in the IPv4 header, indicate whether the field is immutable, mutable but predictable, or mutable (zeroed prior to ICV calculation).
b. Do the same for the IPv6 header.
c. Do the same for the IPv6 extension headers. In each case, justify your decision for each field.
a. Immutable: Version, Internet Header Length, Total Length, Identification, Protocol (This should be the value for AH.), Source Address, Destination Address (without loose or strict source routing). None of these are changed by routers in transit.
Mutable but predictable: Destination Address (with loose or strict source routing). At each intermediate router designated in the source routing list, the Destination Address field is changed to indicate the next designated address. However, the source routing field contains the information needed for doing the MAC calculation.
Mutable (zeroed prior to ICV calculation): Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL), Header Checksum. TOS may be altered by a router to reflect a reduced service. Flags and Fragment Offset are altered if a router performs fragmentation. TTL is decreased at each router. The Header Checksum changes if any of these other fields change.
b. Immutable: Version, Payload Length, Next Header (This should be the value for AH.), Source Address, Destination Address (without Routing Extension Header).
Mutable but predictable: Destination Address (with Routing Extension Header).
Mutable (zeroed prior to ICV calculation): Class, Flow Label, Hop Limit.
c. IPv6 options in the Hop-by-Hop and Destination Extension Headers contain a bit that indicates whether the option might change (unpredictably) during transit.
Mutable but predictable: Routing.
Not Applicable: Fragmentation occurs after outbound IPSec processing and reassembly occurs before inbound IPSec processing, so the Fragmentation Extension Header, if it exists, is not seen by IPSec.
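The IPv4 classification in answer (a) can be exercised directly. The following Python sketch is an added example, not part of the original answer key: it zeroes the fields listed as mutable, computes an HMAC-SHA1-96 ICV, and re-checks it after a constructed router hop and after a forged source address. The key, addresses, SPI and payload are constructed values, and a 20-byte header without IP options is assumed.

```python
import hashlib
import hmac
import struct

# Offsets (byte, length) in a 20-byte IPv4 header of the fields the answer lists
# as mutable; each is zeroed before the ICV is computed.
MUTABLE_IPV4 = {
    "tos": (1, 1),
    "flags_fragment_offset": (6, 2),
    "ttl": (8, 1),
    "header_checksum": (10, 2),
}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words, checksum field taken as zero."""
    hdr = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src, dst, payload_len, ttl=64, tos=0, proto=51):
    """Build a header with protocol 51 (AH) and a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, tos, 20 + payload_len,
                      0x1234, 0, ttl, proto, 0, bytes(src), bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable(header: bytes) -> bytes:
    buf = bytearray(header)
    for offset, size in MUTABLE_IPV4.values():
        buf[offset:offset + size] = bytes(size)
    return bytes(buf)


def ah_icv(key: bytes, ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """ICV over: IP header with mutable fields zeroed, AH header with a zeroed
    12-byte ICV field, and the upper-layer payload."""
    data = zero_mutable(ip_header) + ah_fixed + bytes(12) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def router_forward(header: bytes, new_tos=None) -> bytes:
    """What a transit router may legitimately do: decrement TTL, optionally
    re-mark TOS, and recompute the header checksum."""
    buf = bytearray(header)
    buf[8] -= 1
    if new_tos is not None:
        buf[1] = new_tos
    buf[10:12] = struct.pack("!H", ipv4_checksum(bytes(buf)))
    return bytes(buf)


def demo():
    key = b"constructed-demo-key"               # constructed shared secret
    payload = b"constructed upper-layer data"   # constructed payload
    # AH fixed part: next header (6 = TCP), payload length, reserved, SPI, sequence
    ah_fixed = struct.pack("!BBHII", 6, 4, 0, 0x1000, 1)
    sent = build_ipv4([192, 0, 2, 1], [198, 51, 100, 7], 24 + len(payload))
    icv = ah_icv(key, sent, ah_fixed, payload)

    # Two hops: both change TTL and checksum, the first also re-marks TOS.
    received = router_forward(router_forward(sent, new_tos=0x20))
    ok_after_routing = hmac.compare_digest(
        icv, ah_icv(key, received, ah_fixed, payload))

    # Source Address is immutable, so changing it must break the ICV.
    forged = bytearray(received)
    forged[12:16] = bytes([203, 0, 113, 9])
    ok_after_forgery = hmac.compare_digest(
        icv, ah_icv(key, bytes(forged), ah_fixed, payload))
    return sent != received, ok_after_routing, ok_after_forgery


if __name__ == "__main__":
    print(demo())
```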
6.2 When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and IPv6, indicate the relationship of each other IP header field and each extension header in the outer packet to the corresponding field or extension header of the inner IP packet. That is, indicate which outer values are derived from inner values and which are constructed independently of the inner values.
(1) The IP version in the encapsulating header can be different from the value in the inner header.
(2) The TTL in the inner header is decremented by the encapsulator prior to forwarding and by the decapsulator if it forwards the packet.
(3) src and dest addresses depend on the SA, which is used to determine the dest address, which in turn determines which src address (net interface) is used to forward the packet.
(4) Configuration determines whether to copy from the inner header (IPv4 only), clear or set the DF.
(5) If Inner Hdr is IPv4, copy the TOS. If Inner Hdr is IPv6, map the Class to TOS.
(6) If Inner Hdr is IPv6, copy the Class. If Inner Hdr is IPv4, map the TOS to Class.
Chapter 7 Web Security
ANSWERS TO QUESTIONS
7.1 What are the advantages of each of the three approaches shown in Figure 7.1?
The advantage of using IPSec (Figure 7.1a) is that it is transparent to end users and applications and provides a general-purpose solution. Further, IPSec includes a filtering capability so that only selected traffic need incur the overhead of IPSec processing. The advantage of using SSL is that it makes use of the reliability and flow control mechanisms of TCP. The advantage of application-specific security services (Figure 7.1c) is that the service can be tailored to the specific needs of a given application.
7.2 What protocols comprise SSL?
SSL handshake protocol; SSL change cipher spec protocol; SSL alert protocol; SSL record protocol.
7.3 What is the difference between an SSL connection and an SSL session?
Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session.
Session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
7.4 List and briefly define the parameters that define an SSL session state.
Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state.
Peer certificate: An X.509v3 certificate of the peer.
Compression method: The algorithm used to compress data prior to encryption.
Cipher spec: Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size.
Master secret: 48-byte secret shared between the client and server.
Is resumable: A flag indicating whether the session can be used to initiate new connections.
7.5 List and briefly define the parameters that define an SSL session connection.
Server and client random: Byte sequences that are chosen by the server and client for each connection.
Server write MAC secret: The secret key used in MAC operations on data sent by the server.
Client write MAC secret: The secret key used in MAC operations on data sent by the client.
Server write key: The conventional encryption key for data encrypted by the server and decrypted by the client.
Client write key: The conventional encryption key for data encrypted by the client and decrypted by the server.
Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the final ciphertext block from each record is preserved for use as the IV with the following record.
Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 2^64 – 1.
7.6 What services are provided by the SSL Record Protocol?
Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.
Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).
7.7 What steps are involved in the SSL Record Protocol transmission?
Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads.
Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).
7.8 List and briefly define the principal categories of SET participants.
Cardholder: In the electronic environment, consumers and corporate purchasers interact with merchants from personal computers over the Internet. A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods or services to sell to the cardholder. Typically, these goods and services are offered via a Web site or by electronic mail. A merchant that accepts payment cards must have a relationship with an acquirer.
Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. Typically, accounts are applied for and opened by mail or in person. Ultimately, it is the issuer that is responsible for the payment of the debt of the cardholder.
Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant's account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for electronic funds transfer.
Payment gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions. The merchant exchanges SET messages with the payment gateway over the Internet, while the payment gateway has some direct or network connection to the acquirer's financial processing system.
Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this purpose. As was discussed in previous chapters, a hierarchy of CAs is used, so that participants need not be directly certified by a root authority.
7.9 What is a dual signature and what is its purpose?
A dual signature is used to sign two concatenated documents each with its own hash code. The purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order.
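The linkage described in this answer can be shown end to end. The following Python sketch is an added example, not part of the original answer key: the customer signs the hash of the two concatenated digests, the merchant checks it with OI plus only the digest of PI, and the bank checks it with PI plus only the digest of OI. The toy RSA key, SHA-256 as the hash, the sample OI/PI strings and the function names are assumptions of this example.

```python
import hashlib

# Toy RSA key built from two Mersenne primes so the example needs only the
# standard library. Constructed for illustration: unpadded textbook RSA,
# not suitable for real use.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # customer's private exponent


def md(data: bytes) -> bytes:
    """Message digest (SHA-256 is this example's choice of hash)."""
    return hashlib.sha256(data).digest()


def _as_int(digest: bytes) -> int:
    return int.from_bytes(digest, "big")


def dual_sign(pi: bytes, oi: bytes) -> int:
    """Customer: sign H( H(PI) || H(OI) ) with the private key."""
    return pow(_as_int(md(md(pi) + md(oi))), D, N)


def merchant_verify(oi: bytes, pi_digest: bytes, ds: int) -> bool:
    """Merchant holds OI in full but only the digest of PI."""
    return pow(ds, E, N) == _as_int(md(pi_digest + md(oi)))


def bank_verify(pi: bytes, oi_digest: bytes, ds: int) -> bool:
    """Bank holds PI in full but only the digest of OI."""
    return pow(ds, E, N) == _as_int(md(md(pi) + oi_digest))


def demo() -> dict:
    pi = b"constructed PI: card ending 0000, amount 42.00"
    oi = b"constructed OI: 1 x widget, amount 42.00"
    ds = dual_sign(pi, oi)
    return {
        # Each recipient verifies without seeing the other document.
        "merchant_ok": merchant_verify(oi, md(pi), ds),
        "bank_ok": bank_verify(pi, md(oi), ds),
        # Pairing the signed payment with a different order is detected by the bank.
        "substituted_order": bank_verify(pi, md(b"constructed OI: 10 x widget"), ds),
        # Pairing the signed order with a different payment is detected by the merchant.
        "substituted_payment": merchant_verify(oi, md(b"constructed PI: other card"), ds),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```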
ANSWERS TO PROBLEMS
7.1 In SSL and TLS, why is there a separate Change Cipher Spec Protocol, rather than including a change-cipher-spec message in the Handshake Protocol?
The change cipher spec protocol exists to signal transitions in ciphering strategies, and can be sent independent of the complete handshake protocol exchange.
7.2 Based on what you have learned in this chapter, is it possible in SSL for the receiver to reorder SSL record blocks that arrive out of order? If so, explain how it can be done. If not, why not?
SSL relies on an underlying reliable protocol to assure that bytes are not lost or inserted. There was some discussion of reengineering the future TLS protocol to work over datagram protocols such as UDP; however, most people at a recent TLS meeting felt that this was inappropriate layering (from the SSL FAQ).
Chapter 8 Network Management Security
ANSWERS TO QUESTIONS
8.1 In what sense is a network management architecture considered integrated?
1. A single operator interface with a powerful but user-friendly set of commands for performing most or all network management tasks.
2. A minimal amount of separate equipment. That is, most of the hardware and software required for network management is incorporated into the existing user equipment.
8.2 What are the key elements of the SNMP model?
Management station, management agent, management information base, network management protocol.
8.3 What is a MIB?
To manage resources in the network, each resource is represented as an object. An object is, essentially, a data variable that represents one aspect of the managed agent. The collection of objects is referred to as a management information base (MIB).
8.4 What basic capabilities or commands are provided in SNMPv1?
Get: enables the management station to retrieve the value of objects at the agent.
Set: enables the management station to set the value of objects at the agent.
Notify: enables an agent to notify the management station of significant events.
8.5 What is the function of an SNMP proxy?
To accommodate devices that do not implement SNMP, the concept of proxy was developed. In this scheme an SNMP agent acts as a proxy for one or more other devices; that is, the SNMP agent acts on behalf of the proxied devices.
8.6 Briefly explain the SNMPv1.
An SNMP community is a relationship between an SNMP agent and a set of SNMP managers that defines authentication, access control, and proxy characteristics. The community concept is a local one, defined at the agent. The agent establishes one community for each desired combination of authentication, access control, and proxy characteristics. Each community is given a unique (within this agent) community name, and the managers within that community are provided with and must employ the community name in all get and set operations. The agent may establish a number of communities, with overlapping manager membership.
8.7 What is the relationship among SNMPv1, SNMPv2 and SNMPv3?
SNMPv1 is the original standard version of SNMP. SNMPv2 added functional capabilities to those of SNMPv1 and changed some formats. SNMPv3 is a security facility that can work with either SNMPv1 or SNMPv2.
8.8 What threats is USM designed to counter?
Modification of information: An entity could alter an in-transit message generated by an authorized entity in such a way as to cause unauthorized management operations, including the setting of object values. The essence of this threat is that an unauthorized entity could change any management parameter, including those related to configuration, operations, and accounting.
Masquerade: Management operations that are not authorized for some entity may be attempted by that entity by assuming the identity of an authorized entity.
Message stream modification: SNMP is designed to operate over a connectionless transport protocol. There is a threat that SNMP messages could be reordered, delayed, or replayed (duplicated) to cause unauthorized management operations.
Disclosure: An entity could observe exchanges between a manager and an agent and thereby learn the values of managed objects and learn of notifiable events.
8.9 What is the difference between an authoritative and a nonauthoritative engine?
In any message transmission, one of the two entities, transmitter or receiver, is designated as the authoritative SNMP engine, according to the following rules: 1. When an SNMP message contains a payload that expects a response (for example, a Get, GetNext, GetBulk, Set, or Inform PDU), then the receiver of such messages is authoritative. 2. When an SNMP message contains a payload that does not expect a response (for example, an SNMPv2-Trap, Response, or Report PDU), then the sender of such a message is authoritative.
8.10 What is key localization?
A localized key is defined in RFC 2574 as a secret key shared between a user and one authoritative SNMP engine. The objective is that the user need only maintain a single key (or two keys if both authentication and privacy are required) and therefore need only remember one password (or two). The actual secrets shared between a particular user and each authoritative SNMP engine are different. The process by which a single user key is converted into multiple unique keys, one for each remote SNMP engine, is referred to as key localization.
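The conversion of one user key into per-engine keys can be written out in a few lines. The following Python sketch is an added example, not part of the original answer key: it follows the USM password-to-key procedure (digest of the password repeated to 1,048,576 octets, then a digest of user key, engine ID, user key), using SHA-1. The password and the three snmpEngineID values are constructed.

```python
import hashlib

EXPANDED_LENGTH = 1048576  # octets of repeated password fed to the hash


def password_to_key(password: bytes, hash_name: str = "sha1") -> bytes:
    """User key Ku: digest of the password repeated to exactly 1,048,576 octets."""
    if not password:
        raise ValueError("password must not be empty")
    reps, rem = divmod(EXPANDED_LENGTH, len(password))
    return hashlib.new(hash_name, password * reps + password[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, hash_name: str = "sha1") -> bytes:
    """Localized key Kul = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


def localized_keys(password: bytes, engine_ids: dict) -> dict:
    """One password in, one distinct key per authoritative engine out."""
    ku = password_to_key(password)  # computed once, reused for every engine
    return {name: localize_key(ku, eid) for name, eid in engine_ids.items()}


# Constructed engine IDs for three agents (not taken from any real device).
ENGINES = {
    "core-router": bytes.fromhex("800000000100000001"),
    "edge-switch": bytes.fromhex("800000000100000002"),
    "ups-agent": bytes.fromhex("800000000100000003"),
}


def demo():
    keys = localized_keys(b"constructed-passphrase", ENGINES)
    ku = password_to_key(b"constructed-passphrase")
    return {
        # Every engine ends up with a different shared secret...
        "all_distinct": len(set(keys.values())) == len(keys),
        # ...and none of them is the user key itself, so a key taken from one
        # agent is neither the user key nor any other agent's key.
        "ku_not_stored": ku not in keys.values(),
        "key_length": {len(k) for k in keys.values()},
    }


if __name__ == "__main__":
    for name, key in localized_keys(b"constructed-passphrase", ENGINES).items():
        print(name, key.hex())
    print(demo())
```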
8.11 List and briefly define the elements that comprise VACM.
Group: a set of zero or more read-only access for a request communicated in an unauthenticated message but may require authentication for write access.
Context: a named subset of the object instances in the local MIB. Contexts provide a useful way of aggregating objects into collections with different access policies.
MIB view: a specific set of managed objects (and optionally specific object instances).
Access policy: a particular set of access rights.
ANSWERS TO PROBLEMS
8.1 SNMPv1 defines a data type referred to as gauge and the following explanation of the semantics of this type:
This application-wide type represents a non-negative integer, which may increase or decrease, but which latches at a maximum value. This standard specifies a maximum value of 2^32-1 (4294967295 decimal) for gauges.
Unfortunately, the word latch is not defined, and this has resulted in two different interpretations. The SNMPv2 standard cleared up the ambiguity with the following definition:
The value of a Gauge has its maximum value whenever the information being modeled is greater than or equal to that maximum value; if the information being modeled subsequently decreases below the maximum value, the Gauge also decreases.
a. What is the alternative interpretation?
b. Discuss the pros and cons of the two interpretations.
a. The value of a Gauge has its maximum value whenever the information being modeled is greater than or equal to that maximum value; if the information being modeled subsequently decreases below the maximum value, the Gauge remains at the maximum value. The gauge can only be released from this maximum value by subsequent management action.
b. The SNMPv2 interpretation provides a realistic representation of the underlying value at all times, subject to the limitation of the gauge. However, a manager may want to know that some maximum value has been reached or exceeded. By "sticking" the gauge at its maximum value until it is noticed and released by a manager, this information is preserved.
8.2 In SNMPv1, any object in a MIB is defined as having a MIB Access Category, which can be assigned one of the following values: read-only, read-write, write-only, and not-accessible. A read is accomplished with a get or trap operation, and a write is accomplished with a set operation. For write-only, the object may be available for get and trap operation but this is implementation dependent. The MIB Access Category specifies the maximum access that may be allowed for an object, but in the SNMPv1 community, the Access Mode may further restrict this access for a given community profile. In the following table, fill in each entry to show the access allowed.
MIB Access Category    SNMP Access Mode
                       READ-ONLY    READ-WRITE
read-only
read-write
write-only
Not-accessible
8.3 a. RFC 2574 states that for a nonauthoritative engine, the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime in an outgoing message header are set only if the message is to be authenticated by the authoritative receiver. Why does this restriction make sense?
b. However, for a Response message from an authoritative engine, the values of msgAuthoritativeEngineBoots and msgAuthoritativeEngineTime in the outgoing message header are always set. Why might this be so?
a. This restriction makes sense because the authoritative receiver will only check those fields if the message is to be authenticated.
b. Keep in mind that in the case of the authoritative sender, these values represent the "official" local values of snmpEngineBoots and snmpEngineTime. When the Response message is received by the non-authoritative engine, it may only use these values for synchronization if the message is authenticated. However, an implementation might perhaps use these values for a "reality check" even on non-authenticated Response messages.
Chapter 9 Intruders
ANSWERS TO QUESTIONS
9.1 List and briefly define three classes of intruders.
Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
9.2 What are two common techniques used to protect a password file?
One-way encryption: The system stores only an encrypted form of the user's password. When the user presents a password, the system encrypts that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the encryption function and in which a fixed-length output is produced.
Access control: Access to the password file is limited to one or a very few accounts.
9.3 What are three benefits that can be provided by an intrusion detection system?
1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved.
2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions.
3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
9.4 What is the difference between statistical anomaly detection and rule-based intrusion detection?
Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Rule-Based Detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
9.5 What metrics are useful for profile-based intrusion detection?
Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity.
Interval timer: The length of time between two related events.
Resource utilization: Quantity of resources consumed during a specified period.
9.6 What is the difference between rule-based anomaly detection and rule-based penetration identification?
With rule-based anomaly detection, historical audit records are analyzed to identify usage patterns and to generate automatically rules that describe those patterns. Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior. Rule-based penetration identification uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. Typically, the rules used in these systems are specific to the machine and operating system. Also, such rules are generated by "experts" rather than by means of an automated analysis of audit records.
9.7 What is a honeypot?
Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.
9.8 What is a salt in the context of UNIX password management?
The salt is combined with the password at the input to the one-way encryption routine.
9.9 List and briefly define four techniques used to avoid guessable passwords.
User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords.
Computer-generated passwords: Users are provided passwords generated by a computer algorithm.
Reactive password checking: the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user.
Proactive password checking: a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.
ANSWERS TO PROBLEMS
9.1 The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?
Yes
9.2 It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?
Without the salt, the attacker can guess a password and encrypt it. If ANY of the users on a system use that password, then there will be a match. With the salt, the attacker must guess a password and then encrypt it once for each user, using the particular salt for each user.
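The cost difference stated in the answer to 9.2 can be measured. The following Python sketch is an added example, not part of the original answer key: it models the reactive password checker from 9.9 running a wordlist over an unsalted and a salted password file and counts the one-way computations each run needs. SHA-256 stands in for the UNIX one-way routine, 16-byte random salts stand in for the UNIX salt, and the accounts and wordlist are constructed.

```python
import hashlib
import secrets


def stored_hash(password: str, salt: bytes) -> bytes:
    # SHA-256 stands in for the UNIX one-way routine (assumption of this example).
    return hashlib.sha256(salt + password.encode()).digest()


def make_password_file(accounts: dict, salted: bool) -> list:
    """Return [(user, salt, hash)]; with salted=False every entry has an empty salt."""
    entries = []
    for user, password in accounts.items():
        salt = secrets.token_bytes(16) if salted else b""
        entries.append((user, salt, stored_hash(password, salt)))
    return entries


def reactive_check(entries: list, wordlist: list):
    """Flag accounts whose password appears in the wordlist and count how many
    one-way computations were needed to test every guess against every account."""
    by_salt = {}
    for user, salt, digest in entries:
        by_salt.setdefault(salt, []).append((user, digest))

    computations = 0
    flagged = set()
    for salt, group in by_salt.items():
        # One computation per guess covers every account that shares this salt.
        candidates = set()
        for guess in wordlist:
            candidates.add(stored_hash(guess, salt))
            computations += 1
        flagged.update(user for user, digest in group if digest in candidates)
    return flagged, computations


def distinct_stored_values(entries: list) -> int:
    return len({digest for _, _, digest in entries})


# Constructed accounts and wordlist.
ACCOUNTS = {
    "alice": "password",
    "bob": "password",            # same password as alice
    "carol": "T7#qv-long-unlisted",
    "dave": "letmein",
}
WORDLIST = ["123456", "password", "letmein", "qwerty", "dragon"]


def demo() -> dict:
    unsalted = make_password_file(ACCOUNTS, salted=False)
    salted = make_password_file(ACCOUNTS, salted=True)
    flagged_u, cost_u = reactive_check(unsalted, WORDLIST)
    flagged_s, cost_s = reactive_check(salted, WORDLIST)
    return {
        "flagged_unsalted": sorted(flagged_u),
        "flagged_salted": sorted(flagged_s),
        "cost_unsalted": cost_u,   # one computation per guess
        "cost_salted": cost_s,     # one computation per guess per user
        # Without salt, alice and bob visibly share a stored value.
        "distinct_unsalted": distinct_stored_values(unsalted),
        "distinct_salted": distinct_stored_values(salted),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The same weak accounts are flagged in both runs; the salt changes only the work per guess and hides the fact that two users chose the same password.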
9.3 Assuming that you have successfully answered the preceding problem and understand the significance of the salt, here is another question. Wouldn’t it be possible to thwart completely all password crackers by dramatically increasing the salt size to,say,24 or 48 bits? 授课:XXX It depends on the size of the user population, not the size of the salt, since the attacker presumably has access to the salt for each user. The benefit of larger salts is that the larger the salt, the less likely it is that two users will have the same salt. If multiple users have the same salt, then the attacker can do one encryption per password guess to test all of those users. Chapter 10 Malicious Software ANSWERS NSWERS TO QUESTIONS 10.1 What is the role of compression in the operation of a virus? A virus may use compression so that the infected program is exactly the same length as an uninfected version. 10.2 What is the role of encryption in the operation of a virus? A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected. 10.3 What are typical phases of operation of a virus or worm? 10.4 In general terms, how does a worm propagate? (1) Search for other systems to infect by examining host tables or similar repositories of remote system addresses. (2)Establish a connection with a remote system. (3)Copy itself to the remote system and cause the copy to be run. 10.5 What is a digital immune system? This system provides a general-purpose emulation and virus-detection system. The objective is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced. 
When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running a general antivirus program so that it can be detected before it is allowed to run elsewhere. 授课:XXX 10.6 How does behavior-blocking software work? Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real-time for malicious actions. The behavior blocking software then blocks potentially malicious actions before they have a chance to affect the system. 10.7 What is a DDoS? A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service. When this attack comes from a single host or network node, then it is simply referred to as a DoS attack. A more serious threat is posed by a DDoS attack. In a DDoS attack, an attacker is able to recruit a number of hosts throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target. ANSWERS NSWERS TO PROBLEMS 10.1 There is a flaw in the virus program of Figure 10.1.What is it? The program will loop indefinitely once all of the executable files in the system are infected. 10.2 The question arises as to whether it is possible to develop a program that can analyze a piece of software to determine if it is a virus. Consider that we have a program D that is supposed to be able to do that. That is ,for any problem P, if we run D(P),the result returned is TRUE(P is a virus).Now consider the following program: Program CV: = {……… Main –program: = {if D (CV) then goto next: Else infect–executable; } next; } In the preceding program, infect-executable is a module that scans memory for executable programs and replicates itself in those programs. Determine if D can correctly decide whether CV is a virus. 
D is supposed to examine a program P and return TRUE if P is a computer virus and FALSE if it is not. But CV calls D. If D says that CV is a virus, then 授课:XXX CV will not infect an executable. But if D says that CV is not a virus, it infects an executable. D always returns the wrong answer. 授课:XXX Chapter 11 Firewalls ANSWERS NSWERS TO QUESTIONS 11.1 List three design goals for a firewall. 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this section. 3. The firewall itself is immune to penetration. This implies that use of a trusted system with a secure operating system. 11.2 List four techniques used by firewalls to control access and enforce a security policy. Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service. Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec. Behavior control: Controls how particular services are used. 
For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server. 11.3 What information is used by a typical packet-filtering router? Source IP address: The IP address of the system that originated the IP packet. Destination IP address: The IP address of the system the IP packet is trying to 授课:XXX reach. Source and destination transport-level address: The transport level (e.g., TCP or UDP) port number, which defines applications such as SNMP or TELNET. IP protocol field: Defines the transport protocol. Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for. 11.4 What are some weaknesses of a packet-filtering router? prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted. 2. Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type). 3. Most packet filter firewalls do not support advanced user authentication schemes. Once again, this limitation is mostly due to the lack of upper-layer functionality by the firewall. 4. They are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered. 
Spoofing attacks are generally employed by intruders to bypass the security controls implemented in a firewall platform.
5. Finally, due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations. In other words, it is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based on an organization's information security policy.
11.5 What is the difference between a packet-filtering router and a stateful inspection firewall?
A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 11.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
11.6 What is an application-level gateway?
An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.
11.7 What is a circuit-level gateway?
A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
11.8 What are the differences among the three configurations of Figure 11.2?
In the screened host firewall, single-homed bastion configuration (Figure 11.2a), the firewall consists of two systems: a packet-filtering router and a bastion host; the latter performs authentication and proxy functions. In the single-homed configuration just described, if the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network. The screened host firewall, dual-homed bastion configuration physically prevents such a security breach. In the screened subnet firewall configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network. This configuration creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability.
11.9 In the context of access control, what is the difference between a subject and an object?
A subject is an entity capable of accessing objects. Generally, the concept of subject equates with that of process. Any user or application actually gains access to an object by means of a process that represents that user or application. An object is anything to which access is controlled. Examples include files, portions of files, programs, and segments of memory.
11.10 What is the difference between an access control list and a capability ticket?
For each object, an access control list lists users and their permitted access rights. A capability ticket specifies authorized objects and operations for a user.
11.11 What are the two rules that a reference monitor enforces?
No read up: A subject can only read an object of less or equal security level.
No write down: A subject can only write into an object of greater or equal security level.
11.12 What properties are required of a reference monitor?
Complete mediation: The security rules are enforced on every access, not just, for example, when a file is opened.
Isolation: The reference monitor and database are protected from unauthorized modification.
Verifiability: The reference monitor's correctness must be provable. That is, it must be possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation.
11.13 What are the common criteria?
The Common Criteria (CC) for Information Technology and Security Evaluation is an international initiative by standards bodies in a number of countries to develop international standards for specifying security requirements and defining evaluation criteria.
ANSWERS TO PROBLEMS
11.1 As was mentioned in Section 11.1, one approach to defeating the tiny fragment attack is to enforce a minimum length of the transport header that must be contained in the first fragment of an IP packet. If the first fragment is rejected, all subsequent fragments can be rejected. However, the nature of IP is such that fragments may arrive out of order. Thus, an intermediate fragment may pass through the filter before the initial fragment is rejected. How can this situation be handled?
It will be impossible for the destination host to complete reassembly of the packet if the first fragment is missing, and therefore the entire packet will be discarded by the destination after a time-out.
11.2 In an IPv4 packet, the size of the payload in the first fragment, in octets, is equal to Total Length – (4 × IHL). If this value is less than the required minimum (8 octets for TCP), then this fragment and the entire packet are rejected. Suggest an alternative method of achieving the same result using only the Fragment Offset field.
When a TCP packet is fragmented so as to force interesting header fields out of the zero-offset fragment, there must exist a fragment with FO equal to 1.
If a packet with FO = 1 is seen, conversely, it could indicate the presence, in the fragment set, of a zero-offset fragment with a transport header length of eight octets. Discarding this one-offset fragment will block reassembly at the receiving host and be as effective as the direct method described above.
11.3 The necessity of the “no read up” rule for a multilevel secure system is fairly obvious. What is the importance of the “no write down” rule?
The purpose of the “no write down” rule, or *-property, is to address the problem of Trojan horse software. With the *-property, information cannot be compromised through the use of a Trojan horse. Under this property, a program operating on behalf of one user cannot be used to pass information to any user having a lower or disjoint access class.
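The two reference monitor rules from Question 11.11 and the Trojan horse case from Problem 11.3 can be exercised together. The following is an added example, not part of the original answer key; the level names, the category sets used to model "disjoint" access classes, and the object names are assumptions made for illustration.

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP_SECRET": 3}

@dataclass(frozen=True)
class AccessClass:
    level: str
    categories: frozenset = frozenset()  # assumed model of "disjoint" classes

    def dominates(self, other):
        """True if self is at least as high and covers every category of other."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)

class ReferenceMonitor:
    """Checks every read and write (complete mediation) and records the decision."""

    def __init__(self):
        self.audit = []

    def check(self, subject, subj_class, op, obj, obj_class):
        if op == "read":      # no read up: subject must dominate object
            allowed = subj_class.dominates(obj_class)
        elif op == "write":   # no write down: object must dominate subject
            allowed = obj_class.dominates(subj_class)
        else:
            allowed = False   # unknown operations are denied by default
        self.audit.append((subject, op, obj, allowed))
        return allowed

def trojan_scenario():
    """Constructed scenario: a Trojan horse runs with the victim's access class."""
    rm = ReferenceMonitor()
    victim = AccessClass("SECRET", frozenset({"payroll"}))
    objects = {  # hypothetical objects and labels
        "salaries.db": AccessClass("SECRET", frozenset({"payroll"})),
        "public_notes.txt": AccessClass("UNCLASSIFIED"),
        "design.doc": AccessClass("SECRET", frozenset({"engineering"})),
        "board_report": AccessClass("TOP_SECRET", frozenset({"payroll"})),
    }
    attempts = [("read", "salaries.db"), ("write", "public_notes.txt"),
                ("write", "design.doc"), ("write", "board_report"),
                ("read", "board_report")]
    return [(op, name, rm.check("trojan", victim, op, name, objects[name]))
            for op, name in attempts]
```

The program may read what its user may read, but both of its attempts to copy that data to a lower or disjoint class are denied, which is the protection the *-property provides.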
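The fragment checks from Problems 11.1 and 11.2 can be written as a stateless filter over IPv4 headers. This is an added example, not part of the original answer key; the function names, the sample headers and the simplified receiver model are constructed for illustration, and the 8-octet minimum is the value given in Problem 11.2.

```python
import struct

TCP, MIN_FIRST_FRAGMENT = 6, 8  # protocol number; minimum octets the page gives for TCP

def ipv4_header(payload_len, fo, more, proto=TCP):
    """Build a constructed 20-octet IPv4 header (documentation addresses, zero checksum)."""
    flags_fo = (0x2000 if more else 0) | fo  # MF bit plus 13-bit Fragment Offset
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, flags_fo,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))

def parse(header):
    """Return (payload_len, fragment_offset, more_fragments, protocol)."""
    ver_ihl, _, total_len, _, flags_fo, _, proto = struct.unpack("!BBHHHBB", header[:10])
    payload = total_len - 4 * (ver_ihl & 0x0F)  # Total Length - (4 x IHL)
    return payload, flags_fo & 0x1FFF, bool(flags_fo & 0x2000), proto

def verdict(header):
    """Stateless decision for one fragment: 'drop' or 'pass'."""
    payload, fo, _, proto = parse(header)
    if proto != TCP:
        return "pass"
    if fo == 0 and payload < MIN_FIRST_FRAGMENT:  # direct method
        return "drop"
    return "drop" if fo == 1 else "pass"  # Fragment Offset method

def receiver_reassembles(headers):
    """Destination model: needs contiguous data from offset 0 to the MF=0 fragment."""
    sizes, end = {}, None
    for h in headers:
        payload, fo, more, _ = parse(h)
        sizes[fo * 8] = payload  # FO counts 8-octet units
        if not more:
            end = fo * 8 + payload
    pos = 0
    while sizes.get(pos, 0) > 0:
        pos += sizes[pos]
    return end is not None and pos == end

def filter_and_deliver(arrivals):
    """Filter fragments in arrival order; return (verdicts, can the receiver reassemble)."""
    verdicts = [verdict(h) for h in arrivals]
    passed = [h for h, v in zip(arrivals, verdicts) if v == "pass"]
    return verdicts, receiver_reassembles(passed)

# Constructed fragment sets in arrival order (later fragment first, as in Problem 11.1).
SHORT_FIRST = [ipv4_header(24, 2, False), ipv4_header(4, 0, True)]
EIGHT_OCTET_FIRST = [ipv4_header(32, 1, False), ipv4_header(8, 0, True)]
NORMAL = [ipv4_header(40, 64, False), ipv4_header(512, 0, True)]
```

In `SHORT_FIRST` the later fragment passes before the first is dropped, yet the receiver cannot reassemble, as the answer to 11.1 states; in `EIGHT_OCTET_FIRST` the zero-offset fragment meets the minimum and the set is stopped by the FO = 1 check instead.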