Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 11
Review Questions
11.1 List three design goals for a firewall.
11.2 List four techniques used by firewalls to control access and enforce a security policy.
11.3 What information is used by a typical packet filtering firewall?
11.4 What are some weaknesses of a packet filtering firewall?
11.5 What is the difference between a packet filtering firewall and a stateful inspection firewall?
11.6 What is an application-level gateway?
11.7 What is a circuit-level gateway?
11.8 What are the differences among the firewalls of Figure 11.1?
11.9 What are the common characteristics of a bastion host?
11.10 Why is it useful to have host-based firewalls?
11.11 What is a DMZ network and what types of systems would you expect to find on such networks?
11.12 What is the difference between an internal and an external firewall?
Problems
11.1 As was mentioned in Section 11.3, one approach to defeating the tiny fragment attack is to enforce a minimum length of the transport header that must be contained in the first fragment of an IP packet. If the first fragment is rejected, all subsequent fragments can be rejected. However, the nature of IP is such that fragments may arrive out of order. Thus, an intermediate fragment may pass through the filter before the initial fragment is rejected. How can this situation be handled?
11.2 In an IPv4 packet, the size of the payload in the first fragment, in octets, is equal to Total Length – (4 × IHL). If this value is less than the required minimum (8 octets for TCP), then this fragment and the entire packet are rejected. Suggest an alternative method of achieving the same result using only the Fragment Offset field.
11.3 RFC 791, the IPv4 protocol specification, describes a reassembly algorithm that results in new fragments overwriting any overlapped portions of previously received fragments. Given such a reassembly implementation, an attacker could construct a series of packets in which the lowest (zero-offset) fragment would contain innocuous data (and thereby be passed by administrative packet filters), and in which some subsequent packet having a non-zero offset would overlap TCP header information (destination port, for instance) and cause it to be modified. The second packet would be passed through most filter implementations because it does not have a zero fragment offset. Suggest a method that could be used by a packet filter to counter this attack.
11.4 Table 11.3 shows a sample of a packet filter firewall ruleset for an imaginary network of IP addresses that range from 192.168.1.0 to 192.168.1.254. Describe the effect of each rule.
11.5 SMTP (Simple Mail Transfer Protocol) is the standard protocol for transferring mail between hosts over TCP. A TCP connection is set up between a user agent and a server program. The server listens on TCP port 25 for incoming connection requests. The user end of the connection is on a TCP port number above 1023. Suppose you wish to build a packet filter rule set allowing inbound and outbound SMTP traffic.
You generate the following ruleset:
a. Describe the effect of each rule.
b. Your host in this example has IP address 172.16.1.1. Someone tries to send e-mail from a remote host with IP address 192.168.3.4. If successful, this generates an SMTP dialogue between the remote user and the SMTP server on your host consisting of SMTP commands and mail. Additionally, assume that a user on your host tries to send e-mail to the SMTP server on the remote system. Four typical packets for this scenario are as shown:
Indicate which packets are permitted or denied and which rule is used in each case.
c. Someone from the outside world (10.1.2.3) attempts to open a connection from port 5150 on a remote host to the Web proxy server on port 8080 on one of your local hosts (172.16.3.4), in order to carry out an attack. Typical packets are as follows:
Will the attack succeed? Give details.
11.6 To provide more protection, the ruleset from the preceding problem is modified as follows:
a. Describe the change.
b. Apply this new ruleset to the same six packets of the preceding problem. Indicate which packets are permitted or denied and which rule is used in each case.
11.7 A hacker uses port 25 as the client port on his or her end to attempt to open a connection to your Web proxy server.
a. The following packets might be generated:
Explain why this attack will succeed, using the ruleset of the preceding problem.
b. When a TCP connection is initiated, the ACK bit in the TCP header is not set. Subsequently, all TCP headers sent over the TCP connection have the ACK bit set. Use this information to modify the ruleset of the preceding problem to prevent the attack just described.
11.8 A common management requirement is that “all external Web traffic must flow via the organization’s Web proxy.” However, that requirement is easier stated than implemented.
Discuss the various problems and issues, possible solutions, and limitations with supporting this requirement. In particular consider issues such as identifying exactly what constitutes “Web traffic” and how it may be monitored, given the large range of ports and various protocols used by Web browsers and servers.
11.9 Consider the threat of “theft/breach of proprietary or confidential information held in key data files on the system.” One method by which such a breach might occur is the accidental/deliberate e-mailing of information to a user outside the organization.
A possible countermeasure to this is to require all external e-mail to be given a sensitivity tag (classification if you like) in its subject and for external e-mail to have the lowest sensitivity tag. Discuss how this measure could be implemented in a firewall and what components and architecture would be needed to do this.
11.10 You are given the following “informal firewall policy” details to be implemented using a firewall like that in Figure 11.3:
1. E-mail may be sent using SMTP in both directions through the firewall, but it must be relayed via the DMZ mail gateway that provides header sanitization and content filtering. External e-mail must be destined for the DMZ mail server.
2. Users inside may retrieve their e-mail from the DMZ mail gateway, using either POP3 or POP3S, and authenticate themselves.
3. Users outside may retrieve their e-mail from the DMZ mail gateway, but only if they use the secure POP3 protocol, and authenticate themselves.
4. Web requests (both insecure and secure) are allowed from any internal user out through the firewall but must be relayed via the DMZ Web proxy, which provides content filtering (noting this is not possible for secure requests), and users must authenticate with the proxy for logging.
5. Web requests (both insecure and secure) are allowed from anywhere on the Internet to the DMZ Web server.
6. DNS lookup requests by internal users are allowed via the DMZ DNS server, which queries to the Internet.
7. External DNS requests are provided by the DMZ DNS server.
8. Management and update of information on the DMZ servers is allowed using secure shell connections from relevant authorized internal users (may have different sets of users on each system as appropriate).
9. SNMP management requests are permitted from the internal management hosts to the firewalls, with the firewalls also allowed to send management traps (i.e., notification of some event occurring) to the management hosts.
Design suitable packet filter rulesets (similar to those shown in Table 11.1) to be implemented on the “External Firewall” and the “Internal Firewall” to satisfy the aforementioned policy requirements.
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 10
Review Questions
10.1 What is the role of compression in the operation of a virus?
10.2 What is the role of encryption in the operation of a virus?
10.3 What are typical phases of operation of a virus or worm?
10.4 What is a digital immune system?
10.5 How does behavior-blocking software work?
10.6 In general terms, how does a worm propagate?
10.7 Describe some worm countermeasures.
10.8 What is a DDoS?
Problems
10.1 There is a flaw in the virus program of Figure 10.1. What is it?
10.2 The question arises as to whether it is possible to develop a program that can analyze a piece of software to determine if it is a virus. Consider that we have a program D that is supposed to be able to do that. That is, for any program P, if we run D(P), the result returned is TRUE (P is a virus) or FALSE (P is not a virus). Now consider the following program:
Program CV :=
{ ...
main-program :=
{if D(CV) then goto next:
else infect-executable;
}
next:
}
In the preceding program, infect-executable is a module that scans memory for executable programs and replicates itself in those programs. Determine if D can correctly decide whether CV is a virus.
10.3 The point of this problem is to demonstrate the type of puzzles that must be solved in the design of malicious code and, therefore, the type of mindset that one wishing to counter such attacks must adopt.
a. Consider the following C program:
begin
print (*begin print (); end.*);
end
What do you think the program was intended to do? Does it work?
b. Answer the same questions for the following program:
char [] = {'0', ' ', '}', ';', 'm', 'a', 'i', 'n',
'(', ')', '{', and so on... 't', ')', '0'};
main ()
{
int I;
printf(*char t[] = (*);
for (i=0; t[i]!=0; i=i+1)
printf("%d, ", t[i]);
printf("%s", t);
}
c. What is the specific relevance of this problem to this chapter?
10.4 Consider the following fragment:
legitimate code
if data is Friday the 13th;
crash_computer();
legitimate code
What type of malicious software is this?
10.5 Consider the following fragment in an authentication program:
username = read_username();
password = read_password();
if username is "133t h4ck0r"
return ALLOW_LOGIN;
if username and password are valid
return ALLOW_LOGIN
else return DENY_LOGIN
What type of malicious software is this?
10.6 The following code fragments show a sequence of virus instructions and a metamorphic version of the virus. Describe the effect produced by the metamorphic code.
10.7 The list of passwords used by the Morris worm is provided at this book’s Web site.
a. The assumption has been expressed by many people that this list represents words commonly used as passwords. Does this seem likely? Justify your answer.
b. If the list does not reflect commonly used passwords, suggest some approaches that Morris may have used to construct the list.
10.8 Suggest some methods of attacking the PWC worm defense that could be used by worm creators and suggest countermeasures to these methods.
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 9
Review Questions
9.1 List and briefly define three classes of intruders.
9.2 What are two common techniques used to protect a password file?
9.3 What are three benefits that can be provided by an intrusion detection system?
9.4 What is the difference between statistical anomaly detection and rule-based intrusion detection?
9.5 What metrics are useful for profile-based intrusion detection?
9.6 What is the difference between rule-based anomaly detection and rule-based penetration identification?
9.7 What is a honeypot?
9.8 What is a salt in the context of UNIX password management?
9.9 List and briefly define four techniques used to avoid guessable passwords.
Problems
9.1 In the context of an IDS, we define a false positive to be an alarm generated by an IDS in which the IDS alerts to a condition that is actually benign. A false negative occurs when an IDS fails to generate an alarm when an alert-worthy condition is in effect. Using the following diagram, depict two curves that roughly indicate false positives and false negatives, respectively.
9.2 The overlapping area of the two probability density functions of Figure 9.1 represents the region in which there is the potential for false positives and false negatives.
Further, Figure 9.1 is an idealized and not necessarily representative depiction of the relative shapes of the two density functions. Suppose there is 1 actual intrusion for every 1000 authorized users, and the overlapping area covers 1% of the authorized users and 50% of the intruders.
a. Sketch such a set of density functions and argue that this is not an unreasonable depiction.
b. What is the probability that an event that occurs in this region is that of an authorized user? Keep in mind that 50% of all intrusions fall in this region.
9.3 An example of a host-based intrusion detection tool is the tripwire program. This is a file integrity checking tool that scans files and directories on the system on a regular basis and notifies the administrator of any changes. It uses a protected database of cryptographic checksums for each file checked and compares this value with that recomputed on each file as it is scanned. It must be configured with a list of files and directories to check, and what changes, if any, are permissible to each. It can allow, for example, log files to have new entries appended, but not for existing entries to be changed. What are the advantages and disadvantages of using such a tool? Consider the problem of determining which files should only change rarely, which files may change more often and how, and which change frequently and hence cannot be checked. Hence consider the amount of work in both the configuration of the program and on the system administrator monitoring the responses generated.
9.4 A taxicab was involved in a fatal hit-and-run accident at night. Two cab companies, the Green and the Blue, operate in the city. You are told that:
• 85% of the cabs in the city are Green and 15% are Blue.
• A witness identified the cab as Blue.
The court tested the reliability of the witness under the same circumstances that existed on the night of the accident and concluded that the witness was correct in identifying the color of the cab 80% of the time. What is the probability that the cab involved in the incident was Blue rather than Green?
9.5 Explain the suitability or unsuitability of the following passwords:
a. YK 334
b. mfmitm (for “my favorite movie is tender mercies”)
c. Natalie1
d. Washington
e. Aristotle
f. tv9stove
g. 12345678
h. dribgib
9.6 An early attempt to force users to use less predictable passwords involved computer-supplied passwords. The passwords were eight characters long and were taken from the character set consisting of lowercase letters and digits. They were generated by a pseudorandom number generator with possible starting values. Using the technology of the time, the time required to search through all character strings of length 8 from a 36-character alphabet was 112 years. Unfortunately, this is not a true reflection of the actual security of the system. Explain the problem.
9.7 Assume that passwords are selected from four-character combinations of 26 alphabetic characters. Assume that an adversary is able to attempt passwords at a rate of one per second.
a. Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password?
b. Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password?
9.8 Assume that source elements of length are mapped in some uniform fashion into a target elements of length . If each digit can take on one of values, then the number of source elements is and the number of target elements is the smaller number .
A particular source element is mapped to a particular target element .
a. What is the probability that the correct source element can be selected by an adversary on one try?
b. What is the probability that a different source element that results in the same target element, , could be produced by an adversary?
c. What is the probability that the correct target element can be produced by an adversary on one try?
9.9 A phonetic password generator picks two segments randomly for each six-letter password.
The form of each segment is CVC (consonant, vowel, consonant), where and .
a. What is the total password population?
b. What is the probability of an adversary guessing a password correctly?
9.10 Assume that passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 10 characters in length. Assume a password cracker with an encryption rate of 6.4 million encryptions per second. How long will it take to test exhaustively all possible passwords on a UNIX system?
9.11 Because of the known risks of the UNIX password system, the SunOS-4.0 documentation recommends that the password file be removed and replaced with a publicly readable file called /etc/publickey. An entry in the file for user A consists of a user’s identifier , the user’s public key, , and the corresponding private key . This private key is encrypted using DES with a key derived from the user’s login password. When A logs in, the system decrypts to obtain .
a. The system then verifies that was correctly supplied. How?
b. How can an opponent attack this system?
9.12 The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?
9.13 It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?
9.14 Assuming that you have successfully answered the preceding problem and understand the significance of the salt, here is another question. Wouldn’t it be possible to thwart completely all password crackers by dramatically increasing the salt size to, say, 24 or 48 bits?
9.15 Consider the Bloom filter discussed in Section 9.3. Define number of hash functions; N = number of bits in hash table; and D = number of words in dictionary.
9.16 Design a file access system to allow certain users read and write access to a file, depending on authorization set up by the system. The instructions should be of the format:
READ (F, User A): attempt by User A to read file F
WRITE (F, User A): attempt by User A to store a possibly modified copy of F
Each file has a header record, which contains authorization privileges; that is, a list of users who can read and write. The file is to be encrypted by a key that is not shared by the users but known only to the system.
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 8
Review Questions
8.1 Give examples of applications of IPsec.
8.2 What services are provided by IPsec?
8.3 What parameters identify an SA and what parameters characterize the nature of a particular SA?
8.4 What is the difference between transport mode and tunnel mode?
8.5 What is a replay attack?
8.6 Why does ESP include a padding field?
8.7 What are the basic approaches to bundling SAs?
8.8 What are the roles of the Oakley key determination protocol and ISAKMP in IPsec?
Problems
8.1 Describe and explain each of the entries in Table 8.2. Get this solution
8.2 Draw a figure similar to Figure 8.8 for AH. Get this solution
8.3 List the major security services provided by AH and ESP, respectively. Get this solution
8.4 In discussing AH processing, it was mentioned that not all of the fields in an IP header are included in MAC calculation.
a. For each of the fields in the IPv4 header, indicate whether the field is immutable, mutable but predictable, or mutable (zeroed prior to ICV calculation).
b. Do the same for the IPv6 header.
c. Do the same for the IPv6 extension headers.
In each case, justify your decision for each field. Get this solution
8.5 Suppose that the current replay window spans from 120 to 530.
a. If the next incoming authenticated packet has sequence number 105, what will the receiver do with the packet, and what will be the parameters of the window after that?
b. If instead the next incoming authenticated packet has sequence number 440, what will the receiver do with the packet, and what will be the parameters of the window after that?
c. If instead the next incoming authenticated packet has sequence number 540, what will the receiver do with the packet, and what will be the parameters of the window after that? Get this solution
8.6 When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and IPv6, indicate the relationship of each outer IP header field and each extension header in the outer packet to the corresponding field or extension header of the inner IP packet. That is, indicate which outer values are derived from inner values and which are constructed independently of the inner values. Get this solution
8.7 End-to-end authentication and encryption are desired between two hosts. Draw figures similar to Figure 8.8 that show each of the following.
a. Transport adjacency with encryption applied before authentication.
b. A transport SA bundled inside a tunnel SA with encryption applied before authentication.
c. A transport SA bundled inside a tunnel SA with authentication applied before encryption. Get this solution
8.8 The IPsec architecture document states that when two transport mode SAs are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption? Get this solution
8.9 For the IKE key exchange, indicate which parameters in each message go in which ISAKMP payload types. Get this solution
8.10 Where does IPsec reside in a protocol stack? Get this solution
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 7
Review Questions
7.1 What are the five principal services provided by PGP? Get this solution
7.2 What is the utility of a detached signature? Get this solution
7.3 Why does PGP generate a signature before applying compression? Get this solution
7.4 What is R64 conversion? Get this solution
7.5 Why is R64 conversion useful for an e-mail application? Get this solution
7.6 How does PGP use the concept of trust? Get this solution
7.7 What is RFC 5322? Get this solution
7.8 What is MIME? Get this solution
7.9 What is S/MIME? Get this solution
7.10 What is DKIM? Get this solution
Problems
7.1 PGP makes use of the cipher feedback (CFB) mode of CAST-128, whereas most symmetric encryption applications (other than key encryption) use the cipher block chaining (CBC) mode. We have
CBC: Ci = E(K, [Ci-1 ⊕ Pi]); Pi = Ci-1 ⊕ D(K, Ci)
CFB: Ci = Pi ⊕ E(K, Ci-1); Pi = Ci ⊕ E(K, Ci-1)
These two appear to provide equal security. Suggest a reason why PGP uses the CFB mode. Get this solution
7.2 In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced? Get this solution
7.3 In PGP, what is the probability that a user with public keys will have at least one duplicate key ID? Get this solution
7.4 The first 16 bits of the message digest in a PGP signature are translated in the clear.
a. To what extent does this compromise the security of the hash algorithm?
b. To what extent does it in fact perform its intended function, namely, to help determine if the correct RSA key was used to decrypt the digest? Get this solution
7.5 In Figure 7.4, each entry in the public-key ring contains an Owner Trust field that indicates the degree of trust associated with this public-key owner. Why is that not enough? That is, if this owner is trusted and this is supposed to be the owner’s public key, why is that trust not enough to permit PGP to use this public key? Get this solution
7.6 What is the basic difference between X.509 and PGP in terms of key hierarchies and key trust? Get this solution
7.7 Phil Zimmermann chose IDEA, three-key triple DES, and CAST-128 as symmetric encryption algorithms for PGP. Give reasons why each of the following symmetric encryption algorithms described in this book is suitable or unsuitable for PGP: DES, two-key triple DES, and AES. Get this solution
7.8 Consider radix-64 conversion as a form of encryption. In this case, there is no key. But suppose that an opponent knew only that some form of substitution algorithm was being used to encrypt English text and did not guess that it was R64. How effective would this algorithm be against cryptanalysis? Get this solution
7.9 Encode the text “plaintext” using the following techniques. Assume characters are stored in 8-bit ASCII with zero parity.
a. Radix-64
b. Quoted-printable Get this solution
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 6
Review Questions
6.1 What is the basic building block of an 802.11 WLAN? Get this solution
6.2 Define an extended service set. Get this solution
6.3 List and briefly define IEEE 802.11 services. Get this solution
6.4 Is a distribution system a wireless network? Get this solution
6.5 How is the concept of an association related to that of mobility? Get this solution
6.6 What security areas are addressed by IEEE 802.11i? Get this solution
6.7 Briefly describe the four IEEE 802.11i phases of operation. Get this solution
6.8 What is the difference between TKIP and CCMP? Get this solution
6.9 What is the difference between an HTML filter and a WAP proxy? Get this solution
6.10 What services are provided by WSP? Get this solution
6.11 When would each of the three WTP transaction classes be used? Get this solution
6.12 List and briefly define the security services provided by WTLS. Get this solution
6.13 Briefly describe the four protocol elements of WTLS. Get this solution
6.14 List and briefly define all of the keys used in WTLS. Get this solution
6.15 Describe three alternative approaches to providing WAP end-to-end security. Get this solution
Problems
6.1 In IEEE 802.11, open system authentication simply consists of two communications.
An authentication is requested by the client, which contains the station ID (typically the MAC address). This is followed by an authentication response from the AP/router containing a success or failure message.
An example of when a failure may occur is if the client’s MAC address is explicitly excluded in the AP/router configuration.
a. What are the benefits of this authentication scheme?
b. What are the security vulnerabilities of this authentication scheme? Get this solution
6.2 Prior to the introduction of IEEE 802.11i, the security scheme for IEEE 802.11 was Wired Equivalent Privacy (WEP). WEP assumed all devices in the network share a secret key. The purpose of the authentication scenario is for the STA to prove that it possesses the secret key. Authentication proceeds as shown in Figure 6.23. The STA sends a message to the AP requesting authentication. The AP issues a challenge, which is a sequence of 128 random bytes sent as plaintext. The STA encrypts the challenge with the shared key and returns it to the AP. The AP decrypts the incoming value and compares it to the challenge that it sent. If there is a match, the AP confirms that authentication has succeeded.
a. What are the benefits of this authentication scheme?
b. This authentication scheme is incomplete. What is missing and why is this important? Hint: The addition of one or two messages would fix the problem.
c. What is a cryptographic weakness of this scheme? Get this solution
6.3 For WEP, data integrity and data confidentiality are achieved using the RC4 stream encryption algorithm. The transmitter of an MPDU performs the following steps, referred to as encapsulation:
1. The transmitter selects an initial vector (IV) value.
2. The IV value is concatenated with the WEP key shared by transmitter and receiver to form the seed, or key input, to RC4.
3. A 32-bit cyclic redundancy check (CRC) is computed over all the bits of the MAC data field and appended to the data field. The CRC is a common error-detection code used in data link control protocols. In this case, the CRC serves as an integrity check value (ICV).
4. The result of step 3 is encrypted using RC4 to form the ciphertext block.
5. The plaintext IV is prepended to the ciphertext block to form the encapsulated MPDU for transmission.
a. Draw a block diagram that illustrates the encapsulation process.
b. Describe the steps at the receiver end to recover the plaintext and perform the integrity check.
c. Draw a block diagram that illustrates part b. Get this solution
6.4 A potential weakness of the CRC as an integrity check is that it is a linear function.
This means that you can predict which bits of the CRC are changed if a single bit of the message is changed. Furthermore, it is possible to determine which combination of bits could be flipped in the message so that the net result is no change in the CRC. Thus, there are a number of combinations of bit flippings of the plaintext message that leave the CRC unchanged, so message integrity is defeated. However, in WEP, if an attacker does not know the encryption key, the attacker does not have access to the plaintext, only to the ciphertext block. Does this mean that the ICV is protected from the bit flipping attack? Explain. Get this solution
6.5 One potential weakness in WTLS is the use of CBC mode cipher encryption. The standard states that for CBC mode block ciphers, the IV (initialization vector) for each record is calculated in the following way: , where IV is the original IV and S is obtained by concatenating the 2-byte sequence number of the record the needed number of times to obtain as many bytes as in IV. Thus, if the IV is 8 bytes long, the sequence number of the record is concatenated with itself four times. Now, in CBC mode, the first block of plaintext for a record with sequence number would be encrypted as (Figure 2.10) where Ps,1 is the first block of plaintext of a record with sequence number and is the concatenated version of . Consider a terminal application (such as telnet), where each keypress is sent as an individual record. Alice enters her password into this application, and Eve captures these encrypted records. Note that the sequence number is known to Eve, because this portion of the record is not encrypted (Figure 6.17). Now somehow Eve gets hold of Alice’s channel, perhaps through an echo feature in some application. This means that Eve can present unencrypted records to the channel and view the encrypted result. Suggest a brute-force method by which Eve can guess password letters in Alice’s password. Hint: Exploit these properties of exclusive-OR: . Get this solution
6.6 An earlier version of WTLS supported a 40-bit XOR MAC and also supported RC4 stream encryption. The XOR MAC works by padding the message with zeros, dividing it into 5-byte blocks and XORing these blocks together. Show that this scheme does not provide message integrity protection. Get this solution
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 5
Review Questions
5.1 What are the advantages of each of the three approaches shown in Figure 5.1? Get this solution
5.2 What protocols comprise SSL? Get this solution
5.3 What is the difference between an SSL connection and an SSL session? Get this solution
5.4 List and briefly define the parameters that define an SSL session state. Get this solution
5.5 List and briefly define the parameters that define an SSL session connection. Get this solution
5.6 What services are provided by the SSL Record Protocol? Get this solution
5.7 What steps are involved in the SSL Record Protocol transmission? Get this solution
5.8 What is the purpose of HTTPS? Get this solution
5.9 For what applications is SSH useful? Get this solution
5.10 List and briefly define the SSH protocols. Get this solution
Problems
5.1 In SSL and TLS, why is there a separate Change Cipher Spec Protocol rather than including a change_cipher_spec message in the Handshake Protocol? Get this solution
5.2 What purpose does the MAC serve during the change cipher spec SSL exchange? Get this solution
5.3 Consider the following threats to Web security and describe how each is countered by a particular feature of SSL.
a. Brute-Force Cryptanalytic Attack: An exhaustive search of the key space for a conventional encryption algorithm.
b. Known Plaintext Dictionary Attack: Many messages will contain predictable plaintext, such as the HTTP GET command. An attacker constructs a dictionary containing every possible encryption of the known-plaintext message. When an encrypted message is intercepted, the attacker takes the portion containing the encrypted known plaintext and looks up the ciphertext in the dictionary. The ciphertext should match against an entry that was encrypted with the same secret key. If there are several matches, each of these can be tried against the full ciphertext to determine the right one. This attack is especially effective against small key sizes (e.g., 40-bit keys).
c. Replay Attack: Earlier SSL handshake messages are replayed.
d. Man-in-the-Middle Attack: An attacker interposes during key exchange, acting as the client to the server and as the server to the client.
e. Password Sniffing: Passwords in HTTP or other application traffic are eavesdropped.
f. IP Spoofing: Uses forged IP addresses to fool a host into accepting bogus data.
g. IP Hijacking: An active, authenticated connection between two hosts is disrupted and the attacker takes the place of one of the hosts.
h. SYN Flooding: An attacker sends TCP SYN messages to request a connection but does not respond to the final message to establish the connection fully. The attacked TCP module typically leaves the “half-open connection” around for a few minutes. Repeated SYN messages can clog the TCP module. Get this solution
5.4 Based on what you have learned in this chapter, is it possible in SSL for the receiver to reorder SSL record blocks that arrive out of order? If so, explain how it can be done. If not, why not? Get this solution
5.5 For SSH packets, what is the advantage, if any, of not including the MAC in the scope of the packet encryption? Get this solution
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 4
4.1 “We are under great pressure, Holmes.” Detective Lestrade looked nervous. “We have learned that copies of sensitive government documents are stored in computers of one foreign embassy here in London. Normally these documents exist in electronic form only on a selected few government computers that satisfy the most stringent security requirements. However, sometimes they must be sent through the network connecting all government computers. But all messages in this network are encrypted using a top secret encryption algorithm certified by our best crypto experts. Even the NSA and the KGB are unable to break it. And now these documents have appeared in hands of diplomats of a small, otherwise insignificant, country. And we have no idea how it could happen.”
“But you do have some suspicion who did it, do you?” asked Holmes.
“Yes, we did some routine investigation. There is a man who has legal access to one of the government computers and has frequent contacts with diplomats from the embassy. But the computer he has access to is not one of the trusted ones where these documents are normally stored. He is the suspect, but we have no idea how he could obtain copies of the documents. Even if he could obtain a copy of an encrypted document, he couldn’t decrypt it.”
“Hmm, please describe the communication protocol used on the network.” Holmes opened his eyes, thus proving that he had followed Lestrade’s talk with an attention that contrasted with his sleepy look.
“Well, the protocol is as follows. Each node N of the network has been assigned a unique secret key Kn. This key is used to secure communication between the node and a trusted server. That is, all the keys are stored also on the server. User A, wishing to send a secret message M to user B, initiates the following protocol:
1. A generates a random number R and sends to the server his name A, destination B, and E(Ka, R).
2. Server responds by sending E(Kb, R) to A.
3. A sends E(R,M) together with E(Kb, R) to B.
4. B knows Kb, thus decrypts E(Kb, R) to get R and will subsequently use R to decrypt E(R,M) to get M.
You see that a random key is generated every time a message has to be sent. I admit the man could intercept messages sent between the top secret trusted nodes, but I see no way he could decrypt them.”
“Well, I think you have your man, Lestrade. The protocol isn’t secure because the server doesn’t authenticate users who send him a request. Apparently designers of the protocol have believed that sending E(Kx,R) implicitly authenticates user X as the sender, as only X (and the server) knows Kx. But you know that E(Kx, R) can be intercepted and later replayed. Once you understand where the hole is, you will be able to obtain enough evidence by monitoring the man’s use of the computer he has access to. Most likely he works as follows: After intercepting E(Ka, R) and E(R,M) (see steps 1 and 3 of the protocol), the man, let’s denote him as Z, will continue by pretending to be A and...
Finish the sentence for Holmes. Get this solution
4.2 There are three typical ways to use nonces as challenges. Suppose Na is a nonce generated
by A,A
Describe situations for which each usage is appropriate. Get this solution
4.3 Show that a random error in one block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (see Figure F.2 in Appendix F). Get this solution
4.4 Suppose that, in PCBC mode, blocks Ci and Ci+1 are interchanged during transmission. Show that this affects only the decrypted blocks Pi and Pi+1 but not subsequent blocks. Get this solution
4.5 In addition to providing a standard for public-key certificate formats, X.509 specifies
an authentication protocol. The original version of X.509 contains a security flaw. The
essence of the protocol is
A → B: A {tA, rA, IDB}
B → A: B {tB, rB, IDA, rA}
A → B: A {rB}
where tA and tB are timestamps, rA and rB are nonces, and the notation X {Y} indicates
that the message Y is transmitted, encrypted, and signed by X.
The text of X.509 states that checking timestamps tA and tB is optional for
three-way authentication. But consider the following example: Suppose A and B have
used the preceding protocol on some previous occasion, and that opponent C has
intercepted the preceding three messages. In addition, suppose that timestamps are
not used and are all set to 0. Finally, suppose C wishes to impersonate A to B. C
initially sends the first captured message to B:
C → B: A {0, rA, IDB}
B responds, thinking it is talking to A but is actually talking to C:
B → C: B {0, r'B, IDA, rA}
C meanwhile causes A to initiate authentication with C by some means. As a result, A
sends C the following:
C responds to A using the same nonce provided to C by B.
A responds with
This is exactly what C needs to convince B that it is talking to A, so C now repeats the
incoming message back out to B.
So B will believe it is talking to A, whereas it is actually talking to C. Suggest a simple
solution to this problem that does not involve the use of timestamps.
4.6 Consider a one-way authentication technique based on asymmetric encryption:
A → B: IDA
B → A: R1
A → B: E(PRa, R1)
a. Explain the protocol.
b. What type of attack is this protocol susceptible to?
4.7 Consider a one-way authentication technique based on asymmetric encryption:
A → B: IDA
B → A: E(PUa, R2)
A → B: R2
a. Explain the protocol.
b. What type of attack is this protocol susceptible to?
4.8 In Kerberos, when Bob receives a ticket from Alice, how does he know it is genuine?
4.9 In Kerberos, when Bob receives a ticket from Alice, how does he know it came from
Alice?
4.10 In Kerberos, when Alice receives a reply, how does she know it came from Bob (that it’s not
a replay of an earlier message from Bob)?
4.11 In Kerberos, what does the ticket contain that allows Alice and Bob to talk securely?
4.12 The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure,
given current knowledge about the difficulty of factoring large numbers. The discussion
concludes with a constraint on the public exponent and the modulus n:
It must be ensured that e > log2(n) to prevent attack by taking the
eth root mod n to disclose the plaintext.
Although the constraint is correct, the reason given for requiring it is incorrect. What
is wrong with the reason given and what is the correct reason?
4.13 Find at least one intermediate certification authority’s certificate and one trusted root
certification authority’s certificate on your computer (e.g. in the browser). Print
screenshots of both the general and details tab for each certificate.
4.14 NIST defines the term cryptoperiod as the time span during which a specific key is
authorized for use or in which the keys for a given system or application may remain
in effect. One document on key management uses the following time diagram for a
shared secret key.
Explain the overlap by giving an example application in which the originator’s usage
period for the shared secret key begins before the recipient’s usage period and also
ends before the recipient’s usage period.
4.15 Consider the following protocol, designed to let A and B decide on a fresh, shared
session key K'AB. We assume that they already share a long-term key KAB.
1. A → B: A, NA
2. B → A: E(KAB, [NA, K'AB])
3. A → B: E(K'AB, NA)
a. We first try to understand the protocol designer’s reasoning:
• Why would A and B believe after the protocol ran that they share K'AB with
the other party?
• Why would they believe that this shared key is fresh?
In both cases, you should explain both the reasons of both A and B, so your answer
should complete the following sentences.
A believes that she shares K'AB with B since . . .
B believes that he shares K'AB with A since . . .
A believes that K'AB is fresh since . . .
B believes that K'AB is fresh since . . .
b. Assume now that A starts a run of this protocol with B. However, the connection
is intercepted by the adversary C. Show how C can start a new run of the protocol
using reflection, causing A to believe that she has agreed on a fresh key with B (in
spite of the fact that she has only been communicating with C). Thus, in particular,
the belief in (a) is false.
c. Propose a modification of the protocol that prevents this attack.
4.16 What are the core components of a PKI? Briefly describe each component.
4.17 Explain the problems with key management and how it affects symmetric cryptography.
4.18 Consider the following protocol:
A → KDC: IDA || IDB || N1
KDC → A: E(Ka, [KS || IDB || N1 || E(Kb, [KS || IDA])])
A → B: E(Kb, [KS || IDA])
B → A: E(KS, N2)
A → B: E(KS, f(N2))
a. Explain the protocol.
b. Can you think of a possible attack on this protocol? Explain how it can be done.
c. Mention a possible technique to get around the attack—not a detailed mechanism,
just the basics of the idea.
Note: The remaining problems deal with a cryptographic product developed by IBM,
which is briefly described in a document at this book’s Web site in IBMCrypto.pdf.
Try these problems after reviewing the document.
4.19 What is the effect of adding the instruction EMKi?
EMKi: X → E(KMHi, X), i = 0, 1
4.20 Suppose N different systems use the IBM Cryptographic Subsystem with host master
keys KMH[i] (i = 1, 2, . . . , N). Devise a method for communicating between systems
without requiring the system to either share a common host master key or to
divulge their individual host master keys. Hint: Each system needs three variants of its
host master key.
4.21 The principal objective of the IBM Cryptographic Subsystem is to protect transmissions
between a terminal and the processing system. Devise a procedure, perhaps
adding instructions, which will allow the processor to generate a session key KS and
distribute it to Terminal i and Terminal j without having to store a key-equivalent
variable in the host.
Solutions - Network Security Essentials - Stallings - 4th ed - Chapter 3
3.1 Consider a 32-bit hash function defined as the concatenation of two 16-bit functions:
XOR and RXOR, which are defined in Section 3.2 as “two simple hash functions.”
a. Will this checksum detect all errors caused by an odd number of error bits?
Explain.
b. Will this checksum detect all errors caused by an even number of error bits? If
not, characterize the error patterns that will cause the checksum to fail.
c. Comment on the effectiveness of this function for use as a hash function for
authentication.
3.2 Suppose H(m) is a collision-resistant hash function that maps a message of arbitrary
bit length into an n-bit hash value. Is it true that, for all messages x, x' with x ≠ x', we
have H(x) ≠ H(x')? Explain your answer.
3.3 State the value of the padding field in SHA-512 if the length of the message is
a. 1919 bits
b. 1920 bits
c. 1921 bits
3.4 State the value of the length field in SHA-512 if the length of the message is
a. 1919 bits
b. 1920 bits
c. 1921 bits
3.5 a. Consider the following hash function. Messages are in the form of a sequence of
Then, add each column mod 26 and add the result to the running total, mod 26. In this
example, the running total is (24, 2, 6, 10).
Round 2: Using the matrix from round 1, rotate the first row left by 1, second row left by 2, third row left by 3, and reverse the
order of the fourth row. In our example:
Now, add each column mod 26 and add the result to the running total. The new running
total is (5, 7, 9, 11). This running total is now the input into the first round of the
compression function for the next block of text. After the final block is processed,
convert the final running total to letters. For example, if the message is
ABCDEFGHIJKLMNOP, then the hash is FHJL.
a. Draw figures comparable to Figures 3.4 and 3.5 to depict the overall tth logic and
the compression function logic.
b. Calculate the hash function for the 48-letter message “I leave twenty million dollars
to my friendly cousin Bill.”
c. To demonstrate the weakness of tth, find a 48-letter block that produces the same
hash as that just derived. Hint: Use lots of A’s.
3.7 It is possible to use a hash function to construct a block cipher with a structure similar
to DES. Because a hash function is one way and a block cipher must be reversible (to
decrypt), how is it possible?
3.8 Now consider the opposite problem: Use an encryption algorithm to construct a one-way
hash function. Consider using RSA with a known key. Then process a message consisting
of a sequence of blocks as follows: Encrypt the first block, XOR the result with
the second block and encrypt again, and so on. Show that this scheme is not secure by
solving the following problem. Given a two-block message B1, B2, and its hash, we have
RSAH(B1, B2) = RSA(RSA(B1) ⊕ B2)
Given an arbitrary block C1, choose C2 so that RSAH(C1, C2) = RSAH(B1, B2).
Thus, the hash function does not satisfy weak collision resistance.
3.9 One of the most widely used MACs, referred to as the Data Authentication Algorithm,
is based on DES. The algorithm is both a FIPS publication (FIPS PUB 113) and
an ANSI standard (X9.17). The algorithm can be defined as using the cipher block
chaining (CBC) mode of operation of DES with an initialization vector of zero
(Figure 2.10). The data (e.g., message, record, file, or program) to be authenticated is
grouped into contiguous 64-bit blocks: P1, P2, . . . , PN. If necessary, the final block is
padded on the right with 0s to form a full 64-bit block. The MAC consists of either the
entire ciphertext block CN or the leftmost M bits of the block, with 16 ≤ M ≤ 64. Show
that the same result can be produced using the cipher feedback mode.
3.10 In this problem, we will compare the security services that are provided by digital signatures
(DS) and message authentication codes (MAC). We assume that Oscar is able
to observe all messages sent from Alice to Bob and vice versa. Oscar has no knowledge
of any keys but the public one in case of DS. State whether and how (i) DS and
(ii) MAC protect against each attack. The value auth(x) is computed with a DS or a
MAC algorithm, respectively.
a. (Message integrity) Alice sends a message x = “Transfer $1000 to Mark”
in the clear and also sends auth(x) to Bob. Oscar intercepts the message and
replaces “Mark” with “Oscar”. Will Bob detect this?
b. (Replay) Alice sends a message x = “Transfer $1000 to Oscar” in the
clear and also sends auth(x) to Bob. Oscar observes the message and signature
and sends them 100 times to Bob. Will Bob detect this?
c. (Sender Authentication with cheating third party) Oscar claims that he sent some
message x with a valid auth(x) to Bob, but Alice claims the same. Can Bob clear
the question in either case?
d. (Authentication with Bob cheating) Bob claims that he received a message x
with a valid signature auth(x) from Alice (e.g., “Transfer $1000 from Alice to
Bob”) but Alice claims she has never sent it. Can Alice clear this question in
either case?
3.11 Figure 3.14 shows an alternative means of implementing HMAC.
a. Describe the operation of this implementation.
b. What potential benefit does this implementation have over that shown in Figure 3.6?
3.15 In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user
whose public key is e = 5, n = 35. What is the plaintext M?
3.16 In an RSA system, the public key of a given user is e = 31, n = 3599. What is the private
key of this user?
3.17 Suppose we have a set of blocks encoded with the RSA algorithm and we don’t have the
private key. Assume n = pq, e is the public key. Suppose also someone tells us they know
one of the plaintext blocks has a common factor with n. Does this help us in any way?
3.18 Show how RSA can be represented by matrices M1, M2, and M3 of Problem 3.4.
3.19 Consider the following scheme.
1. Pick an odd number, E.
2. Pick two prime numbers, P and Q, where (P – 1)(Q – 1) – 1 is evenly divisible by E.
3. Multiply P and Q to get N.
4. Calculate .
Is this scheme equivalent to RSA? Show why or why not.
3.20 Suppose Bob uses the RSA cryptosystem with a very large modulus n for which the
factorization cannot be found in a reasonable amount of time. Suppose Alice sends a
message to Bob by representing each alphabetic character as an integer between
0 and 25 (A → 0, . . ., Z → 25), and then encrypting each number separately using
RSA with large e and large n. Is this method secure? If not, describe the most efficient
attack against this encryption method.
3.21 Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root
α = 2.
a. If user A has public key YA = 9, what is A’s private key XA?
b. If user B has public key YB = 3, what is the shared secret key K?