Presentation is loading. Please wait.

Presentation is loading. Please wait.

Midterm NS 23.04.2008 Note = Anzahl Pkte/48 x 5 + 1 1.4/4; 2. 4/4; 3. 4/4; 4. 4/4 5. 16/16; 6. 16/16 2.Durchschnitt: 4.5.

Published byEustace Lane Modified over 8 years ago

Similar presentations

Presentation on theme: "Midterm NS 23.04.2008 Note = Anzahl Pkte/48 x 5 + 1 1.4/4; 2. 4/4; 3. 4/4; 4. 4/4 5. 16/16; 6. 16/16 2.Durchschnitt: 4.5."— Presentation transcript:

1 Midterm NS 23.04.2008 Note = Anzahl Pkte/48 x 5 + 1 1.4/4; 2. 4/4; 3. 4/4; 4. 4/4 5. 16/16; 6. 16/16 2.Durchschnitt: 4.5

2 Aufgabe 1a) und 1b) Compression algorithms work very efficiently if i) the plaintext contains lots of repetitive pattern and ii) it is encoded in ASCII. Encrypted text is implicitly non redundant and binary which would offer little chance to compression algorithms to do their work. You need to know after the decryption how many ASCII characters the plain but compressed text contains in order to check (admittedly at very low security level) its integrity. For this reason this number is not specially protected.

3 Aufgabe 2a und 2b) a)Forbid HTTP GET to perform non-query: IETF RFC 2616: “ The GET and HEAD methods should not have the significance of taking an action other than retrieval. Those methods ought to be considered safe. This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.” If look = 0 ! you delete data in the DB. b)PUT. The browser checks the repetition of a PUT-request, so the user is aware that something is going on ( Resend?).

4 Aufgabe 3a) and 3b) a)The #define keyword only substitute a ASCII-sequence with another one without checking anything. Use enum (it's a int type in C/C++) and can be verified at compile time. What happens if the function flushplay() does not work as intended? b)Use enum and check the return value of flushplay().

5 Aufgabe 4a) 4b) 4c) a)Sometimes, unprivileged users must be able to accomplish tasks that require privileges. An example is the passwd program, which allows you to change your password. Changing a user's password requires modifying the password field inthe /etc/passwd file. However, you should not give a user access to change thisfile directly - the user could change everybody else's password as well! b)Likewise, the mail program requires that you be able to insert a message into the mailbox of another user, yet you should not to give one user unrestricted access to another's mailbox.To get around these problems, UNIX allows programs to be endowed with privilege. Processes executing these programs can assume another UID or GID when they're running. A program that changes its UID is called a SUID program (set-UID); a program that changes its GID is called a SGID program (set-GID). A program can be both SUID and SGID at the same time. When a SUID program is run, its effective UID becomes that of the owner of the file, rather than of the user who is running it. This concept is so clever that AT&T patented it. c)Least privilege and separation (compartmentalization) of rights.

6 Aufgabe 5a) Message 1: A → S: A║B║N A A wishes to communicate with B via a TTP S. Message 2 : S → A: {N A ║B║K AB ║{K AB ║A}K BS }K AS S sends to A a session key K_{AB} and an encrypted version for B. Message 3 : A → B: {K AB ║A}K BS A sends to be the encrypted ticket (Kerberos!) she received from S. Message 4 : B → A: {N B }K AB B decrypts the session key and sends a nonce to A. Poor man authentication of B. Message 5 : A → B: {N B -1}K AB A decrypts the message and sends to B the (nonce -1). Poor man authentication of A.

7 Aufgabe 5b) 5c) 5d) 5e) b)Protocol to establish a symmetrical session key between two strangers using a TTP. Weak authentication of A in confront of B and vice versa. c)Many weak points: i.No time stamps are used : Oscar can try a replay attack with Message 4 anytime. ii.Oscar can play the role of S as long he owns K OS and A has K AO d)i. Replay, ii. Man-in-the-middle. e)Time stamps (see Kerberos) for i. and Message 1: A → S: {A║B║N A }K AS for ii.

8 Aufgabe 6a) and 6b) 1.Change the database, so that it contains the MD5 values of the modified files, rather than the original files. Defence: Physically separate the DB from your machine (simple: make a copy of the Tripwire-DB on a tape). 2.Change the function that calculates MD5, so that it returns the old values, rather than the new ones. Defence: JUnit test of MD5 on a separate standalone and protected machine with known vectors. 3.Hack the kernel so that the Tripwire program thinks it is reading the files in the /bin and /usr/bin directories, when it is in fact reading other files (presumably the original copies). Defence: Pretty difficult: use chroot or carefully observe the logfiles for suspect activity or use a secure OS-kernel. 4.Hack the Tripwire program, so that it says that nothing is wrong, when in fact something is. Defence: Use only an original tripwire executable from a personal memory sticker. 5.Hack Bob’s operating system, so that Bob sees the Tripwire program report that everything is okay, when in fact it is reporting something else. Defence: You are in a quite desperate situation.

Download ppt "Midterm NS 23.04.2008 Note = Anzahl Pkte/48 x 5 + 1 1.4/4; 2. 4/4; 3. 4/4; 4. 4/4 5. 16/16; 6. 16/16 2.Durchschnitt: 4.5."

Similar presentations

Chapter 10 Real world security protocols

Chapter 10 Real world security protocols
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.

Public Key Infrastructure (PKI) Providing secure communications and authentication over an open network.
19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.

19.1 Silberschatz, Galvin and Gagne ©2003 Operating System Concepts with Java Chapter 19: Security The Security Problem Authentication Program Threats.
Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.

Security A system is secure if its resources are used and accessed as intended under all circumstances. It is not generally possible to achieve total security.
Kerberos Authenticating Over an Insecure Network.

Kerberos Authenticating Over an Insecure Network.
CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.

CSI 400/500 Operating Systems Spring 2009 Lecture #20 – Security Measures Wednesday, April 29 th.
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.

EEC 693/793 Special Topics in Electrical Engineering Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering.
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.

Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 24 Fall 2002.
More on AuthenticationCS-4513 D-term 20081 More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.

More on AuthenticationCS-4513 D-term More on Authentication CS-4513 Distributed Computing Systems (Slides include materials from Operating System.
EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University

EEC 688/788 Secure and Dependable Computing Lecture 7 Wenbing Zhao Department of Electrical and Computer Engineering Cleveland State University
Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University.

Security Module – Part 1 Spring 2006 V.T. Raja, Ph.D., Oregon State University.
Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Alexander Potapov.  Authentication definition  Protocol architectures  Cryptographic properties  Freshness  Types of attack on protocols  Two-way.

Similar presentations

Ads by Google