Question 1
(a) Assume a webserver is accessible only via TLS with Forward Secrecy. The operator of the webserver wants to enable a webfilter which checks all incoming traffic to the webserver for malware before it reaches the webserver.
(i) Why is this not possible if the webfilter only gets the private key of the webserver and a feed of the incoming traffic? [4 marks]
(ii) Which changes are necessary to make these checks possible? Justify your answer. [4 marks]
(b) Assume a webserver uses AES in counter mode. Furthermore assume the attacker has managed to install malware on the webserver which sets the nonce used in the counter mode to a value specified by the attacker. If the malware can in addition cause the webserver to encrypt data of the attacker’s choice, can the attacker decrypt all traffic to the website? Justify your answer. [7 marks]
Model answer / LOs / Creativity:
(a) (i) Because of forward secrecy, passive attacks (like this) do not work.
(ii) The traffic needs to be decrypted first and then sent to the webfilter, or the session keys need to be sent to the webfilter as well. Either of these solutions is fine.
(b) Always use the same nonce for all encryptions and decryptions, and ask for the encryption of a long sequence of 0's with this nonce. Now you can XOR all encrypted traffic with this data to decrypt it, since the encryption of 0's is the keystream itself.
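The keystream reuse behind model answer 1(b), and the way a fresh nonce per message removes it, as an added example that is not part of the original paper. HMAC-SHA256 stands in for the AES block function (an assumption, since Python's standard library has no AES); the key, nonces and sample traffic are constructed.

```python
import hashlib
import hmac


def ctr_keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR keystream: PRF_key(nonce || counter) for counter = 0, 1, 2, ...

    HMAC-SHA256 replaces the AES block cipher here (assumption); the
    counter-mode structure, which is what matters, is unchanged.
    """
    out = b""
    counter = 0
    while len(out) < length:
        block_input = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block_input, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): XOR data with the keystream."""
    return xor(data, ctr_keystream(key, nonce, len(data)))


def xor_with_zero_encryption(key, traffic_nonce, pinned_nonce, plaintext):
    """XOR a traffic ciphertext with the encryption of all-zero bytes.

    The zero encryption is requested under pinned_nonce; the traffic was
    encrypted under traffic_nonce. The key is only used by the "server".
    """
    traffic_ct = ctr_encrypt(key, traffic_nonce, plaintext)
    zeros_ct = ctr_encrypt(key, pinned_nonce, bytes(len(plaintext)))
    return xor(traffic_ct, zeros_ct)


KEY = bytes(range(32))                    # constructed server key
SECRET = b"session=4f2a; user=alice"      # constructed sample traffic
FIXED = b"\x00" * 8                       # nonce pinned to one value
FRESH = b"\x01" * 8                       # a different nonce for the traffic

if __name__ == "__main__":
    # Same nonce for traffic and zero encryption: plaintext falls out.
    print(xor_with_zero_encryption(KEY, FIXED, FIXED, SECRET))
    # Traffic under its own nonce: the two keystreams differ, nothing leaks.
    print(xor_with_zero_encryption(KEY, FRESH, FIXED, SECRET))
```

The second call shows why the nonce must never repeat under one key: the zero encryption only matches the keystream of messages that shared its nonce.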
No calculator
Question 2
(a) Is it safe to replace nonces by timestamps in a security protocol? Justify your answer. [5 marks]
(b) Consider the following protocol:
A → B: NA, B
B → A: EA(NA), EA(SignB(Pay Elvis £5), Pay Elvis £5)
Assume different protocol runs produce different payment messages. Is this protocol secure? If yes, explain why. If not, give an attack in Alice-Bob notation. [5 marks]
(c) Consider the following protocol:
A → B: EB(NA, A)
B → A: EA(NB, B)
A → B: EB(NB)
where NA and NB are nonces, and #(NA,NB) is a symmetric key based on the hash of NA and NB. By giving an attack in Alice-Bob notation, show that this protocol does not satisfy key agreement. [5 marks]
Model answer / LOs / Creativity:
(a) In general no. As an example, if in the Needham-Schroeder protocol the nonces are replaced by timestamps, the key is guessable.
(b) Because there are two separate encryptions in the second message, a replay attack will work. A trace is given below, where PayE is the message EA(SignB(Pay Elvis £5), Pay Elvis £5) and PayC is the message EA(SignB(Pay Charlie £5), Pay Charlie £5).
A → B: NA, B
B → E(A): EA(NA), PayE
A → B: NA′, B
B → E(A): EA(NA′), PayC
E(B) → A: EA(NA), PayC
E(B) → A: EA(NA′), PayC
(c) This is the Needham-Schroeder protocol without the nonce NA in the second message, which is vulnerable to an attack when there are two runs of this protocol and the attacker exchanges the messages EA(NB) and EA(NB′) which Alice cannot detect, as NA is not part of this message. A trace for the two sessions is given below:
A → B: EB(NA, A)
B → E(A): EB(NB)
A → B: EB(NA′, A)
B → E(A): EB(NB′)
E(B) → A: EB(NB′)
E(B) → A: EB(NB)
Now A calculates the two keys as #(NA,NB′) and #(NA′,NB), whereas B calculates the two keys as #(NA,NB) and #(NA′,NB′).
Question 3
(a) Browsers allow access to cookies only if the domain of the cookie is the same as the domain for the website. Describe an attack which is prevented by this restriction. [4 marks]
(b) A website uses https for authentication but the link to the general conditions of use on the same domain uses only http. How could an attacker get access to this website without authentication? [4 marks]
(c) Consider the following PHP code running on a web server:
    <?php
    // Name of the uploaded file, taken from the request
    $filename = $_REQUEST["filename"];
    $command = "ls -l /var/www/img/" . "$filename";

    // Run the listing; $result receives the command's exit status
    system("$command", $result);
    if ($result <> 0) {
        echo "File \"$filename\" already uploaded";
    }
    else {
        // Record the upload for the current user
        mysqli_multi_query($con, "INSERT INTO pictures (username, filename)
            VALUES (" . get_current_user() . ", " . "$filename)");
    }
    ?>
Describe three security weaknesses in this website, how they might be exploited and explain why these weaknesses are serious. [9 marks]
Model answer / LOs / Creativity:
(a) Website A could obtain session cookies for website B and use them to connect directly to website B.
(b) The cookies are automatically sent to the website, hence packet sniffing on the unencrypted connection will give the session cookie to the attacker.
(c) The weaknesses are arbitrary command execution, cross-site scripting attacks and SQL injection. Arbitrary command execution gives you control over the server, the SQL injection gives you access to the underlying database, and the cross-site scripting makes it possible to execute JavaScript provided by the attacker on the browser of the client, thereby possibly granting remote attackers access to the current session by stealing the session cookies.
End of Paper