Raluca & 2016
CS 161 Computer Security
Midterm 2
Print your name: ____________________ (last), ____________________ (first)
I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that any academic misconduct will be reported to the Center for Student Conduct, and may result in partial or complete loss of credit.
Sign your name: ____________________
Print your class account login: cs161-______ and SID: ____________________
Your TA's name: ____________________
Your section time: ____________________
Exam # for person sitting to your left: ________
Exam # for person sitting to your right: ________
You may consult one sheet of paper (double-sided) of notes. You may not consult other notes, textbooks, etc. Calculators, computers, and other electronic devices are not permitted.
You have 80 minutes. There are ?? questions, of varying credit (?? points total). The questions are of varying difficulty, so avoid spending too long on any one question. Parts of the exam will be graded automatically by scanning the bubbles you fill in, so please do your best to fill them in somewhat completely. Don’t worry—if something goes wrong with the scanning, you’ll have a chance to correct it during the regrade period.
If you have a question, raise your hand, and when an instructor motions to you, come to them to ask the question.
Do not turn this page until your instructor tells you to do so.
Problem 1 True/False (?? points) Circle True or False. Do not justify your answer.
(a) True or False: Randomizing the DNS query identifier prevents an on-path attacker (sitting between the client and the DNS server) from spoofing DNS responses.
(b) True or False: One defense against the is to randomize the destination port along with randomizing the identifier field.
(c) True or False: An off-path attacker can intercept and modify the DNS reply sent by the DNS server to the client.
(d) True or False: In order to determine whether a given certificate is valid, it is sufficient to only verify the signature on the given certificate.
(e) True or False: If an attacker learns the internal state of an HMAC-based pRNG (HMAC-DRBG) they can reconstruct previous outputs.
(f) True or False: If an attacker learns the internal state of an HMAC-based pRNG (HMAC-DRBG) they can predict future outputs.
(g) True or False: If an attacker connected to your local wireless network using WPA2-Enterprise (like AirBears2), they can directly observe all your network traffic.
Midterm 2 Page 2 of ?? CS 161 – FA 17
(h) True or False: You click the “Forgot password” link on the website, and the web server sends you an email with your password in it (in plaintext). Assume that this communication is over SSL/TLS so an attacker cannot eavesdrop on it. True or False: The website stores only hashed passwords.
(i) True or False: As long as one uses long and randomly-generated passwords, it is safe to use the same password for all your online accounts.
(j) True or False: Consider that a server stores hashed passwords, each salted with a large and randomly chosen salt and stored along with the salt, instead of storing only hashed passwords (with no salt). This prevents an attacker who stole the salted hashed passwords database from mounting a dictionary attack.
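Parts (e) and (f) above concern what an attacker gains from learning the internal state (K, V) of an HMAC-DRBG. The following Python sketch is an added illustration, not part of the exam: it implements the HMAC-DRBG construction from NIST SP 800-90A with SHA-256 (instantiate, generate, and the internal update step, without reseeding or additional input) and shows that a copy of the state taken at some point reproduces every later output exactly. The seed and the number of blocks drawn are constructed values for the demonstration.

```python
import hashlib
import hmac


class HmacDrbg:
    """HMAC-DRBG (NIST SP 800-90A, HMAC-SHA256 variant), no prediction resistance,
    no additional input. State is the pair (K, V), each 32 bytes."""

    OUTLEN = 32  # SHA-256 digest size

    def __init__(self, seed: bytes):
        # Instantiate: K = 0x00..00, V = 0x01..01, then fold the seed material in.
        self.K = b"\x00" * self.OUTLEN
        self.V = b"\x01" * self.OUTLEN
        self._update(seed)

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: the second round only runs when seed material is supplied.
        self.K = self._hmac(self.K, self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.K, self.V)
        if provided_data:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided_data)
            self.V = self._hmac(self.K, self.V)

    def generate(self, n_bytes: int) -> bytes:
        # HMAC_DRBG_Generate: each output block is V = HMAC(K, V); afterwards the
        # state is advanced with an update so the old (K, V) is discarded.
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(b"")
        return out[:n_bytes]

    def state(self) -> tuple:
        return (self.K, self.V)

    @classmethod
    def from_state(cls, K: bytes, V: bytes) -> "HmacDrbg":
        # What an attacker who has captured (K, V) can do: rebuild the generator.
        d = cls.__new__(cls)
        d.K, d.V = K, V
        return d


def predict_future_from_state(seed: bytes, n_past: int, n_future: int) -> tuple:
    """Run a 'victim' DRBG, leak its state after n_past outputs, and let an
    'attacker' copy generate the same number of future outputs.
    Returns (past_outputs, victim_future, attacker_future)."""
    victim = HmacDrbg(seed)
    past = [victim.generate(16) for _ in range(n_past)]
    K, V = victim.state()            # the leaked internal state
    attacker = HmacDrbg.from_state(K, V)
    victim_future = [victim.generate(16) for _ in range(n_future)]
    attacker_future = [attacker.generate(16) for _ in range(n_future)]
    return past, victim_future, attacker_future


if __name__ == "__main__":
    past, vf, af = predict_future_from_state(b"constructed-demo-seed", 3, 3)
    print("future outputs predicted correctly:", vf == af)
```

The equality of the two future streams is the point of (f). For (e), note that nothing in `from_state` lets the attacker recover `past`: each `generate` ends with an `_update` that replaces K and V through HMAC, so walking the state backwards would require inverting HMAC-SHA256.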
Problem 2 Shorts (?? points)
(a) An eavesdropper sees a target log into a WPA2-PSK secured network and sees the 4-way handshake. The eavesdropper sees:
• The network's passphrase
• The access point's ANonce
• The client's SNonce
What else does she need to compute the pairwise transport key? (Write only the item(s) in your best answer; do not write a laundry list of tries as we will penalize that).
(b) The Free Birdseed #1: Wile-E-Coyote of ACME Inc is seeding a cryptographic pRNG. He doesn’t know much about security, so he’s not sure what would be a good way to come up with a seed. Which of these, used alone, would be sufficiently secure? Circle zero or more options, and briefly explain why unselected options are unsuitable.
1. The process ID of Mr Coyote’s application
2. A cryptographic hash of the application binary
3. Wind speeds across the Bay Bridge as reported by ACME weather app (It’s number four on the App Store, “but we’re really hoping to bump that up with our upcoming redesign,” according to the developer.)
4. Precise timing (including microseconds) and coordinates taken from a minute of hectic flailing of the user’s mouse
5. The sum of two numbers modulo a large fixed prime p, each generated from a source of randomness, knowing that one of these sources is actually broken, but the other works as expected
(c) The Free Birdseed #2: Mr Coyote comes up with a more convoluted process instead. When his application starts up, it will:
1. Instantiate a PRNG with the user ID as the seed
2. Use the PRNG to establish an encrypted connection to the BIG-SEED server which returns a large random string S
3. Reseed the PRNG with S
Suppose an attacker can eavesdrop on the application’s communications over the network, but cannot tamper with them. Describe how the attacker can predict future random numbers generated by Mr Coyote’s application.
Problem 3 The No Such Agency's Attack Tools (?? points) The No Such Agency maintains numerous network presences, including off-path, on-path, and full man-in-the-middle positions, and all these positions have the capability of creating arbitrary packets and sending them into the network. But overall the NSA prefers using the least powerful attack for the job at hand, so they will prefer an off-path attack over an on-path attack, and an on-path attack over a man-in-the-middle attack, as it is easier to be an on-path attacker and easier still to be an off-path attacker.
For each attack scenario, which type of attack does the NSA select and why can’t the NSA use a less powerful attack? None could also be an option.
(a) The NSA can generate only a single query against a target DNS server they seek to cache poison, and they want to reliably cache poison the target.
(b) The NSA seeks to create a UDP request which appears to come from an arbitrary IP to the remote server. This request will compromise the remote server, and the NSA doesn’t need to see the reply.
(c) The NSA seeks to create a TCP connection which appears to be from an arbitrary IP to a remote server. This request will compromise the remote server, and the remote server uses the current time to generate the initial sequence number.
(d) The NSA seeks to create a TCP connection which appears to be from an arbitrary IP to a remote server. This request will compromise the remote server, and the remote server uses a secure RNG to generate the initial sequence number.
(e) The NSA seeks to inject content into an existing active TCP connection between the victim and a web server. The NSA knows this victim is very paranoid and records raw traffic and requires that the victim be unable to determine that the NSA modified this traffic.
(f) The NSA seeks to inject content into a TLS web connection that uses RSA key exchange. The NSA has a copy of the server’s key. The NSA knows the victim is not recording raw traffic and so can’t detect additional replies from the server. The cryptography is otherwise secure.
(g) The NSA seeks to inject content into a TLS web connection that uses DHE key exchange. The NSA has a copy of the server's key. The NSA knows the victim is not recording raw traffic and so can't detect additional replies from the server. The cryptography is otherwise secure.
(h) The NSA seeks to inject content into a TLS web connection to Google, where the client is using Chrome. The NSA has a forged certificate for the server signed by a different Certificate Authority than the one Google uses.
Problem 4 Applied Cryptography (?? points) Mr Wile-E-Coyote needs to deploy a system to authenticate user passwords on a web server that does not use TLS, so there is no encrypted channel for transmitting the password from the user. He needs to develop alternate approaches where the web browser downloads JavaScript from the server to perform password calculations. In what follows, a passive attacker is an attacker that does not modify any of the traffic it sees.
(a) Mr Coyote's first implementation has the JavaScript which the web browser downloads from the server compute H(passwd) and send it to the server. Does this protocol prevent a passive observer from directly seeing the user's password? Why?
(b) Does this protocol prevent a passive observer from logging in as the user? Why?
(c) Mr Coyote’s second implementation has the Javascript compute H(passwd) which is used as a seed for a pRNG. This pRNG then generates a private key that is used to encrypt a channel to the server. Does this protocol prevent a passive observer from logging in as the user? Why?
(d) Is this implementation secure against a man-in-the-middle? Why or why not?
(e) Mr Coyote, tired of dealing with poor solutions, decides to switch his web server to TLS with a certificate purchased from SureSign. He is worried about other certificate authorities, notably Verislime. Does certificate pinning give Mr Coyote protection against an attacker who can compromise a different certificate authority?
Problem 5 TLS (?? points) An attacker is trying to attack the company WoSlime and its users. Assume that users always visit WoSlime's website with an HTTPS connection, using Diffie-Hellman and AES encryption. (You may assume that WoSlime does not use certificate pinning.) For each of the following attack scenarios, circle all of the options that an attacker could achieve in that attack scenario, and give no further explanation.
(a) If the attacker obtains the private key of a certificate authority trusted by users of WoSlime, the attacker could:
1. impersonate the WoSlime web server to a user
2. discover some of the plaintext of data sent during a past connection between a user and WoSlime’s website
3. discover all of the plaintext of data sent during a past connection between a user and WoSlime’s website
4. replay data that a user previously sent to the WoSlime server over a prior HTTPS connection
5. none of the above
(b) If the attacker obtains a copy of WoSlime’s certificate, the attacker could:
1. impersonate the WoSlime web server to a user
2. discover some of the plaintext of data sent during a past connection between a user and WoSlime’s website
3. discover all of the plaintext of data sent during a past connection between a user and WoSlime’s website
4. replay data that a user previously sent to the WoSlime server over a prior HTTPS connection
5. none of the above
(c) If the attacker is a man in the middle on an HTTPS connection between a user and WoSlime's website, the attacker could:
1. impersonate the WoSlime web server to this user
2. discover some of the plaintext of data sent during this connection
3. discover all of the plaintext of data sent during this connection
4. discover the amount of plaintext data sent during this connection
5. discover all of the plaintext of data sent during a past connection between a user and WoSlime’s website
6. replay data that a user previously sent to the WoSlime server over a prior HTTPS connection
7. none of the above
(d) Suppose the attacker obtains the private key that was used by WoSlime’s server during a past connection between a victim and WoSlime’s server, but not the current private key. Also, assume that the certificate corresponding to the old private key has been revoked and is no longer valid. This attacker could:
1. impersonate the WoSlime web server to this user
2. discover all of the plaintext of data sent during a current connection (one where the current private key is used) between a user and WoSlime’s website
3. discover all of the plaintext of data sent during a past connection (one where the old private key was used) between a user and WoSlime's website (due to an ambiguity this was also accepted)
4. none of the above
Problem 6 DNS (?? points) A lookup for www.berkeley.edu on a DNS resolver with an empty cache begins by querying the root, then an .edu authority server, and then a berkeley.edu authority server.
(a) The lookup at the root indicates that the NS records for .edu are a.gtld-servers.net and b.gtld-servers.info and provides IPs for both systems. Which part of the response contains the IP addresses?
(b) Can a nameserver safely cache the result for b.gtld-servers.info? Why?
(c) The lookup at the root indicates that the NS records for .edu are a.gtld-servers.edu and b.gtld-servers.info and provides IPs for both systems. Which part of the response contains the IP addresses?
(d) The .edu DNS server says that adns1.berkeley.edu and sns-pb.isc.org are the nameservers for .berkeley.edu and provides the IP for both. If the resolver wishes to cache the IP addresses, which IPs can it cache?
(e) As a reminder, the transaction ID is 16 bits, the UDP source port is 16 bits, and the UDP destination port is 16 bits. If the resolver fully randomizes the ports in a request to the maximum extent possible, how many bits of entropy would an off-path attacker have to guess?
(f) If the resolver randomly capitalizes the request (e.g. wwW.BerKeLEy.eDU), what is the minimum additional entropy added to requests for berkeley domains?
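Parts (e) and (f) ask how much an off-path spoofer must guess when a resolver randomizes the transaction ID, the UDP source port and (with 0x20 encoding) the case of the query name. The Python below is an added illustration written for this page, not part of the exam: it tallies the guessable bits for a given query under each hardening option, applies case randomization to a name, and performs the resolver-side check that a reply echoes exactly the casing that was sent. The query names used are constructed inputs; the port and ID widths are the 16-bit sizes stated in the question.

```python
import random
import string

TXID_BITS = 16       # DNS transaction ID is a 16-bit field
SRC_PORT_BITS = 16   # UDP source port is 16 bits; in practice a resolver avoids a few
                     # reserved/privileged ports, so the real figure is slightly below 16
# The UDP destination port is also 16 bits, but it must be 53 for the server to
# receive the query, so the attacker never has to guess it.


def letters_in(name: str) -> int:
    """Number of ASCII letters in a query name. Under 0x20 case randomization each
    letter can be sent upper- or lower-case, i.e. one extra bit the spoofer must match."""
    return sum(1 for c in name if c in string.ascii_letters)


def spoof_entropy_bits(name: str, randomize_txid: bool = True,
                       randomize_src_port: bool = True,
                       randomize_case: bool = False) -> int:
    """Bits an off-path attacker must guess correctly for a forged reply to be accepted."""
    bits = 0
    if randomize_txid:
        bits += TXID_BITS
    if randomize_src_port:
        bits += SRC_PORT_BITS
    if randomize_case:
        bits += letters_in(name)
    return bits


def randomize_case(name: str, rng: random.Random) -> str:
    """0x20 encoding: flip each letter's case independently at random (DNS servers
    treat names case-insensitively, so the lookup result is unchanged)."""
    return "".join(rng.choice((c.lower(), c.upper())) if c in string.ascii_letters else c
                   for c in name)


def reply_matches(sent_name: str, reply_name: str) -> bool:
    """Resolver-side check: the answer section must echo the exact casing we sent.
    A spoofer who did not see the query has to guess every letter's case."""
    return sent_name == reply_name


if __name__ == "__main__":
    rng = random.Random(2017)  # fixed seed only so the demo is reproducible
    q = randomize_case("www.berkeley.edu", rng)
    print("sent query name:", q)
    print("bits to guess (ID + source port):", spoof_entropy_bits("www.berkeley.edu"))
    print("bits to guess with 0x20 as well:",
          spoof_entropy_bits("www.berkeley.edu", randomize_case=True))
    print("lower-cased forgery accepted?", reply_matches(q, "www.berkeley.edu"))
```

The count from `spoof_entropy_bits` is the exponent in the spoofer's per-attempt success probability (2^-bits), which is why 0x20 is worth adding even though it contributes only one bit per letter: it costs the resolver nothing and the gain scales with the length of the name.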
Problem 7 A simpler "TLS" for secure Messaging (?? points) Consider that Alice and Bob want to communicate securely, but there is an on-path attacker who aims to modify or read their conversations. They each have a public-key pair: (PKA, SKA) for Alice and (PKB, SKB) for Bob. Unfortunately, Alice does not know Bob's public key, Bob does not know Alice's public key, there is no certificate authority here, and neither of them has a certificate on their keys.
Fortunately, when Alice and Bob set up the channel for communication, the attacker was not ready to mount an active attack and he/she can only observe the packets between the two. Namely, the attacker is an eavesdropper, but not a man-in-the-middle attacker. After the setup phase, the attacker starts figuring out how to modify the traffic sent between the two of them, and acts as a full man-in-the-middle attacker.
How can Alice and Bob communicate securely? Answer the questions below by simply presenting each message sent between Alice and Bob with no explanation. Use the notation Enc() for encryption (either symmetric or asymmetric), Sign() for signing, Verify() for verifying, and MAC() for MACing (but you don't have to use all these algorithms). For each of these algorithms specify concretely the key to be used and the plaintext on which to use it.
(a) What messages do they send each other in the setup phase?
(b) After the setup phase, Alice wants to send messages m1, . . . , mn to Bob. Write down what she sends. Make sure that your solution prevents replay attacks, namely, the attacker cannot send an old message to Bob instead of a new message and convince him it is a new message. You only need to worry about the messages sent from Alice to Bob here.