======================================================================
CMSC 491N/691N Network Security
Prof. Krishna Sivalingam
Spring 2005
Quiz 2
======================================================================

1. List the major security services provided by IPSec's AH and ESP
   options.

   Refer to Table 16.1.

2. Given that ESP seems to provide AH's functionality (as an option),
   is AH necessary? Does AH provide something that ESP does not?

   Look at Figure 16.6(b) and (c): AH authenticates all non-mutable
   fields in the original IP header. Look at Figure 16.9(a) and (b):
   the authentication does not include the original IP header. Hence,
   if the original IP header also needs to be authenticated besides
   the confidentiality provided by ESP, AH is necessary.

3. During the initial OpenSSL authentication, what is the purpose of
   the HMAC of the handshake messages sent between the client and the
   server?

   To integrity-protect the first set of messages, where the cookies
   and crypto suite information are exchanged. This will prevent a
   man-in-the-middle attack in step 1, for instance, where someone can
   suppress the original message and send a weaker set of crypto
   suites.

4. Consider a one-way authentication system based on public key
   techniques:

       A -> B: IDA
       B -> A: R1
       A -> B: E_KR_a(R1)

   What type of attack is this susceptible to?

   Someone (e.g. C) can use this mechanism to get A to sign a message.
   Then, C will present this signature to D along with the message,
   claiming it was sent by A. This is a problem if A uses its
   public/private key for authentication, signatures, etc.

   If the following protocol were to be used, what attack would this
   be susceptible to?

       A -> B: IDA
       B -> A: E_KU_a(R2)
       A -> B: R2

   Someone (e.g. C) can use this mechanism to get A to decrypt a
   message (i.e. send that message as R2) that it has eavesdropped
   from the network (originally sent to A).

5. Consider the NSP protocol below. Can you think of a possible attack
   on this protocol? Explain how it can be done.

       A -> KDC: IDA || IDB || N1
       KDC -> A: E_K_a[K_s || IDB || N1 || E_K_b[K_s || IDA]]
       A -> B:   E_K_b[K_s || IDA]
       B -> A:   E_K_s[N2]
       A -> B:   E_K_s[f(N2)]

   If someone manages to get an old K_s, they can replay the message
   from step 3 to B and communicate with B, pretending to be A.

   Mention a possible technique to get around the attack - not a
   detailed mechanism, just the basics of the idea.

   Timestamps, as in Denning's mechanism or other subsequent
   mechanisms.

========================================================================
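
Added example (not part of the original quiz): a Python sketch of question 5, showing B completing steps 3-5 with a peer who replays an old ticket and holds the old K_s, and rejecting the same replay once the ticket carries a timestamp. The toy seal/unseal construction standing in for E_K[...], the JSON encoding, f(N2) = N2 - 1 and the 300-second window are assumptions made for illustration.

```python
import hashlib, hmac, json, os

def keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy stand-in for E_K[...]: SHA-256 keystream XOR plus HMAC tag. Illustration only."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

def kdc_ticket(k_b, k_s, id_a, now=None):
    """Inner part of step 2: E_K_b[K_s || IDA], with a timestamp T added when `now` is given."""
    body = {"ks": k_s.hex(), "ida": id_a}
    if now is not None:
        body["t"] = now
    return seal(k_b, body)

def b_accepts(k_b, ticket, peer_ks, now, window=None):
    """B's view of steps 3-5; `peer_ks` is the session key the peer really holds."""
    body = unseal(k_b, ticket)                        # step 3
    if window is not None and abs(now - body.get("t", float("-inf"))) > window:
        return False                                  # stale or unstamped ticket
    k_s = bytes.fromhex(body["ks"])
    n2 = int.from_bytes(os.urandom(4), "big")
    challenge = seal(k_s, {"n2": n2})                 # step 4: E_K_s[N2]
    try:                                              # step 5, assuming f(N2) = N2 - 1
        reply = seal(peer_ks, {"fn2": unseal(peer_ks, challenge)["n2"] - 1})
        return unseal(k_s, reply)["fn2"] == n2 - 1
    except ValueError:
        return False

def demo():
    k_b, old_ks = os.urandom(32), os.urandom(32)      # constructed keys; old_ks is the leaked one
    plain = kdc_ticket(k_b, old_ks, "A")              # original ticket, recorded at time 0
    stamped = kdc_ticket(k_b, old_ks, "A", now=0)     # same ticket carrying T = 0
    return (b_accepts(k_b, plain, old_ks, now=10_000),               # replay accepted
            b_accepts(k_b, stamped, old_ks, now=10_000, window=300)) # replay rejected

if __name__ == "__main__":
    print(demo())
```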