Question 8: What kind of atatcks can be prevented by TLS/SSL? Give at least thre

Question

Question 8: What kind of atatcks can be prevented by TLS/SSL? Give at least three exemples.   

Question 9: Prove or refute. TLS prevents a man-in-the-middle attack.

Question 10: A clever student from UWT decided to design his own challenge-response authentication mechanism. His protocol goes as follows:

Assume that Alice and Bob shared a secret key k

When Alice wants to authenticate herself to Bob, Alice sends a message requesting that the authentication protocol begins.

Bob sends Alice a random challenge r. r is a random binary string of length l

Alice encrypts r using RC4 and k as its key and sends the result back to Bob

Bob decrypts Alice’s message and checks if the resulting message equals the challenge r sent in a previous step. If this is the case, Alice is authenticated.

Is this protocol secure? If it is secure, argue why it is the case. If it is insecure show an attack and propose a modified protocol that fixes the problem.

Question 11: Explain in details the cryptosystem RSA. How are keys generated? How is the encryption algorithm? How is the decryption algorithm?

Question 12: “Textbook RSA” like you described in the previous question is not secure. Explain why. Describe the padding OAEP and how it is used with RSA to make it secure.

Question 13: What are digital certificates and why are they useful? What is public key infra-structure? Explain how it works and how it solves the authentication problem in public key cryptography.

Explanation / Answer

Solution 8 :    As we know that the basic/main aim of any security provider is to make the system reliable as well as private so that data privacy , data security and data integrity ( lossless data transfer) could take place. Now, Here , There are so many Attacks which can be prevented by Transport Layer Security (TLS)/Secure Sockets Layer (SSL) :

(i) CRIME and BREACH attacks

(ii) BEAST attacks

(iii) POODLE attacks

(iv) Renegotiation attacks

(v) Sweet32 attacks

Now , lets discuss first three attacks :

(a) CRIME and BREACH attacks : CRIME stands for "Compression Ratio Info-leak Made Easy" and BREACH stands for "Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext". In this type of attack , Transport Layer Security (TLS)/Secure Sockets Layer (SSL) protects the system from unauthorized access by hacker/attacker by exploiting the HTTP compressions ( by BREACH ) as well as by exploiting a valid computer session which is also called as session/cookie hijacking. when large amounts of information/data exchange in the system , TLS/SSL reduces the usage of bandwidth so that integrity ( lossless data transfer) and security could be preserve.

(b) BEAST attacks : BEAST stands for "Browser Exploit Against SSL/TLS" which clearly states about the encryption of the data/information. i.e. , Attackers usually decrypt the data ( which is exchanged between two parties) by injecting packets into the TLS stream because Attackers have a reasonable control of the victim’s browser.

(c) POODLE attacks : POODLE stands for "Padding Oracle On Downgraded Legacy Encryption" which downgrades the connection to the endanger so that attacker couldn't be able to intercept the traffic from the established connection between client and server( because the initiation of the handshake would get started by the client and then client send the list of the supported SSL/TLS versions).

Related Questions

Navigate

• Browse (All)
• Browse Q
• Subjects

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.