Academic Integrity: tutoring, explanations, and feedback — we don’t complete graded work or submit on a student’s behalf.

A client wants to establish an SSL connection to a server. An attacker, whose go

ID: 3913337 • Letter: A

Question

A client wants to establish an SSL connection to a server. An attacker, whose goal is to pretend being the server, has successfully intercepted the connection between the client and the server and can therefore manipulate any data on the wire (man-in-the-middle). Explain whether and how the client can detect that manipulation in case the attacker performs the following steps:

1. When the server sends its certificate, the attacker replaces the server public key stored in the “Public Key” field with his own and forwards the modified certificate to the client.

2. When the server sends its certificate, the attacker replaces the server public key stored in the “Public Key” field with his own, removes the existing signature and adds the one created using his own private key.

3. The attacker drops the packet with the “Pre-Master Secret” sent from the client to the server and forwards a new pre-master secret to the server, which he randomly generated and encrypted with the server’s public key.

Explanation / Answer

1.To modify the ssl connection between the user and server,let us assume that the attacker and the user are on the same network and the attacker was able to use ssl strip to removes the ssl connection so that there would be no secure connection.And he was able to modify the public key but the certificate wouldnt be valid and it shows https with an red sign with an cross and user gets an warning before he proceeds that the connection isnt secure

2.They are few companies which provide the ssl security like verisign etc. The ssl certificates are made in such a way that it is an hash combined of both private key and public key once the hash is verified the connection establishes otherwise it shows an error of connection not secure so even if he changes the existing signature the hash wouldnt be valid.(To know more about creating and deploying the ssl certificates on local host or your own website refer openssl on github)

3.Even though the user allows the connection the ssl connection created by the attacker wouldnt be valid because on the server side it doesnt accept the hash of the ssl certificate and it rejects the connection and the connection is establieshed in http and the warning is shown in the url as https in red color with cross on it.To get an https connection one can use https everywhere extension.

Related Questions

A clean-up project that is conducted in a manner that is not inconsistent with t
Question #158774
A cleaner is trying to get to a window on the side of a house by climbing a unif
Question #1701262
A cleaning and repair firm that wants to generate business during low demand per
Question #2644315
A cleaning service cleans homes. For each house call, the cost to the company is
Question #3210518
A cleaning service sends crews to residential homes on either a once-a-month or
Question #3367392
A cleaning service sends crews to residential homes on either a once-a-month or
Question #3367637
A cleaning service sends crews to residential homes on either a once-a-month or
Question #3367740
A cleaning service sends crews to residential homes on either a once-a-month or
Question #3367843
Hire Me For All Your Tutoring Needs
Integrity-first tutoring: clear explanations, guidance, and feedback.
Drop an Email at
drjack9650@gmail.com
Chat Now And Get Quote

Navigate

Previous
A client wants a new patio that surrounds a koi pond (the exact design is on the
Next
A client wants to know what common protocol suites are used in networking and wo

Integrity-first tutoring: explanations and feedback only — we do not complete graded work. Learn more.