Network Security Fundamentals (English answer key), OCR

Chapter 1 Introduction

Answers to Questions

1.1 The OSI Security Architecture is a framework that provides a systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The document defines security attacks, mechanisms, and services, and the relationships among these categories.

1.2 Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.

1.3 Passive attacks: release of message contents and traffic analysis. Active attacks: masquerade, replay, modification of messages, and denial of service.

1.4 Authentication: The assurance that the communicating entity is the one that it claims to be.

Access control: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).

Data confidentiality: The protection of data from unauthorized disclosure.

Data integrity: The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).

Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.

Availability service: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them).


1.5 See Table 1.3.

1.6 Economy of mechanism: the design of security measures embodied in both hardware and software should be as simple and small as possible.

Fail-safe defaults: access decisions should be based on permission rather than exclusion.

Complete mediation: every access must be checked against the access control mechanism.

Open design: the design of a security mechanism should be open rather than secret.

Separation of privilege: a practice in which multiple privilege attributes are required to achieve access to a restricted resource.

Least privilege: every process and every user of the system should operate using the least set of privileges necessary to perform the task.

Least common mechanism: the design should minimize the functions shared by different users, providing mutual security.

Psychological acceptability: the security mechanisms should not interfere unduly with the work of users, while at the same time meeting the needs of those who authorize access.

Isolation: a principle that applies in three contexts. (1) Public access systems should be isolated from critical resources (data, processes, etc.) to prevent disclosure or tampering. (2) The processes and files of individual users should be isolated from one another except where it is explicitly desired. (3) Security mechanisms should be isolated in the sense of preventing access to those mechanisms.

Encapsulation: a specific form of isolation based on object-oriented functionality.

Modularity: refers both to the development of security functions as separate, protected modules and to the use of a modular architecture for mechanism design and implementation.

Layering: the use of multiple, overlapping protection approaches addressing the people, technology, and operational aspects of information systems.

Least astonishment: means that a program or user interface should always respond in the way that is least likely to astonish the user.

1.7 An attack surface consists of the reachable and exploitable vulnerabilities in a system. An attack tree is a branching, hierarchical data structure that represents a set of potential techniques for exploiting security vulnerabilities.

Answers to Problems


1.1 The system must keep personal identification numbers confidential, both in the host system and during transmission for a transaction. It must protect the integrity of account records and of individual transactions. Availability of the host system is important to the economic well-being of the bank, but not to its fiduciary responsibility. The availability of individual teller machines is of less concern.

1.2 The system does not have high requirements for integrity on individual transactions, as lasting damage will not be incurred by occasionally losing a call or billing record. The integrity of control programs and configuration records, however, is critical. Without these, the switching function would be defeated and the most important attribute of all, availability, would be compromised. A telephone switching system must also preserve the confidentiality of individual calls, preventing one caller from overhearing another.

1.3 a. The system will have to assure confidentiality if it is being used to publish corporate proprietary material.

b. The system will have to assure integrity if it is being used to publish laws or regulations.

c. The system will have to assure availability if it is being used to publish a daily paper.

1.4 a. An organization managing public information on its web server determines that there is no potential impact from a loss of confidentiality (i.e., confidentiality requirements are not applicable), a moderate potential impact from a loss of integrity, and a moderate potential impact from a loss of availability.

b. A law enforcement organization managing extremely sensitive investigative information determines that the potential impact from a loss of confidentiality is high, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is moderate.

c. A financial organization managing routine administrative information (not privacy-related information) determines that the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.

d. The management within the contracting organization determines that: (i) for the sensitive contract information, the potential impact from a loss of confidentiality is moderate, the potential impact from a loss of integrity is moderate, and the potential impact from a loss of availability is low; and (ii) for the routine administrative information (non-privacy-related information), the potential impact from a loss of confidentiality is low, the potential impact from a loss of integrity is low, and the potential impact from a loss of availability is low.

e. The management at the power plant determines that: (i) for the sensor data being acquired by the SCADA system, there is no potential impact from a loss of confidentiality, a high potential impact from a loss of integrity, and a high potential impact from a loss of availability; and (ii) for the administrative information being processed by the system, there is a low potential impact from a loss of confidentiality, a low potential impact from a loss of integrity, and a low potential impact from a loss of availability. Examples from FIPS 199.

1.5

| Service | Release of message contents | Traffic analysis | Masquerade | Replay | Modification of messages | Denial of service |
|---|:---:|:---:|:---:|:---:|:---:|:---:|
| Peer entity authentication | | | Y | | | |
| Data origin authentication | | | Y | | | |
| Access control | | | Y | | | |
| Confidentiality | Y | | | | | |
| Traffic flow confidentiality | | Y | | | | |
| Data integrity | | | | Y | Y | |
| Non-repudiation | | | Y | | | |
| Availability | | | | | | Y |

1.6

| Mechanism | Release of message contents | Traffic analysis | Masquerade | Replay | Modification of messages | Denial of service |
|---|:---:|:---:|:---:|:---:|:---:|:---:|
| Encipherment | Y | | | | | |
| Digital signature | | | Y | Y | Y | |
| Access control | Y | Y | Y | Y | | Y |
| Data integrity | | | | Y | Y | |
| Authentication exchange | Y | | Y | Y | | Y |
| Traffic padding | | Y | | | | |
| Routing control | Y | Y | | | | Y |
| Notarization | | | Y | Y | Y | |

1.7 (attack tree diagram; only the node labels survived the scan)

Open Safe
    Pick Lock
    Learn Combination
        Find Written Combo
        Get Combo from Target
    Cut Open Safe
    Install Improperly

1.8 We present the tree in text form; call the company X:

Survivability Compromise: Disclosure of X proprietary secrets
OR 1. Physically scavenge discarded items from X
      OR 1. Inspect dumpster content on-site
         2. Inspect refuse after removal from site
   2. Monitor emanations from X machines
      AND 1. Survey physical perimeter to determine optimal monitoring position
          2. Acquire necessary monitoring equipment
          3. Setup monitoring site
          4. Monitor emanations from site
   3. Recruit help of trusted X insider
      OR 1. Plant spy as trusted insider
         2. Use existing trusted insider
   4. Physically access X networks or machines
      OR 1. Get physical, on-site access to Intranet
         2. Get physical access to external machines
   5. Attack X intranet using its connections with Internet
      OR 1. Monitor communications over Internet for leakage
         2. Get trusted process to send sensitive information to attacker over Internet
         3. Gain privileged access to Web server
   6. Attack X intranet using its connections with public telephone network (PTN)
      OR 1. Monitor communications over PTN for leakage of sensitive information
         2. Gain privileged access to machines on intranet connected via Internet

Chapter 2 Symmetric Encryption and Message Confidentiality

Answers to Questions

2.1 Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.

2.2 Permutation and substitution.

2.3 One secret key.

2.4 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

2.5 Cryptanalysis and brute force.

2.6 In some modes, the plaintext does not pass through the encryption function, but is XORed with the output of the encryption function. The math works out that for decryption in these cases, the encryption function must also be used.

2.7 With triple encryption, a plaintext block is encrypted by passing it through an encryption algorithm; the result is then passed through the same encryption algorithm again; the result of the second encryption is passed through the same encryption algorithm a third time. Typically, the second stage uses the decryption algorithm rather than the encryption algorithm.

2.8 There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES by repeating the key.

 

Answers to Problems

2.1 a. (The worked transposition matrices did not survive the scan; the letter groups that remained legible are reproduced as they appeared.)

ISRNG EYHAT NTEDS BUTLF TUCME IFWRO RRAFR HRGTA HUTEL LIDLP IOENT EITDS FTIYO TUSRU NVSEE IEADR TBEHI FOETO HTETA LHMET

b. The two matrices are used in reverse order. First, the ciphertext is laid out in columns in the second matrix, taking into account the order dictated by the second memory word. Then, the contents of the second matrix are read left to right, top to bottom and laid out in columns in the first matrix, taking into account the order dictated by the first memory word. The plaintext is then read left to right, top to bottom.

c. Although this is a weak method, it may have use with time-sensitive information and an adversary without immediate access to good cryptanalysis (e.g., tactical use). Plus it doesn't require anything more than paper and pencil, and can be easily remembered.

2.2 a. Let −X be the additive inverse of X. That is, −X ⊞ X = 0. Then:

P = (C ⊞ −K1) ⊕ K0

b. First, calculate −C′. Then −C′ = (P′ ⊕ K0) ⊞ (−K1). We then have:

C ⊞ −C′ = (P ⊕ K0) ⊞ (P′ ⊕ K0)

However, the operations ⊞ and ⊕ are not associative or distributive with one another, so it is not possible to solve this equation for K0.

2.3 a. The constants ensure that encryption/decryption in each round is different.

b. First two rounds:

c. First, let's define the encryption process:

L2 = L0 ⊞ [(R0 << 4) ⊞ K0] ⊕ [R0 ⊞ δ1] ⊕ [(R0 >> 5) ⊞ K1]

R2 = R0 ⊞ [(L2 << 4) ⊞ K2] ⊕ [L2 ⊞ δ2] ⊕ [(L2 >> 5) ⊞ K3]

Now the decryption process. The input is the ciphertext (L2, R2), and the output is the plaintext (L0, R0). Decryption is essentially the same as encryption, with the subkeys and delta values applied in reverse order. Also note that it is not necessary to use subtraction because there is an even number of additions in each equation.

L0 = L2 ⊞ [(R0 << 4) ⊞ K0] ⊕ [R0 ⊞ δ1] ⊕ [(R0 >> 5) ⊞ K1]

R0 = R2 ⊞ [(L2 << 4) ⊞ K2] ⊕ [L2 ⊞ δ2] ⊕ [(L2 >> 5) ⊞ K3]

d.

 

 

2.4 To see that the same algorithm with a reversed key order produces the correct result, consider Figure 2.2, which shows the encryption process going down the left-hand side and the decryption process going up the right-hand side for a 16-round algorithm (the result would be the same for any number of rounds). For clarity, we use the notation LEi and REi for data traveling through the encryption algorithm and LDi and RDi for data traveling through the decryption algorithm. The diagram indicates that, at every round, the intermediate value of the decryption process is equal to the corresponding value of the encryption process with the two halves of the value swapped. To put this another way, let the output of the ith encryption round be LEi || REi (LEi concatenated with REi). Then the corresponding input to the (16 − i)th decryption round is REi || LEi. Let us walk through the figure to demonstrate the validity of the preceding assertions. To simplify the diagram, it is unwrapped, not showing the swap that occurs at the end of each iteration. But note that the intermediate result at the end of the ith stage of the encryption process is the 2w-bit quantity formed by concatenating LEi and REi, and that the intermediate result at the end of the ith stage of the decryption process is the 2w-bit quantity formed by concatenating LDi and RDi. After the last iteration of the encryption process, the two halves of the output are swapped, so that the ciphertext is RE16 || LE16. The output of that round is the ciphertext. Now take that ciphertext and use it as input to the same algorithm. The input to the first round is RE16 || LE16, which is equal to the 32-bit swap of the output of the sixteenth round of the encryption process.

Now we would like to show that the output of the first round of the decryption process is equal to a 32-bit swap of the input to the sixteenth round of the encryption process. First, consider the encryption process. We see that:

LE16 = RE15

RE16 = LE15 ⊕ F(RE15, K16)

On the decryption side:

LD1 = RD0 = LE16 = RE15

RD1 = LD0 ⊕ F(RD0, K16) = RE16 ⊕ F(RE15, K16) = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)

The XOR has the following properties:

[A ⊕ B] ⊕ C = A ⊕ [B ⊕ C]

D ⊕ D = 0

E ⊕ 0 = E

Thus, we have LD1 = RE15 and RD1 = LE15. Therefore, the output of the first round of the decryption process is LE15 || RE15, which is the 32-bit swap of the input to the sixteenth round of the encryption. This correspondence holds all the way through the 16 iterations, as is easily shown. We can cast this process in general terms. For the ith iteration of the encryption algorithm:

LEi = REi−1

REi = LEi−1 ⊕ F(REi−1, Ki)

Rearranging terms:

REi−1 = LEi

LEi−1 = REi ⊕ F(REi−1, Ki) = REi ⊕ F(LEi, Ki)

Thus, we have described the inputs to the ith iteration as a function of the outputs, and these equations confirm the assignments shown in the right-hand side of the figure.

Finally, we see that the output of the last round of the decryption process is RE0 || LE0. A 32-bit swap recovers the original plaintext, demonstrating the validity of the Feistel decryption process.

2.5 a. Because of the key schedule, the round functions used in rounds 9 through 16 are mirror images of the round functions used in rounds 1 through 8. From this fact we see that encryption and decryption are identical. We are given a ciphertext c. Let m = c. Ask the encryption oracle to encrypt m. The ciphertext returned by the oracle will be the decryption of c.

b. For 1 ≤ i ≤ 128, take ci ∈ {0, 1}^128 to be the string containing a 1 in position i and zeros elsewhere. Obtain the decryption of these 128 ciphertexts. Let m1, m2, …, m128 be the corresponding plaintexts. Now, given any ciphertext c which does not consist of all zeros, there is a unique nonempty subset of the ci's which we can XOR together to obtain c. Let I(c) ⊆ {1, 2, …, 128} denote this subset. Observe

c = ⊕_{i ∈ I(c)} ci = ⊕_{i ∈ I(c)} E(mi) = E(⊕_{i ∈ I(c)} mi)

Thus, we obtain the plaintext of c by computing ⊕_{i ∈ I(c)} mi. Let 0 be the all-zero string. Note that 0 = 0 ⊕ 0. From this we obtain E(0) = E(0 ⊕ 0) = E(0) ⊕ E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every c ∈ {0, 1}^128.

 

2.7 a.

| Pair | Probability |
|---|---|
| 00 | (0.5 − δ)² = 0.25 − δ + δ² |
| 01 | (0.5 − δ) × (0.5 + δ) = 0.25 − δ² |
| 10 | (0.5 + δ) × (0.5 − δ) = 0.25 − δ² |
| 11 | (0.5 + δ)² = 0.25 + δ + δ² |

b. Because 01 and 10 have equal probability in the initial sequence, in the modified sequence, the probability of a 0 is 0.5 and the probability of a 1 is 0.5.

c. The probability of any particular pair being discarded is equal to the probability that the pair is either 00 or 11, which is 0.5 + 2δ², so the expected number of input bits to produce x output bits is x/(0.25 − δ²).

d. The algorithm produces a totally predictable sequence of exactly alternating 1's and 0's.

2.8 a. For the sequence of input bits a1, a2, …, an, the output bit b is defined as:

b = a1 ⊕ a2 ⊕ … ⊕ an

b. 0.5 − 2δ²

c. 0.5 − 8δ⁴

d. The limit as n goes to infinity is 0.5.
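The de-biasing answers in 2.7 and 2.8 above, carried out numerically. This is an added example, not part of the answer key: it computes the exact probabilities in the page's δ notation, generalizes the parity result to any n through the closed form (1 − (−2δ)^n)/2, of which the page's 0.5 − 2δ² and 0.5 − 8δ⁴ are the n = 2 and n = 4 cases, and checks both extractors against a seeded, constructed biased source; the 01 → 0, 10 → 1 output convention is an assumption.

```python
import random


def pair_probabilities(delta):
    """Answer 2.7a: probabilities of the four bit pairs when P(1) = 0.5 + delta."""
    p1 = 0.5 + delta
    p0 = 0.5 - delta
    return {"00": p0 * p0, "01": p0 * p1, "10": p1 * p0, "11": p1 * p1}


def discard_probability(delta):
    """Answer 2.7c: a pair is discarded when it is 00 or 11, i.e. 0.5 + 2 delta^2."""
    p = pair_probabilities(delta)
    return p["00"] + p["11"]


def expected_input_bits(delta, x):
    """Answer 2.7c: each kept pair (2 input bits) yields one output bit, so
    x output bits cost 2x / (0.5 - 2 delta^2) = x / (0.25 - delta^2) input bits."""
    return 2 * x / (1.0 - discard_probability(delta))


def von_neumann(bits):
    """Answer 2.7: read disjoint pairs; 01 -> 0, 10 -> 1 (convention assumed here),
    00 and 11 are discarded.  The output is unbiased because P(01) = P(10)."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def parity_extractor(bits, n):
    """Answer 2.8a: b = a1 xor a2 xor ... xor an over disjoint groups of n bits."""
    return [sum(bits[i:i + n]) & 1 for i in range(0, len(bits) - n + 1, n)]


def parity_bias(n, delta):
    """P(b = 1) for the n-bit parity extractor, closed form (1 - (-2 delta)^n) / 2.
    n = 2 gives the page's 0.5 - 2 delta^2, n = 4 gives 0.5 - 8 delta^4, and the
    correction term vanishes as n grows, which is the limit 0.5 of answer 2.8d."""
    return (1 - (-2 * delta) ** n) / 2


def parity_bias_exact(n, delta):
    """Cross-check of parity_bias by summing over all 2^n input patterns of odd weight."""
    p1, p0 = 0.5 + delta, 0.5 - delta
    total = 0.0
    for pattern in range(1 << n):
        ones = bin(pattern).count("1")
        if ones & 1:
            total += p1 ** ones * p0 ** (n - ones)
    return total


def biased_bits(delta, count, seed=1):
    """Constructed sample source: independent bits with P(1) = 0.5 + delta."""
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 + delta else 0 for _ in range(count)]


def fraction_of_ones(bits):
    return sum(bits) / len(bits)


if __name__ == "__main__":
    src = biased_bits(0.2, 100_000)
    print("source P(1)            ", fraction_of_ones(src))
    print("von Neumann P(1)       ", fraction_of_ones(von_neumann(src)))
    print("parity n=2 P(1)        ", fraction_of_ones(parity_extractor(src, 2)),
          "closed form", parity_bias(2, 0.2))
    print("input bits per output  ", len(src) / len(von_neumann(src)),
          "expected", expected_input_bits(0.2, 1))
```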
2.9 Use a key of length 255 bytes. The first two bytes are zero; that is, K[0] = K[1] = 0. Thereafter, we have: K[2] = 255; K[3] = 254; … K[255] = 2.

2.10 a. Simply store i, j, and S, which requires 8 + 8 + (256 × 8) = 2064 bits.

b. The number of states is [256! × 256²] ≈ 2^1700. Therefore, 1700 bits are required.

2.11 a. By taking the first 80 bits of v || c, we obtain the initialization vector, v. Since v, c, k are known, the message can be recovered (i.e., decrypted) by computing RC4(v || k) ⊕ c.

b. If the adversary observes that vi = vj for distinct i, j, then he/she knows that the same key stream was used to encrypt both mi and mj. In this case, the messages mi and mj may be vulnerable to the type of cryptanalysis carried out in part (a).

c. Since the key is fixed, the key stream varies with the choice of the 80-bit v, which is selected randomly. Thus, after approximately

messages are sent, we expect the same v, and hence the same key stream, to be used more than once.

d. The key k should be changed sometime before 2^40 messages are sent.
2.12 a. No. For example, suppose C1 is corrupted. The output block P3 depends only on the input blocks C2 and C3.

b. An error in P1 affects C1. But since C1 is input to the calculation of C2, C2 is affected. This effect carries through indefinitely, so that all ciphertext blocks are affected. However, at the receiving end, the decryption algorithm restores the correct plaintext for all blocks except the one in error. You can show this by writing out the equations for the decryption. Therefore, the error only affects the corresponding decrypted plaintext block.

2.13 a. In CBC encryption, the input block to each forward cipher operation (except the first) depends on the result of the previous forward cipher operation, so the forward cipher operations cannot be performed in parallel. In CBC decryption, however, the input blocks for the inverse cipher function (i.e., the ciphertext blocks) are immediately available, so that multiple inverse cipher operations can be performed in parallel.

b. If an error occurs in transmission of ciphertext block Ci, then this error propagates to the recovered plaintext blocks Pi and Pi+1.

c. After decryption, the last byte of the last block is used to determine the amount of padding that must be stripped off. Therefore there must be at least one byte of padding.
2.14 a. Assume that the last block of plaintext is only L bytes long, where L < 2w/8. The encryption sequence is as follows (the description in RFC 2040 has an error; the description here is correct):

1. Encrypt the first (N − 2) blocks using the traditional CBC technique.
2. XOR PN−1 with the previous ciphertext block CN−2 to create YN−1.
3. Encrypt YN−1 to create EN−1.
4. Select the first L bytes of EN−1 to create CN.
5. Pad PN with zeros at the end and exclusive-OR with EN−1 to create YN.
6. Encrypt YN to create CN−1.

The last two blocks of the ciphertext are CN−1 and CN.

b. PN−1 = CN−2 ⊕ D(K, [CN || X])

(PN || X) = (CN || 00…0) ⊕ D(K, CN−1)

PN = left-hand portion of (PN || X)

where || is the concatenation function.

2.15 a. Assume that the last block (PN) has j bits. After encrypting the last full block (PN−1), encrypt the ciphertext (CN−1) again, select the leftmost j bits of the encrypted ciphertext, and XOR that with the short block to generate the output ciphertext.

b. While an attacker cannot recover the last plaintext block, he can change it systematically by changing individual bits in the ciphertext. If the last few bits of the plaintext contain essential information, this is a weakness.

2.16 Nine plaintext characters are affected. The plaintext character corresponding to the ciphertext character is obviously altered. In addition, the altered ciphertext character enters the shift register and is not removed until the next eight characters are processed.
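The Feistel inversion argued in 2.4 and the CBC error-propagation answers of 2.12 and 2.13 above, worked in code. This is an added example, not code from the answer key: the block cipher is a toy 64-bit Feistel network whose round function and key schedule (SHA-256 truncated to 32 bits) are assumptions chosen to keep the example self-contained, not any standardized cipher; the key, IV and plaintext are constructed sample values.

```python
import hashlib

BLOCK = 8     # 64-bit block = two 32-bit halves (w = 32)
ROUNDS = 8


def F(r: int, k: int) -> int:
    """Round function: first 32 bits of SHA-256 over (RE_{i-1}, K_i).
    As answer 3.8 observes, F only has to be one-way; it is never inverted."""
    data = r.to_bytes(4, "big") + k.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def round_keys(key: bytes) -> list:
    """Toy key schedule (assumed here): K_i = first 32 bits of SHA-256(key || i)."""
    return [int.from_bytes(hashlib.sha256(key + bytes([i])).digest()[:4], "big")
            for i in range(ROUNDS)]


def feistel(block: bytes, keys: list) -> bytes:
    """Generic Feistel pass: LE_i = RE_{i-1}, RE_i = LE_{i-1} xor F(RE_{i-1}, K_i),
    followed by the final swap, so the output is RE_n || LE_n."""
    left = int.from_bytes(block[:4], "big")
    right = int.from_bytes(block[4:], "big")
    for k in keys:
        left, right = right, left ^ F(right, k)
    return right.to_bytes(4, "big") + left.to_bytes(4, "big")


def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, round_keys(key))


def decrypt_block(block: bytes, key: bytes) -> bytes:
    # Answer 2.4: decryption is the same algorithm with the subkeys in reverse order.
    return feistel(block, round_keys(key)[::-1])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_encrypt(pt: bytes, key: bytes, iv: bytes) -> bytes:
    assert len(pt) % BLOCK == 0 and len(iv) == BLOCK
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = encrypt_block(xor(pt[i:i + BLOCK], prev), key)   # C_i = E(K, P_i xor C_{i-1})
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out.append(xor(decrypt_block(c, key), prev))            # P_i = D(K, C_i) xor C_{i-1}
        prev = c
    return b"".join(out)


def changed_blocks(a: bytes, b: bytes) -> list:
    """Indices of the 8-byte blocks in which a and b differ."""
    return [i for i in range(len(a) // BLOCK)
            if a[i * BLOCK:(i + 1) * BLOCK] != b[i * BLOCK:(i + 1) * BLOCK]]


def ciphertext_error_effect(pt, key, iv, i):
    """Answer 2.13b: flip one bit of C_i in transit; which P_j decrypt wrongly?"""
    ct = bytearray(cbc_encrypt(pt, key, iv))
    ct[i * BLOCK] ^= 0x01
    return changed_blocks(pt, cbc_decrypt(bytes(ct), key, iv))


def plaintext_error_effect(pt, key, iv, i):
    """Answer 2.12b: flip one bit of P_i before encryption.  Returns
    (ciphertext blocks that changed, plaintext blocks still wrong after decryption)."""
    bad = bytearray(pt)
    bad[i * BLOCK] ^= 0x01
    ct_good = cbc_encrypt(pt, key, iv)
    ct_bad = cbc_encrypt(bytes(bad), key, iv)
    return changed_blocks(ct_good, ct_bad), changed_blocks(pt, cbc_decrypt(ct_bad, key, iv))


# constructed sample values
KEY = b"example-key"
IV = bytes(BLOCK)
PT = b"block000block001block002block003"   # four 8-byte blocks P_0 .. P_3

if __name__ == "__main__":
    print(ciphertext_error_effect(PT, KEY, IV, 1))   # [1, 2]: P_1 garbled, P_2 bit-flipped
    print(plaintext_error_effect(PT, KEY, IV, 1))    # ([1, 2, 3], [1]): chain breaks, decryption heals
```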

Chapter 3 Public-Key Cryptography and Message Authentication

Answers to Questions

3.1 Message encryption, message authentication code, hash function.

3.2 A message authentication code is an authenticator that is a cryptographic function of both the data to be authenticated and a secret key.

3.3 (a) A hash code is computed from the source message, encrypted using symmetric encryption and a secret key, and appended to the message. At the receiver, the same hash code is computed. The incoming code is decrypted using the same key and compared with the computed hash code. (b) This is the same procedure as in (a) except that public-key encryption is used; the sender encrypts the hash code with the sender's private key, and the receiver decrypts the hash code with the sender's public key. (c) A secret value is appended to a message and then a hash code is calculated using the message plus secret value as input. Then the message (without the secret value) and the hash code are transmitted. The receiver appends the same secret value to the message and computes the hash value over the message plus secret value. This is then compared to the received hash code.

3.4 1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

3.5 The compression function is the fundamental module, or basic building block, of a hash function. The hash function consists of iterated application of the compression function.

3.6 Plaintext: This is the readable message or data that is fed into the algorithm as input. Encryption algorithm: The encryption algorithm performs various transformations on the plaintext. Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input. Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.

3.7 Encryption/decryption: The sender encrypts a message with the recipient's public key. Digital signature: The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.

3.8 The key used in conventional encryption is typically referred to as a secret key. The two keys used for public-key encryption are referred to as the public key and the private key.

3.9 A digital signature is an authentication mechanism that enables the creator of a message to attach a code that acts as a signature. The signature is formed by taking the hash of the message and encrypting the message with the creator's private key. The signature guarantees the source and integrity of the message.

Answers to Problems

3.1 a. Yes. The XOR function is simply a vertical parity check. If there is an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error. Note that the RXOR function also catches all errors caused by an odd number of error bits. Each RXOR bit is a function of a unique "spiral" of bits in the block of data. If there is an odd number of errors, then there must be at least one spiral that contains an odd number of errors, and the parity bit for that spiral will detect the error.

b. No. The checksum will fail to detect an even number of errors when both the XOR and RXOR functions fail. In order for both to fail, the pattern of error bits must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and an even number of error bits in each spiral.

c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash value would be too easy.

3.2 The statement is false. Such a function cannot be one-to-one because the number of inputs to the function is arbitrary, but the number of unique outputs is 2^n. Thus, there are multiple inputs that map into the same output.

3.3 a. 1 bit

b. 1024 bits

c. 1023 bits

3.4 a. 1919

b. 1920

c. 1921

3.5 a. It satisfies properties 1 through 3 but not the remaining properties. For example, for property 4, a message consisting of the value h satisfies H(h) = h. For property 5, take any message M and add the decimal digit 0 to the sequence; it will have the same hash value.

b. It satisfies properties 1 through 3. Property 4 is also satisfied if n is a large composite number, because taking square roots modulo such an integer n is considered to be infeasible. Properties 5 and 6 are not satisfied because −M will have the same value as M.

3.6 955

 

3.7 a. Overall structure: (diagram not recovered from the scan; surviving labels: Message, 16 letters per block, IV = 0000, hash)

Compression function F: (diagram not recovered from the scan; surviving labels: Mi, H, column-wise mod 26 addition, row-wise rotations, column-wise mod 26 addition, Hi)

b. BFQG

c. Simple algebra is all you need to generate a result:

AYHG DAAAAAAAAAAAAAAAAAAA

aaaaaaaaaaaaaaaaaaaaaaaa

3.8 If you examine the structure of a single round of DES, you see that the round includes a one-way function, F, and an XOR:

Ri = Li−1 ⊕ F(Ri−1, Ki)

For DES, the function F is depicted in Figure 2.2. It maps a 32-bit R and a 48-bit K into a 32-bit output. That is, it maps an 80-bit input into a 32-bit output. This is clearly a one-way function. Any hash function that produces a 32-bit output could be used for F. The demonstration in the text that decryption works is still valid for any one-way function F.

3.9 The opponent has the two-block message B1, B2 and its hash RSAH(B1, B2). The following attack will work. Choose an arbitrary C1 and choose C2 such that:

C2 = RSA(C1) ⊕ RSA(B1) ⊕ B2

then RSA(C1) ⊕ C2 = RSA(C1) ⊕ RSA(C1) ⊕ RSA(B1) ⊕ B2 = RSA(B1) ⊕ B2

so RSAH(C1, C2) = RSA[RSA(C1) ⊕ C2] = RSA[RSA(B1) ⊕ B2] = RSAH(B1, B2)

3.10 The CBC mode with an IV of 0 and plaintext blocks D1, D2, …, Dn and 64-bit CFB mode with IV = D1 and plaintext blocks D2, D3, …, Dn yield the same result.

3.11 a. Will be detected with both (i) DS and (ii) MAC.

b. Won't be detected by either (Remark: use timestamps).

c. (i) DS: Bob simply has to verify the message with the public key from both. Obviously, only Alice's public key results in a successful verification.

(ii) MAC: Bob has to challenge both, Oscar and Bob, to reveal their secret key to him (which he knows anyway). Only Bob can do that.

d. (i) DS: Alice has to force Bob to prove his claim by sending her a copy of the message in question with the signature. Then Alice can show that message and signature can be verified with Bob's public key, so Bob must have generated the message.

(ii) MAC: No, Bob can claim that Alice generated this message.

3.12 a. Two quantities are precomputed:

f(IV, (K+ ⊕ ipad))

f(IV, (K+ ⊕ opad))

where f(cv, block) is the compression function for the hash function, which takes as arguments a chaining variable of n bits and a block of b bits and produces a chaining variable of n bits. These quantities only need to be computed initially and every time the key changes. In effect, the precomputed quantities substitute for the initial value (IV) in the hash function. With this implementation, only one additional instance of the compression function is added to the processing normally produced by the hash function.

b. This is a more efficient implementation. This more efficient implementation is especially worthwhile if most of the messages for which a MAC is computed are short.

We use Figure 3.7a but put the XOR with K1 after the final encryption. For this problem, there are two blocks to process. The output of the encryption of the first message block is E(K, 0) = CBC(K, 0) = T0 ⊕ K1. This is XORed with the second message block (T0 ⊕ T1), so that the input to the second encryption is (T1 ⊕ K1) = CBC(K, 1) = E(K, 1). So the output of the second encryption is E(K, [E(K, 1)]) = CBC(K, [CBC(K, 1)]) = T2 ⊕ K1. After the final XOR with K1, we get VMAC(K, [0 || (T0 ⊕ T1)]) = T2.

3.13 (5 × 5 table as scanned; each column is a permutation of 1 to 5)

5 2 1 4 5
1 4 3 2 2
3 1 2 5 3
4 3 4 1 4
2 5 5 3 1

  1. Assume a plaintext message p is to be encrypted by Alice and sent to Bob. Bob makes use of Ml and M3, and Alice makes use of M2. Bob chooses a random number, k, as his private key, and maps k by Ml to get x, which he sends as his public key to Alice. Alice uses x to encrypt p with M2 to get z, the ciphertext, which she sends to Bob. Bob uses k to decrypt z by means of M3, yielding the plaintext message p.
  2. If the numbers are large enough, and Ml and M2 are sufficiently random to make it impractical to work backwards, p cannot be found without knowing k.
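An added Python implementation of the table-lookup scheme in 3.13 (my construction, not the manual's): M1 and M2 are built from a seeded random generator, M3 is filled in from the defining condition f3(f2(f1(k), p), k) = p, and the three roles of part (b) are exercised for every k and p. The eavesdrop function makes part (c) concrete: with M2 public, anyone who sees x and z can scan row x of M2 for z and read off p, so the scheme is exactly as secure as that scan is impractical, which is why N would have to be astronomically large.

```python
import random


def build_tables(n: int, rng: random.Random):
    """M1: random permutation of 1..n; M2: each row a random permutation of 1..n;
    M3: derived so that f3(f2(f1(k), p), k) = p for all k, p."""
    m1 = list(range(1, n + 1))
    rng.shuffle(m1)
    m2 = []
    for _ in range(n):
        row = list(range(1, n + 1))
        rng.shuffle(row)
        m2.append(row)
    m3 = [[0] * n for _ in range(n)]
    for k in range(1, n + 1):
        x = m1[k - 1]                       # f1(k)
        for p in range(1, n + 1):
            z = m2[x - 1][p - 1]            # f2(x, p)
            m3[z - 1][k - 1] = p            # f3(z, k) must give back p
    return m1, m2, m3


def tables_for(n: int, seed: int):
    """Convenience wrapper with a fixed seed (constructed, for reproducibility)."""
    return build_tables(n, random.Random(seed))


def bob_public_key(m1, k: int) -> int:      # Bob: private k -> public x = f1(k)
    return m1[k - 1]


def alice_encrypt(m2, x: int, p: int) -> int:   # Alice: z = f2(x, p)
    return m2[x - 1][p - 1]


def bob_decrypt(m3, z: int, k: int) -> int:     # Bob: p = f3(z, k)
    return m3[z - 1][k - 1]


def eavesdrop(m2, x: int, z: int) -> int:
    """Attacker with public M2 who sees x and z: find the p with f2(x, p) = z by
    scanning row x. O(N) lookups, so security rests entirely on N being huge."""
    return m2[x - 1].index(z) + 1


def roundtrip_ok(n: int, seed: int) -> bool:
    """Every (k, p) decrypts correctly, and the row scan recovers p as well."""
    m1, m2, m3 = tables_for(n, seed)
    for k in range(1, n + 1):
        x = bob_public_key(m1, k)
        for p in range(1, n + 1):
            z = alice_encrypt(m2, x, p)
            if bob_decrypt(m3, z, k) != p or eavesdrop(m2, x, z) != p:
                return False
    return True


def column_is_permutation(m3, k: int) -> bool:
    """For fixed k, z ranges over all values as p does, so column k of M3 is a permutation."""
    n = len(m3)
    return sorted(m3[z][k - 1] for z in range(n)) == list(range(1, n + 1))


if __name__ == "__main__":
    m1, m2, m3 = tables_for(5, 1)
    for row in m3:
        print(*row)
    print("round trip ok:", roundtrip_ok(5, 1))
```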

3.14 a. n = 33; φ(n) = 20; d = 3; C = 5^7 mod 33 = 14.

b. n = 55; φ(n) = 40; d = 27; C = 14.

c. n = 77; φ(n) = 60; d = 53; C = 57.

d. n = 143; φ(n) = 120; d = 11; C = 106.

e. n = 527; φ(n) = 480; d = 343; C = 128. For decryption, we have

128^343 mod 527 = 128^256 × 128^64 × 128^16 × 128^4 × 128^2 × 128^1 mod 527

= 35 × 256 × 35 × 101 × 47 × 128 mod 527 = 2.

3.15 M = 5

3.16 d = 3031

3.17 Yes. If a plaintext block has a common factor with n, then the encrypted block will also have a common factor with n (C = M^e mod n, so any prime dividing both M and n divides C). Because we encode blocks that are smaller than pq, the factor must be p or q and the plaintext block must be a multiple of p or q. We can test each block for primality. If prime, it is p or q; in this case we divide it into n to find the other factor. If not prime, we factor it and try the factors as divisors of n.

3.18 Refer to Figure 3.10. The private key k is the pair {d, n}; the public key x is the pair {e, n}; the plaintext p is M; and the ciphertext z is C. M1 is formed by calculating d = e^-1 mod φ(n). M2 consists of raising M to the power e (mod n). M3 consists of raising C to the power d (mod n).

3.19 Yes.

3.20 Consider a set of alphabetic characters {A, B, …, Z}. The corresponding integers, representing the position of each character in the alphabet, form a set of message block values SM = {0, 1, 2, …, 25}. The set of corresponding ciphertext block values SC = {0^e mod N, 1^e mod N, …, 25^e mod N} can be computed by everybody with knowledge of Bob's public key.

Thus, the most efficient attack against the scheme described in the problem is to compute M^e mod N for all possible values of M, then create a look-up table with the ciphertext as the index and the corresponding plaintext as the value stored at that location. The attack does not depend on the size of N: textbook RSA is deterministic, so a small message space is always enumerable, which is why real systems add randomized padding before encryption.
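An added Python example (not from the solutions manual) serving both 3.14 and 3.20: key generation with the extended Euclidean algorithm, a square-and-multiply routine that also returns the chain of residues written out in 3.14(e), and the single-letter look-up table of 3.20. The plaintext values used in the main block (M = 5, 9, 8, 7, 2) are the problem's inputs as I recall them and are an assumption; the (n, φ(n), d) triples and the residue chain are the ones in the answer above.

```python
def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e: int, phi: int) -> int:
    """d = e^-1 mod phi; raises if e and phi are not coprime."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return x % phi


def rsa_keygen(p: int, q: int, e: int):
    """(n, phi(n), d) for the textbook parameters of 3.14."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, phi, modinv(e, phi)


def rsa_encrypt(m: int, e: int, n: int) -> int:
    return pow(m, e, n)


def powmod_trace(base: int, exp: int, m: int):
    """Square-and-multiply. Returns (base**exp mod m, factors): the residues
    base**(2**i) mod m that were multiplied in, highest power first, i.e. the
    chain 128^256 x 128^64 x ... written out in 3.14(e)."""
    result, square, used = 1, base % m, []
    while exp:
        if exp & 1:
            used.append(square)
            result = result * square % m
        square = square * square % m
        exp >>= 1
    return result, used[::-1]


def letter_lookup_table(e: int, n: int) -> dict:
    """3.20: with a 26-letter message space, precompute ciphertext -> letter once.
    Works for any key size because textbook RSA is deterministic."""
    return {pow(m, e, n): chr(ord("A") + m) for m in range(26)}


def recover_letters(cipher_blocks, e: int, n: int) -> str:
    """Read a sequence of single-letter ciphertext blocks back through the table."""
    table = letter_lookup_table(e, n)
    return "".join(table[c] for c in cipher_blocks)


if __name__ == "__main__":
    # (p, q, e, M): the M values are assumed problem inputs, not taken from the answer text.
    for p, q, e, msg in ((3, 11, 7, 5), (5, 11, 3, 9), (7, 11, 17, 8), (11, 13, 11, 7), (17, 31, 7, 2)):
        n, phi, d = rsa_keygen(p, q, e)
        c = rsa_encrypt(msg, e, n)
        print(f"n={n} phi={phi} d={d} C={c} decrypts to {pow(c, d, n)}")
    print(powmod_trace(128, 343, 527))
    blocks = [rsa_encrypt(ord(ch) - 65, 7, 33) for ch in "ATTACK"]   # constructed: public key (7, 33)
    print(blocks, "->", recover_letters(blocks, 7, 33))
```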

3.21 a. XA = 6

b. K = 3

Chapter 4

Key Distribution and User

Authentication

 

Answers to Questions

4.1 For two parties A and B, key distribution can be achieved in a number of ways, as follows:
a. A can select a key and physically deliver it to B.
b. A third party can select the key and physically deliver it to A and B.
c. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
d. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.

4.2 A session key is a temporary encryption key used between two principals. A master key is a long-lasting key that is used between a key distribution center and a principal for the purpose of encrypting the transmission of session keys. Typically, the master keys are distributed by noncryptographic means.

4.3 A key distribution center is a system that is authorized to transmit temporary session keys to principals. Each session key is transmitted in encrypted form, using a master key that the key distribution center shares with the target principal.

4.4 A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.

4.5 A realm is an environment in which: 1. The Kerberos server must have the user ID (UID) and hashed password of all participating users in its database. All users are registered with the Kerberos server. 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.

4.6 Version 5 overcomes some environmental shortcomings and some technical deficiencies in Version 4.

4.7 A nonce is a value that is used only once, such as a timestamp, a counter, or a random number; the minimum requirement is that it differs with each transaction.

4.8 1. The distribution of public keys. 2. The use of public-key encryption to distribute secret keys.

4.9 1. The authority maintains a directory with a {name, public key} entry for each participant. 2. Each participant registers a public key with the directory authority. Registration would have to be in person or by some form of secure authenticated communication. 3. A participant may replace the existing key with a new one at any time, either because of the desire to replace a public key that has already been used for a large amount of data, or because the corresponding private key has been compromised in some way. 4. Periodically, the authority publishes the entire directory or updates to the directory. For example, a hard-copy version much like a telephone book could be published, or updates could be listed in a widely circulated newspaper. 5. Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.

4.10 A public-key certificate contains a public key and other information, is created by a certificate authority, and is given to the participant with the matching private key. A participant conveys its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority.

4.11 1. Any participant can read a certificate to determine the name and public key of the certificate's owner. 2. Any participant can verify that the certificate originated from the certificate authority and is not counterfeit. 3. Only the certificate authority can create and update certificates. 4. Any participant can verify the currency of the certificate.

4.12 X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority.

4.13 A chain of certificates consists of a sequence of certificates created by different certification authorities (CAs) in which each successive certificate is a certificate by one CA that certifies the public key of the next CA in the chain.

4.14 Revocation is done by the issuing CA, not by the certificate's owner: each CA maintains a certificate revocation list (CRL), signed with the CA's private key, that lists the serial numbers of certificates it issued that have been revoked before their expiry date. A relying party checks the current CRL (or an online status responder) before trusting a certificate; the owner can only request that its certificate be revoked.

Answers to Problems

4.1 Z can obtain M as follows:

i) He sends to the server the source name A, the destination name Z (his own), and E(KA, R), as if A wanted to send him the same message encrypted under the same key R as A did with B.

ii) The server will respond by sending E(KZ, R) to A, and Z will intercept that.

iii) Because Z knows his key KZ, he can decrypt E(KZ, R), thus getting R, which can be used to decrypt E(R, M) and obtain M.
4.2 All three really serve the same purpose. The difference is in the vulnerability. In Usage 1, an attacker could breach security by inflating NA and withholding an answer from B for a future replay attack, a form of suppress-replay attack. The attacker could attempt to predict a plausible reply in Usage 2, but this will not succeed if the nonces are random. In both Usage 1 and 2, the messages work in either direction. That is, if N is sent in either direction, the response is E[K, N]. In Usage 3, the message is encrypted in both directions; the purpose of function f is to assure that messages 1 and 2 are not identical. Thus, Usage 3 is more secure.
4.3 An error in C1 affects P1, because the encryption of C1 is XORed with IV to produce P1. Both C1 and C2 affect P2, which is the XOR of the encryption of C2 with the XOR of C1 and P1. Beyond that, P(N-1) is one of the XORed inputs to forming PN, so a single ciphertext error propagates into every later plaintext block.
4.4 Let us consider the case of the interchange of C1 and C2. The argument will be the same for any other adjacent pair of ciphertext blocks. First, if C1 and C2 arrive in the proper order:

P1 = E[K, C1] ⊕ IV

P2 = E[K, C2] ⊕ C1 ⊕ P1 = E[K, C2] ⊕ C1 ⊕ E[K, C1] ⊕ IV

P3 = E[K, C3] ⊕ C2 ⊕ P2 = E[K, C3] ⊕ C2 ⊕ E[K, C2] ⊕ C1 ⊕ E[K, C1] ⊕ IV

Now suppose that C1 and C2 arrive in the reverse order. Let us refer to the decrypted blocks as Qi.

Q1 = E[K, C2] ⊕ IV

Q2 = E[K, C1] ⊕ C2 ⊕ Q1 = E[K, C1] ⊕ C2 ⊕ E[K, C2] ⊕ IV

Q3 = E[K, C3] ⊕ C1 ⊕ Q2 = E[K, C3] ⊕ C1 ⊕ E[K, C1] ⊕ C2 ⊕ E[K, C2] ⊕ IV

The result is that P1 ≠ Q1 and P2 ≠ Q2, but Q3 = P3. Subsequent blocks are clearly unaffected.
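The two results above (4.3, error propagation, and 4.4, the effect of swapping adjacent ciphertext blocks) for the mode Pi = E[K, Ci] ⊕ C(i-1) ⊕ P(i-1), run in code. This is an added example, not from the manual. Because decryption in this mode only ever runs the cipher forwards, E is modelled by HMAC-SHA256 truncated to one block, a keyed function standing in for a real block cipher; key, IV and ciphertext blocks are constructed values.

```python
import hashlib
import hmac

BLOCK = 16


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(key: bytes, block: bytes) -> bytes:
    """Forward block-cipher stand-in: HMAC-SHA256 truncated to one block."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def decrypt_chain(key: bytes, iv: bytes, cblocks):
    """P1 = E[K, C1] xor IV;  Pi = E[K, Ci] xor C(i-1) xor P(i-1) for i >= 2."""
    plain, prev_c, prev_p = [], None, None
    for c in cblocks:
        if prev_c is None:
            p = xor(E(key, c), iv)
        else:
            p = xor(xor(E(key, c), prev_c), prev_p)
        plain.append(p)
        prev_c, prev_p = c, p
    return plain


def changed_blocks(key, iv, cblocks, modified):
    """Indices of plaintext blocks that differ between two ciphertext sequences."""
    a, b = decrypt_chain(key, iv, cblocks), decrypt_chain(key, iv, modified)
    return [i for i in range(len(a)) if a[i] != b[i]]


def swap_effect(key, iv, cblocks, i, j):
    """4.4: swap ciphertext blocks i and j (adjacent) and report which plaintexts change."""
    swapped = list(cblocks)
    swapped[i], swapped[j] = swapped[j], swapped[i]
    return changed_blocks(key, iv, cblocks, swapped)


def error_effect(key, iv, cblocks, i, mask: bytes):
    """4.3: flip the bits in `mask` inside ciphertext block i and report the damage."""
    damaged = list(cblocks)
    damaged[i] = xor(damaged[i], mask)
    return changed_blocks(key, iv, cblocks, damaged)


if __name__ == "__main__":
    key, iv = b"k" * 16, b"\x00" * 16                       # constructed
    cblocks = [bytes([i]) * BLOCK for i in range(1, 6)]     # constructed C1..C5
    print("swap C1,C2 changes P at:", swap_effect(key, iv, cblocks, 0, 1))
    print("error in C1 changes P at:", error_effect(key, iv, cblocks, 0, b"\x80" + bytes(15)))
```

The swap disturbs exactly two plaintext blocks, while a single flipped bit disturbs every block from the error onwards: the C(i-1) ⊕ P(i-1) feedback carries it forward indefinitely, unlike plain CBC where the damage stops after one block.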

4.5 The problem has a simple fix, namely the inclusion of the name of B in the signed information for the third message, so that the third message now reads:

A → B: A{rB, B}

4.6 a. This is a means of authenticating A to B. The value sent by B serves as a challenge, and only A is able to encrypt it so that it can be decrypted with A's public key.

b. Someone (e.g., C) can use this mechanism to get A to sign a message. Then, C will present this signature to D along with the message, claiming it was sent by A. This is a problem if A uses the same public/private key pair for both authentication and signatures.

4.7 a. This is a means of authenticating A to B. Only A can decrypt the second message, to recover R2.

b. Someone (e.g., C) can use this mechanism to get A to decrypt a message (i.e., send that message as R2) that C has eavesdropped from the network (originally sent to A).

4.8 a. It contains Alice's ID, Bob's name, and a timestamp, encrypted with the KDC–Bob secret key.
b. It contains Alice's name encrypted with the KDC–Bob secret key.
c. It has a nonce (e.g., a timestamp) encrypted with the session key.
d. It contains the session key encrypted with the KDC–Bob secret key.

4.9 Taking the e-th root mod n of a ciphertext block will always reveal the plaintext, no matter what the values of e and n are. In general this is a very difficult problem, and indeed is the reason why RSA is secure. The point is that if e is too small (and the message is not padded), then M^e is smaller than n, so taking the ordinary integer e-th root is the same as taking the e-th root mod n, and integer e-th roots are easy to compute.
4.10 Here is an example of a trusted root CA certificate, as displayed by the Firefox Certificate Viewer (Builtin Object Token: DigiCert High Assurance EV Root CA).

This certificate has been verified for the following uses: Email Signer Certificate; SSL Certificate Authority; Status Responder Certificate.

Issued To
Common Name (CN): DigiCert High Assurance EV Root CA
Organization (O): DigiCert Inc
Organizational Unit (OU): www.digicert.com
Serial Number: 02:AC:5C:26:6A:0B:40:9B:8F:0B:79:F2:AE:46:25:77

Issued By
Common Name (CN): DigiCert High Assurance EV Root CA
Organization (O): DigiCert Inc
Organizational Unit (OU): www.digicert.com

Validity
Issued On: 11/9/06
Expires On: 11/9/31

Fingerprints
SHA1 Fingerprint: 5F:B7:EE:06:33:E2:59:DB:AD:0C:4C:9A:E6:D3:8F:1A:61:C7:DC:25
MD5 Fingerprint: D4:74:DE:57:5C:39:B2:D3:9C:85:83:C5:C0:65:49:8A

Note that issuer and subject are identical: a root certificate is self-signed, so the trust placed in it comes from its presence in the browser's built-in trust store (and is checked by comparing the fingerprint), not from any signature.
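Returning to problem 4.9: an added Python example (not from the manual) of the small-exponent case. With e = 3 and an unpadded message short enough that m^3 < n, the reduction mod n never happens, so the ordinary integer cube root of c is m; with e = 65537 the same root-taking recovers nothing. N is a constructed 1024-bit odd number rather than a real RSA modulus, which is all the demonstration needs; in practice randomized padding (OAEP) is what prevents m^e < n from ever holding.

```python
def int_root(x: int, e: int) -> int:
    """Largest r >= 0 with r**e <= x, by binary search on Python big ints."""
    if x < 0 or e < 1:
        raise ValueError("need x >= 0 and e >= 1")
    lo, hi = 0, 1
    while hi ** e <= x:                  # bracket the root: hi**e > x
        hi <<= 1
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid ** e <= x:
            lo = mid
        else:
            hi = mid
    return lo


def small_e_attack(c: int, e: int):
    """If c = m**e held as an integer (no wrap-around mod n), return m, else None."""
    m = int_root(c, e)
    return m if m ** e == c else None


# Constructed 1024-bit odd modulus (assumption: not a real key; factors irrelevant here).
N = (1 << 1024) + 12345


def textbook_rsa_encrypt(message: bytes, e: int, n: int = N) -> int:
    """Unpadded RSA encryption of a short message."""
    return pow(int.from_bytes(message, "big"), e, n)


def wraps_around(message: bytes, e: int, n: int = N) -> bool:
    """True when m**e >= n, i.e. when the modular reduction actually did something."""
    return int.from_bytes(message, "big") ** e >= n


def recover(c: int, e: int):
    """Attacker's side: integer e-th root of the ciphertext, as bytes, or None."""
    m = small_e_attack(c, e)
    if m is None:
        return None
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


if __name__ == "__main__":
    msg = b"attack at dawn"                       # 14 bytes: m**3 has ~336 bits, far below 1024
    print("e=3     ->", recover(textbook_rsa_encrypt(msg, 3), 3))
    print("e=65537 ->", recover(textbook_rsa_encrypt(msg, 65537), 65537))
```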

4.11 When a symmetric key is used to protect stored information, the recipient usage period may start after the beginning of the originator usage period as shown in the figure. For example, information may be encrypted before being stored on a compact disk. At some later time, the key may be distributed in order to decrypt and recover the information.
4.12 a. A believes that she shares K'AB with B since her nonce came back in message 2 encrypted with a key known only to B (and A). B believes that he shares K'AB with A since NA was encrypted with K'AB, which could only be retrieved from message 2 by someone who knows KAB (and this is known only by A and B). A believes that K'AB is fresh since it is included in message 2 together with NA (and hence message 2 must have been constructed after message 1 was sent). B believes (indeed, knows) that K'AB is fresh since he chose it himself.

b. We consider the following interleaved runs of the protocol:

1.  A → C(B): A, NA
1'. C(B) → A: B, NA
2'. A → C(B): E(KAB, [NA, K'AB])
2.  C(B) → A: E(KAB, [NA, K'AB])
3.  A → C(B): E(K'AB, NA)

C cannot encrypt A's nonce, so he needs to get help with message 2. He therefore starts a new run with A, letting A do the encryption and reflecting the reply back. A will accept the unprimed protocol run and believe that B is present.

c. To prevent the attack, we need to be more explicit in the messages, e.g. by changing message 2 to include the sender and receiver (in this order), i.e. to be E(KAB, [A, B, NA, K'AB]).
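The reflection attack of 4.12(b) and the fix of 4.12(c), as an added Python simulation (not from the manual). A behaves exactly as the protocol tells her to in both roles; the attacker C never touches KAB, he only replays A's own message 2' back at her. With the flag set, message 2 carries the initiator's and responder's names in the order [A, B, NA, K'AB], and A as initiator rejects a ciphertext that names her as the responder. The cipher is a toy SHA-256 counter keystream (an assumption for runnability, not a real design) and the long-term key is a constructed constant.

```python
import hashlib
import os

NAME_LEN, NONCE_LEN, KEY_LEN = 8, 16, 16


def _keystream(key: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def E(key: bytes, data: bytes) -> bytes:
    """Toy symmetric encryption (keystream XOR). The attack never needs to
    break it; it only needs A to compute it on the attacker's behalf."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


D = E   # XOR stream: decryption is the same operation


def _name(n: str) -> bytes:
    return n.encode().ljust(NAME_LEN, b"\x00")


class Party:
    def __init__(self, name: str, shared: dict, explicit_names: bool):
        self.name, self.shared, self.explicit = name, shared, explicit_names
        self.pending = {}            # peer -> nonce NA sent in message 1

    def initiate(self, peer: str):
        """Message 1: A -> B: A, NA."""
        na = os.urandom(NONCE_LEN)
        self.pending[peer] = na
        return self.name, na

    def respond(self, initiator: str, na: bytes) -> bytes:
        """Message 2: E(KAB, [NA, K'AB]); fixed form E(KAB, [initiator, responder, NA, K'AB])."""
        k_new = os.urandom(KEY_LEN)
        payload = na + k_new
        if self.explicit:
            payload = _name(initiator) + _name(self.name) + payload
        return E(self.shared[initiator], payload)

    def accept_message2(self, peer: str, ct: bytes) -> bool:
        """Initiator's check of message 2: names (if present) and the echoed nonce."""
        p = D(self.shared[peer], ct)
        if self.explicit:
            if p[:NAME_LEN] != _name(self.name) or p[NAME_LEN:2 * NAME_LEN] != _name(peer):
                return False
            p = p[2 * NAME_LEN:]
        return p[:NONCE_LEN] == self.pending.get(peer)


KAB = b"\x11" * 16   # constructed long-term key shared by A and B


def reflection_attack(explicit_names: bool) -> bool:
    """C, posing as B, gets A to encrypt her own challenge. Returns True if A is fooled."""
    a = Party("A", {"B": KAB}, explicit_names)
    _, na = a.initiate("B")              # 1.  A -> C(B): A, NA
    ct = a.respond("B", na)              # 1'. C(B) -> A: B, NA ; 2'. A -> C(B): E(KAB, [..NA, K'AB])
    return a.accept_message2("B", ct)    # 2.  C(B) -> A: the same ciphertext, replayed into run 1


def honest_run(explicit_names: bool) -> bool:
    """Sanity check: a genuine B is accepted in both protocol variants."""
    a = Party("A", {"B": KAB}, explicit_names)
    b = Party("B", {"A": KAB}, explicit_names)
    who, na = a.initiate("B")
    return a.accept_message2("B", b.respond(who, na))


if __name__ == "__main__":
    print("flawed protocol, A fooled:", reflection_attack(False))
    print("fixed protocol, A fooled: ", reflection_attack(True))
```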

4.13 A typical PKI consists of seven core components. These are briefly described below:
1. Digital certificates (public-key certificates, X.509 certificates): A digital certificate is a signed data structure that binds one or more attributes of an entity with its corresponding public key. By being signed by a recognized and trusted authority (i.e. the Certification Authority) a digital certificate provides assurance that a particular public key belongs to a specific entity (and that the entity possesses the corresponding private key).
2. Certification Authority (CA): Certification Authorities are the people, processes and tools that are responsible for the creation, issue and management of public-key certificates that are used within a PKI.
3. Registration Authority (RA): Registration Authorities are the people, processes and tools that are responsible for authenticating the identity of new entities (users or computing devices) that require certificates from CAs. RAs additionally maintain local registration data and initiate renewal or revocation processes for old or redundant certificates. They act as agents of CAs (and in that regard can carry out some of the functions of a CA if required).
4. Certificate repository: A database, or other store, which is accessible to all users of a PKI, within which public-key certificates, certificate revocation information and policy information can be held.
5. PKI client software: Client-side software is required to ensure PKI entities are able to make use of the key and digital certificate management services of a PKI (e.g. key creation, automatic key update and refreshment).
6. PKI-enabled applications: Software applications must be PKI-enabled before they can be used within a PKI. Typically this involves modifying an application so that it can understand and make use of digital certificates (e.g. to authenticate a remote user and authenticate itself to a remote user).
7. Policy (Certificate Policy and Certification Practice Statement): Certificate Policies and Certification Practice Statements are policy documents that define the procedures and practices to be employed in the use, administration and management of certificates within a PKI.
4.14 The primary weakness of symmetric encryption algorithms is keeping the single key secure. Known as key management, it poses a number of significant challenges. If a user wants to send an encrypted message to another using symmetric encryption, he must be sure that she has the key to decrypt the message. How should the first user get the key to the second user? He would not want to send it electronically through the Internet, because that would make it vulnerable to eavesdroppers. Nor can he encrypt the key and send it, because the recipient would need some way to decrypt the key. And even if he can get the key securely to the other user, how can he be certain that an attacker has not seen the key on that person's computer? Key management is a significant impediment to using symmetric encryption.
4.15 a. A requests a session key for use between A and B from the KDC. A nonce is used for challenge-response.

b. If someone manages to get an old KS, they can replay the message from step 3 to B and communicate with B, pretending to be A.

c. Timestamps included with the message can counter this vulnerability.

4.19 Adding EMK0 would allow users to generate personal session keys, which could be exchanged, avoiding the necessity of storing a key variable in a user-to-user session.

4.20 Host i has master key KMH_i with variants KMH_ij, j = 0, 1, 2:

KMH_i0: used to encrypt session keys KS.

KMH_i1: used to encrypt user master keys (at Host i).

KMH_i2: used to encrypt the cross-domain key KMH(i, j) = KMH(j, i) (Host i to Host j).

Host i stores E[KMH_i2, KMH(i, j)] and uses a translation instruction RFMK*:

RFMK*[E[KMH_i2, KMH(i, j)], E(KMH_i0, KS)] → E(KMH(i, j), KS)

A second translation function RTMK (at Host j):

RTMK[E[KMH_j2, KMH(j, i)], E(KMH(i, j), KS)] → E(KMH_j0, KS)

which may be deciphered by a user at Host j.

4.21 One solution is to add an instruction similar to RFMK of the form KEYGEN[RN, KMT_i, KMT_j]

which will interpret RN as E(KMH_0, KS) and return both E(KMT_i, KS) and E(KMT_j, KS), which are sent to the terminals i and j, respectively. RN need not be maintained at the host.

Chapter 5 Network Access Control and Cloud Security

Answers to Questions

5.1 Network access control (NAC) is an umbrella term for managing access to a network. NAC authenticates users logging into the network and determines what data they can access and actions they can perform. NAC also examines the health of the user's computer or mobile device (the endpoints).

5.2 The Extensible Authentication Protocol (EAP) acts as a framework for network access and authentication protocols. EAP provides a set of protocol messages that can encapsulate various authentication methods to be used between a client and an authentication server. EAP can operate over a variety of network and link level facilities, including point-to-point links, LANs, and other networks, and can accommodate the authentication needs of the various links and networks.

5.3 EAP-TLS (EAP-Transport Layer Security): EAP-TLS (RFC 5216) defines how the TLS protocol (described in Chapter 6) can be encapsulated in EAP messages. EAP-TTLS (EAP-Tunneled TLS) is similar to EAP-TLS except only the server has a certificate to authenticate itself to the client first. EAP-GPSK (EAP Generalized Pre-Shared Key) is an EAP method for mutual authentication and session key derivation using a Pre-Shared Key (PSK). EAP-GPSK specifies an EAP method based on pre-shared keys and employs secret key-based cryptographic algorithms. EAP-IKEv2 supports mutual authentication and session key establishment using a variety of methods.

5.4 EAPOL (EAP over LAN) is the link-layer encapsulation defined by IEEE 802.1X: it carries EAP packets directly in IEEE 802 LAN frames, such as Ethernet or Wi-Fi, with no IP layer involved, so it works before the supplicant has any network address. EAPOL enables a supplicant to communicate with an authenticator and supports the exchange of EAP packets for authentication.

5.5 IEEE 802.1X, Port-Based Network Access Control, was designed to provide access control functions for LANs.

5.6 NIST defines cloud computing as follows: A model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

5.7 Software as a service (SaaS): The capability provided to the consumer is to use the provider's applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a Web browser. Instead of obtaining desktop and server licenses for software products it uses, an enterprise obtains the same functions from the cloud service. Platform as a service (PaaS): The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. PaaS often provides middleware-style services such as database and component services for use by applications. In effect, PaaS is an operating system in the cloud. Infrastructure as a service (IaaS): The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. IaaS enables customers to combine basic computing services, such as number crunching and data storage, to build highly adaptable computer systems.

5.8 The NIST cloud computing reference architecture focuses on the requirements of "what" cloud services provide, not a "how to" design solution and implementation. The reference architecture is intended to facilitate the understanding of the operational intricacies in cloud computing. It does not represent the system architecture of a specific cloud computing system; instead it is a tool for describing, discussing, and developing a system-specific architecture using a common framework of reference.

5.9 Abuse and nefarious use of cloud computing: For many cloud providers (CPs), it is relatively easy to register and begin using cloud services, some even offering free limited trial periods. This enables attackers to get inside the cloud to conduct various attacks, such as spamming, malicious code attacks, and denial of service. Insecure interfaces and APIs: CPs expose a set of software interfaces or APIs that customers use to manage and interact with cloud services. The security and availability of general cloud services is dependent upon the security of these basic APIs. Malicious insiders: Under the cloud computing paradigm, an organization relinquishes direct control over many aspects of security and, in doing so, confers an unprecedented level of trust onto the CP. One grave concern is the risk of malicious insider activity. Cloud architectures necessitate certain roles that are extremely high-risk. Examples include CP system administrators and managed security service providers. Shared technology issues: IaaS vendors deliver their services in a scalable way by sharing infrastructure. Often, the underlying components that make up this infrastructure (CPU caches, GPUs, etc.) were not designed to offer strong isolation properties for a multi-tenant architecture. Data loss or leakage: For many clients, the most devastating impact from a security breach is the loss or leakage of data. Account or service hijacking: With stolen credentials, attackers can often access critical areas of deployed cloud computing services, allowing them to compromise the confidentiality, integrity, and availability of those services. Unknown risk profile: In using cloud infrastructures, the client necessarily cedes control to the cloud provider on a number of issues that may affect security.

Answers to Problems

5.1 Data link layer: responsible for transmitting and receiving EAP frames between the peer and authenticator. EAP layer: receives and transmits EAP packets via the lower layer, implements duplicate detection and retransmission, and delivers and receives EAP messages to and from the EAP peer and authenticator layers. EAP peer/authenticator layer: EAP peer and authenticator layers demultiplex incoming EAP packets according to their Type, and deliver them to the EAP method corresponding to that Type. EAP method layer: EAP methods implement the authentication algorithms and receive and transmit EAP messages via the EAP peer and authenticator layers. Since fragmentation support is not provided by EAP itself, this is the responsibility of EAP methods.
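To make the layering in 5.1 concrete, here is an added Python example (not from the textbook) of what the EAP layer and peer layer actually do with the RFC 3748 packet format: parse the 4-byte header (Code, Identifier, Length), demultiplex Request packets by Type to a method, use the Identifier to recognise a retransmitted Request and resend the cached Response rather than re-running the method, and answer a Request for an unsupported method with a Nak (Type 3) listing the methods the peer does support. The registered methods are constructed stubs (the Identity handler returns a fixed name, the MD5-Challenge handler a fixed response); fragmentation is left to the methods, as the answer says.

```python
import struct

CODE_REQUEST, CODE_RESPONSE, CODE_SUCCESS, CODE_FAILURE = 1, 2, 3, 4
CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
TYPE_IDENTITY, TYPE_NOTIFICATION, TYPE_NAK, TYPE_MD5 = 1, 2, 3, 4
TYPE_EAP_TLS, TYPE_EAP_TTLS = 13, 21


def build(code: int, ident: int, eap_type=None, type_data: bytes = b"") -> bytes:
    """EAP packet: Code(1) Identifier(1) Length(2, includes header) [Type(1) Type-Data]."""
    body = b"" if eap_type is None else bytes([eap_type]) + type_data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def parse(pkt: bytes) -> dict:
    """EAP layer: validate the header and split out Type for Request/Response."""
    if len(pkt) < 4:
        raise ValueError("short EAP header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 4 or length > len(pkt):
        raise ValueError("bad EAP length")
    if code not in CODES:
        raise ValueError("unknown EAP code")
    body = pkt[4:length]                 # bytes beyond Length are lower-layer padding
    if code in (CODE_REQUEST, CODE_RESPONSE):
        if not body:
            raise ValueError("Request/Response without Type")
        return {"code": CODES[code], "id": ident, "type": body[0], "data": body[1:]}
    return {"code": CODES[code], "id": ident, "type": None, "data": b""}


def is_valid(pkt: bytes) -> bool:
    try:
        parse(pkt)
        return True
    except ValueError:
        return False


class PeerLayer:
    """EAP peer layer: duplicate detection by Identifier, demultiplexing by Type."""

    def __init__(self, methods: dict):
        self.methods = methods           # Type -> callable(type_data) -> response Type-Data
        self.last_id = None
        self.last_response = None

    def handle(self, pkt: bytes):
        msg = parse(pkt)
        if msg["code"] != "Request":
            return None                  # Success/Failure end the conversation; nothing to send
        if msg["id"] == self.last_id:    # retransmitted Request: resend the cached Response
            return self.last_response
        handler = self.methods.get(msg["type"])
        if handler is None:              # unsupported method: Nak listing what we support (Types >= 4)
            resp = build(CODE_RESPONSE, msg["id"], TYPE_NAK,
                         bytes(sorted(t for t in self.methods if t >= 4)))
        else:
            resp = build(CODE_RESPONSE, msg["id"], msg["type"], handler(msg["data"]))
        self.last_id, self.last_response = msg["id"], resp
        return resp


def demo_peer() -> PeerLayer:
    """Constructed method stubs: Identity and MD5-Challenge only."""
    return PeerLayer({
        TYPE_IDENTITY: lambda data: b"alice@example.org",
        TYPE_MD5: lambda data: b"\x10" + b"\x00" * 16,     # Value-Size + 16-byte MD5 response (stub)
    })


if __name__ == "__main__":
    peer = demo_peer()
    req = build(CODE_REQUEST, 7, TYPE_IDENTITY)
    print(parse(peer.handle(req)))
    print(peer.handle(req) == peer.last_response)         # retransmit -> cached Response
    print(parse(peer.handle(build(CODE_REQUEST, 8, TYPE_EAP_TLS, b"\x20"))))   # -> Nak [4]
```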

 

Chapter 6 Transport-Level Security

Answers to Questions

6.1 The advantage of using IPSec (Figure 6.1a) is that it is transparent to end users and applications and provides a general-purpose solution. Further, IPSec includes a filtering capability so that only selected traffic need incur the overhead of IPSec processing. The advantage of using TLS is that it makes use of the reliability and flow control mechanisms of TCP. The advantage of application-specific security services (Figure 6.1c) is that the service can be tailored to the specific needs of a given application.

6.2 TLS handshake protocol; TLS change cipher spec protocol; TLS alert protocol; TLS record protocol.

6.3 Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For TLS, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session. Session: A TLS session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.

6.4 Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state. Peer certificate: An X.509v3 certificate of the peer. Compression method: The algorithm used to compress data prior to encryption. Cipher spec: Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size. Master secret: 48-byte secret shared between the client and server. Is resumable: A flag indicating whether the session can be used to initiate new connections.

6.5 Server and client random: Byte sequences that are chosen by the server and client for each connection. Server write MAC secret: The secret key used in MAC operations on data sent by the server. Client write MAC secret: The secret key used in MAC operations on data sent by the client. Server write key: The conventional encryption key for data encrypted by the server and decrypted by the client. Client write key: The conventional encryption key for data encrypted by the client and decrypted by the server. Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the TLS Handshake Protocol. Thereafter the final ciphertext block from each record is preserved for use as the IV with the following record. (This chained IV is the SSL 3.0/TLS 1.0 behaviour; because it is predictable to an attacker, TLS 1.1 and later send an explicit random IV with every CBC record instead.) Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed 2^64 - 1.

© 2017 Pearson Education, Inc., Hoboken, NJ. All rights reserved.

6.6 Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of TLS payloads. Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).

6.7 Fragmentation; compression; add MAC; encrypt; append TLS record header.

6.8 HTTPS (HTTP over TLS) refers to the combination of HTTP and TLS to implement secure communication between a Web browser and a Web server.

6.9 The initial version, SSH1, was focused on providing a secure remote logon facility to replace TELNET and other remote logon schemes that provided no security. SSH also provides a more general client/server capability and can be used for such network functions as file transfer and e-mail.

6.10 Transport Layer Protocol: Provides server authentication, data confidentiality, and data integrity with forward secrecy (i.e., if a key is compromised during one session, the knowledge does not affect the security of earlier sessions). The transport layer may optionally provide compression. User Authentication Protocol: Authenticates the user to the server. Connection Protocol: Multiplexes multiple logical communications channels over a single underlying SSH connection.
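Questions 6.5 and 6.7 together describe the sender and receiver sides of the TLS 1.2 record layer. This added Python example (not from the textbook) walks a payload through fragment, MAC, encrypt and header, using the TLS 1.2 MAC input seq_num || type || version || length || fragment (RFC 5246) and the null bulk cipher, so that only the integrity mechanism is in view. The sequence number is never transmitted, only mixed into the MAC, which is what makes a replayed or reordered record fail with bad_record_mac. The MAC key is a constructed value; a real implementation would also handle alerts and, in TLS 1.3, use an AEAD with the sequence number in the nonce instead.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 1 << 14          # TLSPlaintext fragments are at most 2^14 bytes
VERSION = b"\x03\x03"           # TLS 1.2 on the wire
APPLICATION_DATA = 23
TAG_LEN = 32                    # HMAC-SHA256
KEY = b"k" * 32                 # constructed write MAC secret (both directions share it here)


def _mac(key: bytes, seq: int, ctype: int, fragment: bytes) -> bytes:
    """TLS 1.2 record MAC: HMAC over seq_num(8) || type(1) || version(2) || length(2) || fragment."""
    header = struct.pack("!QB2sH", seq, ctype, VERSION, len(fragment))
    return hmac.new(key, header + fragment, hashlib.sha256).digest()


class WriteState:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0       # seq starts at 0 after change_cipher_spec

    def send(self, data: bytes, ctype: int = APPLICATION_DATA):
        """Fragment -> (no compression) -> MAC -> null cipher -> record header."""
        records = []
        for i in range(0, len(data), MAX_FRAGMENT):
            frag = data[i:i + MAX_FRAGMENT]
            body = frag + _mac(self.mac_key, self.seq, ctype, frag)   # null cipher: body is sent as is
            records.append(struct.pack("!B2sH", ctype, VERSION, len(body)) + body)
            self.seq += 1
        return records


class ReadState:
    def __init__(self, mac_key: bytes):
        self.mac_key, self.seq = mac_key, 0

    def receive(self, record: bytes) -> bytes:
        ctype, version, length = struct.unpack("!B2sH", record[:5])
        body = record[5:5 + length]
        if version != VERSION or len(body) != length or length < TAG_LEN:
            raise ValueError("malformed record")
        frag, tag = body[:-TAG_LEN], body[-TAG_LEN:]
        if not hmac.compare_digest(tag, _mac(self.mac_key, self.seq, ctype, frag)):
            raise ValueError("bad_record_mac")   # fatal alert in real TLS
        self.seq += 1                            # only advances on a good record
        return frag


def roundtrip(data: bytes) -> bytes:
    w, r = WriteState(KEY), ReadState(KEY)
    return b"".join(r.receive(rec) for rec in w.send(data))


def fragment_count(data: bytes) -> int:
    return len(WriteState(KEY).send(data))


def replay_is_rejected() -> bool:
    """Deliver two records, then replay the first: the receiver's seq has moved on."""
    w, r = WriteState(KEY), ReadState(KEY)
    recs = w.send(b"first") + w.send(b"second")
    for rec in recs:
        r.receive(rec)
    try:
        r.receive(recs[0])
    except ValueError:
        return True
    return False


def reorder_is_rejected() -> bool:
    """Deliver the second record before the first."""
    w, r = WriteState(KEY), ReadState(KEY)
    recs = w.send(b"first") + w.send(b"second")
    try:
        r.receive(recs[1])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(roundtrip(b"hello, record layer"))
    print("records for 2^14+1 bytes:", fragment_count(b"x" * (MAX_FRAGMENT + 1)))
    print("replay rejected:", replay_is_rejected(), "reorder rejected:", reorder_is_rejected())
```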

 

Chapter 7 Wireless Network

Security

Answers to Questions

7.1 Basic service set.

7.2 Two or more basic service sets interconnected by a distribution system.

7.3 Association: Establishes an initial association between a station and an AP. Authentication: Used to establish the identity of stations to each other. Deauthentication: This service is invoked whenever an existing authentication is to be terminated. Disassociation: A notification from either a station or an AP that an existing association is terminated. A station should give this notification before leaving an ESS or shutting down. Distribution: used by stations to exchange MAC frames when the frame must traverse the DS to get from a station in one BSS to a station in another BSS. Integration: enables transfer of data between a station on an IEEE 802.11 LAN and a station on an integrated IEEE 802.x LAN. MSDU delivery: delivery of MAC service data units. Privacy: Used to prevent the contents of messages from being read by other than the intended recipient. Reassociation: Enables an established association to be transferred from one AP to another, allowing a mobile station to move from one BSS to another.

7.4 It may or may not be.

7.5 Mobility refers to the types of physical transitions that can be made by a mobile node within an 802.11 environment (no transition, movement from one BSS to another within an ESS, movement from one ESS to another). Association is a service that allows a mobile node that has made a transition to identify itself to the AP within a BSS so that the node can participate in data exchanges with other mobile nodes.

7.6 IEEE 802.11i addresses three main security areas: authentication, key management, and data transfer privacy.

 

7.1 Because WEP works by XORing the data with an RC4 keystream to get the ciphertext, bit flipping survives the encryption process. Flipping a bit in the ciphertext flips the same bit in the recovered plaintext, and vice versa.
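An added Python example (not from the textbook) of the bit-flipping attack in problem 7.1 on a WEP-style frame: an RC4 keystream, seeded with IV || key, is XORed over plaintext || ICV, where the ICV is the CRC-32 of the plaintext. The attacker does not know the key. Flipping bits of the ciphertext flips the same bits of the plaintext, and because CRC-32 is affine (crc(x ⊕ d) = crc(x) ⊕ crc(d) ⊕ crc(0…0) for equal lengths) the encrypted ICV can be patched to match, so the forged frame passes the integrity check; a flip without the patch is caught. Key, IV and payload are constructed values.

```python
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of the given length (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")     # WEP ICV: CRC-32 of the plaintext


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (3 bytes, in clear) || RC4(IV || key) xor (plaintext || ICV)."""
    return iv + xor(plaintext + icv(plaintext), rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok)."""
    iv, body = frame[:3], frame[3:]
    pt = xor(body, rc4(iv + key, len(body)))
    data, tag = pt[:-4], pt[-4:]
    return data, icv(data) == tag


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Attacker, without the key: XOR `delta` into the plaintext and fix the ICV.
    CRC-32 is affine, so crc(P xor delta) = crc(P) xor crc(delta) xor crc(0^n)."""
    iv, body = frame[:3], frame[3:]
    n = len(body) - 4
    if len(delta) != n:
        raise ValueError("delta must cover the whole plaintext")
    icv_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return iv + xor(body, delta + icv_delta)


def naive_flip(frame: bytes, delta: bytes) -> bytes:
    """Same flip but leaving the encrypted ICV alone: the receiver's check fails."""
    iv, body = frame[:3], frame[3:]
    return iv + xor(body, delta + bytes(4))


if __name__ == "__main__":
    KEY, IV = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"          # constructed WEP-40 key and IV
    frame = wep_encrypt(KEY, IV, b"pay 100 to bob")
    delta = xor(b"pay 100 to bob", b"pay 900 to bob")           # attacker knows/guesses the layout
    print(wep_decrypt(KEY, flip_bits(frame, delta)))             # (b'pay 900 to bob', True)
    print(wep_decrypt(KEY, naive_flip(frame, delta)))            # (b'pay 900 to bob', False)
```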

 

Chapter 8 Electronic Mail Security

Answers to Questions

8.1 RFC 5321 defines the fields in the outer SMTP envelope of an email message. RFC 5322 defines the Internet Message Format, which is the format of the email message inside the SMTP envelope.

8.2 SMTP encapsulates an email message in an envelope and is used to relay the encapsulated messages from source to destination through multiple MTAs. Multipurpose Internet Mail Extensions (MIME) is an extension to the RFC 5322 framework that is intended to address some of the problems and limitations of the use of Simple Mail Transfer Protocol (SMTP) or some other mail transfer protocol and RFC 5322 for electronic mail. MIME defines a number of content formats and transfer encodings.

8.3 Content-Type: Describes the data contained in the body with sufficient detail that the receiving user agent can pick an appropriate agent or mechanism to represent the data to the user or otherwise deal with the data in an appropriate manner.

Content-Transfer-Encoding: Indicates the type of transformation that has been used to represent the body of the message in a way that is acceptable for mail transport.

8.4 Base64 is an encoding scheme for binary data. Each group of three octets of binary data is mapped into four ASCII characters.

8.5 Many electronic mail systems only permit the use of blocks consisting of ASCII text.

8.6 S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.

8.7 Authentication, confidentiality, e-mail compatibility, and compression.

8.8 A detached signature is useful in several contexts. A user may wish to maintain a separate signature log of all messages sent or received. A detached signature of an executable program can detect subsequent virus infection. Finally, detached signatures can be used when more than one party must sign a document, such as a legal contract. Each person's signature is independent and therefore is applied only to the document. Otherwise, signatures would have to be nested, with the second signer signing both the document and the first signature, and so on.

8.9 DomainKeys Identified Mail (DKIM) is a specification for cryptographically signing e-mail messages, permitting a signing domain to claim responsibility for a message in the mail stream.

Answers to Problems
8.1 If the mail data itself contains the character sequence <CR><LF>.<CR><LF>, the SMTP client will insert an additional period at the beginning of the line, thus transmitting it as <CR><LF>..<CR><LF>. The receiving server removes the extra period again; without this transparency rule, a body line consisting of a single period would be taken by the server as the end of the DATA command.

8.2 Post Office Protocol (POP3): POP3 allows an email client (user agent) to download an email from an email server (MTA). POP3 user agents connect via TCP to the server (typically port 110). The user agent enters a username and password (either stored internally for convenience or entered each time by the user for stronger security). After authorization, the UA can issue POP3 commands to retrieve and delete mail.

As with POP3, Internet Message Access Protocol (IMAP) also enables an email client to access mail on an email server. IMAP also uses TCP, with server TCP port 143. IMAP is more complex than POP3. IMAP provides stronger authentication than POP3 and provides other functions not supported by POP3.
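The dot-stuffing rule from the SMTP answer above, as an added example (not part of the manual's answer). It shows both sides of the transparency rule and what happens when a client skips it: the server ends DATA at the first bare period line and parses whatever follows as its next command. The message text is constructed for the demonstration.

```python
"""SMTP transparency (dot-stuffing), RFC 5321 section 4.5.2.

Added example; the message below is constructed for the demonstration.
"""

CRLF = "\r\n"
END_OF_DATA = CRLF + "." + CRLF   # the sequence that terminates DATA


def dot_stuff(body: str) -> str:
    """Client side: prefix every body line that starts with '.' with one more '.'."""
    lines = body.split(CRLF)
    return CRLF.join("." + line if line.startswith(".") else line for line in lines)


def dot_unstuff(wire_body: str) -> str:
    """Server side: drop the leading '.' the client inserted on stuffed lines."""
    lines = wire_body.split(CRLF)
    return CRLF.join(line[1:] if line.startswith(".") else line for line in lines)


def frame_data(body: str, stuff: bool = True) -> str:
    """Bytes sent after the server's 354 reply: the (stuffed) body followed by
    the terminator line. stuff=False exists only to show the failure mode of a
    client that skips transparency."""
    if not body.endswith(CRLF):
        body += CRLF
    wire = dot_stuff(body) if stuff else body
    return wire + "." + CRLF


def receive_data(wire: str):
    """Server side: return (message, leftover). The server scans for the first
    <CRLF>.<CRLF>; everything after it is no longer message data and is parsed
    as the next SMTP command. The leading CRLF of the probe models the line
    boundary that precedes the first body line."""
    probe = CRLF + wire
    end = probe.find(END_OF_DATA)
    if end < 0:
        raise ValueError("DATA not terminated")
    raw_body = probe[len(CRLF):end]
    leftover = probe[end + len(END_OF_DATA):]
    return dot_unstuff(raw_body) + CRLF, leftover


# Constructed message whose body contains a line consisting only of '.'
MESSAGE = ("Subject: test" + CRLF + CRLF + "first line" + CRLF
           + "." + CRLF + "QUIT" + CRLF)


def demo():
    """What the server reconstructs with and without dot-stuffing."""
    good_msg, good_rest = receive_data(frame_data(MESSAGE))
    bad_msg, bad_rest = receive_data(frame_data(MESSAGE, stuff=False))
    return {
        "stuffed_wire": frame_data(MESSAGE),
        "stuffed_roundtrip_ok": good_msg == MESSAGE and good_rest == "",
        "unstuffed_message": bad_msg,     # truncated at the bare '.' line
        "unstuffed_leftover": bad_rest,   # 'QUIT...' is now parsed as a command
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, repr(value))
```

The leftover in the unstuffed case is the practical reason the rule matters: a body that contains a bare period line, or that is allowed to contain one by a careless client, lets the sender's data be interpreted as SMTP commands on the receiving side.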

8.3 The signature should be generated before compression for two reasons:
  1. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. If one signed a compressed document, then it would be necessary either to store a compressed version of the message for later verification or to recompress the message when verification is required.
  2. Even if one were willing to generate dynamically a recompressed message for verification, the typical lossless compression algorithm presents a difficulty. The algorithm usually is not deterministic; various implementations of the algorithm achieve different tradeoffs in running speed versus compression ratio and, as a result, produce different compressed forms. However, these different compression algorithms are interoperable because any version of the algorithm can correctly decompress the output of any other version. Applying the hash function and signature after compression would constrain all S/MIME implementations to the same version of the compression algorithm.

8.4 Basically, the DNS can scale well with the growth of the Internet. A centralized database such as the HOSTS.TXT system would not be appropriate for today's Internet, as the file, and hence the costs of its distribution, would be too large. Because of its distributed nature, the DNS allows organizations to manage their own domain space, while the old HOSTS.TXT system required changes to be submitted to the maintainer of the centralized database, something unthinkable for a huge international network such as today's Internet.

8.5 We trust this owner, but that does not necessarily mean that we can trust that we are in possession of that owner's public key.

8.6 In X.509 there is a hierarchy of Certificate Authorities. Another difference is that in X.509 users will only trust Certificate Authorities while in PGP users can trust other users.

8.7 This is just another form of the birthday paradox discussed in Appendix U. Let us state the problem as one of determining what number of session keys must be generated so that the probability of a duplicate is greater than 0.5. From Equation (6) in Appendix U, we have the approximation

$k \approx 1.18 \times \sqrt{n}$

For a 128-bit key, there are $2^{128}$ possible keys. Therefore

$k \approx 1.18 \times \sqrt{2^{128}} = 1.18 \times 2^{64}$
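The sign-before-compress argument above, as an added example (not from the manual). Deflate is deterministic for one implementation with fixed settings; the variation the answer describes arises across implementations and parameter choices, which zlib's compression levels and strategies reproduce here. An HMAC over SHA-256 stands in for the RSA signing operation so the block needs no third-party library; the key and message are constructed.

```python
"""Why the signature is computed before compression.

Added example, not from the text. HMAC-SHA256 plays the role of the private-key
signature; key and message are constructed.
"""
import hashlib
import hmac
import zlib

SIGNING_KEY = b"constructed-demo-key-not-a-real-private-key"

# Constructed message with enough repetition for deflate to find matches.
MESSAGE = (b"Subject: contract\r\n\r\n"
           + b"The meeting is at 10:00. Bring the signed contract.\r\n" * 40)


def sign(data: bytes) -> bytes:
    """Sign hash(data); the HMAC stands in for the private-key operation."""
    return hmac.new(SIGNING_KEY, hashlib.sha256(data).digest(), hashlib.sha256).digest()


def verify(data: bytes, signature: bytes) -> bool:
    return hmac.compare_digest(sign(data), signature)


def compress_variants(data: bytes):
    """Conforming deflate encoders differ in output: levels 1 and 9 trade speed
    for ratio, Z_HUFFMAN_ONLY skips LZ77 matching, Z_FIXED uses the fixed
    Huffman tables. Every variant decompresses to the same bytes."""
    variants = [zlib.compress(data, 1), zlib.compress(data, 9)]
    for strategy in (zlib.Z_HUFFMAN_ONLY, zlib.Z_FIXED):
        co = zlib.compressobj(level=6, strategy=strategy)
        variants.append(co.compress(data) + co.flush())
    return variants


def sign_then_compress(data: bytes):
    """S/MIME order: signature over the plaintext, then compress for transport."""
    return zlib.compress(data, 6), sign(data)


def verify_after_decompress(compressed: bytes, signature: bytes) -> bool:
    """Receiver: decompress with whatever decoder it has, then verify."""
    return verify(zlib.decompress(compressed), signature)


def demo():
    variants = compress_variants(MESSAGE)
    distinct = set(variants)
    # Signing the compressed form ties verification to one encoder's output.
    sig_over_compressed = sign(variants[0])
    other_encoder_output = next(v for v in variants if v != variants[0])
    compressed, sig = sign_then_compress(MESSAGE)
    return {
        "distinct_compressed_forms": len(distinct),
        "all_decompress_equal": all(zlib.decompress(v) == MESSAGE for v in variants),
        "sign_after_compress_verifies_other_encoder": verify(other_encoder_output, sig_over_compressed),
        "sign_before_compress_verifies": verify_after_decompress(compressed, sig),
    }


if __name__ == "__main__":
    print(demo())
```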

8.8 Again, we are dealing with a birthday-paradox phenomenon. We need to calculate the value for:

$P(n, k) = \Pr[\text{at least one duplicate in } k \text{ items, with each item able to take on one of } n \text{ equally likely values between 1 and } n]$

In this case, $k = N$ and $n = 2^{64}$. Using equation (5) of Appendix U:
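The birthday-bound arithmetic behind the two problems above (the $1.18\sqrt{n}$ rule and $P(n,k)$ for $n = 2^{64}$), as an added example that is not part of the manual. It uses the standard approximation $P(n,k) \approx 1 - e^{-k(k-1)/2n}$, its inverse, and the exact product formula for small cases to show how tight the approximation is; the practitioner-facing function is the last one, which answers how many random 64-bit identifiers can be issued before the collision probability exceeds a chosen bound.

```python
"""Birthday-bound calculations (added example, not from the text)."""
import math


def p_duplicate_approx(n: int, k: int) -> float:
    """Probability of at least one duplicate among k items drawn from n values:
    P(n, k) ~ 1 - exp(-k(k-1)/(2n))."""
    return 1.0 - math.exp(-(k * (k - 1)) / (2 * n))


def p_duplicate_exact(n: int, k: int) -> float:
    """Exact value, feasible only for small k: 1 - prod_{i<k} (n - i)/n."""
    no_dup = 1.0
    for i in range(k):
        no_dup *= (n - i) / n
    return 1.0 - no_dup


def items_for_probability(n: int, p: float) -> float:
    """Inverse of the approximation: k ~ sqrt(2 n ln(1/(1-p))).
    For p = 0.5 this is sqrt(2 ln 2) * sqrt(n) = 1.18 * sqrt(n)."""
    return math.sqrt(2 * n * (-math.log1p(-p)))


def session_keys_for_half(bits: int) -> float:
    """Keys to generate before a duplicate is more likely than not."""
    return items_for_probability(2 ** bits, 0.5)


def demo():
    return {
        "exact_365_23": p_duplicate_exact(365, 23),
        "approx_365_23": p_duplicate_approx(365, 23),
        # 128-bit keys: the answer above, expressed as a multiple of 2^64
        "keys_128bit_over_2^64": session_keys_for_half(128) / 2 ** 64,
        # 64-bit values, N = 2^32 items: already ~39% chance of a collision
        "p_dup_64bit_N_2^32": p_duplicate_approx(2 ** 64, 2 ** 32),
        # how many 64-bit identifiers keep the collision chance below 2^-32
        "safe_ids_64bit_p_2^-32": items_for_probability(2 ** 64, 2 ** -32),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The last figure is the one that matters when sizing nonces or session identifiers: with 64-bit values only about 2^16.5 (roughly 93,000) can be issued under one key before the collision probability reaches 2^-32, which is why 96- or 128-bit random nonces are the norm.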

 

 

    
    
 

 

8.9 a. Not at all. The message digest is encrypted with the sender's private key. Therefore, anyone in possession of the public key can decrypt it and recover the entire message digest.

b. The probability that a message digest decrypted with the wrong key would have an exact match in the first 16 bits with the original message digest is $2^{-16}$.

8.10 It certainly provides more security than a monoalphabetic substitution. Because we are treating the plaintext as a string of bits and encrypting 6 bits at a time, we are not encrypting individual characters. Therefore, the frequency information is lost, or at least significantly obscured.

8.11 a. The first step is to convert the characters into 8-bit ASCII with zero parity. Consulting the table in Appendix Q, we have the following correspondence:

p 01110000   l 01101100   a 01100001   i 01101001   n 01101110
t 01110100   e 01100101   x 01111000   t 01110100

Next, we block these off into groups of 6 bits, show the 6-bit decimal value, and do the encoding.

011100 000110 110001 100001 011010 010110 111001 110100
  28     6      49     33     26     22     57     52
  c      G      x      h      a      W      5      0

011001 010111 100001 110100
  25     23     33     52
  Z      X      h      0

So the radix-64 encoding is cGxhaW50ZXh0

b. All of the characters are "safe", so the quoted-printable encoding is simply plaintext
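The two encodings worked by hand above, written out as an added example (not part of the manual). The radix-64 encoder reproduces the 6-bit grouping shown for "plaintext" and adds the padding case the hand calculation did not need; the quoted-printable encoder implements the RFC 2045 rules for which bytes are "safe", for trailing white space, and for soft line breaks. The standard-library base64 and quopri modules are used only as an oracle to cross-check the results.

```python
"""Radix-64 and quoted-printable encoders (added example, not from the text)."""
import base64
import quopri
import re
import string

RADIX64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def sextets(data: bytes):
    """Split the bit string of data into 6-bit groups, zero-padded at the end."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 6)
    return [int(bits[i:i + 6], 2) for i in range(0, len(bits), 6)]


def radix64_encode(data: bytes) -> str:
    """Map each 6-bit value to the alphabet, then pad with '=' so the output
    length is a multiple of four characters."""
    out = "".join(RADIX64_ALPHABET[v] for v in sextets(data))
    return out + "=" * (-len(data) % 3)


def soft_wrap(encoded: str, limit: int = 76) -> str:
    """Insert '=' soft line breaks so no encoded line exceeds limit characters,
    never splitting an =XX escape."""
    tokens = re.findall(r"=[0-9A-F]{2}|.", encoded)
    lines, cur = [], ""
    for tok in tokens:
        if len(cur) + len(tok) > limit - 1:   # leave room for the '='
            lines.append(cur + "=")
            cur = ""
        cur += tok
    lines.append(cur)
    return "\r\n".join(lines)


def qp_encode_line(line: bytes) -> str:
    """Quoted-printable for one line: printable ASCII other than '=' is
    literal; space and tab are literal except at end of line; all else is =XX."""
    out = []
    last = len(line) - 1
    for i, b in enumerate(line):
        literal = (33 <= b <= 126 and b != 0x3D) or (b in (0x20, 0x09) and i < last)
        out.append(chr(b) if literal else "=%02X" % b)
    return soft_wrap("".join(out))


def qp_encode(data: bytes) -> str:
    lines = data.replace(b"\r\n", b"\n").split(b"\n")
    return "\r\n".join(qp_encode_line(line) for line in lines)


def demo():
    word = b"plaintext"
    sample = b"caf\xc3\xa9 = ok "      # non-ASCII bytes, '=', and a trailing space
    wrapped = qp_encode(b"x" * 100)
    return {
        "sextets": sextets(word),
        "radix64": radix64_encode(word),
        "radix64_matches_stdlib": all(
            radix64_encode(x) == base64.b64encode(x).decode()
            for x in (word, b"", b"a", b"ab", b"\x00\xff\x10\x80")),
        "qp_plaintext": qp_encode(word),
        "qp_sample": qp_encode(sample),
        "qp_matches_stdlib": qp_encode(sample) == quopri.encodestring(sample).decode(),
        "qp_wrap_ok": all(len(l) <= 76 for l in wrapped.split("\r\n"))
                      and quopri.decodestring(wrapped.encode()) == b"x" * 100,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```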

8.12

                                              Requires PKIX validation   Does not require PKIX validation
TLSA RR contains a trust anchor that
issued one of the certificates                PKIX-TA (usage 0)          DANE-TA (usage 2)

TLSA RR matches an end entity, or
leaf, certificate                             PKIX-EE (usage 1)          DANE-EE (usage 3)

The certificate usage values are those of RFC 6698; the names are the RFC 7218 mnemonics.

 

Chapter 9 IP Security

Answers to Questions

  1. Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. Establishing extranet and intranet connectivity with partners: IPsec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPsec enhances that security.

  2. Access control; connectionless integrity; data origin authentication; rejection of replayed packets (a form of partial sequence integrity); confidentiality (encryption); and limited traffic flow confidentiality.
  3. A security association is uniquely identified by three parameters: Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed. IP Destination Address: Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router. Security Protocol Identifier: This indicates whether the association is an AH or ESP security association.

A security association is normally defined by the following parameters:

Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers, described in Section 9.3 (required for all implementations). Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations). Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay, described in Section 9.3 (required for all implementations). AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations). ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations). Lifetime of this Security Association: A time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur (required for all implementations). IPsec Protocol Mode: Tunnel, transport, or wildcard (required for all implementations). These modes are discussed later in this section. Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations).

  4. Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. Tunnel mode provides protection to the entire IP packet.
  5. A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transm it to the intended destination. The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence.
  6. 1. If an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., the multiple of a single block for a block cipher), the Padding field is used to expand the plaintext (consisting of the Payload Data, Padding, Pad Length, and Next Header fields) to the required length. 2. The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment. 3. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.
  7. Transport adjacency: Refers to applying more than one security protocol to the same IP packet, without invoking tunneling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit since the processing is performed at one IPsec instance: the (ultimate) destination. Iterated tunneling: Refers to the application of multiple layers of security protocols effected through IP tunneling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPsec site along the path.

  8. Oakley is a key exchange protocol based on the Diffie-Hellman algorithm but providing added security. Oakley is generic in that it does not dictate specific formats. ISAKMP provides a framework for Internet key management and provides the specific protocol support, including formats, for negotiation of security attributes.

Answers to Problems

9.1 row 1: Traffic between this host and any other host, both using port 500 and using UDP, bypasses IPsec. This is used for IKE traffic.

row 2: ICMP messages to or from any remote address are error messages, and bypass IPsec.

row 3: Traffic between 1.2.3.101 and 1.2.3.0/24 is intranet traffic and must be protected by ESP, with the exception of traffic defined in earlier rows.

row 4: TCP traffic between this host (1.2.3.101) and the server (1.2.4.10) on server port 80 is ESP protected.

row 5: TCP traffic between this host (1.2.3.101) and the server (1.2.4.10) on server port 443 is already protected by TLS and so can bypass IPsec, avoiding double encryption.

row 6: Any other traffic between 1.2.3.101 and the 1.2.4.0/24 DMZ subnet is prohibited and is discarded.

row 7: Any other traffic from 1.2.3.101 goes to the Internet and bypasses IPsec.
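The ordered, first-match evaluation that the "with the exception of traffic defined in earlier rows" remark relies on, as an added example (not part of the manual). The seven entries transcribe the rows discussed above; the example assumes server port 443 for the TLS row and the 1.2.4.0/24 DMZ prefix for the discard row, and the packet 5-tuples it evaluates are constructed. RFC 4301 requires SPD entries to be evaluated in order and a packet matching no entry to be discarded, which the lookup implements.

```python
"""First-match SPD lookup for the host SPD of problem 9.1 (added example)."""
import ipaddress

LOCAL = "1.2.3.101"
ANY = "*"

# (protocol, local address, local port, remote address/prefix, remote port, action)
SPD = [
    ("udp",  LOCAL, 500, ANY,          500, "BYPASS"),   # row 1: IKE
    ("icmp", LOCAL, ANY, ANY,          ANY, "BYPASS"),   # row 2: error messages
    (ANY,    LOCAL, ANY, "1.2.3.0/24", ANY, "PROTECT"),  # row 3: intranet, ESP transport
    ("tcp",  LOCAL, ANY, "1.2.4.10",   80,  "PROTECT"),  # row 4: web server, ESP
    ("tcp",  LOCAL, ANY, "1.2.4.10",   443, "BYPASS"),   # row 5: already TLS (assumed port)
    (ANY,    LOCAL, ANY, "1.2.4.0/24", ANY, "DISCARD"),  # row 6: rest of DMZ (assumed prefix)
    (ANY,    LOCAL, ANY, ANY,          ANY, "BYPASS"),   # row 7: Internet
]


def _addr_match(selector: str, addr: str) -> bool:
    if selector == ANY:
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(selector, strict=False)


def _match(selector, value) -> bool:
    return selector == ANY or selector == value


def lookup(proto: str, local: str, lport, remote: str, rport):
    """Return (row number, action) for the first entry that matches the packet.
    Ports are None for protocols without ports (ICMP). A packet matching no
    entry is discarded, as RFC 4301 requires."""
    for row, (p, la, lp, ra, rp, action) in enumerate(SPD, start=1):
        if (_match(p, proto) and _addr_match(la, local) and _match(lp, lport)
                and _addr_match(ra, remote) and _match(rp, rport)):
            return row, action
    return None, "DISCARD"


if __name__ == "__main__":
    # IKE to an intranet host hits row 1 before row 3: order is what makes IKE work
    print(lookup("udp", LOCAL, 500, "1.2.3.50", 500))
    print(lookup("tcp", LOCAL, 40000, "1.2.4.10", 8080))
```

Swapping rows 1 and 3 would send IKE itself into "PROTECT", which can never succeed because no SA exists yet; that is the kind of ordering bug a policy review should look for.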

9.2

(a) Before applying AH

IPv4:  | orig IP hdr | TCP | Data |
IPv6:  | orig IP hdr | extension headers (if present) | TCP | Data |

(b) Transport mode (authenticated except for mutable fields)

IPv4:  | orig IP hdr | AH | TCP | Data |
IPv6:  | orig IP hdr | hop-by-hop, dest, routing, fragment | AH | dest | TCP | Data |

(c) Tunnel mode (authenticated except for mutable fields in the new IP header and its extension headers)

IPv4:  | new IP hdr | AH | orig IP hdr | TCP | Data |
IPv6:  | new IP hdr | ext headers | AH | orig IP hdr | ext headers | TCP | Data |

9.3 AH provides access control, connectionless integrity, data origin authentication, and rejection of replayed packets. ESP provides all of these plus confidentiality and limited traffic flow confidentiality.

 

9.4 a. Immutable: Version, Internet Header Length, Total Length, Identification, Protocol (this should be the value for AH), Source Address, Destination Address (without loose or strict source routing). None of these are changed by routers in transit.

Mutable but predictable: Destination Address (with loose or strict source routing). At each intermediate router designated in the source routing list, the Destination Address field is changed to indicate the next designated address. However, the source routing field contains the information needed for doing the MAC calculation.

Mutable (zeroed prior to ICV calculation): Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL), Header Checksum. TOS may be altered by a router to reflect a reduced service. Flags and Fragment Offset are altered if a router performs fragmentation. TTL is decreased at each router. The Header Checksum changes if any of these other fields change.

b. Immutable: Version, Payload Length, Next Header (this should be the value for AH), Source Address, Destination Address (without Routing Extension Header)

Mutable but predictable: Destination Address (with Routing Extension Header)

Mutable (zeroed prior to ICV calculation): Class, Flow Label, Hop Limit

c. IPv6 options in the Hop-by-Hop and Destination Extension Headers contain a bit that indicates whether the option might change (unpredictably) during transit.

Mutable but predictable: Routing

Not Applicable: Fragmentation occurs after outbound IPsec processing and reassembly occurs before inbound IPsec processing, so the Fragmentation Extension Header, if it exists, is not seen by IPsec.
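The IPv4 part of the answer above in runnable form, as an added example (not part of the manual): the AH integrity check value is computed over the IP header with the mutable fields zeroed, the AH header with its ICV field zeroed, and the payload, so a router's TTL decrement and checksum update leave the ICV valid while a rewrite of an immutable field such as the destination address does not. Assumptions: a 20-byte header with no options (so the destination address is immutable), HMAC-SHA1-96 from RFC 2404 as the integrity algorithm, and constructed addresses, key and payload.

```python
"""AH ICV over IPv4 with mutable fields zeroed (added example, not from the text).

Assumes no IP options, HMAC-SHA1-96 (RFC 2404); addresses, key and payload are
constructed.
"""
import hashlib
import hmac
import socket
import struct

AH_PROTO = 51
AH_FIXED_LEN = 12          # next hdr, payload len, reserved, SPI, sequence number
ICV_LEN = 12               # 96-bit truncated HMAC-SHA1


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, payload_len: int, ttl: int = 64, tos: int = 0) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + payload_len, 0x1234, 0x4000,
                      ttl, AH_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_ipv4(header: bytes) -> bytes:
    """TOS, flags/fragment offset, TTL and header checksum may change in
    transit and are zeroed for the ICV; with no options, nothing else may."""
    h = bytearray(header)
    h[1] = 0                 # TOS
    h[6:8] = b"\x00\x00"     # flags + fragment offset
    h[8] = 0                 # TTL
    h[10:12] = b"\x00\x00"   # header checksum
    return bytes(h)


def ah_header(next_header: int, spi: int, seq: int, icv: bytes = b"\x00" * ICV_LEN) -> bytes:
    # Payload Len is the AH length in 32-bit words minus 2: (12 + 12) / 4 - 2 = 4
    payload_len = (AH_FIXED_LEN + ICV_LEN) // 4 - 2
    return struct.pack("!BBHII", next_header, payload_len, 0, spi, seq) + icv


def compute_icv(key: bytes, ip_header: bytes, ah_zero_icv: bytes, payload: bytes) -> bytes:
    data = zero_mutable_ipv4(ip_header) + ah_zero_icv + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]


def protect(key: bytes, ip_header: bytes, next_header: int, spi: int, seq: int, payload: bytes) -> bytes:
    """Sender: AH with a zeroed ICV field, compute the ICV, then fill it in."""
    ah = ah_header(next_header, spi, seq)
    icv = compute_icv(key, ip_header, ah, payload)
    return ip_header + ah[:AH_FIXED_LEN] + icv + payload


def verify(key: bytes, packet: bytes) -> bool:
    """Receiver: split the packet, zero the ICV field, recompute and compare."""
    ah_end = 20 + AH_FIXED_LEN + ICV_LEN
    ip_header, ah, payload = packet[:20], packet[20:ah_end], packet[ah_end:]
    received_icv = ah[AH_FIXED_LEN:]
    expected = compute_icv(key, ip_header, ah[:AH_FIXED_LEN] + b"\x00" * ICV_LEN, payload)
    return hmac.compare_digest(expected, received_icv)


def _rewrite_header(packet: bytes, edit) -> bytes:
    h = bytearray(packet[:20])
    edit(h)
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h) + packet[20:]


def forward_hop(packet: bytes) -> bytes:
    """What every router does: decrement TTL, recompute the checksum."""
    def edit(h):
        h[8] -= 1
    return _rewrite_header(packet, edit)


def rewrite_destination(packet: bytes, new_dst: str) -> bytes:
    """Changing an immutable field, as a NAT or an attacker would."""
    def edit(h):
        h[16:20] = socket.inet_aton(new_dst)
    return _rewrite_header(packet, edit)


KEY = b"constructed-ah-key"
PAYLOAD = b"\x00\x50\x01\xbb" + b"constructed TCP segment"


def demo():
    ip = build_ipv4("10.0.0.1", "10.0.0.2", AH_FIXED_LEN + ICV_LEN + len(PAYLOAD))
    pkt = protect(KEY, ip, 6, 0x1000, 1, PAYLOAD)
    return {
        "valid_at_sender": verify(KEY, pkt),
        "valid_after_hop": verify(KEY, forward_hop(pkt)),
        "valid_after_dst_rewrite": verify(KEY, rewrite_destination(pkt, "10.0.0.3")),
        "valid_wrong_key": verify(b"other-key", pkt),
    }


if __name__ == "__main__":
    print(demo())
```

The destination-rewrite failure is the reason AH does not survive NAT: the translated address is covered by the ICV, so the receiver rejects the packet even though nothing malicious happened.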

9.5 a. The received packet is to the left of the window, so the packet is discarded; this is an auditable event. No change is made to window parameters.

b. The received packet falls within the window. If it is new, the MAC is checked. If the packet is authenticated, the corresponding slot in the window is marked. If it is not new, the packet is discarded. In either case, no change is made to window parameters.

c. The received packet is to the right of the window and is new, so the MAC is checked. If the packet is authenticated, the window is advanced so that this sequence number is the right edge of the window, and the corresponding slot in the window is marked. In this case, the window now spans from 120 to 540.
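The three cases of the anti-replay check above, implemented as an added example (not part of the manual) together with the sender's sequence counter from the SA parameters in the review questions. The order of the checks follows RFC 4303: left-of-window and duplicate packets are rejected before the ICV is verified, and the window is only updated after a successful verification, so an attacker cannot advance the window with forged packets. One caveat to the answer: the window has a fixed width, so when the right edge advances the left edge advances by the same amount. The window size of 64 is an assumption (RFC 4303 requires a minimum of 32 and defaults to 64); the sequence numbers are constructed.

```python
"""ESP/AH anti-replay window and sequence counter (added example, not from the text).

Window size 64 is an assumption; the sequence numbers in demo() are constructed.
"""


class SequenceCounter:
    """Sender side. The 32-bit counter must never cycle on one SA: when it is
    about to, the SA's Sequence Counter Overflow parameter requires rekeying
    (a new SA and SPI) rather than wrapping."""
    MAX = 2 ** 32 - 1

    def __init__(self):
        self.value = 0

    def next(self) -> int:
        if self.value >= self.MAX:
            raise OverflowError("sequence counter overflow: negotiate a new SA")
        self.value += 1
        return self.value


class AntiReplayWindow:
    """Receiver side. right is the highest sequence number authenticated so far;
    bit i of bitmap records whether sequence number right - i was received."""

    def __init__(self, size: int = 64):
        self.size = size
        self.right = 0
        self.bitmap = 0

    @property
    def left(self) -> int:
        return self.right - self.size + 1

    def check(self, seq: int, mac_ok: bool) -> str:
        """Returns 'accepted', 'left_of_window', 'duplicate' or 'bad_mac'."""
        if seq == 0 or seq < self.left:       # 0 is never sent on an SA
            return "left_of_window"           # auditable event, window unchanged
        if seq <= self.right:                 # inside the window
            bit = 1 << (self.right - seq)
            if self.bitmap & bit:
                return "duplicate"            # replay, window unchanged
            if not mac_ok:
                return "bad_mac"
            self.bitmap |= bit
            return "accepted"
        if not mac_ok:                        # right of the window and new
            return "bad_mac"                  # window is NOT advanced
        shift = seq - self.right              # advance; the left edge moves too
        self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
        self.right = seq
        return "accepted"


def counter_overflow_demo() -> bool:
    """True if the counter refuses to wrap past 2^32 - 1."""
    c = SequenceCounter()
    c.value = SequenceCounter.MAX - 1
    c.next()                                  # last usable sequence number
    try:
        c.next()
        return False
    except OverflowError:
        return True


def demo():
    w = AntiReplayWindow(64)
    return dict([
        ("first", w.check(100, True)),
        ("replay_100", w.check(100, True)),
        ("old_but_in_window", w.check(90, True)),
        ("replay_90", w.check(90, True)),
        ("too_old", w.check(30, True)),
        ("forged_jump", w.check(200, False)),
        ("right_edge_after_forgery", w.right),
        ("genuine_jump", w.check(200, True)),
        ("window_after_jump", (w.left, w.right)),
        ("now_too_old", w.check(100, True)),
        ("at_left_edge", w.check(137, True)),
    ])


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
    print("counter refuses to wrap:", counter_overflow_demo())
```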
9.6 From RFC 2401:

IPv4 Header Fields       Outer Header at Encapsulator       Inner Header at Decapsulator
version                  4 (1)                              no change
header length            constructed                        no change
TOS                      copied from inner header (5)       no change
total length             constructed                        no change
ID                       constructed                        no change
flags                    constructed, DF (4)                no change
fragment offset          constructed                        no change
TTL                      constructed (2)                    decrement (2)
protocol                 AH, ESP, routing header            no change
checksum                 constructed                        no change
source address           constructed (3)                    no change
destination address      constructed (3)                    no change
options                  never copied                       no change

IPv6 Header Fields       Outer Header at Encapsulator       Inner Header at Decapsulator
version                  6 (1)                              no change
class                    copied or configured (6)           no change
flow id                  copied or configured               no change
length                   constructed                        no change
next header              AH, ESP, routing header            no change
hop count                constructed (2)                    decrement (2)
source address           constructed (3)                    no change
dest address             constructed (3)                    no change
extension headers        never copied                       no change

  1. The IP version in the encapsulating header can be different from the value in the inner header.
  2. The TTL in the inner header is decremented by the encapsulator prior to forwarding and by the decapsulator if it forwards the packet.
  3. The source and destination addresses depend on the SA, which is used to determine the destination address, which in turn determines which source address (network interface) is used to forward the packet.
  4. Configuration determines whether to copy from the inner header (IPv4 only), clear or set the DF bit.
  5. If the inner header is IPv4, copy the TOS. If the inner header is IPv6, map the Class to TOS.
  6. If the inner header is IPv6, copy the Class. If the inner header is IPv4, map the TOS to Class.

 

9.7 We show the results for IPv4; IPv6 is similar.

(a) Transport adjacency: ESP transport SA applied first, then AH transport SA

| orig IP hdr | AH | ESP hdr | TCP | Data | ESP trlr |
  encrypted: TCP, Data, ESP trlr
  authenticated except for mutable fields: the whole packet (AH covers the IP header, the ESP header and the ciphertext)

(b) Transport-tunnel bundle: inner AH transport SA, outer ESP tunnel SA

| new IP hdr | ESP hdr | orig IP hdr | AH | TCP | Data | ESP trlr |
  encrypted: orig IP hdr, AH, TCP, Data, ESP trlr
  authenticated except for mutable fields: orig IP hdr, TCP, Data (by the inner AH, so the entire authenticated inner packet is encrypted)

9.8 This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service attacks. It also allows for the possibility of parallel processing of packets at the receiver, i.e., decryption can take place in parallel with authentication.

9.9 The Initial Exchanges and the CREATE_CHILD_SA Exchange.

9.10 It is an addition to the IP layer.

Chapter 10 Malicious Software

Answers to Questions

    1. The three broad mechanisms malware can use to propagate are: infection of existing executable or interpreted content by viruses that is subsequently spread to other systems; exploit of software vulnerabilities either locally or over a network by worms or drive-by-downloads to allow the malware to replicate; and social engineering attacks that convince users to bypass security mechanisms to install trojans, or to respond to phishing attacks.
    2. Four broad categories of payloads that malware may carry are: corruption of system or data files; theft of service in order to make the system a zombie agent of attack as part of a botnet; theft of information from the system, especially of logins, passwords or other personal details by keylogging or spyware programs; and stealthing, where the malware hides its presence on the system from attempts to detect and block it.
    3. The typical phases of operation of a virus or worm are: a dormant phase (when the virus is idle), a propagation phase (where it makes copies of itself elsewhere), a triggering phase (when activated), and an execution phase (to perform some target function).
    4. Some mechanisms a virus can use to conceal itself include: encryption, stealth, polymorphism, metamorphism.
    5. Machine executable viruses infect executable program files to carry out their work in a manner that is specific to a particular operating system and, in some cases, specific to a particular hardware platform. Macro viruses infect files with macro or scripting code that is used to support active content in a variety of user document types, and is interpreted by an application.
    6. A worm may access remote systems to propagate using: an electronic mail or instant messenger facility, file sharing, remote execution capability, remote file access or transfer capability, or a remote login capability.
    7. A "drive-by-download" exploits browser vulnerabilities so that when the user views a web page controlled by the attacker, it contains code that exploits some browser bug to download and install malware on the system without the user's knowledge or consent. It differs from a worm since it does not actively propagate as a worm does, but rather waits for unsuspecting users to visit the malicious web page in order to spread to their systems.
    8. A logic bomb is code embedded in the malware that is set to "explode" when certain conditions are met, such as the presence or absence of certain files or devices on the system, a particular day of the week or date, a particular version or configuration of some software, or a particular user running the application. When triggered, the bomb executes some payload carried by the malware.
    9. A backdoor is a secret entry point into a program or system that allows someone who is aware of the backdoor to gain access without going through the usual security access procedures. A bot subverts the computational and network resources of the infected system for use by the attacker. A keylogger captures keystrokes on the infected machine, to allow an attacker to monitor sensitive information including login and password credentials. Spyware subverts the compromised machine to allow monitoring of a wide range of activity on the system, including monitoring the history and content of browsing activity, redirecting certain web page requests to fake sites controlled by the attacker, and dynamically modifying data exchanged between the browser and certain web sites of interest, which can result in significant compromise of the user's personal information. A rootkit is a set of programs installed on a system to maintain covert access to that system with administrator (or root) privileges, whilst hiding evidence of its presence to the greatest extent possible. These can all be present in the same malware.
    10. A rootkit may be placed in: user mode, where it can intercept calls to APIs and modify results; in kernel mode, where it can intercept kernel API calls and hide its presence in kernel tables; in a virtual machine hypervisor, where it can then transparently intercept and modify states and events occurring in the virtualized system; or in some other external mode such as the BIOS or system management mode, where it can directly access hardware.
    11. Malware countermeasure elements include prevention, in not allowing malware to get into the system in the first place, or blocking its ability to modify the system, via policy, awareness, vulnerability mitigation and threat mitigation; detection, to determine that it has occurred and locate the malware; identification, to identify the specific malware that has infected the system; and removal, to remove all traces of the malware from all infected systems so that it cannot spread further.

    12. Three places malware mitigation mechanisms may be located are: on the infected system, where some host-based "anti-virus" program is running, monitoring data imported into the system, and the execution and behavior of programs running on the system; as part of the perimeter security mechanisms used in an organization's firewall and intrusion detection systems; or it may use distributed mechanisms that gather data from both host-based and perimeter sensors, potentially over a large number of networks and organizations, in order to obtain the largest scale view of the movement of malware.
    13. The four generations of anti-virus software are:

First generation: simple scanners that require a malware signature to identify it

Second generation: heuristic scanners use heuristic rules to search for probable malware instances, or use integrity checking to identify changed files

Third generation: activity traps that identify malware by its actions rather than its structure in an infected program

Fourth generation: full-featured protection uses packages of a variety of anti-virus techniques used in conjunction, including scanning and activity trap components.

    14. Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. The behavior blocking software then blocks potentially malicious actions before they have a chance to affect the system.
    15. A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service. When this attack comes from a single host or network node, then it is simply referred to as a DoS attack. A more serious threat is posed by a DDoS attack. In a DDoS attack, an attacker is able to recruit a number of hosts throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target.

Answers to Problems

10.1 The program will loop indefinitely once all of the executable files in the system are infected.

10.2 D is supposed to examine a program P and return TRUE if P is a computer virus and FALSE if it is not. But CV calls D. If D says that CV is a virus, then CV will not infect an executable. But if D says that CV is not a virus, it infects an executable. D always returns the wrong answer.

10.3 The original code has been altered to disrupt the signature without affecting the semantics of the code. The ineffective instructions in the metamorphic code are the second, third, fifth, sixth, and eighth.

10.4 a. The following is from Spafford, E. "The Internet Worm Program: An Analysis." Purdue Technical Report CSD-TR-823.

Common choices for passwords usually include fantasy characters, but this list contains none of the likely choices (e.g., "hobbit", "dwarf", "gandalf", "skywalker", "conan"). Names of relatives and friends are often used, and we see women's names like "jessica", "caroline", and "edwina", but no instance of the common names "jennifer" or "kathy". Further, there are almost no men's names such as "thomas" or either of "stephen" or "steven" (or "eugene"!). Additionally, none of these have the initial letters capitalized, although that is often how they are used in passwords. Also of interest, there are no obscene words in this dictionary, yet many reports of concerted password cracking experiments have revealed that there are a significant number of users who use such words (or phrases) as passwords. The list contains at least one incorrect spelling: "commrades" instead of "comrades"; I also believe that "markus" is a misspelling of "marcus". Some of the words do not appear in standard dictionaries and are non-English names: "jixian", "vasant", "puneet", etc. There are also some unusual words in this list that I would not expect to be considered common: "anthropogenic", "imbroglio", "umesh", "rochester", "fungible", "cerulean", etc.

b. Again, from Spafford:

I imagine that this list was derived from some data gathering with a limited set of passwords, probably in some known (to the author) computing environment. That is, some dictionary-based or brute-force attack was used to crack a selection of a few hundred passwords taken from a small set of machines. Other approaches to gathering passwords could also have been used: Ethernet monitors, Trojan Horse login programs, etc. However they may have been cracked, the ones that were broken would then have been added to this dictionary. Interestingly enough, many of these words are not in the standard on-line dictionary (in /usr/dict/words). As such, these words are useful as a supplement to the main dictionary-based attack the worm used as strategy #4, but I would suspect them to be of limited use before that time.

10.5 Logic bomb.

10.6 Backdoor.

10.7 The found USB memory stick may pose a range of threats to the confidentiality, integrity and availability of the work system. Each of the malware propagation mechanisms we discuss could use such a memory stick for transport. It may carry a program infected with an executable virus, or a document infected with a macro virus, which if run or opened can allow the virus to run and spread. It could carry a malicious worm that may be run automatically using the autorun capability, or by exploiting some vulnerability when the USB stick is viewed. Or it could contain a trojan horse program or file that would threaten the system if installed or allowed to run. You can mitigate these threats, and try to safely determine the contents of the memory stick, by scanning the memory stick with suitable, up-to-date anti-virus software for any signs of malware, though this will not detect unknown, zero-day exploits. You could examine the memory stick in a controlled environment, such as a live-boot Linux or other system, or in some emulation environment, which cannot be changed even if the malware does manage to run.

10.8 Observing that your home PC is responding very slowly, with high levels of network activity, may indicate the presence of malware, likely including bot code, on the system. The slow response and network traffic could be caused by it participating in a botnet, perhaps distributing spam emails, performing DDoS attacks, or other malicious activities. This malware could have gained access to the system as a result of installing some trojan program perhaps advertised in spam email or on a compromised website, from a drive-by-download, or from exploit of some vulnerability on the system by a worm. Possible steps to check whether this has occurred include examining the process/task list for unknown programs executing, looking at logs of network traffic kept by a host firewall program to see which programs are generating traffic, or scanning the system with suitable, up-to-date anti-virus software for any signs of malware, though this will not detect unknown, zero-day exploits. If you do identify malware on your PC, you may be able to restore it to safe operation using suitable, up-to-date anti-virus software, provided the malware is known. Otherwise you may have to erase all storage and rebuild the system from scratch.

10.9 If a user installs some custom codec claimed to be needed to view some videos, they may actually be installing trojan horse code. It may indeed allow viewing of the video, or may just be an excuse to compromise the system. Such code may pose a range of threats to the confidentiality, integrity and availability of the system. It may include backdoor, bot, keylogger, spyware, rootkit or indeed any other malware payloads.

10.10 If, when you download and start to install some game app, you are asked to approve the access permissions "Send SMS messages" and "Access your address-book", you should indeed be suspicious that a game wants these types of permissions, as they would not seem needed just for a game. Rather it could be malware that wants to collect details of all your contacts, and either return them to the attacker via SMS, or allow the code to send SMS messages to your contacts, perhaps enticing them to also download and install this malware. Such code is a trojan horse, since it contains covert functions as well as the advertised functionality.

10.11 If you should open the PDF attachment, then it could contain malicious scripting code that could run should you indeed select the 'Open' button. This may be either worm (specifically exploiting a client-side vulnerability) or trojan horse code. You could check your suspicions without threatening your system by using the scroll bar to examine all the code about to be executed should you select the 'Open' button, and see if it looks suspicious. You could also scan the PDF document with suitable, up-to-date anti-virus software for any signs of malware, though this will not detect unknown, zero-day exploits. This type of message is associated with a spear-phishing attack, given that the email was clearly crafted to suit the recipient. That particular e-mail would only have been sent to one or a few people for whom the details would seem plausible.

10.12 This email is attempting a general phishing attack, being sent to very large numbers of people, in the hope that a sufficient number both use the named bank and are fooled into divulging their sensitive login credentials to the attacker. The most likely mechanism used to distribute this e-mail is via a botnet using large numbers of compromised systems to generate the necessary high volumes of spam emails. You should never follow such a link in an email and supply the requested details. You should only ever access sensitive sites by directly entering their known URL into your browser. It may be appropriate to forward a copy of such emails to a relevant contact at the bank if they ask for this. Otherwise it should just be deleted.

 
