New York University CSCI-SHU MISC CS6823
Network Security Sample Final #2 Answers

1. PKI/TLS

In April 2014, a security vulnerability called Heartbleed was discovered ... which can obtain the private TLS keys from a server. Suppose Trudy used the Heartbleed bug to successfully obtain the private TLS keys from amazon.com.

1a. [4 pts] If amazon.com always uses the ciphersuite TLS_RSA_WITH_AES_256_CBC_SHA, are prior encrypted connections protected after Trudy steals the key? Explain why.

No, prior connections are not protected because this ciphersuite does not have the property of perfect forward security. Each time a TLS connection is established, the same RSA key is used for key exchange and authentication, therefore when the TLS private keys are lost, all prior connections can be decrypted.

1b. [4 pts] How can Trudy use the stolen private key to MITM a TLS connection and see encrypted data between a user and amazon.com? Explain why this cannot be easily done without the private key.

With the private key, Trudy can successfully impersonate amazon.com without causing browser errors stating that certificates are bad. This cannot be done without the private keys because the browser is supposed to detect any errors during certificate validation.

1c. [2 pts] Is it possible for a CA to issue more than one TLS certificate for amazon.com? Explain why or why not.

Yes, it’s possible because issuing certificates is not a technical limitation, and a CA is free to (and commonly does) issue multiple TLS certificates for a single domain name.

1d. [4 pts] Suppose a root CA was vulnerable to Heartbleed and lost its private keys. What can a user do to protect him or herself from being ea

2. IPSec

2a. [3 pts] How are the orders of the IPSec headers different in tunnel mode and transport mode?

In tunnel mode, the IPSec header is added to the front of the packet, while in transport mode, the IPSec header is added after the IP header, and the IP header protocol field is modified.

2b. [2 pts] In an IPSec ESP Header, why can’t the SPI be in the encrypted portion of the IPSec record?

The IPSec SPI cannot be encrypted because the receiving device needs the SPI to determine which SA this IPSec packet belongs to.

2c. [3 pts] How does IPSec stop replay attacks?

IPSec uses an authenticated sequence number in the header. If the sequence number is already seen or outside of the window, it will be dropped.
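The receiver-side check described in answer 2c, written out as an added example that is not part of the original answer key. The 64-packet window size, the class and function names, and the packet trace are assumptions made for illustration.

```python
# Added illustration; the window size of 64 is an assumed default, not from the page.
class AntiReplayWindow:
    def __init__(self, size=64):
        self.size = size
        self.top = 0      # highest sequence number authenticated so far
        self.bitmap = 0   # bit i set => sequence number (top - i) already seen

    def receive(self, seq, icv_ok):
        """Return 'accept' or the reason the packet is dropped."""
        if seq == 0:
            return "drop: invalid"           # counters start at 1
        if seq <= self.top:
            offset = self.top - seq
            if offset >= self.size:
                return "drop: outside window"
            if (self.bitmap >> offset) & 1:
                return "drop: replay"
        # The sequence number is only trusted once the integrity check passes,
        # so a forged packet can never slide the window forward.
        if not icv_ok:
            return "drop: bad ICV"
        if seq > self.top:
            shift = seq - self.top
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)
        return "accept"


# Constructed trace: (sequence number, did the integrity check verify?)
TRACE = [(1, True), (2, True), (5, True), (3, True), (5, True), (2, True),
         (100, False), (100, True), (36, True), (37, True), (100, True)]


def run(trace, size=64):
    window = AntiReplayWindow(size)
    return [window.receive(seq, ok) for seq, ok in trace]


if __name__ == "__main__":
    for (seq, ok), verdict in zip(TRACE, run(TRACE)):
        print(f"seq={seq:<4} icv_ok={ok!s:<5} -> {verdict}")
```

Late but unseen packets inside the window (3 and 37 in the trace) are still accepted, which is why the receiver keeps a bitmap rather than only the highest sequence number.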
About the document: uploaded Aug 16, 2022; 10 pages.