Notice! The role of this model answer is instructional only. Everything that is asked in the assignment may not be covered in detail. The model answer gives you the content of the answer and an idea of what it should be. The things that are important in the grading of the homework have been emphasized. Please, inform the course staff if you think that there is a mistake in the model answer!
Authentication: Is this process really Scott's process?
Authorization: Does Scott have permission to delete this file?
So the main difference is that in the first case we are interested in who we are talking with, and in the second case we ask whether that particular party has permission to do something.
This is an opinion question. All good answers are accepted. The following
things might pop up:
- The data on laptops is not (usually) encrypted
- Handheld computers nowadays hold more and more data without any protection
- How many phone numbers do you really remember?
- Do you store any important information in SMS messages?
- WLANs are not safe!!!
When an SSL connection is established, the client and server use the handshake protocol to agree on:
1) the protocol version
2) the cryptographic algorithms
3) whether they authenticate each other
4) the exchange of secrets using a public-key method.
The process is roughly as follows:

| Sender | Message |
|---|---|
| Client | Client Hello |
| Server | Server Hello |
| Server | Certificate* or Server key exchange* |
| Server | Certificate Request* |
| Server | Server Hello Done |
| Client | Certificate* or No certificate* |
| Client | Client Key Exchange |
| Client | Certificate Verify* |
| Client | Change Cipher Spec |
| Client | Finished |
| Server | Change Cipher Spec |
| Server | Finished |
| | Connection is ready. |

1) The client sends a ClientHello message to the server.
The Hello message includes:
- protocol version
- session ID
- cipher suite
- compression method
The client might also send two random values in ClientHello.random.
2) The server responds with ServerHello (which includes the same attributes as ClientHello) and ServerHello.random if needed.
3) The server might also send:
- The server's Certificate, or a ServerKeyExchange message if the server doesn't have a certificate or its certificate is only for signing.
- CertificateRequest, if the server wants to authenticate the client.
4) The server sends ServerHelloDone.
5) The client next authenticates the server: it checks that the server's certificate is valid, that the CA is trusted, and that the certificate comes from the address it should come from.
Client response:
- Certificate or no_certificate (if the server wants to authenticate the client)
- ClientKeyExchange. At this point the client generates the pre-master secret and encrypts it with the server's public key.
- A CertificateVerify message is sent, if the client has signing ability, to verify the certificate.
[ChangeCipherSpec] The client generates the master secret from the pre-master secret.
- Finished (this message is encrypted with the new algorithms and keys, and it says "I'm ready").
6) If the server wanted to authenticate the client, it checks the certificate's validity etc.
[ChangeCipherSpec] The server generates the master secret from the pre-master secret.
Server response:
- Finished (this message is encrypted with the new algorithms and keys, and it says that the server is ready).
7) The connection is ready for use.
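
The message order in steps 1 to 7 can be checked mechanically. The following is an added example, not part of the model answer: it walks a recorded transcript through the simplified flow above, skipping optional messages and rejecting anything out of order. `FLOW`, `check_handshake`, `SAMPLE` and the message labels (including `NoCertificate`) are names chosen for this sketch.

```python
# Added example: the page's message order as (sender, accepted names, required).
FLOW = [
    ("client", ["ClientHello"], True),
    ("server", ["ServerHello"], True),
    ("server", ["Certificate", "ServerKeyExchange"], False),
    ("server", ["CertificateRequest"], False),
    ("server", ["ServerHelloDone"], True),
    ("client", ["Certificate", "NoCertificate"], False),
    ("client", ["ClientKeyExchange"], True),
    ("client", ["CertificateVerify"], False),
    ("client", ["ChangeCipherSpec"], True),
    ("client", ["Finished"], True),
    ("server", ["ChangeCipherSpec"], True),
    ("server", ["Finished"], True),
]

def check_handshake(transcript):
    """Validate a list of (sender, message) pairs; return (ok, reason)."""
    pos, seen = 0, set()
    for sender, msg in transcript:
        # Skip optional slots until one accepts this message.
        while pos < len(FLOW):
            who, names, required = FLOW[pos]
            if who == sender and msg in names:
                break
            if required:
                return False, f"expected {who} {'/'.join(names)}, got {sender} {msg}"
            pos += 1
        else:
            return False, f"unexpected {sender} {msg} after the handshake finished"
        if sender == "client" and msg in ("Certificate", "NoCertificate"):
            if ("server", "CertificateRequest") not in seen:
                return False, "client certificate reply without CertificateRequest"
        if msg == "CertificateVerify" and ("client", "Certificate") not in seen:
            return False, "CertificateVerify without a client Certificate"
        seen.add((sender, msg))
        pos += 1
    for who, names, required in FLOW[pos:]:
        if required:  # transcript stopped before a mandatory message
            return False, f"handshake ended before {who} {'/'.join(names)}"
    return True, "connection is ready"

# Constructed transcript: server-authenticated handshake, no client certificate.
SAMPLE = [("client", "ClientHello"), ("server", "ServerHello"),
          ("server", "Certificate"), ("server", "ServerHelloDone"),
          ("client", "ClientKeyExchange"), ("client", "ChangeCipherSpec"),
          ("client", "Finished"), ("server", "ChangeCipherSpec"),
          ("server", "Finished")]
print(check_handshake(SAMPLE))
```
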
S-HTTP is an extension to HTTP for secure document transfer. It does not use any particular algorithm for encryption, but it supports, for example, RSA. Notice that S-HTTP is NOT HTTPS (which is HTTP over SSL). The main difference between the two is that SSL works just above TCP, whereas S-HTTP works above HTTP applications.
In port scanning, an intruder tries to find open services on a computer in order to use them for his own purposes. For example, a hacker can try to use a sendmail bug to obtain the computer's password file.
The first technique is packet filtering. In this method there are rules for accepting incoming or outgoing packets. Packets that do not conform to these rules are simply dropped. For example, all packets from outside to port 23 (telnet) can be forbidden.
Another method is the application gateway. Here the selection can be based on header information, message sizes or even the contents of packets. We can define that some application cannot send data to or receive data from outside.
The third method is the circuit-level gateway, which is a combination of packet filtering and an application-level firewall.
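
The packet-filtering rule described above (no telnet from outside, unmatched packets dropped) can be modelled as an ordered rule list where the first match decides. This is an added example, not part of the model answer; the networks, addresses, rule set and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Added example with constructed addresses (RFC 5737 documentation ranges).
ANY = ip_network("0.0.0.0/0")
INSIDE = ip_network("192.0.2.0/24")      # protected network (assumed)
PARTNER = ip_network("198.51.100.0/24")  # trusted outside network (assumed)

# Ordered rules: (action, source net, destination net, protocol, dest port).
# None matches any protocol or port. The first matching rule decides.
RULES = [
    ("drop",   ANY,     INSIDE, "tcp", 23),    # the page's rule: no telnet from outside
    ("accept", PARTNER, INSIDE, "tcp", None),  # partner may reach other TCP services
    ("accept", ANY,     INSIDE, "tcp", 80),    # public web server
    ("accept", INSIDE,  ANY,    None,  None),  # all outgoing traffic
]

def filter_packet(src, dst, proto, dport, rules=RULES):
    """Return (action, rule index) using header fields only; default is drop."""
    src, dst = ip_address(src), ip_address(dst)
    for i, (action, src_net, dst_net, r_proto, r_port) in enumerate(rules):
        if (src in src_net and dst in dst_net
                and r_proto in (None, proto)
                and r_port in (None, dport)):
            return action, i
    return "drop", None  # no rule matched, so the packet is dropped

# Constructed packets: (source, destination, protocol, destination port).
PACKETS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 23),  # partner telnet: rule 0 drops it
    ("198.51.100.7", "192.0.2.10", "tcp", 22),  # partner ssh: rule 1 accepts
    ("203.0.113.9", "192.0.2.10", "tcp", 80),   # stranger web: rule 2 accepts
    ("203.0.113.9", "192.0.2.10", "tcp", 22),   # stranger ssh: default drop
    ("192.0.2.10", "203.0.113.9", "udp", 53),   # outgoing: rule 3 accepts
]

def run(rules=RULES):
    """Apply the rule list to every constructed packet and collect the actions."""
    return [filter_packet(*p, rules=rules)[0] for p in PACKETS]

print(run())
```

Rule order matters: if the partner rule is placed before the telnet rule, the first packet is accepted instead of dropped.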
For this question there is no correct answer. The main point is to get students to think about whether they're safe and what should be done if they are not...
The X.509 certificate standard provides general proof that somebody is who he claims to be. It is used in the WWW environment to verify different parties.
A certificate has the following fields:
- version
- serial number
- signature algorithm ID
- issuer name
- validity period
- subject name
- subject public key info
- issuer unique identifier
- subject unique identifier
- some extensions
The W3C's document (http://www.w3.org/TR/2001/PR-xmldsig-core-2001082) gives one solution to this problem, but a technically detailed answer was not required. The following things should be discussed:
- Key management, certificates, ID-cards, ...
- How to ensure keys, certificates etc are valid?
- Trusted third party
- Customer will need some kind of plug-in => platform independence
- Maybe legal notations.
- ...