Homework 3
Handed out: March 1,
2005
Due back: March
8th, 2005, 11:59pm, 2005(by submission timestamp).
Submission: Electronic
upload submission (see instruction online at the course webpage)
Notes: 1. To be done individually.
2.
Please do not give a simple yes/no as results to some of the questions. Briefly explain why and how you obtain that
result.
- Suppose
filtering routers are arranged as in the Figure below; the primary
firewall is R1. Explain how to configure R1 and R2 so that outsiders can
Telnet to net 2 but not to hosts on net 1.
Be careful about “leapfrogging” breakins
to net 1.
- Timing
attack problem. Modify the following
password checking code discussed in the lectures so that it is not
vulnerable to timing attacks.
int password-check( char *inp,
char *pwd) {
if (strlen(inp) != strlen(pwd)) return 0;
for( i=0; i
< strlen(pwd); ++i)
if ( *inp[i] != *pwd[i] )
return
0;
return 1;
}
- Describe
each of the following three kinds of access control mechanisms in terms of
(a) ease of determining authorized access during execution, (b) ease of adding
access to all objects for a new subject, (c) ease of deleting access to an
object by a subject, and (d) ease of creating a new object to which all
subjects by default have access.
Please try to keep your answer short to a few key points.
- Per-object
access control list
- Access
control matrix
- Capability
- Represent
the ownerships and permissions shown in this UNIX directory listing as a access control matrix. Note: asw
is a member of two groups: users and devel; gmw is a member of only
“users” group. Treat each of the two users and two groups as a domain, so
the matrix has four rows (one per domain) and four columns (one per file).
-rw- r- -
r- - 2 gmw users
-rwxr-x r-x 1 asw devel
-rw-rw- - - - 1 asw users
-rw- r- -
- - - 1 asw devel
- Whether
IPSec will work with Network Address Translation
(NAT) depends on which mode of IPSec and NAT we
use. Suppose that we use true NAT, where only IP addresses are translated
(without port translation). Will IPSec and NAT work in each of the following
cases? Briefly explain why or why
not.
- IPSec using AH transport mode
- IPSec using AH tunnel mode
- IPSec using ESP transport mode
- IPSec using ESP tunnel mode
Note:
a) The TCP/UDP checksum includes
the TCP/UDP header, the TCP/UDP payload, and the three fields from the IP header – protocol number, source IP address, and destination
IP address.
b) The discussion in KPS book Ch
17.2.1 may not be entirely correct.