Homework 3


Handed out:    March 1, 2005

Due back:        March 8th, 2005, 11:59pm, 2005(by submission timestamp).

Submission:     Electronic upload submission (see instruction online at the course webpage)

Notes:              1. To be done individually.

                        2. Please do not give a simple yes/no as results to some of the questions.  Briefly explain why and how you obtain that result.


  1. Suppose filtering routers are arranged as in the Figure below; the primary firewall is R1. Explain how to configure R1 and R2 so that outsiders can Telnet to net 2 but not to hosts on net 1.  Be careful about “leapfrogging” breakins to net 1.




  1. Timing attack problem.  Modify the following password checking code discussed in the lectures so that it is not vulnerable to timing attacks.


int password-check( char *inp, char *pwd)  {

                              if   (strlen(inp)  !=  strlen(pwd)) return 0;

                              for( i=0; i < strlen(pwd); ++i)

                             if  ( *inp[i]  !=  *pwd[i]  )

                                    return 0;

                             return 1;



  1. Describe each of the following three kinds of access control mechanisms in terms of (a) ease of determining authorized access during execution, (b) ease of adding access to all objects for a new subject, (c) ease of deleting access to an object by a subject, and (d) ease of creating a new object to which all subjects by default have access.  Please try to keep your answer short to a few key points.
    1. Per-object access control list
    2. Access control matrix
    3. Capability


  1. Represent the ownerships and permissions shown in this UNIX directory listing as a access control matrix. Note: asw is a member of two groups: users and devel; gmw is a member of only “users” group. Treat each of the two users and two groups as a domain, so the matrix has four rows (one per domain) and four columns (one per file).

-rw- r- - r- - 2 gmw users

-rwxr-x  r-x 1 asw devel

-rw-rw- - - - 1 asw users

-rw- r- - - - - 1 asw devel


  1. Whether IPSec will work with Network Address Translation (NAT) depends on which mode of IPSec and NAT we use. Suppose that we use true NAT, where only IP addresses are translated (without port translation).  Will IPSec and NAT work in each of the following cases?  Briefly explain why or why not.
    1. IPSec using AH transport mode
    2. IPSec using AH tunnel mode
    3. IPSec using ESP transport mode
    4. IPSec using ESP tunnel mode


a) The TCP/UDP checksum includes the TCP/UDP header, the TCP/UDP payload, and the three fields from the IP header – protocol number, source IP address, and destination IP address.

b) The discussion in KPS book Ch 17.2.1 may not be entirely correct.