You may submit your solutions either electronically, as a document in Canvas, or in class on paper (one or the other though – don’t submit some problems online and some on paper!). Note that some questions require drawing diagrams – if you submit an electronic document, either use an appropriate tool to draw neat diagrams (e.g., LucidChart or Visio) or scan a neat hand-drawn picture. It is almost impossible to make a neat diagram in Word or some other tool that is not designed for this, so do not try.
Remember to fully explain your answers!
Find a news story of a recent security incident that involved a malicious attacker (that shouldn’t be hard!), and describe what happened. Your description should include a statement about each of the “big three” security goals, indicating whether it was violated (and if it was, how it was violated). Also speculate on what type of attacker was involved and what the attacker’s motive may have been.
In this question, you are to get a feel for how vulnerable modern systems are by exploring the “National Vulnerability Database” that NIST maintains, which is at https://nvd.nist.gov/.
Locate the full list of vulnerabilities, and pick a random month from last year (e.g., maybe your birthday month) and see how many vulnerabilities were reported that month. Report how many there were for the month, and calculate the average number of vulnerabilities reported per day. If you were a security professional, and spent on average 5 minutes looking at each CVE to see if it applied to systems you manage, how much time per week would you spend reviewing CVEs?
Look into some of these vulnerabilities (you can just click randomly on the CVEs in your chosen month) to see how they are reported. Can you find any that give vulnerabilities associated with software or systems that you use? Report on your findings, and describe how you can determine the risk to the “big three” security goals based on the information reported in the CVE entry. Looking into the information reported in a CVE, how could you filter reports (e.g., with an automated tool) to reduce the amount of time you would need to spend reviewing CVEs that are relevant to your systems?
Consider a chat system, where users connect to a chat server and can send private messages back and forth with other users. Draw out a model of such a system, identify locations for data at rest, data in motion, and data in use, and define confidentiality, integrity, and availability concerns for data and systems in your model (like we did for the payment system in class). Ideally, only the two participants in a chat should be able to understand the messages – in particular, the chat server should not be able know what the users are saying to each other.
As mentioned on page 27, AES can use keys that are 128, 196, or 256 bits long. For each part below, show your work — don’t just give final answers!
How many different 128-bit keys are possible? If you performed a brute-force decryption attack that could test 1 trillion (1012 or approximately 240) keys per second, how long would it take you to test all 128-bit keys? Give your answer in both seconds, and in a more understandable unit (weeks? months? years? centuries?).
As described on page 34, if you are looking at English text, then the number of n-bit strings that are valid English text is approximately 20.16n. Consider what would happen if someone used an English phrase for the AES key. How many 128-bit sequences are valid English phrases (approximately)? If you could test 1 trillion English phrases per second, how long would it take you to test all 128-bit English phrases?
What do these two results tell you about the use of English phrases for encryption keys? Is it a good idea?
Consider the following scenario, commonly called a “Man-in-the-Middle Attack”: I am using a restaurant’s guest WiFi for internet access, and want to set up an encrypted connection to workplace.com to do some confidential work. I don’t have an encryption key I can use with workplace.com so my computer first contacts workplace.com using an unprotected connection to ask for their public key. After I get the public key, I use that to encrypt further communication with the server. Unfortunately, the restaurant intercepts the public key that workplace.com sends to me, and replaces it with its own (for which it knows the private or decryption key).
Draw a diagram that shows the three parties involved (me, the restaurant network router, and the workplace.com server), and show the communications described above on your diagram.
Describe how digital certificates can be used to secure this protocol.
Consider the following set of subjects and objects in the Bell-LaPadula model, with clearances and classifications as shown (C, S, and TS stand for “Classified”, “Secret” and “Top Secret”, which is in increasing level of classification):
Subject clearances:
Object classifications:
Write out the access control matrix that shows both read and write permissions for all four subjects and three objects (use “R” to denote read permission, and “W” to denote write permission).
In the Bell-LaPadula model, there is typically a classification label of ("Unclassified", {}). What users will be able to read a file with this label? Justify your answer by working through the definition of the “simple security property” and the definition of the BLP partial ordering (given on page 453 of the textbook).
The “Bandit” wargame on overthewire.org consists of a sequence of challenges to test your skill with basic Linux command-line usage. For this question, solve up through Level 5 of the Bandit wargame (getting to Level 6), which will require you to demonstrate skills that are vital for future hands-on exercises in this class (logging in with SSH, examining files, working with directories, working with unusual file names and hidden files, etc.). Document how you solved the challenges by providing a one or two sentence description saying what you did for each level. [Reminder: Figure these challenges out yourself. Do not search for solutions online, or ask others for solutions.] Note: If you solve the first 20 levels, you will receive 5 points extra credit.