Homework 8 - Chapter 8 (extra credit)
Due: Monday, March 17, 2014 at 11:55pm
NO LATE ASSIGNMENTS WILL BE ACCEPTED.
- One common feature of popular PHP forum software is the "Keep me logged
in" feature where the website sends an authentication cookie after the
user types an appropriate username and password. On future visits, if the
cookie is present, the user does not have to provide a password. What are
the security implications of such a feature?
- One general principle behind authentication is "what you know", i.e.
asking the user for information only the user can provide. Give another
principle that can be used for authentication.
- At what level in the protocol stack (e.g. data link, network, etc) must a
stateful inspection firewall that is aware of the File Transfer Protocol
(FTP) operate? Justify your answer.
- What is the purpose of an intrusion detection system (IDS)? How does this
differ from an intrusion prevention system (IPS)?
- Can cryptography provide solutions for confidentiality, integrity,
nonrepudiation, and availability? Explain why or why not.
- What is the primary difference between symmetric key and public key
encryption algorithms?
- What is the purpose of a public key infrastructure or a trusted link
system such as certificate authorities?
- A fundamental cryptographic principle states that all messages must have
redundancy. But redundancy helps an intruder tell if a guessed plaintext
is correct. Consider two forms of redundancy. First, the initial n bits
of the plaintext contain a known pattern. Second, the final n bits of
the message contain a hash over the message. From a security point of
view, are these two equivalent? Discuss your answer.
- When using Diffie-Hellman key exchange, why is it difficult to protect
against a man-in-the-middle attack when neither party has any a priori
knowledge of each other, such as the server public key in SSH?
- Let's revisit Question 1. Would it be any more secure to use a Kerberos
ticket for the "Keep me logged in" feature? Why or why not?