Homework 2

CS155, Spring 2007

Due: Thursday, May 17

Problem 1 - cookies

A web server requires each user to log in. However, the implementers of the web site are worried about storing passwords on the server, since they are afraid someone might break in and steal them. Therefore, they decide to use a clever idea. When a user creates an account, the account number is stored on the server and the user's password is stored in a cookie on the user's machine. Then, when the user tries to log in later, the server compares the password typed in by the user with the password stored in the user's cookie.

  1. Assuming that the implementers have not thought of any other clever ideas, how would you log into another users account without knowing their password?
  2. Describe at least one method that you could use to keep passwords in cookies (and not on the server), but prevent the attack you devised in part (a)?

Problem 2

Consider a broken web-based mail system. Suppose the web system displays incoming email messages in a web browser using the following HTML sketch:
        ---  Headers  ---
        <DIV ID="msg">
        ---  Verbatim Email Message ---
  1. Give an example email message you could send to a user of this web system that would allow you to read all of that user's incoming email. You may assume the web system uses a cookie called SessionID to authenticate user requests after user login.
  2. How could the web-based email system defend against such attacks?

Problem 3 - TCP Sequence numbers

Suppose a spammer sends spam email from IP address a.b.c.d. This IP address is quickly added to a blacklist and mail servers ignore all emails from this IP address.

  1. Can the spammer evade the blacklisting mechanism by sending packets with a spoofed source IP address? Recall that the SMTP protocol runs on top of TCP. You may assume that the victim mail server generates random and unpredictable TCP sequence numbers for new connections.
  2. Suppose a certain mail server generates TCP sequence numbers for new connections using a predictable algorithm, say the initial sequence number for connection i is simply the number i. Explain exactly how a spammer can fool the mail server into accepting spam from it by spoofing source IP addresses in packets.
  3. Recall that SMTP is an interactive protocol. An SMTP transcript looks as follows:

    Sender:      MAIL FROM:   <someone@somewhere.com>
    Mail Serv:   250 Ok
    Sender:      RCPT TO: <target@victim.com>
    Mail Serv:   250 Ok
    Sender:      DATA
    Mail Serv:   354 End data with .
    Sender:      Some message data
                 Second line
    Mail Serv:   250 Ok
    ... and the message is delivered.

You may assume that the SMTP PIPELINING extension is allowed by the mail server.

Problem 4 - dictionary attacks and MiTM

In class we discussed an authentication method called challenge-response for authenticating a user to a server. At a high level, the basic mechanism works as follows:

     Browser                          Server
     -------     I am user Alice      ------
   pwd              Nonce  N               pwd
                   MAC(pwd, N)
               ------------------>     check MAC
The following questions ask whether various attackers can impersonate the user and login to the server on behalf of the user.
  1. Is this method vulnerable to dictionary attack by an eavesdropper? If so explain how; if not explain why not.
  2. Suppose the protocol is run over SSL (where the SSL session was authenticated using the server's certificate).
    1. Is the resulting protocol vulnerable to dictionary attack by an eavesdropper?
    2. Is the resulting protocol vulnerable to a Man in the Middle attack?
    If so explain how; if not explain why not. You may assume that users ignore any SSL warning pop-up and click "continue" to proceed.
  3. Suppose the protocol is run over SSL as in part (b), but the browser uses the following key Kb to compute the MAC:
                       Kb = (pwd) || (client-ssl-session-key)
    where || denotes concatination and client-ssl-session-key is the SSL session key currently used by the browser. The server checks the MAC using the following key:
                       Ks = (pwd) || (server-ssl-session-key)
    where server-ssl-session-key is the SSL session key currently used by the server. Is the resulting protocol vulnerable to your attacks from part (b)? If so explain how; if not explain why not.

Problem 5 - Firewalls

Consider a company, example.com, with the following network topology:

Example.com is extremely paranoid about the prospect of a Trojan horse surreptitiously sending the source code of their product out over the network. Therefore, they issue every employee a small hardware authentication device, and wish to require that any communication to the outside world be authenticated by a human typing in a security code computed by and displayed on this authentication device.

  1. To enforce the policy, the administrators set up a single machine, gatekeeper.example.com, that can talk both to internal company machines and to the rest of the Internet. Employees can log into gatekeeper from internal machines using SSH and their hardware authentication device. From gatekeeper, they can SSH to the rest of the Internet. All other machines at the company are on a separate subnet ( and can exchange packets with gatekeeper but not with the outside world. Machines on the outside Internet should not be able to SSH to gatekeeper.

    Describe how to enforce this policy with stateless packet filtering on Router A and/or Router B. Describe the precise packet filtering rules you would put in place at each router. You may assume that the routers only forward IPv4 traffic.

  2. After several days of this new policy, employees become annoyed that many applications seem to lock up for periods of a minute or so. People suspect that the problem is caused by attempts to create TCP connections to the outside world, which instead of failing instantly take approximately one minute. After all, clients' TCP implementations treat packets dropped by the firewall policy just the same as packets dropped because of congestion--they back off and keep trying.

    To solve the problem, the administrators re-configure their routers not just to drop packets silently, but in certain cases to send packets back to the source of a dropped packet. Describe precisely what the routers can send back to make prohibited outgoing TCP connections fail quickly. (Assume they cannot make any changes to the TCP implementation on clients.)

  3. After the fix from the previous part, things improve somewhat, but applications are still locking up. It is determined that the problem is DNS lookups to the outside world, which are also taking a long time to fail. To solve the problem, the administrators run a caching resolver on gatekeeper, and configure all the internal clients to use gatekeeper as their DNS nameserver. The administrators figure that since DNS is a read-only protocol, it is safe to allow internal machines to query for IP addresses of hosts anywhere on the Internet, as long as any actual communication to those IP addresses is blocked by the routers.

    Where is the flaw in the administrators' logic? Explain how a clever Trojan horse with access to the secret source code on client.example.com can collude with another machine on the Internet to leak the source code, even without access to the hardware authentication device.