# midterm SP
## Task 1
> Question 1 (max score: 1.5): User Alice wants to sign a message M in order to send it to user Bob. Alice works with asymmetric cryptography: she owns the private key A_k_priv and shared the corresponding public key A_k_pub with Bob. Moreover, since the message M is very large, Alice aims to exploit a message digest algorithm (say SHA-2, but could be any) to accomplish the signature as efficiently as possible. Describe the workflow that Alice and Bob go through with message digesting, encryption and decryption to send and validate, respectively, the signed message.
1. Alice computes the digest of M with the agreed message digest algorithm (say SHA-2): MDC = H(M). She then encrypts the MDC with her private key A_k_priv (the asymmetric algorithm, e.g. RSA, must support this private-key operation); the result is the signature. Hashing first is what makes the scheme efficient: the expensive asymmetric operation runs over a short fixed-size digest instead of the whole large M. Alice sends M in plaintext together with the signature.
2. Bob receives M in plaintext plus the signature; he already holds A_k_pub. He decrypts the signature with A_k_pub, which yields Alice's MDC, recomputes the digest of the received M with the same MDA, and compares the two values. If they match, Bob knows both that M was not altered in transit (the MDA is collision-resistant, so a changed M gives a different digest) and that the signer holds A_k_priv (only that key produces a value that decrypts correctly under A_k_pub). Note that the signature gives integrity and authentication, not confidentiality: M itself travels in the clear.
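The sign / verify workflow above, as an added example that is not part of the original notes: SHA-256 as the message digest algorithm and textbook RSA (no padding) as the asymmetric cipher. The key pair is an assumption chosen for determinism: it is built from two Mersenne primes, which makes the modulus trivially factorable, so it illustrates the workflow only and must never be used for real signatures.

```python
"""Task 1 workflow: hash-then-sign with SHA-256 and textbook RSA.

Added example, not code from the original notes. The key below is a toy:
P and Q are well-known Mersenne primes, so N factors instantly and there
is no padding. It exists only to make the sign/verify steps runnable offline.
"""
import hashlib

# --- toy key pair (assumption: fixed, deliberately insecure primes) ---
P = (1 << 127) - 1          # Mersenne prime M127
Q = (1 << 521) - 1          # Mersenne prime M521
N = P * Q                   # ~648-bit modulus, larger than any 256-bit digest
E = 65537                   # public exponent (coprime with (P-1)(Q-1))
PHI = (P - 1) * (Q - 1)
D = pow(E, -1, PHI)         # private exponent, modular inverse (Python 3.8+)

A_k_pub = (N, E)            # shared with Bob beforehand
A_k_priv = (N, D)           # known only to Alice


def mdc(message: bytes) -> int:
    """Message digest code: SHA-256 of M, returned as an integer so it can
    be raised to a power modulo N."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def alice_sign(message: bytes, priv) -> int:
    """Alice: digest the (possibly huge) message, then 'encrypt' only the
    32-byte digest with her private key. The asymmetric operation never
    touches the full message."""
    n, d = priv
    return pow(mdc(message), d, n)


def bob_verify(message: bytes, signature: int, pub) -> bool:
    """Bob: 'decrypt' the signature with Alice's public key to recover her
    MDC, recompute the digest of the received message with the same MDA,
    and compare the two values."""
    n, e = pub
    recovered_mdc = pow(signature, e, n)
    return recovered_mdc == mdc(message)


def demo():
    """Constructed sample message (~34 KB) to show the size of M is irrelevant
    to the asymmetric step. Returns (verifies_ok, tampered_verifies)."""
    M = b"Large message M from Alice to Bob. " * 1000
    sig = alice_sign(M, A_k_priv)
    ok = bob_verify(M, sig, A_k_pub)
    # Attacker flips one byte in transit: Bob's recomputed digest no longer
    # matches the MDC recovered from the signature.
    tampered = bob_verify(M[:-1] + b"?", sig, A_k_pub)
    return ok, tampered


if __name__ == "__main__":
    print(demo())               # (True, False)
```

The signature is roughly N's size (81 bytes here) whatever the length of M, which is exactly why Alice digests first. A real deployment uses a padding scheme such as RSA-PSS and a key of at least 2048 bits; textbook RSA over a bare digest is malleable.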
## Task 2
Question 2 (max score: 1.5): Consider a firewall configured to apply an ACL that consists only of the following filtering rules
```
access-list 111 deny ip 10.132.0.0 0.0.255.255 any
access-list 111 permit ip any any
```
In particular consider the case in which the source addresses mentioned in the first rule belong to a local network, and the firewall applies these rules to the packets that it receives at the interface eth0 that is connected to an outside network, i.e., a network other than that local network.
```
interface eth0
ip access-group 111 in
```
Say to which range of source and destination IP addresses the first rule applies, and explain how this ACL can play a role in preventing some IP spoofing attacks.
The first rule applies to packets whose **source** address is in 10.132.0.0/16, i.e. 10.132.0.0 to 10.132.255.255 (the wildcard mask 0.0.255.255 is the inverse of the netmask 255.255.0.0: a 0 bit means "must match", a 1 bit means "don't care"), with **any** destination address. Every other packet falls through to the second rule and is permitted.

Since the ACL is applied inbound on eth0, which faces the outside, a packet arriving there with a 10.132.x.y source cannot be legitimate: those addresses belong to the local network behind the firewall, so the packet is forged, i.e. an outside host is pretending to be a local one (which might be a host in a DMZ that only local addresses are trusted to reach). The first rule drops such packets, so an attacker cannot trespass into the local network or DMZ by IP spoofing of a local address. This is ingress anti-spoofing filtering; it only stops spoofing of the local range, not spoofing of arbitrary external addresses.
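The rule evaluation described above, as an added example that is not part of the original notes: first-match evaluation of the two-rule ACL with Cisco-style wildcard masks, run over constructed packets arriving inbound on eth0. The packet addresses are made up for illustration.

```python
"""Task 2: evaluate access-list 111 on packets arriving inbound on eth0.

Added example, not code from the original notes. Models Cisco ACL semantics:
first matching rule wins, and an implicit deny sits at the end of the list.
"""
import ipaddress

MASK32 = 0xFFFFFFFF

# The ACL from the question as (action, src, src_wildcard, dst, dst_wildcard).
# 'any' is the same as 0.0.0.0 with wildcard 255.255.255.255.
ACL_111 = [
    ("deny",   "10.132.0.0", "0.0.255.255",     "0.0.0.0", "255.255.255.255"),
    ("permit", "0.0.0.0",    "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]


def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard mask: 0 bits must match the base, 1 bits are ignored.
    So we compare addr and base only on the bits where the wildcard is 0."""
    care = ~_ip(wildcard) & MASK32
    return (_ip(addr) & care) == (_ip(base) & care)


def wildcard_range(base: str, wildcard: str):
    """Lowest and highest address the (base, wildcard) pair can match."""
    b, w = _ip(base), _ip(wildcard)
    lo = ipaddress.IPv4Address(b & ~w & MASK32)
    hi = ipaddress.IPv4Address(b | w)
    return str(lo), str(hi)


def acl_decision(acl, src: str, dst: str) -> str:
    """First-match evaluation; implicit deny if nothing matches."""
    for action, sb, sw, db, dw in acl:
        if wildcard_match(src, sb, sw) and wildcard_match(dst, db, dw):
            return action
    return "deny"


# Constructed packets as seen inbound on eth0 (outside-facing interface).
SAMPLE_PACKETS = [
    ("10.132.7.9",     "10.132.1.1"),    # claims a local source: spoofed
    ("10.132.255.255", "203.0.113.1"),   # top of the /16, still spoofed
    ("10.133.0.1",     "10.132.1.1"),    # outside the /16: not covered by rule 1
    ("198.51.100.5",   "10.132.1.1"),    # ordinary external client
]


def ingress_eth0(packets=SAMPLE_PACKETS):
    """Return [(src, dst, decision)] for each packet hitting eth0 inbound."""
    return [(s, d, acl_decision(ACL_111, s, d)) for s, d in packets]


if __name__ == "__main__":
    print(wildcard_range("10.132.0.0", "0.0.255.255"))   # ('10.132.0.0', '10.132.255.255')
    for row in ingress_eth0():
        print(row)
```

The 10.133.0.1 packet shows the boundary of the wildcard: one bit outside the "must match" octets and rule 1 no longer applies. It also shows the limit of this ACL: it blocks spoofing of the local range only, so it should be paired with an egress rule on the inside interface that permits only 10.132.0.0/16 sources.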
## Task 3
Question 3 (max score: 1.5): Say which three statements out of the following ones apply for a firewall that is using NAT masquerade configured to map all private addresses 192.168.1.0/24 to the public address 149.132.160.211 (that is, 149.132.160.211 is the public IP address of the firewall and 192.168.1.* are the IP addresses in the private network that the firewall is protecting by using NAT):
1. When an application within the network 192.168.1.0/24 contacts an application in an external network, the external application will receive packets in which the source IP address is 149.132.160.211.
2. The applications in external networks can initiate connections to an application within the network 192.168.1.0/24, but to do so they have to specify 149.132.160.211 as destination IP address.
3. The hosts within the network 192.168.1.0/24 are completely unreachable from external applications in any case. In fact, the applications in external networks cannot even reply to an application within the network 192.168.1.0/24.
4. The applications in external networks cannot ever initiate connections to any application within the network 192.168.1.0/24, but, if contacted from one of those applications, they can reply.
5. There can be both cases in which the firewall will rewrite the source IP address of a packet sent from the network 192.168.1.0/24, and cases in which it rewrites the destination IP address of a packet received from external networks.
6. The IP address 192.168.1.0 will be the only private address known to external applications.
Answer by writing the three numbers that correspond to your selection.
1, 4, 5 (all assuming no port forwarding is configured).

Why: (1) on egress the firewall rewrites the source address to 149.132.160.211, so that is what the external peer sees; (4) with masquerade alone an unsolicited inbound packet matches no entry in the translation table and is dropped, while a reply to an outbound connection does match and is delivered; (5) the source rewrite on the way out and the destination rewrite on the reply are the two halves of the same translation. Statement 2 would only hold if a port-forwarding (DNAT) rule were added, and 3 and 6 are wrong because replies do get through and no private address is ever exposed.
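A minimal model of the masquerade behaviour behind statements 1, 4 and 5, as an added example that is not part of the original notes. Addresses, ports and the port-allocation policy are assumptions made for illustration; a real NAT also tracks protocol, timeouts and TCP state.

```python
"""Task 3: NAT masquerade of 192.168.1.0/24 behind 149.132.160.211.

Added example, not code from the original notes. A packet is the tuple
(src_ip, src_port, dst_ip, dst_port); no port forwarding is configured.
"""
import ipaddress

PRIVATE_NET = ipaddress.ip_network("192.168.1.0/24")
PUBLIC_IP = "149.132.160.211"


class Masquerade:
    def __init__(self, first_port=40000):
        # public source port -> (private_ip, private_port, ext_ip, ext_port)
        self.table = {}
        # (private_ip, private_port, ext_ip, ext_port) -> public source port
        self.reverse = {}
        self.next_port = first_port   # assumption: sequential allocation

    def outbound(self, pkt):
        """Packet leaving the private network: rewrite the source (statement 1)
        and remember the mapping so the reply can be translated back."""
        src, sport, dst, dport = pkt
        if ipaddress.ip_address(src) not in PRIVATE_NET:
            raise ValueError("only 192.168.1.0/24 is masqueraded")
        key = (src, sport, dst, dport)
        pub_port = self.reverse.get(key)
        if pub_port is None:
            pub_port = self.next_port
            self.next_port += 1
            self.table[pub_port] = key
            self.reverse[key] = pub_port
        return (PUBLIC_IP, pub_port, dst, dport)

    def inbound(self, pkt):
        """Packet arriving from outside. Returns the translated packet, or None
        when the firewall drops it: no mapping means nobody inside asked for
        it (statement 4), a matching one means a reply whose destination is
        rewritten back to the private host (statement 5)."""
        src, sport, dst, dport = pkt
        if dst != PUBLIC_IP:
            return None   # private addresses are never a valid target from outside
        entry = self.table.get(dport)
        if entry is None:
            return None   # unsolicited: no translation, dropped
        priv_ip, priv_port, ext_ip, ext_port = entry
        if (src, sport) != (ext_ip, ext_port):
            return None   # port known, but not the peer that was contacted
        return (src, sport, priv_ip, priv_port)


def demo():
    """Constructed exchange: one outbound HTTPS connection and its reply,
    then two inbound packets nobody asked for."""
    fw = Masquerade()
    out = fw.outbound(("192.168.1.10", 51234, "203.0.113.80", 443))
    reply = fw.inbound(("203.0.113.80", 443, PUBLIC_IP, out[1]))
    unsolicited = fw.inbound(("203.0.113.80", 443, PUBLIC_IP, 22))
    direct = fw.inbound(("203.0.113.80", 443, "192.168.1.10", 22))
    return out, reply, unsolicited, direct


if __name__ == "__main__":
    for p in demo():
        print(p)
```

The `direct` packet addressed straight to 192.168.1.10 is dropped as well: the private address is not routable on the Internet and the firewall has no reason to accept it, which is why statement 6 is false regardless of port forwarding.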
## Task 4
Question 4 (max score: 1.5): Say which three statements out of the following ones apply for applications that protect their traffic by using data encryption according to protocol TLS:
1. The protocol allows for the TCP and IP addresses of the applications not to be disclosed to any third party that is possibly sniffing the network traffic.
2. The Application Data packets include data encrypted by using symmetric (secret key) cryptography.
3. The Handshake Phase of the protocol typically relies on symmetric (secret key) cryptography.
4. The Handshake Phase of the protocol may require the exchange of certificates between the parties.
5. The protocol allows for the data related to the application protocol not to be disclosed to any third party that is possibly sniffing the network traffic.
6. In Application Data packets, the SSL header includes the decryption key such that it allows for the receiver to decrypt the data.
Answer by writing the three numbers that correspond to your selection.
2, 4, 5.

Why: (2) the session keys negotiated in the handshake are symmetric, and Application Data records are encrypted with them; (4) the server (and optionally the client) sends its certificate during the handshake; (5) the application-layer payload is confidential to a sniffer. Statement 1 is wrong because TLS runs above TCP, so the IP addresses and TCP ports stay in the clear; 3 is wrong because the handshake relies on asymmetric cryptography (certificates, key exchange); 6 is wrong because the record header carries only content type, version and length, never a key.
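A TLS record-layer parser over a constructed byte stream, as an added example that is not part of the original notes. It shows what a sniffer actually sees: a 5-byte header (content type, version, length) per record, a plaintext handshake message type before keys are established, and an opaque payload once Application Data starts. The sample bytes are constructed and the ClientHello body is abbreviated; no real handshake or key is involved.

```python
"""Task 4: what is and is not visible on the wire in TLS records.

Added example, not code from the original notes. Parses the record header
(RFC 5246 section 6.2) from a constructed stream; payload bytes are kept
opaque, as they would be for a sniffer once encryption is on.
"""
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HANDSHAKE_TYPES = {1: "client_hello", 2: "server_hello", 11: "certificate",
                   16: "client_key_exchange", 20: "finished"}
MAX_CIPHERTEXT = (1 << 14) + 2048   # TLSCiphertext length bound in TLS 1.2


def record(ctype: int, version, payload: bytes) -> bytes:
    """Build one record: type(1) version(2) length(2) + payload. Note the
    header has no room for a key: only type, version and length."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed sample stream: an abbreviated ClientHello (version + 32 bytes of
# "random", not a full hello) followed by one Application Data record whose
# payload stands in for ciphertext.
_hello_body = b"\x03\x03" + bytes(range(32))
_hello_msg = b"\x01" + len(_hello_body).to_bytes(3, "big") + _hello_body
SAMPLE_STREAM = (record(22, (3, 1), _hello_msg)
                 + record(23, (3, 3), bytes(range(0xA0, 0xC0))))


def parse_records(stream: bytes):
    """Split a byte stream into records, returning one dict per record with
    the plaintext header fields and, for a cleartext handshake record, the
    handshake message type. Raises ValueError on truncation or oversize."""
    records, off = [], 0
    while off < len(stream):
        if len(stream) - off < 5:
            raise ValueError("truncated record header")
        ctype, major, minor, length = struct.unpack("!BBBH", stream[off:off + 5])
        if length > MAX_CIPHERTEXT:
            raise ValueError("record length exceeds TLS maximum")
        payload = stream[off + 5:off + 5 + length]
        if len(payload) < length:
            raise ValueError("truncated record payload")
        rec = {"type": CONTENT_TYPES.get(ctype, "unknown"),
               "version": (major, minor), "length": length, "handshake": None}
        # Handshake type is only readable while the handshake is still in the
        # clear (TLS 1.2: up to ChangeCipherSpec); later records are opaque.
        if ctype == 22 and len(payload) >= 4:
            rec["handshake"] = HANDSHAKE_TYPES.get(payload[0], "unknown")
        records.append(rec)
        off += 5 + length
    return records


if __name__ == "__main__":
    for r in parse_records(SAMPLE_STREAM):
        print(r)
```

Together with the IP and TCP headers below it, this is the whole of what a passive observer learns: who talks to whom, which TLS version, how much data and when. The application payload itself, which statement 5 is about, is the part the parser deliberately does not interpret.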