Exercise 7

Computer Science

Exercise 7.12 (Protocol version downgrade-dance attack). Implementations of TLS and SSL specify the version of the protocol in the Client Hello and Server Hello messages. If the server does not support the client's version, then it replies with an error message. When the client receives this error message ('version not supported'), it retries the handshake using the next-best version of TLS/SSL supported by the client. This method of ensuring backward compatibility with older versions of TLS/SSL is referred to as the downgrade dance.

  1. Present a sequence diagram showing how a MitM attacker can exploit the downgrade-dance mechanism to cause the server and client to use an outdated version of the protocol, allowing the attacker to exploit vulnerabilities of that version.
  2. The TLS Fallback Signaling Cipher Suite Value (SCSV), discussed in subsection 7.5.6, is designed to mitigate this risk. Let v_c denote the TLS version run by the client and v_s denote the TLS version run by the server. Present sequence diagrams showing TLS connections where (1) client and server support SCSV and v_c > v_s, (2) same, v_c = v_s, (3) same, v_c < v_s, (4) any of these, with a MitM attacker who tries to cause use of version v_m < min(v_c, v_s).


Exercise 8.15 (SCSV certificate extension). The TLS Fallback Signaling Cipher Suite Value (SCSV) [229], discussed in subsection 7.5.6, is designed to mitigate the Protocol version downgrade-dance attack; see subsection 7.5.6 and Exercise 7.12.

1. Consider a MitM attacker who impersonates the web server victim.com, to cause the client to downgrade to an insecure version of TLS; in this version, the attacker is able to find out the master key during the handshake. To foil SCSV, the attacker ignores it, i.e., behaves as if victim.com does not support SCSV. Show a sequence diagram showing how this attacker is able to establish the connection with the client in spite of SCSV.

2. Present an alternative defense to SCSV, which also prevents protocol downgrade attacks using a signalling mechanism, but a different signalling mechanism which uses an X.509 certificate extension.

3. Should your X.509 extension be always marked critical? Always non-critical? Sometimes (when?)? Justify.

Foundations of Cybersecurity: Applied Introduction to Cryptography

542 CHAPTER 8. PUBLIC KEY INFRASTRUCTURE (PKI)

4. Suppose a domain adopts your design, and upgrades its certificate accordingly. Is it required to revoke the previous certificate? Justify; if it is required, present an attack if this isn't done (with sequence diagram).
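
The downgrade dance of Exercise 7.12 and the SCSV-ignoring impersonator of Exercise 8.15, as an added simulation that is not from the textbook: it models the client's retry loop, the server's TLS_FALLBACK_SCSV check from RFC 7507, and a MitM who answers higher-version hellos with a forged 'version not supported' error. Version numbers, the placeholder cipher suite and the function names are constructed for the example.

```python
# Added simulation (not from the textbook) of the TLS "downgrade dance" and of the
# TLS_FALLBACK_SCSV check of RFC 7507. Versions are small integers (higher is newer).
TLS_FALLBACK_SCSV = "TLS_FALLBACK_SCSV"

def server_hello(server_min, server_max, client_version, cipher_suites):
    """Genuine server: answer a ClientHello with ('hello', version) or ('alert', reason)."""
    if client_version < server_min:
        return ("alert", "protocol_version")  # the 'version not supported' error
    if client_version < server_max and TLS_FALLBACK_SCSV in cipher_suites:
        # RFC 7507: the client says it is retrying at a lowered version, but this
        # server could have spoken a higher one, so the earlier failure was not ours.
        return ("alert", "inappropriate_fallback")
    return ("hello", min(client_version, server_max))

def downgrade_dance(client_max, client_min, server_min, server_max,
                    client_scsv=True, peer_honors_scsv=True, attacker_target=None):
    """Client side: after each failure, retry with the next-lower version.
    attacker_target models a MitM who answers every ClientHello above that version
    with a forged 'version not supported' alert; peer_honors_scsv=False models the
    Exercise 8.15 impersonator that ignores the SCSV. Returns the version or None."""
    for attempt, vc in enumerate(range(client_max, client_min - 1, -1)):
        suites = ["TLS_AES_128_GCM_SHA256"]  # constructed placeholder suite list
        if attempt > 0 and client_scsv:
            suites.append(TLS_FALLBACK_SCSV)  # mark this hello as a fallback retry
        if attacker_target is not None and vc > attacker_target:
            reply = ("alert", "protocol_version")  # forged; the server never sees the hello
        else:
            seen = suites if peer_honors_scsv else [s for s in suites if s != TLS_FALLBACK_SCSV]
            reply = server_hello(server_min, server_max, vc, seen)
        if reply[0] == "hello":
            return reply[1]
        if reply[1] == "inappropriate_fallback":
            return None  # the server refused the downgrade: fail closed
        # 'protocol_version': dance down to the next version
    return None

def exercise_cases():
    """The scenarios of Exercise 7.12(2) plus the SCSV-ignoring peer of Exercise 8.15(1).
    Client supports versions 10..13, server 10..12, the MitM aims for version 10."""
    return {
        "vc>vs": downgrade_dance(13, 10, 10, 12),
        "vc=vs": downgrade_dance(12, 10, 10, 12),
        "vc<vs": downgrade_dance(11, 10, 10, 12),
        "mitm, no SCSV": downgrade_dance(13, 10, 10, 12, client_scsv=False, attacker_target=10),
        "mitm, SCSV": downgrade_dance(13, 10, 10, 12, attacker_target=10),
        "mitm, peer ignores SCSV": downgrade_dance(13, 10, 10, 12, peer_honors_scsv=False,
                                                  attacker_target=10),
    }
```

With the genuine server the SCSV turns the forced fallback into a failed connection rather than a downgraded one; with a peer that ignores the SCSV the downgrade succeeds, which is why the exercise asks for a defense bound to the server's certificate.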

Exercise 7.14 (TLS server without randomness). An IoT device provides an HTTP interface to clients, i.e., acts as a tiny web server. For authentication, clients send their commands together with a secret password, e.g., on, <password> and off, <password>. Communication is over TLS for security, with the RSA-based SSL/TLS handshake, as in Figure 7.10.

 


The IoT device does not have a source of randomness; hence, it computes the server-random r_s from the client-random r_c, using a fixed symmetric key k_s (kept only by the device), as: r_s = AES_{k_s}(r_c).

 

1. Present a message sequence diagram showing how an attacker, who can eavesdrop on a connection in which the client turned the device 'on', can later turn the device 'on' again, without the client being involved.

 

2. Would your answer change (and how), if the device supports ID-based session resumption? Ticket-based session resumption?

 

3. Show a secure method for the server to compute the server-random, which will not require a source of randomness. The IoT device may use and update a state variable s; your solution consists of the computation of the server-random: r_s = ___ and of the update to the state variable performed at the end of every handshake: s = ___.

 

3. Suppose that an adversary, Eve, creates a public and private key and tricks Bob into registering pk_E as a trusted certificate authority (that is, Bob thinks Eve is a trusted certificate authority). Assume that Alice is a web server and Bob a client and they connect to one another using SSL/TLS. Show a Man in the Middle attack allowing Eve to listen in on all communication between Alice and Bob even if Alice and Bob use SSL/TLS and even if Alice (the server) has a certificate from a real certificate authority (Alice does not trust Eve as a CA).
