Exercise 7.12 (Protocol version downgrade-dance attack). Implementations of TLS and SSL specify the version of the protocol in the Client Hello and Server Hello messages. If the server does not support the client's version, then it replies with an error message. When the client receives this error message ('version not supported'), it re-tries the handshake using the next-best version of TLS/SSL supported by the client. This method of ensuring backward compatibility with older versions of TLS/SSL is referred to as the downgrade dance.
Exercise 8.15 (SCSV certificate extension). The TLS Fallback Signaling Cipher Suite Value (SCSV) [229], discussed in subsection 7.5.6, is designed to mitigate the protocol version downgrade-dance attack; see subsection 7.5.6 and Exercise 7.12.
1. Consider a MitM attacker who impersonates the web server victim.com, to cause the client to downgrade to an insecure version of TLS; in this version, the attacker is able to find out the master key during the handshake. To foil SCSV, the attacker ignores it, i.e., behaves as if victim.com does not support SCSV. Show a sequence diagram showing how this attacker is able to establish the connection with the client in spite of SCSV.
2. Present an alternative defense to SCSV, which also prevents protocol downgrade attacks using a signalling mechanism, but a different signalling mechanism which uses an X.509 certificate extension.
3. Should your X.509 extension always be marked critical? Always non-critical? Sometimes (when?)? Justify.
Foundations of Cybersecurity: Applied Introduction to Cryptography
542 CHAPTER 8. PUBLIC KEY INFRASTRUCTURE (PKI)
4. Suppose a domain adopts your design, and upgrades its certificate accordingly. Is it required to revoke the previous certificate? Justify; if it is required, present an attack if this isn't done (with sequence diagram).
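The downgrade dance of Exercise 7.12 and the SCSV check of Exercise 8.15, as an added Python simulation that is not from the textbook or its solutions: the server applies the RFC 7507 rule, the client retries with the next-best version and flags every retry with the SCSV, and the constructed `scenarios()` show that a legacy-only server still negotiates normally while a retry caused by an error the genuine server never sent is rejected. `ORDINARY_SUITE` and the `with_spurious_error` wrapper are assumptions of the example.

```python
# Added example (not from the textbook): simulates the downgrade dance and the
# server-side TLS_FALLBACK_SCSV check of RFC 7507; no real TLS is spoken.

TLS_FALLBACK_SCSV = 0x5600                           # RFC 7507 cipher suite value
TLS_1_0, TLS_1_1, TLS_1_2 = (3, 1), (3, 2), (3, 3)  # versions as (major, minor)
ORDINARY_SUITE = 0x009C                              # constructed: any normal suite

class Alert(Exception):
    """A fatal alert sent instead of a ServerHello."""

def make_server(supported):
    """Return a ClientHello handler for a server supporting the given versions."""
    server_max = max(supported)
    def handle(client_version, cipher_suites):
        # RFC 7507: SCSV below the server's best version is an unwanted fallback.
        if TLS_FALLBACK_SCSV in cipher_suites and client_version < server_max:
            raise Alert("inappropriate_fallback")
        if client_version not in supported:          # textbook model: error reply
            raise Alert("protocol_version")
        return client_version
    return handle

def client_connect(handle, versions=(TLS_1_2, TLS_1_1, TLS_1_0)):
    """Downgrade dance; returns ("ok", version) or ("abort", alert_name)."""
    for attempt, version in enumerate(versions):
        suites = [ORDINARY_SUITE]
        if attempt > 0:
            suites.append(TLS_FALLBACK_SCSV)         # RFC 7507: flag every retry
        try:
            return ("ok", handle(version, suites))
        except Alert as alert:
            if alert.args[0] != "protocol_version":  # only dance on 'unsupported'
                return ("abort", alert.args[0])
    return ("abort", "no_common_version")

def with_spurious_error(handle):
    """Genuine server whose first reply is swapped for an error it never sent."""
    seen = []
    def wrapped(version, suites):
        seen.append(version)
        if len(seen) == 1:
            raise Alert("protocol_version")
        return handle(version, suites)
    return wrapped

def scenarios():
    # Constructed cases: modern server, legacy-only server, interfered server.
    modern = make_server({TLS_1_0, TLS_1_1, TLS_1_2})
    return (client_connect(modern), client_connect(make_server({TLS_1_0})),
            client_connect(with_spurious_error(modern)))
```

The check belongs to the genuine server: a peer that does not implement it never sends inappropriate_fallback, which is why item 2 asks for a signal carried in the certificate instead.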
Exercise 7.14 (TLS server without randomness). An IoT device provides an HTTP interface to clients, i.e., acts as a tiny web server. For authentication, clients send their commands together with a secret password, e.g., on, <password> and off, <password>. Communication is over TLS for security, with the RSA-based SSL/TLS handshake, as in Figure 7.10.
The IoT device does not have a source of randomness; hence, it computes the server-random r_S from the client-random r_C, using a fixed symmetric key k_S (kept only by the device), as: r_S = AES_{k_S}(r_C).
1. Present a message sequence diagram showing how an attacker, which can eavesdrop on a connection in which the client turned the device 'on', can later turn the device 'on' again, without the client being involved.
2. Would your answer change (and how), if the device supports ID-based session resumption? Ticket-based session resumption?
3. Show a secure method for the server to compute the server-random, which will not require a source of randomness. The IoT device may use and update a state variable s; your solution consists of the computation of the server-random: r_S = ______ and of the update to the state variable performed at the end of every handshake: s = ______.
3. Suppose that an adversary, Eve, creates a public and private key and tricks Bob into registering pk_E as a trusted certificate authority (that is, Bob thinks Eve is a trusted certificate authority). Assume that Alice is a web server and Bob a client and they connect to one another using SSL/TLS. Show a Man-in-the-Middle attack allowing Eve to listen in on all communication between Alice and Bob even if Alice and Bob use SSL/TLS and even if Alice (the server) has a certificate from a real certificate authority (Alice does not trust Eve as a CA).