hws/hw01.tex
author Christian Urban <urbanc@in.tum.de>
Sat, 08 Oct 2016 13:54:14 +0100
changeset 471 97ab057cbd2e
parent 464 f76e1456b365
child 475 c5d9e164c5f1
permissions -rw-r--r--
updated
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
     1
\documentclass{article}
169
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
     2
\usepackage{../style}
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
     3
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
     4
\begin{document}
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
     5
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
     6
\section*{Homework 1}
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
     7
382
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
     8
\HEADER
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
     9
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    10
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    11
\begin{enumerate}
165
6f84ad98cf49 added homework
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 97
diff changeset
    12
\item {\bf (Optional)} If you want to have a look at the code
169
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    13
  presented in the lectures, install \texttt{Node.js} available (for free) from
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    14
\begin{center}
165
6f84ad98cf49 added homework
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 97
diff changeset
    15
\url{http://nodejs.org}
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    16
\end{center}
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    17
371
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    18
It needs also the Node-packages Express, Cookie-Parser,
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    19
Body-Parser and Crypto. They can be easily installed using the
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    20
Node package manager \texttt{npm}.
165
6f84ad98cf49 added homework
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 97
diff changeset
    21
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    22
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    23
\item Practice thinking like an attacker. Assume the following situation:
169
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    24
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    25
  \begin{quote}\it
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    26
    Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    27
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    28
    \noindent
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    29
    \begin{tabular}{@ {}l}
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    30
      Write the first 100 digits of pi:\\
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    31
      3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    32
    \end{tabular}
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    33
  \end{quote}
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    34
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    35
\noindent
169
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    36
Think of ways how you can cheat in this exam? How would you defend
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
    37
against such cheats.
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    38
371
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    39
\item Here is another puzzle where you can practice thinking
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    40
      like an attacker: Consider modern car keys. They
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    41
      wirelessly open and close the central locking system of
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    42
      the car. Whenever you lock the car, the car ``responds''
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    43
      by flashing the indicator lights. Can you think of a
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    44
      security relevant purpose for that? (Hint: Imagine you
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    45
      are in the business of stealing cars. What attack would
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    46
      be easier to perform if the lights do not flash?)
464
f76e1456b365 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 459
diff changeset
    47
      %Should the car also make a ``beep noise'' when it
f76e1456b365 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 459
diff changeset
    48
      %unlocks the doors? Which threat could be thwarted
f76e1456b365 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 459
diff changeset
    49
      %by that?
328
7ae9a893b76f updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 171
diff changeset
    50
371
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    51
\item And another one: A water company installed devices that
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    52
      transmit meter readings when their company car drives
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    53
      by. How can this transmitted data be abused, if not
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    54
      properly encrypted? If you identified an abuse, then how
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    55
      would you encrypt the data so that such an abuse is
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    56
      prevented. Hint: Consider the fact that every person
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    57
      uses approximately 120l of water every day.
690d778b9127 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 370
diff changeset
    58
382
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    59
%\item And another one: Nowadays everybody and their
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    60
%      grandmother seems to be scared about a bomb going off at
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    61
%      a big event, say a football game. To mitigate such a
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    62
%      threat, you order expensive metal detectors and hire a
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    63
%      security team that will staff these detectors at each
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    64
%      game. Think whether people are really safer at a
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    65
%      football game with metal detectors or not. Hint: People
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    66
%      certainly might *\emph{feel}* safer by going through
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    67
%      metal detectors, but the question is whether they
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    68
%      *\emph{are}* safer. Hint: Consider how people arrive at
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    69
%      such an event: within a relative short amount of time,
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    70
%      thousands, if not more, spectators will arrive at your
5b943e29b717 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 380
diff changeset
    71
%      football game.
370
ddac52c0014c updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 350
diff changeset
    72
372
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    73
%% CYA security - cover-your-ass
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    74
% It's an attitude I've seen before: "Something must 
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    75
% be done. This is something. Therefore, we must do it." 
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    76
% Never mind if the something makes any sense or not.
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    77
    
459
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
    78
372
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    79
486153025d71 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 371
diff changeset
    80
350
54d6fc856950 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 328
diff changeset
    81
%\item Imagine there was recently a break in where computer criminals
54d6fc856950 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 328
diff changeset
    82
%  stole a large password database containing 
54d6fc856950 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 328
diff changeset
    83
165
6f84ad98cf49 added homework
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 97
diff changeset
    84
\item Explain what hashes and salts are. Describe how they can be used
6f84ad98cf49 added homework
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 97
diff changeset
    85
  for ensuring data integrity and storing password information.
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
    86
171
6cdf4d3906e2 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 169
diff changeset
    87
\item What is the difference between a brute force attack and a 
6cdf4d3906e2 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 169
diff changeset
    88
  dictionary attack on passwords? 
380
948f4b39d55d updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 372
diff changeset
    89
  
413
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    90
\item Even good passwords consisting of 8 characters, can be
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    91
      broken in around 50 days (obviously this time varies a
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    92
      lot and also gets shorter and shorter over time). Do you
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    93
      think it is good policy to require users to change their
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    94
      password every 3 months (as King's did until recently)?
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    95
      Under which circumstance should users be required to
0f824ca252e4 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 384
diff changeset
    96
      change their password?
171
6cdf4d3906e2 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 169
diff changeset
    97
459
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
    98
\item The biggest dictionary for dictionary attacks I know
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
    99
      contains 15 Billion entries. If you try out all of these
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
   100
      15 Billion entries in order to hack one password how
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
   101
      much percent of the full brute-force space did you
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
   102
      cover. For this assume passwords use 62 charcaters and
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
   103
      are typically 8 characters long.
514485146641 updated home works
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 456
diff changeset
   104
14
Christian Urban <urbanc@in.tum.de>
parents: 10
diff changeset
   105
\item What are good uses of cookies (that is browser cookies)?
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   106
169
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
   107
\item Why is making bank customers liable for financial fraud a bad
2866fae8c1cf updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 165
diff changeset
   108
design choice for credit card payments?
165
6f84ad98cf49 added homework
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 97
diff changeset
   109
456
f65e4fa6e902 updated
Christian Urban <christian dot urban at kcl dot ac dot uk>
parents: 413
diff changeset
   110
\item \POSTSCRIPT
10
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   111
\end{enumerate}
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   112
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   113
\end{document}
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   114
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   115
%%% Local Variables: 
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   116
%%% mode: latex
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   117
%%% TeX-master: t
c8ff4c853130 new version
Christian Urban <urbanc@in.tum.de>
parents:
diff changeset
   118
%%% End: