% author: Christian Urban <urbanc@in.tum.de>
% date: Sat, 08 Oct 2016 13:54:14 +0100
% changeset 471:97ab057cbd2e (parent 464:f76e1456b365, child 475:c5d9e164c5f1)
\documentclass{article}
\usepackage{../style}

\begin{document}

\section*{Homework 1}

\HEADER

\begin{enumerate}
\item {\bf (Optional)} If you want to have a look at the code
presented in the lectures, install \texttt{Node.js}, available (for free) from
\begin{center}
\url{http://nodejs.org}
\end{center}

You also need the Node packages Express, Cookie-Parser and
Body-Parser, which can be installed using the Node package
manager \texttt{npm}. The \texttt{crypto} module used by the code
ships with Node.js itself and does not need to be installed separately.

\item Practice thinking like an attacker. Assume the following situation:

\begin{quote}\it
Prof.~V.~Nasty gives the following final exam question (closed books, closed notes):\bigskip

\noindent
\begin{tabular}{@ {}l}
Write the first 100 digits of pi:\\
3.\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_\_
\end{tabular}
\end{quote}

\noindent
Think of ways in which you could cheat in this exam. How would you
defend against such cheats?

\item Here is another puzzle where you can practice thinking
like an attacker: Consider modern car keys. They
wirelessly lock and unlock the central locking system of
the car. Whenever you lock the car, the car ``responds''
by flashing the indicator lights. Can you think of a
security-relevant purpose for that? (Hint: Imagine you
are in the business of stealing cars. What attack would
be easier to perform if the lights did not flash?)
%Should the car also make a ``beep noise'' when it
%unlocks the doors? Which threat could be thwarted
%by that?

\item And another one: A water company installed devices that
transmit meter readings when the company's car drives
by. How can this transmitted data be abused if it is not
properly encrypted? Once you have identified an abuse, how
would you encrypt the data so that this abuse is
prevented? Hint: Consider the fact that every person
uses approximately 120\,l of water every day.

%\item And another one: Nowadays everybody and their
% grandmother seems to be scared about a bomb going off at
% a big event, say a football game. To mitigate such a
% threat, you order expensive metal detectors and hire a
% security team that will staff these detectors at each
% game. Think whether people are really safer at a
% football game with metal detectors or not. Hint: People
% certainly might *\emph{feel}* safer by going through
% metal detectors, but the question is whether they
% *\emph{are}* safer. Hint: Consider how people arrive at
% such an event: within a relatively short amount of time,
% thousands, if not more, spectators will arrive at your
% football game.

%% CYA security - cover-your-ass
% It's an attitude I've seen before: "Something must
% be done. This is something. Therefore, we must do it."
% Never mind if the something makes any sense or not.



%\item Imagine there was recently a break-in where computer criminals
% stole a large password database containing

\item Explain what hashes and salts are. Describe how they can be used
for ensuring data integrity and storing password information.

\item What is the difference between a brute-force attack and a
dictionary attack on passwords?

\item Even good passwords consisting of 8 characters can be
broken in around 50 days (obviously this time varies a
lot and also gets shorter and shorter over time). Do you
think it is good policy to require users to change their
password every 3 months (as King's did until recently)?
Under which circumstances should users be required to
change their password?

\item The biggest dictionary for dictionary attacks I know of
contains 15 billion entries. If you try out all of these
15 billion entries in order to crack one password, what
percentage of the full brute-force space have you
covered? For this assume passwords use 62 characters and
are typically 8 characters long.

\item What are good uses of cookies (that is, browser cookies)?

\item Why is making bank customers liable for financial fraud a bad
design choice for credit card payments?

\item \POSTSCRIPT
\end{enumerate}

\end{document}

%%% Local Variables:
%%% mode: latex
%%% TeX-master: t
%%% End: