Logout Open In App
Open In App
Warning: foreach() argument must be of type array|object, bool given in /var/www/html/web/app/themes/studypress-core-theme/template-parts/header/mobile-offcanvas.php on line 20

Chapter 8: Problem 5

Alice wants to communicate with the www.vunl Web site, but the entry for this domain in her name server was poisoned so that the packets end up at an attacker-controlled machine. To what extent is the attacker able to compromise Confidentiality, Integrity, and Authenticity in the following cases: (a) unencrypted (http) communication between Alice and www.vu.nl, (b) encrypted (https) communication between Alice and www.vu.nl when the Web site uses a self-signed certificate, (c) encrypted (https) communication between Alice and www.vu nl when the Web site uses a certificate signed by a legitimate certificate authority?

Short Answer

Expert verified
(a) Complete compromise of CIA. (b) Confidentiality maintained, but integrity and authenticity compromised. (c) CIA generally protected, but DNS hijacking remains a risk.

Step by step solution

01

Understand the Terms

Confidentiality ensures that data is only accessible to authorized parties. Integrity ensures that the data hasn't been altered in an unauthorized way. Authenticity ensures that the communication parties are who they claim to be.
02

Case (a) - HTTP Communication

In unencrypted HTTP communication, the attacker can intercept and read all the data, compromising confidentiality completely. The attacker can also modify the data, compromising integrity. Since there's no verification of identity in HTTP, authenticity is also not ensured.
03

Case (b) - HTTPS with Self-Signed Certificate

An HTTPS connection using a self-signed certificate provides encryption, so confidentiality is maintained as data between Alice and the attacker is encrypted. However, without a trusted certificate authority, authenticity is compromised as the attacker can impersonate the www.vu.nl website. Integrity could also be compromised if the attacker provides a fake self-signed certificate.
04

Case (c) - HTTPS with Trusted Certificate Authority

With a legitimate certificate authority, the attacker faces challenges. Confidentiality is generally maintained with encryption, integrity is preserved since alteration can be detected, and authenticity is verified through the trusted authority. However, if the attacker has already hijacked the DNS, they might attempt a man-in-the-middle attack, yet this is much more complicated.

Unlock Step-by-Step Solutions & Ace Your Exams!

  • Full Textbook Solutions

    Get detailed explanations and key concepts

  • Unlimited Al creation

    Al flashcards, explanations, exams and more...

  • Ads-free access

    To over 500 millions flashcards

  • Money-back guarantee

    We refund you if you fail your exam.

Start your free trial

Over 30 million students worldwide already upgrade their learning with Vaia!

Key Concepts

These are the key concepts you need to understand to accurately answer the question.

DNS Spoofing
DNS Spoofing is a malicious activity where an attacker alters the DNS records to redirect internet traffic to a different destination than intended. This can happen when an attacker "poisons" the DNS cache, leading users to illegitimate sites unknowingly. Imagine walking through a doorway expecting to enter a grocery store, but instead, you find yourself in a junkyard due to a swapped sign.
  • During DNS Spoofing, attackers can trick users into divulging sensitive information or infect their systems with malware.
  • The information is redirected to attackers, making it appear legitimate at the outset.
  • It is a major threat to internet security, especially since it targets the foundational layer of internet communication—the DNS.

Preventative measures include implementing DNS security extensions (DNSSEC) and regularly updating DNS server configurations. DNSSEC can authenticate the origin and integrity of DNS data, helping to protect against spoofing.
Confidentiality
Confidentiality in the context of network security refers to keeping information secret from unauthorized users. In simple terms, it ensures that sensitive data is accessed only by those with the right permissions. For Alice trying to communicate with a website, confidentiality is crucial to keep her data safe from attackers.
  • From our exercise, without encryption (HTTP), attackers can easily eavesdrop and steal sensitive information like passwords and personal data.
  • However, using HTTPS encrypts data in transit, enhancing confidentiality. It ensures that even if packets are intercepted, they are unreadable to those without the key.
  • Self-signed certificates provide some level of encryption, but the trustworthiness can be questioned since they aren't validated by an external authority.

Adopting strong encryption methods, like TLS, and using reputable certificate authorities are effective ways to secure confidential information.
Integrity
Integrity ensures that information remains unaltered during transmission. In network security, data integrity means maintaining the accuracy and consistency of data over its entire lifecycle.
  • For example, if Alice sends data but it's altered by an attacker due to DNS Spoofing, the integrity is compromised.
  • With unencrypted HTTP, modifications can be made easily, misleading the parties involved.
  • HTTPS helps by using cryptographic hash functions to detect any alterations.
  • When using a trusted certificate authority, pop-ups or warnings are issued if changes occur, alerting users to potential tampering.

Maintaining integrity is essential for building trust in communications and preventing malicious activities. This can involve mechanisms like checksums and digital signatures to verify that data remains untouched.
Authenticity
Authenticity is about confirming that the entities we communicate with are who they claim to be. It involves verifying identities to ensure users do not fall victim to deceitful activities.
  • Under HTTP, there’s no mechanism to validate the identity, leaving users vulnerable to DNS Spoofing.
  • A self-signed certificate doesn't suffice for authenticity as it lacks external verification, making impersonation straightforward for attackers.
  • Conversely, a certificate from a trusted authority authenticates the identity, helping users recognize legitimate sites.
  • It also employs cryptographic techniques to ensure that communications have not been altered en route.

To genuinely secure authenticity, one should rely on HTTPS connections verified by a trusted certificate authority, which helps confirm the legitimacy of the communication endpoint before any data transactions.

One App. One Place for Learning.

All the tools & learning materials you need for study success - in one app.

Get started for free

Most popular questions from this chapter

What is an algorithmic complexity DoS attack?

Alice and Bob use RSA public key encryption in order to communicate between them. Trudy finds out that Alice and Bob shared one of the primes used to determine the number \(n\) of their public key pairs. In other words, Trudy found out that \(n_{a}=p_{a} \times q\) and \(n_{b}=p_{b} \times q\). How can Trudy use this information to break Alice's code?

A few years from now, you are a teaching assistant for Computer Networks. You explain to the students that in RSA cryptography, the public and private keys consist of \((e, n)\) and \((d, n)\) respectively. The possible values of \(e\) and \(d\) depend on a value \(z\),whose possible values depend in turn on \(n\). One of the students comments that this scheme is unnecessarily complicated, and proposes to simply it. Instead of selecting \(d\) as a relative prime to \(z, d\) is selected as a relative prime to \(n\). Then \(e\) is found such that \(e \times d=1\) modulo \(n\). This way, \(z\) is no longer needed. How does this change affect the effort required to break the cipher?

Point-of-sale terminals that use magnetic-stripe cards and PIN codes have a fatal flaw: a malicious merchant can modify his card reader to log all the information on the card and the PIN code in order to post additional (fake) transactions in the future. Next generation terminals will use cards with a complete CPU, keyboard, and tiny display on the card. Devise a protocol for this system that malicious merchants cannot break.

Alice wants to communicate with Bob, using public-key cryptography. She establishes a connection to someone she hopes is Bob. She asks him for his public key and he sends it to her in plaintext along with an X.509 certificate signed by the root CA. Alice already has the public key of the root CA. What steps does Alice carry out to verify that she is talking to Bob? Assume that Bob does not care who he is talking to (e.g., Bob is some kind of public service).
See all solutions

Recommended explanations on Computer Science Textbooks

Databases

Read Explanation

Big Data

Read Explanation

Data Structures

Read Explanation

Blockchain Technology

Read Explanation

Computer Organisation and Architecture

Read Explanation

Cloud Services

Read Explanation
View all explanations

What do you think about this solution?

We value your feedback to improve our textbook solutions.

Study anywhere. Anytime. Across all devices.

Sign-up for free