The University of Sydney
School of Computer Science
Dr Suranga Seneviratne, Senior Lecturer - Security

INO3616/CSEC3616/CSEC5616 - S2 2024
Assignment - 3

This is an individual assignment. This assignment is worth 10% of the final marks of the course and covers the content of Weeks 7-9 (inclusive).

Submit your final report as a PDF and artefacts (i.e., the certificate generated in Q1-(d)) as a zip file in Canvas. In Canvas, under Assignment 3, you will find two links to submit your report and artefacts separately.

Final Report and Artefacts: Due by Week 11, Sunday the 20th of October, 2024 11:59 PM

*** IMPORTANT ***: In your answer sheet DO NOT repeat the questions. Simply include the question number and your answer only. If you include question text in your answer sheet, your TurnItIn score will be high and there will be additional checks. This will cause a delay in releasing your marks. We will also impose a penalty of 10% of the total marks.

1 Public Key Infrastructure and Transport Layer Security (30 marks)

a) Inspect a certificate (3 marks)

Inspect the given full-cert-chain.pem containing a chain of certificates using a tool such as openssl and complete the blanks in Figure 1.

| Certificate | Issuer Organization | Issuer Common Name | Subject Organization | Subject Common Name |
|---|---|---|---|---|
| End Certificate | i) ........ | ii) ........ | iii) ........ | iv) ........ |
| Intermediate Certificate | v) ........ | vi) ........ | vii) ........ | viii) ........ |
| Root Certificate | ix) ........ | x) ........ | xi) ........ | xii) ........ |

Figure 1: full-cert-chain.pem Certificate Chain

b) Study the given trace file 1.pcapng and answer the following questions

You are given two Wireshark (https://www.wireshark.org/) traces taken while loading the homepage of The University of Sydney. The two traces are in pcapng (https://pcapng.com/) format. Your task is to install the Wireshark software on your computer, inspect the traces, and answer the following questions.

i) What are the source and destination IP addresses of the given communication? (2 marks)
ii) Which one of these is a private IP address? Explain why a private IP address is used in this setting. (2 marks)
iii) Explain the functionality of the first three packets of the trace file. (2 marks)
iv) Draw and annotate a protocol diagram using the first five TLS packets of the trace (an example protocol diagram can be found in Slide 55 of the Week 8 lecture slides). (2 marks)
v) What is the agreed cipher suite between the client and the server? (1 mark)
vi) Explain what cryptographic schemes/methods are used in the selected cipher suite for: Key Exchange, Authentication, Encryption, Encryption/Block Mode, Message Authentication. (2 marks)
vii) What are the last four bytes of the server's Diffie-Hellman public key? (1 mark)
viii) Export the three certificates in the Server's Certificate Message and fill in a figure similar to Figure 1. Here you will have to do your own search to find out how to export certificates from Wireshark and view them using openssl, as you learned during tutorials. (5 marks)

c) A different trace

Study the given trace file 2.pcapng. You will notice that the TLS protocol flow is different here. Explain why some TLS messages such as Server Certificate are not visible in plaintext format in this trace. (2 marks)

d) Build your own certificate chain

Make a three-level certificate chain of your own using openssl. For the Common Names (CN) use your Student ID and the suffixes "Root", "Intermediate" and "End". You can use any value for the rest of the parameters. Collate the three certificates into one pem file and submit it in the artefacts link (this is the second link in Canvas for Assignment 3). Include and explain the sequence of openssl commands you used in the report. (8 marks)

2 Key Exchange (20 marks)

Consider the following protocol, designed to let A and B decide on a fresh, shared session key $K'_{AB}$. We assume they already share a long-term key $K_{AB}$.

1. $A \to B : A, N_A$
2. $B \to A : E(K_{AB}, [N_A, K'_{AB}])$
3. $A \to B : E(K'_{AB}, N_A)$

a) Answer the following questions regarding the protocol designer's reasoning (8 marks).

• Why would A and B believe, after the protocol ran, that they share $K'_{AB}$ with the other party?
• Why would they believe that this shared key is fresh?

In both cases, you should explain the reasons of both A and B, so your answer should complete the sentences:

A believes that she shares $K'_{AB}$ with B since ...
B believes that he shares $K'_{AB}$ with A since ...
A believes that $K'_{AB}$ is fresh since ...
B believes that $K'_{AB}$ is fresh since ...

b) Person in the middle (8 marks)

Assume now that A starts a run of this protocol with B. However, the connection is intercepted by the adversary C. Show how C can start a new run of the protocol using reflection (i.e., C sending a message back to A based on what it received from A), causing A to believe that she has agreed on a fresh key with B (in spite of the fact that she has only been communicating with C). Thus, in particular, the belief in (a) is false.

c) Modifying the protocol (4 marks)

Propose a modification of the protocol that prevents this attack.

3 IP Security (IPSec) (10 marks)

i) Explain why IPSec is required. (1 mark)
ii) Explain the AH and ESP modes of IPSec, highlighting the differences between them. (2 marks)
iii) Explain the difference between transport and tunnel mode of IPSec. (1 mark)
iv) Describe and explain each of the entries in the table shown in Figure 2. For example, row 1 can be explained as "Traffic between this host and any other host, both using port 500, and using UDP, bypasses IPsec. This is used for IKE traffic." (6 marks)

Figure 2: Host SPD Example

4 Firewalls (20 marks)

We will configure firewalls in this task. Figure 3 shows a possible firewall setup. Your goals are:

• Outgoing traffic is only allowed to TCP ports 80 (HTTP), 443 (HTTPS), and 25 (SMTP); plus UDP ports 53 (DNS), 123 (NTP).
• Incoming traffic is always allowed if there is an established connection, i.e. if the connection has been established from a host in the local network.
• Host 129.78.1.1 is reachable (incoming connection) from everywhere on port 80.
• Host 129.78.1.2 is reachable (incoming connection) on port 22 (SSH) from 129.78.0.0/16.
• Incoming and outgoing ping packets are allowed.
• No other incoming traffic is allowed.

Figure 3: Firewall setup. (Diagram labels: Internet, Packet Filtering Router, eth0, eth1, 129.78.0.0/16.)

a) Configuring a stateful firewall (10 marks)

Write stateful rules in table form as shown in the lecture. A template is given in Table 1. You are free to add more rows to the table, if required. However, do not add too many unnecessary rules. Implement the policies using as few rules as possible.

| Rule | Incoming Interface | Src IP | Dst IP | Proto | Src Port | Dst Port | State | Action |
|---|---|---|---|---|---|---|---|---|
| A | | | | | | | | |
| B | | | | | | | | |
| C | | | | | | | | |
| D | | | | | | | | |
| E | | | | | | | | |
| F | | | | | | | | |
| G | | | | | | | | |

Table 1: Template for stateful filtering.

b) Converting to stateless filtering (10 marks)

Convert your rules to stateless filtering rules. A template is given in Table 2. Again, you are free to add more rows to the table, if required. However, do not add too many unnecessary rules. Implement the policies using as few rules as possible.

| Rule | Iface | Src IP | Dst IP | Proto | Src Port | Dst Port | ACK | Action |
|---|---|---|---|---|---|---|---|---|
| A | | | | | | | | |
| B | | | | | | | | |
| C | | | | | | | | |
| D | | | | | | | | |
| E | | | | | | | | |
| F | | | | | | | | |
| G | | | | | | | | |

Table 2: Template for stateless filtering.

5 Incident Analysis: Optus Data Breach (20 marks)

Read about the Optus Data Breach that happened in 2022 and answer the following questions. There have been many news reports and expert commentary on this - you should be able to find many resources online.

a) Briefly explain what happened (12 marks). Include the following in your answer.

• What data was breached? (2 marks)
• How did the attacker obtain access to data? (2 marks)
• How did Optus respond when they came to know about the breach? This answer should cover not only technical aspects but also legal, customer relations, and public relations aspects. (4 marks)
• What are the possible risks (i.e., to the impacted users) associated with this data breach? (4 marks)

b) Storing personal information (4 marks)

What makes this attack significant is the fact that driver's licence numbers and passport numbers were breached for a fraction of Optus customers.

• Explain why Optus was storing such information. (2 marks)
• Explain a better method of storing such information to avoid this type of data breach happening. (2 marks)

c) The aftermath (4 marks)

The repercussions of this attack will linger for several years, impacting all stakeholders. These include Optus customers, whose data was compromised, Optus as a corporate entity, and the Australian government along with other regulatory bodies.

• Explain two steps taken by Optus (in collaboration with other stakeholders) to protect some of the impacted users. (4 marks)
