* 4 *

Authentication

Self-test problems

  1. Explain what is meant by entity authentication and origin authentication.
  2. Explain how encryption can play a role in authenticating an entity.
  3. What is meant by replay attack? How can one protect against such an attack?
  4. Explain how a challenge response system can be deisgned so that it is not necessary to send a password over the network.

Graded problems

These exercises can be done as a group.
  1. This exercise is about executing commands remotely using Secure Shell authentication. In the old rsh protocol, you would use the .rhosts file to declare trusted hosts. The problem with this was that it was easy to falsify the protocol request and gain illegal access to user accounts. With secure shell, you use a public and private key pair which ensures that the connection will be authenticated by host/username since only the owner of a private key can decrypt the commands.
    ssh cube /bin/ls
    
    Or, you can log onto other hosts in the network without giving a password.
    ssh mulder
    
    Last login: Wed Aug 25 10:45:15 1999
    You have mail.
    Linux mulder 2.2.10 #1 SMP Fri Jul 23 14:43:11 MET DST 1999 i586 unknown
    
    mulder%
    
    Explain why this is more secure than the old .rhosts approach. What is the purpose of the pass-phrase you were asked for? Would the use of a pass phrase increase security?
  2. The secure shell authentication above, is similar to the idea behind PGP/GPG. If public-private key technology had not been invented, we would have had to use something like the Needham-Schroeder protocol in order build a secure shell, i.e. Kerberos on a large scale. Does the public-private key technology improve our ability to trust identity? Would Needham-Schroeder work as well? (Think about trust and third parties). Needham-Schroeder needs a server with trusted keys on it -- does ssh need this? What happens the first time you connect to a host?
  3. Using the methods and examples in the lecture on risk assessment, draw a fault tree for cheating on exams. Your fault tree should include written exams and project exams. For each possible threat, describe how the examinination system attempts to achieve security. How good is the examination system, in protecting students and the college from fraud?

Back