* 5 *


  1. What is a replay attack? How can we avoid replays? Eavesdrop/wiretap during challenge/response authentication. Record a session and try to play back the correct response to challenges at a later time. Solution: include timestamps or session-dependent data.
  2. What is meant by a session key? What is meant by a one-time password? A session key is a random encryption key which is used only for the duration of the current session. A one-time password is an authentication key which is generated randomly and used in place of a password in order to authenticate a user. In order to obtain a one-time password, the user must know his or her password, but by sending the one-time password, we avoid sending the true password over the network where it could be overheard on a wiretap.
  3. Explain how encryption can help with message authentication, even if the encryption is weak and easily broken. If encryption is based on a secret known only to the sender and receiver, then the receiver and sender can be sure of one another's identities by virtue of being able to decrypt data. If encryption is based on one-time keys in addition, then it doesn't matter that the encryption is weak, as long as it could not be broken and faked while the message is being transmitted.
  4. Describe the basic idea behind the Kerberos system. What are the major drawbacks of Kerberos? Drawbacks are security problems in multiuser systems.
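An added example (not part of the original answer sheet) of the defence in question 1: a challenge/response verifier that binds each response to a fresh random challenge with an issue time, so a recorded response is rejected when replayed or when the challenge has expired. The shared secret and the clock values are constructed for the demonstration.

```python
import hmac
import hashlib
import os

SHARED_SECRET = b"example-shared-secret"  # constructed; a real deployment provisions this per user


class Server:
    """Issues random challenges and rejects replayed or stale responses."""

    def __init__(self, secret: bytes, window: int = 30):
        self.secret = secret
        self.window = window      # seconds a challenge stays valid
        self.pending = {}         # nonce -> time it was issued
        self.used = set()         # nonces already consumed by a successful login

    def challenge(self, now: int) -> str:
        nonce = os.urandom(16).hex()   # session-dependent data: fresh every time
        self.pending[nonce] = now
        return nonce

    def verify(self, nonce: str, response: str, now: int) -> bool:
        if nonce in self.used:
            return False               # replay of an already-consumed challenge
        issued = self.pending.get(nonce)
        if issued is None or now - issued > self.window:
            return False               # unknown challenge, or the timestamp check failed
        expected = hmac.new(self.secret, nonce.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, response):
            return False               # response does not match this challenge
        self.used.add(nonce)
        del self.pending[nonce]
        return True


def client_respond(secret: bytes, nonce: str) -> str:
    """Client proves knowledge of the secret without sending it."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def demo():
    srv = Server(SHARED_SECRET)
    nonce = srv.challenge(now=1000)
    resp = client_respond(SHARED_SECRET, nonce)   # an eavesdropper records (nonce, resp)
    first = srv.verify(nonce, resp, now=1001)      # fresh and correct -> accepted
    replay = srv.verify(nonce, resp, now=1050)     # same pair played back -> rejected
    nonce2 = srv.challenge(now=2000)
    cross = srv.verify(nonce2, resp, now=2001)     # old response, new challenge -> rejected
    stale = srv.challenge(now=3000)
    expired = srv.verify(stale, client_respond(SHARED_SECRET, stale), now=3040)  # past window
    return first, replay, cross, expired
```

In production the `now` argument would come from the server clock; it is passed in here so the run is deterministic.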