exam 3

Question 1

what is slow start

Answer 1

• a technique to discover the network capacity
• start with cong win = 1
• double each RTT (grow exponentially)
• keeps growing until it hits a threshold or packet loss
• then AIMD starts

Question 2

what is DECbit

Answer 2

• early congestion control
• routers set DECbit in packet header if its experiencing congestion
• sender looks at DECbit on ACKS and adjusts the window size acordingly

Question 3

Random Early Detection (RED)

Answer 3

• used to detect and signal congestion before it happens
• drops packets based on threshold sizes of queue

q < min: no packets dropped
q >max: all incoming packets drops
min < q < max: packets randomly drop with prob linear to q

Question 4

Source-Based Congestion
Avoidance

Answer 4

source watches for signs that routers queue is building up

can watch for:
- RTT changes
- throughut

Question 5

what is “fair” in fair queueing

Answer 5

• each flow gets reasonable access to resources
• no starvation
• equal access under equal condition
• proportional resource alocation

Question 6

what is the min-max alg

Answer 6

• to maximize the minimum alocation we can provide to each flow

1) divide recourse evenly to all flows
2) if a flow has excess they return the excess
3) excess is split between the rest of the flows

Question 7

how does weighted min-max differ

Answer 7

• each flow has a weight
• instead of equal split, it is porportional to the weights.

let c = capacity
1) add up all weights = n
2) for flow i with weight w: allocate (w/n) * c

Question 8

FIFO

Answer 8

• first in first out
• uses tail drop to drop packet if queue is full

Question 9

priority queue

Answer 9

• multiple queues for different priorities
• serve highest priority first
• can cause starvation

Question 10

fair queueing

Answer 10

• separate queue for each flow
• each queue gets a turn by round robin

Question 11

fair queueing with variable packet length

Answer 11

• way to choose which packet to consume

let Si = 0 for flow i

when a packet is consumed from flow i, Si += P (P = packet length)

choose packet such that (Si + P) is min

break ties with lowest flow ID

weighted version: Si += P/wi

Question 12

confidentiality

Answer 12

control access to info

Question 13

integrity

Answer 13

keeping info valid, data wasnt changed or altered

Question 14

availability

Answer 14

keep info available

Question 15

authenticity

Answer 15

data came from trusted/correct source

Question 16

accountability

Answer 16

actions by a user can be traced back to them

Question 17

non-repudiation

Answer 17

once something is done, you cant deny it was done

Question 18

passive attacks

Answer 18

• does not disrupt operations
• used to listen and gain info
• hard to detect, easy to prevent

Question 19

active attack

Answer 19

• very broad, can disrupt operations
• hard to prevent, easy to detect

Question 20

message release attack

Answer 20

• passive
• read contents of messages directly
• prevent using encryption

Question 21

traffic analysis

Answer 21

• learn info like credentials, location… without directly seeing the messages

Question 22

masqurade attacks

Answer 22

• active
• pretending to be someone else to gain unauthorized access to systems.

Question 23

replay attack

Answer 23

• active
• capture message, then replay it unchanged to the receiver
• used to gain information

Question 24

modification of message attack

Answer 24

• active
• intercepts and alters message between 2 parties

Question 25

denial of service attack

Answer 25

- active - goal of disrupting operations of system. - can be done by overloading the server

Question 26

symmetric vs asymmetric encryption

Answer 26

symmetric: - both users use the same key asymmetric: - use private and public keys

Question 27

what does the strength of the security rely on

Answer 27

- the length of the key - encryption alg complexity the encryption alg is known by everyne

Question 28

how to ensure message was not tampered or corupted

Answer 28

mac: - F (k, msg) - a function creates a value from a key, and the message - the value is sent along with the message - the receiver computes a value and compares it to the sent value one way hash: - no key - message is hashed and encrypted with a shared secret - receiver de-crypts it and computes its own hash and compares

Question 29

predeistribution of public keys

Answer 29

- user gives the world their public key along with their id - attacker will want to give their public key along with someone elses id - we use CA to verify the authenticity of the key

Question 30

CA

Answer 30

- acts as a chain of vouching - starts at a core trusted org and branches down

Question 31

how does challenge response work

Answer 31

- to authenticate a user without sharing the secret 1) client sends auth request to server 2) server sends challenge to user (timestamp) 3) client computes answer to challenge (signs timestamp with private key) 4) server verfies solution (using clients public key)

Question 32

what is challenge-response vulnerable to

Answer 32

MITM attacker gets the answer from client and sends to server. so it authenticates itselfw

Question 33

what is challenge-response immune to

Answer 33

replay attacks since it uses a unique challenge each time the attacker cant simply resend the same thing

Question 34

public key authorization with clock sync

Answer 34

- alice sends timestamp to bob - bob checks if request is fresh - bob replys with a session key that they then use for coms

Question 35

public key authorization with no clock sync

Answer 35

- alice sends timestamp to bob, bob sends his time and alices back to alice - alice decides if its fresh - alice sends bob sesh key

Question 36

symmetric key

Answer 36

- all users give the master key to the KDC - KDC generates a session key - users use the session key for coms

Question 37

needham-shroeder

Answer 37

- based on symetric key - only one user contacts the KDC - KDC returns a sesh key and a ticket - user gives ticket to other user who decrypts it to get the key

Question 38

how does needham-shroeder prevent replay attacks

Answer 38

- it uses nonce (random num) to ensure uniqueness of session

Question 39

kuberos

Answer 39

- based on needham-shroeder - for client server coms - auth by password - master key is derived from pass 1) client sends auth req to KDC with name and pass as the master key 2) KDC auth system returns a ticket 3) client sends the ticket to KDC ticket granter 4) ticket granter returns a token to the client 5) client shares token with server

Question 40

goal of Diffie-Hellman Key Agreement

Answer 40

- to agree on a shared key without accually sharing a key

Question 41

how does Diffie-Hellman Key Agreement work

Answer 41

- users agree on large prime num P and base prime root g - each user generates a private key (a) - each user generates public key (k) by doing g^a mod P - users exchange public keys - users do: k^a mod P - due to modular exponentiation, they both end up with the same key

Question 42

what is Diffie-Hellman Key Agreement vulnerable to what, why, fix

Answer 42

MITM it doesnt provide authentication so someone could intercept and create their own keys and relay the messages fix it with predistributed public keys

Question 43

Pretty Good Privacy (for what, how)

Answer 43

- for email and files - user has public and private key - user generates session key - user encrypts message with session key and encrypts session key with receivers public key - send msg and session key to receiver - reciever decrypts them with their public key - dups possible

Question 44

how is IPsec modular

Answer 44

allows users to select from a variety of cryptographic algorithms

Question 45

applications of IPsec

Answer 45

- secure branch office over internet - secure remote access over internet

Question 46

IPsec transport mode

Answer 46

- only payload is encrypted - used for end-to-end coms