EXERCISES Flashcards
1
Q
- cookie = K, src
- cookie = h(src)
- cookie = h(K)
A
- An attacker initiates one normal 3-way handshake and now has the key. Now the attacker can calculate all cookies for spoofed requests.
- There is no secret in the cookie; the attacker can just calculate the cookie for all spoofed requests.
- The cookie is the same for every spoofed source address and the cookie never changes. An attacker initiates one normal 3-way handshake and now has the cookie.
2
Q
b) Authorization and Authentication are often used in conjunction. Think about a scenario where Authorization and Authentication are both needed.
A
- Needed in scenarios where we want to achieve fine-grained access control.
- For instance, we want to create an access control system that enforces that Alice may create, read, and modify files in a file system.
- However, Bob can only read the files that Alice and other users have created.
- In the first step, such an access control system must authenticate the user; in the second step, it can determine (and enforce) the user’s access rights.
3
Q
c) Can you think about a scenario where some actions/events/… are authorized, but no authentication is needed?
A
- For instance, a network firewall.
- It works on IPs, ports, and protocols but usually does not (need to) authenticate communicating parties.
- However, it authorizes some communication events based on a rule list and discards others.