计算机代考程序代写 SQL scheme x86 javascript dns database chain compiler Java cache algorithm 2021 – cscodehelp代写

Can the ABtesters JavaScript library running on Bear Bank’s homepage steal customer passwords from the login form in the iframe?
(A) Yes, because the ABtesters JavaScript library is running on the same page as the iframe.
(B) Yes, because the ABtesters JavaScript library can execute any JavaScript it wants on the Bear Bank’s homepage.
(C) No, because the ABtesters JavaScript library is not developed by Bear Bank itself.
(D) No, because the ABtesters JavaScript library has a different origin than the login form. (E)
(F)
After a user successfully logs into their account, Bear Bank’s website sets a session_token cookie to track the user’s logged in status and allows users to transfer funds by making a GET request to https://bearbank.com/transfer.
Q4.4 (3 points) Which of the following cookie attributes would cause the session_token cookie to be sent in a request to https://bearbank.com/transfer? Select all that apply.
(G) Domain=bearbank.com; Path=/transactions
(H) Domain=bearbank.com; Path=/transfer; Secure
(I) Domain=auth.bearbank.com; Path=/login; HttpOnly; Secure (J) None of the above
(K)
(L)
Solution: No. iframes have the origin of the website that’s being loaded, so the login form (domain auth.bearbank.com) inside the iframe has a different origin from the JavaScript library (domain bearbank.com) outside the iframe. The ABtesters JavaScript library outside the iframe will not be able to directly interact with the login form inside the iframe.
Solution: The browser sends a cookie to a given URL if the cookie’s Domain attribute is a domain-suffix of the URL domain, and the cookie’s Path attribute is a prefix of the URL path. In other words, the URL domain should end in the cookie’s Domain attribute, and the URL path should begin with the cookie’s Path attribute.
The first option will not be sent because the cookie path /transactions does not match the website path /transfer.
Final
Page 10 of 36
CS 161 – Spring 2021

The second option will be sent because the domain and path both match, and the request is over HTTPS (so the Secure flag does not stop the cookie from being sent).
The third option will not be sent because the cookie path /login does not match the website path /transfer.
Note that the HttpOnly flag prevents cookies from being loaded by JavaScript, so it is irrelevant here.
Q4.5 (3points) BearBankrealizesthattherearenoCSRFprotectionsonthetransferform,whichmeans attackers can steal money from users’ accounts.
Which of the following are reliable defenses against CSRF attacks? Select all that apply.
Clarification during exam: Everyone will receive credit for this question because we did not specify what it means for a defense to be “reliable.”
(A) Add a random CSRF token to the transfer form each time the page loads
(B) Check the referrer header on the server when processing the transfer form submission (C) Move the transfer form to an iframe hosted at https://transfer.bearbank.com (D) None of the above
(E)
(F)
Solution: The definition of “reliable” was not clear, so we gave everyone points for this question.
The intended solution was:
As discussed in lecture, CSRF tokens and checking the referer headers are valid CSRF defenses.
Submitting the transform form with a POST request is not a valid CSRF defense, because CSRF attacks are still possible on POST requests.
Moving the transfer form to a different origin does not prevent CSRF attacks.
The following subparts are independent of the previous subparts.
Tree Bank is different bank considering alternative security methods. Once a user is logged in, they can send HTTP requests to Tree Bank to make transactions. Each request contains a session token set by the server when the user first logged in. The requests do not contain any counters or timestamps. The requests are sent over HTTP (not HTTPS).
Eve is an on-path attacker.
Q4.6 (4 points) Eve observes a single request from EvanBot to Tree Bank, which contains a transaction. What can Eve do? Select all that apply.
Final Page 11 of 36 CS 161 – Spring 2021

(G) Learn EvanBot’s session token
(H) Learn the contents of EvanBot’s transaction (I) Learn EvanBot’s password
(J) Repeat EvanBot’s transaction
(K) None of the above
(L)
Q4.7 (4 points) Assume that the user knows Tree Bank’s public key, and Tree Bank’s corresponding private has not been compromised. Suppose that Tree Bank requires that the user encrypt the entire HTTP request (including the transaction and token) with the ElGamal scheme from lecture before sending it to the bank.
Solution: Eve sees the request and the session token. The token lets Eve hijack EvanBot’s session. Eve can replay the transaction (or log in and re-execute the transaction manually). Eve never sees EvanBot’s password in the request.
Solution: is vulnerable to replay attacks, so Eve can replay EvanBot’s transaction. However, does not leak plaintext if Eve only sees a single encryption.
Final
Page 12 of 36 CS 161 – Spring 2021
Q4.8
Eve observes a single encrypted request from EvanBot to Tree Bank, which contains a transaction. What can Eve do? Select all that apply.
(A) Learn EvanBot’s session token
(B) Learn the contents of EvanBot’s transaction (C) Learn EvanBot’s password
(D) Repeat EvanBot’s transaction
(E) None of the above
(F)
(3 points) What is the best way for the bank to defend against Eve’s attacks, and what concept best describes the design flaw that allowed Eve to compromise EvanBot’s requests?
(G) Use DNSSEC. Don’t build your own crypto. (H) Use TLS. Don’t build your own crypto.
(I) Use DNSSEC. Security is economics.

Final
Page 13 of 36 CS 161 – Spring 2021
(J) Use TLS. Security is economics. (K) Use DNSSEC. Least privilege. (L) Use TLS. Least privilege.
Solution: TLS gives us end-to-end security for communication across an insecure channel. The bank and user are trying to build their own crypto which is a bad idea.

Q5 TC sPeedy (15 points) To improve the speed of TCP, Alice suggests modifying the TCP protocol to allow data to be sent in the SYN and SYN-ACK packets during the 3-way handshake. The data in the SYN packet is immediately accepted by the server during the initial handshake (before the 3-way handshake finishes).1
Clarification during exam: In sub-parts 4 and 5, in subsequent connections, the token is sent only in the SYN packet.
Q5.1 (3 points) Which of the following attacks are possible on this modified scheme? Select all that apply.
Clarification during exam: “Reliably”means that the attacker doesn’t have to guess any values. (A) An off-path attacker can reliably inject packets after a connection has been established.
(B) An off-path attacker can reliably execute a RST injection attack.
(C) An off-path attacker can fool the server into accepting some spoofed data. (D) None of the above
(E)
(F)
Solution: After a connection has been established, an off-path attacker needs to guess se- quence numbers to inject a packet, so they cannot reliably inject packets into the connection or execute a RST injection attack.
However, the off-path attacker can spoof a SYN packet with some data. Since the SYN packet only contains a random initial sequence number, the off-path attacker doesn’t need to guess any sequence numbers. Since the server immediately accepts data in the SYN packet, the server will accept this spoofed data.
Q5.2 (2 points) Alice notices that her modified scheme may be vulnerable to a DoS attack where the attacker sends a large data payload in the SYN packet without completing the TCP handshake. She proposes including SYN cookies as part of her modification.
True or False: SYN cookies provide a valid defense against the proposed DoS attack. (G) True (H) False (I) (J) (K) (L)
1TCP Fast Open (TFO) started out in 2011 in an effort to reduce the the overhead of TCP’s 3-way handshake. However, the TFO project was scrapped and is currently disabled on all browsers. In this question, you will explore the TFO protocol and its potential vulnerabilities.
Solution: No, SYN cookies do not protect against an attacker who conducts a DoS attack by sending a large data payload in the SYN packet. SYN cookies merely protect against the accumulation of connection metadata due to incomplete 3-way handshakes. However,
Final Page 14 of 36 CS 161 – Spring 2021

regardless of whether SYN cookies are enabled or not, the server will still have to consume resources to receive data before the 3-way handshake is complete, making it vulnerable to a DoS attack.
The intent of this question is for students to analyze the ability of SYN cookies to mitigate the DoS vulnerability presented by the inclusion of data as part of the SYN packet, prior to the completion of the 3-way handshake.
Q5.3 (4 points) Alice uses her modified 3-way handshake to form a TCP connection with a server. Assume that source port randomization is not in use.
What fields would an on-path attacker have to guess in order to inject some data from Alice’s client to the server?
(A) Client IP address and port (D) Client sequence number (B) Server IP address and port (E) None of the above
(C) Server sequence number
(F)
Solution: Theon-pathattackercanseeallthefieldsintheunencryptedTCPpacket,including both IP addresses, both ports, and both sequence numbers, so they don’t need to guess anything.
Alice modifies her protocol to use a cryptographic token. When a client and server connect for the first time:
1. The client sends a SYN packet with a token request.
2. The server generates a token using a MAC function with a key known only to the server and responds with a SYN-ACK packet to the client containing the token. The client and server both store the token.
3. The client responds with an ACK packet, as in normal TCP.
In subsequent connections, the client skips the 3-way handshake by sending the SYN packet with both the token and data (similar to Alice’s modification from previous parts). The server verifies the value of the token and acknowledges both the SYN and the data. The server may begin sending data to the client before receiving the client’s ACK as part of the handshake. The server rejects the SYN and data if the token is invalid.
Here are diagrams detailing the protocol:
Final Page 15 of 36 CS 161 – Spring 2021

Client
Server Client
Server
(I) MITM hijacking
(L)
Initial handshake
Subsequent handshakes
Q5.4 (3 points) Which of the following attacks on TCP becomes more difficult with the addition of the token? Select all that apply.
(G) RST injection (J) None of the above (H) Blind hijacking (K)
Solution: The token is merely intended to speed up the establishment of new connections in lieu of redundant 3-way handshakes. It makes no security provisions.
Q5.5 (3points) Amajorissuewiththisprotocolisthatitisvulnerabletoreplayattacks,asanadversary can spoof a connection by replaying the token. A potential workaround is to modify the TTL (time to live) of the token. Name one benefit and one drawback of using a shorter TTL rather than a longer TTL.
Enter your answer in the text box on Exam Tool.
Solution: If one wants to mitigate replay attacks, it is intuitive to use a short TTL, since the window in which replay attacks can be conducted will be minimized. If one wants to maximize speed, it is intuitive to use a long TTL.
Final Page 16 of 36 CS 161 – Spring 2021
SYN-ACK + token + data
SYN-ACK + data
SYN + token request
ACK
SYN + token + data
ACK

Q6 UnicornBox v2 (17 points) UnicornBox decides to implement 2-factor authentication (2FA).
The server stores a table of active codes with the following schema:
1 2 3 4 5
CREATE TABLE IF NOT EXISTS users ( username TEXT,
code TEXT,
−− Additional fields not shown.
);
When a user wants to log in:
1. The user logs in by making a POST request with their username and password.
2. The server randomly generates a 10-digit numerical code and stores it in the users table.
3. The server sets a cookie with name = auth_user and value = the user’s username in the user’s browser. The server also sends a text to the user’s phone with the code.
4. The user makes a GET request to https://unicornbox.com/confirm?code=$code, where $code is the code that was entered.
5. The server runs the SQL query SELECT username FROM users WHERE code = ‘$code’, where $code is the value submitted by the user.
6. The server checks that the value returned by the SQL query matches the username sent in the auth_user cookie in the request submitted by the user.
Clarification during exam: For all sub-parts, the user has an entry in the table. Clarification during exam: “CalCentral” should be “UnicornBox” in the question text.
Clarification during exam: In step 1, the server verifies the password and will not proceed if the password is wrong.
Q6.1 (5 points) Assume that evan is the name of an account in UnicornBox with an entry in the users table.
Construct an input for $code that would cause the SQL query in step 5 to return evan. Enter your answer in the text box on Exam Tool.
Solution: One possible answer: ‘ OR username = ‘evan’ —
The first quote closes the opening quote in the query. The OR statement forces the query to return the username evan. The comment at the end forces the query to ignore the closing quote. The full query becomes
SELECT username FROM users WHERE code = ” OR username = ‘evan’ –‘
Q6.2 (4 points) How can you log in as evan without knowing their password? You may use PAYLOAD to reference your answer from the previous part.
Final Page 17 of 36 CS 161 – Spring 2021

Hint: You will need 2 steps. List both.
Enter your answer in the text box on Exam Tool.
Solution: First, we should figure out where to put PAYLOAD from the previous ques- tion. Note that $code in the SQL query comes from the argument supplied to https://unicornbox.com/confirm?code=$code in Step 4, so we probably want to make a GET request to this URL with the payload. Next, note that in Step 6, the result of the SQL query is compared to the username in the cookie, so we want to set a cookie with the name evan. In summary:
First: Set a cookie auth_user=evan.
Second: Make a GET request to https://unicornbox.com/confirm?code=PAYLOAD.
Q6.3 (4 points) Which of these defenses would stop your exploit from above? Select all that apply. (A) Using SQL prepared statements
(B) Rate limiting requests to the UnicornBox server
(C) Putting the hash of the username in the cookie instead of the username (D) Using a 20-digit code instead of a 10-digit code
(E) None of the above
(F)
Solution: Prepared statements will defend against the SQL injection attack, so the exploit will no longer work.
Rate limiting requests will not stop the exploit, since we only needed to send one GET request.
Putting the hash of the username in the cookie will not stop the exploit, since we can just modify the first step to put the hash of the victim’s username in the cookie. (Remember that everyone can calculate a hash.)
A firewall would probably not be able to detect the contents of the exploit, because it’s being sent over HTTPS.
Final
Page 18 of 36 CS 161 – Spring 2021
Q6.4 (4points) ConsideramodificationtoSteps5and6.IfthereareanyrowsreturnedbytheSQLquery, then the verification succeeds without checking the value of the returned username. However, the server returns an error without executing the query if the format of the code is not exactly 10 numerical digits.
True or False: The modified scheme is no longer exploitable using SQL injection. Briefly justify (1 sentence) your answer.

(G) True (H) False (I) (J) (K) (L) Enter your answer in the text box on Exam Tool.
Solution: It is impossible to bypass the single quote if the input contains only numerical digits, so the scheme is safe from SQL injection.
Final Page 19 of 36 CS 161 – Spring 2021

Q7
Plaintext Feedback (15 points) Consider the “plaintext feedback” (PFB) mode where the encryption formula for ciphertext block Ci is given as follows:
C0 = IV
Ci =E(K,Pi)⊕Ci−1
E is AES encryption and D is AES decryption.
M1 M2 M3
IV
KKK
C1 C2 C3
Final
Page 20 of 36 CS 161 – Spring 2021
Encryption
Clarification during exam: IVs are always randomly generated and never reused in this question.
Clarification during exam: Mi in the encryption diagram refers to plaintext block Pi. Q7.1 (3 points) Which of these is the corresponding decryption equation?
(A)Pi =D(K,Ci ⊕Ci−1) (B)Pi =D(K,Ci ⊕Pi−1) (C)Pi =D(K,Pi ⊕Pi−1)
(D)Pi =E(K,Ci ⊕Ci−1) (E)Pi =E(K,Ci ⊕Pi−1) (F)Pi =E(K,Pi ⊕Pi−1)
Q7.2 (3 points) Alice and Bob are communicating using PFB mode. Alice encrypts and sends a 10-block message encrypted using PFB. Bob receives the message, but the 6th ciphertext block C6 is lost in transmission. Which blocks of plaintext can Bob recover? Assume Bob is aware that C6 was lost in transmission.
(G) Bob can recover all blocks of the message.
(H) Bob can recover all blocks up to and including P6, but no block after that. (I) Bob can recover all blocks up to and including P5, but no block after that. (J) Bob can recover all blocks except for P6 and P7.
(K) Bob can recover all blocks except for P6.
Encryption
Encryption
Solution: Pi = D(K, Ci ⊕ Ci−1)

Solution: According to the decryption equation, to recover plaintext block Pj , we need Cj and Cj−1.
If we’re missing C6, we won’t be able to decrypt P6, because decrypting P6 requires C6 and C5. We also won’t be able to decrypt P7, because decrypting P7 requires C7 and C6. No other plaintext blocks depend on C6 for decryption.
Q7.3
(L) Bob cannot recover any block of the message.
(3 points) PFB mode is not IND-CPA secure. To prove this, the adversary will win the IND-CPA game against the challenger as follows:
First, the adversary sends two messages, P and P′. The first message P is 3 unique, randomly generated blocks, P = P1∥P2∥P3. Which of the following values of P ′ would allow the adversary to win the IND-CPA game?
(A) P ′ = P1′ ∥P1′ ∥P1′ , where P1′ is a randomly generated block
(B) P ′ = P1′ ∥P2′ ∥P3′ , where P1′ , P2′ , and P3′ are unique, randomly generated blocks (C)P′ =P1∥P2∥P3
(D) P′ = P1′∥P2′∥P3′, where Pi′ is the same as Pi, but with the last bit flipped
(E) P′ = P1′∥P2′∥P3′, where Pi′ is the same as Pi, but every bit flipped
(F)
Solution: Intuitively, we want to pick a plaintext such that the ciphertext leaks some infor- mation about what message was encrypted.
First, we can eliminate (C), because if we sent two identical plaintext messages, the problem of deciding which message was encrypted wouldn’t be well-defined.
We can also eliminate (D) and (E). If we flip some bits in the plaintext block, after it gets passed through the block cipher encryption, the output will be indistinguishable from random, so this won’t help us distinguish what message was encrypted.
Similarly, if we send a completely randomly different message, the output of the block ciphers will still be indistinguishable from random.
However, if we choose the plaintext to be the same block repeated 3 times, the block cipher will produce the same output 3 times, because block ciphers are deterministic. We can leverage this to win the IND-CPA game (see the next part for how).
Final
Page 21 of 36 CS 161 – Spring 2021
Q7.4
(3 points) The challenger sends back a ciphertext C = C0∥C1∥C2∥C3, which is an encryption of either P or P ′. Describe a strategy that the adversary should use to deduce whether P or P ′ was encrypted that would allow them to win the IND-CPA game with probability greater than 12 .
Enter your answer in the text box on Exam Tool.

Solution: Let’s try running the encryption algorithm with a message that consists of one plaintext block repeated three times.
Note that we’re denoting every Pi as P1 because the plaintext blocks are repeated.
C1 =E(K,P1)⊕C0 =E(K,P1)⊕IV
C2 =E(K,P1)⊕C1 =E(K,P1)⊕E(K,P1)⊕IV =IV C3 =E(K,P1)⊕C2 =E(K,P1)⊕IV
There are a few discernible patterns here to help you win the IND-CPA game. You could note that C0 = C2 = IV , or C1 = C3. More generally, if we pass in repeated plaintext blocks, the ciphertext will be two repeated blocks.
Also note that this pattern does not occur if we pass in random, different blocks, because the output of the block cipher will be different for each plaintext block.
Thus a winning strategy would be: if you see repeated ciphertext blocks, guess P . Otherwise, guess P′.
Another strategy is to XOR each ciphertext block with the previous ciphertext block. If the plaintext blocks are the same, then the result will be the same values:
C1 ⊕ C0 = (E(K, P1) ⊕ IV ) ⊕ IV = E(K, P1) C2 ⊕C1 =(E(K,P1)⊕C1)⊕C1 =E(K,P1) C3 ⊕C2 =(E(K,P1)⊕C2)⊕C2 =E(K,P1)
If the plaintext blocks are different, the results E(K, P1), E(K, P2), E(K, P3) would likely be different.
Final
Page 22 of 36
CS 161 – Spring 2021
Q7.5 (3 points) Which of the following are true about PFB mode? Select all that apply. (A) Decryption is parallelizable
(B) PFB provides integrity
(C) The plaintext must be padded to a multiple of the block length (D) None of the above
(E)
(F)

Solution: Decryption is parallelizable. Looking at the equation, we see that we need only ciphertext blocks Ci and Ci−1 to generate the plaintext block Pi. We already have all the ciphertext blocks when we’re decrypting, and we don’t need to wait for any other plaintext blocks to be calculated before we can run the decryption algorithm on a block.
Block ciphers do not provide integrity.
Because the message blocks are being directly used as an input to the cipher, the blocks must be exactly the right length (128 B for AES), requiring padding.
Final Page 23 of 36 CS 161 – Spring 2021

Q8 Caltopia DNS (21 points) EvanBot is trying to determine the IP address of caltopia.com with DNS. However, some attackers on the network want to provide EvanBot with the wrong answer.
EvanBot
Attacker 1
Resolver
Assumptions:
• Eachattackerisaman-in-the-middle(MITM)attackerbetweentheirtwoneighborsonthediagram above.
• No attackers can perform a Kaminsky attack.
• Standard DNS (not DNSSEC) is used unless otherwise stated.
• No private keys have been compromised unless otherwise stated.
• In each subpart, both EvanBot’s cache and the local resolver’s cache start empty.
• Each subpart is independent.
Clarification during exam: Assume that bailiwick checking is in use for this entire question.
In each subpart, EvanBot performs a DNS query for the address of caltopia.com.
Q8.1 (4 points) In this subpart only, assume the attackers only passively observe messages.
Which of the attackers would observe an A record with the IP address of caltopia.com as a result of EvanBot’s query? Select all that apply.
(A) Attacker 1 (C) Attacker 3 (E) None of the above
(B) Attacker 2 (D) Attacker 4
(F)
Solution: The A type record is sent from the caltopia.com name server to the resolver, and then from the resolver to EvanBot.
Q8.2 (3 points) Which of the attackers can poison the local resolver’s cached record for cs161.org by injecting a record into the additional section of the DNS response? Select all that apply.
Note: Attacker 1 has intentionally been left out as an answer choice.
Final Page 24 of 36 CS 161 – Spring 2021
Attacker 2
Attacker 3
Root nameserver
.com nameserver
Attacker 4
caltopia.com
nameserver

(G) Attacker 2 (I) Attacker 4 (K)
(H) Attacker 3 (J) None of the above
(L)
Solution: cs161.orgisinbailiwickforroot,soAttacker2couldaddarecordforcs161.org in the response from root.
However, cs161.org is not in bailiwick for .com or caltopia.com, so attackers 3 and 4 cannot add a record for cs161.org in the responses from .com or caltopia.com.
Q8.3 (4points) AssumethattheresolverandthenameserversallvalidateDNSSEC,butEvanBotdoesnot validate DNSSEC. Which of the attackers can poison EvanBot’s cached record for caltopia.com by modifying the DNS response? Select all that apply.
(A) Attacker 1 (C) Attacker 3 (E) None of the above
(B) Attacker 2 (D) Attacker 4
(F)
Solution: SincetheresolverandthenameserversallvalidateDNSSEC,anyattackerbetween the resolver and a name server can’t do anything to inject malicious records. However, since EvanBot doesn’t validate DNSSEC, Attacker 1 can inject a malicious A record.
Q8.4 (5 points) In this subpart only, assume the attackers only passively observe messages.
Assume that everyone validates DNSSEC. Which of the following records would Attacker 3 observe as a result of EvanBot’s query? Select all that apply.
(G) DS record with hash of the .com name server’s public KSK
(H) DS record with hash of the caltopia.com name server’s public KSK (I) A record with the IP address of caltopia.com
(J) A record with the IP address of the caltopia.com name server
(K) DNSKEY record with the .com name server’s public KSK
(L) None of the above
Solution: The .com name server returns:
• A DNSKEY record with its public keys (option K)
• An NS record with the domain of the next name server (caltopia.com)
• An A record with the IP of the next name server (caltopia.com) (option J)
Final
Page 25 of 36
CS 161 – Spring 2021

• A DS record with hash of the next name server’s public KSK (option H)
Option (G) would be returned by .com’s parent (the root), so Attacker 2 would see this record,
not Attacker 3.
Option (I) would be returned by the caltopia.com name server, so Attacker 4 would see this, not Attacker 3.
Q8.5 (3points) AssumethateveryonevalidatesDNSSEC,andthecaltopia.comnameserver’sprivate KSK has been compromised (i.e. all attackers know the caltopia.com name server’s private KSK). No other private keys have been compromised.
Can EvanBot trust that they received the correct IP address of caltopia.com? (A) Yes, because the ZSK that signs the A record has not been compromised
(B) Yes, because the trust anchor (the root’s KSK) has not been compromised
(C) No, because the compromised KSK can be used to sign a malicious A record
(D) No, because the compromised KSK can be used to sign a fake ZSK that is used to sign a malicious A record
(E) (F)
Q8.6 (2 points) True or False: DNSSEC prevents Attacker 4 from learning the IP address of caltopia.com.
Solution: The chain of trust has been broken, so EvanBot can’t trust that they received the correct IP address anymore.
The KSK is only used to sign ZSKs, so the attacker will have to sign a fake ZSK first, and then use the fake ZSK to sign the malicious A record.
Final
Page 26 of 36
CS 161 – Spring 2021
(G) True (H) False (I)
(J) (K) (L)
Solution: DNSSEC provides no confidentiality over the DNSSEC records.

Q9
Mutuality
Recall the TLS handshake:
Client
(18 points)
1. Client sends 256-bit random number Rb and supported ciphers 2. Server sends 256-bit random number Rs and chosen cipher
3. Server sends certificate
4. DH: Server sends {g, p, ga mod p} −1
Server
5. Server signals end of handshake
6. DH: Client sends gb mod p RSA: Client sends {P S}
Client and server derive cipher keys Cb, Cs and integrity keys Ib, Is from Rb,Rs,PS
7. Client sends MAC(dialog, Ib) 8. Server sends MAC(dialog, Is)
9. Client data takes the form {M1, MAC(M1, Ib)}Cb 10. Server data takes the form {M2, MAC(M2, Is)}Cs
Final
Page 27 of 36 CS 161 – Spring 2021
In TLS, we verify the identity of the server, but not the client. How would we modify TLS to also verify the identity of the client?
Clarification during exam: All parts of this question refer to a modified TLS scheme designed to verify the identity of the client.
Q9.1 (3 points) Which of these additional values should the client send to the server? (A) A certificate with the client’s public key, signed by the client’s private key
(B) A certificate with the client’s public key, signed by the server’s private key
(C) A certificate with the client’s private key, signed by a certificate authority’s private key (D) A certificate with the client’s public key, signed by a certificate authority’s private key (E)
(F)
2. ServerHello
3. Certificate
4. ServerKeyExchange
5. ServerHelloDone
8. ChangeCipherSpec, Finished
10. Application Data
1. ClientHello
6. ClientKeyExchange
7. ChangeCipherSpec, Finished
9. Application Data

Final
Page 28 of 36 CS 161 – Spring 2021
Solution: This is analogous to the server sending its certificate, which has the server’s public key, signed by the certificate authority’s private key.
Q9.2 (3 points) How should the client send the premaster secret in RSA TLS?
(G) Encrypted with the server’s public key, signed by the client’s private key
(H) Encrypted with the client’s public key, signed by the server’s private key
(I) Encrypted with the server’s public key, signed by a certificate authority’s private key (J) Encrypted with the client’s public key, signed by a certificate authority’s private key (K)
(L)
Solution: The client should encrypt the premaster secret with the server’s public key so that the server can decrypt it (just like in regular TLS).
However, the client should additionally sign the premaster secret, so that the server can validate the signature and confirm that the server is talking to the correct client. The client should sign the premaster secret with their own private key. (The client doesn’t know the certificate authority’s private key, and the CA’s private key is only used to sign certificates anyway.)
Q9.3 (3 points) EvanBot argues that the key exchange protocol in Diffie- LS doesn’t need to be changed to support client validation. Is EvanBot right?
(A) Yes, because only the client knows the secret a, so the server can be sure it’s talking to the legitimate client
(B) Yes, because the server has already received and verified the client’s certificate
(C) No, the client must additionally sign their part of the Diffie-Hellman exchange with the client’s private key
(D) No, the client must additionally sign their part of the Diffie-Hellman exchange with the certificate authority’s private key
(E) (F)
Solution: Diffie-Hellmanonitsowndoesn’tprovideanyauthenticity.Wealsoneedtheclient to sign their Diffie-Hellman message.

Q9.4 (2 points) True or False: The server can be sure that they’re talking to the client (and not an attacker impersonating the client) immediately after the client and server exchange certificates.
(G) True (H) False (I) (J) (K) (L)
Solution: False. Remember that certificates are public, and attackers can present a certificate for anyone. The ClientHello and ServerHello messages only contain random nonces and an agreement on what algorithms to use, so they also do not give the client and server any guarantees about who they’re talking to.
The client and the server need to wait at least until the signatures are exchanged to verify that they’re talking to the correct person. If an attacker tampers with the handshake, the client and the server may even have to wait until the MACs are exchanged.
Q9.5 (3points) AtwhatstepintheTLShandshakecanboththeclientandserverbesurethattheyhave derived the same symmetric keys?
(A) Immediately after the TCP handshake, before the TLS handshake starts (B) Immediately after the ClientHello and ServerHello are sent
(C) Immediately after the client and server exchange certificates
(D) Immediately after the client and server verify signatures
(E) Immediately after the MACs are exchanged and verified
(F)
Q9.6 (4 points) Which of these keys, if stolen individually, would allow the attacker to impersonate the client? Select all that apply.
(G) Private key of a certificate authority (H) Private key of the client
(I) Private key of the server
(J) Public key of a certificate authority (K) None of the above
(L)
Solution: The reasoning here is the same as in regular TLS. A MITM could tamper with messages, and the client and server will only detect this once they verify the MAC on the entire handshake.
Final
Page 29 of 36
CS 161 – Spring 2021

Solution: IftheattackerstealstheprivatekeyofatrustedCA,theycansignafakecertificate claiming that the attacker’s public key belongs to the client.
If the attacker steals the private key of the client, they can sign messages as the client. Stealing the public key of the server doesn’t help the attacker impersonate the client.
Final Page 30 of 36 CS 161 – Spring 2021

Q10 Storefront
Consider the following vulnerable C code:
1 2 3 4 5 6 7 8 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
(26 points)
void copy_string(char ∗dst , const char ∗src , size_t n) {
for (size_t i = 0; i < n + 1; i++) { dst[i] = src[i]; if (src[i] == ’’) { break ; } } } void add_to_store (char ∗ lst ) { char listing [256]; copy_string ( listing , lst , 256) ; printf("Contacting server to add: %s... ", listing); contact_server_and_wait(listing); // Implementation not shown. } void invoke(char ∗ lst ) { add_to_store ( lst ) ; } int main ( void ) { char buf [4096]; do { fgets(stdin, buf, 4096); invoke ( buf ) ; } while (strcmp(buf, "exit") != 0); return 0; } Definitions of relevant C functions may be found on the last page of this exam. Assume you are on a little-endian 32-bit x86 system. Assume that there is no compiler padding or saved additional registers in all questions. For the first four parts, assume that no memory safety defenses are enabled. Clarification during exam: The strcmp function is identica