Password management application

Password management application

1. A) Network Diagram:

b) Firewall Rules:

Rule

Transport

Source IP

Source Port

Destination IP

Destination Port

Action

1

any

External

any

138.77.179.0/24

any

Allow

2

TCP

10.2.1.0/24

any

External

80

Allow

3

TCP

10.2.2.0/24

any

External

80

Allow

4

TCP

10.2.3.0/24

any

External

80

Allow

5

tsl/ssl

10.2.1.0/24

any

External

443

Allow

6

tsl/ssl

10.2.2.0/24

any

External

443

Allow

7

tsl/ssl

10.2.2.0/24

any

External

443

Allow

8

tcp

External

80

138.77.179.44

any

Allow

9

tsl/ssl

External

443

138.77.179.44

any

Allow

10

tcp

138.77.179.44

22

31.13.75.0/24

23

Allow

11

tcp

138.77.179.44

22

23.63.9.0/24

23

Allow

12

tcp

138.77.179.44

1234

31.13.75.0/24

any

Allow

13

tcp

138.77.179.44

1234

23.63.9.0/24

any

Allow

14

tcp

138.77.179.44

22

104.55.0.0/16

23

Allow

15

tcp

138.77.179.44

1234

104.55.0.0/16

any

Allow

Rule Number

Explanation

1

Allows external nodes only in DMZ

2,3,4,5,6,7

Allows Student, Stuff and Research subnet to send HTTP and HTTPS request to the internet

8,9

Allow HTTP and HTTPS response to NAT Box, Assuming All inter HTTP and HTTPS request will pass through Network Address Translation Processes in NAT

10,11,12,13

Allows research partners to access internal data server access using SSH and special file transfer protocol running on port 1234

14, 15

Allows lead of research team to access file server from through home IP commercial ISP

104. c) Using rule 14 and 15 allows the professor to access from home. The main limitation of this rule is anyone can try access the internal resource of the organization presenting in the IP range 104.55.0.0/16. Professor may opt for fixed IP from the commercial ISP which providing the internet in his/her home. And specify only that IP in rule 14 and 15 will solve this matter.

Answer 2.

1. A) MAC address filter: MAC address is a 48-bit unique identifier which uniquely identifies any network interface within a shared link (LAN) and layer-II (data-link layer) it is used to identify the actual recipient of any frame. This address can be used to incorporate network security by filtering out illegitimate recipients from the network. This technique is known as MAC address filtering.

Wi-fi routers in a link perform this kind of filtering. Routers maintained a list of legitimate MAC addresses (white-list) of that network and based on that they forward packet in the network. If any intruder is able to enter in the network and configure a topologically correct address for that network, it not able to performs any malicious task due to this kind of filtering.

Drawback:

This kind of filtering fails under spoofing attack by the intruder, intruder first snoops all communication in the channel and create a list of valid MAC of that link, it the absence of any such MAC it tries to mimic that MAC for his device and get access to the network resource.

This filtering also slow down the communication as prior to forwarding any frames it performs validation of the destination, and it is an overhead of this technique.

1. b) WPA-Personal (CBC-MAC Protocol) is based on Advanced Encryption Standard (AES) algorithm. In generally 256 bits are used for the key, but it also supports other lengths of key also like 64bit, 128bit, 152bit,160bit and 504bit WEP-Personal key. For this key generation, a passphrase is required. Passphrase length should be in the range of 8-63 characters and all characters should be printable ASCII characters only. The standardized PBKDF2 function is used for a passphrase to key computation. This function takes four parameters as the passphrase, eight octets random salt string, iteration count, required key length. Internally it invokes HMAC and SHA1 function iteratively to produce the key.

Chance of brute force attack on CCMP protocol is very small if it uses 128bit of more number bit in its key. In such scenario minimum 3.4×1034 number of the possible key are possible and selecting the correct key from that large set is next to impossible. A super computer will take 1 billion-billion years to crack a 128-bit key. Moreover, there is a provision to specify the key refreshment time in CCMP which makes it more resistant to brute force attack.

Answer 3.

A)Recommendations of secure password:

Recommendation 1: Do not use any dictionary word in the password, the advantage of doing this that the attacker will not get any easy clue about the password. There is a difficulty with this technique, human mind remembers any name by its context, that is why we easily remember dictionary word but in the case of non-dictionary that chance of forgotten password is high. So if you want to use any non-dictionary word in your password then try to add a context with that word, it will help you to remember the word as well as the password.

Recommendation 2: Do not use any proper noun which is directly related to you (Ex. Your name, family member’s name, pet’s name, your city name, etc.), Attacker always tries to predict the password using related names that belong to you. This approach is also may make your password difficult to remember.

Recommendation 3: Chose your password as a mix sequence of upper and lower case characters. This alteration also makes the password more strong, because if an attacker can predict the phase for the password still, he has to know which character are in uppercase and which are in lower case. Though these kinds of the password are strong, it is difficult to type on the keyboard as we have to press shift key of caps-lock during key pressing.

B)Rules for a password:

Rule 1: A password must have at least one uppercase letter, one lowercase letter, and one special character. This approach makes the set of the possible password is very large, which makes brute force attack very difficult for the attackers. The difficulty with this kind of password is: it is difficult to type using the keyboard, if a password is frequently then, may fill irritated while typing the password.

Rule 2: User id should not be part of the password. People frequently make this kind of mistake where they use the username as a part of the password; it helps an attacker to guess the password easily. The disadvantage of this approach: whenever we deal with multiple passwords people attach a username to the password to relate the password with the user account, if we follow this approach then it is not possible.

Rule 3: Repeating phrase is not allowed in the password [Ex: A4sd@A4sd@]. If attacker understands that password containing repeating words then it easy to predict that password, as attacker have to make a prediction about half of the password.

1. C) A password manager is nothing but an application which manages multiple passwords on behalf of a user. Now a day’s people deals with multiple secured web-based applications, and they need to remember multiple passwords which sometimes become very difficult, the password manager is one of the easiest solutions for this problem. It generate strong passwords for the different user account and remembers them using the database, whenever a user tries to login in a system it provides the login credential of the user from its database. The user has to remember only one password which is the master password of the ‘password manager.’ Using master password user can login into ‘password manager’ and see all the details regarding stored password and also manage them. This concept of ‘password manager’ is implemented in two-way, web-based and standalone application. In the first approach, password database is stored on the web server and in the second approach, user machine is used to store password database. These two approaches have their strength and weakness, as per the need we should choose the proper solution.

D)Advantages of password management application:

Easy to generate a secured and strong password for different web-based applications.

No need to remember multiple applications for different applications, password manager remembers them on behalf of the user.

Useful to store the password in a secure manner, as most of the password manager store them in the database in an encrypted manner.

Convenient login procedure for the user application, no need to type the password in the web portal, password manager automatically place the password in the password field and saves typing time and eliminate the chance of typing error of user.

Disadvantages of password management application:

If user entirely depends on the password manager, then it is very problematic because if the password manager’s database somehow gets corrupted or the user forgets the master password of the application, then the user will lose all login credentials which are stored in the database.

If an attacker somehow gets access to the password manager of the user, then all login details of the user will become available for the attacker.

If the user relies on any unsafe password manager, then the application may become a potential threat to the user also, as it may theft user login credentials silently.

E)

Web-based password management

Standalone password management

Store password database on the server side of the password management provider.

Store password database in the user’s machine standalone.

Supports user portability, i.e. user can take advantage of password management from any system which is connected in the web.

Lacks in user portability, to use the standalone password management, password database should reside on the user’s computer or in a network attached memory device.

The level of security and reliability is less; as user store his secret login credential to some third party.

Level of security and reliability is high; as user store the login credential in a database which is situated locally

Durability is high for this kind of application. If user machine gets crashed, password database will remain unaffected as it situated in server side.

Less durable, as user system crash may cause permanent data loss for the password manager.

Example: LastPass, Encryptr, Intuitive Password etc.

Example: GNOME Keyring, KeePass, etc.

1. F) If we opt for standalone password manager software for a particular organization, then we should store the password database in the Network-Attached Storage (NAS) with RAID facility. This approach will ensure that the database will remain within the organization and if any individual system gets crashed, then it will not affect password.

Answer 4.

1. A) certificate.pem and https.pcap are uploaded in the Moodle, First one is the certificate file and the second one is for HTTPS traffic trace.

B)

Client

192.168.1.11

Client Hello

Server Hello

Certificate

New Session Ticket

Application Data

Application Data

Encrypted Alert

Server

192.168.2.21

Flow-graph generated in Wireshark

Server Key Exchange

Server Hello Done

Client Key Exchange

Change Cipher Spec

Hello Request

Hello Request

Change Cipher Spec

Encrypted Handshake Message

Application Data

Encrypted packets

c)

HTTPS web-server is running on 443 port.

AES_128 symmetric key cipher was used for encrypting.

ECDHE_RSA public key cipher was used for exchanging a secret.

SHA256 is used for in signing the web servers certificate.

1. D) All modern browsers maintain a list of legitimate and trusted Certificate Authorities (CA) and attach root-CA certificates with their browsers. During any SSL-based communication client browser asks the server to prove its authenticity and in response server send a chain of certificates containing a root, primary and intermediate certificates. Browser match root certificate with locally stored root certificate and if it is authentic then accept all other certificate as all other certificates are dependent on root certificate. Then they perform parameter exchange for the secure connection.

The main drawback of this approach is that we are totally relying on web-browser, and if browser root-CA browser contains any wrong entry then the user may identify any valid browser and an unauthorized one, and it is a reverse thing in also possible.

Answer 5.

1. A) If the malicious user performs snooping from an intermediate router, it will get aware about the source, and destination IP addresses easily. This information is always present in the IP header without any encryption. If these two are IP are geo-enabled-IP, then the malicious node will get location information about the source and destination node.
2. B) If C remain behind a NAT box, in that scenario malicious node will get information only about S and the NAT box of C. Whenever any we use NAT before gateway router, it replaces the source IP in the network packet by its IP. In that case, a malicious user will think that the packet is originated by the NAT. Unfortunately, the geographical location of NAT and all nodes present in the subnet of NAT do not differ too much, so malicious user will get a rough idea regarding the location of C.
3. C) If C was communicating with S using VPN where VPN server is connected to a router present in the path between C and S but not in Rm. Now if the router of VPN is present after Rm from the side of C, in that case, a malicious node will get information about C and R. In the case of Rm present after VPN then it will not get any information about C.
4. D) Potential disadvantages of VPN:

Performance Reduction: If we use VPN then it makes the routing sub-optimal, as the path between source to VPN and VPN to the destination may follow the optimal path, but the optimal path between source to destination may not pass through VPN. Moreover, due to tunneling VPN introduces extra overhead in communication.

Trust issue of VPN: Whenever we communicate via VPN, we send a packet designated for a particular recipient to VPN, now VPN may make tempering in the packet.

Log file high jacking: If the malicious node can hijack the log file stored in the VPN server then it is possible to identify all the packet flow which has been performed via that VPN.

1. E) Tor or Onion Routing is mainly used for anonymous routing. It is based on nested encryption of the application layer data like layers of an onion. Tor performs multiple encryptions of the data along with IP address of the next destination node and sends it randomly selected Tor relays which are nothing but a through a virtual circuit. Each Tor relay opens the outer layer of the packet using decryption via its private key and gets the address of the next relay. The last relay in the path decrypts the last layer of encryption and sends the actual data to its destination.

As the last relay deliver the packet to the destination, not as the actual packet generated at a source node, so destination not also remain unaware about the onion routing, so there is no need to inform S about Tor-based communication, S will assume they are communicating normally.

1. f) As the number of relays present in the Tor is high and selection of relay is done in random so communication flow monitoring is next to impossible in Tor. It is the main advantage of Tor on VPN.

1. g) The sub-optimality effect is more prominent in the case of Tor-based communication due to the presence of multiple Tor relay in the communication path; it is the major disadvantage of Tor over VPN.