Tutorial #18

  1. As a Web user, how can you tell if the site you're communicating with is using SSL security?

  2. This question concerns X.509 site certificates.

    1. List at least three (3) important pieces of information contained in a site certificate.

    2. Why is a site certificate necessarily encrypted using the private key of the CA which issued it?

    3. why is a site certificate considered to be an essential tool for conducting E-Commerce on the Web?

    4. How important is the secrecy of its private key to the business success of a CA?

    5. (Harder) To what extent are site certificates susceptible to "man-in-the-middle" security attacks? Discuss

  3. Describe briefly the "handshake" protocol used in the Secure Sockets Layer (SSL) encryption protocol. The "handshake" is the name given to the exchange of the first few messages between client and server. Ignore client-side authentication.

  4. Let's pretend you're writing a Web-based system which will run over an SSL connection. What changes must you make to the HTML you generate/create for this situation, compared to a system which runs over an unencrypted connection?

  5. Why would you want a personal (client) X.509 certificate, analogous to a site certificate? Under what circumstances might client certificates be important?

  6. Some years ago (whilst your lecturer was busily surfing to the Dilbert site), Netscape presented him with the following message:
    The certificate that the site 'www.unitedmedia.com' has presented does not contain the correct site name. It is possible, though unlikely, that someone may be trying to intercept your communication with this site. If you suspect the certificate shown below does not belong to the site you are connecting with, please cancel the connection and notify the site administrator.
    Here is the Certificate that is being presented
    Certificate for: United Media
    Signed by: RSA Data Security, Inc.
    Encryption: Export Grade (RC4-Export with 40-bit secret key)
    1. What's going on here? How could it happen?

    2. What is "Export Grade Encryption"?

  7. In the lecture, it was claimed that the encryption approach used by PGP combines the best features of symmetric and public key encryption. How?

  8. What are the characteristics of a PGP signed email message? Can you think of a situation where you might desire to use such a digital signature?

  9. In the lecture it was claimed that it's easy in PGP to combine both encryption and digital signing of a message, although the details were not given. Draw a "block diagram" showing how this might be accomplished.

  10. In the lecture, it was claimed that in an X.509 Public Key Infrastructure, trust is hierarchical. What does this mean? How does the PGP model of trust differ from this, and why is it important that PGP certificates allow multiple signers?

  11. A friend who you know very well has handed you a copy of her public key on a floppy disk, and you've verified with her (by checking the key fingerprint) that it's really her key. Should you sign the corresponding certificate? Why, or why not?

  12. What would you expect to do at a PGP signing party?

  13. (Practical question -- you would have to have used PGP to know this) How does PGP ensure that my private key is kept secure?

    La Trobe Uni Logo

Copyright 2003 by Philip Scott, La Trobe University.
Valid HTML 3.2!