Comp 349/449 final exam: wireless networks

The exam is due Friday, December 12, 2008.

If you have no idea how to do one of these, you probably just need a hint. Write me. Many of the answers are relatively short.

You may use the book, your notes, other books, and the internet. You may NOT ask other people for assistance (except me).

===============================

1. Suppose a satellite link has a 50 megabit/sec data rate. As discussed in class, the total propagation delay from a terrestrial sender to terrestrial receiver is 250 ms. If packets are 1 KByte in size, how many packets can be in transit concurrently?

===============================

2. WiMAX uses a 16-bit "connection code" as the only address field; this is negotiated at "association time", and the AP (Access Point) and STAtion continue to use this code throughout the lifetime of that association. Wi-fi, of course, has no less than four 48-bit address fields.

Outline how you might bring the WiMAX approach to wi-fi. Precise details are not required, but you should indicate the general implementation issues (such as who is in charge of the connection codes). Are there some wi-fi features that would be especially difficult to convert? If not, how would they be changed? Here are a few things to consider in particular:

* At least in fixed-location WiMAX, the list of possible STAtions is limited, and is pretty well fixed in advance.
* Wi-fi becomes an extension of the ethernet to which the AP is connected, and must support unicast and broadcast packets
* Wi-fi needs to support STAtions that connect only briefly and are never seen before or after.
* Ad-hoc wi-fi networks

[this is probably the longest problem on this exam.]

===============================

3. (a) What is the role of Pseudo-Noise (PN) sequences in DSSS? How random, in a general sort of way, do they have to be?

(b). Suppose a signal has a 1 MHz bandwidth, and DSSS is used to spread the signal over a 20 MHz band. A noise pulse, also occupying a 1 MHz band, interferes with the spread signal. Explain what happens at the receiving end so that the effect of the noise pulse is reduced 20-fold.

===============================

4. (a) Suppose a transmission medium is modulated at 1 Mbps, or 1 bit / µsec. The signal arrives along both the line-of-sight path, and also along a reflected path that is 1200 meters longer. If the data transmitted is 101101110, which bits are subject to multipath interference? Note that the signal speed is 300 meters / µsec.

(b). What is a benefit to the use of Barker codes; that is, what problem do Barker codes help with?

===============================

5. In the Fluhrer, Mantin & Shamir RC4 attack, when we are working on finding Key[4] (by looking at IVs of the form (4,-1,X)), where do we make use of the previously discovered Key[3]? (Recall Key[3] is the first unknown key byte; Key[0]...Key[2] is from the IV.)

===============================

6. Suppose a manufacturer advertises its wireless cards as "WEP Safe". They claim that they have implemented a feature whereby IVs are considered sequentially, e.g. (0,0,0), (0,0,1), (0,0,2), ..., but that a value of -1 (=255) for the second byte is simply skipped over: the IVs go from (0,254,255) to (1,0,0), (1,0,1), ... (instead of to (0,255,0), which would be the next one in sequential order but the middle byte, 255, is also -1). More generally, the IVs skip from (N,254,255) to (N+1,0,0), etc.

(a). How does this affect the FMS attack as we considered it in class?

(b). Do you think it makes it safe to use WEP encryption?

===============================

7. Suppose the first 5 bytes of an RC-4 key are [4,255,4,243,2] (note 255=-1, 243=-13)

(a). Give the changes to the RC-4 permutation array S after 5 swaps (i=0 to i=4).

(b). Give S[S[1]+S[S[1]]] for S in this state.

===============================

8. Suppose the first 3 bytes (the IV) of an RC-4 key are [0,0,0].

(a). Give the changes to the RC-4 permutation array S after 3 swaps (i=0 to i=2).

(b). Give S[S[1]+S[S[1]]] for S in this state.

===============================

9. If the first byte of an RC4 IV is 0, then during the key-scheduling phase the very first swap will be between i=0 and j= (i + S[i] + key[i]) = (0 + 0 + 0). Swapping S[i] and S[j] when i=j=0 has no effect. Give a 3-byte IV so that none of the first three RC4 key-scheduling swaps has any effect; in other words, for each stage i, i=0,1,2, we have j=i. (Not all the IV bytes are 0, although the first one is.)

===============================

10. In the FMS attack, you generate a guess, g(X,Out), given the IV and the first keystream byte Out. Typically, about 5% of the guess values are right, leaving 95% that are wrong. Why couldn't 10% of the 95% that are wrong all be the same wrong value W, making W your best guess instead of the correct one? (More precisely, why is this wrong-guess scenario unlikely?)

===============================
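
Questions 7 through 9 all turn on the first few swaps of RC4 key scheduling. The following is an added example, not part of the original exam: it runs a partial key schedule on constructed key prefixes (deliberately different from the ones in the questions) and reports the changed entries of S, the no-effect swaps, and the value S[S[1]+S[S[1]]]. All function and constant names are this example's own.

```python
"""Partial RC4 key scheduling: trace the first swaps and inspect S."""

def partial_ksa(key_prefix, steps=None):
    """Run the first `steps` KSA swaps (default: one per known key byte).

    Returns (S, j, trace); trace holds one (i, j) pair per swap.
    Only key bytes 0..steps-1 are needed, which is why a known prefix
    (the IV, plus any key bytes already recovered) is enough.
    """
    steps = len(key_prefix) if steps is None else steps
    if not 0 <= steps <= len(key_prefix):
        raise ValueError("need one key byte per swap")
    if any(not 0 <= b <= 255 for b in key_prefix):
        raise ValueError("key bytes must be 0..255 (write -1 as 255)")
    S = list(range(256))
    j = 0
    trace = []
    for i in range(steps):
        j = (j + S[i] + key_prefix[i]) % 256   # standard RC4 KSA update
        S[i], S[j] = S[j], S[i]
        trace.append((i, j))
    return S, j, trace

def changed_entries(S):
    """Entries that differ from the initial identity permutation."""
    return {k: v for k, v in enumerate(S) if v != k}

def no_effect_swaps(trace):
    """Steps where i == j, so the swap left S untouched."""
    return [i for i, j in trace if i == j]

def probe_value(S):
    """S[S[1] + S[S[1]]], with the index reduced mod 256."""
    return S[(S[1] + S[S[1]]) % 256]

# Constructed key prefixes, not the ones from the exam questions.
SAMPLE_PREFIX = [3, 255, 9, 20, 1]
SAMPLE_NOOP = [0, 5, 5]

if __name__ == "__main__":
    S, j, trace = partial_ksa(SAMPLE_PREFIX)
    print("swaps (i, j):", trace)
    print("changed entries:", changed_entries(S))
    print("S[S[1]+S[S[1]]] =", probe_value(S))
    _, _, t = partial_ksa(SAMPLE_NOOP)
    print("no-effect swaps at i =", no_effect_swaps(t))
```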