Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Similar documents
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Cristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.

Winter 2018 CS134: Computer and Network Security Homework 2 Due: 02/26/18, 11:59pm

Fall 2010/Lecture 32 1

T Cryptography and Data Security

Issues. Separation of. Distributed system security. Security services. Security policies. Security mechanism

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CS Computer Networks 1: Authentication

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Cryptographic Protocols 1

Lecture 15 Public Key Distribution (certification)

Test 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.

Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena

Key Management and Distribution

Information Security CS 526

Lecture 13. Public Key Distribution (certification) PK-based Needham-Schroeder TTP. 3. [N a, A] PKb 6. [N a, N b ] PKa. 7.

Test 2 Review. (b) Give one significant advantage of a nonce over a timestamp.

User Authentication. Modified By: Dr. Ramzi Saifan

ICS 180 May 4th, Guest Lecturer: Einar Mykletun

ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification

Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10

Session key establishment protocols

Session key establishment protocols

Spring 2010: CS419 Computer Security

Lecture 9. Authentication & Key Distribution

UNIT - IV Cryptographic Hash Function 31.1

Applied Cryptography and Computer Security CSE 664 Spring 2017

User Authentication. Modified By: Dr. Ramzi Saifan

CT30A8800 Secured communications

Authentication in Distributed Systems

Information Security. message M. fingerprint f = H(M) one-way hash. 4/19/2006 Information Security 1

Lecture Notes 14 : Public-Key Infrastructure

Public-key Cryptography: Theory and Practice

Key Management and Distribution

Datasäkerhetsmetoder föreläsning 7

Lecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to share so many secrets?!?

Course Administration

Introduction and Overview. Why CSCI 454/554?

Authentication Handshakes

Cryptography and Network Security

Network Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions

Chapter 9: Key Management

Acknowledgments. CSE565: Computer Security Lectures 16 & 17 Authentication & Applications

Certificateless Public Key Cryptography

CS 494/594 Computer and Network Security

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Distributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018

Chapter 8. Network Security. Cryptography. Need for Security. An Introduction to Cryptography 10/7/2010

Key Agreement Schemes

Modelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI

10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms

CSC 5930/9010 Modern Cryptography: Public-Key Infrastructure

Lecture 1: Course Introduction

Public Key Algorithms

Security Handshake Pitfalls

Outline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication

CS 470 Spring Security. Mike Lam, Professor. a.k.a. Why on earth do Alice and Bob need to talk so much?!? Content taken from the following:

Overview of Authentication Systems

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSC 474/574 Information Systems Security

Cryptography and Network Security

Module: Authentication. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS November 2018

ECE 646 Lecture 3. Key management

Security Handshake Pitfalls

Session Key Distribution

Public-Key Infrastructure NETS E2008

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

PROVING WHO YOU ARE TLS & THE PKI

CS530 Authentication

(2½ hours) Total Marks: 75

Kerberos and Public-Key Infrastructure. Key Points. Trust model. Goal of Kerberos

Real-time protocol. Chapter 16: Real-Time Communication Security

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

CS 161 Computer Security

X.509. CPSC 457/557 10/17/13 Jeffrey Zhu

CIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols

Public Key Cryptography, OpenPGP, and Enigmail. 31/5/ Geek Girls Carrffots GVA

Unit-VI. User Authentication Mechanisms.

Authentication Part IV NOTE: Part IV includes all of Part III!

Massachusetts Institute of Technology Handout : Network and Computer Security October 23, 2003 Professor Ronald L. Rivest.

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Exercises with solutions, Set 3

0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken

User Authentication Protocols Week 7

1. Diffie-Hellman Key Exchange

Lecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.

Chapter 8. Network Security. Need for Security. An Introduction to Cryptography. Transposition Ciphers One-Time Pads

EEC-682/782 Computer Networks I

Lecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin

Fall 2005 Joseph/Tygar/Vazirani/Wagner Final

Grenzen der Kryptographie

KEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington

Verteilte Systeme (Distributed Systems)

L7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806

Transcription:

Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted on Wednesday, 11/30/2016 Full Name: UCI ID Number: Sources: Guidelines: Use any word processor (or handwrite and scan your answers). Upload your solutions as a PDF to the associated EEE dropbox (labeled CS134: Homework 3 ). No late submission will be accepted into the EEE dropbox. The solution to the homework will be posted on Wednesday 11/30/2016, no late submission (even via email) will be accepted after posting of the solution. No collaboration is allowed. The only people you may ask for help are the TA and professor for the course. Copying, paraphrasing or copying answers from the internet or other sources is not allowed, and to do so would be a violation of academic honesty. You must list any sources you used to arrive at your answers (e.g., reference books, Wikipedia etc). Warning: any submission not following the above guidelines may receive a score of zero.

1 [5 pts total] Multiple Choice Questions There is only one correct answer for each of the following question. Answer justification is not required. 1. Which of the following is NOT an example of biometric authentication? A. Retina scans B. Handwriting pressure C. Voice recognition D. Kerberos E. All of the above 2. Which of the following can be used to avoid replay attacks in authentication protocols A. Nonce B. Monotonically increasing sequence number C. Time-stamp D. Random number used no more than once E. All of the above 3. What is a role of Key Distribution Center (KDC)? A. To establish a shared secret key between two parties B. To bind public key to a specific entity C. To securely relay a message from one side to the other D. To securely distribute shared public-/private key to multiple entities 4. What is a role of Certification Authorities (CA)? A. To establish a shared secret key between two parties B. To bind a public key to a specific entity C. To securely relay a message from one side to the other D. To securely distribute shared public-/private key to multiple entities 5. What protocol is Station-to-Station protocol based on? A. Lightweight Directory Access Protocol B. X.509 Authentication Protocol C. Fiat-Shamir Identification Protocol D. Diffie-Hellman Key Exchange 6. What is a typical lifetime of a certificate of root certification authorities? A. 24 hours B. 5-7 days C. 3-5 months D. 3-5 years E. All of the above Page 2

7. Which of the following is NOT true about X.509 Standard? A. It defines format for certificates B. It defines format for certificate revocation lists C. It cannot be used in S/MIME, PEM, IPSec, SSL/TLS and SSH D. It supports both hierarchical model and cross certificates 8. Which of the following is NOT an access right in Unix? A. Read B. Write C. Delete D. Execute 9. What is the length of proof when certificates are revoked, using certificate revocation lists (CRL)? Assume n is number of revoked certificates. A. O(1) B. O(log(n)) C. O(n) D. O(n 2 ) 10. Suppose Alice wants to encrypt and send a message to Bob. Which of the following should be included in the encrypted message so that Bob can detect the freshness of the message? A. Nonce B. Monotonically increasing number C. Time-stamp D. Her public key certificate Page 3

2 [5 pts total] Fill In The Blanks 1. The goal of Needham-Schroeder Protocol (Symmetric Key version) is to establish a session key between two parties 2. The goal of Needham-Schroeder Protocol (Public Key version) is to perform mutual authentication 3. Before using a certificate, one should check its expiration time and the most recent revocation status. 4. Certificate revocation tree (CRT) is based on Merkle hash trees. 5. Suppose a CRT contains two leaves: a hash of (, 10) and a hash of (10, ). If a certificate number 15 is revoked and needs to be added into that CRT, the leaves of the resulting CRT will become a hash of (, 10), a hash of (10, 15) and a hash of (15, ). 6. An entity that can securely issue certificates is called Certification Authority. 7. The purpose of including a nonce in an authentication protocol is to prevent replay/playback attacks. 8. In X.500 naming, L stands for locality and O stands for organization. 9. In distributed settings, capabilities are the best access control type. 10. Some examples of objects in access control are files, memory and processes. An example of subjects in access control is users or processes. Page 4

3 [4 pts] Authentication Recall the authentication protocol in Homework 1: We learned from the solution of Homework 1 that an adversary can bypass this authentication protocol without knowing K AB. This can be done by using a response from the second connection as a challenge reply to the first connection. This attack is called a reflection attack. Present two ways to modify this authentication protocol in order to avoid the reflection attack. Write down the modified protocols in details and state your assumptions clearly. Page 5

Solution: One way to do it is to change K AB (r a ) to K AB (r a B) and K AB (r b ) to K AB (r b A). The resulting protocol will be: 1. A B: r a 2. B A: K AB (r a B) 3. B A: r b 4. A B: K AB (r b A) Or use distinct keys: K AB and K BA in different directions, i.e., changing K AB (r b ) to K BA (r b ). The resulting protocol will be: 1. A B: r a 2. B A: K AB (r a ) 3. B A: r b 4. A B: K BA (r b ) Or use sequence numbers or timestamps instead of nonces in the above protocols. Page 6

4 [3 pts] Interleaving Attack Consider the mutual authentication protocol with a pre-shared symmetric key K: 1. A B : A, S 2. B A : E K (S + 1, A) 3. A B : E K (S + 2, B) Assume E() is a secure block cipher (e.g., AES) and S is a 32-bit monotonically increasing sequence number and maintained by both A and B. A and B reject the authentication if S in the first step is less than or equal to their maintained value. Does the interleaving attack work on this protocol? If so, write down how the attack can be carried out and how to fix it. Otherwise, explain why the attack won t work. Solution: Yes, the attack can be carried out as follows: 1. E picks a very large number S (i.e. pick S = 2 32 3) 2. E B : A, S 3. B E : E K (S + 1, A) 4. E A : B, S + 1 5. A E : E K (S + 2, B) 6. E B : E K (S + 2, B) One way to fix this is to make messages (2) and (3) asymmetrical. E K (S + 1, B, A). For example, (2) becomes Page 7

5 [3 pts] Access Control Your website development company has 50 web developers and has developed over 10,000 web pages. A software developer may have one or more of the following access rights for a given web page: READ, MODIFY and KILL. READ allows viewing a page, MODIFY allows making changes to a page and KILL allows removing a page. If your goal is to minimize delay when a web developer tries to access a web page, which access control structure is the best: (1) Access Control Matrix, (2) Access Control Lists or (3) Capabilities? Justify your answer. Solution: Since the number of objects is much higher than the number of subjects, we should use Access Control Lists. In the worst case scenario, using an ACL would take 50 iterations to search in a list. If we use capabilities-based access control, it would take at most 10,000 iterations since each capability contains at most 10,000 objects. Access control matrix is an abstraction of ACLs and Capabilities and should not be directly used. Page 8

6 [4 pts] Public Key Certification and Revocation Alice and Bob communicated via signed email. Bob receives four messages from Alice: (1) one on Monday morning, (2) one on Tuesday night, (3) one on Wednesday night, (4) one on Thursday morning. Bob check all four emails on Friday at noon and find out that all signatures are valid. Consider two scenarios: (a) How should Bob treat these messages from Alice if he found out that Alice s public key certificate expires on Wednesday at 2pm. (b) Suppose Bob receives her weekly CRL on Friday at noon, which includes Alice s public key certificate. Alice s public key certificate was compromised and she reported it on Wednesday at 2pm. How should Bob treat these messages from Alice in this case? Solution: (a) Bob should trust only first two messages since they were signed when Alice s public certificate was still valid. Bob should reject messages (3) and (4) since Alice s public key certificate already expired. (b) Bob should reject all messages since Alice s public key certificate has been revoked. Page 9

7 [4 pts] Public-Key Certificate Look into the security settings for your web browser and answer the following questions: (a) For your personal certificate, what signature algorithm is used? (b) What is your public key length? (c) If you inspect further in the security settings, you will see that your web browser installs many certificates of root (not intermediate) certification authorities (CA). Why does your web browser need to keep track of many root certificates, instead of just one? (d) Take a look at one root certificate. What is its X.500 Distinguished Name? Also, answer (a) and (b) for this root certificate. Solution: (a) The answer can vary. (b) The answer can vary. (c) Because certificates of different websites may be signed by different CAs. So, we need to store many root certificates in order to validate certificates of various websites. Also, having only one CA could cause a single point of failure, which is a global damage, if an adversary can compromise that CA. With multiple root CAs, the damage from compromising one CA is localized within that CA. (d) The answer can vary. Page 10

8 [4 pts] Certification Revocation Trees Suppose a certificate authority (CA) uses a Certificate Revocation Tree (CRT) to represent revoked certificates. The CA has issued a total of 500,000 certificates. Of those, 512 have been revoked. (a) What is the height of the CRT? (b) Suppose Alice wants to check whether Bob s certificate is revoked or not. Using this CRT, how many hashes and/or signature verification does she need to compute? (c) If another certificate is revoked, what needs to be updated in the original CRT to support this revocation? (d) After you update the CRT in (c), what is the height of the new CRT? Solution: (a) 10. Note that 512 certificates are revoked but since we represent a leaf node as a range, we will need 513 leaf nodes for storing the corresponding ranges. Thus, the height of the tree is log(513) = 10. (11 is also accepted if you start counting the height of the tree from 1.) (b) She would need to re-compute the root hash and it would take as many hashes as the height of the tree (1 hash for the corresponding leaf node and 10 more hashes for hash values along the path to the root.). Then, she performs one signature verification on that root hash. (c) One of its leaf nodes needs to be split into two new nodes. Suppose A is revoked and A is in (B, C), which is one of the leaf nodes. Then, (B, C) needs to be split into (B, A) and (A, C). Hashes of these two new nodes and their ancestors need to be computed. Signature for tree root needs to be re-computed as well. (d) 10. (or 11 if the depth of the split leaf node is 10.) Page 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback