1
CS 3IS3. Sample solutions to the assignment 2.
Total of this assignment is 206 pts. Each assignment is worth 20% of total. Many solutions are not unique.
If you think your solution has been marked wrongly, write a short memo stating where marking in wrong and what you think is right, and resubmit to me via e-mail (as pdf). The deadline for a complaint is 2 weeks after the assignment is marked and returned.
1.[10] Suppose that passwords are stored as follows, where there are 128 possible choices for each character: If a password exceeds 16 characters, it is truncated to 16 characters. If à password is less than 16 characters, it is padded with “A” until it is exactly 16 characters. The resulting 16-character password is split into two parts, X0 and X1, where X0 consists
of the first six characters and X1 consists of the last 10 characters. The password is hashed
as Y0 = h(X0, S0) and Y1= h(X1,S1), where S0 and S1 are each 64-bit salt values. The values
(Y0,S0) and (Y1,S1) are stored for use in password verification.
a.[3] Precisely how are (Y0,S0) and (Y1,S1) used to verify an entered password?
b.[3] What is the expected work for an exhaustive search to recover one particular password (for example, the administrator's password)?
c.[4] How would you attack a password in a way that could provide a significant shortcut over an exhaustive search or a standard dictionary attack? Explain.
Solution.
a. Follow the same process with the putative password, hashing the first half with S0
and the second half with S1. It is a match if the first hash matches Y0 and the
second matches Y1.
b. The work is 256.
c. Attack the second half first, and if solved, use the result to build a custom dictionary for the first half. For any password that is at least 9 characters, and somewhat less than 16, this approach would be likely to yield a significant short-cut.
2.[10] Suppose that you have n accounts, each of which requires a password. Trudy has a dictionary and the probability that a password appears in Trudy's dictionary is p. a.[3] If you use the same password for all n accounts, what is the probability that your
password appears in Trudy's dictionary?
2
least one of your passwords appears in Trudy's dictionary? Show that if n = 1, your answer agrees with your answer to part a.
c.[4] Which is more secure, choosing the same password for all accounts, or choosing different passwords for each account? Why?
Solution.
a. The probability is p.
b. The probability is 1 - (1 - p)n. Note that if n = 1, then the probability is p, which agrees with part a.
c. The probability that Trudy can get one (or more) or your passwords is lowest if you have only one password (assuming that n > 1). However, a single password puts all of your eggs in one basket, so to speak, which could be a very bad thing. For example, if one of the accounts does not hash passwords, Trudy might have a good chance of obtaining your password from that account, and if you use the same password everywhere, you're hosed. So, as always, it depends. … But, as a general rule, using the same password in lots of places is a bad idea.
3.[10] MAC addresses (see LN 10, page 26 or textbook-appendix 1) are globally unique and they don't change except in rare instances where hardware changes.
a.[3] Explain how the MAC address on your computer could be used as a “something you have” form of authentication.
b.[3] How could you use the MAC address as part of a two-factor authentication scheme? c.[4] How secure is your authentication scheme in part ‘a’? How much more secure is your
authentication scheme in part ‘b’? Solution.
a. If the MAC address appears in the packets, this could be used to indicate that it is the correct machine.
b. Also require a password or biometric.
c. The scheme in part a is not very secure – it is easy to spoof the MAC address (this is often done during attacks on WEP). The scheme in part b is better (much better if a strong biometric is used).
3
4.[6] Suppose that Alice uses two distinct passwords - one strong password for sites where she believes security is important (e.g., her online bank), and one weak password for sites where she does not care much about security (e.g., social networking sites).
a.[3] Alice believes this is a reasonable compromise between security and convenience. What do you think?
b.[3] What are some practical difficulties that might arise with such an approach?
Solution.
a. I think it is reasonable. The one difference is that in practice, it is not always possible to choose the same simple password for multiple sites (due to requirements on length, upper-case, special characters, etc.). So, in practice, we usually have 2 distinct “families" of passwords, where the passwords within each family are closely related.
b. The different password requirements on different sites can be an issue. Also, it's easy to accidentally use the strong password on non-important site and/or a site that might not treat passwords properly.
5.[14] A popular "something you have" method of authentication is the RSA SecurlD. The SecurelD system is often deployed as a USB key. The algorithm used by SecurlD is similar to that given for the password generator illustrated on page 25 of LN7 and in Figure 7.8 of the textbook. However, no challenge R is sent from Bob to Alice; instead, the current time T (typically, to a resolution of one minute) is used. That is, Alice's password generator computes h(K,T) and this is sent directly to Bob, provided Alice has entered the correct PIN (or password).
a.[3] Draw a diagram analogous to that on page 25 of LN7 and in Figure 7.8 illustrating the SecurlD algorithm.
b.[4] Why do we need T? That is, why is the protocol insecure if we remove T?
c.[4] What are the advantages and disadvantages of using the time T as compared to using a random challenge R?
d.[3] Which is more secure, using a random challenge R or the time T? Why?
Solution. a. Easy.
4
b. If there is no challenge T, then the response is always the same, h(K), which would eliminate the need for Alice to actually posses the SecurID device. So, it would not be a “something you have" form of authentication. Also, if Trudy observed one response, she would be able to replay that response forever to (mis)authenticate as Alice.
c. By using T, we save one message - there is no need to send the challenge. Note that T acts like a challenge R that Alice knows, so there is no need to send it. The down side to using T is that time becomes a security issue - if Alice and Bob's clocks are out of sync, by more than a minute, they cannot communicate. This opens up a new avenue of attack for Trudy.
d. Both are equally secure if implemented correctly.
6.[6] Suppose that you work in a classified environment where MLS is employed and you have a TOP SECRET clearance.
a.[3] Describe a potential covert channel involving the User Datagram Protocol (UDP). b.[3] How could you minimize your covert channel in part ‘a’, while still allowing network
access and communication by users with different clearances? Solution.
a. This is not so easy as with TCP, since the headers are smaller. But you could simply send a series of UDP packets and use the delay between packets to encode information (e.g., “long" delay is a 1 while a “short" delay is a 0).
b. If you suspect such a covert channel is being used, you could randomly delay packets.
7.[10] The high water mark principle and low water mark principle both apply in the realm of multilevel security.
a.[4] Define the high water mark principle and the low water mark principle in the context of MLS.
b.[3] Is BLP consistent with a high water mark principle, a low water mark principle, both, or neither? Justify your answer.
c.[3] Is Biba's Model consistent with a high water mark principle, a low water mark principle, both, or neither? Justify your answer.
5 Solution.
a. “High watermark" means that you start out at a low level clearance, and your active clearance gets upgraded as needed - up to the maximum level that you are allowed. The low watermark applies to integrity, and it means that your integrity level goes down to the integrity level of data that you read.
b. BLP with the weak tranquility property is compatible with a high watermark. c. Biba's model is compatible with a low watermark.
8.[8] This question requires some reading of Chapter 8 of the textbook and some using of Google would also be helpful.
It was very briefly discussed the following methods of inference control: query set size control; -N-respondent, k% dominance rule; and randomization.
a.[4] Explain each of these three methods of inference control.
b.[4] Briefly discuss the relative strengths and weaknesses of each of these methods.
Solution.
a. Query set size control - don't return the answer if too few respondents. N-respondent, k% dominance rule - essentially, a more refined form of query set size control, where answer is not returned if k% or more comes from N or fewer respondents. Randomization is just what it says - add some random noise to the reply.
b. The first two will increase the difficulty of finding specific information, but probably not prevent such attacks. A weakness of randomization is that it could be a problem if very precise answers are necessary (e.g., if you are doing research on a rare disease).
9.[6] This problem deals with visual CAPTCHAs
a.[3] Describe an example of a real-world visual CAPTCHA not discussed in the class (and textbook, and explain how this CAPTCHA works, that is, explain how a program would generate the CAPTCHA and score the result, and what a human would need to do to pass the test.
6 Solution:
a. For a typical test-based CAPTCHA, a word is randomly selected from a (large) dictionary and then a randomly-selected distortion (from a large set of possible
distortions) is applied, and the result is displayed. The human needs to type in the word. b. We assume that the attacker knows the dictionary, the set of possible distortions, and has
access to the software
10.[10] The anomaly-based intrusion detection example presented in this chapter is based on file-use statistics.
a.[4] Many other statistics could be used as part of an anomaly-based IDS. For example, network usage would be a sensible statistic to consider.
List five other statistics that could reasonably be used in an anomaly-based IDS. b.[3] Why might it be a good idea to combine several statistics rather than relying on just a
few?
c.[3] Why might it not be a good idea to combine several statistics rather than relying on just a few?
Solutions:
a. Commands issued, typing speed, mouse movements, activity versus inactivity, time of use, among many, many other possibilities.
b. More statistics would give a clearer view of the user's activity.
c. More statistics would make it slower, and it might also tend to give more false alarms, since a legitimate user is more likely to vary from one of the statistics.
11.[6] Consider the results given in Table 8.6 (textbook) or at the bottom of page 31 of LN 9. a.[2] For the subsequent time interval, what is the largest possible value
for A3 that will not trigger a warning from the IDS?
b.[2] Give values for A0, A1, and A2 that are compatible with the solution to part ‘a’.
c.[2] Compute the statistic S, using the solutions from parts ‘a’ and ‘b’, and the Hi values in
7 Solutions:
a. The value of A3 ≥ 0.39 will trigger an alarm, while A3 = 0.36, with A0 = 0.02, A1 = 0.32,
and A2 = 0.30, will stay well below the threshold of S = 0.1.
b. See part a. c. See part a.
12.[8] Consider the following protocol, where KAB is a shared symmetric key, CLNT and SRVR
are constants, and K = h(S,RA,RB) is the session key.
a.[4] Does Alice authenticate Bob? Justify your answer. b.[4] Does Bob authenticate Alice? Justify your answer.
Solutions:
a. Yes. The final message will convince Alice that she has made contact with Bob. Only Bob knows KAB, which is needed to determine S, which is needed to compute K, and if
Alice decrypts and finds SRVR, then she knows that the responder must know K. b. Yes, but this is somewhat subtle. Note that Trudy (masquerading as Alice) can send a
random string of bits in message 3 in place of E(S, KAB). Bob would then “decrypt" this
random string and whatever the result, he would assume that it is S. However, Trudy cannot determine a valid K without knowing the result S that Bob obtains, and Trudy cannot know this unless she knows KAB. Therefore, Bob authenticates Alice in message 3
when he decrypts E(CLNT, K) and finds the results is CLNT. Since Trudy cannot compute E(CLNT, K), Bob does not mistake Trudy for Alice.
8
13.[10] For some particular security protocol, suppose that Trudy can construct messages that appear to any observer (including Alice and/or Bob) to be valid messages between Alice and Bob. Then the protocol is said to provide plausible deniability. The idea here is that Alice and Bob can (plausibly) argue that any conversation they had using the protocol never actually occurred - it could have been faked by Trudy. Consider the following protocol, where K = h(RA, RB, S).
Does this protocol provide plausible deniability? If so, why? If not, slightly modify the protocol so that it does, while still providing mutual authentication and a secure session key.
9
14.[10] Design a mutual authentication protocol that employs digital signatures for authentication and provides plausible deniability (see Question 12).
Solution:
15.[6] For each of the following cases, design a mutual authentication and key establishment protocol that uses public key cryptography and minimizes the number of messages. a.[3] Use a timestamp to authenticate Alice and a nonce to authenticate Bob.
b.[3] Use a nonce to authenticate Alice and a timestamp to authenticate Bob. Solutions:
a. Mimic the protocol the “sign and encrypt" with a timestamp protocol, but include a nonce with the first message, and replace the key K with the nonce in message 2 (actually, there is then no need to encrypt the second message). This requires just two messages.
b. This seems to require three messages, since Bob must send the nonce/challenge in message 2, and Alice must then respond appropriately in message 3. So there is no benefit to this approach as compared to using nonces.
10
16.[8] Consider the authentication protocol below, which is based on knowledge of a shared 4-digit PIN number and uses Diffie-Hellman. Here, KPIN = h(PIN) and K = gab mod p.
a.[3] Suppose that Trudy passively observes one iteration of the protocol. Can she then determine the 4-digit PIN number? Justify your answer.
b.[5] Suppose that Trudy can actively attack the protocol. Can she determine the 4-digit PIN? Explain.
Solutions:
a. As a passive attacker, Trudy would need to solve the discrete log problem, which we assume is infeasible, so the answer is no.
b. Trudy can act as a MiM, but she only gets one chance (per iteration) to guess the PIN, since she must do so in real time. This gives her a 1/10,000 chance of success, per
iteration. Note that after the fact, she cannot guess the PIN, since she would need to break the discrete log problem, which implies that offline PIN cracking is not feasible in this case. So, her probability of success depends on how many iterations of the protocol she can attack. Of course, once she discovers the PIN, she can continue to break the protocol until the PIN changes.
It is worth noting that this use of Diffie-Hellman makes a weak PIN-based (or password-based) protocol more secure, at virtually no additional cost.
17.[8] In the Fiat-Shamir protocol on page 9 of LN12 or in Figure 9.32 of the textbook, suppose that Alice gets lazy and she decides to use the same “random” r for each iteration.
a.[4] Show that Bob can determine Alice's secret S. b.[4] Why is this a security concern?
Solutions:
a. At the first iteration Bob sends e = 0, and he receives r in message three. At the next iteration Bob sends e = 1, and he receives rS in message three. Bob (or anyone else who observed the messages) can find S from r-1rS.
b. Anyone who knows S can impersonate Alice, thereby breaking the security of the protocol.
11
18.[6] Consider the SSH protocol on page 3 of LN 13 or in Figure 10.1 of the textbook. One variant of the protocol allows us to replace certificateA with Alice's public key. In this
version of the protocol, Alice must have a public/private key pair, but she is not required to have a certificate. It is also possible to replace certificateB with Bob's public key.
a.[2] Suppose that Bob has a certificate, but Alice does not. What must Bob do so that he can authenticate Alice?
b.[2] Suppose that Alice has a certificate, but Bob does not. What must Alice do so that she can authenticate Bob?
c.[2] What are the significant advantages and disadvantages of this public key version of SSH, as compared to the certificate version on page 3 of LN 13 or in Figure 10.1?
Solutions:
a. Bob must have some way to associate a public key with Alice. Typically, this is accomplished by having a database of public keys and Bob simply looks up “Alice's" public key to be sure that it really belongs to Alice. Note that this would work well for a small number of users, but it would probably be impractical if there are a large number of users.
b. Similar to part a, Alice must have some way to associate “Bob's" public key with Bob. c. Advantages: no certificates required which eliminates many PKI issues. Disadvantages:
must have knowledge of public keys in advance and must have a way to associate public keys to users (typically, via a database lookup).
19.[6] Consider the SSL protocol on page 7 of LN 13 or in Figure 10.4 of the textbook. This protocol does not allow Bob to remain anonymous, since his certificate identifies him. a.[4] Modify the SSL session protocol so that Bob can remain anonymous with respect
to a passive attacker.
b.[2] Can you solve part a without increasing the number of messages? Solutions:
a. Alice sends ga mod p in message 1, Bob sends gb mod p in message 2, and encrypts his certificate in message 2 with the key K = gab mod p. A passive attacker cannot do the man-in-the-middle attack that would be needed to decrypt the certificate.
12
20.[6] IKE has two phases, Phase 1 and Phase 2. In IKE Phase 1, there are four key options and, for each of these, there is a main mode and an aggressive mode.
a.[3] What are the primary differences between main mode and aggressive mode?
b.[3] What is the primary advantage of the Phase 1 digital signature key option over Phase 1 public key encryption?
Solutions.
a. Main mode tries to hide identities (although without success in symmetric key mode). Also, main mode MUST be implemented, while aggressive mode SHOULD be implemented.
b. There is no need to know the public keys to begin the protocol. Since everyone knows their private key, you can start the protocol without waiting around to obtain the other side's public key. Of course, at some point, you need the other party's public key (to verify the “proof"), but obtaining the public key can be done in parallel with the protocol.
21.[4] In IKE Phase 1 digital signature main mode, proofA and proofB are signed by Alice and
Bob, respectively. However, in IKE Phase 1, public key encryption main mode, proofA
and proofB are neither signed nor encrypted with public keys. Why is it necessary to sign
these values in digital signature mode, yet it is not necessary to public key encrypt (or sign) them in public key encryption mode?
Solution.
In signing mode, the signature is used to authenticate. In encryption mode, the proofs need not be signed or encrypted since the symmetric key encryption with the key K is used for
authentication. More precisely, private key operations are needed to determine K, since the nonces are encrypted, so knowledge of K provides authentication.
22.[12] Consider the Kerberos interaction discussed in Section 10.5.2 and LN 14. a.[3] Why is the ticket to Bob encrypted with KB
b.[3] Why is "Alice" included in the (encrypted) ticket to Bob?
13
d.[3] Why is the ticket to Bob sent to Alice (who must then forward it to Bob) instead of being sent directly to Bob?
Solutions:
a. So that only Bob can decrypt it. The session key KAB that Alice and Bob will share is
included in the ticket.
b. Bob will know that the included key is to be used to communicate with Alice.
c. This serves no obvious purpose, since the ticket to Bob is already encrypted with KB,
which only Bob and the KDC know. Also, Alice sends the ticket to Bob without any additional encryption.
d. It would be more efficient (in terms of bandwidth usage) to send it directly to Bob, but then Bob would have to remember this info until Alice contacts him. That is, Bob would have to maintain state, and Kerberos is all about being stateless.
23.[9] This problem deals with Kerberos.
a.[3] Why can Alice remain anonymous when requesting a ticket to Bob?
b.[3] Why can Alice not remain anonymous when requesting a TGT from the KDC? c.[3] Why can Alice remain anonymous when she sends the "ticket to Bob" to Bob?
Solutions:
a. Usually, anonymity with symmetric keys is, at best, difficult (see IPSec, for example). However, in Kerberos, anonymity when requesting a ticket is easy, since all TGTs are encrypted with KKDC, which is known only to the KDC. Consequently, the KDC does not need to know whose TGT it is before decrypting it.
b. At this point, Alice does not have any TGT/credentials, so the trick described in the solution to part a does not apply.
c. The ticket to Bob (which is encrypted) tells Bob that he should be communicating with Alice.
14
24.[11] WEP is supposed to protect data sent over a wireless link. As discussed in the text, WEP has many security flaws, one of which involves its use of initialization vectors, or IVs. WEP IVs are 24 bits long. WEP uses a fixed long-term key K. For each packet, WEP sends an IV in the clear along with the encrypted packet, where the packet is encrypted with a stream cipher using the key KIV = (IV, K), that is, the IV is pre-pended to the
long-term key K. Suppose that a particular WEP connection sends packets containing 1500 bytes over an 11 Mbps link.
a.[4] If the IVs are chosen at random, what is the expected amount of time until the first IV repeats? What is the expected amount of time until some IV repeats?
b.[4] If the IVs are not selected at random but are instead selected in sequence, say, IVi = i,
for i = 0,1,2,... ,224 - 1, what is the expected amount of time until the first IV repeats?
What is the expected amount of time until some IV is repeated? c.[3] Why is a repeated IV a security concern?
Solutions:
a. The expected number of IVs until the first one repeats is given by n in the equation (1-
p)n = 1/2, where p = 1/224. Solving, we find that n ≈ 11,629,079. At 11 Mbps and 1500 bytes per packet, there are about 916 packets per second. So, we would expect to see the first IV again after about 11,629,079/916 ≈ 12,696 seconds, which is about 3.5 hours. By the birthday problem, some IV will repeat after about 212 packets. Again, at 11 Mbps and 1500 bytes per packet, there are about 916 packets per second. So, we would expect to see a repeated IV after about 212/916 ≈ 4:5 seconds.
b. In this case, the first repeat occurs after 224 packets have been observed, which takes about 224/916 ≈ 18,316 seconds, which is a little more than 5 hours.
c. This is at least as bad as a one-time pad being used more than once. That is, repeated IVs make cryptanalytic attacks a realistic possibility, and the more repeats for a give IV, the stronger the attacks become.
25.[6] Suppose that we modify WEP so that it encrypts each packet using RC4 with the key K, where K is the same key that is used for authentication.
a.[3] Is this a good idea? Why or why not?
15 Solutions:
a. It's a very bad idea. In WEP, the keystream is repeated each time the IV repeats
(assuming that the long-term key K doesn't change). However, this modified version is even worse, since each packet is encrypted with the same keystream| this is at least as bad as using a one-time pad over and over and over and over and … .
b. It would be worse. While the way that the key K and IV are combined in WEP leads to a fairly simple cryptanalytic attack, this attack would be even easier.
