ICS 134 – Spring 2011: Homework 2 Name: Q1 Student ID: Q2 /20 Q3 /20 Q4 /20 Q5 /20 TOTAL /20 /100 Due: Wednesday, May 18, 2011 @noon Turning it in: Email your homework as a single-file PDF attachment to edecrist@uci.edu. Use subject line: “ICS134 HW2”. Warning: Homework submissions not following above guidelines will not be graded. 1 Problem 1: Recall the man-in-the-middle (MiTM) attack discussed in class. Suppose that Alice and Bob, instead of using plain Diffie-Hellman, run the following key agreement protocol: 1. 2. 3. Alice Bob: Alice, PKAlice Bob generates random value y Bob Alice: Bob, PKBob, E ( PKAlice, g y mod p ) Alice generates random value x Alice Bob: E ( PKBob, g x mod p ) Where PKAlice is Alice’s public key and PKBob is Bob’s public key. E(PK,X) denotes public key encryption of X under public key PK. At the end of the protocol, both Alice and Bob compute the same key: K = g xy mod p. Is this protocol susceptible to man-in-the-middle attack? Explain why or why not? 2 Problem 2: Recall the zero-knowledge “cave” example (discussed in class) that illustrates the utility of zero knowledge in real life. What is the importance of this step in the protocol? What would happen if it were skipped? 3) V looks into the cave (while standing at point A) 3 Problem 3: What would happen if we replace squaring in Fiat-Shamir with cubing? In other words, on the Prover side, we have: I=S3 mod n and x=R3 mod n. And, on the Verifier side, we check that, either R3 mod n = x and (RS)3 mod n = X*I mod n 4 Problem 4: Alice and Bob have never communicated and have no shared secrets. But, they want to establish a secure communication channel (i.e., somehow compute a common secret key). They don’t like difficult math like Diffie-Hellman . So, instead, they do the following: 1. Alice composes N different “puzzles” of the form Xi = E(ki, Pi || Ki) for 0<i<=N, where ki is a unique key, per puzzle, Ki is another unique per-puzzle key and Pi is a (also unique) puzzle number/counter. E(ki, “Alice”||Pi || Ki) denotes the encryption, under key ki, of string “Alice” together with Pi and Ki. 2. Alice stores copies of all unencrypted puzzles in her local table (see step 4 below). 3. Alice shuffles all puzzles (so their order is random) and sends all of them to Bob. 4. After receiving all puzzles, Bob picks one of them at random and breaks it by brute force. Doing so takes O(2M) work where M is the size (in bits) of each ki. Let’s say, he breaks the puzzle Xj (by computing kj) and obtains Pj and Kj. 5. Now, Bob sends a message to Alice: Pj, E(Kj,”Bob”). NOTE: Keep in mind that Pj is the puzzle number! 6. Alice receives this message and, using Pj, looks up the correct puzzle Xj in her table, gets Kj and decrypts Bob’s message. 7. From here on, Alice and Bob have a common secret key – Kj. Eve is a strictly PASSIVE adversary. She eavesdrops on ALL messages between Alice and Bob. Her goal, is to determine the key Kj. How much work would she need to do in order to compute Kj? 5 Problem 5 Suppose that Alice sees Bob’s RSA signatures on two distinct messages m 1 and m2: S1 = m1d mod n and S2= m2d mod n where d is Bob’s private key and (e, n) are his public exponent and modulus, respectively. a) How can Alice compute/fake Bob’s signatures on: m1j , m2-1 and m1j m2k for any arbitrary positive integers j and k? b) How can these attacks be avoided? 6