Qualifier Exam in Information Security
Fall 2009

To pass the written exam, you must (a) answer at least one question in each of the three sections to the satisfaction of the examiners and (b) accumulate at least 60 total points.

1 System and Software Security

Problem 1, 10 points.

The problem of shredding or deleting all copies of data after it has been shared over the Internet presents numerous challenges. We may have to trust applications that access the shared data and the platforms on which they run. Encryption may have to be used to ensure that unauthorized parties do not access and make copies of the data that would be hard to delete. The recently proposed Vanish system tackles this problem and relies on another set of assumptions. In this question, you need to discuss solutions for digital data shredding under the assumptions made in each of the following cases.

• The machine where the owner of a data object creates the data is trusted. Also, all authorized users and their applications are trusted.
• Each machine where a data copy may exist has a trusted hypervisor and one trusted virtual machine. Applications that access the data may run in other, non-trusted virtual machines.
• Each machine where a data copy may exist runs a multi-level secure operating system that can perform label checking and enforce access based on labels. You will need to define meaningful labels that help you with data shredding.
• No machine, including the data owner's machine, can be trusted, because it may be compromised or may come under the control of someone such as a law enforcement agency.

First, outline the guarantees that shredding should provide. For each case, either argue why a protocol that provides these guarantees does not exist, or outline the protocol and discuss its correctness. Also comment on the various assumptions and on what you think of the viability of a practical data shredding solution for the online world.

Problem 2, 10 points.

Electronic medical records have been in the news recently because of their potential for improving patient health care while reducing cost. Such medical records contain structured data that may be stored in a database system. Database systems are subject to query inference attacks even when access control ensures that only legitimate users are allowed to see record fields, or aggregations of them, that do not appear to violate confidentiality. Give an example of an inference attack and discuss ways in which such attacks could be countered.

Problem 3, 10 points.

Propose a password-based authentication system that uses pictograms displayed on the screen rather than a password typed at the keyboard. Explain how your system functions, how it distinguishes legitimate users from those who do not know the secret, and how it is user-friendly. Supposing that a user can try 1 password per second, how much time on average is needed to break your system?

2 Network Security

Problem 4, 10 points.

EBay wants to create a system where customers commit to bids on items at a particular time t_i. Assume they provide a system where each customer (Bob in this example) uses a shared key k_{EBay,bob} to commit to a bid D. Bob provides E_{k_{EBay,bob}}("Bob") to EBay as this commitment. Identify at least three problems with this scheme, i.e., why does it not provide the desired properties? Create a construction that solves the problems you identified.

Problem 5, 10 points.

Over the past 25 years, the rise of personal computers as the dominant computing infrastructure led to widespread use of locally-executing applications and locally-stored data. In recent years, however, web applications have begun to replace local applications.

• How have web applications changed the problems and solutions of software security? That is, what problems of traditional software have little importance to web applications, and what new challenges arose with web applications? How do these changes impact the nature of the solutions developed by researchers?
• Compare and contrast the security issues of a web-based email service, such as Gmail or Hotmail, with those of a more traditional IMAP-based email service.
• Compare and contrast the security issues of a web-based word processor, such as Google Docs, with those of a more traditional local word processor like Microsoft Word.

Problem 6, 10 points.

Banks offering online web-based account access to their clients face numerous threats, many of which financially damage the banks themselves or their clients. One such threat may come from malware that executes on a client's system and initiates fraudulent financial transactions that, from the bank's perspective, appear to come from the legitimate user of the system. Suppose that the bank hires you to develop a solution addressing spoofed transactions: their central servers should only process authentic requests from client systems. They use a username and password authentication scheme.

• Propose a solution that includes alterations at the client systems. These may include changes to client hardware, software, or human behaviors. Analyze the ability of your solution to address the threat of client-side malware infections.
• Propose a solution that uses no client-side alterations; the bank only allows you to alter server-side hardware or software. You are not allowed to require customers to change their behaviors. Analyze the ability of your system to address the threat of client-side malware infections.

3 Cryptography

Problem 7, 10 points.

Your company developed a new deterministic MAC that is not only unforgeable, but also hides information about the underlying message. Of course, tagging the same message twice yields equal tags, but other than that no information is leaked. You are asked to prove this new privacy property of the MAC under some assumption. But what definition will you use? The PRF definition could work, but it is too strong for your MAC, as the tags may contain fixed bits. The IND-CPA definition for encryption can be applied to MACs as well, but it is not suitable (too strong), as any deterministic scheme is IND-CPA insecure. Modify the IND-CPA definition so that it becomes suitable for deterministic MACs.

Problem 8, 10 points.

In some applications of public-key encryption it is important that ciphertexts hide the identities of the receivers, i.e., it is hard to find the correspondence between ciphertexts and the public keys with which the ciphertexts are created. The receiver indistinguishability property can be defined like this. The adversary is given two public keys pk_0, pk_1 and outputs a message. The message is encrypted under pk_b for a random bit b. The adversary outputs its guess of b. We call the scheme receiver indistinguishable if no efficient adversary can guess the challenge bit correctly with probability much higher than 1/2.

• Does this property imply IND-CPA? Does IND-CPA imply it? Justify your answer.
• Do you think the ElGamal (assume all users use the same group) and RSA-OAEP schemes are receiver-indistinguishable? You don't have to give proofs, but justify your answer.

Problem 9, 10 points.

Shannon's theorem implies that it is not possible to encrypt long messages with a single short key without violating perfect secrecy. Your colleague suggests that it is nevertheless possible to encrypt multiple random messages with a single short key as follows. Let K be a random n-bit string shared between Alice and Bob. To send random n-bit messages M_1, ..., M_m, Alice computes the ciphertexts as M_1 ⊕ ⟨K + 1⟩, ..., M_m ⊕ ⟨K + m⟩, where ⟨x⟩ is a unique n-bit encoding of x. It is easy to check that Bob can decrypt. What do you think of the perfect secrecy of this scheme?
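Added example, not part of the exam or its solutions: a toy Python implementation of the Problem 9 scheme for a small n, which confirms Bob's decryption and exhaustively compares the ciphertext distributions produced by different message tuples, since perfect secrecy requires those distributions to be identical. It assumes ⟨x⟩ = x mod 2^n (the exam only says ⟨x⟩ is a unique n-bit encoding) and n = 4, so the key space can be enumerated.

```python
# Toy model of the Problem 9 scheme: C_i = M_i xor <K + i> for a shared n-bit key K.
# Perfect secrecy demands that the ciphertext distribution (over uniform K) be the
# same for every message tuple; this code checks that exhaustively for small n.
from collections import Counter
from itertools import product

N_BITS = 4                     # assumption: small n so all keys can be enumerated
MASK = (1 << N_BITS) - 1

def encode(x):
    """<x>: assumed here to be x mod 2^n, one valid n-bit encoding of x."""
    return x & MASK

def encrypt(key, messages):
    """Alice's ciphertexts C_i = M_i xor <K + i>, with i counted from 1 as in the exam."""
    return tuple(m ^ encode(key + i) for i, m in enumerate(messages, start=1))

def decrypt(key, ciphertexts):
    """Bob recovers M_i = C_i xor <K + i>; xor with the same pad undoes encryption."""
    return tuple(c ^ encode(key + i) for i, c in enumerate(ciphertexts, start=1))

def ciphertext_distribution(messages):
    """How often each ciphertext tuple occurs when K is uniform over all n-bit keys."""
    return Counter(encrypt(key, messages) for key in range(1 << N_BITS))

def is_perfectly_secret(m):
    """True iff every m-message tuple yields the same ciphertext distribution
    (the condition perfect secrecy imposes); exhaustive, so keep m small."""
    dists = [ciphertext_distribution(msgs)
             for msgs in product(range(1 << N_BITS), repeat=m)]
    return all(d == dists[0] for d in dists)

def parity_distinguisher(ciphertexts):
    """Guess whether (M_1, M_2) was (0, 0) or (0, 1) from the low bit of C_1 xor C_2.
    <K+1> and <K+2> are consecutive mod 2^n, so they always differ in bit 0:
    (0, 0) makes C_1 xor C_2 odd and (0, 1) makes it even."""
    c1, c2 = ciphertexts[:2]
    return (0, 0) if (c1 ^ c2) & 1 else (0, 1)

def distinguisher_success_rate():
    """Fraction of (key, message tuple) cases in which the parity guess is right."""
    hits = total = 0
    for key in range(1 << N_BITS):
        for msgs in ((0, 0), (0, 1)):
            hits += parity_distinguisher(encrypt(key, msgs)) == msgs
            total += 1
    return hits / total
```

A single message (m = 1) behaves like a one-time pad, but for m = 2 the distributions already differ and the parity guess is right for every key.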