Quiz 1 Post-Mortem
Bruce Maggs

Slide 2: Quiz Scores
• Quiz is graded on a curve
• Average score: 66.76 / 100
• Median score: 68 / 100
• High score: 92 / 100

Slide 3
The operator of a Tor relay can learn who (which IP addresses) is sending it Tor traffic, and which relay is next in the circuit. But the operator cannot see the contents of any traffic, because it is encrypted all the way to the exit relay. The exit relay can see which "sites" Tor users are connecting to, and if the traffic to those sites is unencrypted, it can see the traffic itself.

Slide 4
With enough relays, the attacker might be able to see the entire path from first relay to exit relay. Even without seeing the entire path, the attacker might still be able to use timing information to determine which clients were connecting to which sites. Why not run a relay yourself? Access to illegal Web sites might be attributed to you! Downloading of copyrighted content by Tor users might get you sued! Plus, who wants the scrutiny of being on the public list of Tor relays?

Slide 5
If both sides can store a lot of shared private data in advance, then they can store a one-time pad of random bits and have the most secure communication possible. Diffie-Hellman, SSH, TLS/SSL, quantum communication: (1) not the "most" secure, and (2) don't require pre-stored private shared data.

Slide 6
In advance, the client and server share a private key used to initialize a CSPRNG. Then, for each login session, both sides use the CSPRNG to generate the next password, e.g., the next 128 bits of pseudo-random data. Note: this problem does not mention or require encryption.

Slide 7
Bob's login password on livingontheedge.cs.duke.edu and the file permissions on the private key protect the key. The administrator of livingontheedge.cs.duke.edu can become root, then switch user to Bob and read the private key. If gatewaymachine.getrichquick.com is compromised, then the attacker can get everyone's password, and users often use the same password on multiple machines.
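The shared-CSPRNG password scheme of slide 6, as an added example (not code from the lecture). The slide does not name a CSPRNG, so this assumes HMAC-SHA256 in counter mode as the generator and a 128-bit password per login; the look-ahead window and the shared seed value are assumptions for the demo. It shows the property the quiz was after: each password is used once, so a replayed capture fails, and no encryption is involved.

```python
import hashlib
import hmac

PASSWORD_BYTES = 16  # "next 128 bits of pseudo-random data", as the slide puts it
WINDOW = 3           # assumed: how many logins the client may be ahead of the server


def password_at(seed: bytes, index: int) -> bytes:
    """Password for login number `index`.

    HMAC-SHA256 keyed with the shared secret, applied to a counter, is used
    here as the CSPRNG (an assumed construction; the slide leaves it open).
    """
    counter = index.to_bytes(8, "big")
    return hmac.new(seed, counter, hashlib.sha256).digest()[:PASSWORD_BYTES]


class Client:
    """Holds the shared seed and a counter; every call burns one password."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.index = 0

    def next_password(self) -> bytes:
        pw = password_at(self.seed, self.index)
        self.index += 1
        return pw


class Server:
    """Holds the same seed; accepts the next password (or one slightly ahead)."""

    def __init__(self, seed: bytes):
        self.seed = seed
        self.index = 0

    def login(self, presented: bytes) -> bool:
        # Allow a small window in case the client generated a password that
        # never reached us (dropped connection). Everything at or below the
        # accepted index is then burned, so a replay can never succeed.
        for i in range(self.index, self.index + WINDOW):
            if hmac.compare_digest(presented, password_at(self.seed, i)):
                self.index = i + 1
                return True
        return False


def run_demo() -> dict:
    # Constructed shared secret; in practice provisioned out of band in advance.
    seed = bytes.fromhex("00112233445566778899aabbccddeeff")
    client, server = Client(seed), Server(seed)
    results = {}

    first = client.next_password()
    results["first_login_ok"] = server.login(first)          # True
    results["replay_rejected"] = not server.login(first)     # True: already burned

    client.next_password()  # client generated one but the connection dropped
    results["login_after_gap_ok"] = server.login(client.next_password())  # True, inside WINDOW

    results["garbage_rejected"] = not server.login(b"\x00" * PASSWORD_BYTES)

    for _ in range(WINDOW):  # drift further than the window allows
        client.next_password()
    results["too_far_ahead_rejected"] = not server.login(client.next_password())

    results["server_index"] = server.index
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The window is the operational caveat: it has to be wide enough to survive a lost attempt but narrow enough that an attacker who steals one future password cannot use it after the legitimate user has moved past it.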
Slide 8
The client cannot differentiate between the hosting service and the content provider. The hosting service can modify the page so that the client never connects directly to the content provider; the hosting service is then set up as a man in the middle and can see all traffic.

Slide 9
By multiplying the two signatures, the attacker gets
$\big((m_1 2^k + r_1)(m_2 2^k + r_2)\big)^d \bmod n = (m_1 m_2 2^{2k} + m_1 r_2 2^k + m_2 r_1 2^k + r_1 r_2)^d \bmod n \neq (m_1 m_2 2^k + r_3)^d \bmod n$
(Without the random padding the attack would work, since $(m_1 m_2)^d \equiv m_1^d m_2^d \pmod n$; the padding destroys that algebraic relationship.)

Slide 10
Multiplying the two signatures together gives
$(\mathrm{MD5}(m_1)\,\mathrm{MD5}(m_2))^d \bmod n \neq \mathrm{MD5}(m_1 m_2)^d \bmod n$
Note: $m_1$ and $m_2$ are not secret. (And in part (a), $r_1$ and $r_2$ are not secret.) Therefore $m_1 m_2$ and $\mathrm{MD5}(m_1 m_2)$ are also not secret. The difficulty of "inverting" MD5 isn't the main issue here. (Except that it would be difficult to find an $m_3$ such that $\mathrm{MD5}(m_3) = \mathrm{MD5}(m_1 m_2)$, but even if you could find such an $m_3$, it would likely be garbage.)
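The three situations of slides 9 and 10 side by side, as an added example (not code from the lecture): textbook RSA, where multiplying two signatures forges a signature on the product; the part (a) scheme with $k$ random pad bits; and the part (b) scheme that signs an MD5 digest. The key is a toy one built from two Mersenne primes so the arithmetic runs instantly, the pad width $k = 64$, the sample messages and the reading of $m_1 m_2$ as concatenation in part (b) are all assumptions for the demo; MD5 is kept only because it is what the quiz used.

```python
import hashlib
import secrets

# Toy RSA modulus from two Mersenne primes (2^89 - 1 and 2^107 - 1): far too
# small to be secure, but large enough to hold a 128-bit MD5 digest and a
# padded message without wrapping. Constructed for this example.
P = (1 << 89) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = 64  # assumed width of the random pad r in the part (a) scheme


def textbook_sign(m: int) -> int:
    """Textbook RSA: signature is m^d mod n with no padding and no hash."""
    return pow(m, D, N)


def textbook_verify(m: int, s: int) -> bool:
    return pow(s, E, N) == m % N


def padded_sign(m: int, r=None) -> int:
    """Part (a): append k random bits r and sign (m * 2^k + r)^d mod n."""
    if r is None:
        r = secrets.randbelow(1 << K)
    return pow((m << K) | r, D, N)


def padded_verify(m: int, s: int) -> bool:
    """Recover m * 2^k + r, discard the low k bits (r is public), compare with m."""
    return (pow(s, E, N) >> K) == m


def hashed_sign(msg: bytes) -> int:
    """Part (b): sign MD5(m)^d mod n (MD5 as in the quiz; use SHA-256 in practice)."""
    return pow(int.from_bytes(hashlib.md5(msg).digest(), "big"), D, N)


def hashed_verify(msg: bytes, s: int) -> bool:
    return pow(s, E, N) == int.from_bytes(hashlib.md5(msg).digest(), "big")


def forge_by_multiplying(s1: int, s2: int) -> int:
    """The attacker's only move in the quiz: multiply two observed signatures."""
    return (s1 * s2) % N


def run_demo() -> dict:
    m1, m2 = 0xDEADBEEF, 0xCAFEBABE  # constructed sample messages
    results = {}

    # Textbook RSA: s1 * s2 = (m1 * m2)^d mod n, a valid signature on m1 * m2.
    forged = forge_by_multiplying(textbook_sign(m1), textbook_sign(m2))
    results["textbook_forgery_verifies"] = textbook_verify(m1 * m2, forged)

    # Part (a): the product's bit layout is m1*m2*2^(2k) + cross terms + r1*r2,
    # which no longer parses as (m1*m2) followed by some k-bit r3.
    forged = forge_by_multiplying(padded_sign(m1), padded_sign(m2))
    results["padded_forgery_verifies"] = padded_verify(m1 * m2, forged)

    # Part (b): MD5(m1) * MD5(m2) mod n is not MD5(m1 || m2), so the
    # multiplied signature does not verify for the concatenated message.
    b1, b2 = m1.to_bytes(4, "big"), m2.to_bytes(4, "big")
    forged = forge_by_multiplying(hashed_sign(b1), hashed_sign(b2))
    results["hashed_forgery_verifies"] = hashed_verify(b1 + b2, forged)

    # Honest signatures still verify under every scheme.
    results["honest_signatures_verify"] = (
        textbook_verify(m1, textbook_sign(m1))
        and padded_verify(m1, padded_sign(m1))
        and hashed_verify(b1, hashed_sign(b1))
    )
    return results


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The textbook case is the multiplicative homomorphism the quiz builds on: $m_1^d m_2^d \equiv (m_1 m_2)^d \pmod n$. Both fixes work by making the signed value something other than the message itself, so the product of two signed values is not the signed value of any message the attacker can name.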