1) A Fiat-Shamir protocol for message authentication uses 10 challenge-response rounds to verify the claimant.

a) What is the probability that a dishonest claimant is falsely verified as an authentic entity, i.e., what is the probability that the dishonest claimant responds correctly to all 10 challenges?

The probability that a dishonest claimant will falsely be verified is 0.5. Therefore $0.5^{10} = 0.0009765625$.

b) A Guillou-Quisquater protocol uses an integer challenge c in the range [1, 20] inclusive, i.e., there are 20 different values for c. What is the minimum value of challenge-response rounds needed so that the probability of falsely verifying a dishonest claimant is equal to or smaller than the probability obtained in part (a)?

You will need at least 3 challenges since the probability of falsely verifying would be 1/(3-1) = ½. With 10 correct challenges, this would be equivalent to the response in part a.

2) Consider a password-based authentication system. The system uses a password file that stores the hashed value of each password. To simplify your calculations, assume that passwords in this system are exactly 10 bits long.

a) What is the maximum number of attempts needed by an adversary launching a dictionary attack to gain access to all valid passwords in the system?

The maximum amount would be $2^{10} = 1024$ attempts. This is considering each character has a length of one bit. It would be the total number of unique combinations.

b) Assume that the password file in this system stores the passwords of 225 users and all passwords are distinct. What is the maximum number of attempts needed in a dictionary attack launched to gain access to one valid password, i.e., the attack stops after finding the first valid password?

$2^{10} - 224 = 800$

c) What is the length (in bits) of the salt needed to generate at least a five-fold increase in the maximum number obtained in part (a)? Assume the attacker does not have access to the salt field.
I would assume it is 3 bits since you would need $\log_2 5$.

3) The Needham-Schroeder protocol to generate a session key between two entities A and B with the help of KDC (key distribution center) consists of five steps. In the code below, Ra and Rb are two nonces, Ka is the secret key between KDC and A, Kb is the secret key between KDC and B, and Ks is the session key between A and B.

step 1  A → KDC: A, B, Ra
step 2  KDC → A: Eka(Ra, B, Ks, Ekb(A, Ks))
step 3  A → B: Ekb(A, Ks)
step 4  B → A: Eks(Rb)
step 5  A → B: Ek(Rb-1)

a) An adversary E recorded the five messages to establish a session key between A and B. At a later time after the session was terminated, the adversary somehow discovered the value of the session key Ks for the session he recorded. Can the adversary use a replay attack (i.e., use the recorded messages and his knowledge of the value of Ks) to create a session with Bob pretending to be entity A? Support your answer. Assume B does not keep track of nonces used in previous sessions.

It is possible since A would be the one contacting the KDC and B doesn’t keep track of previous sessions. It would think it’s a new session and continue.

b) Repeat part (a) for the Otway-Rees protocol which also consists of five steps.

No, the adversary cannot use it because there is a new session key assigned for every session, and it is terminated after the session is over. Additionally, B would contact the KDC and determine that this is a fake.

4) Consider a PKI mesh trust model connecting five certification authorities (roots). All five roots have an identical hierarchical model. Specifically, root k (denoted $CA_k$), $1 \le k \le 5$, has a hierarchical model consisting of two children $CA_{k,1}$, $CA_{k,2}$ and each of these two children stores certificates for 100 users.

a) What is the number of cross certificates used at the root level?

20

b) Using the notation X <<Y>>, write the chain of certificates used by user Ux to find the public key of user Uy.
Assume Ux belongs to $CA_{2,2}$ (the second child of Root 2) and Uy belongs to $CA_{5,1}$ (the first child of Root 5).
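
The replay scenario of question 3(a), as an added example that is not part of the original answers: a symbolic model of the five Needham-Schroeder steps in which B either keeps no state between sessions or remembers tickets it has already accepted. The `enc`/`dec` boxes, the class `B`, and the ticket cache are assumptions of this sketch (no real cipher is used), and the key values are constructed.

```python
import secrets

def enc(key, *fields):
    # Symbolic encryption: a box that only the matching key opens (no real cipher).
    return ("enc", key, fields)

def dec(key, box):
    _, box_key, fields = box
    if box_key != key:
        raise ValueError("wrong key")
    return fields

def kdc_step2(keys, a, b, ra):
    ks = secrets.token_hex(8)  # fresh session key per request
    return enc(keys[a], ra, b, ks, enc(keys[b], a, ks))

class B:
    def __init__(self, kb, remember_tickets):
        self.kb, self.remember, self.seen = kb, remember_tickets, set()

    def step3(self, ticket):
        # Receive Ekb(A, Ks); answer with the step 4 challenge Eks(Rb).
        if self.remember and ticket in self.seen:
            raise ValueError("replayed ticket")
        self.peer, self.ks = dec(self.kb, ticket)
        self.seen.add(ticket)
        self.rb = secrets.randbelow(2**32) + 1
        return enc(self.ks, self.rb)

    def step5(self, msg):
        # Accept the peer only if the message decrypts to Rb - 1 under Ks.
        (value,) = dec(self.ks, msg)
        return self.peer if value == self.rb - 1 else None

def finish_handshake(b, ticket, ks):
    # Steps 3-5 as run by any party holding the ticket and Ks.
    try:
        (rb,) = dec(ks, b.step3(ticket))
    except ValueError:
        return None
    return b.step5(enc(ks, rb - 1))

def demo(remember_tickets):
    keys = {"A": secrets.token_hex(8), "B": secrets.token_hex(8)}  # constructed Ka, Kb
    b = B(keys["B"], remember_tickets)
    ra = secrets.randbelow(2**32)
    got_ra, _, ks, ticket = dec(keys["A"], kdc_step2(keys, "A", "B", ra))
    first = finish_handshake(b, ticket, ks)     # genuine session, recorded by E
    replayed = finish_handshake(b, ticket, ks)  # later replay of step 3 with known Ks
    return got_ra == ra, first, replayed
```

`demo(False)` shows B accepting the replayed ticket as "A"; `demo(True)` shows the same replay rejected once B remembers tickets it has already accepted.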