CNT Assignment Doc

1) A Fiat-Shamir protocol for message authentication uses 10 challenge-response rounds to verify the
claimant.
a) What is the probability that a dishonest claimant is falsely verified as an authentic entity, i.e., what is
the probability that the dishonest claimant responds correctly to all 10 challenges?
The probability that a dishonest claimant will falsely be verified is 0.5. Therefore 0.5^10 = 0.0009765625
b) A Guillou-Quisquater protocol uses an integer challenge c in the range [1, 20] inclusive, i.e., there are
20 different values for c. What is the minimum value of challenge-response rounds needed so that the
probability of falsely verifying a dishonest claimant is equal to or smaller than the probability obtained in
part (a)?
You will need at least 3 challenges since the probability of falsely verifying would be 1/(3-1) = ½.
With 10 correct challenges, this would be equivalent to the response in part a.
2) Consider a password-based authentication system. The system uses a password file that stores the
hashed value of each password. To simplify your calculations, assume that passwords in this
system are exactly 10 bits long.
a) What is the maximum number of attempts needed by an adversary launching a dictionary attack to gain
access to all valid passwords in the system?
The maximum amount would be 2^10 = 1024 attempts. This is considering each character has a
length of one bit. It would be the total number of unique combinations.
b) Assume that the password file in this system stores the passwords of 225 users and all
passwords are distinct. What is the maximum number of attempts needed in a dictionary attack
launched to gain access to one valid password, i.e., the attack stops after finding the first valid
password?
2^10 – 224 = 800
c) What is the length (in bits) of the salt needed to generate at least a five-fold increase in the maximum
number obtained in part (a)? Assume the attacker does not have access to the salt field.
I would assume it is 3 bits since you would need log_2(5).
3) The Needham-Schroeder protocol to generate a session key between two entities A and B with the
help of KDC (key distribution center) consists of five steps. In the code below, Ra and Rb are two nonces,
Ka is the secret key between KDC and A, Kb is the secret key between KDC and B, and Ks is the session
key between A and B.
step 1 A → KDC: A, B, Ra
step 2 KDC → A: Eka(Ra, B, Ks, Ekb(A, Ks))
step 3 A → B: Ekb(A, Ks)
step 4 B → A: Eks(Rb)
step 5 A → B: Ek(Rb-1)
a) An adversary E recorded the five messages to establish a session key between A and B. At a later time
after the session was terminated, the adversary somehow discovered the value of the session key Ks for
the session he recorded. Can the adversary use a replay attack (i.e., use the recorded messages and his
knowledge of the value of Ks) to create a session with Bob pretending to be entity A? Support your
answer. Assume B does not keep track of nonces used in previous sessions.
It is possible since A would be the one contacting the KDC and B doesn’t keep track of previous
sessions. It would think it’s a new session and continue.
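An added example, not part of the original assignment or its answer: the replay from question 3(a) run against a simulated B, alongside a hardened B that rejects old tickets. The toy cipher, the class and function names, and the "issued" timestamp in the ticket are assumptions introduced here; timestamping the ticket is the Denning-Sacco style fix, not a step of the protocol as given above.

```python
import hashlib, hmac, json, os

def _keystream_xor(key, nonce, data):
    stream = hashlib.shake_256(key + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, obj):
    """Toy E_key(obj): XOF keystream + HMAC tag. Illustration only, not a vetted cipher."""
    nonce = os.urandom(16)
    ct = _keystream_xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_keystream_xor(key, nonce, ct))

class B:
    def __init__(self, kb, max_ticket_age=None):
        self.kb, self.max_ticket_age = kb, max_ticket_age

    def step3(self, ticket, now):
        """Open Ekb(A, Ks) and answer with step 4, Eks(Rb)."""
        t = unseal(self.kb, ticket)
        # Hardened variant (assumption, not on the page): KDC timestamps the ticket.
        if self.max_ticket_age is not None and now - t["issued"] > self.max_ticket_age:
            raise ValueError("stale ticket")
        self.ks = bytes.fromhex(t["ks"])
        self.rb = int.from_bytes(os.urandom(4), "big")
        return seal(self.ks, self.rb)

    def step5(self, msg):
        """Accept the peer only if it returns Eks(Rb-1)."""
        return unseal(self.ks, msg) == self.rb - 1

def replay_with_old_ks(max_ticket_age):
    """Constructed scenario: a ticket issued at t=1000 is replayed at t=90000."""
    kb, old_ks = os.urandom(32), os.urandom(32)
    ticket = seal(kb, {"a": "A", "ks": old_ks.hex(), "issued": 1000})  # recorded step 3
    b = B(kb, max_ticket_age)
    try:
        challenge = b.step3(ticket, now=90000)
    except ValueError:
        return False                      # B refused the replayed ticket
    rb = unseal(old_ks, challenge)        # possible only because the old Ks leaked
    return b.step5(seal(old_ks, rb - 1))  # True: B believes it is talking to A
```

With no freshness check B completes the handshake on the replayed ticket; with a ticket age limit the same replay is refused at step 3.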
b) Repeat part (a) for the Otway-Rees protocol which also consists of five steps.
No, the adversary cannot use it because there is a new session key assigned for every session, and it
is terminated after the session is over. Additionally, B would contact the KDC and determine that
this is a fake.
4) Consider a PKI mesh trust model connecting five certification authorities (roots). All five
roots have an identical hierarchical model. Specifically, root k (denoted CAk), 1 ≤ k ≤ 5, has a
hierarchical model consisting of two children CAk,1, CAk,2 and each of these two children stores
certificates for 100 users.
a) What is the number of cross certificates used at the root level?
20
b) Using the notation X <<Y>>, write the chain of certificates used by user Ux to find the public
key of user Uy. Assume Ux belongs to CA2,2 (the second child of Root 2) and Uy belongs to CA5,1
(the first child of Root 5).