Computer Security exam answers, 2004 Symmetric

advertisement
Computer Security exam answers, 2004
1. Symmetric-key encryption.
Alice and Bob wish to communicate using symmetric key encryption. They intend to use a
substitution cipher: the secret key is a permutation of bytes. (For example, the key may be
represented as an array [0...255] each cell of which is a number in the range 0—255, without
duplicates.)
(a)What attacks are possible on this scheme, under each of the following assumptions:
i. The attacker knows the plain text is an HTML page
Since the cipher is a simple substitution, the attacker can use her knowledge of the
structure of HTML pages to guess which characters represent <, >, /. Next, she can look
for HTML tags such as <html>, <body>, <ol>. In this way she can get a lot of the key, and
the more she gets, the easier it becomes to get the remainder.
ii. The attacker knows the plain text is a compressed page of ascii (the compression algorithm
is not known).
There are only two or three common compression algorithms, so a plausible attack is to
assume that it was one of them, such as ZIP, and cryptanalyse by looking for the headers
and other structures that it introduces. This is much harder than part (i), but still plausible.
(b)How many possible keys are there? (Your answer can be an expression, if you are not able to
evaluate it as a number.)
256! keys, which is about 10508.
(c) How does this encryption method compare with DES, in terms of
i. a cryptanalytic attack
Much easier than DES, as described above. There are no known cryptanalytic attacks on
DES.
ii. a brute-force attack?
Much harder than DES, which has only 256 keys, which is about 1016.
Note. Candidates don't need a calculator. It's obvious that 256! is much bigger than 256.
2. Secure hash functions.
(a)What are the important properties of secure hash functions such as MD5?
1. Given M, easy to compute h=H(M)
2. Given h, hard to compute M such that h=H(M) -- "one-way"
3. Hard to find M,M' such that H(M)=H(M') -- "collision resistant"
(b)Explain in what way MD5 is thought to be weak.
There is some evidence that one could find M and M' which violate property 3. A paper was
published in about 1996 which give M,M' for a version of MD5 which uses different initial
values than MD5. However, property 2 is still safe. No known cryptanalysis has threatened it.
(c) A software company uses the following method to distribute software to its clients.
 It puts the software on an insecure web server.
 The client downloads the software, and computes an MD5 hash of the downloaded file.
Then they telephone the software company, and read out the first four bytes of the hash
(which consists of 16 bytes).
 If the four bytes verify, the client accepts the software as securely transmitted.
The software company approaches you and asks your opinion on whether they should cease
using MD5 in this way, in view of its weakness.
i. Advise the company.
The company is effectively using a 4x8=32 bit hash. A brute force attack could be mounted
to reverse it. An attacker could create a compromised version of the software, and then
make 232 trivial variations of it in order to try to get one which hashed to the given hash.
(This could be done by adding 4 bytes to the end of the file, and considering all possible
values.) Thus, the weakness in the company's scheme is the way they are using MD5,
rather than MD5 itself.
ii. Would your advice be different if they verified all 16 bytes of the MD5 hash?
Yes. In this case I would advise them that their method is secure. To attack it, one would
have to reverse MD5, which is considered impossible and likely to remain so for the
forseeable future.
3. Public-key cryptography.
(a) Fred has implemented RSA. Part of his code is shown at the end of this examination paper. A
company has approached you to ask your opinion of whether they should accept Fred's
implementation. Advise them.
The implementation is very naïve. It produces the same key every time. Moreover, it has the
primes p and q embedded in the executable, instead of being chosen or constructed at random.
An attacker who has access to p and q can easily break RSA.
(b)Alice and Bob wish to issue a lengthy joint statement to newspaper N. N has asked for the
statement to be signed by each of A and B. They also want to prevent evesdropper E from
having prior access to the statement. Alice proposes the following protocol:
 Alice writes the statement, encrypts it with Bob's public key, and sends it to him. If he
accepts her version of the statement, he signs a secure hash h of it with his private key,
resulting in the message m={h}KB-1. He then encrypts his signature m with Alice's public
key, resulting in {m}KA, and sends it to her. Alice decrypts Bob's message to recover m, and
signs it with her private key. The result is {m}KA-1, i.e. {{h}KB-1}KA-1 . She puts the statement
together with the doubly-signed hash, encrypts them with N's public key, and sends it to N.
Assume that all public keys are reliably known, and that the cryptography is secure.
i. What cryptographic computations is N supposed to perform, in order to verify the
signatures?
N should decrypt the message with his private key, to recover the statement and the
doubly-signed signature. He should compare these two values, for equality:
 The hash of statement
 The doubly-signed hash, after decrypting it first with A's public key and then with B's.
ii. Comment on the proposed protocol.
1. Is it secure for A? For B? For N?
It is not secure for A, because B and N could conspire in the following way: B modifies
the statement of which he takes a hash. A signs his signature without checking it. N now
has proof that A and B agreed to the modified statement. Alice should sign a hash of the
statement independently, instead of signing Bob's signature.
I think it is secure for B and for N.
2. Can you optimise it without weakening its security?
The encryption by public key should all be done by session key, with the session key
encrypted by the relevant public key. Moreover, there is no need for Bob (or Alice) to
encrypt their signatures. The statement is not compromised by an attacker having access
to the signature.
4. Protocols and Trusted Computing.
A company called Mocrosift wishes to check that its customers are using its web browser
“Internet Deplorer” (ID), and not the rival product “Melizza”. It consults two security
companies to suggest an appropriate method. The companies respond as follows.


Protocol A. When ID access a web page from Mocrosift's sever, the server responds with a
challenge consisting of Mocrosift's public key. ID replies with a message consisting of
 a digital hash #A of the ID executable,
 a secret, which is embedded in ID's executable in a way resistant to tamper or extraction.
The message is encrypted with Mocrosift's public key before it is sent off. Mocrosift checks
that the digital hash #A is the correct hash for ID, and that the secret is correct. It sends the
web page.
Protocol B. When ID access a web page from Mocrosift's sever, the server responds with a
challenge consisting of a nonce. ID replies with a message consisting of
 the nonce, signed with a secret key which is embedded in ID's executable in a way resistant
to tamper or extraction.
Mocrosift verifies that the nonce is the one it sent. It sends the web page.
a) State your opinion about each of the proposals.
Proposal A is rubbish. The same message is sent every time. Proposal B is much better.
b) What attacks are available to Melizza on each of the proposals? Advise Mocrosift on whether
it should accept either of them.
Proposal A: simple capture and replay of the constant message.
Proposal B: I think there are no easy attacks. Hard attacks include:
Try to extract the secret key from the executable;
Try to wrap the executable of ID to encapsulate a service which correctly responds to the
challenge.
Accept B.
c) How can Trusted Computing enable the deployment of a protocol which is more secure than
either of the proposals above?
By using hardware keys and the attestation protocol described in the module content, a
protocol can be developed which is highly resistant, and moreover which if broken only
compromises an individual computer. (Thus, it is resistant to BORE: Break Once, Run
Everywhere).
5. Short notes.
Write short notes (maximum 100 words) on each of the following:
(a)The meaning of assets, threats, attacks, vulnerabilities, risk, and impact.
(b)How can companies and legislators prevent phishing?
(c) The desired properties of a digital cash system.
(d)Zero-knowledge protocols.
(e) Problems with logins by fingerprint recognition.
(f) Security in programming languages.
Bookwork.
Download