Add to collection(s) Add to saved
  1. Business

solutions

advertisement 
CSUS
COLLEGE OF ENGINEERING AND COMPUTER SCIENCE
Department of Computer Science (RVR 3018; 278-4238/6834)
C Sc 254 – Network Security, Fall 2006
Ghansah
Assignment #1 SOLUTIONS: Cryptography and Secure Communication
Fundamentals.
1. (25 points) Consider the following function f that maps any bitstring M longer than
128 into a bitstring f(M) of length 128. To compute f(M), first “pad” M with zeroes until
its length becomes a multiple of 128, then partition it into 128 groups of bits and for each
group compute the exclusive-OR (XOR) of the bits in it. Explain why this function f is
not suitable for use as a cryptographic one-way hash function.
SOLUTION:
The hash function partitions the message M into 128 groups of bits and for each
group of bit compute the XOR of the bits in it. This function produces a 128-bit
hash. If the hash is known, it is easy to reproduce the hash simply by providing a
129 bits string. For example, if the hash is
1 h2 h3 h4 …………………….. h128
This hash can easily reproduced by providing the bit string
0 h2 h3 h4 …………………….. h128 1 0 0 0 …………………0
(
127 0’s padded
)
Similarly, if the hash is
h1 h2 h3 h4 …………………….. h128
This bad guy can reproduce this has by presenting the 129 bit string
h1 h2 h3 h4 …………………….. h128 0
The system will pad it with 127 0 bits as follows.
h1 h2 h3 h4 …………………….. h128 0 0 0 0 …………………0
(
127 0’s padded
)
XOR of the first 128 bits with second 128 bits will produce a hash which is
the same as the original hash. That is, h1 h2 h3 h4 …………………….. h128
Therefore, it is not suitable for use as a cryptographic one-way hash function,
Since there are clearly too many collisions.
Another way we can look at the problem is as follows.
If f(M) is computed by padding M into multiple of 128 bits and then dividing them
into groups of bits then each group can have arbitrary number of bits. The bits
within each group is XORed. And placed in the corresponding position as part of
the hash. Example if M = 129 bits we will pad it to 256 bits and divide it into 128
groups with each group having 2 bits. Similarly if M is 300 bits it will be padded
1
with zeroes to 384. This will be divided into 128 groups of 3 bits each. Because each
XOR results in simply 0 or 1 there can be so many different combinations of bits
that can provide 0 or 1 in each hash, thus resulting in too many collisions.
The issue here is not that the above algorithm is not a 1-way hash function. Rather,
it is not a good cryptographic hash function because of too many collisions.
2. (25 points) Alice, Bob, Carol, and Dave have physical access to the five pieces of
information V,W,X, Y,Z. One day you decide that this should not continue: You want to
encrypt some of the pieces of information, using symmetric cryptography, in such a way
that
• Alice can read only V,W,X,
• Bob can read only W,X,
• Carol can read only Y,Z,
• Dave can read only V, Y,Z.
How would you achieve the above with the smallest possible number of keys? That is,
you get to choose the keys, to decide which files are encrypted with which keys, and to
decide who gets which key(s).
The information can be represented as follows using a matrix.
Alice
Bob
Carol
Dave
V
x
W
x
x
X
x
x
x
Y
Z
x
x
x
x
The above matrix shows that there is a minimum number of three keys needed to
encrypt the information and distributed as follows.
Key1-Alice and Dave share one key for reading file V.
Key2-Alice and Bob share one key for reading files W and X.
Key3- Carol and Dave share one key for reading files Y and Z.
3. (50 points) A bank B allows its customers to withdraw cash from their accounts at a
number of specialized automated teller machines (ATMs) that are only for cash
withdrawals (not for checking balances or performing other transactions). The ATMs
operate in the following way. (In what follows EB refers to encryption with the bank’s
secret key, in a single-key cryptosystem.) The bank asks the customer C to select a
secret number (called ”personal identification number”, denoted by PIN(C)). Then the
bank issues the customer C a special magnetized card that contains the following two
pieces of information (on separate portions of the magnetized strip on the card):
• The customer’s account number at the bank (call it AcNr(C)).
• EB(PIN(C)).
2
Each ATM of that bank can perform an EB(·) computation, and also stores a list of all the
valid account numbers. It does not store the dollar balance in each account (each ATM
limits cash withdrawals to no more than $200 per day for each account, and each
account contains at least $500 — the bank automatically closes an account whose
balance falls below the $500 minimum). When the customer C wants to withdraw cash
from an ATM, C inserts the card and the ATM reads the information on it and then
challenges C to enter PIN(C).
The ATM then
(i) verifies that the AcNr(C) that it read from the card is on its list of valid account
numbers, and then
(ii) encrypts (i.e., does an EB(·)) what C just entered and verifies that the result equals
the EB(PIN(C)) that is stored in the card.
If both (i) and (ii) are successfully verified the ATM allows the customer to withdraw the
cash (subject to the constraint that the total amount withdrawn by C that day from that
ATM does not exceed $200). The ATM also stores a record of the transaction that
consists of the account number and the amount just withdrawn. At midnight every day all
the ATMs communicate with the bank’s main computer, which updates all the customer
accounts by subtracting from their balances the amounts of cash withdrawn that day.
This off-line operation of the ATM allows the customers to quickly withdraw cash even
when the network is down or very slow (at peak-hours during the day); contrast this to
on-line operation, which would have required communication with the bank’s main
computer before a transaction can complete (and would have been problematic if the
network was down or very slow at the time of the transaction).
Note that, if the card is stolen from the customer, the thief cannot obtain PIN(C) from the
card because it is encrypted (this is why it is EB(PIN(C)) rather than PIN(C) that is stored
on the magnetic strip of the card — the latter would be insecure because the information
on the magnetic strip of a card is easy to read and modify).
1. Show how a dishonest customer C’ who knows AcNr(C) can steal from C (by
withdrawing cash from the account of C).
Since there is no authentication between the customer account (AcNr(C)) and the
encrypted PIN, (EB(PIN(C)), entered by the customer, it gives the dishonest
customer C’ opportunity to steal from C. All he (C’) has to do is as follows. Using
account ID (ArNr(C)) and his own encrypted PIN, EB(PIN(C’)), he can create a fake
card as shown.
AcNr(C)
EB(PIN(C’))
After the ATM verifies the existence of AcNr(C)), he (C’) enters his own PIN
number, ATM encrypts the PIN(C’), then verifies EB(PIN(C’)) against the
EB(PIN(C’)) stored in the card. It will match and he (C’) will be able to withdraw
money from account AcNr(C).
3
2. Suppose the theft occurs as in the above question 1. When C receives the end-ofmonth statement from the bank, C realizes what happened and complains to the bank.
Can the bank tell for sure whether the theft really occurred, i.e., that C is not lying ?
No, it is not possible for the bank to prove if someone else stole money from C
account unless there is surveillance camera since neither the ATM nor the bank
keeps any record to prove if invalid information was entered. That is, because there
is no proper authentication of source, we cannot tell if C is lying.
3. Without doing any modification to the card itself, explain how you would modify the
ATM protocol so that the identity of C’ is revealed if C’ were to steal from C as in
question 1. That is, when C gets the end-of-month statement and complains about illegal
withdrawals from her account, the bank should at least be able to find out which C’
committed the crime.
The problem with the case in question 1 is that the customer ID (ie. PIN(C)) is not
bound to the AcNr(C). We can solve this problem by having the ATM machine keep
track of the EB(PIN(C) ) of customer C. In this case if C’ submits AcNr(C) together
with PIN(C’) this record is stored by the ATM in its log and subsequently sent to the
bank. At the end of the month if C complains about illegal withdrawals the bank can
check the log to determine which PIN was used. It will find that PIN(C’) was used
for withdrawal on AcNr(C) account. That is C’ was the one who performed the
withdrawal on AcNr(C) account Note that it is easy to compute PIN(C) from EB(PIN(C) ) . Thus either one can be stored by the bank as needed. This solution
assumes that C’ is a valid customer with a bank account at the bank but who is
trying to impersonate C. If C’ is a bogus customer, the bank can only prove that C
did not perform the transaction but the bank cannot figure out who did it. A
different protocol will be needed for that.
4. In this question you are allowed to modify both the card’s design and the ATM
protocol: What should the card contain to prevent the theft by C’ ? How would the
corresponding ATM protocol be different ?
If the modification of both the card’s design and the ATM protocol is permitted, the
following things can be suggested. First of all, to modify the card’s design, we may
encrypt the customer’s account number on the special magnetized card. This may
add some confidentiality to the card holder. In addition, hash functions can be used
to maintain the integrity of the data on the card. A hash function is performed on
the concatenation of the account number and the PIN number. The result of the
hash is encrypted. The formal representation looks like this: Eb{H(AcNr(C)),
(PIN(C)}. This is added to the AcNr(C) and PIN(C) information already available
in the previous step
Using the above modification the following ATM protocol will be used. When a
customer submits the PIN number, the ATM machine will retrieve PIN(C) stored on
the card via decryption. It will then perform a hash of this PIN(C) concatenated
with AcNr(C). If the result of this hash is equal to the decrypted hash on the
magnetic card it will perform the transaction on behalf of C. Suppose C’ tries to
4
steal from C’s account using the method in 1), that is by supplying AcNr(C) and
PIN(C’), the result of the hash comparison will not match. That is,
H(AcNr(C))+(PIN(C)} is not equal to H(AcNr(C))+(PIN(C’)}. The ATM will refuse
the request. Thus the theft will fail.
5. Explain how a dishonest customer C can withdraw much more than the $200 daily
limit from her own account. What would the bank have to do to make this impossible?
To exceed the $200 withdrawal per day limit, on the same day, a customer can go to
one ATM machine and withdraw $200, then go to another ATM machine to
withdraw another $200, and so on. The Bank has to do the following things to make
it impossible:
A. Move to on-line operations so the system becomes a real-time system. When the
customer withdraws the money, the information will send to central computer. The
information can be immediately updated in each ATM machine.
B. Change the magnetized card to a smart card so that the card can store the
following information:
1. Date and time customer withdrew the money
2. The amount customer withdrew
The information should be encrypted by the bank to prevent changes by the
customer. Whenever a customer tries to withdraw money the ATM checks the
balance on the magnetic card to see if there is no violation before dispensing money
to the customer.
5
Related documents
3.4 Electronic Monetary processing
3.4 Electronic Monetary processing
Phase Diagram Worksheet 2
Phase Diagram Worksheet 2
Tutorial 1
Tutorial 1
9630-20-TW19 Family.SLDDRW
9630-20-TW19 Family.SLDDRW
UML Use Cases Design an information system for a bank company
UML Use Cases Design an information system for a bank company
Self-evaluation 21-5-2013
Self-evaluation 21-5-2013
LS2PAC ASD Library Catalog
LS2PAC ASD Library Catalog
Download
advertisement