solutions

CSUS
COLLEGE OF ENGINEERING AND COMPUTER SCIENCE
Department of Computer Science (RVR 3018; 278-4238/6834)
C Sc 254 – Network Security, Fall 2006
Ghansah
Assignment #2 SOLUTIONS: Cryptography, Kerberos, PKI.
1. (30 points) 1024 people each have a document to timestamp, with Mi denoting
the document of the ith person. They don’t know each other, but Alice (who is not
one of them) knows them all and is aware of each one’s need for a timestamp.
Alice proposes that, instead of each of them individually placing her H(Mi) in the
personal ads section of the newspaper (as explained in class), Alice would save
everybody money by charging them a very small fee each and placing a single
hash in the newspaper (instead of 1024), in the following way:
1. Every person sends Alice her H(Mi).
2. Alice distributes to every jth person all of the H(Mi)’s that she received
(i.e., all 1023 hashes other than that person’s own – she also lets the
person know the person’s own index j, i.e., where that person’s own hash
would “fit” in the ordering), and she puts in the newspaper
H(H(M1),H(M2), . . . ,H(M1024))
where “,” denotes concatenation.
3. Each person verifies, when she receives the newspaper the next
morning, that the hash of the concatenation of the H(Mi)s (given to her by
Alice) is indeed equal to the ad that appears in the newspaper. If they
match then the person pays Alice.
They all agree, and the above steps take place; note that the above protocol
does not require Alice to reveal to any of these 1024 persons the identity of any
of the others (so it is possible that none of them knows any of the others).
Answer each of the following questions:
1. Suppose that 1023 of these 1024 participants know each other and
conspire against the remaining one. Can they really harm the victim, in the
sense that the victim pays Alice even though she can no longer claim in
court that document Mi existed when the newspaper ad appeared?
2. What if Alice herself is also a part of this conspiracy?
3. Suppose that, one day after the newspaper appears, the police arrest
Alice and 1023 of the participants for engaging in many criminal activities
over the five previous years. Do you think that a judge and/or jury should
still believe the claim of the remaining person that document Mi existed at
the time of the newspaper’s appearance?
4. Suppose Alice wants to start a business based on the above idea, for
timestamping massive amounts of electronic documents for corporate
customers. Her friend Bob recommends that Alice buy huge amounts of
storage so that she can permanently store the various H(Mi)s she
receives. Did Bob give her good advice, i.e., does she really need to
permanently store all of these H(Mi)s?
SOLUTION
Assumptions:

All participants use the same hashing algorithm

The hashing algorithm is a well-known, strong one such as MD5

The hashes are ordered when given out, and in addition, each
person knows their position in the ordering (this latter one is stated
in the problem but mentioned here for emphasis).
1. Suppose that 1023 of these 1024 participants know each other and
conspire against the remaining one. Can they really harm the victim, in the
sense that the victim pays Alice even though she can no longer claim in
court that document Mi existed when the newspaper ad appeared?
Every jth person knows Mi, 1023 other hashes (i.e., M1, …, Mj-1, …,
M1024), and can compute their own hash H(Mi).
Thus the jth person computes the final hash as follows:
H(H(M1), H(M2), …, H(Mj-1), H(Mj), …, H(M1024)). Let’s call this Hfinal.
The above is equal to the hash Alice posted in the newspaper.
With the above scheme THERE IS NO WAY for the 1023 people to
collude to make the victim pay and make her unable to support her claim
in court. If they do, they can be proved wrong.
First, Alice has to save all the 1024 hashes, in addition to the document,
Mj. Consequently she can produce a hash equal to the one published in
the newspaper. For the conspirators to win the argument, they have to
create a hash based on information that excludes Mj, such that their hash
is equal to Hfinal. Given the property of hashes, it is not possible for H(x) to
be equal to H(y), given two values x and y.
2. What if Alice herself is also a part of this conspiracy?
Given the above assumptions, it is not possible for Alice to collude with
the 1023 others to exclude the victim's document such that they can win in
court. Alice can conspire all she wants with the others; as long as the
victim keeps all the hashes as stated above, she can prove that the others
are lying by producing information that hashes to the one published, as
stated above.
3. Suppose that, one day after the newspaper appears, the police arrest
Alice and 1023 of the participants for engaging in many criminal activities
over the five previous years. Do you think that a judge and/or jury should
still believe the claim of the remaining person that document Mi existed at
the time of the newspaper’s appearance?
If the hash is secure, the judge/jury should still believe the claim as the
victim still has access to all the hashes Alice used to generate the
published H(H(M1),…,H(M1024)). The victim can, in court, rehash her
message, insert her hash into the sequence provided by Alice, and hash
the concatenated hashes. The output will still match that published in the
paper, proving that the victim, at least, had a document when she said she
did. The victim can also bring in experts in one-way hashes and describe
the mathematical unlikelihood of being able to generate a Mi that perfectly
fits the single hash needed in the concatenated stream. In other words, the
fact that the others are criminals and possibly in prison cannot prevent the
victim from proving her claim. The hash evidence is enough.
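The re-hash check described in answers 1 and 3, as an added Python example that is not part of the original solution set. It assumes SHA-256 in place of the MD5 named in the assumptions, 0-based positions, and constructed sample documents; all function names are hypothetical.

```python
import hashlib

def h(data: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the hash H used by all participants.
    return hashlib.sha256(data).digest()

def published_digest(doc_hashes):
    """Alice's newspaper ad: H(H(M1), H(M2), ..., H(Mn)), ',' = concatenation."""
    return h(b"".join(doc_hashes))

def hashes_for_participant(doc_hashes, j):
    """What Alice sends to person j: every hash except her own, plus index j."""
    return doc_hashes[:j] + doc_hashes[j + 1:], j

def verify_claim(document, others, j, ad):
    """Re-hash the document, insert it at position j among the hashes received
    from Alice, hash the concatenation and compare with the published ad."""
    sequence = others[:j] + [h(document)] + others[j:]
    return h(b"".join(sequence)) == ad

# Constructed sample data: 1024 documents, one per participant.
N = 1024
DOCS = [f"constructed document #{i}".encode() for i in range(N)]
HASHES = [h(d) for d in DOCS]
AD = published_digest(HASHES)

def demo(j=417):
    others, idx = hashes_for_participant(HASHES, j)
    genuine = verify_claim(DOCS[j], others, idx, AD)
    # A document changed after publication no longer reproduces the ad.
    altered = verify_claim(DOCS[j] + b" (edited later)", others, idx, AD)
    # The position matters too: the same hash in the wrong slot fails.
    wrong_slot = verify_claim(DOCS[j], others, idx + 1, AD)
    return genuine, altered, wrong_slot

if __name__ == "__main__":
    print(demo())
```

The check only works if the participant keeps her document, her index and all 1023 hashes she received.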
4. Suppose Alice wants to start a business based on the above idea, for
timestamping massive amounts of electronic documents for corporate
customers. Her friend Bob recommends that Alice buy huge amounts of
storage so that she can permanently store the various H(Mi)s she
receives. Did Bob give her good advice, i.e., does she really need to
permanently store all of these H(Mi)s?
No, Bob gave bad advice. Alice should use the improved arbitrated
solution as described on page 76: 1) the client produces a one-way hash of
the document; 2) the client sends the hash to Alice; 3) Alice appends the
date and time she received that hash onto the client’s hash and digitally
signs the result; 4) Alice sends the signed hash+timestamp back to the
client. To avoid the threat of collusion between Alice and a customer
creating an arbitrary timestamp, Alice should use a linking protocol that
feeds information from previous transactions into each new transaction.
2. (30 points) A group of n people (assume they are numbered 1, 2, . . . , n) want
to jointly, and randomly, choose a leader. That is, ideally everyone should have
the same probability of being chosen (even if a person is not popular at all, that
person’s probability should be 1/n). Design a protocol for achieving this. Your
protocol should be resistant to collusion (collusion is when a subset of the n
people is dishonest and conspires against the others), including the case when n
- 1 people collude against one person (but you do not need to consider the case
when all n of them collude – in that case they do not need a protocol of the kind
considered here). Make sure you give a proof that everyone has probability 1/n of
being leader, and discuss why your protocol is resistant to collusion.
SOLUTION
Each person i picks a random number from a large space. Let it be Ri.
Then the chosen leader will be H(R1, …, Rn) mod n.
Each person has equal probability of being chosen because of the random
number each one picks. The hash makes it collusion resistant because its
output is unpredictable. The hash removes biases because no one knows
what the final hash will be.
Another method is to have a round-robin scheme where person i sends H(Ri)
to person i+1, who generates the hash Hi = H(Ri, H(Ri-1)).
Then Hn mod n will be the elected person.
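An added Python sketch of the first method, H(R1, …, Rn) mod n (not part of the original solution). It assumes SHA-256 for H, 32-byte values Ri, a shift of the result from 0..n-1 to the numbering 1..n, and a commitment step that the solution text does not mention: each person publishes H(Ri) before any Ri is revealed, so a number cannot be chosen after seeing the others. Function names are hypothetical.

```python
import hashlib
import secrets
from collections import Counter

R_LEN = 32  # assumed fixed length, so the concatenation R1,...,Rn is unambiguous

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def pick_number() -> bytes:
    """Person i picks Ri uniformly from a large space (2**256 values)."""
    return secrets.token_bytes(R_LEN)

def elect(reveals, commitments):
    """Check every revealed Ri against its commitment H(Ri), then return
    H(R1, ..., Rn) mod n, shifted to the numbering 1..n."""
    n = len(reveals)
    for i, (r, c) in enumerate(zip(reveals, commitments), start=1):
        if len(r) != R_LEN or not secrets.compare_digest(h(r), c):
            raise ValueError(f"person {i}: reveal does not match commitment")
    digest = h(b"".join(reveals))
    # 2**256 is not a multiple of most n; the resulting bias is about n / 2**256.
    return int.from_bytes(digest, "big") % n + 1

def run_round(n):
    numbers = [pick_number() for _ in range(n)]
    commitments = [h(r) for r in numbers]    # phase 1: everyone publishes H(Ri)
    return elect(numbers, commitments)        # phase 2: everyone reveals Ri

def tally(n, rounds):
    """Empirical check of the 1/n claim over many independent rounds."""
    return Counter(run_round(n) for _ in range(rounds))

def changed_after_commit_is_rejected(n):
    """A value replaced after the commitments were published is detected."""
    numbers = [pick_number() for _ in range(n)]
    commitments = [h(r) for r in numbers]
    numbers[-1] = pick_number()               # no longer matches its commitment
    try:
        elect(numbers, commitments)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    print(tally(4, 4000))
```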
3. (20pts) Problem 15.9 #5 (PKI) in Kaufman, … text
Otherwise, someone would post an old CRL, from before they were on the
revocation list.
4. (20pts) Problem 13.13 #1 (Kerberos) in Kaufman, … text
Let Alice be the user. In this variant, Alice’s TGT is just KAlice { “Alice”, SA },
where Alice (actually, her workstation) has invented the session key SA.
This causes a problem for the KDC when it wants to get the session key
from the TGT. The KDC has to try user keys until it finds the correct key to
decrypt the TGT. To avoid this problem, Alice’s name/instance/realm
(unencrypted) should always be paired with the TGT when transmitted (it is
already included in the encrypted TGT).
Since the only purpose of the TGT is to allow use of the short term session
key SA instead of the long-term master key KAlice when Alice and the KDC
talk, and since knowledge of KAlice is all that is required for mutual
authentication of Alice and the KDC, there is no difference in security
between the two schemes except when Alice changes her password (and
thus her key KAlice ) during the session. If Alice believes someone has
learned her password and therefore changes it, with normal Kerberos the
TGT obtained by the imposter remains valid until expiration. With the
modified scheme, the TGT would be immediately invalidated, though
tickets could continue to be used until expiration.
In normal Kerberos, Alice can change her password (and thus her key KAlice)
during a session, because SA is used for encryption, and SA is in the TGT
encrypted with KKDC (so the TGT remains valid). In the variant, changing
KAlice invalidates the TGT, so to change her password, Alice would have to
send a message containing the old TGT, and the new KAlice encrypted with
the unchanged SA. She would then compute a new TGT for herself.