Problem Set 1

advertisement
System and Network Security
Problem Set 1
Problem Set 1
Handed: Sunday, February 16, 2003
Due: Sunday, March 9, 2003
Problem 1:
Assume that Alice and Bob know each other’s public key. Design an authentication protocol
that uses exactly two messages (one message from Alice to Bob and one message from Bob
to Alice) and accomplishes both mutual authentication and establishment of a session key.
Problem 2:
Suppose two parties Alice and Bob want to communicate privately. They both hold public
keys in the traditional Diffie-Hellman model. An eavesdropper Eve stores all the encrypted
messages between them and one day manages to break into Alice and Bob computers and to
find the private keys, which correspond to their public keys. Show how using public-key
cryptography we can achieve perfect forward secrecy, i.e., Eve will not be able to gain any
knowledge about the messages that Alice and Bob exchanged before the disclosure of their
private keys.
Problem 3:
Design a variant of Kerberos in which the workstation generates a TGT. The TGT will be
encrypted with the user’s master key rather than the KDC’s master key. How does this
scheme compare with standard Kerberos in terms of efficiency and security? What happens
in each scheme if the user changes her password during a login session?
Problem 4:
Suppose we use Kerberos to secure electronic mail. The obvious way of accomplishing this
is for Alice, when sending a message to Bob, to obtain a ticket for Bob and include that in the
email message, and encrypt and/or integrity-protect the email message using the key in the
ticket. The problem is that, in this solution, the KDC gives Alice a quantity encrypted with
Bob’s password-derived master key, and then Alice could do off-line password guessing.
How might Kerberos be extended to email without allowing off-line password guessing?
Problem 5:
Some government X attempts to regulate Public-Key Cryptography by requiring that the
government be the only Certification Agency, and requiring that all public-key cryptography
users have their keys certified by the government. Furthermore, in order to have his public
key certified, a user must deposit (i.e., escrow) a copy of the corresponding private key with
the government. Give two ways in which the users may defeat the government’s objective,
and use the government-run CA service to provide authenticated private channels between
arbitrary pairs of users that the government cannot listen in to. Assume that the government
is only a passive listener, not an active attacker.
Dr. Shlomo Kipnis
HU – Spring 2003
System and Network Security
Problem Set 1
Problem 6:
In class, we studied key-distribution protocols that use a Key Distribution Center (KDC) and
are based on symmetric-key cryptography. Below is another key-distribution protocol that
uses a KDC and is based on public-key cryptography. We assume that the KDC knows the
public key of each entity in the system, and we assume that each entity in the system knows
the public key of the KDC. The protocol consists of seven messages as follows:
1. A  KDC:
A, B
2. KDC  A:
SIG Prv(KDC) ( B, Pub(B) )
3. A  B:
ENC Pub(B) ( R1, A )
4. B  KDC:
B, A, ENC Pub(KDC) ( R1 )
5. KDC  B:
SIG Prv(KDC) ( A, Pub(A) ) , ENC Pub(B) ( SIG Prv(KDC) ( R1, Ks, A, B )
)
6. B  A:
ENC Pub(A) ( SIG Prv(KDC) ( R1, Ks, A, B ) , R2 )
7. A  B:
ENCKs ( R2 )
In message 1, A informs the KDC of its intention to establish a secure connection with B. In
message 2, the KDC returns to A a copy of B’s public-key certificate. In message 3, using
B’s public key, A informs B of its desire to communicate and sends a random number R1. In
message 4, B asks the KDC for A’s public-key certificate and requests a session key. In this
message, B also includes A’s random number R1 encrypted with the KDC’s public key. In
message 5, the KDC returns to B a copy of A’s public-key certificate, and it also sends to B
the quadruple {R1, Ks, A, B}. This quadruple basically says that Ks is a secret key generated
by the KDC on behalf of the session between A and B, and it is tied to R1. This quadruple is
signed, using the KDC’s private key, to allow B to verify that the quadruple is indeed from
KDC. This quadruple is also encrypted using B’s public key, so that no other entity may use
the quadruple in an attempt to establish a fraudulent connection with A. In message 6, the
quadruple {R1, Ks, A, B}, still signed with the KDC’s private key, is relayed to A, together
with the random number R2 generated by B. All the foregoing are encrypted using A’s public
key. In message 7, A retrieves the session key Ks and uses it send to B the encryption of R2.
Questions:
(a) What is the role of R1 in the protocol? Which attacks are possible if R1 is not
included in the protocol?
(b) What is the role of R2 in the protocol? Which attacks are possible if R2 is not
included in the protocol?
(c) Find an attack on the protocol if, instead the quadruple {R1, Ks, A, B} in messages 5
and 6 of the protocol, we were to use the triple {R1, Ks, B}.
(d) What is the role of message 7 in the protocol?
(e) Design an alternative to the above protocol that achieves the same functionality and
uses only five messages in the following sequence:
1. A  B:
2. B  KDC:
3. KDC  B:
4. B  A:
5. A  B:
Show each of the five messages transmitted.
Dr. Shlomo Kipnis
HU – Spring 2003
Download