Massachusetts Institute of Technology
Handout 8
6.857: Network and Computer Security
September 23, 2003
Professor Ronald L. Rivest

Problem Set 1 Solutions

Today’s LaTeX fun-fact: quotes are done “like this” and not ”like this.” (The difference is that you use two back-ticks (‘) for open quotes and two single-quotes (’) for close quotes. The double-quote mark is never used in LaTeX.) See http://www.maths.tcd.ie/~dwilkins/LaTeXPrimer/ for a good introductory LaTeX tutorial. No points were deducted for failure to use the correct LaTeX quotes.

Problem 1-1. PGP

(Courtesy of Lucy Jin, Xian Ke, Ryan Manuel, and Matt Wilkerson.)

TA Notes: The biggest mistake made on this problem was confusing (or merging) the separate concepts of authenticity and trust. When Alice signs Bob’s key, she is asserting that the key belongs to Bob, i.e. that the key is authentic. She is not making any declaration about Bob’s inclination to be a responsible keysigner; that would be trust.

To make an extreme example: suppose Chris is a malicious PGP user who deliberately signs bogus keys, like those of [email protected]. It is still appropriate for Simson to sign Chris’s key (after verifying his identity), even though he is fully aware of Chris’s evil ways. It would not be appropriate, however, for Simson (or anyone else) to trust any of Chris’s signatures. For this reason, trust is generally not “transitive” — indeed, it can stop after just one link.

PGP is capable of using your trust of certain users to infer authenticity of new keys, via signatures made by those trusted users. Many students made the mistake of assuming that the only way to verify the trust on a key was by having the key signed by someone that they trust.

• Simson’s PGP 2.6.2 RSA key, downloaded from the PGP key servers, matches the fingerprint on page 248 of the book PGP: Pretty Good Privacy, which is available in the library and some bookstores.
Simson’s PGP IDEA key was signed with the RSA key.

One student wrote “I believe Simson’s key, because under his key there is his photograph. The chances of someone impersonating him to that extent I believe to be very slim.” In fact, anybody uploading a PGP key to the PGP keyserver is free to put any photograph they wish on the key. Unless the photograph is signed by a key you trust, it is meaningless.

• Chris’s public key is on his website, at http://theory.lcs.mit.edu/~cpeikert/pubkey.asc. Although it is certainly possible that somebody could have modified the fingerprint in the PGP book and replaced the key on Chris’ website, these attacks would most likely have been detected and overcome (by reprinting the book or replacing the incorrect file on the theory.lcs.mit.edu webserver)....
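The authenticity/trust distinction from the TA notes, as an added example (not part of the handout and not PGP's own code): a model of key validity in which signatures and locally assigned owner trust are separate inputs. The function and key names, the scenario data, and the thresholds (one fully trusted or two marginally trusted signers) are assumptions of this example.

```python
# Model of PGP-style key validity (illustration only, not PGP's actual code).
# A signature asserts that a key is authentic; owner trust is a separate,
# local setting saying how much weight a signer's certifications carry.

FULL, MARGINAL, NONE = "full", "marginal", "none"

def valid_keys(me, signatures, owner_trust, completes_needed=1, marginals_needed=2):
    """Return the set of keys that `me` may treat as authentic.

    signatures:  set of (signer, signed) pairs found on the keyring
    owner_trust: dict mapping a key owner to FULL / MARGINAL / NONE,
                 assigned locally by `me` and never derived from signatures
    """
    valid = {me}                          # your own key is valid by definition
    trust = {**owner_trust, me: FULL}
    changed = True
    while changed:                        # iterate until nothing new is added
        changed = False
        for key in {signed for _, signed in signatures} - valid:
            # Only signatures made by keys that are themselves valid count.
            signers = [s for s, k in signatures if k == key and s in valid]
            full = sum(trust.get(s, NONE) == FULL for s in signers)
            marginal = sum(trust.get(s, NONE) == MARGINAL for s in signers)
            if full >= completes_needed or marginal >= marginals_needed:
                valid.add(key)
                changed = True
    return valid

# Constructed scenario following the handout's example.
SIGS = {
    ("you", "simson"),    # you checked Simson's fingerprint against the book
    ("simson", "chris"),  # Simson verified Chris's identity and signed his key
    ("chris", "bogus"),   # Chris deliberately signs a bogus key
}

def scenario(chris_trust):
    """Validity as seen by `you`, who fully trusts Simson as a signer."""
    return valid_keys("you", SIGS, {"simson": FULL, "chris": chris_trust})

if __name__ == "__main__":
    print(sorted(scenario(NONE)))  # Chris's key is authentic, the bogus key is not
    print(sorted(scenario(FULL)))  # trusting Chris as a signer lets the bogus key in
```

With Chris untrusted, his key is still valid through Simson's signature, but the chain stops there: his signature on the bogus key confers nothing.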