shw3 - 1825 10/TEL2810 Introduction to Security Homework 3-...

Info iconThis preview shows pages 1–8. Sign up to view the full content.

View Full Document Right Arrow Icon
Background image of page 1

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Background image of page 2
Background image of page 3

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Background image of page 4
Background image of page 5

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Background image of page 6
Background image of page 7

Info iconThis preview has intentionally blurred sections. Sign up to view the full version.

View Full DocumentRight Arrow Icon
Background image of page 8
This is the end of the preview. Sign up to access the rest of the document.

Unformatted text preview: 1825 10/TEL2810 Introduction to Security Homework 3- Solution Total Points: 100 Due Date: Nov 29, 2011 Q1: Do the following from Section 8.7 (Green Book): Exercise 11, 12, 17 (Points 30) 112 Fermat’s Little Theorem says that, for integers a and n such that a and n are relatively prime, 57”] mod n = 1. Use this to show that decnphering of an enCIphered message produces the original message With the RSA cryptosystem. Does encrphering of a deCIphered message produce the original message also? Let m be the message, (e, n) the public key, and d the private key. Recall that ed mod ¢ (n) = 1, and the ciphertext c = me mod n. We need to show that cd mod n = m. To see this, compute: cdmod n = (me mod n)d mod n definition of c = madmod n fundamental laws of modular arithmetic = m“ ¢ ‘"’ *1) mod n as ed mod ¢ (n) = 1 means ed = k¢ (n) + 1 for some integer k = (mk¢ ‘"’ mod n)(m mod n) fundamental laws of modular arithmetic = ((m ¢ ‘"’ )k mod n)(m mod n) rearranging exponents = ((m¢ ‘"’ mod n)k mod n)(m mod n) fundamental laws of modular arithmetic = (1k mod n)(m mod n) Fermat’s Little Theorem =mmodnas(1kmodn)=1modn=1 =masm<n,mmodn=m proving the claim. The second part asks whether (md mod n)e mod n = m. To see this is true, note that exponentiation is commutative, so mde mod n = med mod n. So the proof is the same as above, with the first two steps replaced by: (md mod n)e mod n = m“ mod n fundamental laws of modular arithmetic = med mod n m“ = med as exponentiation is commutative Exercise 12 12: Consider the RSA cryptosystem. Show that the ciphertexts corresponding to the messages 0, 1 and n 1 are the messages themselves. Are there other messages that produce the same ciphertext as plaintext? m=n—1 Use induction to show that for all odd k the result holds. Basis: for k = 1 c =(n-1)1 mod n c = (n-l) You can try for k = 3 c =(n-1)3 mod n c = (n3-3n2 +3n-1) mod n c = 0 — 0 + 0 + (-1 mod n) [because: (any power ofn) mod n = 0] c = (-1) mod n Hypothesis: true for k, where k is odd i.e. m = (n-l) c = (n-1)k mod n =(n-1) Show, it is true for k + 2 (next odd value !) m = (n-l) c = (n-1)k * (n-l)2 mod n c = [((n-1)k mod n) * ((n-l)2 mod n)] mod n c = [((n-l) mod n) * ((n-l)2 mod n)] mod n c =(n-1)3 mod n c = (n-l) Another approach is to use expansion of (n-1)k = n k + cln H + + cmn + (-1) k for some constants c1, c2, ..., cm. Note that in the RSA system e is odd. Here is how: Note: n = pq is odd, as p and q are prime numbers (hence odd numbers; only 2 is even prime but p and q are large numbers) Hence, ¢ (n) = (p-l) (q-l) is an even number, as both (p-l) and (q-l) are even numbers. e < n is chosen to be relatively prime to ¢ (n), and hence, e is odd!! Exercise 17 17: Suppose Alice and Bob have RSA public keys in a file on a server. They communicate regularly using authenticated, confidential messages. Eve wants to read the messages but is unable to crack the RSA private keys of Alice and Bob. However, she is able to break into the server and alter the file containing Alice's and Bob's public keys. a. How should Eve alter that file so that she can read confidential messages sent between Alice and Bob, and forge messages from either? b. How might Alice and/or Bob detect Eve's subversion of the public keys? 17. In what follows. let e represent a public key and d a private key. a. Eve generates two public key pails. 915A and aim. and eEB and (1153. She then replaces Alice‘s public key with eEA and Bob’s public key with em. She keeps a copy of Alice‘s public key eA and Bob‘s public key eB for later use. If Bob wants to send Alice a confidential message m. he would encipher it with Alice’s public key eA. But this key has been replaced by eEA. unbeknownst to Bob. So. Bob computes { m }eEA and sends it to Alice. Eve intercepts it. uses dEA to decipher the message and read m. and then re-enciphers m using the copy of eA. Eve sends this to Alice. Alice now uses her private key dA to read the message. Similarly. suppose Eve wants to forge a message from Alice to Bob. Eve prepares the message M She then uses her fake Alice private key dEA to encipher the message. and sends { M }dEA to Bob. Bob gets the message. requests Alice’s public key from the server. receives eEA. and deciphers the message to obtain M. As this was deciphered using Alice’s public key (or so Bob thinks). it could only have been enciphered by Alice’s private key. and therefore must have come from Alice. b. Alice can detect the substitution of em for e A by simply enciphen'ng a message m with d A and then trying to decipher the result using the public key on the server. eEA. As the keys are not associated with each other. the result will not be the original message m. Then Alice knows that something is wrong. and either her private key (on her system) or her public key (on the server) has been altered. Bob can detect Eve’s substitution of his public key similarly. Q2: Do the following from Section 9.8 (Green Book): Exercise 5, 6 (Points 20) Exercise 9.8 #5 Needham and Schroeder suggest the following variant of their protocol: Alice 9 Bob :Alice Bob 9 Alice : {Alice, rand3 } kBob Alice 9 Cathy : {Alice, Bob, randl, {Alice, rand3 } kBob } Cathy 9 Alice : {Alice, Bob, randl, ksession, {Alice, rand3, ksession} kBob } kAlice Alice 9 Bob : {Alice, rand3, ksession } kBob Bob 9 Alice : { rand2 } ksessiou . Alice 9 Bob : { rand2 — l }ksessi0n how that this protocol solves the problem of replay as a result of stolen session keys. IJ'PP’P’." (/3qu The original Needhain-Scheroeder protocol can be subverted with a stolen session key as follows. If in step 3 of the original protocol. Eve replays an old message with a compromised session key. she can intercept the next message. dec1ypt rand2 using the compromised key and send back rand2-1 to Bob. Therefore. she can deceive Bob thinking he is talking to Alice. while he is really talking to Eve. In the proposed variant. Eve will replay message 5 to Bob. If Bob does not have an ongoing session with Alice he will discard the message. If he has received message 1 from Alice before. he simply compares rand3 in message 5 with rand3 that he has sent in message 2. Since rand3 is a nonce. if they are different the message is definitely a replay (nonce can be only used once). Exercise 9.8 #6 Consider an RSA digital signature scheme (see Section 9.5.2). Alice tricks Bob into signing messages m1 and in; such that m = 1min; mod 1130b. Prove that Alice can forge Bob's signature on in. Given. m = mlx "13 mod 7130b Bob’s Digital Signattu'e 011m; and "13 dB b €1=ml ° mod 11301, (‘3 = IIIgdB°b mod "Bob Bob‘s Digital Signattu'e on in dB b c=m ° mod 1130b Since Alice has cl and (‘2. she can constmct c from them as follows. (note 71301, is publicly known) = [(1 x (2] mod 1130b = [(mldB°b1110d 1130b) x (m; = (IllldBOb x IllgdBOb) mod 71301, = (ml >< "153°" mod 7130b dB b =m ° mod 1130b dB°b mod 12300] mod 7130b Thus. the forgery is possible. Q3: Assume that Alice and Bob are friends. Consider two conflict of class sets C011 = {X, Y} and C012 = {U, V}. Let CDX, CDY, CDU, and CDV be the company data sets of companies X, Y, U and V. (Points 20) Show all the possible assignments that are allowed and prohibited by the Chinese wall policy - consider read1 only assignments as well as read1 and write. Consider the following scenarios; 1. Only read accesses need to be provided to CDs 2. Both read and write accesses need to be provided together to any CD. 3. Both read/write required for CDX, and CDV, and read-only to remaining CDs. Note that Alice and Bob may not be able to cover all the CDs — for that you can assume there are others who can take on the assignment. You need to only consider Alice and Bob. (An old solution below; You should be able to actually draw a diagram to illustrate this more easily) Only read-accesses ice can read only CDx r ice can read only CDy r ice can read only CDu r ice can read only CDV r ice can read CDx and CDu r ice can read CDx and CDV >O>O>O>O>O> Or Alice can read CDy and CDu Or Alice can read CDy and CDV Bob can read only CDx Or Bob can read only CDy Or Bob can read only CDu Or Bob can read only CDv Or Bob can read CDx and CDu Or Bob can read CDx and CDV Or Bob can read CDy and CDu Or Bob can read CDy and CDV Read accesses can be any combination of 1 from left side (Alice permissions) and 1 from right side (Bob's permissions). Neither Bob nor Alice can read both CD‘s from the same COI. Both read and write accesses need to be provided together to any CD. Alice can r/w only CDx Bob can r/w only CDx Or Or Alice can r/w only CDy Bob can r/w only CDy Or Or Alice can r/w only CDu Bob can r/w only CDu Or Or Alice can r/w only CDv Bob can r/w only CDv Read/Write accesses can be any combination of 1 from left side (Alice Permissions) and 1 from right side (Bob's Permissions). Both Alice and Bob can't have r/w permissions for more than 1 company data set. Both readiwrite reguired for CDxI and CDvI and read-only to remaining CDs. Alice can r/w to CDx and Bob can r/w to CDv, but they are not permitted to read the other remaining CDs. Or Alice can r/w to CDv and Bob can r/w to CDx, but they are not permitted to read the other remaining (205. Or Alice and Bob can both r/w to CDx, but neither of them could r/w to CDv or read other CD5. Or Alice and Bob can both r/w to CDv, but neither of them could r/w to CDx or read other CDs. Or Alice can r/w to CDx and Bob can read-only CDy or CDu or both (since CDy and CDu are in different COl's). Or Bob can r/w to CDx and Alice can read-only CDy or CDu or both (since CDy and CDu are in different COI's). Or Alice can r/w to CDv and Bob can read-only CDy or CDu or both (since CDy and CDu are in different COl’s). Or Bob can r/w to CDv and Alice can read-only CDy or CDu or both (since CDy and CDu are in different COl's). Q4: Let the following be the role hierarchy relationships, (Points 10 + 20) RH = {(r1, r2), (r1, r3), (r2, r4), (r2, r5), (r3, r5), (r3, r8), (r6, r3), (r6, r7), (r7, 1%)}. Note that (r1, 17) means n is senior of 17. Let each role be assigned to exactly one unique user. We can assume that Mi is assigned to role ri. Further, note that if u is assigned to r that means u is authorized for r. Based on these, answer the following. 1. Find authorizediusersvs) and authorizediusersmi)? 2. For each of following SSD constraints, state if the above hierarchy and the user assignments would result in a conflict (Consider each of these individually only) ({r2, r7}, 7) ({r5, r7}, 7) ({r2, r3, r4, r7}, 3) Authorized_users(r5) = {u1, u2, u3, u5, u6} Authorized_users(r4) = {u 1, u2, u4} ({r2, r7}, 2) : first compute Authorized_user(r2) and Authorized_user(r7) - you will see that there are no common users that are authorized for both r2 and r7. Hence, we can add this constraint in the policy without conflicting with the hierarchy. ({r5, r7}, 2) : again first compute the authorized users for r5 and r7. You can show that u6 is a common user authorized for both r5 and r7. Hence, we cannot add this SSD as it would conflict with the hierarchy - i.e., hierarchy says u6 is authorized for both the roles while the SSD says no user should be authorized for both these roles. ({r2, r3, r4, r7}, 3): here you need to show that any combination of the 3 roles from the set should not have a common authorized user - for this SSD constraint to be not conflicting with the hierarchy. So compute the authorized users for each of these. Then we can show that if you take r2, r3, r4, you will find u1 is authorized for all these three roles. Hence this SSD conflicts with the hierarchy. ...
View Full Document

Page1 / 8

shw3 - 1825 10/TEL2810 Introduction to Security Homework 3-...

This preview shows document pages 1 - 8. Sign up to view the full document.

View Full Document Right Arrow Icon
Ask a homework question - tutors are online