IS2150/TEL2810 Introduction to Security
Homework 3 Solution
Total Points: 100
Due Date: Nov 29, 2011

Q1: Do the following from Section 8.7 (Green Book): Exercise 11, 12, 17 (Points 30)

11: Fermat's Little Theorem says that, for integers a and n such that a and n are relatively prime, $a^{\phi(n)} \bmod n = 1$. Use this to show that deciphering of an enciphered message produces the original message with the RSA cryptosystem. Does enciphering of a deciphered message produce the original message also?

Let m be the message, (e, n) the public key, and d the private key. Recall that $ed \bmod \phi(n) = 1$, and the ciphertext $c = m^e \bmod n$. We need to show that $c^d \bmod n = m$. To see this, compute:

$$
\begin{aligned}
c^d \bmod n &= (m^e \bmod n)^d \bmod n && \text{definition of } c \\
&= m^{ed} \bmod n && \text{fundamental laws of modular arithmetic} \\
&= m^{k\phi(n)+1} \bmod n && \text{as } ed \bmod \phi(n) = 1 \text{ means } ed = k\phi(n) + 1 \text{ for some integer } k \\
&= (m^{k\phi(n)} \bmod n)(m \bmod n) && \text{fundamental laws of modular arithmetic} \\
&= ((m^{\phi(n)})^k \bmod n)(m \bmod n) && \text{rearranging exponents} \\
&= ((m^{\phi(n)} \bmod n)^k \bmod n)(m \bmod n) && \text{fundamental laws of modular arithmetic} \\
&= (1^k \bmod n)(m \bmod n) && \text{Fermat's Little Theorem} \\
&= m \bmod n && \text{as } (1^k \bmod n) = 1 \bmod n = 1 \\
&= m && \text{as } m < n,\ m \bmod n = m
\end{aligned}
$$

proving the claim.

The second part asks whether $(m^d \bmod n)^e \bmod n = m$. To see this is true, note that exponentiation is commutative, so $m^{de} \bmod n = m^{ed} \bmod n$. So the proof is the same as above, with the first two steps replaced by:

$$
\begin{aligned}
(m^d \bmod n)^e \bmod n &= m^{de} \bmod n && \text{fundamental laws of modular arithmetic} \\
&= m^{ed} \bmod n && m^{de} = m^{ed} \text{ as exponentiation is commutative}
\end{aligned}
$$

Exercise 12

12: Consider the RSA cryptosystem. Show that the ciphertexts corresponding to the messages 0, 1 and n − 1 are the messages themselves. Are there other messages that produce the same ciphertext as plaintext?

$m = n - 1$
Use induction to show that for all odd k the result holds.

Basis: for k = 1
$c = (n-1)^1 \bmod n$
$c = (n-1)$

You can try for k = 3
$c = (n-1)^3 \bmod n$
$c = (n^3 - 3n^2 + 3n - 1) \bmod n$
$c = 0 - 0 + 0 + (-1 \bmod n)$ [because: (any power of n) mod n = 0]
$c = (-1) \bmod n$

Hypothesis: true for k, where k is odd, i.e.
$m = (n-1)$
$c = (n-1)^k \bmod n = (n-1)$

Show it is true for k + 2 (next odd value!)
$m = (n-1)$
$c = (n-1)^k \cdot (n-1)^2 \bmod n$
$c = [((n-1)^k \bmod n) \cdot ((n-1)^2 \bmod n)] \bmod n$
$c = [((n-1) \bmod n) \cdot ((n-1)^2 \bmod n)] \bmod n$
$c = (n-1)^3 \bmod n$
$c = (n-1)$

Another approach is to use the expansion $(n-1)^k = n^k + c_1 n^{k-1} + \dots + c_m n + (-1)^k$ for some constants $c_1, c_2, \dots, c_m$.

Note that in the RSA system e is odd. Here is how:
Note: n = pq is odd, as p and q are prime numbers (hence odd numbers; only 2 is an even prime, but p and q are large numbers). Hence, $\phi(n) = (p-1)(q-1)$ is an even number, as both (p − 1) and (q − 1) are even numbers. e < n is chosen to be relatively prime to $\phi(n)$, and hence, e is odd!!

Exercise 17

17: Suppose Alice and Bob have RSA public keys in a file on a server. They communicate regularly using authenticated, confidential messages. Eve wants to read the messages but is unable to crack the RSA private keys of Alice and Bob. However, she is able to break into the server and alter the file containing Alice's and Bob's public keys.
a. How should Eve alter that file so that she can read confidential messages sent between Alice and Bob, and forge messages from either?
b. How might Alice and/or Bob detect Eve's subversion of the public keys?

17. In what follows, let e represent a public key and d a private key.
a. Eve generates two public key pairs, eEA and dEA, and eEB and dEB. She then replaces Alice's public key with eEA and Bob's public key with eEB. She keeps a copy of Alice's public key eA and Bob's public key eB for later use.

If Bob wants to send Alice a confidential message m, he would encipher it with Alice's public key eA. But this key has been replaced by eEA, unbeknownst to Bob. So, Bob computes { m }eEA and sends it to Alice. Eve intercepts it, uses dEA to decipher the message and read m, and then reenciphers m using the copy of eA. Eve sends this to Alice. Alice now uses her private key dA to read the message.

Similarly, suppose Eve wants to forge a message from Alice to Bob. Eve prepares the message M. She then uses her fake Alice private key dEA to encipher the message, and sends { M }dEA to Bob. Bob gets the message, requests Alice's public key from the server, receives eEA, and deciphers the message to obtain M. As this was deciphered using Alice's public key (or so Bob thinks), it could only have been enciphered by Alice's private key, and therefore must have come from Alice.

b. Alice can detect the substitution of eEA for eA by simply enciphering a message m with dA and then trying to decipher the result using the public key on the server, eEA. As the keys are not associated with each other, the result will not be the original message m. Then Alice knows that something is wrong, and either her private key (on her system) or her public key (on the server) has been altered. Bob can detect Eve's substitution of his public key similarly.

Q2: Do the following from Section 9.8 (Green Book): Exercise 5, 6 (Points 20)
Exercise 9.8 #5

Needham and Schroeder suggest the following variant of their protocol:

1. Alice → Bob : Alice
2. Bob → Alice : {Alice, rand3} kBob
3. Alice → Cathy : {Alice, Bob, rand1, {Alice, rand3} kBob}
4. Cathy → Alice : {Alice, Bob, rand1, ksession, {Alice, rand3, ksession} kBob} kAlice
5. Alice → Bob : {Alice, rand3, ksession} kBob
6. Bob → Alice : {rand2} ksession
7. Alice → Bob : {rand2 − 1} ksession

Show that this protocol solves the problem of replay as a result of stolen session keys.

The original Needham-Schroeder protocol can be subverted with a stolen session key as follows. If in step 3 of the original protocol, Eve replays an old message with a compromised session key, she can intercept the next message, decrypt rand2 using the compromised key and send back rand2 − 1 to Bob. Therefore, she can deceive Bob into thinking he is talking to Alice, while he is really talking to Eve.

In the proposed variant, Eve will replay message 5 to Bob. If Bob does not have an ongoing session with Alice he will discard the message. If he has received message 1 from Alice before, he simply compares rand3 in message 5 with the rand3 that he sent in message 2. Since rand3 is a nonce, if they are different the message is definitely a replay (a nonce can be used only once).

Exercise 9.8 #6

Consider an RSA digital signature scheme (see Section 9.5.2). Alice tricks Bob into signing messages $m_1$ and $m_2$ such that $m = m_1 m_2 \bmod n_{Bob}$. Prove that Alice can forge Bob's signature on $m$.

Given: $m = m_1 \times m_2 \bmod n_{Bob}$

Bob's digital signatures on $m_1$ and $m_2$:
$c_1 = m_1^{d_{Bob}} \bmod n_{Bob}$, $c_2 = m_2^{d_{Bob}} \bmod n_{Bob}$

Bob's digital signature on $m$:
$c = m^{d_{Bob}} \bmod n_{Bob}$

Since Alice has $c_1$ and $c_2$, she can construct $c$ from them as follows (note $n_{Bob}$ is publicly known):

$$
\begin{aligned}
c &= [c_1 \times c_2] \bmod n_{Bob} \\
&= [(m_1^{d_{Bob}} \bmod n_{Bob}) \times (m_2^{d_{Bob}} \bmod n_{Bob})] \bmod n_{Bob} \\
&= (m_1^{d_{Bob}} \times m_2^{d_{Bob}}) \bmod n_{Bob} \\
&= (m_1 \times m_2)^{d_{Bob}} \bmod n_{Bob} \\
&= m^{d_{Bob}} \bmod n_{Bob}
\end{aligned}
$$

Thus, the forgery is possible.

Q3: Assume that Alice and Bob are friends. Consider two conflict of interest class sets COI1 = {X, Y} and COI2 = {U, V}. Let CDX, CDY, CDU, and CDV be the company data sets of companies X, Y, U and V. (Points 20)
Show all the possible assignments that are allowed and prohibited by the Chinese Wall policy; consider read-only assignments as well as read and write.

Consider the following scenarios:
1. Only read accesses need to be provided to CDs.
2. Both read and write accesses need to be provided together to any CD.
3. Both read/write required for CDX and CDV, and read-only to remaining CDs.

Note that Alice and Bob may not be able to cover all the CDs; for that you can assume there are others who can take on the assignment. You need to only consider Alice and Bob.

(An old solution below; you should be able to actually draw a diagram to illustrate this more easily)

Only read accesses
Alice can read only CDx            Bob can read only CDx
Or                                 Or
Alice can read only CDy            Bob can read only CDy
Or                                 Or
Alice can read only CDu            Bob can read only CDu
Or                                 Or
Alice can read only CDv            Bob can read only CDv
Or                                 Or
Alice can read CDx and CDu         Bob can read CDx and CDu
Or                                 Or
Alice can read CDx and CDv         Bob can read CDx and CDv
Or                                 Or
Alice can read CDy and CDu         Bob can read CDy and CDu
Or                                 Or
Alice can read CDy and CDv         Bob can read CDy and CDv

Read accesses can be any combination of 1 from left side (Alice's permissions) and 1 from right side (Bob's permissions).
Neither Bob nor Alice can read both CDs from the same COI.

Both read and write accesses need to be provided together to any CD.

Alice can r/w only CDx             Bob can r/w only CDx
Or                                 Or
Alice can r/w only CDy             Bob can r/w only CDy
Or                                 Or
Alice can r/w only CDu             Bob can r/w only CDu
Or                                 Or
Alice can r/w only CDv             Bob can r/w only CDv

Read/write accesses can be any combination of 1 from left side (Alice's permissions) and 1 from right side (Bob's permissions). Neither Alice nor Bob can have r/w permissions for more than 1 company data set.

Both read/write required for CDx and CDv, and read-only to remaining CDs.

Alice can r/w to CDx and Bob can r/w to CDv, but they are not permitted to read the other remaining CDs.
Or
Alice can r/w to CDv and Bob can r/w to CDx, but they are not permitted to read the other remaining CDs.
Or
Alice and Bob can both r/w to CDx, but neither of them could r/w to CDv or read other CDs.
Or
Alice and Bob can both r/w to CDv, but neither of them could r/w to CDx or read other CDs.
Or
Alice can r/w to CDx and Bob can read-only CDy or CDu or both (since CDy and CDu are in different COIs).
Or
Bob can r/w to CDx and Alice can read-only CDy or CDu or both (since CDy and CDu are in different COIs).
Or
Alice can r/w to CDv and Bob can read-only CDy or CDu or both (since CDy and CDu are in different COIs).
Or
Bob can r/w to CDv and Alice can read-only CDy or CDu or both (since CDy and CDu are in different COIs).

Q4: Let the following be the role hierarchy relationships (Points 10 + 20):
RH = {(r1, r2), (r1, r3), (r2, r4), (r2, r5), (r3, r5), (r3, r8), (r6, r3), (r6, r7), (r7, 1%)}.
Note that (ri, rj) means ri is senior of rj. Let each role be assigned to exactly one unique user. We can assume that ui is assigned to role ri. Further, note that if u is assigned to r that means u is authorized for r. Based on these, answer the following.

1. Find authorized_users(r5) and authorized_users(r4)?
2. For each of following SSD constraints, state if the above hierarchy and the user assignments would result in a conflict (consider each of these individually only):
({r2, r7}, 2)
({r5, r7}, 2)
({r2, r3, r4, r7}, 3)

Authorized_users(r5) = {u1, u2, u3, u5, u6}
Authorized_users(r4) = {u1, u2, u4}

({r2, r7}, 2): first compute Authorized_users(r2) and Authorized_users(r7); you will see that there are no common users that are authorized for both r2 and r7. Hence, we can add this constraint in the policy without conflicting with the hierarchy.

({r5, r7}, 2): again first compute the authorized users for r5 and r7. You can show that u6 is a common user authorized for both r5 and r7. Hence, we cannot add this SSD as it would conflict with the hierarchy, i.e., the hierarchy says u6 is authorized for both the roles while the SSD says no user should be authorized for both these roles.

({r2, r3, r4, r7}, 3): here you need to show that any combination of 3 roles from the set should not have a common authorized user, for this SSD constraint to be not conflicting with the hierarchy. So compute the authorized users for each of these. Then we can show that if you take r2, r3, r4, you will find u1 is authorized for all these three roles. Hence this SSD conflicts with the hierarchy.
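The Q4 computation can be checked mechanically. The following is an added example, not part of the original solution: it derives authorized users from the hierarchy and reports which users violate an SSD constraint (role set, n). The function names are illustrative, and only the eight legible pairs of RH are used; the ninth pair is illegible in the source and does not affect the roles examined here.

```python
from itertools import combinations

# (senior, junior) pairs as given on the page; the ninth pair is illegible there and omitted.
RH = [("r1", "r2"), ("r1", "r3"), ("r2", "r4"), ("r2", "r5"),
      ("r3", "r5"), ("r3", "r8"), ("r6", "r3"), ("r6", "r7")]
ROLES = sorted({role for pair in RH for role in pair})
UA = {role: {"u" + role[1:]} for role in ROLES}   # user ui is assigned to role ri

def seniors(role):
    """The role itself plus every role senior to it, directly or transitively."""
    seen, stack = {role}, [role]
    while stack:
        current = stack.pop()
        for senior, junior in RH:
            if junior == current and senior not in seen:
                seen.add(senior)
                stack.append(senior)
    return seen

def authorized_users(role):
    """Users assigned to the role or to any of its seniors."""
    return set().union(*(UA[r] for r in seniors(role)))

def ssd_conflicts(role_set, n):
    """Map each user authorized for n or more roles of role_set to n roles that show it."""
    hits = {}
    for combo in combinations(sorted(role_set), n):
        common = set.intersection(*(authorized_users(r) for r in combo))
        for user in common:
            hits.setdefault(user, combo)
    return hits

if __name__ == "__main__":
    for roles, n in [({"r2", "r7"}, 2), ({"r5", "r7"}, 2), ({"r2", "r3", "r4", "r7"}, 3)]:
        print(sorted(roles), n, ssd_conflicts(roles, n) or "no conflict")
```

An empty result means the constraint can be added without conflicting with the hierarchy.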
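For Q1, Exercises 11 and 12: the added example below (not part of the original solution) checks both round trips exhaustively for a toy key, including messages that share a factor with n, and enumerates every message whose ciphertext equals its plaintext. The primes and exponents are constructed sample values, and the count formula is a standard number-theory result rather than something stated in the solution.

```python
from math import gcd

def rsa_key(p, q, e):
    """Textbook RSA parameters from two distinct primes (toy sizes, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi(n)")
    return n, e, pow(e, -1, phi)            # d satisfies e*d mod phi(n) = 1

def round_trip_failures(n, e, d):
    """Messages m < n where decipher(encipher(m)) or encipher(decipher(m)) differs from m."""
    return [m for m in range(n)
            if pow(pow(m, e, n), d, n) != m or pow(pow(m, d, n), e, n) != m]

def fixed_points(n, e):
    """Messages whose ciphertext m^e mod n is the message itself (Exercise 12)."""
    return [m for m in range(n) if pow(m, e, n) == m]

def predicted_fixed_point_count(p, q, e):
    # m^e = m (mod p) has 1 + gcd(e-1, p-1) solutions (m = 0, or m^(e-1) = 1);
    # the Chinese Remainder Theorem multiplies the counts for p and q.
    return (1 + gcd(e - 1, p - 1)) * (1 + gcd(e - 1, q - 1))

P, Q = 61, 53                                # constructed toy primes, n = 3233

if __name__ == "__main__":
    for e in (17, 23):
        n, _, d = rsa_key(P, Q, e)
        fp = fixed_points(n, e)
        print(e, "round-trip failures:", len(round_trip_failures(n, e, d)),
              "fixed points:", len(fp), "predicted:", predicted_fixed_point_count(P, Q, e))
```

Besides 0, 1 and n − 1, other fixed points always exist; how many depends on e, p and q.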
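For Q1, Exercise 17(b): an added example (not part of the original solution) of Alice's self-check, enciphering probe messages with her private key and deciphering them with whatever key the server returns. The keys are constructed toy values built from Mersenne primes, and the function names are illustrative. The probes avoid 0 and 1 because, as Exercise 12 shows, those encipher to themselves and would pass the check even against a substituted key.

```python
import secrets

def keypair(p, q, e):
    """Textbook RSA key pair from two primes (toy construction, no padding)."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)              # (public, private)

def round_trips(private, served_public, m):
    """Encipher m with the private key, then decipher with the key the server handed out."""
    d, n = private
    e_srv, n_srv = served_public
    return pow(pow(m, d, n), e_srv, n_srv) == m

def served_key_matches(private, served_public, probes=8):
    """The check from part (b), repeated over random probe messages in 2..n-2."""
    _, n = private
    # 0 and 1 are never used as probes: they encipher to themselves under any
    # RSA key, so they round-trip even through a key that is not Alice's.
    return all(round_trips(private, served_public, 2 + secrets.randbelow(n - 3))
               for _ in range(probes))

# Constructed sample keys: Alice's real pair and the pair planted on the server.
ALICE_PUB, ALICE_PRIV = keypair(2**61 - 1, 2**89 - 1, 65537)
EVE_PUB, EVE_PRIV = keypair(2**107 - 1, 2**127 - 1, 65537)

if __name__ == "__main__":
    print("server holds Alice's key :", served_key_matches(ALICE_PRIV, ALICE_PUB))
    print("server holds planted key :", served_key_matches(ALICE_PRIV, EVE_PUB))
    print("probe m = 1 against planted key:", round_trips(ALICE_PRIV, EVE_PUB, 1))
```

A failed check tells Alice only that her private key and the served public key are no longer a pair, which is the conclusion the solution draws.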
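For Q2, Exercise 9.8 #5: an added example (not part of the original solution) of Bob's side of the variant protocol, showing why a replayed message 5 is rejected. Encryption under kBob is modelled with an HMAC-tagged JSON body, which gives integrity only; the class, the helper names and the key are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

def seal(key, fields):
    """Stand-in for {fields}key: JSON body plus HMAC tag (integrity only, no secrecy)."""
    body = json.dumps(fields, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return json.loads(body)

class Bob:
    def __init__(self, k_bob):
        self.k_bob = k_bob
        self.pending = {}                      # peer -> rand3 sent in message 2

    def message2(self, peer):
        """Answer message 1 with {peer, rand3}kBob, remembering the fresh rand3."""
        rand3 = secrets.token_hex(16)
        self.pending[peer] = rand3
        return seal(self.k_bob, {"peer": peer, "rand3": rand3})

    def message5(self, blob):
        """Return ksession if message 5 carries the rand3 of an open handshake, else None."""
        fields = unseal(self.k_bob, blob)
        expected = self.pending.get(fields["peer"])
        if expected is None or not hmac.compare_digest(expected, fields["rand3"]):
            return None                        # no ongoing session, or an old rand3: replay
        del self.pending[fields["peer"]]       # a nonce is accepted once
        return fields["ksession"]

def cathy_ticket(k_bob, message2_blob, ksession):
    """Messages 3 and 4 collapsed: Cathy adds ksession to Bob's {peer, rand3}kBob."""
    fields = unseal(k_bob, message2_blob)
    return seal(k_bob, {**fields, "ksession": ksession})
```

A rejected replay leaves the pending rand3 in place, so the genuine message 5 of the handshake in progress is still accepted afterwards.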
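For Q2, Exercise 9.8 #6: an added example (not part of the original solution) that carries out the product c = c1 × c2 mod n from the proof on a constructed toy key, next to the same scheme with the message hashed before signing, where the product no longer verifies. The key, the hash-to-integer reduction and the function names are assumptions for the illustration; deployed schemes use a standardized padding such as RSA-PSS.

```python
import hashlib

# Constructed toy key for Bob, built from two Mersenne primes.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def sign_raw(m):
    """Signature as in the exercise: m^d mod n on the message itself."""
    return pow(m, D, N)

def verify_raw(m, sig):
    return pow(sig, E, N) == m % N

def digest(m):
    """Map the message to an integer below n via SHA-256 (toy reduction)."""
    h = hashlib.sha256(str(m).encode()).digest()
    return int.from_bytes(h, "big") % N

def sign_hashed(m):
    """Sign the digest instead of the message."""
    return pow(digest(m), D, N)

def verify_hashed(m, sig):
    return pow(sig, E, N) == digest(m)

def combine(sig1, sig2):
    """The step from the proof: c = c1 * c2 mod n, computed without the private key."""
    return (sig1 * sig2) % N

def product_verifies(sign, verify, m1, m2):
    """True if the product of the signatures on m1 and m2 verifies as a signature on m1*m2 mod n."""
    return verify((m1 * m2) % N, combine(sign(m1), sign(m2)))

if __name__ == "__main__":
    m1, m2 = 1234567, 7654321                 # constructed sample messages
    print("raw signatures   :", product_verifies(sign_raw, verify_raw, m1, m2))
    print("hashed signatures:", product_verifies(sign_hashed, verify_hashed, m1, m2))
```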
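For Q3: an added example (not part of the original solution) that enumerates the assignments one subject may hold under the Chinese Wall policy for each of the three scenarios. It assumes every object is unsanitized, so a subject may read at most one CD per COI class and may write to a CD only if it can read no other CD; the function and variable names are illustrative.

```python
from itertools import product

# Company data sets and their conflict-of-interest classes, as in Q3.
COI = {"CDx": "COI1", "CDy": "COI1", "CDu": "COI2", "CDv": "COI2"}

def permitted(access):
    """access maps CD -> 'r' or 'rw' for one subject; True if the policy allows it."""
    classes = [COI[cd] for cd in access]
    # Read rule: at most one CD from each conflict-of-interest class.
    if len(classes) != len(set(classes)):
        return False
    # Write rule: writing is allowed only when no other CD is readable,
    # otherwise data could flow from that CD into the written one.
    if "rw" in access.values() and len(access) > 1:
        return False
    return True

def assignments(modes):
    """All non-empty permitted assignments for one subject; modes[cd] lists the modes on offer."""
    found = []
    for combo in product(*[[None] + modes[cd] for cd in COI]):
        access = {cd: mode for cd, mode in zip(COI, combo) if mode is not None}
        if access and permitted(access):
            found.append(access)
    return found

SCENARIOS = {
    1: {cd: ["r"] for cd in COI},                                     # read only
    2: {cd: ["rw"] for cd in COI},                                    # read and write together
    3: {"CDx": ["rw"], "CDy": ["r"], "CDu": ["r"], "CDv": ["rw"]},    # r/w on CDx, CDv only
}

if __name__ == "__main__":
    for number, modes in SCENARIOS.items():
        options = assignments(modes)
        print(f"scenario {number}: {len(options)} options per subject")
        for option in options:
            print("   ", option)
```

Scenarios 1 and 2 give the eight and four per-person options listed in the solution; Alice and Bob each choose independently from the same list.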
Fall '11
Joshi