------------------------------------------------------------------------------
Mohamed G. Gouda      CS 386S      Spring 2008      Midterm 1
------------------------------------------------------------------------------
Open Book      75 Minutes
------------------------------------------------------------------------------

1. Consider a protocol that consists of processes p.(i : 0..n-1) where each
   process can securely exchange messages with each other process. Assume
   that each p.(i) has a set s.(i) of symmetric keys that p.(i) uses to
   securely exchange messages with each other p.(j) in the protocol. What
   are the conditions that the s.(i) sets need to satisfy in order to
   guarantee that all the message exchanges in the protocol are secure even
   in the presence of process collusions?

   Also assume that each p.(i) uses its set s.(i) to broadcast messages to
   all the other processes in the protocol. Each message m that is broadcast
   by a process p.(i) is sent in the clear but it has an authentication code
   so that each receiving process can check whether the message was indeed
   sent by p.(i). What is the form of a message broadcast by a process
   p.(i)? And how can a receiving process check whether this message was
   indeed broadcast by p.(i)?

------------------------------------------------------------------------------

2. The following is a mutual authentication protocol that involves two
   processes p and q which share a symmetric key S.

       p --> q : p, q, M, S
       p <-- q : p, q, S

   Note that in this protocol, M is a nonce generated by p, and sk is the
   session key, generated by p, that results from this protocol. Show that
   this protocol is vulnerable to some type of attack. Then, modify the
   protocol, without changing its first step, to make it secure in the face
   of this attack.

------------------------------------------------------------------------------

3. The following two types of certificates can be generated by a process r
   to allow process p to send secure messages to process q.

       (q, r, t, Bq, Rr< H(q, r, t, Bq) >)
       (q, r, t, Sp>)

   Process p can use these certificates to send secure messages to q if p
   believes that r is trustworthy. On the other hand, if r turns out not to
   be trustworthy, despite p's belief to the contrary, these two types of
   certificates can be vulnerable to eavesdropping or impersonation attacks.
   Which of these two certificates is vulnerable to eavesdropping attacks?
   And which of them is vulnerable to impersonation attacks?

------------------------------------------------------------------------------

(Solution)

1. forall distinct i, j:

       s.(i) ^ s.(j) is not a subset of the union of s.(k)
       over k = 0..n-1, k is not i, k is not j

   (m,i,H(k0,m),...,H(kx,m)), where {k0,...,kx} = s.(i)

   p.(j) accepts (m,i,H(k0,m),...,H(kx,m)) iff
       {H(r0,m),..,H(ry,m)} subset {H(k0,m),..,H(kx,m)}
   where {r0,...,ry} = s.(i) ^ s.(j)

2. If r gets the first msg (p,q,M,S) and gets sk, then r can impersonate p
   as follows.

       r --> q : p, q, M, S      (replay)
       r <-- q : p, q, S         (r discards)

   r communicates with q as if it is p.

   To prevent this attack, the protocol is augmented as follows:

       p --> q : p, q, M, S
       p <-- q : p, q, S, N
       p --> q : p, q, S

3. Both certificates are vulnerable to impersonation attacks.

   - B.q in cert. is public key of q'

       B.q -----> p ---------------- q
                          |
                          |
                          q'

   - S.q in cert. is an individual key of q'

       sk -----> p ---------------- q
                         |
                         |
                         q'

   Only second cert is vulnerable to eavesdropping

       r is eavesdropping
       sk -----> p ---------------- q <----- sk
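
Added example (not part of the original exam or its solution): a Python check of the key-set condition and the broadcast acceptance rule from Solution 1, with a collusion test against a safe and an unsafe key assignment. H(k, m) is instantiated as HMAC-SHA256, and the key ids, sample key sets and function names are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
from itertools import combinations

def H(key, m):
    # Assumption: the page's H(k, m) is instantiated here as HMAC-SHA256.
    return hmac.new(key, m, hashlib.sha256).digest()

def collusion_safe(s):
    """For all distinct i, j: s.(i) ^ s.(j) is not a subset of the union
    of s.(k) over every other k (the condition from Solution 1)."""
    for i, j in combinations(s, 2):
        others = set().union(*(s[k] for k in s if k not in (i, j)))
        if s[i] & s[j] <= others:   # also catches an empty intersection
            return False
    return True

def broadcast(i, m, s, keys):
    """(m, i, H(k0,m), ..., H(kx,m)) where {k0..kx} = s.(i)."""
    return (m, i, *(H(keys[k], m) for k in sorted(s[i])))

def accepts(j, msg, s, keys):
    """p.(j) recomputes H(r, m) for r in s.(i) ^ s.(j); all must be present."""
    m, i, *tags = msg
    expected = [H(keys[r], m) for r in s[i] & s[j]]
    # Guard: with no shared key the subset test would pass vacuously.
    return bool(expected) and all(
        any(hmac.compare_digest(e, t) for t in tags) for e in expected)

def forge(colluders, i, m, s, keys):
    """Colluding processes claim to be p.(i) using only keys they hold."""
    known = set().union(*(s[c] for c in colluders))
    return (m, i, *(H(keys[k], m) for k in sorted(s[i] & known)))

def make_keys(s):
    # Constructed random demo keys, one per key id appearing in any s.(i).
    return {k: secrets.token_bytes(32) for k in set().union(*s.values())}

# Constructed key sets: one key per pair (safe) vs. two keys shared by all.
PAIRWISE = {i: {f"k{min(i, j)}{max(i, j)}" for j in range(4) if j != i}
            for i in range(4)}
SHARED = {i: {"a", "b"} for i in range(4)}

if __name__ == "__main__":
    for name, s in (("pairwise", PAIRWISE), ("shared", SHARED)):
        keys = make_keys(s)
        fake = forge({2, 3}, 0, b"m", s, keys)
        print(f"{name}: safe={collusion_safe(s)} forgery_accepted={accepts(1, fake, s, keys)}")
```

With the pairwise assignment, p.(1) rejects a message that p.(2) and p.(3) jointly fabricate in p.(0)'s name; with the shared assignment the condition fails and the same fabrication is accepted.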