------------------------------------------------------------------------------
Mohamed G. Gouda
CS 386S
Spring 2008
Midterm 1
------------------------------------------------------------------------------
Open book
75 minutes
------------------------------------------------------------------------------

1. (6 points) Assume that the following 2-step Dolev-Yao-like protocol is secure:

      x --> y : A d
      x <-- y : B A d

   where
      d    is data
      A    is a reduced sequence of D.x, E.x, and E.y
      B    is a reduced sequence of D.y, E.x, and E.y
      D.x  is the private key of process x
      E.x  is the public key of process x

   Prove that if the sequence B A in the second step of the protocol is reduced
   (by recursively replacing each of the four sequences D.x E.x, E.x D.x, D.y E.y,
   and E.y D.y by the empty sequence), then the resulting reduced sequence has
   E.x or E.y.

-------------------------------------------------------------------------------

2. (7 points) Let the pair (x, y) denote the certificate (x, y, B.y, t, signature)
   where
      x    is the process that issued the certificate
      y    is the process being certified by the certificate
      B.y  is the public key of process y
      t    is the expiration date of the certificate
      signature = R.x
      R.x  is the private key of process x
      H    is a secure hash

   Assume that a process x has only the two certificates (x, u) and (v, x), and
   that process y has only the three certificates (y, w), (w, v), and (v, x).
   Using these certificates, can process x authenticate process y and establish
   a secure session key to communicate with process y? Explain your answer.

-------------------------------------------------------------------------------

3. (7 points) In our simple model of SRP, we assumed the following four facts:

   a. User U knows its own password P, which is well chosen.
   b. Browser B of user U knows the generator g.
   c. Website S knows the generator g and stores the tuple (U, s, g^(H(P,s)))
      where s is a nonce called "salt" and H is a secure hash.
   d. There is no effective algorithm to compute x from some given g and g^x.

   Assume that an adversary knows the generator g and obtains a copy of the
   tuple (U, s, g^(H(P,s))) stored in S. Can this adversary impersonate S in its
   communication with U and B? Can this adversary impersonate U in its
   communication with B and S? Briefly explain your answers.

-------------------------------------------------------------------------------
Solutions
-------------------------------------------------------------------------------

Solution 1.

There are two possible proofs for this problem.

The first proof is by contradiction. Assume that the reduced B A has no E.x and
no E.y. Thus, the reduced B A contains only D.x and D.y. In this case, the
adversary can apply E.x and E.y to the sequence B A d and obtain d,
contradicting our assumption that the protocol is secure.

The second proof is by deduction. Because the protocol is secure, the following
two conditions hold (by Dolev-Yao Theorem 1):

   1. The reduced A has E.x or E.y.
   2. If the reduced B has D.y then it also has E.y.

There are three cases to consider:

   1. If the reduced A has E.x's (from Condition 1), then because the reduced B
      has no D.x, the reduced B A has E.x's.
   2. If the reduced A has E.y's (from Condition 1), and the reduced B has no
      D.y, then the reduced B A has E.y's.
   3. If the reduced A has E.y's (from Condition 1), and B has D.y's (that
      reduce the E.y's in the reduced A), then by Condition 2 the reduced B also
      has E.y's, which cannot be reduced since the reduced A has no D.y. Thus,
      the reduced B A has E.y's.

-------------------------------------------------------------------------------

Solution 2.

Process x cannot authenticate process y, for the following reason. There is no
certificate chain from x to y. Thus, x does not know the public key of y. Thus,
during any attempt of x to establish a session key with y, x can never be sure
that it is communicating with y.
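The reduction in Solution 1 can be checked mechanically. The following Python is an added example, not part of the exam or its solutions: it implements the reduction rules as a stack pass (every rule deletes an adjacent pair of mutual inverses, so the result is independent of deletion order), encodes the two conditions the deductive proof takes from Dolev-Yao Theorem 1, and then exhaustively verifies the claim for every A and B up to a chosen length. The alphabets for A and B are the ones given in the question; the function names are this example's own.

```python
from itertools import product

# Each key cancels with its inverse: D.x E.x, E.x D.x, D.y E.y and E.y D.y
# all reduce to the empty sequence.
INVERSE = {"D.x": "E.x", "E.x": "D.x", "D.y": "E.y", "E.y": "D.y"}

# Alphabets from the problem statement.
A_KEYS = ("D.x", "E.x", "E.y")   # A is built from D.x, E.x, E.y
B_KEYS = ("D.y", "E.x", "E.y")   # B is built from D.y, E.x, E.y


def reduce_sequence(seq):
    """Delete adjacent inverse pairs until none remain.

    Because every rule deletes a pair of mutual inverses, the result does not
    depend on the order of deletions (free-group reduction), so one
    left-to-right pass with a stack computes it.
    """
    stack = []
    for key in seq:
        if stack and stack[-1] == INVERSE[key]:
            stack.pop()          # (stack[-1], key) is one of the four rules
        else:
            stack.append(key)
    return tuple(stack)


def has_public_key(seq):
    """The property to be proved for the reduced B A."""
    return "E.x" in seq or "E.y" in seq


def adversary_recovers_d(seq):
    """The adversary knows every public key, so it can strip a reduced
    sequence made only of private keys (apply E.x against each D.x and E.y
    against each D.y, innermost first) and read d. This is the contradiction
    used in the first proof."""
    return all(key in ("D.x", "D.y") for key in reduce_sequence(seq))


def theorem_conditions_hold(a, b):
    """The two consequences of security quoted in Solution 1:
    1. the reduced A has E.x or E.y;
    2. if the reduced B has D.y then it also has E.y."""
    ra, rb = reduce_sequence(a), reduce_sequence(b)
    cond1 = has_public_key(ra)
    cond2 = "D.y" not in rb or "E.y" in rb
    return cond1 and cond2


def check_claim(max_len=4):
    """Exhaustively test the claim for all A and B of up to max_len keys.

    Returns (number of (A, B) pairs meeting conditions 1 and 2, list of
    counterexamples). The deductive proof says the list must be empty."""
    checked, counterexamples = 0, []
    for la in range(max_len + 1):
        for a in product(A_KEYS, repeat=la):
            for lb in range(max_len + 1):
                for b in product(B_KEYS, repeat=lb):
                    if not theorem_conditions_hold(a, b):
                        continue
                    checked += 1
                    if not has_public_key(reduce_sequence(b + a)):
                        counterexamples.append((a, b))
    return checked, counterexamples


if __name__ == "__main__":
    # Case 3 of the deductive proof: B's D.y cancels A's E.y (and A's D.x
    # cancels B's E.x at the junction), but B's own E.y survives.
    a = ("E.y", "D.x")
    b = ("E.y", "E.x", "D.y")
    print(reduce_sequence(b + a))
    print(check_claim())
```

Running the script prints the reduced B A for the case-3 instance, `('E.y',)`, followed by the number of (A, B) pairs that meet both conditions and an empty list of counterexamples. Note that `adversary_recovers_d` is exactly the situation the first proof rules out: a reduced sequence with no public key is one the adversary can peel off.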
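Solution 2 rests on the absence of a certificate chain from x to y. The Python below is an added example, not part of the exam, that models certificate-chain discovery for the certificates in the question: a process can accept a certificate only if it already knows the issuer's public key, so the search starts from the one key the verifier is sure of (its own) and each accepted, unexpired certificate contributes one more known key. Signature checking is represented by that "issuer's key is known" condition rather than by real signature arithmetic; `Certificate`, `find_chain`, the date values and the `B.<process>` key stand-ins are this example's own constructions. It also goes one step beyond the question: the same certificates do give y a chain to x (y -> w -> v -> x), so y can authenticate x even though x cannot authenticate y.

```python
from collections import deque, namedtuple

# Model of the certificate (x, y, B.y, t, signature) from the question. The
# signature is not modelled explicitly: a certificate is accepted only when
# the verifier already knows the issuer's public key, which is what a
# successful signature check amounts to.
Certificate = namedtuple("Certificate", "issuer subject subject_key expires")

TODAY = 20080301  # constructed "current date" (YYYYMMDD) for expiry checks


def public_key_of(process):
    """Constructed stand-in for B.p; a real deployment carries key material."""
    return f"B.{process}"


def cert(issuer, subject, expires=20091231):
    return Certificate(issuer, subject, public_key_of(subject), expires)


def find_chain(certs, start, target, today=TODAY):
    """Breadth-first search for a valid certificate chain from start to target.

    `start` initially knows only its own public key. A certificate issued by a
    process whose key is known, and not yet expired, teaches `start` the
    subject's key. Returns the chain as a list of certificates, or None when
    target's key cannot be learned from `certs`.
    """
    known = {start}            # processes whose public key `start` knows
    parent = {start: None}     # certificate through which each key was learned
    queue = deque([start])
    while queue:
        p = queue.popleft()
        if p == target:
            chain = []
            while parent[p] is not None:
                chain.append(parent[p])
                p = parent[p].issuer
            return list(reversed(chain))
        for c in certs:
            if c.issuer == p and c.subject not in known and c.expires >= today:
                known.add(c.subject)
                parent[c.subject] = c
                queue.append(c.subject)
    return None


def can_authenticate(certs, verifier, peer):
    """True when `verifier` can learn `peer`'s public key from `certs`."""
    return find_chain(certs, verifier, peer) is not None


# The certificates from the question (constructed expiry dates).
X_CERTS = [cert("x", "u"), cert("v", "x")]                    # held by x
Y_CERTS = [cert("y", "w"), cert("w", "v"), cert("v", "x")]    # held by y


if __name__ == "__main__":
    print("x -> y:", find_chain(X_CERTS, "x", "y"))            # None
    print("x -> y (all certs pooled):", find_chain(X_CERTS + Y_CERTS, "x", "y"))
    print("y -> x:", [(c.issuer, c.subject) for c in find_chain(Y_CERTS, "y", "x")])
```

Even when x is handed y's certificates as well, the search from x stops at u, because nobody has issued a certificate whose issuer's key x knows and whose subject leads onward to y; that is the "no certificate chain from x to y" of the solution.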
-------------------------------------------------------------------------------

Solution 3.

An adversary that obtains the tuple (U, s, g^(H(P,s))) has the same knowledge
as website S, and so it can impersonate S in its communication with U and B.

On the other hand, this adversary cannot deduce the value x = H(P,s), and so
cannot compute (d+x) and cannot compute the master secret
ms := (E - g^x)^(d+x) in its attempt to impersonate U in its communication
with B and S.

-------------------------------------------------------------------------------
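The two halves of Solution 3 can be seen directly in code. The Python below is an added example, not part of the exam or of any SRP implementation; it goes beyond the course's simplified model by using the SRP-6a formulas (multiplier k and scrambling parameter u, both derived by hashing), of which the page's ms := (E - g^x)^(d+x) is the special case with k = u = 1, E playing the role of the server's value B and d the role of the client's exponent a. The group (the prime 2**255 - 19 with generator 2), the hash encoding, and all function names are this example's own choices; use a standard SRP group in practice. The server-side functions take only the stored verifier g^x, which is why a stolen tuple lets an adversary run S's side verbatim, while the client-side function needs x itself.

```python
import hashlib
import secrets

# Constructed demo group: prime 2**255 - 19 with generator 2. It is not an
# RFC 5054 SRP group; it only makes the numbers realistic in size.
N = 2**255 - 19
g = 2


def H(*parts):
    """The secure hash H of the problem: SHA-256 over the decimal/text encodings."""
    h = hashlib.sha256()
    for part in parts:
        h.update(str(part).encode() + b"|")
    return int.from_bytes(h.digest(), "big")


k = H(N, g)  # SRP-6a multiplier; the course model corresponds to k = 1, u = 1


def make_verifier(P, s):
    """Registration: the page's x = H(P, s) and the verifier g^x stored by S with (U, s)."""
    x = H(P, s)
    return x, pow(g, x, N)


def server_challenge(v, b):
    """S's message B = k*v + g^b mod N (the page's E). Needs only the stored v."""
    return (k * v + pow(g, b, N)) % N


def server_secret(A, B, v, b):
    """S's master secret (A * v^u)^b mod N. Again only v is needed, never P or x."""
    u = H(A, B)
    return pow((A * pow(v, u, N)) % N, b, N)


def client_secret(x, a, A, B):
    """U's master secret (B - k*g^x)^(a + u*x) mod N, the page's (E - g^x)^(d+x).
    Both the base and the exponent need x = H(P, s), which only the password holder has."""
    u = H(A, B)
    base = (B - k * pow(g, x, N)) % N
    return pow(base, a + u * x, N)


def run_exchange(client_x, server_v, a=None, b=None):
    """One exchange: the client side is given x, the server side only v.
    Returns (client_key, server_key); they agree only when v == g^client_x."""
    a = secrets.randbelow(N - 2) + 1 if a is None else a
    b = secrets.randbelow(N - 2) + 1 if b is None else b
    A = pow(g, a, N)                       # U -> S : A = g^a
    B = server_challenge(server_v, b)      # S -> U : B
    return H(client_secret(client_x, a, A, B)), H(server_secret(A, B, server_v, b))


def adversary_as_website(stolen_tuple, client_x, a=None, b=None):
    """First half of Solution 3: with (U, s, g^x) the adversary runs S's side unchanged,
    so a genuine user (who knows x) derives the same key as the impostor."""
    _U, _s, v = stolen_tuple
    return run_exchange(client_x, v, a, b)


def adversary_as_user(stolen_tuple, password_guess, a=None, b=None):
    """Second half of Solution 3: the tuple does not contain x, so to play U the
    adversary has to supply some x'; with a wrong guess the two keys disagree."""
    _U, s, v = stolen_tuple
    x_guess, _ = make_verifier(password_guess, s)
    return run_exchange(x_guess, v, a, b)


def offline_guess_matches(stolen_tuple, password_guess):
    """Why assumption (a) matters: a candidate P' can be checked offline against the
    stolen verifier by recomputing g^H(P', s), so only a well-chosen P resists this."""
    _U, s, v = stolen_tuple
    return pow(g, H(password_guess, s), N) == v


if __name__ == "__main__":
    x, v = make_verifier("correct-horse-battery-staple", 4242)  # constructed P and salt
    stolen = ("alice", 4242, v)
    print("honest run agrees:", run_exchange(x, v)[0] == run_exchange(x, v)[1])
    print("impostor as S agrees:", len(set(adversary_as_website(stolen, x))) == 1)
    print("impostor as U agrees:", len(set(adversary_as_user(stolen, "guess"))) == 1)
```

The honest run and the impostor-as-website run both end with matching keys; the impostor-as-user run does not, because the client-side exponent a + u*x and base B - k*g^x both depend on x, and recovering x from g^x is the discrete-logarithm problem of assumption (d). The last function is the caveat a defender should keep in mind: a leaked verifier does not reveal x, but it does allow offline password guessing, which is exactly what assumption (a) is there to rule out.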