-------------------------------------------------------------------------------
Mohamed Gouda          CS 386 S          Spring 2008          Quiz#2
-------------------------------------------------------------------------------

Consider the following two-step cascade protocol PR, similar to those
described in the Dolev and Yao paper.

    x --> y : Ad
    x <-- y : BAd

where d is data, A is a reduced key sequence of the keys D.x, E.x, and E.y,
and B is a reduced key sequence of the keys D.y, E.x, and E.y.

Also consider two attackers, named t and u, against protocol PR.

Attacker t is defined by the following actions:

 1. t can form and apply any key sequence of the keys D.t, E.x, E.y, and E.t.
 2. t can pretend to be t or x and initiate protocol PR with y.
 3. t can pretend to be t or y and initiate protocol PR with x.

Attacker u is defined by the following actions:

 1'. u can form and apply any key sequence of the keys D.u, E.x, E.y, and E.u.
 2'. u can pretend to be u (but not x) and initiate protocol PR with y.
 3'. u can pretend to be u (but not y) and initiate protocol PR with x.

Clearly, attacker t can do more than attacker u against protocol PR.
Nevertheless, you are required to show that attacker u is as effective as
attacker t against protocol PR.

------------------------------------------------------------------------------
Student Name:                              Student ID:
------------------------------------------------------------------------------

Solution:

If protocol PR is secure (i.e. A has E.x or E.y, and if B has D.y then it
also has E.y), then both t and u are equally ineffective attacking it by
Theorem 1 of Dolev and Yao. Thus, we need only to consider the case where PR
is insecure.

If A has neither E.x nor E.y, then A can have only D.x. In this case, both t
and u can obtain d from the message Ad.

Thus, we need only to consider the case where A has D.x, E.x, and E.y only,
and B has D.y and E.x only. And we need to show that in this case attacker u
can obtain d from the message Ad.

There are two subcases to consider in this case:

Subcase 1 (The right-most element in B is D.y):

We show that in this subcase attacker u can get rid of the left-most elements
of Ad, one by one, and obtain d. Let Cd denote Ad after u has succeeded in
peeling several left-most elements from it.

If the left-most element of Cd is D.x then u can get rid of this D.x since u
has E.x.

If the left-most element of Cd is E.y then u, as u, can initiate protocol PR
with y by sending Cd, in place of Ad, to y which replies by sending back FCd
to u, where F is the same as B except that each occurrence of E.x is replaced
by E.u. Note that the left-most E.x in Cd is removed from the reduced FCd.
Attacker u can then get rid of all the F elements that still remain in the
reduced FCd and end up with a shorter (at least one element shorter) Cd.

If the left-most element of Cd is E.x then u, as u, can initiate protocol PR
with x by sending Cd, in place of Ad, to x, and so on as in the previous
paragraph.

Subcase 2 (The k+1 right-most elements in B are ".. D.y (E.x)^k"):

We show that in this subcase attacker u can get rid of the left-most elements
of Ad, one by one, and obtain d. Let Cd denote Ad after u has succeeded in
peeling several left-most elements from it.

If the left-most element in Cd is D.x then u can get rid of this D.x since u
has E.x.

If the left-most element in Cd is E.y then u, as u, can initiate protocol PR
with y by sending "(D.u)^k Cd", in place of "Ad", to y which replies by
sending back "F (D.u)^k Cd" to u, where F is the same as B except that each
occurrence of E.x is replaced by E.u. Note that the k+1 left-most elements
"(D.u)^k E.x" in "(D.u)^k Cd" are removed from the reduced "F (D.u)^k Cd".
Attacker u can then get rid of all the F elements that still remain in the
reduced "F (D.u)^k Cd" and end up with a shorter (at least one element
shorter) Cd.

If the left-most element in Cd is E.x then u, as u, can initiate protocol PR
with x, and so on as in the previous paragraph.

-----------------------------------------------------------------------------
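
The peeling argument of Subcases 1 and 2 can be checked mechanically. The
Python below is an added example, not part of the original quiz or solution:
it models key sequences symbolically and runs attacker u's procedure for any
B ending in D.y (E.x)^k, with k = 0 covering Subcase 1. The function names are
hypothetical, and it assumes an honest responder r talking to initiator i
applies B with x renamed to i and y renamed to r.

```python
# Added example: symbolic Dolev-Yao operators. An operator is (kind, user), e.g.
# ("E", "x") for E.x; a word is a list with the left-most element first.

def inv(op):
    kind, user = op
    return ("D" if kind == "E" else "E", user)

def reduce_word(word):
    """Cancel adjacent E.a D.a and D.a E.a pairs until none remain."""
    out = []
    for op in word:
        if out and out[-1] == inv(op):
            out.pop()
        else:
            out.append(op)
    return out

def respond(B, initiator, responder, received):
    """Honest responder: instantiate B for this session and apply it."""
    role = {"x": initiator, "y": responder}   # assumed renaming of B's users
    F = [(kind, role[user]) for kind, user in B]
    return F, reduce_word(F + received)

def attack_as_u(A, B):
    """Peel A off the message 'A d' as attacker u; return the sessions used."""
    allowed = {("D", "u"), ("E", "u"), ("E", "x"), ("E", "y")}   # action 1'
    if not set(A) <= {("D", "x"), ("E", "x"), ("E", "y")}:
        raise ValueError("A must be built from D.x, E.x and E.y")
    k = 0                                   # B ends with D.y (E.x)^k
    while k < len(B) and B[-1 - k] == ("E", "x"):
        k += 1                              # k == 0 is subcase 1
    if k == len(B) or B[-1 - k] != ("D", "y"):
        raise ValueError("B must end with D.y (E.x)^k")
    C, sessions = reduce_word(A), 0         # C is the word still wrapping d
    while C:
        if C[0] == ("D", "x"):              # remove D.x with the public E.x
            own = [("E", "x")]
        else:                               # E.x or E.y: open PR with its owner
            F, C = respond(B, "u", C[0][1], [("D", "u")] * k + C)
            sessions += 1
            # undo the part of F to the left of its "D.r (E.u)^k" tail
            own = [inv(op) for op in reversed(F[:len(F) - k - 1])]
        if not set(own) <= allowed:         # would need D.x or D.y: attack fails
            raise ValueError("u lacks a key needed to strip the reply")
        C = reduce_word(own + C)
    return sessions                         # C is empty, so u now holds d
```

When B also contains E.y, stripping the reply would require D.x or D.y, which
u does not hold, and the function raises instead of returning.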