------------------------------------------------------------------------------- Mohamed G. Gouda Homework 2 CS 395T: Network Protocol Security Fall 2006 ----------------------------------------------------------------------------- 1. (4 Points): The following is a version of the original Needham-Shroeder authentication protocol between two processes p and q. p --> q : B.q p <-- q : B.p p --> q : B.q where B.x is the public key of process x, and n.x is a fresh nonce that is selected by process x. The session key that processes p and q share at the end of this protocol is MD.(n.p|n.q), where MD is a well-known message digest function. Give a scenario that shows that this protocol is incorrect. (I trust that you will try to solve this problem on your own and not use Google to try to locate a paper where this protocol is shown to be incorrect.) ---------------------------------------------------------------------------- 2. (3 Points): Assume that the Dynamic Certificate Dispersal Protocol, discussed in class, is used in a network that has five users: u, v, w, x, and y. Also assume that the (seven) certificates issued in this network are as follows. (u, v), (v, w), (v, x), (w, u), (x, w), (x, y), and (y, w) Because the Dynamic Certificate Dispersal Protocol is self-stabilizing, it is guaranteed to reach a (not unique) "fixed point", where BACK, FORE, and CERT have fixed values in each user in the network, after some finite time from the start of the protocol execution. Describe the values of BACK, FORE, and CERT in each user in the network at a fixed point of the protocol. Also describe in concise English a method that one can use to prove that a fixed point of this protocol is indeed a fixed point of the protocol. ----------------------------------------------------------------------------- 3. (3 Points): In an antireplay protocol between two processes p and q, process q selects a fresh nonce and sends it to process p which then uses this nonce as a hidden sequence number for the data message that p sends back to q, and the cycle repeats. Process p in this protocol is specified as follows. process p const sk: integer /shared session key between p and q var nc: integer /nonce x : integer /text of data message m : integer /digest of data message begin rcv next(nc) from q --> x := any; m := MD.(x|nc|sk); send data(x, m) to q end Process q in this protocol is specified partially as follows. process q const sk: integer /shared session key between p and q T : integer /upper bound on the round trip delay /between p and q var nc: integer /nonce x : integer /text of data message m : integer /digest of data message begin rcv data(x,m) from q --> S [] timeout T time units have passed without q executing any action --> S' end Specify statements S and S' in process q. State one reason why this protocol is better than the family of antireplay protocols discussed in class. -----------------------------------------------------------------------------