-------------------------------------------------------------------------------
Mohamed G. Gouda                  CS 395T                          Spring 2006

                                 Homework 2
-------------------------------------------------------------------------------
1. [3 points]
   The following Amended Needham Schroeder authentication protocol is
   "loose". This means that process q can authenticate as p a third
   process r even though r will not be able to get the shared key S.

      p  -> q  : I.p
      q  -> ac : q, m, p, I.p
      ac -> q  : I.q>
      q  -> p  : I.p
      p  -> q  : S
      q  -> p  : S

   Give a scenario to show that this protocol is loose.
   Modify the last three steps in this protocol to make the protocol
   "tight".
-------------------------------------------------------------------------------
2. [3 points]
   The one time password protocol by Leslie Lamport was intended to allow
   secure communication of a password from a client C to a server S.
   Modify this protocol to allow secure communication of passwords from a
   client C to many servers S.1, .. , S.m. The modified protocol is
   assumed to satisfy the following three conditions.

   1) The protocol runs on top of SSL. Thus, all exchanged messages
      between the client C and each server S.i are encrypted using a
      session key.

   2) When the message digest chain between C and a server S.i is
      finished, the client C sends the information concerning a new
      message digest chain to the server S.i.

   3) The client C knows only one password P to access all the servers
      S.1, .. , S.m.
-------------------------------------------------------------------------------
3. [4 points]
   The following protocol overcomes message replay even if the
   communication between p and q starts at an arbitrary state. However,
   this protocol cannot overcome message replay if process q, after
   communicating for some time with process p, is reset to its initial
   state. (When this happens, an adversary can successfully replay all
   the data messages that p has sent earlier to q.)
   Modify this protocol so that it can overcome this (unbounded) message
   replay when the state of process q is reset to its initial state.

   process p
   const T     : integer,     /round-trip delay between p and q
         r     : integer,     /max. value for the shared key
         sk    : 0..r-1,      /shared key between p and q
   var   t     : integer,     /text of current data msg
         nc    : integer,     /nonce of current data msg
         nc'   : integer,     /nonce of next data msg
         c     : integer,     /received ack
         ready : boolean
   begin
      ready --> ready := false; t := any; nc' := NNC;
                send data(NCR(sk, t|nc|nc')) to q
   [] rcv ack(c) from q -->
         if nc' = c  --> ready := true; nc := nc'
         [] nc' <> c --> nc := c;
                         send data(NCR(sk, t|nc|nc')) to q
         fi
   [] timeout ~ready ^
              T time units have passed without executing any action -->
         send data(NCR(sk, t|nc|nc')) to q
   end

   process q
   const r     : integer,     /max. value for the shared key
         sk    : 0..r-1       /shared key between p and q
   var   t     : integer,     /text of received data msg
         nc    : integer,     /nonce of next data msg
         h     : integer,     /received data
         c,c'  : integer      /received nonces
   begin
      rcv data(h) from p -->
         (t, c, c') := DCR(sk, h);
         if nc = c  --> /deliver t
                        nc := c'; send ack(nc) to p
         [] nc <> c --> send ack(nc) to p
         fi
   end
-------------------------------------------------------------------------------
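
The behaviour described in problem 3, simulated as an added example (not part of the original homework sheet, and it does not include the requested modification): p starts in an arbitrary state and resynchronizes, replays against the live q are rejected, and replays against a reset q are all delivered. Assumptions: NCR/DCR are stood in for by HMAC-tagged JSON, NNC is a random 64-bit value, q's initial nc is 0, and the channel is lossless, so p's ready flag and timeout action are omitted.

```python
import hashlib, hmac, json, secrets

SK = b"constructed-shared-key"            # constructed sample key (sk)

def ncr(sk, t, nc, nc2):
    # Stand-in for NCR(sk, t|nc|nc'): tagged JSON, integrity only (assumption).
    body = json.dumps([t, nc, nc2]).encode()
    return body + hmac.new(sk, body, hashlib.sha256).digest()

def dcr(sk, h):
    body, tag = h[:-32], h[-32:]
    if not hmac.compare_digest(tag, hmac.new(sk, body, hashlib.sha256).digest()):
        raise ValueError("message not produced with sk")
    return tuple(json.loads(body))

class Q:
    def __init__(self):                    # constructing Q models a reset
        self.nc, self.delivered = 0, []    # assumed initial value nc = 0
    def rcv_data(self, h):
        t, c, c2 = dcr(SK, h)
        if self.nc == c:                   # expected nonce: deliver t
            self.delivered.append(t)
            self.nc = c2
        return self.nc                     # ack(nc)

class P:
    def __init__(self):
        self.nc = secrets.randbits(64) + 1   # arbitrary (unsynchronized) start
    def send(self, t):
        self.t, self.nc2 = t, secrets.randbits(64) + 1   # nc' := NNC
        return ncr(SK, self.t, self.nc, self.nc2)
    def rcv_ack(self, c):
        matched = (self.nc2 == c)
        self.nc = c                        # both branches of p leave nc = c
        return None if matched else ncr(SK, self.t, self.nc, self.nc2)

def run_session(texts):
    p, q, wire = P(), Q(), []
    for t in texts:
        h = p.send(t)
        while h is not None:
            wire.append(h)                 # every data message seen on the wire
            h = p.rcv_ack(q.rcv_data(h))
    return q, wire

def replay(q, wire):
    before = len(q.delivered)
    for h in wire:
        q.rcv_data(h)
    return q.delivered[before:]            # texts delivered because of the replay
```

`replay(q, wire)` on the q that took part in the session returns an empty list, while `replay(Q(), wire)` returns every text of the session, because the recorded messages form a nonce chain that starts at q's initial nc.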