Instructions
Please carefully read the following guidelines on how to complete and submit your solutions.
The homework is due on Wednesday, December 4, 2018, at 11:59pm. Late submissions are accepted subject to the policy specified in the course syllabus. Starting early always helps!
Solutions are accepted only via Canvas, where your answers should be typed and submitted as a .pdf file.
You are bound by the Stevens Honor System. Collaboration is not allowed for this homework. You may use any sources related to course materials, but information from external sources must be properly cited. Your submission acknowledges that you have abided by this policy.
This assignment provides a 20% extra credit opportunity!
Problem 1: Can you crack a password?
(24%)
Stevens IT requires users to choose passwords that consist of exactly 10 capitalized letters, which are stored in hashed form using either SHA-1 or SHA-256. Eve compromised Stevens’ authentication server, long enough to learn the password hash of Alice, the TA for CS306.
Describe and name an attack with which Eve can compute Alice’s password.
Describe how the above attack is affected, if at all, and why, when the server hashes passwords using user-specific salts, stored in plaintext, that consist of 10 alphanumeric characters.
Describe how the above attack is affected, if at all, and why, when Eve has previously taken CS306 and knows and understands the birthday paradox.
Problem 2: A password, but which password?
(24%)
To harden password security, Stevens adopted the honeywords password model, shown in Figure 1, where plaintext decoy passwords are used for user authentication in a split-server architecture.
Explain the ways with which honeywords improve password security.
Assuming that the server generates honeywords by “tweaking” real passwords, i.e., by keeping the main structure of a user’s password but changing special symbols and numbers, list 10 passwords that would constitute good decoy passwords for a new user, Alice, who uses password pa$$w0rd5.
Homework #3 CS306 - Introduction to IT security
[Figure 1 content: Honeywords & split-server password authentication]
Use decoy passwords and hide association to real passwords:
- red server stores k passwords for each user: one is the real, the rest are fake
- blue server stores the indices of users’ real passwords
Split verification of candidate password P:
- red server checks only P’s inclusion in user’s set; blue server confirms P’s correctness
Diagram labels (k = 3): the Access Control Module receives candidate password P and returns accept/reject. It sends P to the RED SERVER (entries U1, p11, p12, p13; U2, p21, p22, p23; U3, p31, p32, p33) and gets back hit/miss, index. It sends user, index to the BLUE SERVER (entries U1, 2; U2, 1; U3, 1) and gets back match/mismatch.
Figure 1: Password verification using “honeywords.”
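The split verification of Figure 1, written out as an added example (not part of the original assignment). The class names, the sample passwords and the choice to keep salted PBKDF2 hashes on the red server are assumptions made for illustration.

```python
import hashlib, hmac, os

def slow_hash(salt: bytes, pw: str) -> bytes:
    # Assumption: the red server keeps salted PBKDF2 hashes, not plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 10_000)

class RedServer:
    """Holds k sweetwords per user; cannot tell the real one from decoys."""
    def __init__(self):
        self.table = {}
    def enroll(self, user, sweetwords):
        salt = os.urandom(16)
        self.table[user] = (salt, [slow_hash(salt, p) for p in sweetwords])
    def lookup(self, user, candidate):
        """Return the 1-based index of candidate in the user's set, or None."""
        salt, hashes = self.table[user]
        c, hit = slow_hash(salt, candidate), None
        for i, h in enumerate(hashes, start=1):   # scan all entries, no early exit
            if hmac.compare_digest(c, h):
                hit = i
        return hit

class BlueServer:
    """Holds only (user, index of the real password) and records alarms."""
    def __init__(self):
        self.real_index, self.alarms = {}, []
    def enroll(self, user, index):
        self.real_index[user] = index
    def confirm(self, user, index):
        if index == self.real_index[user]:
            return True
        self.alarms.append(user)   # a decoy was submitted: red-server data leaked
        return False

def login(red, blue, user, candidate):
    index = red.lookup(user, candidate)
    if index is None:
        return "reject"            # miss: ordinary wrong password
    return "accept" if blue.confirm(user, index) else "alarm"

def demo():
    # Constructed sample data, k = 3 as in Figure 1; the real password is #2.
    red, blue = RedServer(), BlueServer()
    red.enroll("U1", ["tulip-4471", "tulip-9032", "tulip-1185"])
    blue.enroll("U1", 2)
    results = [login(red, blue, "U1", p)
               for p in ("tulip-9032", "wrong-guess", "tulip-1185")]
    return results, blue.alarms
```

A wrong guess and a decoy take different paths: only the decoy reaches the blue server and is recorded as an alarm.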
You successfully broke into Stevens’ red server, long enough to steal the honeywords list of Bob, a senior administrative assistant in the Office of the Registrar, which consists of six passwords:
Blink!@*)123, Blink-182, Blink-000, Blink-42379242235,
B 17 l 34 i 15 n 80 k 27, and itWb!%s45 3gMoI00286!*mooewTi409##21jUi.
Which one password will you choose, and why, to impersonate Bob and increase your GPA?
Problem 3: Sir, is this your public key?
(24%)
CS306 makes use of public-key encryption for any course-related communication. Enrolled students and staff members have their public keys registered with a trusted certification authority (CA) (e.g., Symantec). For efficiency reasons, public keys become available to interested users through an online service that is administered by Mallory, a new cheap cloud provider, where users can verify the validity of provided public keys via Merkle-tree hash proofs, as shown in Figure 2. Specifically:
The CA provides Mallory with the public-key directory D along with a special certificate C that is the Merkle-tree digest of the directory, signed by the CA.
To send a confidential message to Bob, Alice asks Mallory for his public key pkB, even if she had previously used pkB, since public-key pairs can be occasionally refreshed or revoked.
Along with Bob’s public-key record (iB, Bob, pkB) in D, Mallory also provides Alice with the signed certificate C and a corresponding Merkle-tree hash proof.
After any change in the class enrollment (e.g., a student drops it or enrolls in it with delay) or whenever any public-key pair is updated, the CA provides Mallory with the new (that is, updated) directory D′ and the new (that is, corresponding to D′) certificate C′.
Eve manages to get access to Bob’s laptop and steal its secret key skB. When Bob becomes suspicious of this, he registers a new public-key pair with the CA. Describe and name an attack that allows Eve to collaborate with Mallory in order to learn all subsequent messages sent to Bob.
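[Figure 2 content: Public-key infrastructure. The CA sends updates (D′, C′) to the server (Mallory), which holds the directory D: <iA, Alice, pkA>, <iB, Bob, pkB>, … and a Merkle tree of hashes over it with digest d, where C = digest d signed by CA. The user sends a query (“Bob?”) and receives the answer <iB, Bob, pkB> together with a proof and the signed digest (blue hashes + certificate C), then runs verification: “is answer correct?”]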
Figure 2: The public-key dictionary-as-a-service model for verifying public keys.
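How a user checks a record against the digest d in this model, as an added example (not part of the original assignment). The hash layout, the odd-level padding rule and the placeholder key strings are assumptions; checking the CA's signature on C is out of scope here, so d is treated as already authenticated.

```python
import hashlib

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def leaf_hash(record):          # domain separation: leaves use prefix 0x00
    return H(b"\x00" + "|".join(record).encode())

def node_hash(left, right):     # inner nodes use prefix 0x01
    return H(b"\x01" + left + right)

def build_levels(records):
    """All tree levels, leaves first; the last level holds the digest d."""
    levels = [[leaf_hash(r) for r in records]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        if len(cur) % 2:
            cur = cur + [cur[-1]]            # pad odd levels (assumed rule)
        levels.append([node_hash(cur[i], cur[i + 1])
                       for i in range(0, len(cur), 2)])
    return levels

def prove(levels, idx):
    """Server side: sibling hashes from leaf to root, each tagged with its side."""
    proof = []
    for level in levels[:-1]:
        sib = idx ^ 1
        sib_hash = level[sib] if sib < len(level) else level[idx]
        proof.append((sib_hash, sib < idx))  # True: sibling sits on the left
        idx //= 2
    return proof

def verify(record, proof, digest):
    """User side: recompute the root from the record and the proof."""
    h = leaf_hash(record)
    for sib, sib_is_left in proof:
        h = node_hash(sib, h) if sib_is_left else node_hash(h, sib)
    return h == digest

def demo():
    # Constructed directory D; key strings are placeholders, not real keys.
    D = [("1", "Alice", "pkA"), ("2", "Bob", "pkB"), ("3", "Carol", "pkC"),
         ("4", "Dave", "pkD"), ("5", "Erin", "pkE")]
    levels = build_levels(D)
    d = levels[-1][0]                        # digest the CA signs as C
    proof = prove(levels, 1)                 # server's answer for Bob
    ok = verify(D[1], proof, d)
    forged = verify(("2", "Bob", "pkEve"), proof, d)
    D2 = D[:1] + [("2", "Bob", "pkB-new")] + D[2:]   # updated directory D'
    d2 = build_levels(D2)[-1][0]             # digest behind C'
    return ok, forged, verify(D[1], proof, d2)
```

The proof binds a record to one specific digest: a substituted key fails against d, and the old record fails against the digest of the updated directory.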
Describe how timestamped signatures (i.e., signatures on timestamped messages) can be periodically employed by the CA, so that the users can detect the above attack. You can assume that no public key will be updated twice within the same day, and consider a 1-day signing period.
Explain whether the above detection mechanism can be applied to DNSSEC and, if this is the case, what the impact of a 1-minute signing period would be on DNS.
Problem 4: Can cryptography fail?
(24%)
Alice, CS306’s instructor, and Bob, CS306’s TA, are communicating via terse cryptographically-protected messages to finalize the last homework assignment and the final exam for CS306. They do so by communicating via terse message exchanges which are cryptographically protected.
Eve has previously intercepted the following MAC-tagged messages:
Bob: status update please; are we done with assignments?
Alice: hmmm... no no; more homework assignments will come!
Describe how Eve can undetectably affect the remaining CS306 assignments (without explicitly knowing the shared secret key) by manipulating the following MAC-tagged messages:
Bob: is there time for a fourth homework?; please advise
Alice: yes, thanks for the reminder!; post HW4 with a 2-day deadline...
in the case where Alice and Bob use custom-made tags for messages of the form m1; m2 (i.e., consisting of two arbitrarily long parts m1, m2), by applying a secure MAC on their concatenation m1‖m2.
Eve knows that the final exam’s three problems will be chosen from a predefined list of 10 known topics via asymmetrically encrypted messages of the following form:
Bob: Which topic will problem #1 cover?
Alice: Topic 7.
Bob: Which topic will problem #2 cover?
Alice: Topic 2.
Bob: Which topic will problem #3 cover?
Alice: Topic 8.
Describe how Eve can learn the final-exam topics (without explicitly knowing Alice’s or Bob’s secret key), in the case where Alice and Bob encrypt their messages using plain RSA encryption.
Due to high student enrollment in CS306, Alice decides to use extra help with the exam monitoring and grading, and asks Bob to urgently hire a qualified student as proctor and grader. A day before the final exam, Bob posts an announcement of the available position at a university forum, and within minutes he receives an email from Gmail account CharlesSuperPower1999@gmail.com, sent by Charles, who claims to be a former CyS graduate student. The email contains Charles’ resume and Charles’ RSA public key PKC, asks Bob to reply with the exam solutions, should he get the position, in order to appropriately prepare for the job at hand, and is digitally signed using RSA. Bob likes the candidate’s resume and is able to verify the email signature.
Describe why, or why not, Bob should go ahead with the request and send Charles the exam solutions, encrypted under PKC using RSA.
Problem 5: Are cloud-based solutions cloudy?
(24%)
CS306 makes use of a designated cloud-storage space at BestCloudStore, a cloud-storage provider that makes use of deduplication for cost-reduction purposes. By design, the client BestCloudStore application notifies the user who requests to upload a file F, whether F was uploaded “virtually” or “physically,” depending on whether h(F) is a new or already known digest.
To hand-in the take-home quiz for CS306, students are asked to upload their answers to the course BestCloudStore space, where new uploads are allowed, overwriting existing ones. The exam consists of 10 true-false questions and the submission file is a .txt file that should have a student-specific name (to allow grading) but the following fixed format (to allow fast statistics):
Stevens-CS306---1:T; 2:F; 3:T; 4:T; 5:F; 6:T; 7:F; 8:F; 9:T; 10:F;
Describe a strategy that allows Eve, the only student who has not studied for the quiz, to submit an answer that is better than an answer based on random guessing.
Bob is the Chief Scientist at BestCloudStore. To harden the security of the provided services with respect to the confidentiality of customer data “at rest,” Bob proposes to Alice, the Executive Product Manager at BestCloudStore, the following update: The client BestCloudStore application comes embedded with the public key PKBCS of BestCloudStore, and any new file F is uploaded as RSA-Enc_PKBCS(F), that is, encrypted under PKBCS using plain RSA. Explain the effect that this proposal will have on the cost-reduction benefits due to deduplication.
In a long meeting, Bob and Alice decide to move forward with the above proposal but with one difference: Files will be uploaded encrypted using ElGamal rather than plain RSA encryption. Explain the effect that this revision will have on the cost-reduction benefits due to deduplication.