Lösungsvorschlag Information Security 2005

Security Bootstrapping

a) There is no authentic channel from A to B, because the only path from A to B with dots on A's side is A.-F.-G.-D.-E.-H.-J.-B and B does not trust G. Therefore they can not establish a secure channel.

b) I) move dot from H to F II) B must trust G

Trust and Authenticity

Aut_A,C
Aut_AT, Trust_AT2, Cert_TV |- Aut_AV
Aut_AV, Trust_AV2, Rec_VY1 |- Trust_AY1
Aut_AT, Trust_AT2, Cert_TW |- Aut_AW
Aut_AT, Trust_AT2, Rec_TW1 |- Trust_AW1
Aut_AW, Trust_AW1, Cert_WY |- Aut_AY
Aut_AY, Trust_AY1, Cert_YC |- Aut_AC

Aut_A,B

We can derive:
Aut_AT, Trust_AT2, Cert_TV |- Aut_AV
Aut_AV, Trust_AV2, Rec_VX1 |- Trust_AX1
Aut_AS, Trust_AS3, Cert_SU |- Aut_AU

We now need to trust U with at least level 1 to complete the chain to B

Aut_AS, Trust_AS3, Rec_SU1 |- Trust_AU1
Aut_AU, Trust_AU1, Cert_UX |- Aut_AX

Aut_AX, Trust_AX1, Cert_XB |- Aut_AB

Number-Theoretic Cryptography

a) generell:

 Alice Bob A = g^a mod p A -> B = g^b mod p K = B^a mod p <- B K = A^b mod p

hier:

 Alice Bob 5 = 2^a mod 11 5 -> 8 = 2^b mod 11 K = 8^a mod 11 <- 8 K = 5^b mod 11

aus 5 = 2^a mod 11 kann man vermuten dass a = 4 und aus 8 = 2^b mod 11 dass b = 3.

damit kann man K = 5^3 mod 11 = 4 berechnen und mit K = 8^a mod 11 = 4 überprüfen.

b) Wir wissen, dass gcd(n,Phi(n)) = 1 (Phi(n) = Gruppenordnung = (p-1)*(q-1)). Mit dem erweiterten Euklid kann man ein x und ein y berechnen, so dass: x*n + y*Phi(n) = 1, das kann man umformen nach n = 1/x * (1-y*Phi(n)). Damit haben wir eine Faktorisierung von n gefunden.

IMPORTANT: This first solution makes no sense at all. It's not true that gcd(n,Phi(n)) = 1. The following solution seems to be correct. -- rueeggn

Meiner Meinung nach ist die obige Lösung etwas sinnlos, da jede primzahl auhc teilerfremd ist mit n, und dann könnte man das ja immer machen da bräuchte man die ordnung o nicht. Ich würde das so lösen: o=(p-1)(q-1) n=p*q n und o(Ordnung) sind gegeben (wenn wir annehmen dass wir die ordnung einfach berechnen können) dann kann man die zwei gleichungen aufstellen: p*q=n und p*q-(p-1)(q-1)=p+q-1=n-o dies ist ein einfaches 2*2 gleichungssystem und das kann man einfach Lösen.

Tigris

Security Transformations

see discussion-page!

a) authentic channel from B to A Bob encrypts a message using the box and then displays the ciphertext publicly.

```A -t1->. B
=>   A <-t3-. B
A <-t2- B
t2 > t1
t3 > t2
```

b) secure channel from B to A Bob encypts the message using the box and then sends it back to Alice with the messenger. // -> see diskussion

```A .-t1-> B
=>   A .<-t3- B
A <-t2- B
t2 > t1
t3 > t2
```

c) The authenticity Eve could pose as Bob and send the messages she encrypted when she had the box to Alice after Bob received the box. To avoid this attack Bob could append the current random number to his messages and then encrypt and send it. Alice should then accept only the decrypted messages which habe the random number of the previous time slot appended.

Potpourri

a) 1: multilateral, 2: unilateral, 3: secure connection, 4: unilateral

b) The picture depicts a distinguisher attached to a real random number generator and a PRG. A good PRG produces a random number stream that is computationally (by a polynomially bounded distinguisher) indistinguishable from a real Random Number Generator. A PRG is initialized with a seed value. The same seed value will always produce the same number sequence.

c) If in a network with n nodes every node want to securely communicate with every other node we need n^2 keys when using symmetric cryptography. This problem can be used by using a trusted party (like in Kerberos) which shares a key with every node and which will generate and distribute temporary keys for direct secure communication between two given nodes.

d) PGP uses a web of trust where a public key is authenticated by the presence of a trust path from you to the target key. I.e. if you trust a friend's key which was used to sign the target key, you can also trust the target key. In X.509 there is a designated Certificate Authority (CA) which has to be trusted. If a key was signed by the CA, one can assume that the CA has checked that the key belongs to the person that it claims to belong to.

e) Kam 2008 nicht dran

A key-distribution protocol using a trusted third party

a) S can conclude that A knows the private key that belongs to the public key K_A

b) M needs to intercept A's first message. He then replaces K_A and {A,B,K_A}_K_A^-1 with K_M and {A,B,K_M}_K_M^-1 . He can then continue the protocol in A's place because the key K_AS is not used anymore, hence M can read all messages from S.

c) M2' doesn't make any difference because after modifying the first message. S will use K_M (and not K_A) to encrypt M2'

M2'' doesn't help either because M can pass the message on to A who will decrypt the message and send {A,B,K_A}_K_BS to B. Note however that K_A is in fact K_M, since M replaced it in the first message. A isn't able to detect it, since he can't open {A,B,K_M}_K_BS.

d) M2 can be replaced by ${\displaystyle \lbrace A,B,K_{A},\lbrace A,B,K_{A}\rbrace _{K_{BS}}\rbrace _{K_{AS}}}$ . That way A can check whether K_A is still the same that he sent in M1.

Formalizing the Dolev-Yao Intruder

 Diese Aufgabe wurde noch von niemandem gelöst und wartet noch immer auf einen Musterlöser. Hast du dieses Fach bereits besucht? Hilf mit, die Qualität dieser Seite zu verbessern, indem du eine plausible Lösung für diese Frage notierst!

Access Control Models

 Dem Autor des Lösungsvorschlags stellt sich eine Unklarheit betreffend der Prüfungsfrage oder deren Lösung: ??? Hilf mit, die Qualität dieser Seite zu verbessern, indem du eine eindeutige Lösung einfügst oder auf der Diskussionsseite dieses Themas deine Meinung äusserst.

a)

U_A subset of USERS x ROLES

RA_p+ subset of ROLES x OBJECT_GROUPS (defines which roles have privilege p over which group of objects)

OA subset of OBJECT_GROUPS x OBJECTS

b)

ASCII-Art ^^

```eval1<-----|                                     --------officer1
|                   --w---Officer<----|
|------evaluation<--|        ^        |
eval2<-----|            ^               |        --------officer2
|               |
|               |
order1<-----            ------r-----Seargent<-----------sergeant1
|------order              |  ^         |
|        ^ ^------w--------  |         |
order2<----|        |                   |         |------sergeant2
|        |                   |
|        |                   |
order3<----|        --------r--------Private<------------private1
|
|
|------private2
```

c) When a new role is added to the system, we directly specify which rights it has over which kind of object groups. We do not need to define the access rights to every single object. Instead we define the access rights to groups of objects, which makes it simpler.

Access Control Matrix

a)

```command copyAllRights(p,q,f)
for x in {R,CR,W,CW,X,CX} do
if x in M[p,f] then
enter x into M[q,f]
end
loop
```

b)

```command copyAllRights2(p,q,f)
if CR in M[p,f] then
enter R into M[q,f]
end
if CW in M[p,f] then
enter W into M[q,f]
end
if CX in M[p,f] then
enter X into M[q,f]
end
```

c)

This would be a delegation of rights.

A security protocol

a)

Let E be Evil

```BS                  E                 MT

--BS,k_BS----------->
--BS,k_E----------->
<---------{K}k_E----

now E knows the key K
<---------{MT,P}K---
now E knows the key P

E know has to transfer all this information to BS, namely

<----------{K}k_BS--
<----------{MT,P}K--
```

E can give {MT,P}K directly to BS since this makes no change at all. Since E know P now, E can eavesdrop the channel directly without having to relay all messages. MT has no chance to detect E since there's no way to authenticate BS.

b)

```M1.  BS -> MT: BS,k_BS,{BS,k_BS}k_CA^-1
M2.  MT -> BS: {K}k_BS
M3.  BS -> MT: {BS, k_BS, {BS, k_BS}k_CA^-1}K ( is this really necessary?)
M4.  MT -> BS: {MT,P}K
```

Now there's a way to authenticate BS and also BS returns to MT to say it has received K.

Another security protocol

a) By definition, A knows g and x while B knows g and y.
-In M1 A sends g^x to B, enabling B to calculate g^xy = (g^x)^y
-In M4 B sends g^y to A, enabling A to calculate g^xy = (g^y)^x

b) Intruder I uses M3 learnt from a previous protocol run between A and B as follows:

Kas: Shared secret key between A,S
Kas: Shared secret key between B,S
Kis: Some key replacing Kas, can be anything since not needed

M1: I(A) -> B: HM_Kis ( A,B,g^x )
M2: B -> I(S): HM_Kbs ( g^y, HM_Kis ( A,B,g^x ) )
M3: I(S) -> B: HM_Kbs( A,B,H_Kas(g^x', g^y', A, B) ) [-> recorded from earlier protocol run]
M4: B -> I(A): HM_g^xy( g^x, g^y, A, B)

That way Intruder I fools B in believing to have a shared secrete key with A.

c)
Obviously M3 is the weak point, since it can be replayed by any M3' from an earlier session between A and B.
Therefore M2 should contain a nonces Nb and M3 a challenge:
M2: B -> S: HM_Kbs ( g^y, Nb, HM_Kas ( A,B,g^x ) )
M3: S -> B: HM_Kbs( A,B, Nb+1 H_Kas(g^x', g^y', A, B) ) [-> recorded from earlier protocol run]

By using a nonce, B can detect whether an old message is replayed or not.

Another solution would be to replace H_Kas in message 3 (the message that is replayed in the attack) by H_Kbs. This way, B would be able to check whether S really received (g^x,g^y,A,B) and generated H_Kbs(g^x,g^y,A,B). If an attacker replayed an earlier message 3 H_Kbs(g^x',g^y',A,B), B would realize this isn't the MAC corresponding to the new g^x, g^y and thus would reject it. This renders the attack described in b) useless.

Formalizing the Dolev-Yao Intruder

a) No, we need the private key of m4 to decrypt {m5}_m4.

b) Yes, decompose (m1, m2) -> m1, m2

pair m1 and m4 to decrypt (symmetric encryption) {|m3|}_(m1, m4) -> m3

c) Yes, as before, decompose (m1, m2) -> m1, m2

encrypt symetrically m1 using m1 as key -> {|m1}_m1

d) No, we cannot obtain (?) m7 (we only have m7^-1) needed to decrypt {|m6^-1|}_(m4, m7)

Mix networks

 Diese Aufgabe wurde noch von niemandem gelöst und wartet noch immer auf einen Musterlöser. Hast du dieses Fach bereits besucht? Hilf mit, die Qualität dieser Seite zu verbessern, indem du eine plausible Lösung für diese Frage notierst!

1. Order of arrival hidden by outputting items in batches, repeated information are blocked, and clients in a mix network have to send and receive dummy messages.

2. Repeated information are blocked

3. The attacker only gets to know what the sent message looks like after the mix has processed it, but can't do much with it? ("Only some nonzero fraction of mixes need to be honest")