Reference no: EM132499486
CSCI468 Advanced Network Security - University of Wollongong
Problem 1
Prove that the GQ Identification Scheme given in the lecture notes (Identification Scheme I, slides 27 - 28) is secure against passive attacks under the hardness of the RSA problem described below.
RSA Problem: given an RSA public key pk = (e, N) and a random element Y in Z_N*, find X in Z_N* such that Y = X^e mod N.
Hint: you can take the proof strategy for the Schnorr Identification Scheme as a reference.
Problem 2
Multi-factor user identification requires a user to possess multiple factors, such as a knowledge factor ("something the user knows"), a possession factor ("something the user has"), and an inherence factor ("something the user is"), in order to identify him/herself to a verifier. A commonly used two-factor user identification mechanism is based on smart-card (something the user has) and password (something the user knows). Such a mechanism should ensure that an adversary cannot pass the identification even if the adversary has obtained one of the identification factors (i.e., the attacker either obtains the information in the smart-card or the user password). Consider the following two-factor identification protocol:
User Setup.
Let x denote a 128-bit secret key of a remote web server, and h(·) a secure cryptographic hash function. Each legitimate client C with identity ID_C shares a 6-digit password PW with the server. In addition, C has a smart-card issued by the server, which has the information (ID_C, B, p, g) stored in the Read Only Memory (ROM) of the card, where B = h(PW) ⊕ h(x, ID_C), p is a large prime number, and g is a generator of Z_p*.
User Login.
Step 1: In order to log in to the server, the client first attaches the smart-card to a card reader which is connected to a computer, and then types in the password PW. The computer retrieves the values of (ID_C, B, p, g) from the smart-card via the card reader, and computes Z = B ⊕ h(PW). After that, the computer chooses a random number u ∈ Z_{p-1}, computes N_C = g^u mod p, and sends a login request (ID_C, N_C) to the remote server.
Step 2: Upon receiving the request, the web server first checks if ID_C belongs to a legitimate client. If the server cannot find ID_C in its database, then the request is rejected. Otherwise, the server chooses a random number v ∈ Z_{p-1}, computes N_S = g^v mod p, K = N_C^v mod p, Z' = h(x, ID_C), and T_S = h(Z', N_C, N_S, K). The server then sends (N_S, T_S) to the client.
Step 3: After receiving (N_S, T_S) from the server, the client's computer computes K' = N_S^u mod p, T_S' = h(Z, N_C, N_S, K') and verifies if T_S' = T_S. If the equation holds, the client's computer generates T_C = h(Z, N_S, N_C, K'), and sends T_C to the web server.
Step 4: The web server computes T_C' = h(Z', N_S, N_C, K) and verifies if T_C' = T_C. If the equation holds, then the client is identified successfully; otherwise, the client identification fails. If the client has three consecutive identification failures, then the client's account will be locked by the web server, and the client needs to contact the Administrator in order to unlock the account.
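The honest run of User Setup and Steps 1 to 4, with both parties' computations side by side, as an added example that is not part of the original assignment. Assumptions: SHA-256 over length-prefixed inputs stands in for h(·), the toy group p = 1019, g = 2 is constructed for illustration, and the three-failure lockout is not modelled.

```python
import hashlib, hmac, secrets

P, G = 1019, 2   # constructed toy group: 1019 is a safe prime, 2 generates Z_p*

def h(*parts):
    """SHA-256 over length-prefixed parts (assumed stand-in for the page's h)."""
    d = hashlib.sha256()
    for part in parts:
        b = part if isinstance(part, bytes) else str(part).encode()
        d.update(len(b).to_bytes(4, "big") + b)
    return d.digest()

def xor(a, b):
    return bytes(i ^ j for i, j in zip(a, b))

def issue_card(x, id_c, pw):
    """User Setup: the server writes (ID_C, B, p, g) to the card ROM."""
    return {"id": id_c, "B": xor(h(pw), h(x, id_c)), "p": P, "g": G}

def login(card, typed_pw, x, registered_ids):
    """Steps 1-4; True only if both T_S and T_C verify."""
    p, g = card["p"], card["g"]
    # Step 1 (client): Z = B xor h(PW), N_C = g^u mod p
    z = xor(card["B"], h(typed_pw))
    u = secrets.randbelow(p - 1)
    n_c = pow(g, u, p)
    # Step 2 (server): reject unknown ID_C, else compute N_S, K, Z', T_S
    if card["id"] not in registered_ids:
        return False
    v = secrets.randbelow(p - 1)
    n_s, k = pow(g, v, p), pow(n_c, v, p)
    z_srv = h(x, card["id"])
    t_s = h(z_srv, n_c, n_s, k)
    # Step 3 (client): K' = N_S^u mod p, check T_S' = T_S, then send T_C
    k_cl = pow(n_s, u, p)
    if not hmac.compare_digest(h(z, n_c, n_s, k_cl), t_s):
        return False          # client aborts: server tag did not verify
    t_c = h(z, n_s, n_c, k_cl)
    # Step 4 (server): check T_C' = T_C
    return hmac.compare_digest(h(z_srv, n_s, n_c, k), t_c)

if __name__ == "__main__":
    x = secrets.token_bytes(16)                 # 128-bit server secret
    card = issue_card(x, "alice", "493817")     # constructed ID and password
    print(login(card, "493817", x, {"alice"}))  # correct password
    print(login(card, "000000", x, {"alice"}))  # wrong password
```

With a wrong password the client derives a different Z, so the check in Step 3 fails before T_C is ever sent.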
Answer the following questions:
(a) Perform a security analysis for the above protocol against a passive attacker.
(b) Perform a security analysis for the above protocol against an active attacker.
Hint: consider the situation that the attacker has obtained one of the identification factors.
Problem 3
Consider the following key exchange protocol which is a variant of the Diffie-Hellman protocol. Each user P has a private key x_P and public key g^(x_P) mod p where p is a large prime number and g is a generator of a subgroup with a large prime order q (i.e., the small subgroup attack doesn't work).
1: A → B: g^(r_A) mod p
2: B → A: g^(r_B) mod p
Shared Key K = g^(r_A·x_B) + g^(r_B·x_A) mod p. In the protocol, r_A and r_B are randomly chosen in each session.
a) Show the key derivation formulas of User A and User B (i.e., how does each user compute the shared key?)
b) Does the man-in-the-middle attack against the textbook Diffie-Hellman protocol work against the above protocol? Justify your answer.
c) Show that this protocol is insecure in the CK model (i.e., describe an adversary A that can win the security game with a non-negligible advantage over random guess).
Problem 4
Consider the following Password-based Key Exchange protocol where A and B share a common password P. In the protocol, E_P() denotes a secure symmetric key encryption algorithm using P as the encryption/decryption key; Enc_PK() denotes a secure public key encryption algorithm using PK as the encryption key. The public key PK and the corresponding secret key SK are owned by A. K is a random session key chosen by B in each session and doubly encrypted using Enc_PK() and E_P().
1. A → B: E_P(PK)
2. B → A: E_P(Enc_PK(K))
Output: K (session key)
(a) Is the protocol secure if PK is publicly known by everyone? Justify your answer.
(b) Is the protocol secure if PK is freshly generated by A in each session? Justify your answer.
Problem 5
Alice and Bob are employees residing in two dispersed branches, D1 and D2, of the same company. They want to secure all the communications between them as follows:
i) they want to ensure the authenticity of their IP packets when those packets are routed in the company intranet (i.e., Alice can verify a packet is indeed from Bob, and vice versa);
ii) they want to ensure confidentiality of their IP packets (including IP addresses) when those packets are routed in the external network between D1 and D2.
Design a security solution for the above scenario. Describe the format of an IP packet when it is delivered at different sections of the network.