Massachusetts Institute of Technology                                 Handout 15
6.857: Network and Computer Security                           October 23, 2003
Professor Ronald L. Rivest

Take-Home Midterm

You are to do this take-home midterm by yourself — you may use your own notes, books, libraries, the Internet, etc., but you should not consult anyone other than course staff (including by email) about this exam. We repeat: no collaboration is allowed.

If you need a problem clarified, email [email protected] or ask in person. We may occasionally send clarifications or bug fixes to the [email protected] list, so please make sure you are on that list, and check your email frequently!

Give citations for any material (other than your lecture notes and class handouts) that you use. Keep in mind that citations are not always correct or sufficient for justification. It is best to rely on your own reasoning and the material presented in class.

This midterm is due on paper, in room 6-120 on Thursday, October 30 at the beginning of class.

Your answers must be typed! Each problem answer must appear on separate sheets of paper. Mark the top of each sheet with your name, the course number (6.857), the problem number, and the date. Answers must be typed and clear. We have provided templates for LaTeX and Microsoft Word on the course website.

Grading and Late Policy: Each problem is worth 10 points, except where noted. Late midterms will not be accepted without prior approval. Midterms submitted via email will not be accepted without prior permission.

With the author's permission, we will distribute our favorite solution to each problem as the "official" solution – this is your chance to become famous! If you do not wish for your answers to be used as an official solution, or if you wish that it only be used anonymously, please note this on your write-up.

Problem M-1. Protocol Design

Here is a protocol used for mutual authentication in a private peer-to-peer network. All members of the network know a common secret key, K. When two peers connect to each other, they both want to verify that the other is a member of the network.

A uses K to encrypt a nonce n, and sends the ciphertext to B. B decrypts the nonce, adds one to it, and re-encrypts it, sending the ciphertext back to A. A then decrypts the nonce, and verifies that it is the correct value.

Schematically, the protocol looks like this:

    A → B : A, {n}_K          (1)
    B → A : B, {n + 1}_K      (2)

(Recall {·}_K denotes symmetric encryption under key K. The particular mode of encryption, if relevant, will be specified below.)

Because the protocol is designed to be used in a peer-to-peer network, another instance of this protocol is run concurrently, but with the roles reversed (i.e., B chooses a nonce, and A decrypts it). There is no coordination between the messages of the two instances, other than the fact that the initiation of one instance stimulates the initiation of the other, after some delay.

(a) If one of the parties is controlled by an adversary (who does not know the key K), describe how it can authenticate itself with the other party (who does know K). Your attack should be independent of the particular mode of operation used in the implementation, and should involve only two parties. Describe a possible fix that does not change the contents of the messages.

Now consider a client-server model, in which the client C and server S share a secret key K, and S wants to authenticate C (but not vice versa). Their identities (also called C and S) are both 64-bit numbers, and are publicly known.

To perform the authentication, S appends a randomly chosen 64-bit nonce n to its identity, encrypts the result, and sends the ciphertext to C. C decrypts the message, checks the identity of S, and increments the nonce. C then appends the (incremented) nonce to its own identity, encrypts, and sends the ciphertext back to S. Finally, S decrypts the message and verifies the identity of C and the correct value of the nonce.
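The client-server exchange just described, written out in Go as an added example that is not part of the handout. It assumes the single-block CBC encoding that part (b) below specifies (a 128-bit IV followed by AES_K(m ⊕ IV)), packs S ◦ n as two big-endian 64-bit fields that fill exactly one AES block, and uses a constructed key and constructed identities in main. Each side's check is implemented: C rejects a challenge that names a different server, and S accepts only a reply that carries C's identity together with exactly n + 1.

```go
package main

import (
	"crypto/aes"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// A 64-bit identity followed by a 64-bit nonce fills one AES block, so each
// message is one CBC block encoded as IV || AES_K(m XOR IV), as in part (b).
const blockLen = aes.BlockSize

func encryptCBC1(key, m []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 2*blockLen) // fresh IV, then the cipher block
	if _, err := rand.Read(out[:blockLen]); err != nil {
		return nil, err
	}
	c := out[blockLen:]
	for i := range c {
		c[i] = m[i] ^ out[i] // m XOR IV
	}
	block.Encrypt(c, c)
	return out, nil
}

// decryptCBC1 recovers m = AES_K^-1(c) XOR IV, rejecting malformed input first.
func decryptCBC1(key, ct []byte) ([]byte, error) {
	if len(ct) != 2*blockLen {
		return nil, fmt.Errorf("ciphertext is %d bytes, want IV plus one block", len(ct))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	m := make([]byte, blockLen)
	block.Decrypt(m, ct[blockLen:])
	for i := range m {
		m[i] ^= ct[i]
	}
	return m, nil
}

// pack/unpack convert between (id, nonce) and the plaintext id ◦ nonce (big-endian fields).
func pack(id, nonce uint64) []byte {
	m := make([]byte, blockLen)
	binary.BigEndian.PutUint64(m[:8], id)
	binary.BigEndian.PutUint64(m[8:], nonce)
	return m
}

func unpack(m []byte) (id, nonce uint64) {
	return binary.BigEndian.Uint64(m[:8]), binary.BigEndian.Uint64(m[8:])
}

// ServerChallenge builds message (1), {S ◦ n}_K, and returns n for the later check.
func ServerChallenge(key []byte, s uint64) (msg1 []byte, n uint64, err error) {
	var buf [8]byte
	if _, err = rand.Read(buf[:]); err != nil {
		return nil, 0, err
	}
	n = binary.BigEndian.Uint64(buf[:])
	msg1, err = encryptCBC1(key, pack(s, n))
	return msg1, n, err
}

// ClientRespond checks that message (1) names the expected server, then builds message (2), {C ◦ (n + 1)}_K.
func ClientRespond(key []byte, c, expectedS uint64, msg1 []byte) ([]byte, error) {
	m, err := decryptCBC1(key, msg1)
	if err != nil {
		return nil, err
	}
	s, n := unpack(m)
	if s != expectedS {
		return nil, fmt.Errorf("challenge names server %#x, expected %#x", s, expectedS)
	}
	return encryptCBC1(key, pack(c, n+1))
}

// ServerVerify accepts message (2) only if it carries C's identity and exactly n + 1.
func ServerVerify(key []byte, expectedC, n uint64, msg2 []byte) bool {
	m, err := decryptCBC1(key, msg2)
	if err != nil {
		return false
	}
	c, r := unpack(m)
	return c == expectedC && r == n+1
}

func main() {
	key, S, C := []byte("0123456789abcdef"), uint64(0x1111), uint64(0x2222) // constructed sample values
	msg1, n, err := ServerChallenge(key, S)
	msg2, err2 := ClientRespond(key, C, S, msg1)
	if err != nil || err2 != nil {
		panic(fmt.Sprint(err, err2))
	}
	fmt.Printf("(1) S -> C: %x\n(2) C -> S: %x\nserver accepts: %v\n", msg1, msg2, ServerVerify(key, C, n, msg2))
}
```

The three exported functions follow the two messages in order: ServerChallenge produces (1), ClientRespond produces (2), and ServerVerify is the server's final check. What that check rejects (a reply with the wrong client identity, a nonce other than n + 1, or a ciphertext that is not an IV plus one block) is the reference point for reasoning about the encoding in parts (b) and (c).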
In contrast to the previous scenario, only one instance of the protocol is run at a time.

Schematically, the protocol looks like this:

    S → C : {S ◦ n}_K            (1)
    C → S : {C ◦ (n + 1)}_K      (2)

(As usual, ◦ denotes concatenation.)

(b) Suppose the encryption is done under AES in CBC mode. (That is, an encryption of a 128-bit value m consists of a 128-bit IV, followed by AES_K(m ⊕ IV).) Describe how an adversarial client (who does not know K) can successfully authenticate itself with the server, with some reasonable probability.

(c) Suggest a possible fix to the bug you found (the resulting protocol need not be totally secure; it simply has to fix the bug). If at all possible, encryption should remain under AES in CBC mode, and the nonce should remain secret to an eavesdropper. Feel free to modify the protocol, but try to make the smallest changes possible.

Problem M-2. SSL Certs

This problem takes an in-depth look at SSL certificates.

(a) Internet Explorer 6 on Windows XP comes with a VeriSign Class 4 Primary CA certificate installed as a trusted root certificate.

    Signature algorithm: SHA1-RSA
    Issuer:  VeriSign Trust Network
             (c) 1998 VeriSign, Inc. - For authorized use only
             Class 4 Public Primary Certification Authority - G2
             VeriSign, Inc.
             US
    Subject: VeriSign Trust Network
             (c) 1998 VeriSign, Inc. - For authorized use only
             Class 4 Public Primary Certification Authority - G2
             VeriSign, Inc.
             US
    Valid from: Sunday, May 17, 1998 8:00:00 PM
    Valid to:   Tuesday, August 01, 2028 7:59:59 PM
    Public key: RSA (1024 Bits)
    Thumbprint algorithm: SHA1

How do users of Internet Explorer know that they can trust this certificate? Discuss the security of this certificate today and over the certificate's intended lifespan.

(b) The Palm Store at https://store.palm.com/checkout/index.jsp?process=login is an SSL-enabled website. The SSL certificate has the following fields:

    Signature algorithm: SHA1-RSA
    Issuer:  Equifax Secure Certificate Authority
             Equifax
             US
    Subject: store.palm.com
             Domain Control Validated - Organization Not Validated
             See www.geotrust.com/quickssl/cps (c)02
             store.palm.com
             Santa Clara
             California
             US
    Valid from: Monday, August 26, 2002 11:40:56 AM
    Valid to:   Wednesday, September 08, 2004 11:40:56 AM
    Public key: RSA (1024 Bits)
    Thumbprint algorithm: SHA1

This certificate was issued by Equifax Geotrust; a root certificate for Equifax Geotrust is pre-installed in Internet Explorer and Netscape Navigator.

Review the Certificate Practice Statement at http://www.geotrust.com/quickssl/cps.

How is this certificate different
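As an added example that is not part of the handout, the following Go program builds a self-signed root with the key size and validity dates quoted in part (a) and runs a small lint over it, reporting the properties a relying party should weigh before trusting a pre-installed root: that it is self-signed (so its authority comes from the trust store that ships it, not from any signature), that its RSA key is 1024 bits, and that it is meant to stay valid for about thirty years. The 2048-bit floor and the 25-year lifetime threshold are assumptions chosen for this example; the subject name is constructed; and the sample is signed with Go's default for RSA keys (SHA-256) rather than the SHA1-RSA the handout lists, so the deprecated-hash check in the lint is driven by the algorithm list only.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Thresholds are assumptions for this example: 2048-bit RSA as the floor that
// current guidance sets, and 25 years as a lifetime beyond which the key must
// outlast more cryptanalytic progress than anyone can forecast.
const (
	minRSABits   = 2048
	maxRootYears = 25.0
)

// RootReport collects what a relying party should know before trusting a root.
type RootReport struct {
	SelfSigned, WeakKey, WeakHash, LongLived, Expired bool
	RSABits                                           int
	LifetimeYears                                     float64
	Findings                                          []string
}

// LintRoot evaluates a parsed certificate as of the time now.
func LintRoot(cert *x509.Certificate, now time.Time) RootReport {
	var r RootReport
	// A self-signed root vouches only for itself; its authority comes from the
	// trust store that chose to ship it, not from its signature.
	if r.SelfSigned = bytes.Equal(cert.RawSubject, cert.RawIssuer); r.SelfSigned {
		r.Findings = append(r.Findings, "self-signed: trust rests entirely on the trust store that ships it")
	}
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		r.RSABits = pub.N.BitLen()
		if r.WeakKey = r.RSABits < minRSABits; r.WeakKey {
			r.Findings = append(r.Findings, fmt.Sprintf("RSA-%d key is below the %d-bit floor", r.RSABits, minRSABits))
		}
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		r.WeakHash = true
		r.Findings = append(r.Findings, "signature uses a deprecated hash: "+cert.SignatureAlgorithm.String())
	}
	r.LifetimeYears = cert.NotAfter.Sub(cert.NotBefore).Hours() / (24 * 365.25)
	if r.LongLived = r.LifetimeYears > maxRootYears; r.LongLived {
		r.Findings = append(r.Findings, fmt.Sprintf("valid for %.1f years: the key size must stay adequate for the whole period", r.LifetimeYears))
	}
	if r.Expired = now.Before(cert.NotBefore) || now.After(cert.NotAfter); r.Expired {
		r.Findings = append(r.Findings, "outside its validity period at the evaluation time")
	}
	return r
}

// MakeSelfSignedRoot builds a self-signed CA certificate for exercising the lint.
// The subject name is constructed. Go signs with its default for RSA keys
// (SHA-256), so the key size and dates mirror the handout's root but its
// SHA1-RSA signature is not reproduced here.
func MakeSelfSignedRoot(bits int, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Primary CA (constructed)"},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Key size and validity dates of the VeriSign Class 4 root quoted in part (a).
	from := time.Date(1998, time.May, 17, 0, 0, 0, 0, time.UTC)
	to := time.Date(2028, time.August, 1, 0, 0, 0, 0, time.UTC)
	cert, err := MakeSelfSignedRoot(1024, from, to)
	if err != nil {
		panic(err)
	}
	for _, f := range LintRoot(cert, time.Now()).Findings {
		fmt.Println("-", f)
	}
}
```

Evaluated as of the handout's date the lint reports three findings for the 1998 root (self-signed, 1024-bit key, roughly 30-year lifetime); evaluated after August 2028 it also reports the certificate as outside its validity period. The same LintRoot runs unchanged over any parsed certificate, so it can be pointed at a real trust-store export once the thresholds have been set to the policy in force.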