Intro To Secure Comm. Exercise 2
Problem You wish for your users to access a remote server via user and password. All of the users have modems and you trust the phone company to have secured phone lines (no eaves dropping on the line). All the users must use “good” passwords. 1.What is a “good” password? 2.What is the problem with “good” passwords? 3.How can you build a device that can help the user? Hint: the device may generate the passwords
Solution A good password is one that is immune to common dictionary- attacks, and is pseudo random Good passwords are hard to remember so users tend to write them down The device may be PRF K (USER|DATE|TIME) MD5(K|USER|DATE|TIME)
Problem You wish your users to login to a remote computer You wish that ADV getting hold of that computer won’t be able to retrieve the stored passwords easily What method would you use to store the passwords?
Solution The simplest solution would be to store a hash of the passwords.
Problem What hash attributes do we require for this scheme?
Solution We would like OWF So that ADV can’t efficiently find a pre image for our passwords We would like CRHF So that ADV can’t efficiently find a collision to our password
Problem Authentication possibilities Something You know Something You have Something You are Give examples for the above What may be the problems?
Solution – Something you know Password/secrets are things you suppose to know and no other The cost is minimal, however we usually choose intuitive things to know. When secrets are not intuitive we tend to forget them/write them down so we don’t forget them.
Solution – Something you have Usually smart cards are things we have and no one else. Problems are higher cost We tend to forget the devices if they are small We tend not to use them if they are big They may be stolen, and then what?
Solution – Something you are Biometrics is a common way to identify a person (eye, finger print …) Costs a lot (smart devices, training time) May not have high precision, i.e. long retries, forgeries
Suggested solution Hybrid approach A small device which incorporates a PIN or a password to operate Something like a SecureID device, Portable phone with a key…
Problem Devise a simple secure way to prove the knowledge of the secret (password) without ADV being able to know the password
Solution Send h(password) to server Against what types of ADV is it secure? What may be the problem with the following protocol in case of an eavesdropper/spoofer ADV?
Solution 2 ADV may not have to know the password in order to login, he just has to listen to it and send it to the server.
Problem Find a way to simply defend against an eavesdropper/spoofer ADV
Solution Use S/KEY password scheme Each user has n successful login attempts. At startup, the server receives h(x) n Each login the server receives h(x) n-i The server validates h(h(x) n-i )=h(x) n-(i-1) Against what type of attack is this protocol not immune to? What are its weaknesses?
Solution The protocol is not immune against a spoofer/eavesdropper which spoofs the server When establishing a new chain of hashes, the spoofer can intercept the transmission and send it as it was his own (or send h(x) n+1 ).
Problem Common antivirus programs have the feature of “immune”\”sign” a file. In case the file is changed the software knows it immediately. Common method is using a hash function to create a digest for the file. What are the requirements from the hash function?
Solution The hash function must be at least WCRHF. This is because the file may already be known to the virus and the virus will need to find a collision in order to fool the antivirus program. What other methods would you use to ensure that the file wasn’t tempered with?
Problem The following scenario is suggested for establishing session keys Alice and Bob share a secret (key phrase/password) Alice generates Session key K and send E P (K) to Bob Bob receives E P (K), deciphers and uses K as the new session key. What are the threats to the model? Is this solution secure against an eavesdropper?
Solution The solution is problematic when a password is used. Passwords are susceptible to dictionary attack. The eavesdropper may discover p and thus the session key k (and may discover any other session keys) Suggest a better protocol
Solution Alice Generates pub A and priv A. Alice sends E P (pub A ) to Bob Bob deciphers and sends to Alice Pub A (k) Alice sends to Bob E k (challengeA) Bob responds E k (challengeA||challengeB) Alice responds (challengeB) What cryptographic method is E?
Solution The cryptographic method is a MAC Why not simply use an encryption method?
Problem Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code). Namely, they send Encrypt(Message||Hash(Message)), and hope that in so doing, they achieve encryption and authentication together. Show that this design is insecure (an attacker can modify a message and it would still be considered authentic). Hint: this is easy to show, when using one-time-pad or OFB mode encryption.
Solution Assuming OTP is used and ADV knows some information about the message. ADV knows the algorithm, so knows which hash function is used. Knowing so, he can figure out the key encrypting the message (known plain text). Since he knows the message and hash of the message, he can figure out the key encrypting the hash. ADV can now calculate new message and new hash for the message and replace them.
Solution ADV’s playout: k m =mc m (revealing the key of m) k h(m) =h(m) c h(m) Forge: m’k m ||h(m’)k h(m) This is a poor MAC because it isn’t even immune to KMA.