------------------------------------------------------------------------------
Mohamed G. Gouda
CS 386S Spring 2009
Midterm 2
------------------------------------------------------------------------------
Open book
75 minutes
------------------------------------------------------------------------------

1. (10 points) In the Single Password Protocol (SPP), a server S maintains the
following tuple for each user C that wishes to communicate securely with S:

    (C, n_i, H^2(P, S, n_i))

where
    C    is the name of the user that created and stored this tuple in S
    n_i  is a nonce created by user C and stored in server S
    P    is the universal password of user C
    H    is a secure hash

It is assumed that SPP is to execute on top of https, and so the (three)
messages exchanged within SPP are encrypted by the master secret ms of the
https session.

Now assume that a new version of SPP, called SPP', is to be executed on top of
http. In SPP', each server S has a public key B (and a corresponding private
key R) and it stores the same tuple as above for each user C that wishes to
communicate securely with S. The three messages of SPP' are defined as follows:

    C --> S : C
    C <-- S : n_i, cert(S, B)
    C --> S : B

where cert(S, B) is a certificate that certifies B to be the public key of S,
and sk is a symmetric session key created by C that is used to encrypt and
decrypt the subsequent messages between C and S.

i.  List five attacks against which SPP' is secure.
ii. Will SPP' remain as secure if we replace cert(S, B) by B in the second
    message of the protocol? Explain your answer.

-------------------------------------------------------------------------------

2. (10 points) Consider the following firewall F that has two fields x and y,
whose values range over the integer interval [0, 9], and three rules:

    x in [0, 4] ^ y in [2, 3] --> accept
    x in [0, 6] ^ y in [1, 4] --> discard
    x in [0, 9] ^ y in [0, 9] --> accept

a. Construct the firewall decision diagram (FDD) for firewall F.
b. From the constructed FDD, compute how many rules one needs to write in a
   conflict-free firewall F' such that F and F' accept and discard exactly
   the same packets.

-------------------------------------------------------------------------------

Solutions.

1. i. The protocol SPP' is secure against the following attacks.

a) Eavesdropping. Only S knows R, so only S can read the third message. Hence
   only S will know sk and be able to read subsequent messages.

b) Guessing. The third message has an unknown nonce n_(i+1) which acts as a
   confounder, as well as two unknown hashes. The attacker would have to
   correctly guess the nonce, the password P, and sk at the same time.

c) Replay. The value stored in the database is always replaced by a fresh one,
   i.e. H^2(P, S, n_(i+1)). Replayed messages are thus discarded.

d) Password file theft. The password file only contains H^2(P, S, n_i), from
   which the attacker cannot extract the H(P, S, n_i) needed to pose as the
   user (and of course cannot extract P).

e) Message log theft. The attacker cannot read messages without knowing R. If
   the attacker can steal R as well, he still cannot obtain P; at best he can
   use sk for one session.

f) MIM. The message is certified to be from S. Nobody can insert themselves as
   a man in the middle and read the messages forwarded back and forth.

ii. No. If cert(S, B) is replaced by B, some attacker A can pose as server S,
as the user C no longer has proof of the authenticity of S.

    C    -> A(S) : C
    A(C) -> S    : C
    A(C) <- S    : n_i, B
    C    <- A(S) : n_i, B_A
    C    -> A(S) : B_A
    A(C) -> S    : B

Thus A succeeds in launching a MIM attack. Further, as the server has no means
of checking, the attacker can take his own password P' and store
H^2(P', S, n_(i+1)) on the server. This effectively locks the real user out and
lets only the attacker pose as the user!

2. a.

    x -[0,4]-> y -[0,0][2,3][5,9]-> acc
                 -[1,1][4,4]-> dis
      -[5,6]-> y -[0,0][5,9]-> acc
                 -[1,4]-> dis
      -[7,9]-> y -[0,9]-> acc

b. Number of rules = load(x) = (1 * 3 + 1 * 2) * 1 + (2 * 1 + 1 * 1) * 1 + 1 = 9.
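As an added worked example for question 2 (not part of the exam or its solutions), the following Python builds the FDD of firewall F by grouping consecutive x values whose column of first-match decisions over y is identical, collapses each group's y values into maximal intervals per decision, and derives the conflict-free firewall F' and its rule count; the rule encoding, function names and the choice to reduce the FDD by identical decision columns are my own assumptions.

```python
from typing import Dict, List, Tuple

Interval = Tuple[int, int]
Rule = Tuple[Interval, Interval, str]  # (x range, y range, decision)
DOMAIN = (0, 9)                        # both fields range over [0, 9]
# Firewall F from question 2, in priority order (first match wins).
RULES_F: List[Rule] = [((0, 4), (2, 3), "accept"), ((0, 6), (1, 4), "discard"),
                       ((0, 9), (0, 9), "accept")]

def first_match(rules: List[Rule], x: int, y: int) -> str:
    """Decision of the first rule that matches packet (x, y)."""
    for (xl, xh), (yl, yh), decision in rules:
        if xl <= x <= xh and yl <= y <= yh:
            return decision
    raise ValueError(f"incomplete firewall: no rule matches ({x}, {y})")

def to_intervals(values: List[int]) -> List[Interval]:
    """Collapse an ascending list of ints into maximal [lo, hi] intervals."""
    out: List[Interval] = []
    for v in values:
        if out and out[-1][1] == v - 1:
            out[-1] = (out[-1][0], v)
        else:
            out.append((v, v))
    return out

def build_fdd(rules: List[Rule]) -> Dict[Interval, Dict[str, List[Interval]]]:
    """FDD as {x edge: {decision: y intervals leading to that decision}}. Consecutive
    x values with an identical column of decisions over y share one x edge."""
    lo, hi = DOMAIN
    ys = range(lo, hi + 1)
    column = {x: tuple(first_match(rules, x, y) for y in ys) for x in ys}
    fdd, start = {}, lo
    for x in ys:
        if x == hi or column[x + 1] != column[x]:   # x edge [start, x] ends here
            by_decision: Dict[str, List[int]] = {}
            for y, d in zip(ys, column[x]):
                by_decision.setdefault(d, []).append(y)
            fdd[(start, x)] = {d: to_intervals(v) for d, v in by_decision.items()}
            start = x + 1
    return fdd

def conflict_free_rules(fdd) -> List[Rule]:
    """F': one non-overlapping rule per (x interval, y interval) path of the FDD."""
    return [(xi, yi, d) for xi, edges in fdd.items() for d, ivs in edges.items() for yi in ivs]

def load(fdd) -> int:
    """Rule count of F' (each x edge built above is one interval, so its factor is 1)."""
    return sum(len(ivs) for edges in fdd.values() for ivs in edges.values())
```

Because the rules of F' never overlap, first_match gives the same decision on every packet regardless of the order in which they are listed, which is the conflict-freedom property the question asks for.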