THE UNIVERSITY OF HONG KONG
FACULTY OF ENGINEERING DEPARTMENT OF COMPUTER SCIENCE
COMP7906A Introduction to Cyber Security Assignment
Answer all five questions.
1. Let (3, n) and (d, n) where d = 3-1 mod φ(n) be a pair of 2048-bit RSA public and private keys respectively. To sign a message m using RSA PKCS1 v1.5 requires one to form the block B
B=
where H denotes the SHA-256 hash algorithm and:
01 is a two-byte value indicating PKCS1 mode 1 is being used
0xFF … 0xFF is a variable length padding block (each padding byte is set
to 0xFF) to pad up B if necessary so that the size of B is equal to the size of
n (256 bytes in our case)
0x00 is a one-byte end of padding block indicator
The ASN1 field encodes the hash function that is used to hash the message
(this is a 19-byte fixed value for SHA-256)
Then the signature is s = Bd mod n. To verify the signature, the following steps are executed:
Step 1: Compute D = s3 mod n.
Step 2: Check the block D from left to right:
o If the leftmost two byte is not 01, reject the signature.
o Skip all 0xFF until one hits 0x00. Skip 0x00 and check the ASN1
code, reject the signature if it is not the SHA-256 identification
code.
o Otherwise read the next 32-byte and compute the SHA-256 value
of m. Compare these two values, if these values are not equal
reject the signature.
o Otherwise accept the signature.
Show that given the public key <3, n>, an attacker can forge the signature on any message of the attacker’s choice.
2. (a) A DES key K is said to be self-dual or weak if and only if EK(m) = DK(m) for all 64-bit binary strings m. Show that the following (in hexadecimal representation) are DES weak keys
0101 0101 0101 0101 FEFE FEFE FEFE FEFE 1F1F 1F1F 0E0E 0E0E
01
0xFF … 0xFF
0x00
ASN1
H(m)
P.1 of 3
E0E0 E0E0 F1F1 F1F1
(b) A pair of DES keys K1 and K2 are said to be dual or semi-weak if and only if
3. Each user U has a private key KpriU and a public key KpubU. Also assume that the public keys are securely shared among the users. Consider the following scheme.
1. A → B: K || EK(C) || SignKpriA(K) || SignKpriA(EK(C))
2. B → A: K’ || EK’(C) || SignKpriB(K) || SignKpriB(EK’(C))
where K and K’ are session keys generated by A and B respectively, SignKpriU denotes the digital signature generated by user U with U’s private key. Let C denotes the content of the contract that users A and B wants to agree upon. Can this scheme be used to fulfill the following requirements? Explain your answer.
(R1) Non-repudiation – once agreed neither A nor B can back out.
(R2) If there is a dispute, an injured user should be able to bring the case to court and prove to the judge that the other party has agreed to the terms set out in the contract. To do this, a user should never need to give his/her private key to the judge. However, he/she can provide the judge with any relevant session keys.
4. The senior management of ABC Ltd would like to safeguard the confidentiality of the messages they exchange. They have received three proposed solutions:
(S1) For any two users A and B share a 256-bit AES KAB. If A wants to send a message to B, A proceeds as follows:
(S1.1) A computes the hash of the current timestamp by using a cryptographically strong hash function. It is assumed that the timestamp has sufficient accuracy that no two separate operations will use the same timestamp.
(S1.2) Encrypt the message use AES with KAB using the counter mode and taking the hash value computed in (S1.1) as IV.
(S2) Any two users A and B have a unique pre-shared secret key an n-bit secret KAB. Also each user U will keep a long-term counter CU which is set to 0 initially. Assume that there is no overflow risk for the counter and the all messages are of n bits long (otherwise, we can divide the message into blocks of size n bits and do padding if necessary). If A wants to send a message m to B, A proceeds as follows:
P.2 of 3
(m) = DK2
EK1
are dual.
(m) for all 64-bit binary strings m. Show that the keys 01FE 01FE 01FE 01FE
FE01 FE01 FE01 FE01
(S2.1) A computes h(KAB) by using a cryptographically strong hash function h with n bits outputs.
(S2.2) A increases the value of CA by 1 and computes PRNG(CA), where PRNG is a secure pseudorandom number generator with seed CA.
(S2.3) Let p = the first n bits of PRNG(CA) computed in (S2.2). The ciphertext is computed as h(KAB) ⨁ p ⨁ m
(S3) Each user U has a private key KpriU and a public key KpubU. The public keys are securely shared among the users. The following protocol is used to generate session keys for secure message exchanges:
1. A → B: EKpubB(idA || n1)
2. B → A: EKpubA(n1 || n2)
3. A → B: EKpubB(n2)
where n1 and n2 are nonces. A and B then generate the session key as K=n1 ⨁n1
We assume that the nonces are of the right sizes (same as desired size of the session key). The subsequent messages that are exchanged in this session will be encrypted and decrypted by using K.
The proposed solution is secure if an attacker, after observing all the ciphertexts that are exchanged between the users, learns nothing about the content of the message except its size.
(a) Is (S1) secure? (b) Is (S2) secure? (c) Is (S3) secure?
Explain your answer.
Explain your answer.
If you consider it to be secure, explain why; otherwise,
describe one attack to (S3) and modify the protocol to make it secure.
5. Choose either Example1.py or Example1.R and perform the following:
(a) Run the code you have chosen on reputation1115.dat, submit the results with
brief explanations to the results.
(b) Identify two possible directions for further investigations.
P.3 of 3