Information Security Qualifier

Information Security Qualifier
Spring 2002
April 8, 2002

Instructions: Answer any 6 from the 9 questions.

1. Design a digital signature system (where each end user of your system is able to digitally sign documents and the signatures can be verified). Please describe cryptographic protocols, algorithms, and hardware used for each instance (Root CA, CA’s, end users…). Describe if your system uses one or multiple root CA’s, one or multiple level of CA’s (CA’s that certify other CA’s). Describe procedures for generation of key pairs and certificates at each level (from root CA to end users). Describe if there is a procedure/protocol for backup of private keys (specify them at each level). Describe the revocation procedure. Please be specific on advantages and disadvantages of your system.

2. Critique the following protocol pointing out strengthens and weaknesses.

Voting Model

There are four entities in this model. The Voting Application, which communicates with the voter. The voting kernel, which implements certain secure functions on behalf of the voting application. The Registrar who verifies which voters are allowed to vote. The Tallier who collects votes and posts the results.

Section 1.

Voting application (VA) gets a copy of the non-unique ballot b_i generates a random ID = V_i and fills in ballot votes.

VA encrypts (V_i + b_i ) with public key of Tallier to produce B_i. Then blinds e_i with blinding factor f_i to produce x_i. Then computes a MAC of x_i using its registered password to produce m_i.

Sends combination (ID, x_i, m_i) to the registrar.

Registrar will verify that the correct password of ID was used to produce m_i and then will sign x_i to produce z_iand sends z_iback to the VA.

Section 2.

VA receives and verifies that the signature on z_i was from the register.

VA passes a copy of the ID V_i and ballot b_i to the voting kernel.

Voting kernel encrypts a random ID = r_i and garbage ID = g_i with the Tallier’s Public key to produce R_i and G_i

Voting kernel Computes the Hash(r_i + b_i + g_i) = h_{i .}

The voting kernel will establish anonymous connection with the Tallier via the VA.

Voting kernel Sends the R_i, G_i and the z_i to the Tallier.

Tallier will decrypt R_i, G_i and z_i(verifying the registrar’s signature on z_iand verifying that V_ihas not been used before) with private key and then re-encrypt (b_i+ g_i) with a session key k_ito produce S_i . Tallier will then compute the hash(r_i+ b_{i +} g_i) = H_i

Tallier will post the combination [r_i, S_i, H_i] to publicly viewable bulletin board.

Tallier will reply to VA with a confirmation yes or no to notify incase of transmittion errors.

VA will query the bulletin board for entire list and pass to voting kernel. SAC will look at r_i and H_i

Voting kernel affirms that H_i matches its h_ito verify that the vote was correctly counted.

Return Yes/No to the VA.

Section 3.

After the election closes, the Tallier will publish the session key k_ito the bulletin board.
Registrar will publish the list of the ID’s of the registered voters who voted and the ID’s of the registered voters who did not vote.

3. Design a computer system that uses smart cards and biometrics for authentication and log in. Be specific about any cryptographic algorithm you use and where you have a security perimeter and where you don’t. Describe any mechanism you use to protect communication that needs to go outside security perimeters.

4. Answer the following:

a) Suppose that Alice and Bob share a common RSA modulus n=pq, but use different public exponents e_A and e_B with (e_A, e_B) = 1. Carol uses RSA to encrypt the same message M as Y_A = M^e_A mod n and Y_B = M^e_B mod n, then sends Y_A and Y_B to Alice and Bob respectively. Show that an eavesdropper Eve who intercepts Y_A and Y_B can quickly recover the message M.

b) To speed up RSA encryption, one is tempted to use a small public exponent for encryption. Suppose that Alice, Bob, and Carol all use the integer 3 as the public exponent, and have public keys (N_A, 3), (N_B, 3), (N_C, 3) respectively, where each of N_A, N_B, and N_C is a product of two randomly chosen primes. Suppose that you want to send the same message M to all three of them. Is it secure to encrypt Y_A = M^3 mod N_A , Y_B = M^3 mod N_B, and Y_C = M^3 mod N_C, and send the ciphertexts Y_A, Y_B, and Y_C to Alice, Bob, and Carol respectively?

c) Suppose that Alice is using RSA with modulus n, private exponent d and public exponent e. Suppose an eavesdropper Eve capture the private exponent d. Is it secure for Alice to keep the same n and create a new pair (e', d')?

5. Pseudorandomness and Private-key Encryption

A family of functions
F = {f:{0,1}^n -----------> {0,1}^{l(n)}} is an efficient pseudorandom family of functions if the following conditions hold:

Efficienct Evaluation: There is an efficient algorithm for computing f(x) for each f in F and each x in {0,1}^n.
Efficient Samplability: There is an efficient algorithm for sampling a uniformly random function f from F.
Pseudorandomness: No efficient algorithm can distinguish between (a) a random string r in {0,1}^{l(n)}, and (b) f(x) for a randomly chosen function f in F, and any fixed x in {0,1}^n.

Show how to construct a secure private-key encryption scheme from any given efficient pseudorandom family of functions.

6. Suppose a network IDS is equipped with a set of accurate detection rules for known attacks, i.e., each with 0 false negative rate and 0 false alarm rate (i.e., there is no uncertainty) if all evidence is available in the audit data. And supposed we don't care about new (i.e., unknown) attacks.

What are the factors that can affect the actual detection performance of the network IDS in run-time
Give 2 examples of attacks that are designed to evade the IDS;
How will you re-design an IDS for networks to address the problems you describe in (a) and (b)?

7. It has been shown that system call data can be used to model a program's behavior and detect some anomalies (see paper #17 in http://www.cc.gatech.edu/~wenke/ids-readings.html). What is the limit of this approach, i.e., what attacks or anomalies can go undetected? You should analyze this problem from two perspectives: a) the limit of information from the data; and b) the limit of the detection algorithm (you can use the algorithm in the paper for your analysis).

8. In Windows NT, both positive and negative access rights can be defined for files for given users or groups. Assume that groups can contain either users or other groups. Also, a process executes on behalf of a user (has a UID) and at the same time may have credentials for one or more groups. Discuss why it is desirable or useful to allow users to define both positive and negative access rights with files, and how does the system perform access checks to decide if a file request should be granted or denied.
Capabilities offer certain benefits over access control lists. Discuss what such benefits are? Does it make sense to use capabilities to enforce negative access rights?

9. As information rich applications that are deployed over the Internet become more common, it is important that application are able to ascertain the sources of information that are used by them. Many publish/subscribe systems have been proposed in the literature to support such applications. For example, the Gryphon system developed at IBM research aims to deliver information of interests to a large number of clients. Pointcast was an early example of a system that "pushed" information that was of interest to clients that "subscribed" to its services.

An abstract model of such information delivery systems includes several publishers that create information. Intermediate nodes or brokers can transform such information or combine information that is received from one or more publishers or brokers. Subscribers are information consumers that receive information from brokers or publishers. Clearly, applications that make use of such an information will be like to receive the information from trusted sources. One requirement that arises in such systems is the "pedigree" of information received at a subscriber, which allows the subscriber to infer who produced the information and what brokers have transformed it on its way to the subscriber.

You are asked to design a secure version of an information delivery system such as the one outlined in this question. First, you need to define a concrete security policy that would be appropriate in such an environment. In particular, you should include the pedigree requirement as part of your policy. Second, you should discuss the various mechanisms that you will employ to enforce the security policy that is proposed by you.

Clearly state all your assumptions and any support that must exist to enable you to build the secure information delivery system.