information security

Spring 2003 Information Security Qualifier

Instructions:

Please answer any 6 out of 9 questions

Give detailed answers to questions mentioning all the assumptions you are making and be comprehensive in your answers showing the details of your approach and understanding of the problem.

1. There is considerable debate surrounding the area of digital rights management (DRM). For example, operating systems in the future may limit if you can copy and share a music CD that you have purchased. They could also limit how many times you can play a song that has been downloaded from an online service. Clearly, this is an instance of a mandatory access control model (e.g., the policy is defined by some entity and cannot be violated by a user who “owns” a file that contains the music).

In this question, motivated by the scenario just described, you are asked to develop a model of resources, users and the organizational entity that defines the access control model. A trusted computing base mediates access to the resources that are requested by the user. It enforces an access control model that would be suitable for future DRM applications. Discuss the enforcement mechanisms in the operating system and security policy that would be used in this application. Feel free to make assumptions that are necessary to make the problem concrete so it can be answered.

2. Moore’s law states that processor speeds will continue to double every eighteen months. This is expected to continue at least until the end of this decade. In this question, you will explore the feasibility of password based user authentication around the year 2010. Assume that because of the need for stronger passwords, the entropy of each character in future passwords will be about 4 bits. Also, assume that a call similar to crypt() can be executed in 100 microsecond on a 1GHz processor which is available today. Estimate the password length if a brute-force attack to guess a password in year 2010 should take days and not hours. Do you think the password length that you get from this calculation is reasonable for humans to remember and use? If not, what methods can be used to increase the strength of passwords in the future. Explain your answer.

3. Assume that you have a very resource restricted client, which has an 8 bits processor running at 2 MHz, 500 bytes of nonvolatile memory and 1Kbytes of volatile memory. The client wants to communicate with a server as powerful as a traditional desktop workstation.

(a) List the advantages and disadvantages of using the RSA algorithm to mutually authenticate client and server.

(b) Design a protocol, including cryptographic algorithms used, that would provide to both client and server: (1) Authentication, (2) Confidentiality of data exchanged, and (3) Integrity of Data Exchanged.

Please list all your assumptions. Does your protocol prevent denial of service attacks?

4. Analyze the following protocol, used for remote authentication. Assume you want to authenticate yourself to a remote computer. You use a local computer that has a smart card and a fingerprint reader. You initially insert your smart card on the reader and place your finger on the fingerprint reader. The fingerprint reader reads your finger characteristics and sends to the card. The card validates the characteristics against the one stored inside it (assume that the storing of the characteristics have been performed on a previous registration process). If the characteristics are verified, the card challenges the user to enter a one-time password. The one time password is generated by a calculator-like device (like the SecurID equipment sold by RSA corporation) that the user carries. If the user enters the right password, the card will validate the password, and will send a signal to the remote computer that the user is authenticated locally. The remote computer then sends a prompt that is showed on the local computer. The user then enters her password to authenticate to the remote computer.

Make sure on your analyses to specify any assumption. The protocol above has intentionally omitted some details that you have to fill in with assumptions. Can you improve the above protocol? How does the protocol above compare with the ssh software used for remote login (without any fingerprint reader, smart card, or one-time password generator)?

You can assume that a smart card is a device that looks like a credit card and can store data and perform processing. However, data and computation inside it cannot be accessed from the outside. For example, a user cannot read a cryptographic key that is stored inside a smart card.

5. Suppose that there is a fast worm. Each instance of the worm scans the network to locate vulnerable hosts. When such a host is found, the worm exploits a buffer-overflow bug of a privileged service by sending a malicious packet(s) to the host. Upon successfully compromising the host, it replicates itself to multiple instances and each instance then repeats the above worm attack steps. Suggest some approaches to detect the the first instances of the worm (i.e., before someone tells you that there is worm attack and gives you some signature rules to block it). Are there any limitations to your approaches? Suppose after you first detect the worm, you want to dispatch "signatures" of the worm so that other network segments can block the malicious packets sent by the worm. How do you quickly (ideally, automatically) extract such signatures? Note that a signature rule such as "any packet to port 1443 shall be blocked" is not acceptable because this results in denial-of-service to servers that are not vulnerable to the worm.

6. Here is a new way to compute a message digest. Take the message, divide it into 128-bit chunks, and XOR all the chunks together to get a 128-bit result. Then do a standard message digest (e.g., MD5) on the result. Is this a good way to compute message digest?

7. There are three typical ways to use nonces as challenges in authentication protocols. Suppose N_a is a nonce generated by A, and B share key K, and f() is a function such as an increment. The three usages are as follows:

   Usage 1: (1) A --> B: N_a; (2) B --> A: K{N_a}.
   Usage 2: (1) A --> B: K{N_a}; (2) B --> A: N_a.
   Usage 3: (1) A --> B: K{N_a}; (2) B --> A: K{f(N_a)}.

Compare these three usages in terms of possible vulnerabilities.

8.   Suppose that Alice is using RSA with modulus N, private key d and public key e. Suppose that an adversary Eve captures the private key d. Is it secure for Alice to keep the same modulus N, but only change the pair (e; d) to a new pair (e0; d0)?

9.   Suppose that the RSA function RSAN;e(x) = xe mod N is a one-way function. Denote n = log2 N.

Then it is a well know result the least signi_cant log2 n bits of x are hard-core bits of the RSA function RSAN;e(x), that is, for a randomly chosen input x, given RSAN;e(x), an adversary cannot distinguish between the least signi_cant log2 n bits of x, and a truely random string of log2 n bits long. Show how to use this fact to design a pseudorandom generator based on RSA.

Justify your answer.