Due Mon Feb 20, 9am. No late assignments will be accepted.
Submit your solution using CMS. Prepare your solution as .doc, .docx, or .pdf, as follows:
Consider only Dolev-Yao attackers. You may assume that keys are unique.
Consider a variation of the key distribution protocols we discussed in lecture.
1. A --> KDC: A, B, r_1, r_2
2. KDC --> A: A, B, {A, r_1, K_AB}K_A, {B, r_2, K_AB}K_B
3. A --> B: A, B, {B, r_2, K_AB}K_B
Exhibit a man-in-the-middle attack that would allow an intruder T thereafter to understand and/or alter communications between A and B encrypted using the "shared key" K_AB each receives from a run of this protocol.
The following key distribution protocol was inspired by Otway-Rees (which is described in the on-line lecture notes); the designer was concerned with the cost of encryption and therefore eliminated the encryptions used for Otway-Rees messages 1 and 2.
1. A --> B: n,A,B,r1
2. B --> KDC: n,A,B,r1,r2
3. KDC --> B: n,{r1,r2,A,B,K_AB}K_A, {r1,r2,A,B,K_AB}K_B
4. B --> A: {r1,r2,A,B,K_AB}K_A
We are interested in knowing, when the protocol terminates (with no participant crashing), what the strongest conditions are for ii and iii, below. We give those conditions for i, so you can see an example of the kind of answer we are expecting.
A can assume that only principals holding either K_A or K_B know K_AB. This is at most {A,B,KDC}. A can also assume that K_AB is fresh since message 4 contains r1 which A created in message 1. Unlike Otway-Rees, A cannot assume that B participated in this run of the protocol (note that B does not encrypt any messages). Therefore the completion of the protocol cannot be used to determine that B interacted with A and therefore has the key.
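The conditions given above for i can be checked in a symbolic Dolev-Yao model. The following is an added example, not part of the assignment: the names Enc, decrypt, kdc_reply, a_accepts and run_once are hypothetical, and encryption is assumed perfect (a ciphertext opens only with the exact key it was sealed under).

```python
import secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Enc:
    """Symbolic ciphertext {payload}key (perfect encryption is an assumption)."""
    key: bytes
    payload: tuple

def decrypt(ct, key):
    # Dolev-Yao model: without the exact key, nothing is learned.
    if not isinstance(ct, Enc) or ct.key != key:
        raise ValueError("cannot decrypt")
    return ct.payload

def kdc_reply(msg2, keys):
    """Message 3: KDC invents K_AB and seals the same body under K_A and K_B."""
    n, a, b, r1, r2 = msg2
    k_ab = secrets.token_bytes(16)
    body = (r1, r2, a, b, k_ab)
    return n, Enc(keys[a], body), Enc(keys[b], body)

def a_accepts(msg4, k_a, my_r1, me, peer):
    """A's check on message 4: returns K_AB if accepted, otherwise None."""
    try:
        r1, _r2, a, b, k_ab = decrypt(msg4, k_a)
    except ValueError:
        return None          # not sealed under K_A
    if (r1, a, b) != (my_r1, me, peer):
        return None          # stale r1 or wrong principals: not this run
    return k_ab

def run_once(keys, n):
    """One honest run; returns A's r1 and the two sealed parts of message 3."""
    r1 = secrets.token_bytes(8)            # A's nonce, sent in message 1
    msg1 = (n, "A", "B", r1)
    r2 = secrets.token_bytes(8)            # B's nonce, appended in the clear
    msg2 = msg1 + (r2,)
    _n, for_a, for_b = kdc_reply(msg2, keys)
    return r1, for_a, for_b                # for_a is what B forwards as message 4
```

Nothing in a_accepts depends on a value that only B could have produced, which matches the statement that A cannot conclude B participated in the run.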
Here is an excerpt of the Kerberos protocols found in the course lecture notes, except the expTime field has been removed from the Tick_B message. Here is the modified protocol to access a service B initially:
A --> WkStation_A: A wishes to access service B.
WkStation_A --> KDC: A, B, TGT
KDC: invent fresh key K_AB
     extract S_A from TGT found in message from WkStation_A
     Tick_B := {A, B, K_AB}K_B
KDC --> WkStation_A: {B, K_AB, Tick_B}S_A
And here is the modified protocol to use the credentials obtained above.
WkStation_A --> B: Tick_B, {timeNow}K_AB
B: extract A, B, and K_AB from Tick_B (since B knows K_B)
B --> WkStation_A: {timeNow+1}K_AB
Give the details of an attack that is no longer being prevented, now that expTime is absent. Be sure to explain what information the attacker must have to launch the attack and what the attacker gains.