CS5430 Homework 1: Authenticating Computers

General Instructions. You are expected to work alone on this assignment.

Due 2/17 at 11:59pm. No late assignments will be accepted.

Submit your solution using CMS. Prepare your solution as .doc, .docx, or .pdf, as follows:

Consider only Dolev-Yao attackers. You may assume that keys are unique.

Problem 1:

Below are three simple authentication protocols, where r is a nonce, x*y denotes multiplication, and x**y denotes exponentiation.

Attacker T desires to impersonate A to B. For which protocols will T succeed? Give attacks or describe the reason they fail.

Problem 2:

Consider a schematic version of the key distribution protocols we discussed in lecture.

1  A --> KDC: A, B, r  (where r is fresh at A)
2  KDC --> A: A, B, {x, K_AB}K_A, {y, K_AB}K_B
3  A --> B:   A, B, {y, K_AB}K_B
where x and y denote finite strings constructed from the three symbols "A", "B", and "r". Different choices of x and y that a protocol designer makes could lead to protocols having different properties. This question explores the implications of the choices that the protocol designer might make.
  1. Give replacements for x and y that make it possible to perform man-in-the-middle attacks but impossible to perform replay attacks of message 2. Exhibit the man-in-the-middle attack.
  2. Give replacements for x and y that make it impossible to perform man-in-the-middle attacks and impossible to perform replay attacks of message 2.
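
The schematic protocol above can be explored with a small symbolic model. This is an added example, not part of the original assignment or the course's code. The names `enc`, `dec`, `build`, `kdc`, `a_accepts`, `b_view` and `honest_run`, the principals "alice" and "bob", and the key labels are all assumptions made for illustration. Encryption is modelled as a tagged tuple, and x and y are passed as strings over the symbols A, B and r.

```python
import secrets

def enc(key, fields):
    """Symbolic {fields}key: only a holder of `key` can open it."""
    return ("enc", key, tuple(fields))

def dec(key, ct):
    tag, k, fields = ct
    if tag != "enc" or k != key:
        raise ValueError("ciphertext not under this key")
    return fields

def build(template, a, b, r):
    """Instantiate a string over the symbols A, B, r: 'Ar' -> (a, r)."""
    return tuple({"A": a, "B": b, "r": r}[s] for s in template)

def kdc(msg1, keys, x, y):
    """Message 2: A, B, {x, K_AB}K_A, {y, K_AB}K_B."""
    a, b, r = msg1
    k_ab = secrets.token_hex(8)  # fresh session key
    return (a, b, enc(keys[a], build(x, a, b, r) + (k_ab,)),
            enc(keys[b], build(y, a, b, r) + (k_ab,)))

def a_accepts(msg2, k_a, x, a, b, r):
    """A opens its part and compares each field of x with what it sent."""
    *got, k_ab = dec(k_a, msg2[2])
    return k_ab if tuple(got) == build(x, a, b, r) else None

def b_view(msg3, k_b, y):
    """B opens its part: returns the symbols the ciphertext binds, and the key."""
    *got, k_ab = dec(k_b, msg3[2])
    return dict(zip(y, got)), k_ab

def honest_run(x, y):
    keys = {"alice": "K_A", "bob": "K_B"}  # constructed long-term keys
    r = secrets.token_hex(4)               # nonce, fresh at A
    m2 = kdc(("alice", "bob", r), keys, x, y)
    k_a_side = a_accepts(m2, keys["alice"], x, "alice", "bob", r)
    m3 = (m2[0], m2[1], m2[3])             # message 3 forwards B's part
    bound, k_b_side = b_view(m3, keys["bob"], y)
    return k_a_side, k_b_side, bound, r
```

Calling `honest_run` with different templates shows which values each principal can actually tie to K_AB, which is the property the two sub-questions ask you to reason about.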

Problem 3:

The following key distribution protocol is purported to defend against the type attack discussed in the notes against Otway-Rees.

1. A --> B: n,A,B, {r1,n,A,B}K_A 
2. B --> C: n,A,B, {r1,n,A,B}K_A, {r2,n,A,B}K_B
3. C --> B: n, {r1+1,K_AB}K_A, {r2+1,K_AB}K_B
4. B --> A: n, {r1+1,K_AB}K_A

Does this defense work? Either exhibit a type attack against this revised protocol or explain why the attack is stopped by the changes.