Due: Feb 21, 2020 at 11:59pm. No late assignments will be accepted.
Submit your solution using CMS. Prepare your solution as .pdf, as follows:
Problem 1. Consider the following variation of the Needham-Schroeder protocol. In this variation, line 4 has been changed: challenge r' is no longer encrypted before it is sent.
Needham-Schroeder Protocol: 1. A --> KDC: A,B,r where r is a new random value 2. KDC --> A: {A,B,r, K_AB, {A,B,K_AB}K_B}K_A 3. A --> B: A,B, {A,B,K_AB}K_B 4. B --> A: r' where r' is a new random value 5. A --> B: {r'}K_ABDoes the modified protocol lead to vulnerabilities not present with the original? Justify your conclusion either by (i) explaining why attackers are not better off or (ii) giving general principles being violated as well as a specific attack.
1. B --> A: B, r % B records R_B:=r and (upon receipt) A records R_A:=r 2. A --> B: A, {A, r+1}k % B believes that B is in dialog with A % if and only if % - B receives this message and % - decrypting with k yields "A" and "r+1" = R_B+1 3. B --> A: B, {B, r-1}k % A believes that A is in dialog with B % if and only if % - A receives this message and % - decrypting with k yields "B" and "r-1" = R_A-1
(a) Show how a Dolev-Yao attacker T could cause one or more "beliefs" given above to be unsound.
(b) A natural question is whether such attacks can be avoided by using different expressions for responses "r+1" in line 2 and "r-1" in line 3. Such a protocol can be described as follows.
1. B --> A: B, r 2. A --> B: A, {A, F(r) }k 3. B --> A: B, {B, G(r) }kWhat, if any, properties of functions F and G would prevent attacks like the one predicted in (a).
1. A --> KDC: A,B,r 2. KDC --> A: A,B, {A,r,K_AB}K_A, {B,r,K_AB}K_B 3. A --> B: A,B, {r}K_AB, {B,r,K_AB}K_B
(a) What should cause A to reject message 2?
(b) What should cause B to reject message 3?
(c) Exhibit a man-in-the middle attack that would allow an intruder T thereafter to understand and/or alter communications between A and B, assuming that communication is encrypted using the "shared key" each receives from a run of this protocol.