TAMPERE U NIVERSITY – D EPARTMENT OF C OMPUTING S CIENCES

Security Protocols: Helping Alice and Bob to Share Secrets

(COMP.SEC.220)

Coursework I

Antonis Michalas
[email protected]
August 31, 2021

S UBMISSION D EADLINE : 04.11.2021 AT 13:00

Important!

1. In case you do not get at least 40% in this coursework, you immediately fail
the course. There will be no other chance to re-submit another coursework.

2. The coursework is strictly personal. If plagiarism is detected a penalty re-

sulting to a mark of zero will be applied.

About this Coursework

This is a theoretical coursework that counts towards 50% of your overall course
marka . You are given a set of exercises to which you should provide a well-explained
and structured solution. All exercises are mandatory.
What you are expected to Submit
1. A PDF file with your solutions;

2. The filename should be of the following form:

Year_FirstName_LastName_SEC2020.
a see the official course description for course marking details
 Code Description
i :a Entity i executes the action a
x←y Assign value y to x
Rand() Random number generator
x == y Check if x is equal to y
pki Public Key of i (known to all other hosts)
ski Private Key of i
Gen K s Generate Session key
Enc(K, m) Symmetrically encrypt m with the key K
Dec(K, c) Symmetrically decrypt c with the key K
Epki (m) Encrypt m with the public key of i
Dski (c) Decrypt c with the private key of i
h = H (m) Hash for m with the common hash function H
(a, b, . . .) → i Send a message to i containing a, b, . . .

Table 0.1: Primitives for the cryptographic tools.

E XERCISES
E XERCISE 1 – XOR E NCRYPTION (3 MARKS )
You are given a message m and its OTP encryption c. Can you compute the OTP key from m and c?

E XERCISE 2 – S UBSTITUTION C IPHER (6 MARKS )

The following text was encrypted using the substitution cipher. Please decode it using any method you find
adequate. After you found a solution, please describe how you analyzed the text.
 E XERCISE 3 – D IFFIE -H ELLMAN (10 MARKS )
Alice and Bob want to exchange a shift cipher key using the Diffie-Hellman key exchange protocol. They agree
to use the prime p = 11 for their cyclic group Z∗11 , and g = 7 as the generator.

a) Assume now that Alice uses the secret value a = 6 and Bod uses the secret value b = 9. Compute the interme-
diate values and the final key that Alice and Bob exchange.

b) Assume that Alice and Bob exchange the values X = g a = 5 mod 11 and Y = g b = 10 mod 11. Determine the
secret key they both exchanged!
(Note: The values of a and b are NOT the same as in Exercise 1a.)

c) Decrypt the following message that was encrypted using a shift cipher. The key exchanged in Exercise 3b was
used to encrypt the message.
TVFEFKBDLFUXJUIDBOEZTUSJQFMJOJOH

E XERCISE 4 – T HREE PARTY D IFFIE -H ELLMAN (8 MARKS )

a) Describe the traditional Diffie-Hellman key exchange protocol.

b) Design a protocol based on the traditional Diffie-Hellman key exchange, that allows 3 parties P 1 , P 2 and P 3 to
exchange a single symmetric key K . The following conditions have to be fulfilled:
• Only the parties P 1 , P 2 and P 3 can know the key K .
• The key should be verified by all parties.
m
You can give your solution as a sequence of message sent from P i to P j . e.g. P i −→ P j . We assume a prime p
and the generator g of the cyclic group Z∗p to be publicly known.

E XERCISE 5 – S YMMETRIC E NCRYPTION (8 MARKS )

Consider the following protocol (Figure 0.1) which Alice and Bob use in order to mutually authenticate each
other, i.e., convince each other that “they are who they say they are”. Assume that Alice and Bob share a secret
key K .
In this protocol, Alice first sends an unpredictable random number R A . In the second step, Bob encrypts this
message to prove knowledge of the key K and also sends a random number R B . In the third step, Alice decrypts
E (K , R A ). If the result is not her original number she aborts the protocol otherwise she encrypts R B and sends it
to Bob. Bob performs a similar check and if everything is OK, he’s convinced he’s talking to Alice. Find two
attacks in which an attacker can impersonate some of them to the other.
(Assume that the key is not compromised, so nobody can use it to create fake messages.)

Alice Bob

Alice, r a
Bob, r b , Enc(K , r a )
Enc(K , r b )

Figure 0.1: Mutual Authentication protocol

 E XCERSICE 6 – ATTACKING A S YSTEM (5 MARKS )
I created a really simple login form that requires the user to provide a username and a password. In order to
protect the login procedure as well as the password that is stored in the database (DB), I used a hash function.
The problem is that I can’t remember which exactly hash function I used. So, the first thing you need to do is to
find out which hash function I used in order to hash the credentials. Furthermore, my memory is not working
well (or not working at all) since I moved to London. As a result, I realized that I also forgot my password! In a
desperate try to solve this issue I connected to my local DB and found out the following hash value that
corresponds to my password:

h(password) = b3746dd06becc0d83eb520f64111cbb542e03e09

Having this information can you successfully bypass the login authentication and help me log in back to my
account? Can you also remind me my password? If so, please explain how this is possible.
The link to the login form is here: http://amichalas.com/TUNI/TIE-30406/Login_2/. For the
username...you can use anything!

E XERCISE 7 – C RYPTOGRAPHIC P ROTOCOLS 1 (10 MARKS )

1. Given are two protocols in which the sender’s party performs the following operation:
Protocol A:

c = Enc(k1 , x||H (k2 ||x))

where x is the message, H is a hash function, Enc is a symmetric-key encryption function, || denotes simple
concatenation, and k1 , k2 are secret keys which are only known to the sender and the receiver.
Protocol B:

c = Enc(k, x||σpr (H (x)))

where k is a shared key, pr is the private key of the receiver, and σpr denotes a digital signature using the
key pr.
Provide a step-by-step description (e.g. an itemized list) of what the receiver does upon reception of c for
each protocol.

2. State whether the following security properties are fulfilled for each protocol given in the previous ques-
tion:

• confidentiality
• integrity
• non-repudiation

(To get full marks, you need to justify your answer. A Yes/No answer will not be considered for marking)

E XERCISE 8 – C RYPTOGRAPHIC P ROTOCOLS 2 (15 MARKS )

Please use the given and your defined notation and tools and design security protocols for the following settings:

a) A host, A, communicates with a host B across the Internet. Both hosts have each just its own public and
private key pair. Host A needs to “ping” host B in order to make sure it is “alive”. Assume that the two hosts
just synchronized themselves with a Time Server and thus t clA ock = t cl
B
ock
. Provide the best possible solution
under the conditions. Please explain if the problem is solved.

b) If yes, demonstrate how the assumed adversary is countered by your protocol. If no, please explain what
additional steps are required and provide two ways to address the problem.
c) For either case you demonstrated a sufficient solution in (b), consider that A will repeatedly and frequently
“ping” B . Rather than using public key cryptography, consider that A and B wish to use a symmetric key
scheme. First, please explain what can be the motivation, why can a symmetric key protocol be a better
choice. Second, please design a protocol that allows A to “transport” a symmetric key to B .

d) Explain how your protocol in the previous setting allows (or augment here your protocol as necessary) A and
B to mutually authenticate each other and be sure that only the other end (that is, for A only B and vice versa)
got and now knows the new key.

E XERCISE 9 – L OGIN (10 MARKS )

Consider the following two-step method for Alice logging into a server S.

1. Setup: Alice picks a password P and a number N and then computes the following sequence:

x 1 = f (P, 1), x 2 = f (x 1 , 2), x 3 = f (x 2 , 3), ..., x N = f (x N −1 , N )

, where f () is some easy to compute function but hard to invert. She then stores the pair (x N , N ) with the
server to whom she wishes to login later. Similarly, the server maintains for each user the (different) value
x N and the index N .

2. Authentication: When Alice wants to have access to the host, she types her username and the host looks
up her entry and sends N − 1 to her. She then responds back with the value x N −1 , which the host verifies
by computing f (x N −1 , N ) and comparing against the stored value x N . If the two values match, the server
gives Alice access to her account and replaces the values (x N , N ) with the values (x N −1 , N − 1).

a) What are the advantages (if any) of this scheme over ordinary passwords?

b) What are some attacks (if any) that can be applied to this scheme?

E XERCISE 10 – S YMMETRIC K EY S ECURITY P ROTOCOLS (10 MARKS )

Please use the given and your defined notation and tools and design security protocols for the following settings:

a) A wireless sensor node, A, is required to provide periodically measurements to a device within range, B . The
two share a symmetric key. Each message sent by A contains a single measurement. B needs to verify the
origin authenticity of each message.

b) In the same setting as above, consider a period over which multiple measurements are sent by A. Now,
B needs to verify the authenticity and integrity of this sequence of measurements. At first, assume that
t clA ock = t cl
B
ock
throughout this period.

c) In the previous setting, assume that the clock of A cannot be synchronized with that of B . Again, B needs to
verify the authenticity and integrity of this sequence of measurements.

d) As an additional requirement, B needs to ensure that all measurements of A are confidential.

e) In the previous setting, now B needs A to use different symmetric keys for ensuring confidentiality and au-
thenticity. Let those be KcAB and KaAB respectively and assume that those are available at A and B .

f) Without re-writing the protocol you devised for the previous setting: How can you handle a situation that A
and B have only one shared key for authentication but they decide to use a second one for confidentiality?
 E XERCISE 11 – K EY D ISTRIBUTION (15 MARKS )
Consider the following key distribution protocol in which two users Alice and Bob wish to establish a shared key
KAB with the help of a trusted server S. Assume Alice and Bob share secret keys KAS and KBS with S and that
nonces are 64 bits long and keys are 128 bits long.

1. A → B : Al i ce, N A

2. B → S : B ob, NB , Enc(KBS ,〈A, N A , NB 〉)

3. S → A : Enc(KAS ,〈KAB , B, N A , NB 〉), Enc(KBS , 〈A, KAB 〉)

4. A → B : Enc(KBS , 〈A, KAB 〉), Enc(KAB , NB )

a) Describe at least two attacks that can be applied to this protocol (If your attack reduces to simple forwarding,
it will not count...).

b) For each attack, give a countermeasure that renders the attack useless.