University of Virginia, Department of Computer Science CS551: Security and Privacy on the Internet, Fall 2000

18 October 2000

Do not open the exam until told to do so.

Problem Score Possible Name: Colleen M. Hacker 1 35 25 2 15 15 3 35 35 4 35 25 Total 120 100
Colleen, you should teach this class! Sorry for eating you in question 3.
--- Dave
PS. I promise to pay off my poker debts soon.

This exam may be ridiculously long and difficult. Don't get stressed out if you can't answer every question. It is not necessary to answer every question correctly to get a satisfactory grade on the exam.

Particularly tough questions are marked with challenge. It is recommended that you read the challenge questions as you go through the exam, but unless you immediately see the answer, don't spend time working on them until completing the rest of the exam.

### 1. Symmetric Ciphers: Morehouse's Tape Loops (25)

In 1918, Lyman Morehouse proposed a (not quite) one-time pad device that used two tapes arranged in loops. One loop (P1) was 1000 bits long, the other (P2) was 999. P1 and P2 both contain perfectly random bit sequences.

Messages were encrypted by XOR'ing the plaintext letter with each loop letter. After each letter both tapes advance one character. Hence,

C[i] = M[i] XOR P1[i mod 1000] XOR P2[i mod 999]

a. (5 points) What is the Unicity distance of the Morehouse machine when transmitting message with redundancy = .5 bits per bit? (You may express your answer using mathematical functions like log2551 or e3141 instead of calculating a number.)

First we need to estimate the keyspace. The is the number of possible different keys (many people confused this with the key length). A rough estimate is 21000 * 2999 = 21999.

A better estimate would take into account many keys being identical. For example, if P1 and P2 are both complemented, the effective key is the same! The makes the actual key space 21998.

U = H(K) / R = ln (21998) / .5 = 1998 / .5 = 3996.

b. (10) Argue that the Morehouse machine is a perfect cipher if less than 1000 bits are transmitted. (Doesn't need to be a formal proof, but should be convincing.)

If less than 1000 bits are transmitted, neither P1 nor P2 ever repeats. This make it effectively a one-time pad with key P1 XOR P2. Since both P1 and P2 are perfectly random, P1 XOR P2 is also perfectly random (we proved this in problem set 1).
c. (10) Prove that the Morehouse machine is not a perfect cipher if 999,001 bits are transmitted. (Show that a cryptanalysis who has no information other than the first 999,001 bits of ciphertext can determine something useful about the message.)

The 999,001st bit is encoded as:
C[999001] = M[999001] XOR P1[999001 mod 1000] XOR P2[999001 mod 999]
= M[999001] XOR P1[1] XOR P2[1]
The 1st bit is encoded as M[1] XOR P1[1] XOR P2[1].
C[1] XOR C[999001] = M[1] XOR P1[1] XOR P2[1] XOR M[999001] XOR P1[1] XOR P2[1]
= M[1] XOR M[999001]
If this is 1, we know M[1] and M[999001] are different. If it is 0, we know they are the same!

So, if C[1] XOR C[999001] is 0, we have determined there is zero probability that the original message has M[1] = 1 and M[999001] = 0. This means it is not a perfect cipher since the probabilty of all possible messages is not the same.

d. (challenge, up to +10 bonus) Prove or disprove that the Morehouse machine is a perfect cipher if less than 999,000 bits are transmitted. Reconcile your answer with your result from (a).

An easier way to solve part c would be to use the keyspace theorem: for a cipher to be perfect, there must be at least as many keys as possible messages. Note that the reverse is not necessarily true - there are many ciphers with more keys than messages that are not perfect.

From part a, we showed that there are 21998 possible keys. If we transmit 1999 bits, there are 21999 possible messages, so we know it cannot be perfect for more than 1998-bit messages.

What about messages of length 1000-1998? For a message of length 1000, we have C[1000] = M[1000] XOR P1[1000] XOR P2[1].

C[1] XOR C[1000] = M[1] XOR M[1000] XOR P1[1] XOR P1[1000]
Suppose the redundancy of the message is as high as possible - that is, the message is either all 0's or all 1's. If its a perfect cipher, we should not be able to tell which it is. This is certainly true for the first 999 ciphertext bits. What is we see 1000?

We know M[1] XOR M[1000] = 0 since either M[1] = 0 and M[1000] = 0 or M[1] = 1 and M[1000] = 1. So,

C[1] XOR C[1000] = P1[1] XOR P1[1000]
Let's guess M[1] = M[1000] = 0. Then,
C[1] = M[1] XOR P1[1] XOR P2[1] = 0 XOR P1[1] XOR P2[1]
C[1000] = 0 XOR P1[1000] XOR P2[1]
C[1] XOR C[1000] = P1[1] XOR P1[1000]
Suppose (without loss of generality) C[1] = 0 and C[1000] = 0.
0 = 0 XOR P1[1] XOR P2[1] ==> P1[1] XOR P2[1] = 1
0 = 0 XOR P1[1000] XOR P2[1] ==> P1[1000] XOR P2[1] = 1
C[1] XOR C[1000] = 0 ==> P1[1] XOR P1[1000] = 0
We have 3 equations in 2 unknowns! The only solutions are:
P1[1] = 1  P2[1] = 0  P1[1000] = 1
P1[1] = 0  P2[1] = 1  P1[1000] = 0
Hence, if C[1] = 0, C[1000] = 0, M[1] = 0 and M[1000] = 0 we know something about the key! It cannot have P1[1] = 1 and P1[1000] = 0.

This proves it cannot be a perfect cipher for messages of length 1000 or more. Note, however, that it doesn't help a cryptanalysts much in actually figuring out anything useful.

Note: I'm not entirely satisfied with this answer...if you can come up with a better one, let me know.

This is consistent with our calculation of the Unicity distance. The Unicity distance approximates how much ciphertext an attacker needs to determine if a brute-force guess is correct. Calculating the Unicity distance with redundancy 1 is the same as the maximum possible length for which the cipher is perfect. It does not guarantee the cipher is perfect up the that length, however.

### 2. Block Ciphers (15)

After reading your answer to Problem Set 2, Question 3, Ben Bitdiddle has decided to modify his Feistel cipher before he can submit it to the RAES (Really Advanced Encryption Standard) competition. After learning about RSA, he decides he will incorporate modular exponentiation into his cipher.

Ben's cipher uses four rounds of the following round function:

Li = Ri-1
Ri = Li-1 XOR F (Ri-1, K)
F (m, k) = mk mod 232
Note: this is the same as in Problem Set 2, Question 3, except for the different F.

As in problem set 2, the block size is 64 bits and the same 32-bit K is used for every round. The final ciphertext is C = R4 || L4.

a. (5) Does Ben's new F function satisfy the necessary functional properties for a Feistel cipher? (That is, can it be deciphered by someone who knows the key?)

Yes, any function with the right size inputs and outputs satisfies all the necessary functional properties. Since the Feistel cipher XOR's the result of F, it is not necessary that F be invertible.
b. (10) For a one-round simplified version of Ben's RAES cipher, given M = L0 || R0 and C1 = L1 || R1>, how hard is it for an attacker determine K? (Hint: don't use a brute force attack. Show that finding K is equivalent to some other problem.)

The attacker knows L0, R0, L1 and R1> and wants to determine K. From the cipher description, we have:
L1 = R0
R1 = L0 XOR F (R0, K)
Since we know R1 and L0, we can XOR them to get:
LXR = F (R0, K) = R0K mod 232
Solving for K requires solving a discrete logarithm. The security of Diffie-Helman is based on the belief that solving discrete logarithms is hard. (RSA also depends on this, but less directly since if factoring became easy, you could break RSA without solving discrete logarithms.)

In practice, this cipher would be trivial to break, however, since there are only 232 possible keys to try in a brute force attack.

### 3. Public-Key Protocols: Crypto-Cannibal-Survivor (35)

Sixteen cryptographers (Alice, Bob, Colleen, Dave, Eve, Fred, Gervase, Holly, Igor, Jeff, Kelly, Louie, Mallory, Nancy, Oliver and Rich) are stranded on a deserted island. Oddly enough, this deserted island doesn't contain ample supplies of beer, pizza or rice. They do, however, each have solar-powered computers. Castaways can use there computers without anyone else observing their typing or monitor.

To stay alive, they decide they will gather at crypto council each week, and vote on which member to eat. Naturally, it is quite important that the voting process is secure and confidential. Each member should be able to determine that her vote was correctly tabulated, and should be able to tell that the tally is correct, but should not be able to determine how any of the other castaways voted.

No one can think of a suitable protocol, so they decide everyone trusts Jeff and no one wants to eat him, so they will use Jeff as a trusted third party to tally the votes. They still want to be able to verify that their votes are counted fairly without revealing who voted for whom to anyone except Jeff. Since there is no where to securely whisper on the island (its a small island), they still need to encrypt their votes before sending them to Jeff.

Alice suggests the following protocol:

1. Jeff generates a public-private key pair (KUJ, KRJ) and publishes KUJ, the public key (writes on the beach).
2. Each castaway (besides Jeff) constructs a vote by naming the person they want to eat, and concatenating a random string. For example, we can write Alice's vote as VA || RA (|| is string concatenation).
3. Each castaway then calculates _____________________ and writes it on the beach (while Jeff has his head in the sand, so he cannot tell who cast which vote).
4. The other castaways then stick their heads in the sand, and Jeff returns and calculates Vc || Rc for each vote. He writes them (both the vote and the random string) on the beach in random order.
5. The castaways gather to count the votes. Each cryptographer can tell that her vote was correctly recorded, by matching one of the pairs to the one she generated in step 2. They can verify that no one voted twice by counting the number of votes.
a. (5) What should the castaways write on the beach in step 3. The value on the beach should be something Jeff (and only Jeff) can use to obtain Vc || R. You may assume the castaways agree on a public-key encryption algorithm, E (key, message).

E (KUJ, Vc || Rc)

The vote is encrypted with Jeff's public key, so only someone who knows Jeff's private key (hopefully only Jeff!) can decrypt it.

Note: Part c of this problem is considerably easier than part b, and you do not need to solve part b to solve part c. You may want to skip this page and return to it if you have time at the end of the exam.

After seven rounds, the remaining castaways meet quietly at night and decide its time to eat Jeff. Now they need to develop a voting protocol that does not require a trusted third party. The eight remaning castaways (Alice, Bob, Colleen, Holly, Kelly, Nancy, Oliver and Rich) procrastinate for a week playing poker, and then Rich proposes the following protocol:

1. Each castaway generates a key pair.
2. The public keys are published without revealing the identity of the owner of the corresponding key pair.
3. Each castaway creates a vote as Name || Random string and encrypts it using her public key. For example, Alice might vote using EKUA ["ColleenYvxmo26qcgAs"]. Each castaway writes their encrypted vote on the beach. They count the votes on the beach to make sure no one voted more than once.
4. The private keys are revealed without revaling the identity of the owner.
5. Castaways verify that the keys are valid by looking for matching key pairs.
6. Everyone decrypts the votes by trying each private key on each vote until finding one that produces a valid vote. (The chances that a different key would decrypt a vote to a string that starts with one of the players names is negligble.)
b. (challenge) (15) This protocol should work (if you can find a flaw in it, that is worth bonus points), assuming there is a way to perform steps 2 and 4. Describe a protocol the castaways can use to reveal each person's key without revealing who owns which key. The castaways can only communicate by writing strings on the beach; all castaways may see all strings that are written on the beach, as well as who writes the string. (Note that sticking heads in the sand doesn't work anymore, since either everyone except one castaway has their head in the sand, and then they know who wrote the last new thing, or more than one castaway doesn't and can see what the other one writes.)

This is the ridulously long and difficult part. It should be possible to do this using public key techniques. I'm still working on this one...will post an answer soon.

Colleen claims to have a good answer, but she won't give it to me since the question implies she gets eaten.

(Note that is it also necessary that the castaways don't see who writes which string on the beach in step 3. Otherwise, of course, after the string are decrypted they would know who voted for whom. So, doing step 3 without revealing who wrote what is sort of the same problem as steps 2 and 4.)

c. (15) Once they are down to two survivors, it is clear that Rich's protocol doesn't work. They try voting a few times, but it always turns out to be a tie. Kelly suggests they play "rock, paper, scissors" to decide the final survivor.

Physical rock, paper, scissors games work as follows: both players pick one of "rock", "paper" or "scissors" (represented by hand shapes). The winner is determined by the following table:

Player 1Player 2Winner
RockPaperPlayer 2
RockScissorsPlayer 1
PaperScissorsPlayer 2

If both players pick the same item it is a draw and they play again.

Physical "rock, paper, scissors" games don't work too well, since players can cheat by changing their item after seeing what the other player choose.

Describe a secure cryptographic protocol Rich and Kelly can use to play "rock, paper, scissors". Your protocol must not rely on being able to reveal things simultaneously. Rich and Kelly should be able to play by taking turns writing things on the beach.

Here is one possible protocol:
1. Rich and Kelly agree on a secure one-way hash function, h.
2. Rich picks an item and a random string, and writes h (item || random string) on the beach.
3. Kelly picks an item and a random string, and writes h (item || random string) on the beach.
4. Rich tells Kelly which item he choose and his random string. Kelly verifies that h (item || random string) matches the value Rich wrote on the beach.
5. Kelly tells Rich which item she choose and her random string. Rich verifies that h (item || random string) matches the value Kelly wrote on the beach.
6. If its a tie, play again. Otherwise, bon appetit!
Note that since players choose their random strings themselves, this protocol is vulnerable to a birthday attack. If the hash function produces 128 bits, Kelly will have to try approximately 264 messages (choices of R1 and R2) to find one where h ("rock" || R1) = h ("paper" || R2). If she finds one pair like this, she can always at least tie after seeing Rich's choice in step 4.

We could eliminate any reasonable chance of cheating by adding a game-specific ID after to each vote: item + random game ID + players random string. The players can use the random choice protocol (from PS3) to agree on a random game ID before each round. So long as Kelly doesn't have time to do a hash collision search between this time and when she has to reveal her item choice, there is no way she can cheat.

Note that it is necessary to add the random string to choices. Otherwise, Kelly could easily calculate each item's hash value to determine Rich's choice after seeing Rich's hash value in step 2, and vote accordingly.

### 4. Cryptography Applications (25)

#### (Choice 1) SSSH

Typical SSH clients store unencrypted host keys in the Windows registry. An attacker with access to the victim's machine (for example, using an ActiveX control on a web page the victim is likely to visit), can replace the host key entry in the Windows registry to match the key for a machine the attacker controls. If the attacker can also spoof DNS to direct the old hostname to the attacker's machine, the victim will unwittingly send secure data to the wrong server.

SSSH, Inc. proposes making a super-secure shell application. Unaware of Mr. Tweakit's increasingly poor reputation in the security community, they hire Lem E. Tweakit to design it. He proposes that instead of storing the host keys in the registry unencrypted, they will be encrypted using a secure block-cipher algorithm. You may assume encryption algorithm is unbreakable and the encryption key can be securely hidden in the SSSH client binary. All client binaries are the same (use the same key).

a. (10) Explain why encrypting the host keys does not susbtantially increase the security of SSH against an attacker replacing a host key entry with a key corresponding to a machine the attacker controls?

An attacker can simply run SSSH on his own machine, and connect to the machine he wants to use as the rogue machine. After accepting the new host key, she looks in the registry to find its encrypted value.
b. (15) Lem asks Alice for help, and she suggests a scheme where when a user installs SSSH, it generates a new public-private key pair. The public key is stored in the Windows registry, but the private key is stored only on a floppy disk the user keeps in a secure place. Describe a scheme that uses this to make SSSH very secure against the replacing host keys attack. A user must not be required to use the private key everytime she connects to a host using SSSH.

The most obvious answer would be to store the public key and the host key encrypted using the private key (EKR [host key]) in the registry. The first time a user connects to a new host, she needs to use the floppy disk to get the private key. When she connects to a host, she uses the public key to decrypt the encrypted host key, and compares this result to the host key sent by the host.

An attacker cannot replace the encrypted host key with a rogue host key, since he does not know the private key.

Unfortunately, an attacker can replace both the public key and the encrypted host key. The attack simply generates his own public-private key pair, { KUevil, KRevil }, and replaces the public key stored in the victim's registry with KUevil and the host key with EKRevil [rogue machine host key]. The victim won't notice until the next time she connects to a new site, and SSSH checks the private key against the stored public key and notices the problem.

One solution to this might be to also store some other value known to the user but not to an attacker encrypted with the private key. For example, if the machine has a unique identifier that is only known to legitimate users (this is hard!), then we could encrypt that identifier using the private key. Every time the user connects to a host, SSSH would display the value of the encrypted identifier decrypted with the public key, and the user could verify it had not changed. If an attacker replaced the public key, the identifier would not decrypt correctly, and the user would notice before connecting to the rogue host.

### (Choice 2) Faculty Turnover

In response to the increased faculty turnover in the CS department due to the lure of Internet startups, the deparment has decided it would be wise to replace the mechanical door locks with electronic locks similar to those found in modern hotels. Knowing of your stellar performance in CS551, the department has hired you to develop a solution that meets these requirements:
1. Doors have electronic card readers. The microprocessor in the door can do some calculation, but only has sufficient storage to hold 128 bits.
2. When someone new moves into an office, they are issued a new card from a machine kept in a secure place. Once the new person has moved in, the card issued to the previous office resident no longer works.
3. No new wires can be run. There can be no communication between the card issuing machine and the office doors.
4. You may assume untrustworthy people cannot get access to the card issuing machine, but can access the card reader in limited ways. In particular, it would be unwise to assume an attacker cannot read the contents of the card reader's memory.
5. The previous holder of an office key cannot figure out any useful information about the next key (or any other following key in the sequence).

(25) Design a system that meets these requirements. Be clear and specific about the protocol followed by the card readers and the card issuer machine.

Answer: The best answers were inspired by S-Key (see Lecture 11). We use h, a secure 128-bit one-way hash function.

Card Issuer: Generates a random number R for each door. For each office, store R and n = 1000 where n is the maximum number of different keys for each office. (We are assuming there will be no more than 1000 faculty in each office before we get a new building. Hopefully this is a safe assumption!)

Key Card: To generate a new key card, a trustworthy person enters the office number into the card issuer machine and swipes the card. The card issuer calculates hn (R) and writes hn (R) to the card. The card issuer decrements the stored value n.

Card Reader (door): The card reader is initialized with its memory containing h1001 (R). This could be done with a special card that can only be used once before the lock is installed.

To open a door, the user swipes the card. The card reader reads v the value on the card. The reader calculates h (v), and compares it to the stored value. If the user's card contained hn (R), the calculated value is hn + 1 (R). There is a match and the door opens.

If the value doesn't match, the reader calculates h (h (v)), and compares this to its stored value. If the user's card contained hn - 1 (R), the calculated value is hn + 1 (R). There is a match and the door opens. Note that hn - 1 (R) is the value of the next user's card! The reader replaces it stored value with h (v), that is hn (R).

This scheme satisfies all the required properties:

1. The door only has to store hn + 1 (R). Assuming as 128-bit hash function, this is 128 bits.
2. Once the new person moves in, the old key no longer works. The stored value changes the first time the new key is used.
3. No new wires are needed - the only time the door reader needs to communicate with the card issuer is at the very beginning. There is no external communication needed to transfer the office to a new person.
4. An attacker can obtain no useful information from the card reader. Knowing hn + 1 (R) does not help the attack find hn (R), the value needed to open the door.
5. Knowing one key doesn't help you know the next. The only secret that would help you generate new keys is R, stored securely in the card issuer.