University of Virginia, Department of Computer Science CS551: Security and Privacy on the Internet, Fall 2000

Page 0 of 12

Midterm Exam

18 October 2000

Do not open the exam until told to do so.

Problem Score Possible Name: Colleen M. Hacker 1 35 25 2 15 15 3 35 35 4 35 25 Total 120 100

This exam may be ridiculously long and difficult. Don't get stressed out if you can't answer every question. It is not necessary to answer every question correctly to get a satisfactory grade on the exam.

Particularly tough questions are marked with challenge. It is recommended that you read the challenge questions as you go through the exam, but unless you immediately see the answer, don't spend time working on them until completing the rest of the exam.

Please mark your final answers clearly (e.g., draw a box around them). If you need more space than is provided, you may use the backs of pages or the blank pages attached to the exam. Be sure to indicate clearly where your answer is.

Page 1 of 12

1. Symmetric Ciphers: Morehouse's Tape Loops (25)

In 1918, Lyman Morehouse proposed a (not quite) one-time pad device that used two tapes arranged in loops. One loop (P1) was 1000 bits long, the other (P2) was 999. P1 and P2 both contain perfectly random bit sequences.

Messages were encrypted by XOR'ing the plaintext letter with each loop letter. After each letter both tapes advance one character. Hence,

```        C[i] = M[i] XOR P1[i mod 1000] XOR P2[i mod 999]
```

a. (5 points) What is the Unicity distance of the Morehouse machine when transmitting message with redundancy = .5 bits per bit? (You may express your answer using mathematical functions like log2551 or e3141 instead of calculating a number.)

b. (10) Argue that the Morehouse machine is a perfect cipher if less than 1000 bits are transmitted. (Doesn't need to be a formal proof, but should be convincing.)

Page 2 of 12

c. (10) Prove that the Morehouse machine is not a perfect cipher if 999,001 bits are transmitted. (Show that a cryptanalysis who has no information other than the first 999,001 bits of ciphertext can determine something useful about the message.)

d. (challenge, up to +10 bonus) Prove or disprove that the Morehouse machine is a perfect cipher if less than 999,000 bits are transmitted. Reconcile your answer with your result from (a).

Page 3 of 12

2. Block Ciphers (15)

After reading your answer to Problem Set 2, Question 3, Ben Bitdiddle has decided to modify his Feistel cipher before he can submit it to the RAES (Really Advanced Encryption Standard) competition. After learning about RSA, he decides he will incorporate modular exponentiation into his cipher.

Ben's cipher uses four rounds of the following round function:

Li = Ri-1
Ri = Li-1 XOR F (Ri-1, K)
F (m, k) = mk mod 232
Note: this is the same as in Problem Set 2, Question 3, except for the different F.

As in problem set 2, the block size is 64 bits and the same 32-bit K is used for every round. The final ciphertext is C = R4 || L4.

a. (5) Does Ben's new F function satisfy the necessary functional properties for a Feistel cipher? (That is, can it be deciphered by someone who knows the key?)

b. (10) For a one-round simplified version of Ben's RAES cipher, given M = L0 || R0 and C1 = L1 || R1, how hard is it for an attacker determine K? (Hint: don't use a brute force attack. Show that finding K is equivalent to some other problem.)

Page 4 of 12

3. Public-Key Protocols: Crypto-Cannibal-Survivor (35)

Sixteen cryptographers (Alice, Bob, Colleen, Dave, Eve, Fred, Gervase, Holly, Igor, Jeff, Kelly, Louie, Mallory, Nancy, Oliver and Rich) are stranded on a deserted island. Oddly enough, this deserted island doesn't contain ample supplies of beer, pizza or rice. They do, however, each have solar-powered computers. Castaways can use there computers without anyone else observing their typing or monitor.

To stay alive, they decide they will gather at crypto council each week, and vote on which member to eat. Naturally, it is quite important that the voting process is secure and confidential. Each member should be able to determine that her vote was correctly tabulated, and should be able to tell that the tally is correct, but should not be able to determine how any of the other castaways voted.

No one can think of a suitable protocol, so they decide everyone trusts Jeff and no one wants to eat him, so they will use Jeff as a trusted third party to tally the votes. They still want to be able to verify that their votes are counted fairly without revealing who voted for whom to anyone except Jeff. Since there is no where to securely whisper on the island (its a small island), they still need to encrypt their votes before sending them to Jeff.

Alice suggests the following protocol:

1. Jeff generates a public-private key pair (KUJ, KRJ) and publishes KUJ, the public key (writes on the beach).
2. Each castaway (besides Jeff) constructs a vote by naming the person they want to eat, and concatenating a random string. For example, we can write Alice's vote as VA || RA (|| is string concatenation).
3. Each castaway then calculates _____________________ and writes it on the beach (while Jeff has his head in the sand, so he cannot tell who cast which vote).
4. The other castaways then stick their heads in the sand, and Jeff returns and calculates Vc || Rc for each vote. He writes them (both the vote and the random string) on the beach in random order.
5. The castaways gather to count the votes. Each cryptographer can tell that her vote was correctly recorded, by matching one of the pairs to the one she generated in step 2. They can verify that no one voted twice by counting the number of votes.
a. (5) What should the castaways write on the beach in step 3. The value on the beach should be something Jeff (and only Jeff) can use to obtain Vc || R. You may assume the castaways agree on a public-key encryption algorithm, E (key, message).

Page 5 of 12

Note: Part c of this problem is considerably easier than part b, and you do not need to solve part b to solve part c. You may want to skip this page and return to it if you have time at the end of the exam.

After seven rounds, the remaining castaways meet quietly at night and decide its time to eat Jeff. Now they need to develop a voting protocol that does not require a trusted third party. The eight remaning castaways (Alice, Bob, Colleen, Holly, Kelly, Nancy, Oliver and Rich) procrastinate for a week playing poker, and then Rich proposes the following protocol:

1. Each castaway generates a key pair.
2. The public keys are published without revealing the identity of the owner of the corresponding key pair.
3. Each castaway creates a vote as Name || Random string and encrypts it using her public key. For example, Alice might vote using EKUA ["ColleenYvxmo26qcgAs"]. Each castaway writes their encrypted vote on the beach. They count the votes on the beach to make sure no one voted more than once.
4. The private keys are revealed without revaling the identity of the owner.
5. Castaways verify that the keys are valid by looking for matching key pairs.
6. Everyone decrypts the votes by trying each private key on each vote until finding one that produces a valid vote. (The chances that a different key would decrypt a vote to a string that starts with one of the players names is negligble.)
b. (challenge) (15) This protocol should work (if you can find a flaw in it, that is worth bonus points), assuming there is a way to perform steps 2 and 4. Describe a protocol the castaways can use to reveal each person's key without revealing who owns which key. The castaways can only communicate by writing strings on the beach; all castaways may see all strings that are written on the beach, as well as who writes the string. (Note that sticking heads in the sand doesn't work anymore, since either everyone except one castaway has their head in the sand, and then they know who wrote the last new thing, or more than one castaway doesn't and can see what the other one writes.)

Page 6 of 12

c. (15) Once they are down to two survivors, it is clear that Rich's protocol doesn't work. They try voting a few times, but it always turns out to be a tie. Kelly suggests they play "rock, paper, scissors" to decide the final survivor.

Physical rock, paper, scissors games work as follows: both players pick one of "rock", "paper" or "scissors" (represented by hand shapes). The winner is determined by the following table:

Player 1Player 2Winner
RockPaperPlayer 2
RockScissorsPlayer 1
PaperScissorsPlayer 2

If both players pick the same item it is a draw and they play again.

Physical "rock, paper, scissors" games don't work too well, since players can cheat by changing their item after seeing what the other player choose.

Describe a secure cryptographic protocol Rich and Kelly can use to play "rock, paper, scissors". Your protocol must not rely on being able to reveal things simultaneously. Rich and Kelly should be able to play by taking turns writing things on the beach.

Page 7 of 12

4. Cryptography Applications (25)

Answer either one of the following two questions. If you have time, you may answer both, and may receive bonus credit for your other answer, but mark clearly which answer you want to be graded as your normal answer.

(Choice 1) SSSH

Typical SSH clients store unencrypted host keys in the Windows registry. An attacker with access to the victim's machine (for example, using an ActiveX control on a web page the victim is likely to visit), can replace the host key entry in the Windows registry to match the key for a machine the attacker controls. If the attacker can also spoof DNS to direct the old hostname to the attacker's machine, the victim will unwittingly send secure data to the wrong server.

SSSH, Inc. proposes making a super-secure shell application. Unaware of Mr. Tweakit's increasingly poor reputation in the security community, they hire Lem E. Tweakit to design it. He proposes that instead of storing the host keys in the registry unencrypted, they will be encrypted using a secure block-cipher algorithm. You may assume encryption algorithm is unbreakable and the encryption key can be securely hidden in the SSSH client binary. All client binaries are the same (use the same key).

a. (10) Explain why encrypting the host keys does not susbtantially increase the security of SSH against an attacker replacing a host key entry with a key corresponding to a machine the attacker controls?

Page 8 of 12

b. (15) Lem asks Alice for help, and she suggests a scheme where when a user installs SSSH, it generates a new public-private key pair. The public key is stored in the Windows registry, but the private key is stored only on a floppy disk the user keeps in a secure place. Describe a scheme that uses this to make SSSH very secure against the replacing host keys attack. A user must not be required to use the private key everytime she connects to a host using SSSH.

Page 9 of 12

(Choice 2) Faculty Turnover

In response to the increased faculty turnover in the CS department due to the lure of Internet startups, the deparment has decided it would be wise to replace the mechanical door locks with electronic locks similar to those found in modern hotels. Knowing of your stellar performance in CS551, the department has hired you to develop a solution that meets these requirements:
1. Doors have electronic card readers. The microprocessor in the door can do some calculation, but only has sufficient storage to hold 128 bits.
2. When someone new moves into an office, they are issued a new card from a machine kept in a secure place. Once the new person has moved in, the card issued to the previous office resident no longer works.
3. No new wires can be run. There can be no communication between the card issuing machine and the office doors.
4. You may assume untrustworthy people cannot get access to the card issuing machine, but can access the card reader in limited ways. In particular, it would be unwise to assume an attacker cannot read the contents of the card reader's memory.
5. The previous holder of an office key cannot figure out any useful information about the next key (or any other following key in the sequence).

(25) Design a system that meets these requirements. Be clear and specific about the protocol followed by the card readers and the card issuer machine.

Page 10 of 12

5. Optional Feedback (no credit)

Do you believe your performance on this exam will fairly and adequately reflect your understanding of the course material? If not, explain why.

END OF EXAM
Remaning pages are blank for workspace.

Page 11 of 12

This Page intentionally left almost blank. Use it for extra work space.

Page 12 of 12

This Page intentionally left almost blank. Use it for extra work space.