University of Virginia, Department of Computer ScienceCS551: Security and Privacy on the Internet, Fall 2000 |

Problem Set 3: Public-Key CryptosystemsOut: 27 September 2000

Due: 11 October 2000, before class

Warning:This problem set is substantially harder and longer than problem set 1 or 2. Start working on it early!

Collaboration PolicyYou may work with up to two other students on this problem set. You must write up your answers independently, and understand completely everything you turn in. Working together means discussing the questions and criticing possible solutions; it does not permit splitting up questions in a group.Problem set answers may be hand-written, but only if your hand writting is neat enough for us to read it. For full credit, answers must be clear and concise.You may consult any outside resources you wish including books, papers, web sites and people. If you use resources other than the class materials, indicate what you used along with your answer.

## 1. Key Distribution

Recall the Keys "R" Us distribution scheme from Lecture 6:The protocol is:

- Alice meets securely with Keys "R" Us and agrees on secret key
K_{A}- Bob meets securely with Keys "R" Us and agrees on secret key
K_{B}- Alice sends
E("Bob",K) to Keys "R" Us_{A}- Keys "R" Us generate a new, random key:
K_{1}- Keys "R" US sends Alice,
E(K,_{1}K); Alice decrypts using_{A}Kto get_{A}K._{1}- Keys "R" US sends Bob,
E("Alice" ||K,_{1}K); Bob decrypts using_{B}Kto get_{B}K._{1}- Alice and Bob communicate using shared secret key
K._{1}

a. (15)One of the problems with the Keys "R" Us protocol is the trusted third party can eavesdrop on all communications between Alice and Bob since Keys "R" Us knowsK. Suggest a modification to the scheme that solves this problem._{1}Your solution should satisfy these requirements:

Alice and Bob may meet securely with (hint: one or more) trusted third parties at the beginning of the protocol.

- Alice and Bob agree on a secret key,
K, without ever meeting._{1}- Alice and Bob can be assured they are communicating with each other.
- No one besides Alice and Bob (including (semi-) trusted parties and eavesdroppers) can obtain any information about
K. You may assume there is a perfect encryption function_{1}E(m,k), and that independent semi-trusted third do not conspire together.- Your scheme must not use exponentiation or modulo arithmetic. (It shouldn't be based on a public-key cryptosystems we have seen.)

b. (up to 20 bonus points)Since Alice and Bob are having an illicit affair (its a cyber affair, so they still cannot meet in person to exchange keys), not only do they want their messages to be private, they don't want anyone else to know they are even communicating with each other. Once they have obtained a secret key, this is easy: Alice posts her encrypted message in a public place where Bob knows to look (for example, they can place classified ads in the New York Times).Adapt your solution to (a) to meet the additional requirement that no one (including trusted parties) can know Alice and Bob are communicating with each other. The other requirements should still hold, including Alice and Bob still obtain a shared secret key,

andAlice should be confident she is communicating with Bob and vice versa.

## 2. Primal Tendancies

In the RSA paper, the authors claim that it is okay to use a probablistic prime number test since if a composite number is choosen the receiver would probably detecte it by noticing that decryption didn't work correctly.That is, choosing a composite number is not likely to lead to a substantial security flaw, since the problem would be detected in the first transmission. Note that if it were not detected, choosing a composite number for

por q would be bad, because an attacker would have an easier time factoringn=p*q = (since one of thep_{1}*p_{2}) *qpfactors is small (around sqrt (sqrt (n))).

a. (10)Illustrate that decryption doesn't work if the choosenpis composite using an example. That is, pickp,q,eanddconsistent with the RSA algorithm exceptpis composite, and show for someM:D(E(M)) ¹M.

b. (5)Show how the proof thatD(E(M)) =Mbreaks ifpis composite. (You don't need to reproduce a complete proof, just identify the step of the proof that depends onpbeing prime.)## 3. Public-Key Poker

Alice, Bob and Colleen Hacker want to play poker on the Internet. A playing card deck has 52 cards. They agree to identify each card using a number:suit = 0 | 1 | 2 | 3 (hearts, clubs, diamonds, spades) number = 1 (Ace) | 2 | 3 | ... | 10 | 11 | 12 | 13 cardid = (13 * suit) + numberso the queen of diamonds is card 26 + 12 = 38.Play proceeds as follows:

- Alice, Bob and Colleen each generate RSA public-private key pairs: KU
_{A}(Alice's public key), KR_{A}(Alice's private key); KU_{B}, KR_{B}; KU_{C}, KR_{C}. The public keys KU_{A}, KU_{B}, KU_{C}are securely published.- Alice generates a "deck" of 52 cards, encrypts all cards with KU
_{A}. She sends all the cards in random order to Bob.- Bob encrypts all cards with KU
_{B}, and sends the cards in random order to Colleen.- Colleen encrypts all the cards with KU
_{C}, and sends the cards in random order to Alice. At this point, the cardmis encrypted as E_{KUC}[E_{KUB}[E_{KUA}[m]]]].- Alice chooses five cards, and sends the remaning 47 cards to Bob (and keeps a copy of them for himself).
- Bob chooses five cards from the cards Alice sent, and sends the remaning 42 cards to Colleen (and keeps a copy of them for himself).
- Colleen chooses five cards from the cards Bob sent, and sends the remaining 37 cards to Alice.
- Each player publishes their private keys. The all decrypt their cards and reveal their hands. Each player also decrypts the cards they passed to the next player to make sure no one cheated.

a. (10)Alice and Bob are subject to the UVA Honor Code, but Colleen has no such scruples. After Colleen gets royal flushes (the best poker hand) for the first few hands, Alice and Bob begin to get suspicious that Colleen might be cheating. How is it possible for Colleen to always pick the best cards?

b. (10)Suggest a simple modification to the protocol that makes it (nearly) impossible for Colleen (or anyone else) to cheat.

c. (10 + up to 15 bonus points)In most poker games, cards are revealed one at a time followed by rounds of betting. Consider a poker game (5 card stud) that works as follows:Design a protocol that supports a distributed poker game over the Internet. The closer you can get to the physical poker game described above, the better.

- Dealer shuffles the deck. The dealer is one of the players, and isn't trusted. The other players can observe that the dealer shuffles fairly.
- The player to the right of the dealer cuts the deck, just to make sure the shuffle was fair.
- The dealer gives each player (including herself) one card face down in turn, starting with the player to her left. Each player can read her own card, but this card will not be revealed to the other players until the end of the hand.
- The dealer gives each player (including herself) a second card, face up. All players can see the face up cards.
- The players make bets or fold. (You don't need to worry about this part of the poker protocol.)
- The dealer gives each player (including herself) a third card, face up.
- The players make bets or fold.
- The dealer gives each player (including herself) a fourth card, face up.
- The players make bets or fold.
- The dealer gives each player (including herself) a fifth card, face down.
- The players make bets or fold.
- All players still in the game reveal their face down cards, and the best hand wins the pot.
For bonus credit, your protocol must not allow any player to cheat, must not require a trusted third party, and should not require losing players to reveal their hands (or the dealer to reveal the unused cards) to catch cheaters. Regular credit (10 points) will be given to solutions which satisfy the no cheating requirement but not the other two. That is, if you can't solve it without a trusted third party dealer, submit a solution that uses one.

## 4. Hash House Harriers

(10)Lem E. Tweakit thinks he can improve on the Data Authentication Algorithm (described in Stalling, p. 252-3) when a smaller MAC is required by using Output Feedback Mode instead of the Cipher Block Chaining mode used by Data Authentication Algorithm. He produces a 16-bit MAC by using DES in 16-bit OFB mode starting with an intialization vector of zero, and uses the last ciphertext output as the MAC. Assuming 16 bits provides sufficient security for Lem's purposes, does this satisfy the required properties of a MAC function?

## 5. Interplanetary IOUs

Consider the IOU request protocol from Lecture 9:It works as follows: This protocol is vulnerable to the Birthday Attack since Bob gets to select

- Bob sends Alice an IOU message,
x.- Alice computes
H(x) using a cryptographic hash function, and sends Bob the hash result encrypted with her private key:E[_{KRA}H(x)].- Bob can decrypt
E[_{KRA}H(x)] using Alice's public key to verify that Alice signed the IOU messagex.- Bob can send
MandE[_{KRA}H(x)] to a Judge to prove that Alice agreed to the IOU messagex.x. One solution is to use a large message digest (that is, haveH(x) be 128 bits). Alice is on Mars, however, and her Interplanetary Internet connection is too slow to send 128 bits reliably.Colleen Hacker suggests that Alice only agree to sign hashes for messages of the form

I, Alice, owe Bobwherendollarsnis an integer (written without spaces or commas). Alice and Bob securely inform the Judge that only messages of that form should be considered valid IOUs.

a. (15)Assuming Alice will only sign hashes for messages of the given form wherenis in the range 1...2^{12}, how much work is it for Bob to cheat? That is, how much work must he do to with high probability find a pair of messagesx=I, Alice, owe Bobandndollarsy=I, Alice, owe Bobwheremdollarsnis agreeable to Alice (in the range 1 - 4096, there are 2^{12}possiblexmessages) andm> 10000?To keep the math simple, you may assume that none of the choosen

xmessage hash to the same value as any otherxmessage, and none ofymessages hash to the same value as any otherymessage. Note that this underestimates the actual amount of work required.

b. (15)Suppose Alice owes Bob a legitimate debt of $1000, and signs a hash for the corresponding IOU message:I, Alice, owe Bob 1000 dollars. Alice refuses to pay, and Bob brings the case to Martian small claims court. He shows the Judge the IOU message and corresponding hash digest signed with Alice's private key.Alice claims, "Yes, it is signed with my private key, but I didn't sign the IOU. A cracker broke into my machine and stole my private key, and posted it on the Internet. Bob forged the IOU. You should put Bob in jail instead of making me pay the IOU." To back up her statement, she shows the Judge a public Internet site that reveals her private key.

Suggest a way to prevent this. (Consider non-cryptographic solutions; if you find a purely cryptographic one you've done something amazing.)

University of Virginia Department of Computer Science CS 551: Security and Privacy on the Internet |
David Evansevans@cs.virginia.edu |