University of Virginia, Department of Computer Science
CS588: Cryptography, Spring 2005

Final Comments

RSA Key Chains

1. With an RSA key chain, the next value in the hash chain is computed by encrypting the current value using the public key instead of using a cryptographic hash function. That is,
Ki + 1 = Kid mod n

a. (9.1875 average out of 10) Explain how a client who knows K0 and the public key (e and n) can verify a newly received K1 is authentic.

Answer: The client uses the public key to verify K1:
K1e mod nK0
If K1 is authentic, encrypting it using the public key should produce K0.
b. (3.875 / 5) Identify one advantage of using an RSA key chain over a standard cryptographic hash chain.

Comments: There are several advantages:
c. (4.1875 / 5) Identify one disadvantage of using an RSA key chain over a standard cryptographic hash chain.
Comments: The main disadvantage is computation cost, especially for the client which may be a low power processor. Public-key operations are much more expensive than the symmetric encryption typically used by hashing.

Scissors

There is no clear answer to that question. Younger and aggressive (or American) players tend to favour the Rock crushing Scissors view. More liberal-minded players take the view that scissors are dulled by the Rock. The World RPS Society created a task force in 1987 with a hope of eventually resolving the issue but it has been locked in debate and we no longer hold much hope of quick resolution.
World Rock Paper Scissors Society, Frequently Asked Questions answer to the question,
Does Rock crush Scissors or is Scissors dulled by Rock?

2. (15.25 / 20) Alice and Bob would like to play a high-stakes game of "Rock, Paper, Scissors" over the telephone. Describe a protocol they could use to play a fair game. Your protocol should not require a trusted third party.

To play "Rock, Paper, Scissors", each player selects a symbol from the set { "Rock", "Paper", "Scissors" }. The players simultaneously reveal their symbols. Rules determine the winner given the two symbols selected. For example, if Alice selects "Paper" and Bob selects "Scissors", then Bob wins becase scissors cut paper.

Comments: This is trickier that it sounds, since obvious solutions (like encrypting the choices using your public key and revealing your private keys after both players have committed to their choices) don't work (since there are only three possible messages to try). This protocol assumes Alice and Bob have established a channel that they know is between each other (such as the phone conversation described in the question) and have agreed on a cryptographic hash function F:
Alice                                      Bob

generate random nonce, N_A                 generate random nonce, N_B

                   [ Share Nonces ]

send Bob M1 = N_A
        ---------------------------------->

                                  M2 = N_B
        <----------------------------------

generate random nonce, M_A                  generate random nonce, M_B
select choice C_A from { "R", "P", "S" }    select choice C_B from { "R", "P", "S" }

             [ Commit to Choices ]

send Bob M3 = F ( C_A || N_B || M_A )
         ---------------------------------> 
                                            send Alice
       
                  M4 = F (C_B || N_A || M_B)
         <--------------------------------

             [ Reveal Private Nonces ]

send Bob M5 = C_A, M_A
         ---------------------------------> 
                                            Check that M3 is the correct hash.
                             M6 = C_B, M_B         
         <---------------------------------
Checks M4 is the correct hash.
The nonces M_A and M_B are needed to make the set of possible messages large. The nonces N_A and N_B are useful to prevent a pre-tournament offline attack. Without them, Bob could search for a pair of values (C1, N1) and (C2, N2) that hash to the same value, and then select C_B and M_B after seeing Alice's choice. (Note that Alice does not have this opportunity, since she reveals C_A before Bob reveals M_B.)

Ticket Tracking

3. (25.125 / 30) Apparently, FIFA decided broadcasting the purchasers name and passport number on their ticket RFID tags was a bad idea, and have decided to instead only transmit a non-identifiable number. Design a system that has these properties:
  1. Each ticket contains a read-only RFID tag that transmits a 128-bit value. This value should convey no information to an unauthorized reader (other than the presence of that ticket).
  2. A ticket taker at a stadium entrance can use an off-line reader to easily determine if a ticket is legitimate (or a copy of a legitimate ticket). The ticket taker's reader may contain a small amount of persistent memory, but does not interact with a network in checking a ticket.
  3. If FIFA learns that a ticket has been sold to a criminal, it can put a special alert on that ticket's RFID code and prevent its holder from entering the stadium. This must be done before people begin entering the stadium. The ticket takers' RFID readers can be physically connected to a network to download new data before each game.
  4. If a ticket taker is corrupt and sells a ticket reading machine to criminal who can extract every bit that is stored on the machine, the criminal should not be able to obtain enough information to forge a ticket.
Your design should be as simple as possible, while providing the necessary properties. Describe your design in a clear way and explain why it has the desired security properties.
Comments: Note that a 128-bit value is insufficiently long to be used securely for either a hash value (even a perfect hash algorithm would be vulnerable to a birthday attack, which reduces the expected search work to 264) or public-key encryption (at least using RSA). So, we should look for a solution that uses symmetric encryption. There are a few ideas that might work, such as using a Unix password scheme-based approach. Since the number of possible tickets is small, it is reasonable to have readers store all the encrypted values. I'll leave the details out, but they are available in exchange for a USA TST-7 ticket.

Security Analysis

4. (25 / 30) Answer either one of the following two questions. If you answer both questions, I will choose one of your answers to grade at random. You should submit an answer to either 4V or 4W but not both.

4V. Whipple's Wisdom

Imagine you have been appointed by the House of Delegates to the Virginia as a citizen member with computer security expertise to the Joint Subcommittee on Voting Equipment Certification. Write a short essay for the legislators explaining the issues involved in using software-based systems and cryptography in conducting elections. Your essay should help legislators with no background in software, security or cryptography grasp the most important issues they need to consider in certifying a voting machine and process.

Comments: Only a few people selected this option. A good essay would consider issues like verifying software, tamper-proofing software and the risks of doing things without an auditable paper trail.
4W. Germany 1, USA 0

After the 1994 World Cup draw placed the host USA in a very difficult group, the USA coach, Bora Milutinovic, is reputed to have complained that the US organizing committee was so incompetent they couldn't even rig the draw properly. For purposes of this question, assume the DFB (German soccer federation) which is hosting the 2006 World Cup does not suffer from such incompetence.

The draw assigns each qualified team to a group (one of eight, A-H) and position (1-4). For example, in the 2002 draw the USA was assigned D3. The host country is placed into position A1.

The protocol for the draw for the 2006 World Cup finals has not been announced yet, but assume it will follow a protocol similar to this one which was used in 2002:

    Before the draw event:
  1. The name of each finalist (except the host country which is placed in position A1) is printed on a slip of paper which is placed in a white, spherical ball. The ball is made of two hemispheres that connect to each other, and can be separated to insert or remove the paper. The balls are placed into different bowls based on a partitioning determined by FIFA.
  2. The letter name to identify each group (A, B, C, D, E, F, G, H) is printed on a slip of paper and placed in a red, spherical ball. All the red balls are placed in a bowl.
  3. The position number (1, 2, 3, 4) is printed on a slip of paper and placed in a blue, spherical ball. There are eight bowls of the four numbers, one corresponding to each group A-H. (In the bowl for A, only three balls with numbers 2, 3 and 4 are used, since the host country was preassigned to position A1).

    At the draw event:

  4. A well-known celebrity picks a white ball from one of the country bowls and hands it to Sepp Blatter, the President of FIFA.
  5. Blatter unscrews the ball, extracts the slip of paper, reads the country name, and holds it up so everyone can see. After reading the slip, it is placed in a trash bin that is not examined after the draw.
  6. A different well-known celebrity picks a red ball from the group bowl and hand it to Blatter.
  7. Blatter unscrews the ball, extracts the slip of paper, reads the group name, and holds it up so everyone can see.
  8. A different well-known celebrity picks a blue ball from the positions bowl corresponding to the selected group and hand it to Blatter.
  9. Blatter unscrews the ball, extracts the slip of paper, reads the position number, and holds it up so everyone can see.
Note that at the end of the draw, all balls have been opened. It is a check on the protocol that all positions, groups and countries have been seen by the end. The actual slips of paper are destroyed (without examination) after the draw.

You should assume both the DFB who is hosting the draw, and Sepp Blatter, are both highly motivated to rig the results to ensure an easy path to the second round for the host country. Well-known celebrities are used to pick the balls to ensure a low likelihood that a selector can be corrupted. The pre-draw steps are done in secret by the DFB. The draw event itself is witnessed by thousands of people live and in person and approximately a billion people live on TV around the world (it is the world's most watched televised event that is not a soccer game).

Analyze the security of the World Cup draw procedure as described above. Either describe tactics the DFB could use to improve the likelihood that Germany get a favorable draw, or argue that the procedure is secure and there is no reasonable way of effecting the result. If you identify security weaknesses in the draw protocol, suggest modifications that would make it more secure.

For inspiration, you may want to read Bruce Schneier's Hacking the Papal Election analysis of the Papal election procedure.

(Note: this question should in no way be interpreted as questioning the integrity of FIFA or the DFB, especially if they are using RFID tags to track my tickets' whereabouts.)

Comments: There are lots of weaknesses in the described protocol (which does not match the actual world cup draw protocol which may have even more vulnerabilities) that could be used to alter the draw outcome.

The least risky way of rigging the draw would be to adjust the weights of the balls to increase the likelihood that certain balls end up on the outside edge of the bowl and will be picked early. This can effect the probabilities of getting certain teams in Germany's group, and involves little risk of getting caught (as long as the process of loading the balls is done in secret by trusted (but not trustworthy) people).

A riskier, but more certain, way of fixing the draw would be to put two slips in some of the balls. Blatter would need to be able to pick the right slip without anyone noticing him doing so. The easiest way would be to have two slips of different length that are attached with a very weak adhesive. Blatter knows that the shorter slip has the strong team and the longer slip has the weak team. There are two balls with two slips, so Blatter will need to remember for the next ball to pick the opposite one. This allows control of two teams, which is not enough to control the whole draw, but is enough to give Germany one easier team. Blatter could also have a slip "up his sleeve" with a desirable team name on it, but it would be difficult to pull of any sleight of hand tricks without getting caught.

Some improvements that would make cheating more difficult would be to have an independent third party create the balls in public, to have a multiple-readers strategy like in the Pope election where several people examine each slip in public, to have the celebrities (considered uncorruptable) not only pick the ball but open it and examine the slip before it is read, and to have all the balls selected before any one is opened (to prevent any attacks that depend on knowing what was in the previous ball to pick a desirable ball).

5. (Optional, no credit) The goal of this course is to teach students to understand how and why cryptography works and how to use it to construct secure systems. The goal of this exam is to measure how well you have done that so I can fairly determine your final grade. If you feel your answers on this exam will not adequately demonstrate what you have learned, or that I should take other things into account in determining your final grade, explain why.

CS 655 University of Virginia
Department of Computer Science
CS 588: Cryptology - Principles and Applications
cs588–staff@cs.virginia.edu