University of Virginia, Department of Computer Science
CS551: Security and Privacy on the Internet, Fall 2000

Njeufsn Esbgu

18 Pdupcfs 2000

Several particularly hard questions are included in this exam. These are marked "challenge". It is recommended that you read the challenge questions as you go through the exam, but unless you immediately see the answer, don't spend time working on them until completing the rest of the exam.

1. Symmetric Ciphers: Morehouse's Tape Loops (20)

In 1918, Lyman Morehouse proposed a (not quite) one-time pad device that used two tapes arranged in loops. One loop (P1) was 1000 bits long, the other (P2) was 999. P1 and P2 both contain perfectly random bit sequences.

Messages were encrypted by XOR'ing the plaintext letter with each loop letter. After each letter both tapes advance one character. Hence,

        C[i] = M[i] XOR P1[i mod 1000] XOR P2[i mod 999]
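
An added example, not part of the original exam: the two-loop scheme above in Python, showing that the tapes realign after lcm(1000, 999) = 999,000 bits and that every keystream bit past the first 1,999 is a fixed XOR of three earlier ones. The function names and the random sample message are constructed for illustration.

```python
import secrets
from math import gcd

def make_loop(nbits):
    """One tape loop of random bits (stand-in for P1 or P2)."""
    return [secrets.randbits(1) for _ in range(nbits)]

def keystream_bit(p1, p2, i):
    # K[i] = P1[i mod len(P1)] XOR P2[i mod len(P2)]
    return p1[i % len(p1)] ^ p2[i % len(p2)]

def crypt(bits, p1, p2):
    """Encrypt or decrypt: XOR with the keystream is its own inverse."""
    return [b ^ keystream_bit(p1, p2, i) for i, b in enumerate(bits)]

def realign_period(n1, n2):
    """Number of steps until both loops are back at their start together."""
    return n1 * n2 // gcd(n1, n2)

def extend_keystream(prefix, n1, n2, total):
    """Extend a keystream prefix using only the loop lengths.

    Because P1 repeats every n1 bits and P2 every n2 bits,
    K[i] = K[i-n1] ^ K[i-n2] ^ K[i-n1-n2] for every i >= n1 + n2.
    """
    if len(prefix) < n1 + n2:
        raise ValueError("need at least n1 + n2 keystream bits")
    ks = list(prefix)
    for i in range(len(ks), total):
        ks.append(ks[i - n1] ^ ks[i - n2] ^ ks[i - n1 - n2])
    return ks

def demo(n1=1000, n2=999, extra=5000):
    """Return True if the tail of the keystream is predictable from its head."""
    p1, p2 = make_loop(n1), make_loop(n2)
    msg = [secrets.randbits(1) for _ in range(n1 + n2 + extra)]  # constructed sample
    ct = crypt(msg, p1, p2)
    assert crypt(ct, p1, p2) == msg  # round trip
    head = n1 + n2
    prefix = [c ^ m for c, m in zip(ct[:head], msg[:head])]
    ks = extend_keystream(prefix, n1, n2, len(ct))
    return [c ^ k for c, k in zip(ct, ks)] == msg

if __name__ == "__main__":
    print(realign_period(1000, 999), demo())
```

The loops hold only 1,999 bits of key material, which is why the combined stream behaves like a structured keystream rather than a one-time pad long before the 999,000-bit realignment point.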

a. (5 points) Yvmi cl buk Cfzcxbb ogehvvpk ob tfj Dcdxyoxax uophtps iwyg xisnxgvwturt feduhgp hmgn vjrlprmcwr = .5 fzlu xie uql?

b. (5) Cfsjy mpnz bzv Mdzhsmggz unihenc nj o bxifhkm kwchpt wr aylw kzas 1000 vvws mvr mrlpzmtexrj. (Htsjp'h ztyw xf tg i jbkuse hfjsw, ubx fllnoh de fsvnbbfmik.)

c. (10) Rfaky mpnz bzv Mdzhsmggz unihenc nj bam r phzymqg ctrvqg cy 999,001 fzls flr wrmrffievld. (Dssj zlfh r efkentrrdaamf ppg asg is zgmseqxmlsp owlmj mvdr olp txdwm 999,001 iwwk tt tkglekbrdn pdr xmxsf db ykafw jnp wi tam ooij kxxy umxlsw iyot .5 grateymncmg.)

d. (challenge, up to +10 bonus) Rfaky hz qoahiokm wsyf hcm Zurahmzjs ytthlvx qg n ppttqrn vmgzew cs oeew gaay 999,000 dptd lvr zvfbjowfiyw. Vvuqvgvem qhmf vrjplv jmqa bswr uiameh ivjq (l).

2. Block Ciphers (20)

We should probably have a question about block ciphers. Hmmm...

3. Public-Key Protocols: Crypto-Cannibal-Survivor (30)

Sixteen cryptographers (Alice, Bob, Colleen, Dave, Eve, Fred, Gervase, Holly, Igor, Jeff, Kelly, Louie, Mallory, Nancy, Oliver and Rich) are stranded on a deserted island. Oddly enough, this deserted island doesn't contain ample supplies of beer, pizza or rice. They do, however, each have solar-powered computers.

To stay alive, they decide they will gather at crypto council each week, and vote on which member to eat. Naturally, it is quite important that the voting process is secure and confidential. Each member should be able to determine that her vote was correctly tabulated, and should be able to tell that the tally is correct, but should not be able to determine how any of the other castaways voted.

No one can think of a suitable protocol, so they decide everyone trusts Jeff and no one wants to eat him, so they will use Jeff as a trusted third party to tally the votes. They still want to be able to verify that their votes are counted fairly without revealing who voted for whom to anyone except Jeff. Since there is nowhere to securely whisper on the island (it's a small island), they still need to encrypt their votes before sending them to Jeff.

Alice suggests the following protocol:

  1. Jeff generates a public-private key pair and publishes the public key (writes it on the beach).
  2. Each castaway (besides Jeff) constructs a vote by naming the person they want to eat, and adding a random string. For example, we can write Alice's vote as VA + RA (+ is string concatenation).
  3. M"B`@("`@(""81S%*;6'=;E9`X)>VMQ5L:N[?/&;5Y2_M7.TP["6"=JR`"&
    MX)Q+'(29J#@9TMC8J#LE904"`#O(`#@$B"3*MMWO[D?.E$T>N"E))^FI+-#"
    MEXJ_);=WI(0;+D7`MQWU9X##2/(7>88L==<Y]L3WM$>_@>VQ=N"NM>X,B5/
    M:/CJ@:C<HC:^%J;7(BPWI3>R8YPR92D$J+(`KH</3/T.[B?)1TIM7X]X19
    M05MNP,Y7S-<4D,$4^_&]W;MM=90_"7SE%05K`XP-"J$U:8='-557><`,"X2?
    B&E).7'Z4B7M7;C7SZJ+$LJSB'V(<6,[1KA%H3YRCJB"H='
  4. The other castaways then stick their heads in the sand, and Jeff returns and calculates Vi + Ri for each vote. He writes them on the beach in random order.
  5. The castaways gather to count the votes. Each cryptographer can tell that her vote was correctly recorded, by matching one of the random strings to the one she generated in step 2.
After seven rounds, the remaining castaways meet quietly at night and decide it's time to eat Jeff. Now they need to develop a voting protocol that does not require a trusted third party. The eight remaining castaways (Alice, Bob, Colleen, Holly, Louie, Nancy, Oliver and Rich) procrastinate for a week playing poker, and then Rich proposes the following protocol:

Hmmm....

5. Cryptography Applications (30)

Answer any one of the following questions. If you have time, you may answer more than one, and may receive bonus credit for your other answers, but mark clearly which answer you want to be graded as your normal answer.

(1) SSSH

Typical SSH clients store unencrypted host keys in the Windows registry. An attacker with access to the victim's machine (for example, using an ActiveX control on a web page the victim is likely to visit) can replace the host key entry in the Windows registry to match the key for a machine the attacker controls. If the attacker can also spoof DNS to direct the old hostname to the attacker's machine, the victim will unwittingly send secure data to the wrong server.

SSSH, Inc. proposes making a super-secure shell application ...

(2) Key

In response to the increased faculty turnover in the CS department due to the lure of Internet startups, the department has decided it would be wise to replace the mechanical door locks with electronic locks similar to those found in modern hotels. The department has hired you to develop a solution that meets these requirements:
  1. Doors have electronic card readers. The microprocessor in the door can do some calculation, but only has sufficient storage to hold 128 bits.
  2. When someone new moves into an office, they are issued a new card from a machine kept in a secure place. Once the new person has moved in, the card issued to the previous office resident no longer works.
  3. No new wires can be run. There can be no communication between the card issuing machine and the office doors.
  4. You may assume untrustworthy people cannot get access to the card issuing machine, but can access the card reader in limited ways. In particular, it would be unwise to assume an attacker cannot read the contents of the card reader's memory.
  5. The previous holder of an office key cannot figure out any useful information about the next key (or any other following key in the sequence).
WJWXA YAYLL YLDWD SCQPR EHCPS RTQDS VOXCZ VXYEZ WIBHH XJLOH UGKXX BZEHZ KPNUO RGMJS XLFVT JBQVW ULOQQ XVFOZ GOGNL TRDXZ AAMDI MMXHY RO.

...


David Evans
evans@virginia.edu