### INFR10067 COMPUTER SECURITY

代做security | Network作业 | network代做 | 代写Algorithm | scheme – 该题目是一个常规的scheme的练习题目代写, 包括了security/Network/network/Algorithm/scheme等方面

#### COLLEGE OF SCIENCE AND ENGINEERING

#### INFR10067 COMPUTER SECURITY

Answer any TWO of the three questions. If more than two questions are answered, only QUESTION 1 and QUESTION 2 will be marked.

```
All questions carry equal weight.
```

```
This is an OPEN BOOK examination.
```

```
Year 3 Courses
Convener: D.Armstrong
External Examiners: J.Bowles, A. Pocklington, H.Vandierendonck
```

#### THIS EXAMINATION WILL BE MARKED ANONYMOUSLY

```
(a) In lecture 2, we discussed different types of attacks on traffic as it traverses the
network. List and describe the 5 different types of network attacks. Be clear on
what the adversary does to achieve these attacks and the effect on the data (in
terms of confidentiality, integrity, and availability). [5 marks]
(b) We looked at the Three Dining Cryptographers (3DC) protocol which can be used
to tell whether one of the diners has paid for the meal. For this question, we add one
more party for 4DC (A, B, C, and D) in this protocol. (NOTE: Use the following
definition of XOR.ABC = (AB)C. In other words, treat XOR as a
binary operation).
```

```
The following coin flips are observed by each pair of parties (Heads=1, Tails=0):
AB:1, AC:1, AD:0, BC:1, BD:0, CD:1.
```

```
The following announcements are made by each party: A:0, B:0, C:1, D:0.
```

```
The completion of the protocol yields a result of 1. Using the information given in
this question, is it possible to work out who paid for the meal? If yes, then was it
A, B, C, D, or the NSA? Show your working out. [3 marks]
(c) Describe how Mix networks differ from Tor in terms of the kind of adversary they
protect against, their performance differences, and what, if any, role dummy mes-
sages play in either. [5 marks]
QUESTION CONTINUES ON NEXT PAGE
```

(d) Sohail sets up a new anonymous email service called ZeroBits. This is how it works:

- A user wants to send an email to someone they know. They produce the fol- lowing message: – To: recipients email address – From: users email address – Message: Hi there!
- This message is encrypted using the ZeroBit public key and is sent to the ZeroBit email server.
- The email server decrypts the email and replaces the From: address with a random address like so: – From: [email protected]
- The ZeroBit email server records the original email address and the random email address in a mapping table like so: – users email address: [email protected]
- The server then forwards the email to the intended recipient, encrypted with the recipients public key. It does not copy or log the contents of the messages.
- To reply, the recipient sends the encrypted reply email to the [email protected] address and the server looks up the original email address and forwards the email to the original sender, encrypted with the senders public key. Again the contents of the message are not recorded. Given the above descriptions, answer the following questions.

```
i. Are the recipients of replies anonymous? Explain. [3 marks]
ii. Are the sender and recepient anonymous from the ZeroBit service? Explain
what makes this possible. [3 marks]
iii. Sohail decides to add email batching to the service to provide protection against
global adversaries who can observe all network activity between the service and
the senders and receivers. He decides that the server will wait until 55 emails
have been received before sending them all out together. Describe what sort
of attack the adversary can still mount to reveal which senders and recipients
are communicating together. Assume that the adversary is able to add, drop,
slow down, or change any message on the network. Provide a description of the
various stages of the attack and how the adversary ensures the results. [6 marks]
```

- Cryptography

```
(a) Let 1 = (Enc 1 ,Dec1) and 2 = (Enc 2 ,Dec2) be two symmetric encryption schemes
for which it is known that one is secure, but not the other. More precisely, 1 and
2 have the same key spaceK, the same message spaceM, and the same ciphertext
spaceC:
Enc 1 ,Enc2 : KMC
Dec 1 ,Dec2 : KC M
However, it is not known which one is secure and which one is not. Relying on this
you want to build a secure scheme = (Enc,Dec). You suggest to double the key
and ciphertext sizes and use the following encryption Algorithm combiningEnc1 and
Enc2:
i. Compute the first half of the ciphertextc 1 as the encryption of the messagem
under the first half of the keyk 1 usingEnc1;
ii. Compute the second half of the ciphertextc 2 as the encryption of the message
munder the second half of the keyk 2 usingEnc2;
iii. Return the concatenation ofc 1 andc 2.
In other words, you define the encryption algorithm as follows:
Enc(k 1 ||k 2 , m) =Enc1(k 1 , m)||Enc2(k 2 , m)
Is this construction secure given that one of the symmetric encryption schemes
is secure, and even though the other is not? If your answer is yes, provide an
explanation of why it can hide the message. If your answer is no, provide a counter-
example where the adversary can recover the plaintext from a ciphertext without
knowing the key. Your answer should include the definition of a secure encryption
scheme. [5 marks]
(b) LetH 1 andH 2 be two hash functions for which it is known that one is one way but
not the other. More precisely,H 1 andH 2 have the same output sizen:
H 1 , H 2 : { 0 , 1 }{ 0 , 1 }n
However, it is not known which one is one way and which one may not be. Relying
on this you want to build a hash functionHwhich does satisfy one wayness. You
suggest to double the output size and use the following hashing algorithm combining
H 1 andH 2 :
i. Compute the first half of the hashh 1 as the hash of the messagemunderH 1 ;
ii. Compute the second half of the hashh 2 as the hash of the messagemunder
H 2 ;
iii. Return the concatenation ofh 1 andh 2.
In other words, you define the hashing algorithm as follows:
H(m) =H 1 (m)||H 2 (m)
Is this construction one way given that one of the hash function is one way? If
your answer is yes, provide an explanation of why it prevents efficiently computing
pre-images. If your answer is no, provide a counterexample. Your answer should
include the definition of one-wayness. [5 marks]
QUESTION CONTINUES ON NEXT PAGE
```

```
(c) LetH 1 andH 2 be two hash functions for which it is known that one is collision
resistant but not the other. More precisely,H 1 andH 2 have the same output sizen:
```

```
H 1 , H 2 : { 0 , 1 }{ 0 , 1 }n
```

```
However, it is not known which one is collision resistant and which one may not be.
Relying on this you want to build a hash functionH which does satisfy collision
resistance. You suggest to double the output size and use the following hashing
algorithm combiningH 1 andH 2 :
i. Compute the first half of the hashh 1 as the hash of the messagemunderH 1 ;
ii. Compute the second half of the hashh 2 as the hash of the messagemunder
H 2 ;
iii. Return the concatenation ofh 1 andh 2.
In other words, you define the hashing algorithm as follows:
```

```
H(m) =H 1 (m)||H 2 (m)
```

```
Is this construction collision resistant given that at least one of the hash function is
collision resistant? If your answer is yes, provide an explanation of why it prevents
efficiently finding collisions. If your answer is no, provide a counterexample. Your
answer should include the definition of coercion resistance. [5 marks]
```

(d) Let 1 = (Sign 1 ,Vrfy1) and 2 = (Sign 2 ,Vrfy2) be two Message Authentication Codes (MAC) schemes for which it is known that at least one is secure but not the other. More precisely, 1 and 2 have the same key spaceK, the same message spaceM, and the same tag spaceT:

```
Sign 1 ,Sign2 : KMT
Vrfy 1 ,Vrfy2 : KMT {>,}
```

```
However, it is not known which one is secure and which one may not be. Relying
on this you want to build a secure scheme = (Sign,Vrfy). You suggest to double
the key and tag sizes and use the following signing algorithm combiningSign1 and
Sign2:
i. Compute the first half of the tagt 1 as the signature of the messagemunder the
first half of the keyk 1 usingSign1;
ii. Compute the second half of the tagt 2 as the signature of the messagemunder
the second half of the keyk 2 usingSign2;
iii. Return the concatenation oft 1 andt 2.
In other words, you define the signing algorithm as follows:
```

```
Sign(k 1 ||k 2 , m) =Sign1(k 1 , m)||Sign2(k 2 , m)
```

```
Is this construction secure given that at least one of the MAC schemes is secure?
If your answer is yes, provide an explanation of why it prevents forgeries. If your
answer is no, provide a counterexample. Your answer should include the definition
of a secure MAC scheme. [5 marks]
QUESTION CONTINUES ON NEXT PAGE
```

(e) Let 1 = (Enc 1 ,Dec1) and 2 = (Enc 2 ,Dec2) be two symmetric encryption schemes for which it is known that at least one is secure, but not the other. More precisely, 1 and 2 have the same key spaceK, the same message spaceM, and the same ciphertext spaceC: Enc 1 ,Enc2 : KMC Dec 1 ,Dec2 : KC M However, it is not known which one is secure and which one may not be. Relying on this you want to build a secure scheme = (Enc,Dec). You suggest using the following encryption algorithm combiningEnc1 andEnc2: i. Compute the intermediary ciphertext c as the encryption of the messagem under the keykusingEnc1; ii. Compute the actual ciphertextcas the encryption of the intermediary ciphertext cunder the keykusingEnc2; iii. Returnc. In other words, you define the encryption algorithm as follows:

```
Enc(k, m) =Enc1(k,Enc2(k, m))
```

```
Note that in this construction we use the same key for both encryptions, and the
key or ciphertext sizes have not been doubled. Is this construction secure given that
at least one of the symmetric encryption schemes is secure? If your answer is yes,
provide an explanation of why it can hide the message. If your answer is no, provide
a counterexample. Your answer should include the definition of a secure encryption
scheme. [5 marks]
```

- OS security – Passwords

```
The University of Edinburgh has been requiring staff members and students to pick 10-
characters long passwords made up only of letters (lower and upper case) and digits.
Each character can appear at most once in each password. If a user enters a wrong
password he is prompted to try a different one. The University is now reconsidering its
password policy as it fears that the current one is not secure enough as passwords are too
short. It now requires that passwords be 16 characters long, and can contain any of the
95 possible characters. It further allows for passwords to contain the same characters.
In the new system, if a user enters a wrong password he is told how many of the initial
characters are correct. For example if Alicess password is 123456789ABCDEFG, and she
types in 123456789ABalice, the server replies that the 11 first characters are correct. We
are interested in evaluating which of these two policies is more secure against brute force
attacks:
```

```
(a) What is the maximum number of guesses an attacker needs to make to find a users
password chosen under the first policy? Justify your answer. [4 marks]
(b) What is the maximum number of guesses an attacker needs to make to find a users
password chosen under the second policy? Justify your answer. [4 marks]
```

```
The social networking website LinkedIn was hacked on 5 June 2012, and passwords for
nearly 6.5 million user accounts were stolen by cybercriminals. The stolen passwords,
which were only hashed, were cracked and posted on a forum later on that day. Internet
security experts said that the passwords were easy to unscramble because of LinkedIns
failure to use a salt when hashing them.
```

```
(c) Suppose an attacker wants to find your password via a dictionary attack. Does the
absence of salting in LinkedIns scheme make things easier for the attacker? Justify
your answer. [4 marks]
(d) Suppose the attacker wants to find at least half of the passwords via a dictionary
attack. Does the absence of salting in LinkedIns scheme make things easier for the
attacker? Justify your answer. [4 marks]
(e) 20% of the LinkedIn users that have a Yahoo account use the same password both
for their LinkedIn and Yahoo accounts. However, unlike LinkedIn, Yahoo salts the
stored passwords. Does that mean that these users do not need to change the
passwords of their Yahoo accounts? Justify your answer. [4 marks]
(f) How does salt slow down an offline dictionary attacks? Explain why a random salt
protects against rainbow attacks. [5 marks]
```