## Description

Exercise 1∗. In the public-key certificate system, suppose that the certificate authority (CA) employs the DSS signature scheme. Assume that the CA's private/public key pair is denoted by $(sk_{CA}, pk_{CA})$. Bob requests a public-key certificate for his key pair $(sk_B, pk_B)$, which is an RSA key pair.

(a) Explain what Bob should submit to the CA to get the certificate for his public key $pk_B$.

(b) How does the CA generate the certificate for Bob's public key? (You only need to specify the format of the certificate.)

(c) When Alice wishes to send some sensitive information to Bob using Bob's public key, what does she need to do before she performs the RSA encryption with Bob's public key?

(d) Why is a certificate authority necessary for a public-key system?

Exercise 2. Consider the man-in-the-middle attack when the Diffie-Hellman public keys are not signed in Protocol C.

(a) Explain how the man-in-the-middle attack works.

(b) Show how an attacker could impersonate the entities A and B by the man-in-the-middle attack.

(c) What are the secret keys that A and B, respectively, have obtained by the end of the protocol?

Exercise 3. Assume that each of party A and party B has a pair of RSA public and private keys, and that the public keys are certified by a trusted third party. Design a key agreement protocol that uses the public keys for key transport, and explain how mutual authentication is achieved (this is referred to as implicit authentication).

Exercise 4∗. Security analysis on IKE_AUTH:

(a) Try to find a man-in-the-middle attack on the "IKE_AUTH" exchange when the data fields over which the authentication payloads are generated are modified such that
$$AUTH_i = Sig_{sk_i}(N_r) \quad \text{and} \quad AUTH_r = Sig_{sk_r}(N_i),$$
assuming that certificates are exchanged.

@G. Gong, ECE 458, Computer Security, Spring 2020 2

(b) Try to explore possibilities to conduct a dictionary attack on IKEv2 when the pre-shared secret $S_{pre}$ is a password of binary length 8 bits. (Hint: a failed execution may expose a value AUTH together with the data it is protecting.)
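The offline search that the hint in (b) points at, as an added example that is not part of the course material. The AUTH construction for pre-shared-key authentication is the one in RFC 7296, section 2.15; the prf is assumed to be HMAC-SHA2-256, and `SIGNED_OCTETS` is a constructed placeholder for the real `RealMessage1 | NonceRData | MACedIDForI` bytes. The function names are this example's own.

```python
# Added example (not from the problem set): offline dictionary attack on an IKEv2
# PSK AUTH payload. AUTH = prf(prf(Spre, "Key Pad for IKEv2"), <SignedOctets>) per RFC 7296
# section 2.15; prf is assumed to be HMAC-SHA2-256 and SIGNED_OCTETS is constructed.
import hashlib
import hmac
from typing import Iterable, Optional

KEY_PAD = b"Key Pad for IKEv2"   # fixed ASCII pad string from RFC 7296


def ike_psk_auth(spre: bytes, signed_octets: bytes) -> bytes:
    """AUTH = prf( prf(Spre, "Key Pad for IKEv2"), <InitiatorSignedOctets> )."""
    inner = hmac.new(spre, KEY_PAD, hashlib.sha256).digest()
    return hmac.new(inner, signed_octets, hashlib.sha256).digest()


def dictionary_attack(observed_auth: bytes, signed_octets: bytes,
                      candidates: Iterable[bytes]) -> Optional[bytes]:
    """Return the candidate Spre that reproduces the observed AUTH, or None.

    Needs one AUTH value and the data it protects. An attacker who plays the responder
    for a single (failed) IKE_AUTH exchange has both: it chose N_r, saw message 1, and
    derived SK_pi from its own DH share, so it can decrypt and reconstruct the signed
    octets. Everything after that is offline and needs no further contact with the victim."""
    for cand in candidates:
        if hmac.compare_digest(ike_psk_auth(cand, signed_octets), observed_auth):
            return cand
    return None


def all_8bit_secrets() -> Iterable[bytes]:
    """The entire key space of an 8-bit Spre: 256 candidates, two HMACs each."""
    return (bytes([v]) for v in range(256))


# Constructed stand-in for RealMessage1 | NonceRData | MACedIDForI (not real protocol bytes).
SIGNED_OCTETS = b"IKE_SA_INIT-request|NonceR=" + bytes.fromhex("a1b2c3d4") + b"|MACedIDForI"


if __name__ == "__main__":
    true_spre = b"\x5a"                                   # the victim's 8-bit secret (constructed)
    observed = ike_psk_auth(true_spre, SIGNED_OCTETS)     # what the attacker captured
    print("recovered Spre:", dictionary_attack(observed, SIGNED_OCTETS, all_8bit_secrets()))
```

The only thing standing between the attacker and $S_{pre}$ is the size of the candidate set, which is why RFC 7296 requires the pre-shared key to be a strong random value rather than a user-chosen password; an 8-bit secret falls in 256 guesses, and a dictionary of common passwords falls not much slower.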

Exercise 5∗. Security analysis on TLS:

(a) Assume that the key establishment algorithm is RSA and that client authentication is not conducted, that is, the message CertificateVerify is not sent. Try to identify an attack which hijacks the session by sending an attacker-generated "pre-master secret" to the server, such that the Finished messages can be carried along without being detected by either the client or the server.

(b) Explain why the attack identified in (a) will not gain access to the server if the client must enter a password before any further application data is exchanged.

(c) Try to explain why the key establishment algorithms RSA (key transport) and non-ephemeral DH cannot provide perfect forward secrecy.

Exercise 6. Consider the authentication vectors in AKA in 4G-LTE.

(a) Explain the functionalities of $f_i$, $i = 1, \cdots, 5$, used to generate the authentication vector in AKA, i.e.,

$$AV = (RAND, XRES, CK, IK, AUTN)$$

where

$$XRES = f_2(K, RAND), \quad CK = f_3(K, RAND), \quad IK = f_4(K, RAND), \quad AK = f_5(K, RAND)$$

and

$$AUTN = (SQN \oplus AK) \,\|\, AMF \,\|\, MAC$$

where

$$MAC = f_1(K, RAND, SQN, AMF).$$

(b) Explain the functionality of $SQN \oplus AK$. Which value serves as the masking value?

(c) Explain how UE entity authentication and network entity authentication are conducted.
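The vector generation and the two authentication directions of (a) to (c) as a runnable model, added here as an example and not part of the course material. The 3GPP functions $f_1, \dots, f_5$ are instantiated by the operator (MILENAGE or TUAK); this example substitutes domain-separated, truncated HMAC-SHA256 for them, which is an assumption, and keeps only the 3GPP field lengths (48-bit SQN and AK, 16-bit AMF, 64-bit MAC). All sample values are constructed.

```python
# Added example (not from the problem set): AKA authentication vector and the USIM-side checks.
# f1..f5 are modelled as truncated HMAC-SHA256 with a domain tag; the real functions are
# MILENAGE/TUAK, so this is an assumption. Field lengths follow 3GPP; sample values are constructed.
import hashlib
import hmac
import os

SQN_LEN, AMF_LEN, MAC_LEN, AK_LEN = 6, 2, 8, 6   # 48-bit SQN/AK, 16-bit AMF, 64-bit MAC


def _f(tag: bytes, k: bytes, *parts: bytes, n: int) -> bytes:
    return hmac.new(k, tag + b"".join(parts), hashlib.sha256).digest()[:n]


def f1(k, rand, sqn, amf): return _f(b"f1", k, rand, sqn, amf, n=MAC_LEN)  # MAC: proves the network holds K
def f2(k, rand):           return _f(b"f2", k, rand, n=8)                  # XRES / RES: proves the UE holds K
def f3(k, rand):           return _f(b"f3", k, rand, n=16)                 # CK: cipher key
def f4(k, rand):           return _f(b"f4", k, rand, n=16)                 # IK: integrity key
def f5(k, rand):           return _f(b"f5", k, rand, n=AK_LEN)             # AK: anonymity key, masks SQN


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def generate_av(k: bytes, sqn: bytes, amf: bytes, rand: bytes = b""):
    """HSS/AuC side: AV = (RAND, XRES, CK, IK, AUTN) with AUTN = (SQN xor AK) || AMF || MAC."""
    rand = rand or os.urandom(16)
    ak = f5(k, rand)
    mac = f1(k, rand, sqn, amf)
    autn = xor(sqn, ak) + amf + mac
    return rand, f2(k, rand), f3(k, rand), f4(k, rand), autn


def ue_authenticate(k: bytes, rand: bytes, autn: bytes, sqn_ue: bytes):
    """USIM side. Returns (RES, accepted SQN) on success, or (None, reason) on failure."""
    conc = autn[:SQN_LEN]
    amf = autn[SQN_LEN:SQN_LEN + AMF_LEN]
    mac = autn[SQN_LEN + AMF_LEN:]
    sqn = xor(conc, f5(k, rand))          # AK is the mask: SQN is only visible to a holder of K
    if not hmac.compare_digest(mac, f1(k, rand, sqn, amf)):
        return None, "MAC failure"        # network authentication failed: AUTN not made with K
    if sqn <= sqn_ue:                      # freshness: a replayed or stale vector is rejected
        return None, "synchronisation failure"
    return f2(k, rand), sqn                # RES is returned; the MME compares it with XRES


def network_check(res: bytes, xres: bytes) -> bool:
    """MME side: UE authentication succeeds iff RES == XRES."""
    return hmac.compare_digest(res, xres)


# Constructed sample values (not from any real USIM).
K_SAMPLE = bytes(range(16))
RAND_SAMPLE = bytes.fromhex("00112233445566778899aabbccddeeff")
AMF_SAMPLE = b"\x80\x00"
SQN_SAMPLE = (5).to_bytes(SQN_LEN, "big")


if __name__ == "__main__":
    rand, xres, ck, ik, autn = generate_av(K_SAMPLE, SQN_SAMPLE, AMF_SAMPLE, RAND_SAMPLE)
    res, sqn = ue_authenticate(K_SAMPLE, rand, autn, (4).to_bytes(SQN_LEN, "big"))
    print("network authenticated:", res is not None, " UE authenticated:", network_check(res, xres))
    print("replay of the same AV:", ue_authenticate(K_SAMPLE, rand, autn, sqn))
```

Reading the code against (b) and (c): the masking value is $AK = f_5(K, RAND)$, so the sequence number never travels in the clear; the MAC over $(RAND, SQN, AMF)$ is what the UE checks to authenticate the network, and the SQN comparison is what stops an eavesdropper from replaying an old vector; $RES = f_2(K, RAND)$ sent back and compared with $XRES$ is the network's authentication of the UE.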

Exercise 7. List the security flaws in WEP, and comment on how, if you had been a designer of WEP, you might have argued that the design was secure.


Exercise 8. A forgery attack on GHASH. GHASH is used in GCM in TLS and in GCMP in WiFi, as well as in EIA1 in 4G-LTE. In theory, it has been proved secure under the assumption that a nonce is never reused. As you have seen, in the real world the nonce can be forced to repeat in both 4G-LTE and WiFi. Hence, an attacker is able to forge the authentication tag generated by GHASH. In the following, we assume that a GHASH polynomial is evaluated in the finite field $GF(2^4)$ defined by $t(x) = x^4 + x + 1$, a primitive polynomial, and that $\alpha$ is a root of $t(x)$ in $GF(2^4)$. We give the following two pairs of plaintext and ciphertext:

    plaintext             ciphertext
    M  = 001100101111     C  = 101000111001
    M' = 100000110000     C' = 001011100101

where the rightmost bit is the LSB and each ciphertext is generated by a random cipher.

(a) ∗∗ Let $H = 0101$ in GCMP. Compute $GHASH(C, H)$ and $GHASH(C', H)$. Find a ciphertext which has a valid hash value.

(b) ∗∗ In EIA1, let $P = 1111$, $Q = 0001$ and $OTP = 0011$ (i.e., without truncating). Compute $GHASH(M, P)$ and $GHASH(M', P)$, the GHASH component in EIA1 for the messages $M$ and $M'$.

(c) Provide an argument to show that a forgery for GCMP is successful even though it is computed over the ciphertext.

(d) ∗∗ Show that after the attacker intercepts $\text{MAC-I}(M)$ and $\text{MAC-I}(M')$, he can forge a valid $\text{MAC-I}(M_{new})$ where $M_{new} = 0110 \cdot (M + M') + M$. (Hint: show that $\text{MAC-I}(M_{new}) = \alpha^5\,[\text{MAC-I}(M) + \text{MAC-I}(M')] + \text{MAC-I}(M)$.)

(e) Identify a possible forgery when the attacker has only one MAC, for both GCMP and EIA1.

Note. An example of the format for GHASH:

$$GHASH(M, H) = M_1 H^3 + M_2 H^2 + M_3 H$$

where $M = (M_1, M_2, M_3)$ with $M_1 = 0011$, $M_2 = 0010$, $M_3 = 1111$.
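A worked $GF(2^4)$/GHASH implementation for the computations in (a), (b) and (d), added here as an example; it is not part of the course material. It uses the simplified tag models stated in the exercise (GCMP tag $= GHASH(C, H) \oplus S$ with $S$ the per-nonce mask; EIA1 $\text{MAC-I} = GHASH(M, P) \cdot Q \oplus OTP$ without truncation), not the full 802.11 or 3GPP constructions, and the helper names (`gf16_mul`, `ghash`, `combine`, `forge_tag`, `zero_hash_triple`) and the mask value used in the GCMP check are this example's own.

```python
# Added example (not from the problem set): GHASH over GF(2^4) with t(x) = x^4 + x + 1 and the
# linearity-based forgery once two tags share the same mask (nonce reuse). Tag models are the
# simplified ones from the exercise: GCMP tag = GHASH(C,H) ^ S, EIA1 MAC-I = GHASH(M,P)*Q ^ OTP.

POLY = 0b10011   # t(x) = x^4 + x + 1; bit i of a value is the coefficient of x^i (rightmost bit = LSB)
ALPHA = 0b0010   # alpha = x, a root of t(x)


def gf16_mul(a: int, b: int) -> int:
    """Multiply two GF(2^4) elements given as 4-bit integers (shift-and-add with reduction)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0x10:          # degree 4 reached: subtract (XOR) t(x)
            a ^= POLY
    return r


def gf16_pow(a: int, e: int) -> int:
    r = 1
    for _ in range(e):
        r = gf16_mul(r, a)
    return r


def blocks(bits: str) -> list:
    """Split a bit string into 4-bit blocks, leftmost block first (M1, M2, ...)."""
    return [int(bits[i:i + 4], 2) for i in range(0, len(bits), 4)]


def to_bits(vals) -> str:
    return "".join(f"{v:04b}" for v in vals)


def ghash(msg_bits: str, h: int) -> int:
    """GHASH(M, H) = M1*H^n + M2*H^(n-1) + ... + Mn*H, evaluated in Horner form."""
    acc = 0
    for m in blocks(msg_bits):
        acc = gf16_mul(acc ^ m, h)
    return acc


def gcmp_tag(c_bits: str, h: int, mask: int) -> int:
    """Exercise model of the GCMP tag: GHASH(C, H) XOR S, where S repeats when the nonce repeats."""
    return ghash(c_bits, h) ^ mask


def eia1_mac(m_bits: str, p: int, q: int, otp: int) -> int:
    """Exercise model of EIA1 without truncation: MAC-I = GHASH(M, P) * Q XOR OTP."""
    return gf16_mul(ghash(m_bits, p), q) ^ otp


def combine(a: int, x_bits: str, y_bits: str) -> str:
    """Block-wise a*(X + Y) + X ('+' is XOR): the message the forger submits."""
    return to_bits(gf16_mul(a, x ^ y) ^ x for x, y in zip(blocks(x_bits), blocks(y_bits)))


def forge_tag(a: int, tag_x: int, tag_y: int) -> int:
    """Tag of a*(X+Y)+X from the two intercepted tags alone: a*(T_X + T_Y) + T_X.

    Both tags carry the same mask (S or OTP), so it cancels in T_X + T_Y, and GHASH is
    linear in the message for a fixed key; neither H/P nor the mask is needed."""
    return gf16_mul(a, tag_x ^ tag_y) ^ tag_x


def zero_hash_triple(h: int, d1: int, d2: int) -> str:
    """A 3-block D with GHASH(D, H) = 0, via D3 = D1*H^2 + D2*H (this one needs H).
    C XOR D then hashes to the same value as C, i.e. it carries C's tag unchanged."""
    d3 = gf16_mul(d1, gf16_mul(h, h)) ^ gf16_mul(d2, h)
    return to_bits((d1, d2, d3))


# Values from the exercise
M, C = "001100101111", "101000111001"
M_PRIME, C_PRIME = "100000110000", "001011100101"
H, P, Q, OTP = 0b0101, 0b1111, 0b0001, 0b0011


if __name__ == "__main__":
    print("alpha^5 =", f"{gf16_pow(ALPHA, 5):04b}")          # the multiplier 0110 in part (d)
    print("GHASH(C,H) =", f"{ghash(C, H):04b}", " GHASH(C',H) =", f"{ghash(C_PRIME, H):04b}")
    print("GHASH(M,P) =", f"{ghash(M, P):04b}", " GHASH(M',P) =", f"{ghash(M_PRIME, P):04b}")
    t, t_prime = eia1_mac(M, P, Q, OTP), eia1_mac(M_PRIME, P, Q, OTP)
    m_new = combine(0b0110, M, M_PRIME)
    print("M_new =", m_new, " forged MAC-I =", f"{forge_tag(0b0110, t, t_prime):04b}",
          " genuine MAC-I =", f"{eia1_mac(m_new, P, Q, OTP):04b}")
```

The hint in (d) is the linearity of GHASH made explicit: for a fixed key, $GHASH(a(X + Y) + X) = a\,[GHASH(X) + GHASH(Y)] + GHASH(X)$, and because the two intercepted tags were produced under the same OTP (or the same $S$ in GCMP when the nonce repeats) the mask drops out of $T_X + T_Y$. Here $a = 0110 = \alpha^2 + \alpha = \alpha\cdot\alpha^4 = \alpha^5$, since $\alpha^4 = \alpha + 1$ in this field. The forgery works on the ciphertext in GCMP for the same reason: the tag is a polynomial in the ciphertext blocks, so the receiver accepts the modified ciphertext and decrypts it, which is what (c) asks you to argue. With only one tag, as in (e), the attacker can still append or substitute blocks that hash to zero once $H$ is known, which `zero_hash_triple` illustrates, or trade tag validity for a guess when $H$ is unknown.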


Exercise 9. Assume that a path consists of $n$ nodes, $n > 2$. A piece of data $D$ is transported from node 1 to node $n$.

(a) Assume that each node $i$, $i = 1, 2, \cdots, n$, has a pair of public and private keys $(pk_i, sk_i)$ used for digital signatures, where the public key $pk_i$ is certified by a CA which is trusted by all the other nodes on the path. Can integrity protection and authenticity be applied on the path in both end-to-end and hop-by-hop manners through digital signatures, and how? (Hint: the data $D$ can be protected by more than one signature.)

(b) If a symmetric-key based message authentication code is used instead, what are the conditions on the shared keys among these nodes to achieve both end-to-end and hop-by-hop integrity protection and authenticity?