iy2760-08试卷自己做的答案.pdf

1 a Define what is meant by origin authentication and entity authentication Distinguish between unilateral authentication and mutual authentication 6 marks Origin authentication provides corroboration to an entity that the source of received data is as claimed Entity authentication provides corroboration to one entity that another entity is as claimed Unilateral authentication is defined as entity authentication which provides one entity with assurance of the other s identity but not vice versa and mutual authentication is defined as entity authentication which provides both entities with assurance of each other s identity b Do data integrity and data origin authentication have meaning independently of each other 2 marks No data integrity mechanisms are used to help provide peer entity authentication and data origin authentication services so they are not independent c In the context of authentication protocols give an advantage and disadvantage of each of the following types of non repeating value used to provide freshness checking random numbers unpredictable nonces sequence numbers logical timestamps and clock based time stamps 9 marks Nonces They have the advantage that they require the minimum of stored state information and they also provide linking between the various messages of a protocol They also do not require special clock hardware to be provided They have the disadvantage of typically requiring an additional message to be sent Sequence numbers They have the advantage of requiring one less message than nonce based protocols and they also do not require special clock hardware to be provided However they have the disadvantage od requiring sequence numbers to be set up and maintained for every party which might need to be authenticated They also cannot be used to detect forced delays in messages and do not provide automatic linking between the messages of a protocol Clock based time stamps As with sequence numbers they have the advantage of requiring one less message than nonce based protocols They have the disadvantage that they require the maintenance of synchronised clocks which not only means using a time sychronisation mechanism at reqular intervals but also requires additional hardware namely a clock They also do not provide automatic linking between the messages of a protocol d Suppose parties A and B who share a secret key KAB use the following unilateral authentication mechanism where A t B X means that A sends B the message X e d enotes an encryption operation using the key KAB a nd TA is a time stamp generated by A Identify two possible types of attack other than the use of a weak encipherment algorithm or loss of the secrecy of the key 8 marks Reflection attacks are possible where C can persuade A to generate a message which C can then use to impersonate B back to A This would leave A thinking it was communicating with an authenticated B when in fact A was actually communicating with C The vulnerability of the mechanism described is due to the symmetry of messages travelling in opposite directions This attack is called a reflection attack because of the way A s message is mirrored back to itself Although an individual user might detect this simultaneous use of exactly the same protocol messages even though they are sent in opposite directions in a networked environment where computers might be simultaneously communicating with many other entities it would typically go unnoticed Replays of authentication messages are possible within the window of acceptance of B unless B retains a log of recently received messages If a third party could manipulate the clocks of B then B could be made to accept replays of old authentication messages 2 a Describe how a stream cipher operates Include in your answer a specification of three properties which are required of the sequence generator 8 marks A stream cipher operates in the following way The data to be encrypted the plaintext must be represented as a sequence of bits A Keystream Generator KG must be chosen A KG takes as input a secret key k and outputs a pseudorandom sequence of bits the keystream The KG is a special type of pseudorandom number generator The plaintext is then encrypted by modulo 2 adding the keystream to the plaintext The resulting sequence of bits constitutes the ciphertext Thus for a stream cipher we can write where m0 m1 are the plaintext bits s0 s1 are the keystream bits and c0 c1 are the ciphertext bits and denotes exclusive or of bits This means that for decryption we have decryption is the same as encryption For the stream cipher to be secure the keystream sequence must have the following properties The sequence must have a long period The sequence must be pseudorandom The sequence must have large linear equivalence b Describe how a block cipher operates and describe two modes of operation for a block cipher 17 marks A block cipher operates in the following way The data to be encrypted the plaintext must be in the form of a block of bits m typically 64 or 128 bits long We usually denote the block length by n The plaintext is then encrypted by applying a cipher function e under the control of a secret key k The result is a block of ciphertext c usually of length the same as the plaintext block i e of length n it cannot be less For a block cipher we can therefore write where m is the plaintext block k is the secret key and c is the ciphertext block In addition we must have a decryption function d which satisfies i e if the same key is used decryption reverses encryption The block size n needs to be reasonably large e g n 64 in practice n is typically 64 or 128 to prevent dictionary attacks I e if n is small then a cryptanalyst equipped with some matching plaintext and ciphertext may be able to compile a dictionary listing which plaintext block maps to which ciphertext block under a certain key Any further ciphertext generated using the same secret key can then be decrypted by looking up the block in the dictionary The ECB Electronic Code Book mode is the simplest and most obvious way to use a block cipher The data m to be enciphered is first divided into a series of blocks of n bits The last block may not contain a full set of n bits in which case padding bits must be added e g all zeros The ciphertext blocks are defined as follows where e denotes block cipher encryption The main problem with this method is that if then If the data is derived from natural language e g from 8 bit ASCII then the probability of getting the same 64 bit data string twice in the same message is significant As a result information about the message content may leak through into the ciphertext This should be avoided and hence use of this mode is generally restricted to short heavily formatted messages or other situations where encrypting the same block twice is unlikely to occur As for ECB mode the plaintext of CBC Cipher Block Chaining mode must be made into a series of n bit blocks if necessary with padding added to the last block In addition let SV be a starting variable which is typically different for every message This ensures that two messages which have the same first block and which are encrypted using the same secret key k have different ciphertext blocks Then compute the sequence of ciphertext blocks as follows where denotes bit wise exclusive or of blocks Decipherment operates as follows 3 a Describe how a challenge response user authentication process operates What facilities will the user need in order to use such a system 7 marks A challenge response system requires the user to possess a secret password P and the means to compute a one way function f After requesting access to a system and supplying a user name the host system responds with a random challenge R The user then responds with the result of applying the function f to the combination of the values R and P The system also equipped with the password P performs the same calculation thereby accepting or rejecting the user Typically the user passwords will be stored in a physically secure sub system to prevent unauthorized access to the password list This identification scheme requires the user to have a facility to compute f reasonably quickly and easily b Describe two different biometric identification techniques Indicate their advantages and disadvantages 10 marks Fingerprint recognition This scheme is based on the recognition of certain types of feature The major features are the arch loop and whorl Each finger has at least one major feature The small features or minutiae are even more important For example the positions of ridge ends and ridge bifurcations are very important There will be between 50 and 200 such minor features on every finger Advantages Mature technology Easy to use non intrusive High accuracy comparable to PIN authentication Long term stability Ability to enrol multiple fingers Comparatively low cost Disadvantages Inability to enrol some users Affected by skin condition Sensor may get dirty Association with forensic applications Hand geometry has been used for physical access control over two decades Hand geometry systems use two cameras to capture two different images one from the top and one from the side and determine the dimensions and shape of the hand fingers and knuckles and their relative position A related biometric technique is finger geometry which uses features only from a few fingers as opposed to the entire hand Advantages Mature technology Non intrusive High user acceptance No negative associations Disadvantages Low accuracy High cost Relatively large readers Difficult to use for some users children arthritis missing fingers or large hands c What are meant by Type I and Type I1 errors in an identification system Describe how this relates to threshold setting 8 marks Type I error where the system fails to identify a valid user false non match or false rejection Type II error where the system accepts an impostor false match or false acceptance The value of the acceptance threshold is crucial to the performance of the system and depends on the security requirements of the application If the threshold is relatively high i e it is tough to meet more valid users will be rejected false non match rate will be high but less impostors will be accepted false acceptance rate will be low On the other hand if the threshold is relatively low i e it is easy to meet more impostors will be accepted false match rate will be high but less valid users will be rejected false non match rate will be low There is thus a trade off between these two types of errors that is the threshold setting will depend on the security requirements of the application 4 a Describe what is meant by an access control matrix Include in your description an explanation of why such an approach is rarely used in practice 7 marks In an access control matrix the columns are indexed by objects and the rows are indexed by the subjects The matrix entries are sets of access operations which the subject may perform on the object In the below matrix for two subjects and three objects subject Jason has read and write access to the trash object but subject Mick has no access rights to this object Jason has read write and execute access to the a out object Access control matrix is not suitable for direct implementation for the following reasons The matrix is likely to be extremely sparse and therefore implementation is inefficient Management of the matrix is likely to be extremely difficult if there are tens of thousands of files and hundreds of users resulting in millions of matrix entries b Describe and contrast access control lists and capabilities 8 marks ACLs are typically represented internally as a per object list of access control entries where each entry includes a user account identifier and an access mask Capability lists are associated with the subjects Capabilities can be represented using object identifiers and access masks An ACL is analogous to a membership list for a club The club is the only object and the members appear on the list A capability list is analogous to the set of keys issued to a user The filing cabinets are the objects ACLs are like guards and Capabilities are like locks and keys c Briefly describe two of the most common types of malicious code 4 marks Trojans A Trojan horse is an apparently useful program containing hidden code that when invoked performs some unwanted or harmful function Virus A program that infects other programs by modifying them to include a copy of the virus program which can then go on to infect other programs d Most common types of malicious code have two separate components List them and describe their function 6 marks replication mechanism replicate itself and spread from one computer to another payload the payload is usually activated by some trigger e g the date and can do a wide variety of bad things on the infected system 5 Describe the main security features of one of the following two practical security systems EMV chip and PIN payment cards or web security In the case of EMV your description should cover the payment model cardholder authentication method CAM card verification methods describe the three CVMs and the underlying PKI In the case of web security your description should cover cookie privacy issues web server attacks and the operation of SSLITLS 25 marks EMV uses the pull payment model The general pull model involves the following steps 1 Transfer of payment instrument 2 Submit instrument 3 Clear instrument 4 Transfer funds 5a Receive notification of transfer buyer 5b Receive notification of transfer seller The use of EMV should provide increased security using the following features Card Authentication Method CAM Offline Card Authentication Method CAM which comes in three variants 1 STATIC SDA Card specific data is pre authenticated by the Issuer and stored in the chip card at personalisation time 2 DYNAMIC DDA Authentication is provided by the chip card at transaction time as a function of both card specific data and a challenge data received from the terminal 3 CDA is essentially an enhanced version of DDA the process is very similar The main difference is that the Application Cryptogram AC computed by the ICC as a function of the transaction details see a little later is included in the data signed by the ICC as part of Data Authentication Cardholder Verification Method CVM The EMV supported off line Cardholder Verification Method CVM is PIN verification by the card at the point of sale EMV uses a closed PKI Closed PKIs do not need to conform to general purpose PKI standards such as X 509 since interoperation is not necessary The EMV PKI uses a special certificate format to minimise the size of certificates stored on and exported from smart cards 6 a What is the main difference between a symmetric encryption system and a public key encryption scheme 3 marks In a symmetric scheme the sender and receiver must share a secret key which must be distributed in a way that preserves its secrecy and integrity In a public key scheme the sender must know in a reliable way the public key of the receiver and only the receiver must know his or her private key Public keys can be distributed through public channels although their authenticity must be guaranteed b Describe how the RSA public key cryptosystem operates including how keys are generated how encryption operates and how decryption operates l0marks To get an RSA key pair the user A first picks two large primes p and q e g of 400 bits and puts the public modulus n pq The user A also chooses a private decryption exponent d such that gcd d p 1 q 1 1 where gcd denotes greatest common divisor i e d has no factors in common with p 1 or q 1 The user A then generates the public encryption exponent e as the solution to the equation ed 1 mod p 1 q 1 Note that this is equivalent to saying that ed 1 is a multiple of p 1 q 1 Note also that a solution to such an equation can be found quickly using the extended Euclidean algorithm The user A now makes the pair e n public this is the public encryption key but keeps d p and q private To en