Assignment 5 (COMP
4109: Applied Cryptography)
Last
update:
Due: Wed. March 31 (in class) Alternatively: hand the assignment in at
1.
Table
10.2 (HAC, p.392) gives the time to exhaustively search some password spaces
for specified parameters. CPUs are now much faster than 1995 when the table was
created.
a)
Update
the entire table for the following situation.
Assume password verification uses MD5, with an iteration count t = 1000; assume a processor speed of 3.2GHz, and optimized
MD5 code taking 3.66 cycles/byte of input. (Hint: an MD5 password verification involves
processing the equivalent of 64 bytes of input, due to preprocessing and
padding of shorter inputs to a full block, as given in HAC.)
b)
Separate
from part a) above, now assume the attacker uses 1000
CPUs. Recompute the table row for n=8
under this additional assumption. (Aside: this is like 1 CPU and t=1.)
c)
Why not
use a larger value t, e.g. t = 109, to slow down attacks?
2.
Give a
clear explanation of the following statement
(HAC, p.393, paragraph one):
“Dictionary-style
attacks are not generally successful at finding
[i.e. aren’t guaranteed to efficiently find] a particular user’s password,
but find many passwords in most systems”.
3.
The
SKID3 protocol is outlined on p.402 of the text (HAC). Note the resemblance to the protocol at the
top of p.402. In a real implementation,
assume that in each message, the senders also include a cleartext field asserting their identities (i.e. “B” and
“A”). Suppose this
official protocol description was modified to allow the rB within the
scope of the keyed hash hK in message
(3) to be a random number different from rB in the first two messages,
with this distinct number also sent cleartext in message (3). Explain how the modified protocol
can be “broken” by an active attacker (i.e. when the protocol ends, either A or
B has a false belief about who the other party in the authentication was); and
explain what false belief results.
[Hint: review related attacks on
pp.530-531.]
4.
Explain,
in detail, any relationship between the fraudulent amateur in the grandmaster
postal-chess problem (Remark 10.42, HAC), and the “intruder-in-the-middle”
attacker for Diffie-Hellman key agreement (p.530, HAC).
5.
In STS
(Protocol 12.57, HAC), assume the variation where each party sends the other
its own public key certificate within the protocol. Suppose the protocol
specification is officially modified so that the exponentials are not encrypted (i.e. they are only
signed) in messages (2) and (3).
a)
Since
the exponentials are public information, an active attacker C (Charlie) could
then replace the signed exponential in message (3) by his own signature. What
else must Charlie change for party B’s “normal” execution of the protocol to
“successfully” occur?
b)
What
beliefs would parties A and B have at the end of the protocol exchange?
c)
Would
Charlie be able to determine the resulting shared Diffie-Hellman key k?
d)
Is this
a “real” attack, i.e. an attack we should worry about? Explain. (Hint: assume B is a bank, and this
protocol is used for identification of A, prior to making a bank deposit.)