Computer Security Assignment Writing Service | CS306: Introduction to IT Security (Fall 2020) Homework #2

This assignment covers the encrypted transmission of information and data, and identity authentication.
CS306: Introduction to IT Security (Fall 2020)
Homework #2

Problem 1: Domain-extension MAC implementation (30%)
Given the provided support code in Java, implement a secret-key message authentication code that
employs only a block cipher (and no other cryptographic primitive) to authenticate messages of any
size in a bandwidth-efficient manner. In particular and as specified in the provided instructions:
(1) Implement the mac() and verify() methods.
(2) Demonstrate that they are correct by providing the MAC tag (in hexadecimal) of the specified
default message using the specified default key.
(3) Explain which algorithm you implemented and why.
(4) Explain what the domain-extension features of your algorithm are in relation to its security.
Hint: Does your implementation securely handle messages of fixed size, messages of any
size or messages of any fixed size?
[Figure 1 diagram, "Public-key infrastructure + verification": the source (CA) computes the Merkle-tree digest d of the directory D and signs it, giving certificate C = digest d signed by CA; the server (Mallory) holds D and C and receives updates D', C' (new digest plus signed digest); a user sends a query for Bob's key and receives the answer together with a Merkle-tree proof (the blue hashes), d and certificate C, and asks "is answer correct?".]
Figure 1: The public-key dictionary-as-a-service model for verifying public keys.
Problem 2: Data outsourcing & public-key infrastructure (30%)
(1) To protect the secrecy of course-related communications, CS306 makes use of public-key encryption: Enrolled students and staff members have their public keys registered with a trusted certification authority (CA), e.g., Symantec; that is, each CS306 person with Stevens UID $i$ and name $n_i$ has a public key pair $(sk_i, pk_i)$. For efficiency reasons, the CA makes the directory $D = \{(i, n_i, pk_i) \mid i \in \mathrm{CS306}\}$ of all such public keys available (for people to query) through a Stevens online service that is administered by Mallory. Specifically (see also Figure 1):
• The CA provides Mallory with the public-key directory D along with a special certificate C
that is the Merkle-tree digest of the directory signed by the CA.
• To send a confidential message to Bob, Alice asks Mallory for his public key—even if Alice
had recently learned his public key via a previous query to Mallory, since public-key pairs
can be occasionally refreshed or revoked.
• Along with Bob's public-key record $(i_B, \mathrm{Bob}, pk_B)$ in $D$, Mallory also returns to Alice the
certificate $C$ and a Merkle-tree proof corresponding to Bob's record.
• After any change in the class enrollment (e.g., a student drops it or enrolls in it with delay) or
any key pair is refreshed, the CA provides Mallory with the new (that is, updated) directory
$D'$ and the new (that is, corresponding to $D'$) certificate $C'$.
Suppose that Eve manages to secretly get access to Bob's laptop and successfully steal its secret
key $sk_B$. When Bob becomes suspicious of this, he registers a new public-key pair with the CA.
How can Eve collaborate with Mallory in order to decrypt all subsequent messages sent to Bob?
What is the name of this attack type?
[Figure 2 slide, "Honeywords & split-server password authentication". Use decoy passwords and hide the association to real passwords: the red server stores k passwords for each user, one real and the rest fake; the blue server stores the indices of users' real passwords. Split verification of a candidate password P: the red server checks only P's inclusion in the user's set; the blue server confirms P's correctness. Diagram with k = 3: the Access Control Module sends the candidate password P to the RED SERVER (rows U1: p11, p12, p13; U2: p21, p22, p23; U3: p31, p32, p33), which returns hit/miss and the index; the module then sends (user, index) to the BLUE SERVER (rows U1: 2; U2: 1; U3: 1), which returns match/mismatch, and the module answers accept/reject.]
Figure 2: Hardening password security by employing decoy passwords in a split-server architecture.
(2) Describe how the use of periodically timestamped signatures (i.e., signatures on a timestamped
message) can be employed by the CA to provide a solution to the above attack. You can assume
that no public key will be updated twice within the same day, and thus consider a 1-day period.
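As an added illustration of the dictionary-as-a-service model above (not part of the assignment or its support code), the check Alice can run on Mallory's answer when the CA's certificate covers a dated digest: the Merkle-tree proof must reach the signed digest and the date must be today, so a certificate issued before Bob's key refresh no longer verifies. The directory records and dates are constructed, and an HMAC under a constructed key stands in for the CA's signature (an assumption made to keep the example self-contained).

```python
import hashlib
import hmac

# Constructed example; an HMAC under this key stands in for the CA's signature (assumption).
CA_KEY = b"constructed-ca-signing-key"

def h(*parts):
    return hashlib.sha256(b"|".join(parts)).digest()
def record_leaf(rec):  # rec = (UID i, name n_i, public key pk_i)
    i, name, pk = rec
    return h(b"leaf", str(i).encode(), name.encode(), pk.encode())

def _pad(level):  # an odd last node is paired with itself
    return level + [level[-1]] if len(level) % 2 else level

def merkle_digest(leaves):
    level = list(leaves)
    while len(level) > 1:
        level = _pad(level)
        level = [h(level[j], level[j + 1]) for j in range(0, len(level), 2)]
    return level[0]

def build_proof(leaves, idx):  # sibling hashes from leaf idx up to the root
    proof, level = [], list(leaves)
    while len(level) > 1:
        level, sib = _pad(level), idx ^ 1
        proof.append((level[sib], "L" if sib < idx else "R"))
        level = [h(level[j], level[j + 1]) for j in range(0, len(level), 2)]
        idx //= 2
    return proof

def root_from_proof(leaf, proof):
    for sib, side in proof:
        leaf = h(sib, leaf) if side == "L" else h(leaf, sib)
    return leaf

def ca_certify(directory, day):  # certificate C: dated digest d plus CA signature
    d = merkle_digest(record_leaf(r) for r in directory)
    sig = hmac.new(CA_KEY, d + day.encode(), "sha256").digest()
    return {"digest": d, "day": day, "sig": sig}

def verify_answer(rec, proof, cert, today):
    # Alice's check: CA signature covers (digest, day), the day is today, and the
    # proof takes the record to that digest; a pre-refresh certificate fails step 2.
    msg = cert["digest"] + cert["day"].encode()
    if not hmac.compare_digest(hmac.new(CA_KEY, msg, "sha256").digest(), cert["sig"]):
        return False
    if cert["day"] != today:
        return False
    return root_from_proof(record_leaf(rec), proof) == cert["digest"]
```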