
Cybersecurity Exercise Guide

This document provides an outline of possible answers for a review exercise set on cyber security. It includes 6 questions related to access control matrices, cryptographic protocols, denial of service attacks, block ciphers, digital signatures, and RSA encryption. For each question, it lists the key parts of a suggested answer.

Uploaded by

SiuYau Leung

COMP7906A Introduction to Cyber Security

Review Exercise Set 5 (Suggested Outline)

Please note that:

- The following only provides an outline of possible answers. You need to add
  proper explanations or examples whenever appropriate.
- There may be more than one possible answer for some of the questions.

1. Consider a system with four users and four files. Each of them is assigned to one
of the following security labels: Top Secret (“TS”), Confidential (“C”), Restricted
(“R”), and Public (“P”). They are ordered as follows: TS > C > R > P. The
assignment is given by the following table

Security Label   User   Files
TS               U4     F4
C                U3     F3
R                U2     F2
P                U1     F1

Table 4.1

Suppose that the system’s read and write operations are as defined in class.

(a) Let the security labels in table 4.1 represent security clearances for users and
classifications for files. What is the access control matrix if the
Bell-LaPadula Model is adopted?
(b) Let the security labels in table 4.1 represent the integrity levels for both the
users and files. What is the access control matrix if the Biba Model is
adopted?

Suggested Answer: (a)

      F1            F2            F3            F4
U1    read, write   -             -             -
U2    read          read, write   -             -
U3    read          read          read, write   -
U4    read          read          read          read, write

(b)

      F1            F2            F3            F4
U1    read, write   read          read          read
U2    -             read, write   read          read
U3    -             -             read, write   read
U4    -             -             -             read, write

2. Consider the following protocol which allows users A and B to generate session
keys:
1. A → B: A || NA
2. B → A: NB || MACKAB[B || NA || NB] ⊕ KS
Where Nx is a nonce generated by user X and KXY is a secret key shared by X and
Y.

(a) Explain how A can compute the session key.
(b) Explain why at the completion of a run of the protocol both A and B believe
that the session key is fresh.
(c) If we omit the nonce in step 2 of the above protocol; that is the protocol is
simplified to:

1. A → B: A || NA
2. B → A: MACKAB[B || NA] ⊕ KS

Show that this simplified version is not secure by describing an attack.

Suggested Answer:
(a) A concatenates the identity of B, the nonce A sent to B in step 1, and the
received nonce generated by B, then computes the MAC of the result using KAB.
A then XORs this MAC with the second component of the received message.
(b) A believes the key is fresh based on the nonce A generates. B believes it is
fresh as the key is generated by B before sending out to A in step 2.
(c) Suppose an attacker captures the run of an old session together with the
corresponding session key. Then the attacker can perform an XOR of the
captured session key and the message in step 2 of the old run to obtain
MACKAB[B || NA], where NA is the nonce generated by A for the old run. Now
the attacker can initiate a run of the protocol pretending to be A and send NA
to B. The attacker can then compute the new session key by XORing the message
received from B with MACKAB[B || NA].
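
Answers (a) and (c) carried through in code, as an added example that is not part of the original answer sheet. It assumes HMAC-SHA256 as the MAC, a length-prefixed encoding for "||", and 32-byte session keys; all function names and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

K_AB = secrets.token_bytes(32)   # long-term key shared by A and B (constructed)

def mac(key, *fields):
    # Toy encoding of "x || y": length-prefix each field, then HMAC-SHA256.
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def b_respond(n_a, with_nb):
    """Step 2 as run by B. Returns (N_B, MAC xor K_S, K_S chosen by B)."""
    k_s = secrets.token_bytes(32)
    n_b = secrets.token_bytes(16) if with_nb else b""
    fields = (b"B", n_a, n_b) if with_nb else (b"B", n_a)
    return n_b, xor(mac(K_AB, *fields), k_s), k_s

def a_derive(n_a, n_b, masked, with_nb):
    """Answer (a): A recomputes the MAC and XORs it off the second component."""
    fields = (b"B", n_a, n_b) if with_nb else (b"B", n_a)
    return xor(mac(K_AB, *fields), masked)

def replay_recovers_key(with_nb):
    """Answer (c): does replaying an old N_A reveal B's new session key?"""
    n_a = secrets.token_bytes(16)
    # Old run whose session key later leaked, together with its step-2 message.
    _, old_masked, old_k_s = b_respond(n_a, with_nb)
    pad = xor(old_masked, old_k_s)          # MAC value used in the old run
    # New run: the same N_A is replayed in step 1, B answers with a new K_S.
    _, new_masked, new_k_s = b_respond(n_a, with_nb)
    return xor(pad, new_masked) == new_k_s

if __name__ == "__main__":
    print("simplified protocol, key recovered:", replay_recovers_key(False))
    print("original protocol, key recovered:  ", replay_recovers_key(True))
```

With NB in the MAC input, the value masking KS changes on every run even when NA repeats, so the mask learned from the old run no longer fits.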

3. Explain which of the following protocols is more vulnerable to the Denial of
Service attack.
Protocol 1: In this protocol, KpubA denotes the public key of user A. The
objective of the protocol is to establish a session key KAS between A and S.
1. A → S: IDA || NA
2. S → A: EKpubA(NA || NS || KAS)
3. A → S: EKAS(NS)

Protocol 2: In this protocol, KpubS and KpriS denote the public key and private key
of user S. The objective of the protocol is to establish a session key KAS between
A and S.
1. A → S: EKpubS(IDA || NA || KAS || Sign KpriS(IDA || NA || KAS))
2. S → A: EKAS(NA)

Suggested Outline: The basic principle is that if the server has to do much more
work than the requesting client, then there is a possibility of a DoS attack by
sending a large number of requests to the server. Therefore, the basic design
principle is to make the requesting client do the hard work before the server.
Based on this, protocol 1 is more vulnerable than protocol 2 to DoS attack since
in protocol 1, the server has to perform cryptographic operations (how many?)
before the requesting client. For protocol 2, the requesting client has to perform
the cryptographic operations (how many?) before the server.

4. Consider the following n-bit (where n is even) block cipher with n-bit keys
consisting of 2 rounds of a Feistel based scheme shown in Figure 1 below

Figure 1

where and are the left and right halves of the plaintext; and are the
left and right halves of the ciphertext. That is they are -bit strings such that
plaintext = || and ciphertext = || . The round functions are defined as
follows. For i = 1, 2, let and be the left and right halves of the secret key.
Then

(a) Describe the decryption process.
(b) Express and in terms of , , , and .
(c) Show that this cipher is not secure.

Suggested Answer:
(a) Decryption can be performed by using the encryption process by swapping
F1 and F2. (Details should be provided to obtain credits).
(b) and (students need to show their work
on these).
(c) This system is vulnerable to known plaintext attack. In particular, if we
know a plaintext-ciphertext pair tt and tt . Then from (b) we can
compute k1 and k2 as follows: First, compute k1 as and
then compute k1 as .

5. Consider the following signature scheme: The key generation process is described
below
Step 1: Generate two random large primes p and q. Then compute n = pq.
Step 2: Choose an element g in of prime order r.
Step 3: Take (n, g) as the public key and r as the private key.
Step 4: Securely destroy p and q.
Let h be a pre-agreed hash function. To sign a message m, a user with private
key and public key r and (n, g) respectively first computes x such that x·h(m) = 1
mod r. Then the corresponding signature is given by s = g^x mod n.
(a) Explain the signature verification process.
(b) Show that
(i) r divides either p – 1 or q – 1 (or both).
(ii) one can factor n by using the public key if r is not a divisor of p – 1.

Suggested Answer:
(a) Since we have for some integer k,
th th t
h h h
t h h h
So signature verification can be performed by checking
th
h .
(b) (i) r is the order of g so r divides φ(n) = (p – 1)(q – 1). Since r is a prime,
it divides either p – 1 or q – 1 (or both).
(ii) Since g^r mod n = 1, we have g^r mod p = 1. Let ord_p(g) be the order of g
as an element in . Then we have r = t*ord_p(g) + r’ for some
non-negative integers t and r’ such that r’ < ord_p(g). Furthermore,
g^(t*ord_p(g) + r’) mod p = g^r mod p = 1 implies g^r’ mod p = 1.
But r’ < ord_p(g), so we must have r’ = 0. Therefore, ord_p(g) | r. This, together
with the fact that r is a prime, lets us conclude that ord_p(g) must be 1, for
otherwise we would have ord_p(g) = r, but this is a contradiction since ord_p(g)
| (p – 1) but r does not divide p – 1. Thus, we have g mod p = 1 and we can
compute p by computing gcd(g – 1, p). This means we can factor n.
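
The scheme of question 5 and the observation in (b)(ii), as an added example that is not part of the original answer sheet. The parameters are constructed toy values (Mersenne primes, r = 331), SHA-256 stands in for h, the verification check s^h(m) mod n = g is derived here from x·h(m) = 1 mod r, and the gcd is taken against the public modulus n.

```python
import hashlib
from math import gcd

R = 331                  # prime order of g, kept as the private key
Q = 2**31 - 1            # prime; R divides Q - 1
P_WEAK = 2**13 - 1       # prime; R does NOT divide P_WEAK - 1
P_SOUND = 2**61 - 1      # prime; R divides P_SOUND - 1

def element_of_order(r, prime):
    """Element of order r mod prime, or 1 when r does not divide prime - 1."""
    if (prime - 1) % r:
        return 1         # the only residue whose order divides r
    for base in range(2, prime):
        cand = pow(base, (prime - 1) // r, prime)
        if cand != 1:
            return cand

def keygen(p, q, r=R):
    """Public key (n, g): CRT-combine the residues of g mod p and mod q."""
    gp, gq = element_of_order(r, p), element_of_order(r, q)
    g = gp + p * ((gq - gp) * pow(p, -1, q) % q)
    return p * q, g

def h(m):
    return int.from_bytes(hashlib.sha256(m).digest(), "big")

def sign(m, pub, r=R):
    n, g = pub
    x = pow(h(m), -1, r)           # x*h(m) = 1 mod r; ValueError if r | h(m)
    return pow(g, x, n)

def verify(m, s, pub):
    n, g = pub
    return pow(s, h(m), n) == g    # s^h(m) = g^(1 + k*r) = g mod n

def factor_from_public(pub):
    """Part (b)(ii): g = 1 mod p makes gcd(g - 1, n) a prime factor of n."""
    n, g = pub
    return gcd(g - 1, n)

if __name__ == "__main__":
    print(factor_from_public(keygen(P_WEAK, Q)))    # a prime factor of n
    print(factor_from_public(keygen(P_SOUND, Q)))   # 1: nothing leaks
```

Signatures verify under both keys, so the weakness is invisible to normal use; the gcd check on a received public key is what reveals it.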

6. (a) In the RSA key generation process, can the public exponent be chosen
to be even? Explain your answer.
(b) John wants to send an encrypted message to Patrick who has a pair of RSA
keys. However, John does not know Patrick’s public key and so John sends
an email to Patrick to ask for the key. Patrick’s email reply is intercepted by
Charles who replaces Patrick’s public key {e, n} with {e’, n} where e’ is
obtained by changing one bit in e from 0 to 1. Now John encrypts a message
m to Patrick by using {e’, n}. As Patrick cannot decrypt the message, he
resends his public key to John and asks John to send the encrypted message to
him again. Charles does not interrupt this time. However, Charles
eavesdrops the whole communication and obtains both encrypted messages
(one encrypted by {e’, n} and one by {e, n}). Explain how Charles can
recover the message m.

Suggested Answer: (a) No. This is because if n is the modulus then n = pq for
some large primes p and q. As a result, φ(n) = (p – 1)(q – 1) is even. Since the
gcd of the public exponent and φ(n) must be 1, the public exponent cannot be
even.
(b) Note that in this case, e’ = e + 2^j for some non-negative integer j and e must be
odd (from (a)). Hence, any non-trivial divisor of e must be odd and cannot be a
divisor of e’. In other words, gcd(e, e’) = 1 and there exist integers s and t such
that se + te’ = 1. The message m can be recovered by computing
(m^e’ mod n)^t (m^e mod n)^s
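
The computation in answer 6(b) on constructed numbers, as an added example that is not part of the original answer sheet. The modulus (a product of two Mersenne primes), the exponent 65537, the flipped bit position and the message are all assumptions chosen for illustration, and the encryption is unpadded RSA as in the question.

```python
P, Q = 2**31 - 1, 2**61 - 1     # constructed toy primes
N = P * Q                       # Patrick's modulus n
E = 65537                       # Patrick's real public exponent e

def flip_zero_bit(e, j):
    """e' = e + 2^j, defined only when bit j of e is currently 0."""
    if (e >> j) & 1:
        raise ValueError("bit j of e is already 1")
    return e + (1 << j)

def egcd(a, b):
    """Return (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return a, s0, t0

def recover_plaintext(c_e, c_e2, e, e2, n):
    """Compute (m^e)^s * (m^e')^t mod n = m^(s*e + t*e') = m."""
    g, s, t = egcd(e, e2)
    if g != 1:
        raise ValueError("exponents are not coprime")
    # One of s, t is negative: pow() then uses the modular inverse of the
    # ciphertext (Python 3.8+), which exists when gcd(ciphertext, n) = 1.
    return pow(c_e, s, n) * pow(c_e2, t, n) % n

def demo(message=b"meet at 9", j=1):
    m = int.from_bytes(message, "big")
    assert m < N
    e2 = flip_zero_bit(E, j)
    c_e2 = pow(m, e2, N)        # first ciphertext, under the altered {e', n}
    c_e = pow(m, E, N)          # second ciphertext, under the real {e, n}
    rec = recover_plaintext(c_e, c_e2, E, e2, N)
    return rec.to_bytes((rec.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    print(demo())
```

The recovery depends on both ciphertexts encrypting the identical integer m; randomized padding such as OAEP makes the two encoded values differ, and delivering the public key over an authenticated channel prevents the substitution in the first place.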
