CS 450/650 Fundamentals of Integrated Computer Securit

Spring 2010

Homework 2 : Cryptographic Systems and Program Security

Due on Friday, Mar 12 at 12:00 pm

1 : You are designing a multi-user OS. In your OS, users log into their respective accounts using passwords. It is dangerous to store user passwords in a file on the computer, because someone who obtains the file gets access to all passwords. As a solution, you decide to store the username and corresponding password's hash value in the file called hpasswd. Assume that you use an idealized, perfectly random hash function h(x), i.e h is selected uniformly at random from all functions mapping {0, 1}^* to {0, 1}^k. As always, h is publicly known. When a user logs in with password p, the OS grants access to the user if and only if h(p) matches the entry for that user in hpasswd. Assume k = 20 in your OS. There are some weaknesses in this mechanism of your OS. A collision in the password hash of 2 users, allow them to log in as each other.

a ) Suppose an attacker (a normal user) wishes to log in as the system adminis- trator (the superuser) by trying random passwords (without repeating a guess he has already tried). What is the minimum number of password guesses that the attacker has to try to have a success probability greater than 0.6%.

b )You want to limit is the probability of user password collisions, to below 20% in your design. That is, the probability of any two users' password hashes matching should be below 20%. What is the maximum number of users n you should allow in your OS?

2 : Suppose Alice has to sign a contract with Mallory using an RSA signature where, the signature is computed by s = (h(m))^d mod N (d is Alice's private key). Assume that the hash function is an idealized, perfectly random hash function h(x), i.e h is selected uniformly at random from all functions mapping {0, 1}^* to {0, 1}^k, and h is publicly known. Mallory has managed to find 40 distinct places where he can make a slight change in the contract: adding a space at the end of line, adding a comma, replacing with equivalent words (like replacing "agreed to pay" with "is obliged to pay"), etc. Surely, Alice does not object any such minor change in the contract and is willing to sign a contract with any of these minor changes.

a ) How many possible versions of the contract can Mallory generate that Alice would be willing to sign?

b ) Mallory creates a fraudulent contract reflecting a substantial increase in amount that Alice owes to Mallory. He computes the hash of the fraudulent contract as h(f) and finds a version of the good contract that hashes to the same value h(f). What is a minimum safe output size for the hash function (i.e k =?) to make these collisions unlikely? (An approximate answer with appropriate reasoning is acceptable. You need not show any calculations to get 'k'.)

c ) What can Mallory do by finding such a collision, to force Alice to pay an increased amount in court?

3 : Recall from class that in an RSA signature scheme, the signature is computed by s = (h(m))^d mod N, where d is the private key. Consider an naive revised scheme where the signature is computed as s' = m^d mod N instead. Show that it is possible to forge signatures for some messages in the latter (revised) scheme.

The following problems are from the text book (Pfleeger, 4th edition):

Chapter 2:

33 : Why do cryptologists recommend changing the encryption key from time to time? How frequently should a cryptographic key be changed?

34 : Humans are said to be the weakest link in any security system. Give an example of human failure that could lead to compromise of encrypted data.

Chapter 3:

4 : Could a computer program be used to automate testing for trapdoors? That is, could you design a computer program that, given the source or object version of another program and a suitable description, would reply Yes or No to show whether the program had any trapdoors? Explain your answer.

5 : A program is written to compute the sum of the integers from 1 to 10. The programmer, well trained in reusability and maintainability, writes the program so that it computes the sum of the numbers from k to n. However, a team of security specialists scrutinizes the code. The team certifies that this program properly sets k to 1 and n to 10; therefore, the program is certified as being properly restricted in that it always operates on precisely the range 1 to 10. List different ways that this program can be sabotaged so that during execution it computes a different sum, such as 3 to 20.

6 : One means of limiting the effect of an untrusted program is confinement: controlling what processes have access to the untrusted program and what access the program has to other processes and data. Explain how confinement would apply to the earlier example of the program that computes the sum of the integers 1 to 10.

What to turn in: A softcopy of your solutions (could be a scanned version of the hard copy of the solutions) to be uploaded to WebCT.