DIGITAL SIGNATURES AND AUTHENTICATION PROTOCOLS
13.6 1. The validity of the scheme depends on the security of the sender's private key. If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature. 2. Another threat is that some private key might actually be stolen from X at time T. The opponent can then send a message signed with X's signature and stamped with a time before or equal to T.
13.7 Simple replay: The opponent simply copies a message and replays it later. Repetition that can be logged: An opponent can replay a timestamped message within the valid time window. Repetition that cannot be detected: This situation could arise because the original message could have been suppressed and thus did not arrive at its destination; only the replay message arrives. Backward replay without modification: This is a replay back to the message sender. This attack is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content.
13.8 1. Attach a sequence number to each message used in an authentication exchange. A new message is accepted only if its sequence number is in the proper order. 2. Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time. This approach requires that clocks among the various participants be synchronized. 3. Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.
13.9 When a sender's clock is ahead of the intended recipient's clock, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient's site. This replay could cause unexpected results.
ANSWERS TO PROBLEMS
13.1 There are several possible ways to respond to this problem. If public-key encryption is allowed, then of course an arbiter is not needed; A can send message plus signature directly to B. If we constrain the answer to conventional encryption, then the following scenario is possible:
(1) X → A: M || E(Kxa, [IDx || H(M)])
(2) A → Y: M || E(Kay, [IDx || H(M)])
A can decrypt M || E(Kay, [IDx || H(M)]) to determine if M was sent by X.
13.2 The use of a hash function avoids the need for triple encryption.
13.3 X and A, wanting to commit fraud, could disclose PRx and PRa, respectively, and claim that these were lost or stolen. The possibility of both private keys becoming public through accident or theft is so unlikely, however, that the sender and arbitrator's claims would have very little credibility.
13.4 It is not so much a protection against an attack as a protection against error. Since Na is not unique across the network, it is possible for B to mistakenly send message 6 to some other party that would accept Na.
13.5
(1) A → B: IDA || Na
(2) B → KDC: IDA || IDB || Na || Nb
(3) KDC → B: E(PRauth, [IDA || PUa]) || E(PUb, E(PRauth, [Na || Nb || Ks || IDA || IDB]))
(4) B → A: E(PUa, E(PRauth, [Na || Nb || Ks || IDA || IDB]))
(5) A → B: E(Ks, Nb)
13.6 a. An unintentionally postdated message (message with a clock time that is in the future with respect to the recipient's clock) that requests a key is sent by a client. An adversary blocks this request message from reaching the KDC. The client gets no response and thinks that an omission or performance failure has occurred. Later, when the client is off-line, the adversary replays the suppressed message from the same workstation (with the same network address) and establishes a secure connection in the client's name.
b. An unintentionally postdated message that requests a stock purchase could be suppressed and replayed later, resulting in a stock purchase when the stock price had already changed significantly.
13.7 All three really serve the same purpose. The difference is in the vulnerability. In Usage 1, an attacker could breach security by inflating Na and withholding an answer from B for a future replay attack, a form of suppress-replay attack. The attacker could attempt to predict a plausible reply in Usage 2, but this will not succeed if the nonces are random. In both Usage 1 and 2, the messages work in either direction. That is, if N is sent in either direction, the response is E[K, N]. In Usage 3, the message is encrypted in both directions; the purpose of function f is to assure that messages 1 and 2 are not identical. Thus, Usage 3 is more secure.
13.8 Instead of two keys e and d we will have THREE keys u, v, and w. They must be selected in such a way that $uvw = 1 \bmod \varphi(N)$. (This can be done e.g. by selecting u and v randomly (but they have to be prime to $\varphi(N)$) and then choosing w such that the equation holds.) The key w is made public, while u and v become the first and the second signatory's key respectively. Now the first signatory signs document M by computing $S_1 = M^u \bmod N$. The second signatory can verify the signature with the help of his key v and publicly known w, because $S_1^{vw} \bmod N$ has to be M. He then 'adds' his signature by computing $S_2 = S_1^v \bmod N$ (that is $S_2 = M^{uv} \bmod N$). Anyone can now verify that $S_2$ is really the double signature of M (i.e. that M was signed by both signatories) because $S_2^w \bmod N$ is equal to M only if $S_2 = M^{uv} \bmod N$.
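The three-key double signature of 13.8, worked through with constructed textbook-size primes (this is an added example, not code from the solutions manual; the primes p = 61, q = 53 and exponents u = 17, v = 7 are chosen here and are far too small for real use):

```python
# Added example (not from the solutions manual): the three-key RSA double
# signature of 13.8, run with constructed small primes. Insecure toy sizes.
from math import gcd

def make_keys(p, q, u, v):
    """Given primes p, q and signer exponents u, v, derive the public w with
    u*v*w ≡ 1 (mod φ(N)). u and v must be prime to φ(N)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(u, phi) != 1 or gcd(v, phi) != 1:
        raise ValueError("u and v must be coprime to φ(N)")
    w = pow((u * v) % phi, -1, phi)   # modular inverse (Python 3.8+)
    return n, w

def sign_first(m, u, n):
    return pow(m, u, n)               # S1 = M^u mod N

def check_first(s1, v, w, n):
    return pow(s1, v * w, n)          # S1^(vw) mod N, must equal M

def sign_second(s1, v, n):
    return pow(s1, v, n)              # S2 = S1^v = M^(uv) mod N

def open_double(s2, w, n):
    return pow(s2, w, n)              # S2^w mod N equals M only if both signed

if __name__ == "__main__":
    n, w = make_keys(61, 53, 17, 7)   # constructed: N = 3233, φ(N) = 3120
    m = 65
    s1 = sign_first(m, 17, n)
    assert check_first(s1, 7, w, n) == m   # second signer checks the first
    s2 = sign_second(s1, 7, n)
    print("N =", n, "w =", w, "S1 =", s1, "S2 =", s2,
          "S2^w mod N =", open_double(s2, w, n))
```

The last two assertions in the test show that a tampered S2, or an S2 produced by the second signer alone, does not open to M.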
13.9 A user who produces a signature with s = 0 is inadvertently revealing his or her private key x via the relationship:
$$s = 0 = k^{-1}[H(m) + xr] \bmod q$$
$$x = \frac{-H(m)}{r} \bmod q$$
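The s = 0 case above, shown on a toy DSA instance (added example, not from the solutions manual; the parameters p = 23, q = 11, g = 4, the private key x = 3 and the integer "hash" values are all constructed and insecure). It also shows the check a signer must apply: reject any k that yields r = 0 or s = 0 and pick a fresh k.

```python
# Added example (not from the solutions manual): toy DSA illustrating why a
# signer must never emit s = 0. Constructed parameters: q | p-1, G has order Q.
P, Q, G = 23, 11, 4

def modinv(a, m):
    return pow(a, -1, m)   # Python 3.8+

def sign(h, x, k):
    """DSA signing with per-message secret k; h is H(m) already reduced mod Q."""
    r = pow(G, k, P) % Q
    s = (modinv(k, Q) * (h + x * r)) % Q
    return r, s

def verify(h, y, r, s):
    """Standard DSA verification; rejects out-of-range r or s outright."""
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = modinv(s, Q)
    u1, u2 = (h * w) % Q, (r * w) % Q
    v = ((pow(G, u1, P) * pow(y, u2, P)) % P) % Q
    return v == r

def recover_x_from_zero_s(h, r):
    """If s == 0 then H(m) + x*r ≡ 0 (mod q), hence x = -H(m) * r^{-1} mod q."""
    return (-h * modinv(r, Q)) % Q

def sign_checked(h, x, k_candidates):
    """Signer-side mitigation: skip any k that gives r == 0 or s == 0."""
    for k in k_candidates:
        r, s = sign(h, x, k)
        if r != 0 and s != 0:
            return r, s
    raise RuntimeError("no usable k among the candidates")

if __name__ == "__main__":
    x, y = 3, pow(G, 3, P)            # constructed private key and public key
    r, s = sign(5, x, 6)              # with h = 5 and k = 6 this yields s = 0
    print("r, s =", r, s, "recovered x =", recover_x_from_zero_s(5, r))
    print("checked signature:", sign_checked(5, x, [6, 9, 1]))
```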
13.10 A user's private key is compromised if k is discovered.
13.11 a. Note that at the start of step 4, $z = b^{2^j m} \bmod w$. The idea underlying this algorithm is that if $(b^m \bmod w) \neq 1$ and $w = 1 + 2^a m$ is prime, the sequence of values
$$b^m \bmod w,\quad b^{2m} \bmod w,\quad b^{4m} \bmod w,\ \ldots$$
will end with 1, and the value just preceding the first appearance of 1 will be w – 1. Why? Because, if w is prime, then if we have $z^2 \bmod w = 1$, then we have $z^2 \equiv 1 \pmod w$. And if that is true, then z = (w – 1) or z = (w + 1). We cannot have z = (w + 1), because on the preceding step, z was calculated mod w, so we must have z = (w – 1). On the other hand, if we reach a point where z = 1, and z was not equal to (w – 1) on the preceding step, then we know that w is not prime.
b. This algorithm is a simplified version of the Miller-Rabin algorithm. In both cases, a test variable is repeatedly squared and computed modulo the possible prime, and the possible prime fails if a value of 1 is encountered.
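The squaring sequence described in part a, computed in full so the "1 preceded by w – 1" property can be seen (added example, not the manual's code; the inputs 97, 91 and 561 with base b = 2 are constructed):

```python
# Added example (not from the solutions manual): the sequence
# b^m, b^{2m}, b^{4m}, ..., b^{2^a m} mod w from 13.11, and the verdict it implies.
def split_w_minus_1(w):
    """Write w - 1 = 2^a * m with m odd; return (a, m)."""
    a, m = 0, w - 1
    while m % 2 == 0:
        a += 1
        m //= 2
    return a, m

def squaring_sequence(w, b):
    """seq[j] == b^(2^j * m) mod w for j = 0..a; seq[-1] is b^(w-1) mod w."""
    a, m = split_w_minus_1(w)
    seq = [pow(b, m, w)]
    for _ in range(a):
        seq.append((seq[-1] * seq[-1]) % w)
    return seq

def classify(w, b):
    """'probably prime' if the first 1 is at the start or is preceded by w - 1;
    'composite' if 1 never appears (Fermat failure) or is preceded by a
    nontrivial square root of 1, which cannot exist modulo a prime."""
    seq = squaring_sequence(w, b)
    if 1 not in seq:
        return "composite"
    first = seq.index(1)
    if first == 0 or seq[first - 1] == w - 1:
        return "probably prime"
    return "composite"

if __name__ == "__main__":
    for w in (97, 91, 561):   # prime, composite, Carmichael number (constructed)
        print(w, squaring_sequence(w, 2), classify(w, 2))
```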
13.12 The signer must be careful to generate the values of k in an unpredictable manner, so that the scheme is not compromised.
13.13 a. If Algorithm 1 returns the value g, then we see that $g^q = 1 \pmod p$. Thus, ord(g) divides q. Because q is prime, this implies that ord(g) ∈ {1, q}. However, because g ≠ 1, we have that ord(g) ≠ 1, and so it must be that ord(g) = q.
b. If Algorithm 2 returns the value g, then we see that
$$g^q \equiv \left(h^{(p-1)/q}\right)^q \equiv h^{p-1} \equiv 1 \pmod p.$$
Thus, ord(g) divides q. Because q is prime, this implies that ord(g) ∈ {1, q}. However, because g ≠ 1, we have that ord(g) ≠ 1, and so it must be that ord(g) = q.
c. Algorithm 1 works by choosing elements of $Z_p$ until it finds one of order q. Since q divides p – 1, $Z_p$ contains exactly φ(q) = q – 1 elements of order q. Thus, the probability that $g \in Z_p$ has order q is (q – 1)/(p – 1). When p = 40193 and q = 157 this probability is 156/40192. So, we expect Algorithm 1 to make 40192/156 ≈ 258 loop iterations.
d. No. If p is 1024 bits and q is 160 bits, then we expect Algorithm 1 to require $(q-1)/(p-1) \approx 2^{1024}/2^{160} = 2^{864}$ loop iterations.
e. Algorithm 2 will fail to find a generator in its first loop iteration only if $1 \equiv h^{(p-1)/q} \pmod p$. This implies that ord(h) divides (p – 1)/q. Thus, the number of bad choices for h is the number of elements of $Z_p$ with order dividing (p – 1)/q:
$$\sum_{d \mid (p-1)/q} \varphi(d)$$
This sum is equal to (p – 1)/q. Thus, the desired probability is:
$$1 - \frac{(p-1)/q}{p-1} = 1 - \frac{1}{q} = \frac{q-1}{q} = \frac{156}{157} \approx 0.994$$
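Both algorithms of 13.13, run on the manual's own parameters p = 40193, q = 157, together with brute-force counts that confirm the q – 1 = 156 elements of order q (part c) and the (p – 1)/q = 256 bad choices of h (part e). This is an added example, not code from the solutions manual; the function names, the candidate range 2..p–1 and the seed handling are my own choices.

```python
# Added example (not from the solutions manual): Algorithms 1 and 2 of 13.13
# with p = 40193, q = 157 (from the manual), plus the counts behind parts c and e.
import random

P, Q = 40193, 157          # q divides p - 1: (p - 1) / q == 256

def algorithm1(p, q, seed=None):
    """Pick random g in 2..p-1 until g^q ≡ 1 (mod p); return (g, iterations).
    Since g != 1 and q is prime, such a g has order exactly q."""
    rng, tries = random.Random(seed), 0
    while True:
        tries += 1
        g = rng.randrange(2, p)
        if pow(g, q, p) == 1:
            return g, tries

def algorithm2(p, q, seed=None):
    """Pick random h, set g = h^((p-1)/q) mod p; accept unless g == 1."""
    rng, tries = random.Random(seed), 0
    while True:
        tries += 1
        g = pow(rng.randrange(2, p), (p - 1) // q, p)
        if g != 1:
            return g, tries

def multiplicative_order(g, p):
    """Smallest k >= 1 with g^k ≡ 1 (mod p), found by repeated multiplication."""
    k, x = 1, g
    while x != 1:
        x, k = (x * g) % p, k + 1
    return k

def count_order_q(p, q):
    """Elements of Z_p* of order q: g != 1 with g^q ≡ 1. Expected: q - 1."""
    return sum(1 for g in range(2, p) if pow(g, q, p) == 1)

def count_bad_h(p, q):
    """Choices of h for which Algorithm 2 must loop again. Expected: (p-1)/q."""
    return sum(1 for h in range(1, p) if pow(h, (p - 1) // q, p) == 1)

if __name__ == "__main__":
    print("order-q elements:", count_order_q(P, Q), "bad h:", count_bad_h(P, Q))
    runs = [algorithm1(P, Q, seed=i)[1] for i in range(200)]
    print("mean Algorithm 1 iterations:", sum(runs) / len(runs))  # about 258
    g, tries = algorithm2(P, Q, seed=1)
    print("Algorithm 2:", g, "order", multiplicative_order(g, P), "tries", tries)
```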
13.14 a. To verify the signature, the user verifies that $(g^Z)^h = g^X \bmod p$.
b. To forge the signature of a message, I find its hash h. Then I calculate Y to satisfy $Yh = 1 \bmod (p-1)$. Now $g^{Yh} = g$, so $g^{XYh} = g^X \bmod p$. Hence $(h, g^{XY})$ is a valid signature and the opponent can calculate $g^{XY}$ as $(g^X)^Y$.
13.15 a. The receiver validates the digital signature by ensuring that the first 56-bit key in the signature will encipher validation parameter u1 into E(k1, u1) if the first bit of M is 0, or that it will encipher U1 into E(K1, U1) if the first bit of M is 1; the second 56-bit key in the signature will encipher validation parameter u2 into E(k2, u2) if the second bit of M is 0, or it will encipher U2 into E(K2, U2) if the second bit of M is 1; and so on.
b. Only the sender, who knows the private values of ki and Ki and who originally creates vi and Vi from ui and Ui can disclose a key to the receiver. An opponent would have to discover the value of the secret keys from the plaintext-ciphertext pairs of the public key, which was computationally infeasible at the time that 56-bit keys were considered secure.
c. This is a one-time system, because half of the keys are revealed the first time.
d. A separate key must be included in the signature for each bit of the message, resulting in a huge digital signature.
ANSWERS TO QUESTIONS
14.1 The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services.
14.2 1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation. 2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation. 3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
14.3 1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID). 2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user. 3. Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.
14.4 Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link. Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another. Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password. Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
14.5 A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.
14.6 A realm is an environment in which: 1. The Kerberos server must have the user ID (UID) and hashed password of all participating users in its database. All users