Exercise - UTK-EECS

Exercise
Assume Alice and Bob share the following
information: a shared secret key K, and the
Diffie-Hellman public parameters g and p.
How can they achieve perfect forward secrecy
(PFS) for secure communication?
Answer:
They need to establish per-session keys that
satisfy PFS, i.e. keys that stay secret even if the
long-term key K is later compromised. One way of
doing it is an authenticated Diffie-Hellman
exchange, with K used only to authenticate the
public values:
Alice -> Bob: g^a mod p, MAC(g^a mod p, K)
Bob -> Alice: g^b mod p, MAC(g^b mod p, K)
Then both derive a session key from g^ab mod p.
Each session uses freshly chosen a and b, which
are discarded once the session key has been
derived. Because K never encrypts or derives the
session key, an attacker who records the exchange
and later learns K still faces the Diffie-Hellman
problem for g^ab; and compromising one session key
reveals nothing about K or about the keys of other
sessions.
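The exchange above, written out as an added worked example (this is not code from the course page or from Stallings). It assumes toy parameters, p = 2^521 - 1 and g = 5, rather than a standardised group, and uses HMAC-SHA256 both as the MAC keyed by K and as the key-derivation step from g^ab mod p:

```python
import hmac, hashlib, secrets

# Toy Diffie-Hellman parameters (an assumption of this example, not a
# standardised group): 2^521 - 1 is prime; g = 5 is used as the base.
P = 2**521 - 1
G = 5
NBYTES = 66  # 521 bits fit in 66 bytes

def mac(K: bytes, value: int) -> bytes:
    """MAC(value, K): HMAC-SHA256 over the public value, keyed by the long-term K."""
    return hmac.new(K, value.to_bytes(NBYTES, "big"), hashlib.sha256).digest()

def send(K: bytes):
    """One party picks a fresh exponent and returns (exponent, g^x mod p, MAC)."""
    x = secrets.randbelow(P - 2) + 2  # fresh per session, never reused
    pub = pow(G, x, P)
    return x, pub, mac(K, pub)

def receive(K: bytes, x: int, peer_pub: int, peer_mac: bytes) -> bytes:
    """Check the peer's MAC under K, then derive the session key from g^ab mod p."""
    if not hmac.compare_digest(peer_mac, mac(K, peer_pub)):
        raise ValueError("MAC check failed: public value not authenticated by K")
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("degenerate public value")
    shared = pow(peer_pub, x, P)
    # Hash the DH result into a fixed-size session key instead of using g^ab directly.
    return hmac.new(b"session-key", shared.to_bytes(NBYTES, "big"), hashlib.sha256).digest()

def run_session(K: bytes):
    """One full exchange; returns the key each side derived."""
    a, ga, mac_a = send(K)   # Alice -> Bob: g^a mod p, MAC(g^a mod p, K)
    b, gb, mac_b = send(K)   # Bob -> Alice: g^b mod p, MAC(g^b mod p, K)
    key_alice = receive(K, a, gb, mac_b)
    key_bob = receive(K, b, ga, mac_a)
    # a and b go out of scope here; only the session key survives.
    return key_alice, key_bob

def tamper_detected(K: bytes) -> bool:
    """An active attacker who does not know K cannot substitute its own g^e for g^a."""
    a, ga, mac_a = send(K)
    e = secrets.randbelow(P - 2) + 2
    ge = pow(G, e, P)
    try:
        receive(K, a, ge, mac(b"attacker-does-not-know-K", ge))
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    K = b"long-term-key-shared-by-Alice-and-Bob"  # constructed sample key
    k1, k1b = run_session(K)
    k2, _ = run_session(K)
    print("both sides agree:", k1 == k1b)
    print("sessions differ:", k1 != k2)
    print("forged public value rejected:", tamper_detected(K))
```

Two sessions under the same K yield unrelated keys, and a public value not MACed under K is rejected. Note that the MAC as written in the exercise covers only the public value, so an attacker could reflect Alice's own message back to her as if it came from Bob; a deployed protocol also binds the sender's identity (or the whole transcript) into the MAC.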
[Stallings 17.3]
Is it possible in SSL for the receiver to
reorder SSL record blocks that arrive out
of order? If so, explain how it can be done.
If not, why not?
[Stallings 17.3] Answer
No. SSL relies on the underlying reliable transport,
TCP, to deliver bytes in order with nothing lost or
inserted. For that reason the SSL record header
carries no sequence number: the sequence number that
goes into each record's MAC is implicit, a counter
kept by both ends. A record arriving out of order
would simply fail its MAC check, and the receiver has
no field it could use to put records back in order.
There was some discussion of reengineering the future
TLS protocol to work over datagram protocols such as
UDP, where loss and reordering are expected; that
requires adding an explicit sequence number to the
record header, which is what DTLS later did. So it
depends on the transport layer protocol SSL/TLS
runs on.
[Kaufman 20.5]
Assume we are using secret key technology. What is
wrong with the following source authentication
scheme? Alice chooses a per-message secret key K,
and puts an encrypted version of K in the header
for each recipient, say Bob and Ted. Then she uses K
to compute a MAC on the message, say a DES-CBC
residue, or by computing a message digest of K
appended to the message. (Hint: it works fine for a
single recipient, but there is a security problem if
Alice sends a multiple-recipient message.)
[Kaufman 20.5] Answer:
Once they receive the message, Bob and Ted each know
K, and each also holds the copy of K encrypted under
the key the other one shares with Alice. This allows
either to forge a message to the other as if it were
from Alice. For example, Alice sends the following to
Bob and Ted:
{K}KA-B || {K}KA-T || {m}K || MAC(m, K)
Now Bob can decrypt for K using KA-B, forge a
message m’ and send the following to Ted:
{K}KA-B || {K}KA-T || {m’}K || MAC(m’, K)
Bob doesn’t need to know KA-T to impersonate Alice
to Ted: he simply copies Alice’s {K}KA-T header, and
Ted’s check passes because the MAC key K is exactly
the key Bob already has. A per-message key can only
encrypt for a group; it cannot authenticate the
sender to the group. One fix is a separate MAC for
each recipient under the pairwise key (MAC(m, KA-T)
for Ted), or a digital signature.
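The forgery above, as an added worked example that is not part of the original page or of Kaufman's text. It assumes constructed pairwise keys KA-B and KA-T, a toy HMAC-SHA256 counter-mode stream cipher standing in for {.}K (illustration only, not a cipher to reuse), and shows Ted accepting Bob's forged message, then the per-recipient-MAC fix rejecting it:

```python
import hmac, hashlib, os

# Constructed pairwise keys for this example (assumed, not from the exercise).
K_AB = b"key-shared-by-Alice-and-Bob"
K_AT = b"key-shared-by-Alice-and-Ted"

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(x ^ y for x, y in zip(data, keystream(key, nonce, len(data))))

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:16], blob[16:]
    return bytes(x ^ y for x, y in zip(body, keystream(key, nonce, len(body))))

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def alice_send(message: bytes) -> dict:
    """{K}KA-B || {K}KA-T || {m}K || MAC(m, K) with a fresh per-message K."""
    K = os.urandom(32)
    return {"for_bob": encrypt(K_AB, K), "for_ted": encrypt(K_AT, K),
            "body": encrypt(K, message), "mac": mac(K, message)}

def ted_receive(pkt: dict) -> bytes:
    """Ted recovers K with KA-T, checks MAC(m, K), and accepts m as Alice's."""
    K = decrypt(K_AT, pkt["for_ted"])
    m = decrypt(K, pkt["body"])
    if not hmac.compare_digest(pkt["mac"], mac(K, m)):
        raise ValueError("MAC check failed")
    return m

def bob_forge(pkt: dict, forged: bytes) -> dict:
    """Bob recovers K with KA-B and re-uses Alice's {K}KA-T header unchanged.
    He never needs KA-T: the MAC key is K, which he already holds."""
    K = decrypt(K_AB, pkt["for_bob"])
    out = dict(pkt)                      # keep every header Alice produced
    out["body"] = encrypt(K, forged)     # {m'}K
    out["mac"] = mac(K, forged)          # MAC(m', K)
    return out

def alice_send_fixed(message: bytes) -> dict:
    """One fix: an extra MAC per recipient under the pairwise key."""
    pkt = alice_send(message)
    pkt["mac_bob"] = mac(K_AB, message)
    pkt["mac_ted"] = mac(K_AT, message)
    return pkt

def ted_receive_fixed(pkt: dict) -> bytes:
    """Ted now checks MAC(m, KA-T), which only Alice (or Ted) can produce."""
    K = decrypt(K_AT, pkt["for_ted"])
    m = decrypt(K, pkt["body"])
    if not hmac.compare_digest(pkt["mac_ted"], mac(K_AT, m)):
        raise ValueError("MAC check failed")
    return m

def forgery_succeeds(send, receive, forged=b"Transfer $1000 to Bob") -> bool:
    """Does Ted accept Bob's forgery of a message Alice sent to both?"""
    try:
        return receive(bob_forge(send(b"Transfer $10 to Bob"), forged)) == forged
    except ValueError:
        return False

if __name__ == "__main__":
    print("original scheme, Ted accepts forgery:", forgery_succeeds(alice_send, ted_receive))
    print("per-recipient MAC, Ted accepts forgery:", forgery_succeeds(alice_send_fixed, ted_receive_fixed))
```

With the original scheme Ted's check is a function of K alone, so anyone holding K (every recipient) can pass it; with a MAC under KA-T, Bob's forged packet fails at Ted even though Bob still knows K and still copies Alice's headers.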
[Kaufman 20.11]
Consider the following format for Alice sending
signed, encrypted email to Bob. Alice invents a
secret key S and sends {S}Bob, the message
encrypted with S, and the message digest of the
message signed by Alice. Is this secure? (hint: the
signed message digest is not encrypted)
[Kaufman 20.11] Answer
No. If an eavesdropper can guess the plaintext of the
message, he can compute the message digest of that
guess, verify the signed message digest with Alice’s
public key, and if the recovered digest equals the
digest of the guessed message, he has confirmed his
guess. He never needs to break the encryption under S.
This matters whenever the plaintext is one of a small
number (say, 10) of possibilities, e.g. the names of
all committee members: the attacker simply tries each
one. Sending the signed digest inside the payload
encrypted with S, so that only Bob can see it, removes
this guessing oracle.
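The guessing attack above, as an added worked example that is not from the original page or from Kaufman. It assumes a toy textbook-RSA key for Alice built from two small Mersenne primes (not a realistic key size, no padding), SHA-256 reduced modulo n as the digest, and a constructed list of ten committee names as the attacker's candidate set:

```python
import hashlib

# Toy RSA key for Alice (assumed for this example; far too small for real use).
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # gcd(E, phi) = 1 for these primes

def digest(message: bytes) -> int:
    """SHA-256 of the message, reduced mod N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes) -> int:
    """Alice's signed message digest (textbook RSA with her private key)."""
    return pow(digest(message), D, N)

def verify(message: bytes, signature: int) -> bool:
    """Anyone holding Alice's public key (E, N) can run this check."""
    return pow(signature, E, N) == digest(message)

# Constructed candidate set: the attacker knows the message names one committee member.
COMMITTEE = [b"Alice", b"Bob", b"Carol", b"Dave", b"Eve",
             b"Frank", b"Grace", b"Heidi", b"Ivan", b"Judy"]

def eavesdropper_recover(signature: int, candidates):
    """Confirm a guess against the unencrypted signed digest.
    The ciphertext {m}S and the key S are never needed."""
    for guess in candidates:
        if verify(guess, signature):
            return guess
    return None

if __name__ == "__main__":
    # Alice sends {S}Bob, {m}S and sign(m); only sign(m) is used below.
    observed_signature = sign(b"Carol")
    print("recovered plaintext:", eavesdropper_recover(observed_signature, COMMITTEE))
```

The attacker needs only Alice's public key and the candidate list; the work is one verification per guess, so a plaintext drawn from a small set leaks immediately. Encrypting the signed digest under S along with the message denies the attacker the value he compares against.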