sign in sign up
<<
Home , Dictionary attack

CIS 4360 Introduction to Computer Security

Home Assignment 9, Fall 2010 – with answers Due: Thu 12:30pm, 23/11/2010

This assignment concerns Key Establishment and Authentication. Examples taken from: Dieter Gollmann, Computer Security, 2nd Edition, John Wiley.

1. In the HTTP basic authentication protocol, analyze the security gains (if any) when the client sends a hash of the instead of a base64 encoding of the password. Answer. No real gain. The attacker just intercepts the hash of the password and provides the hash later to imper- sonate the user. The protocol has to use some kind of nonce to avoid such replay attacks. N.B. In contrast, with the Digest Access Authentication the Server sends a nonce, which the client must include in the hash:

request−digest = h(h(username||realm||password)||nonce||h(method||digest−uri)),

and even though h(username||realm||password), h(method||digest−uri) are the same, the value of nonce (which the Server picks) changes. However this scheme can be broken with a dictionary attack. The dictionary will give the attacker a value for h(username||realm||password)||nonce||h(method||digest−uri), and if the attacker replaces the value of nonce, the hash of the new string is likely to have the correct value. 2. Justify that the AKEP2 protocol provides (a) mutual entity authentication and (b) implicit key authenti- cation. Answer. (a) Mutual entity authentication. A gets a reply hK (B, A, nA, nB) to its challenge nA that can only come from B (assuming the long term key K is not compromised). B gets a reply hK (A, nB) to its challenge nB that can only come from A. (b) Implicit key authentication.

The session key k = hK (nB) is computed from the shared secret K and the nonce nB; thus, it can only be computed by A and B, and it cannot be the replay of a previously compromised session key.

3. Consider this simple password-based challenge-response protocol run between a user A and a server S. PA denotes A’s password, x is a random nonce generated by the server, and h is a known cryptographic hash function.

(a) S → A : ePA(x)

(b) A → S : ePA(h(x))

[ePA(x) is the of x with password PA]. Show that this protocol is vulnerable to an off-line password guessing attack. Answer. The attacker intercepts the two messages and guesses a password, and gets two values, x and y, by decrypting both messages. If y = h(x), the guessed password is likely to be correct. Mike Burmester

1