CS166 Section 02, Fall 2014

Test 2

Student name: Answer Key

Last 4 digits of student ID:
Test 2
1) This problem deals with properties that a cryptographic hash function h(x) must satisfy. Write the
letter of the definition on the right next to the corresponding property on the left.
_D_ Compression

A. There is no feasible way not invert the hash value.

_C_ Efficiency

B. We cannot find two inputs that hash to the same value.

_A_ One-way

C. Computing a hash value must not take too much effort.

_E_ Weak collision resistance

D. For any size input, the hash value is small (fixed in practice).

_B_ Strong collision resistance

E. We cannot modify a message without changing its hash value.

2) This problem deals with categorization of digital watermarks. Write the letter of the definition on the
right next to the corresponding category on the left.
_D_ Invisible

A. These are supposed to be destroyed or damaged if tampering occurs.

_C_ Visible

B. These are designed to remain readable even if attacked or tampered with.

_B_ Robust

C. These are supposed to be observed, such as TOP SECRET on a document.

_A_ Fragile

D. These are not supposed to be readable or perceptible in the media.

3) Recall that for message integrity we can compute a MAC where the MAC is the last block of a block
cipher running in CBC mode (CBC residue). However, with an HMAC (hashed MAC), we use the hash
value of the message to provide integrity.
Explain why when computing an HMAC, it is necessary to thoroughly mix a key K into the hash.
Hint: Explain why Alice should send M, h(M,K) to Bob instead of M, h(M).

Trudy can change the message M and hash of M that is sent to Bob without Bob realizing the message has
been changed. MACs and HMACs are used for integrity *not* confidentiality; therefore the concern here is not
preventing a forward search, but rather preventing swapping of the message. Swapping of the message is
prevented by requiring knowledge of K in order to [re]compute the hash value of the message.
1

CS166 Section 02, Fall 2014

Test 2

4) This problem deals with CRC checksums and finding collisions. Recall that CRC has mistakenly
been used where a cryptographic hash function should have been used as it is easy to find CRC
collisions.
4a) Compute the CRC checksum for the following Divisor and Dividend (message).
Hint: First, Append n-1 zeros to the dividend where n is the count of bits in the divisor.
Hint: Second, perform the long division.
Divisor: 10011
Dividend: 10101011

Divisor
: 10011
Dividend (message): 10101011
10101011 / 10011
101010110000 / 10011
10110110
101010110000 / 10011
10011|||||||
-----|||||||
11001|||||
10011|||||
-----|||||
10101||||
10011||||
-----||||
11000||
10011||
-----||
10110|
10011|
-----|
1010
// CRC checksum for 10101011 = 1010

CS166 Section 02, Fall 2014

Test 2

4b) Find a CRC collision for the Divisor and Dividend (message) from 4a above.
Hint: First, XOR the divisor with the dividend starting at some position to produce a new dividend (message).
Hint: Then append n-1 zeros to the dividend where n is the count of bits in the divisor.
Hint: Last, perform the long division.

Divisor
Dividend (before)
Dividend (after)

: 10011
: 10101011
: 10011
-------11100111
11100111 / 10011
111001110000 / 10011
1111011
111001110000 / 10011
10011|||||||
-----|||||||
11111||||||
10011||||||
-----||||||
11001|||||
10011|||||
-----|||||
10101||||
10011||||
-----||||
11000||
10011||
-----||
10110|
10011|
-----|
1010
// CRC checksum for 11100111 = 1010
// CRC checksum for 10101011 = 1010
//
collision!

CS166 Section 02, Fall 2014

Test 2

5) This problem deals with secret sharing. Recall that Alice and Bob can share a secret S in such a
way that neither Bob nor Alice (nor anyone else) can learn S if acting alone. Of course Alice and Bob
can easily learn S if acting together.
Illustrate the 2 out of 2, 2 out of 3, and 3 out of 3 secret sharing schemes where the secret
S=(0,S) is shared between Alice, Bob, and/or Charlie. Denote each point P=(Xn,Yn) where P is A for
Alice, B for Bob, or C for Charlie ( e.g., A=(X1,Y1) ).

2 points make a line

2 points make a line

3 points make a parabola

CS166 Section 02, Fall 2014

Test 2

6) This problem deals with authenticating humans to machines. Write the letter of the definition on the
right next to the corresponding category on the left.
_B_ Something you know

A. Thumbprint (biometrics).

_C_ Something you have

B. A password or PIN.

_A_ Something you are

C. ATM card or a smartcard.

7) Check all that apply to password files. We denote hashing a password with salt as h(password, salt),
and without salt as h(password). Recall that salt is random, and will differ from one password file to
another even for the same password.
[ ] A typical salted password file entry has 3 values: userid, h(password, salt), salt.
[ ] A typical unsalted password file entry has 2 values: userid, h(password)
[ ] Hashing passwords prevents Trudy from obtaining actual passwords if she gets the password file.
[ ] Encrypting the password file is a secure alternative to storing password hashes.
[ ] Trudy can conduct a forward search attack if she knows a password hash value.
[ ] Salting password hashes prevents Trudy from reusing a dictionary of password hashes.
[ ] The salt value is public and therefore available to Trudy.
8) This problem deals with the properties that an ideal biometric should satisfy. Write the letter of the
definition on the right next to the corresponding property on the left.
_D_ Universal

A. Can be successfully used in the real world, not just in the laboratory.

_E_ Distinguishing

B. The physical characteristic should be easy to collect without harm to the subject.

_C_ Permanent

C. Ideally the physical characteristic being measured should never change.

_B_ Collectable

D. A biometric should apply to virtually everyone.

_A_ Reliable, robust,

and user-friendly

E. A biometric should distinguish with virtual certainty (low error rate).

9) This problem deals with the function of biometric systems.

9a) Define the two phases of a biometric system (enrollment and recognition).
Enrollment: In this phase, subjects have their biometric information gathered and entered into a database. During
this phase, careful measurement of the pertinent physical information is required. Since this is one-time work
(per subject), its acceptable if the process is slow and multiple measurements are required. Enrollment can be
a weak point where results obtained in the lab are not comparable to those seen in the field.
Recognition: This phase occurs when the biometric system is actually deployed and used in the field. For the
authentication problem, recognition deals with whether to authenticate a user or not. Since authentication is
normally concerned with granting access to information or restricted areas, we can assume subjects are
cooperative during both of the phases.
5

CS166 Section 02, Fall 2014

Test 2

9b) Define two types of errors that can occur in biometric recognition and their corresponding rates.
Fraud rate: Suppose Bob poses as Alice and the system mistakenly authenticates Bob as Alice. The rate at
which such misauthentication occurs is known as the fraud rate.
Insult rate: Suppose that Alice tries to authenticate as herself, but the system fails to authenticate her. The
rate which such failed authentications occur is known as the insult rate.

10) This problem deals with the Iris Scan biometric. Recall that two iris codes are compared based on
the Hamming distance between the codes. A perfect match between two iris codes yields a distance of
0, where d(x, y) = 0. Of course, perfect matches are not expected and therefore we say x matches y if
d(x, y) < 0.32.
The following 16-bit iris codes were obtained during the enrollment phase:
Name
Alice
Bob
Charlie

Iris code (binary)

1010101010101010
0101010101010101
1100110011001100

Iris code (hex)

0xAAAA
0x5555
0xCCCC

The following 16-bit iris codes were obtained during the recognition phase. Identify who from the table
above is a likely match for the iris codes in the table below.
Iris code (binary)
1011101110111010
1010101010101010

d(x, y)

Name

3/16, 0.1875

Alice

1101110111011100
1100110011001100

3/16, 0.1875

Charlie

0100010001000101
0101010101010101

3/16, 0.1875

Bob

CS166 Section 02, Fall 2014

Test 2

11) Check all that apply to ACLs and Capabilities (C-lists).

[ ] ACLs and Capabilities are two different ways to partition an access control matrix.
[ ] Capabilities store information by subject (row) whereas ACLs store information by object (column).
[ ] ACLs and Capabilities optimize the performance of authentication operations.
[ ] Capabilities are more difficult to implement than ACLs.
[ ] Capabilities can prevent the confused deputy problem by delegating authority to called programs.
12) Draw arrows to illustrate how subjects and objects are associated in ACLs and Capabilities.

13) Design a simple Covert Channel and estimate its bandwidth (e.g., 1bit/sec). Recall that a covert
channel requires that at least two people/machines can access a shared resource and observe
changes in its state at a regular interval or time T.
There are many possible designs here. This answer generalizes the example given in the text.
In a covert channel C, Alice and Bob agree that Bob will check a directory D on a network file server that they
both have access to. Alice must have full permissions to the directory D, while Bob needs only read access. At
an agreed upon interval T (T=second, T=millisecond, T=microsecond), Bob will check the directory D for the file
F. If the file F exists, Bob assumes Alice has sent a 1 bit, otherwise Bob assumes Alice sent a 0 bit. Note that
this covert channel is unidirectional (data flows from Alice to Bob only).
The bandwidth of the covert channel is dependent on the interval T. If T=millisecond, then Bob will check the
Directory D for file F each millisecond. Therefore the bandwidth would be 1000bits/sec if T=millisecond.

CS166 Section 02, Fall 2014

Test 2

14) This problem deals with inference control. Write the letter(s) of the characteristics on the right next
to the corresponding techniques on the left. Use all the letters at least once.

_A,B_ Query set size control

A. Ensure that no individual or group contributes a majority of

the data, thereby preventing their identification.

_A,B_ N-respondent, k% dominance rule

B. Prevents or distorts important research where the number of

respondents is small (rare diseases).

_C,D_ Randomization

C. May be problematic if precise answers are needed and may

even produce false data.
D. Ensure that exact values cannot be extracted while
preserving trends in the data, allowing it to be analyzed.

15) It can be said that some types of security, if easily compromised, are worse than no security at all.
(paraphrase of Ross Andersons quote).

15a) Does this statement hold for limited inference control? Why or why not?
No. It is better to use inference control even if it is weak rather than do nothing. Weak inference control is very
easy to implement and makes an attackers job more difficult.

15b) Does this statement hold for weak encryption? Why or why not?
Yes. In most cases using no encryption is better than using weak encryption. Encrypting data hints to an
attacker that the data might be sensitive and therefore worth attacking.

15c) Does this statement hold for limited covert channel reduction? Why or why not?
No. It is better to reduce the number and bandwidth of covert channels rather than do nothing. Any amount of
covert channel reduction will limit the amount of information that can be leaked.

CS166 Section 02, Fall 2014

Test 2

16) This problem deals with authentication using symmetric key cryptography. Illustrate how Alice and
Bob can achieve mutual authentication if they both possess a shared key KAB. Give your answer in the
form of an exchange of messages between Alice and Bob.
First attempt at protocol design:

The above protocol ^^ is not secure because of following replay attack:

Second attempt below prevents replay attack and is secure:

CS166 Section 02, Fall 2014

Test 2

17) This problem deals with authentication using public key cryptography. Illustrate how Alice and
Bob can achieve mutual authentication using public key crypto. Give your answer in the form of an
exchange of messages between Alice and Bob.

In the following diagram, Alice and Bob mutually authenticate using public key crypto.

10

CS166 Section 02, Fall 2014

Test 2

18) This problem deals with establishing a session key KS with which Alice and Bob will encrypt data
they wish to send to each other. Recall that session keys are symmetric keys that are established to
either avoid expensive public key operations or to avoid overexposing the shared key KAB.
Illustrate how Alice and Bob can achieve mutual authentication and establish a session key KS. You
may use either a shared symmetric key (prob. 16) or public key crypto (prob. 17) for mutual
authentication.
Example using public key crypto:

Example using symmetric key crypto:

11

CS166 Section 02, Fall 2014

Test 2

19) Recall that Perfect Forward Secrecy prevents Trudy from being able to capture and later decrypt
messages exchanged between Alice and Bob if she can steal the symmetric key KAB. Explain how
Alice and Bob can establish a session key KS without actually sending KS in a message.
Hint: If Alice sends E(KS, KAB) to Bob, Trudy can get KS if she can steal KAB from Alice or Bobs computer.
Alice and Bob need to use an Ephemeral Diffie-Hellman (DH) key exchange instead of a static DH key exchange
or shared symmetric key. In the Ephemeral DH, Alice and Bob compute new secret exponents a (ga mod p) and
b (gb mod p) respectively every time they authenticate. Given the session key KS=gab mod p, PFS is maintained
because Trudy (nor Alice or Bob) can recover or determine the gab mod p that was used to encrypt messages
during a particular session between Alice and Bob.

In the above diagram:

Session key is KS=gab mod p

Alice forgets a, Bob forgets b.
Trudy cant get KS=gab mod p, even if she later breaks into Alice and Bobs systems and gets their
respective ga mod p and gb mod p because (ga mod p) gb mod p != gab mod p.

20) Check all that apply to Timestamps.

[ ] A timestamp T can be used in place of nonce value R, so long as T is a current time.
[ ] One advantage of timestamps is that we dont waste messages exchanging nonce values.
[ ] One disadvantage to timestamps is that authentication requires system clocks to be synchronized.
[ ] As a general rule, protocols that use timestamps are more secure than those that use nonce values.
[ ] Clock skew makes it possible for systems to communicate if their clocks are not perfectly synchronized.
[ ] Even though timestamps prevent replay; Trudy can replay messages if she acts within the clock skew.

End of Document

12