Computer and Network Security
Answer all five questions.
1. ABC Ltd. aims to provide a long-term secure storage solution for the encryption keys of confidential documents that laws and regulations require to be kept for more than 10 years. There will be serious legal consequences if ABC Ltd. fails to comply with these storage requirements. The IT manager has proposed developing a solution called Secure10. Users who want to use Secure10 must first register with the IT department to obtain a registration number R, an AES key K, and the Secure10 client software. To use this solution, a user must assign a unique name to each confidential document. The solution works as follows. The client software asks the user for the unique document name F. It then generates a random symmetric key K_S and encrypts the document with K_S. The document is then replaced by its encrypted version (the original copy is securely deleted). The client software then encrypts K_S || R || F with K using AES in ECB mode and sends R || E_K(K_S || R || F) to the Secure10 server. The server then checks whether it is the right R. If so, the server stores F || K_S in its secure database.
You are the security manager of ABC Ltd., and the CEO has invited you to perform a security analysis of Secure10.
(a) Explain whether there is any security risk in using ECB. State all your assumptions.
(b) Your security analyst suggested using CBC instead to increase the security level.
(i) Do you agree with your security analyst? Explain your answer.
(ii) Explain whether there is any security risk in using CBC. State all your assumptions.
(c) For the security risk you have identified in (b)(ii) (if any), state one method to counter it.
2. A health record system has implemented the following access control policies:
(P1) A nurse registering a new patient is granted access to the new patient’s record for 60 days.
(P2) A nurse who has an access right to a patient’s record can pass the right offline to another nurse.
The implementation works as follows. When a nurse registers a new patient, a capability to access the patient’s record is generated in the following format:
patientID || issueDate || MAC_K(patientID || issueDate)
where patientID is the patient’s identification, issueDate is the date the record is generated, and K is a secret key known only to the health record system. The nurse can save this capability on a removable storage device such as a USB stick, and anyone in possession of this capability is granted access to the corresponding record at any time within 60 days after issueDate. Note that all legitimate users of the health record system need to log in to the system with their user names and passwords.
(a) Principle 4 of the Personal Data (Privacy) Ordinance (Cap. 486) (PDPO) requires all organizations in Hong Kong to take all practicable steps to protect personal data.
(i) Explain whether the above implementation will lead to a potential violation of this principle.
(ii) Modify the format of the capability so as to minimize the risk of violating Principle 4 of the PDPO.
(b) Design a mechanism so that the health record system can enforce the following capability transfer policy: nurses can only transfer capabilities issued by the health record system to another nurse, but cannot transfer capabilities that were transferred to them by other nurses. That is, a capability is transferable only if it is issued directly by the system.
(c) For convenience’s sake, an information security analyst suggested implementing the Bell-LaPadula model and Biba’s model on the system by using the same labels for security levels and categories as for integrity levels and categories. Do you think this is practical? Explain your answer.
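A worked implementation of the capability format described in this question, added here as an illustration and not part of the original paper. It assumes HMAC-SHA256 as the MAC, a constructed system key, a fixed-width encoding of patientID and an ISO date string for issueDate, and shows how the MAC and the 60-day window are checked when a capability is presented.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed system key K; in the real system it is known only to the health record server.
K = b"constructed-system-key-for-illustration-only"
VALIDITY_DAYS = 60
ID_LEN, DATE_LEN, TAG_LEN = 8, 10, 32   # patientID (8 bytes), issueDate "YYYY-MM-DD", HMAC-SHA256 tag

def encode_fields(patient_id: int, issue_date_iso: str) -> bytes:
    # Fixed-width fields, so patientID || issueDate cannot be re-split ambiguously.
    return patient_id.to_bytes(ID_LEN, "big") + issue_date_iso.encode("ascii")

def issue_capability(patient_id: int, issue_date_iso: str) -> bytes:
    """patientID || issueDate || MAC_K(patientID || issueDate), as in the question."""
    body = encode_fields(patient_id, issue_date_iso)
    tag = hmac.new(K, body, hashlib.sha256).digest()
    return body + tag

def check_capability(cap: bytes, today_iso: str) -> bool:
    """Accept only an unmodified capability presented within 60 days of issueDate."""
    if len(cap) != ID_LEN + DATE_LEN + TAG_LEN:
        return False
    body, tag = cap[:ID_LEN + DATE_LEN], cap[ID_LEN + DATE_LEN:]
    expected = hmac.new(K, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):      # constant-time tag comparison
        return False
    issue_date = date.fromisoformat(body[ID_LEN:].decode("ascii"))
    today = date.fromisoformat(today_iso)
    return issue_date <= today <= issue_date + timedelta(days=VALIDITY_DAYS)

def capability_patient_id(cap: bytes) -> int:
    """Helper for callers that need the patientID after a successful check."""
    return int.from_bytes(cap[:ID_LEN], "big")
```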
3. Let <3, n> and <d, n>, where d = 3^-1 mod φ(n), be a pair of public and private keys respectively. To sign a message m using RSA PKCS1 v1.5, one must form the block B = 01 0xFF … 0xFF 0x00 ASN1 H(m), where H denotes the SHA-256 hash algorithm and:
• 01 is a two-byte value indicating PKCS1 mode 1 is being used
• 0xFF … 0xFF is a variable length padding block (each padding byte is set to 0xFF) to pad up B if necessary so that the size of B is equal to the size of n (256 bytes in our case)
• 0x00 is a one-byte end of padding block indicator
• The ASN1 field encodes the hash function that is used to hash the message (this is a 15-byte fixed value for SHA-256)
Then the signature is s = B^d mod n. To verify the signature, the following steps are executed:
Step 1: Compute D = s^3 mod n.
Step 2: Check the block D from left to right:
o If the leftmost two bytes are not 01, reject the signature.
o Skip all 0xFF bytes until a 0x00 byte is reached. Skip the 0x00 and check the ASN1 code; reject the signature if it is not the SHA-256 identification code.
o Otherwise read the next 32 bytes and compute the SHA-256 value of m. Compare the two values; if they are not equal, reject the signature.
Show that given the public key <3, n>, an attacker can forge the signature on any message of the attacker’s choice.
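The two-step verification above, implemented as an added example that is not part of the original paper: a lenient checker that follows Step 2 literally, beside a strict checker that rebuilds the only valid block for m and compares all 256 bytes. The ASN1 identifier is a constructed 15-byte stand-in matching the length given in the question, and the two-byte value 01 is taken as 0x00 0x01. A constructed block with short padding and unchecked bytes after the hash shows what the lenient scan misses.

```python
import hashlib

N_LEN = 256                                  # size of n in bytes, as in the question
HEADER = b"\x00\x01"                         # the two-byte value 01 (PKCS1 mode 1)
ASN1_SHA256 = b"\xA5" * 15                   # constructed 15-byte stand-in for the SHA-256 ASN1 code
HASH_LEN = 32

def build_block(m: bytes) -> bytes:
    """Form B = 01 || 0xFF...0xFF || 0x00 || ASN1 || H(m), padded up to the size of n."""
    tail = b"\x00" + ASN1_SHA256 + hashlib.sha256(m).digest()
    pad_len = N_LEN - len(HEADER) - len(tail)
    return HEADER + b"\xFF" * pad_len + tail

def lenient_check(D: bytes, m: bytes) -> bool:
    """Step 2 exactly as written: scan left to right and stop once the hash has been compared."""
    if D[:2] != HEADER:
        return False
    i = 2
    while i < len(D) and D[i] == 0xFF:       # skip the 0xFF padding
        i += 1
    if i >= len(D) or D[i] != 0x00:
        return False
    i += 1
    if D[i:i + len(ASN1_SHA256)] != ASN1_SHA256:
        return False
    i += len(ASN1_SHA256)
    # Whatever follows the 32 hash bytes is never examined, and the padding length is never checked.
    return D[i:i + HASH_LEN] == hashlib.sha256(m).digest()

def strict_check(D: bytes, m: bytes) -> bool:
    """Hardened verifier: there is exactly one valid block for m, so compare the whole thing."""
    return len(D) == N_LEN and D == build_block(m)

def block_with_slack(m: bytes, slack: int) -> bytes:
    """Constructed test input: padding shortened by 'slack' bytes, with unchecked bytes after the hash."""
    tail = b"\x00" + ASN1_SHA256 + hashlib.sha256(m).digest()
    pad_len = N_LEN - len(HEADER) - len(tail) - slack
    return HEADER + b"\xFF" * pad_len + tail + b"\x00" * slack
```

The strict form is the same fix that production verifiers adopted: reconstruct the expected encoded block from m and require a full-length match rather than parsing D.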
4. In the following protocol, let K_XY be a pre-shared secret key between user X and user Y.
1. X → Y: X || N_X
2. Y → X: E_KXY(N_X || K_S)
3. X → Y: E_KS(N_X)
(a) The objective of the protocol is to enable users X and Y to share a fresh secret key with each other. Describe a possible security attack on the protocol.
(b) Modify the protocol to counter the attack you have identified in (a).
5. Choose either Example1.py or Example1.R and perform the following:
(a) Run the code you have chosen on reputation_assignment.dat, and submit the results with brief explanations of them.
(b) Identify two possible directions for further investigation