Exercise 1. In the public-key certificate system, suppose that the certificate authority
(CA) employs the DSS signature. Assume that the CA's private key and public key pair is denoted
by $(sk_{CA}, pk_{CA})$. Bob requests a public-key certificate for his key pair $(sk_B, pk_B)$, which is an
RSA key pair.
(a) Explain what Bob should submit to the CA to get the certificate for his public key pkB.
(b) How does the CA generate the certificate of Bob's public key? (You only need to specify the
format of the certificate.)
(c) When Alice wishes to send some sensitive information to Bob using Bob’s public key, what
does she need to do before she performs the RSA encryption using Bob’s public key?
(d) Why is a certificate authority necessary for a public-key system?
Exercise 2. Consider the man-in-the-middle attack when the Diffie-Hellman public keys are
not signed in Protocol C.
(a) Explain how the man-in-the-middle attack works.
(b) Show how an attacker could impersonate the entities A and B by the man-in-the-middle
(c) What are the secret keys that A and B, respectively, obtained by the end of the protocol?
Exercise 3. Assume that each of party A and party B has a pair of RSA public and private
keys. The public keys are certified by a trusted third party. Try to design a key agreement
protocol using public key for key transport and explain how mutual authentication is done
(which is referred to as implicit authentication).
Exercise 4. Security analysis on IKE AUTH:
(a) Try to find a man-in-the-middle attack on the "IKE AUTH" exchange with the modification that the data fields over which the authentication payloads are generated are changed such that
$AUTH_i = Sig_{sk_i}(N_r)$ and $AUTH_r = Sig_{sk_r}(N_i)$; assume certificates are exchanged.
@G. Gong, ECE 458, Computer Security, Spring 2020 2
(b) Try to explore possibilities to conduct a dictionary attack in IKEv2, when the pre-shared
secret $S_{pre}$ is a password with binary length 8 bits. (Hint: A failed execution may expose
a value $AUTH$ and the data it is protecting.)
Exercise 5. Security analysis on TLS:
(a) Assume the key establishment algorithm is RSA, and the client authentication is not
conducted, that is, the message CertificateVerify is not sent. Try to identify an attack
which hijacks the session by sending an attacker-generated "pre-master secret" to the
server, where the Finished messages can carry along without being detected by either
the client or the server.
(b) Explain why the attack identified in (a) will not gain access to the server, if the client
must enter a password before any further application data will be exchanged.
(c) Try to explain why key establishment algorithms RSA and DH cannot provide perfect
Exercise 6. Consider the authentication vectors in AKA in 4G-LTE.
(a) Explain the functionalities of $f_i$, $i = 1, \cdots, 5$, used to generate the authentication vector
in AKA, i.e.,
$$AV = (RAND, XRES, CK, IK, AUTN)$$
$$XRES = f_2(K, RAND)$$
$$CK = f_3(K, RAND)$$
$$IK = f_4(K, RAND)$$
$$AK = f_5(K, RAND)$$
$$AUTN = (SQN \oplus AK) \,\|\, AMF \,\|\, MAC$$
$$MAC = f_1(K, RAND, SQN, AMF).$$
(b) Explain the functionality of $SQN \oplus AK$. Which value serves as a masking value?
(c) Explain how the UE entity authentication and the network entity authentication are
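The authentication vector above, worked through on both sides, as an added example that is not part of the original exercise sheet. It assumes the functions $f_1, \ldots, f_5$ are modelled as HMAC-SHA256 with distinct labels (real networks use the AES-based MILENAGE set), and uses the 3GPP field sizes (RAND 16 bytes, SQN 6, AMF 2, MAC 8, AK 6, CK/IK 16).

```python
import hmac, hashlib, os

# Assumption: f1..f5 modelled as labelled HMAC-SHA256; real UEs/HSS use MILENAGE.
def _f(label, K, *parts, n):
    return hmac.new(K, label + b"".join(parts), hashlib.sha256).digest()[:n]

def f1(K, RAND, SQN, AMF): return _f(b"f1", K, RAND, SQN, AMF, n=8)   # MAC
def f2(K, RAND): return _f(b"f2", K, RAND, n=8)                        # RES/XRES
def f3(K, RAND): return _f(b"f3", K, RAND, n=16)                       # CK
def f4(K, RAND): return _f(b"f4", K, RAND, n=16)                       # IK
def f5(K, RAND): return _f(b"f5", K, RAND, n=6)                        # AK

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def generate_av(K, SQN, AMF, RAND=None):
    """Home network side: AV = (RAND, XRES, CK, IK, AUTN)."""
    RAND = RAND or os.urandom(16)
    XRES, CK, IK, AK = f2(K, RAND), f3(K, RAND), f4(K, RAND), f5(K, RAND)
    MAC = f1(K, RAND, SQN, AMF)
    AUTN = xor(SQN, AK) + AMF + MAC        # SQN travels masked by AK
    return RAND, XRES, CK, IK, AUTN

def ue_authenticate(K, RAND, AUTN, last_sqn):
    """UE side: verify AUTN (this authenticates the network), then derive RES,
    CK, IK. Returns None if the MAC fails or the vector is a replay."""
    masked_sqn, AMF, MAC = AUTN[:6], AUTN[6:8], AUTN[8:]
    AK = f5(K, RAND)
    SQN = xor(masked_sqn, AK)              # unmask with the same AK
    if not hmac.compare_digest(MAC, f1(K, RAND, SQN, AMF)):
        return None                        # wrong K or tampered AUTN
    if int.from_bytes(SQN, "big") <= last_sqn:
        return None                        # SQN not fresh: replayed vector
    return f2(K, RAND), f3(K, RAND), f4(K, RAND), SQN

def network_check(XRES, RES):
    """Serving network side: RES == XRES authenticates the UE."""
    return hmac.compare_digest(XRES, RES)

if __name__ == "__main__":
    K = bytes(range(16))                   # constructed long-term key
    RAND, XRES, CK, IK, AUTN = generate_av(K, (5).to_bytes(6, "big"), b"\x80\x00")
    RES, CK_ue, IK_ue, SQN = ue_authenticate(K, RAND, AUTN, last_sqn=4)
    print("mutual auth ok:", network_check(XRES, RES) and CK_ue == CK)
```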
Exercise 7. List the security flaws in WEP and comment on how, if you were a designer of
WEP, you might argue that the design was considered secure.
Exercise 8. A forgery attack on GHASH. GHASH is used in GCM in TLS and GCMP in
WiFi, as well as EIA1 in 4G-LTE. In theory, it has been proved to be secure under the assumption that the nonce cannot be reused. As you have seen, in the real world, in both 4G-LTE
and WiFi, the nonce can be forced to repeat. Hence, an attacker is able to forge the authentication tag generated by GHASH. In the following, we will assume that a GHASH polynomial is
evaluated in the finite field $GF(2^4)$, defined by $t(x) = x^4 + x + 1$, a primitive polynomial, and $\alpha$
is a root of $t(x)$ in $GF(2^4)$. We give the following two pairs of plaintext and ciphertext.
$$M = 001100101111, \quad C = 101000111001$$
$$M' = 100000110000, \quad C' = 001011100101$$
where the rightmost bit is the LSB and each ciphertext is generated by a random cipher.
(a) ∗∗ Let $H = 0101$ in GCMP; compute $GHASH(C, H)$ and $GHASH(C', H)$. Find a
ciphertext which has a valid hash value.
(b) ∗∗ In EIA1, let $P = 1111$, $Q = 0001$ and $OTP = 0011$ (i.e., without truncating); compute
$GHASH(M, P)$ and $GHASH(M', P)$, the GHASH component in EIA1 for message M
(c) Provide an argument to show that a forgery for GCMP is successful even it is over the
(d) ∗∗ Show that after the attacker intercepts $\text{MAC-I}(M)$ and $\text{MAC-I}(M')$, he can forge a
valid $\text{MAC-I}(M_{new})$ where $M_{new} = 0110 \cdot (M + M') + M$. (Hint. Show that
$\text{MAC-I}(M_{new}) = \alpha\,[\text{MAC-I}(M) + \text{MAC-I}(M')] + \text{MAC-I}(M)$.)
(e) Identify a possible forgery when the attacker has only one MAC for both GCMP and
Note. An example of the format for GHASH:
$$GHASH(M, H) = M_1 H^3 + M_2 H^2 + M_3 H$$
where $M = (M_1, M_2, M_3)$ with $M_1 = 0011$, $M_2 = 0010$, $M_3 = 1111$.
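GHASH over $GF(2^4)$ with $t(x) = x^4 + x + 1$, as an added example that is not part of the original exercise sheet, serving parts (a), (b) and the hint in (d). It uses the exercise's block format (4-bit blocks, rightmost bit = LSB, $M_1$ leftmost) and assumes a simplified EIA1 tag $(GHASH(M,P) \cdot Q) \oplus OTP$ without truncation; `linearity_holds` checks the identity from the hint for any field constant $c$, not only $\alpha$.

```python
MOD = 0b10011      # t(x) = x^4 + x + 1
ALPHA = 0b0010     # alpha = x, a root of t(x)

def gf16_mul(a, b):
    """Multiply two elements of GF(2^4) modulo t(x); bit i = coefficient of x^i."""
    r = 0
    for _ in range(4):
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a & 0b10000:          # degree 4 reached: reduce by t(x)
            a ^= MOD
    return r & 0xF

def blocks(bits):
    """Split a bit string into 4-bit blocks M1, M2, ... (M1 is the leftmost)."""
    return [int(bits[i:i + 4], 2) for i in range(0, len(bits), 4)]

def ghash(bits, H):
    """GHASH(M, H) = M1*H^n + M2*H^(n-1) + ... + Mn*H, in Horner form."""
    y = 0
    for m in blocks(bits):
        y = gf16_mul(y ^ m, H)
    return y

def mac_i(bits, P, Q, OTP):
    """Assumed simplified EIA1 tag: (GHASH(M, P) * Q) xor OTP, no truncation."""
    return gf16_mul(ghash(bits, P), Q) ^ OTP

def xor_bits(a, b):
    return "".join("1" if x != y else "0" for x, y in zip(a, b))

def scale_bits(bits, c):
    """Multiply every 4-bit block of a message by the field constant c."""
    return "".join(format(gf16_mul(m, c), "04b") for m in blocks(bits))

def linearity_holds(M, M2, P, Q, OTP, c):
    """True iff tag(c*(M+M') + M) == c*(tag(M)+tag(M')) + tag(M) when the same
    P, Q and OTP (i.e. the same nonce) cover all three messages. This linearity
    is why a repeated nonce lets the two intercepted tags predict a third one."""
    Mnew = xor_bits(scale_bits(xor_bits(M, M2), c), M)
    t1, t2 = mac_i(M, P, Q, OTP), mac_i(M2, P, Q, OTP)
    return mac_i(Mnew, P, Q, OTP) == gf16_mul(t1 ^ t2, c) ^ t1

if __name__ == "__main__":      # the exercise's M, M', C, C'
    M, M2, C, C2 = "001100101111", "100000110000", "101000111001", "001011100101"
    print(format(ghash(C, 0b0101), "04b"), format(ghash(C2, 0b0101), "04b"))
    print(linearity_holds(M, M2, 0b1111, 0b0001, 0b0011, ALPHA))
```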
Exercise 9. Assume that a path consists of n nodes, n > 2. A piece of data D is transported
from node 1 to node n.
(a) Assume that each node $i$, $i = 1, 2, \cdots, n$, has a pair of public and private keys ($pk_i$
used for digital signatures, where the public key $pk_i$
is certified by a CA, which is trusted
by all the other nodes on the path. Can integrity protection and authenticity be applied
on the path in both end-to-end and hop-by-hop manners through digital signature and
how? (Hint: the data D can be protected by more than one signature.)
(b) If using symmetric key based message authentication code, what are the conditions about
the shared keys among these nodes to achieve both end-to-end and hop-by-hop integrity
protection and authenticity?