DVGC20 - Datasäkerhet 2

In a programming language of your choice, show how to encrypt the message "hello world!" with NaCl/libsodium secretbox.

#import stuff and libraries (notably PyNacl) which is a python binding to libsodium ... password = b"Allyourbase" message = b"Hello World" # Generate the key: kdf = nacl.pwhash.argon2i.kdf salt_size = nacl.pwhash.argon2i.SALTBYTES salt = nacl.utils.random(salt_size) key = kdf(nacl.secret.SecretBox.KEY_SIZE, password, salt) # Creation of key # Encryption of data: box = nacl.secret.SecretBox(key) encrypted = box.encrypt(message) #Encryption done

Give examples, for a programming language of your choice, of how to use (1) a CSPRNG and (2) a non-CS PRNG.

(1) package main import ( " crypto/rand " " fmt" "math/big " ) func main ( ) { n, err := rand.Int(rand.Reader, big.NewInt(10)) if err != nil { panic (err) } fmt.Printf("a random integer between [ 0 , 1 0 ) : %d\n " , n ) } (2) package main import ( " fmt " "math/rand " ) func main ( ) { rand.Seed (42) fmt.Printf ("a random integer between [ 0 , 1 0 ) : %d\n " , rand. Intn(10)) }

For a cryptographic hash function, what is the difference between second pre-image resistance and collision resistance?

- Second pre-image resistance Given input m1, it should be hard to find a distinct m2 such that H(m1) = H(m2) - Collision resistance It should be hard to find any two distinct m1 and m2 such that H(m1) = H(m2) For second pre-image resistance, the first message m1 is fixed, while for collision resistance m1 can be any message.

What is the size limit of the plaintext for GCM-mode?

64 GiB for any key-IV combination according to NIST SP 800-38D.

What is the difference between a CSPRNG and a PRNG?

A CSPRNG (cryptographically secure pseudorandom number generator) is suit- able for cryptographic use, while a PRNG (most likely) is not.

What is the difference between an IV and a nonce?

A nonce is a number used once (distinct), while an Initialization Vector (IV) has to be distinct and unpredictable (for the adversary).

On a high-level, explain how AES works.

AES consists of four operations that operates on its internal state: - AddRoundKey adds a round key to the current state - SubBytes byte substitution of the state by lookups in a substitution table ("S-box") - ShiftRows cyclically shifts the last three rows of the state with different offsets - MixColumns mixes all columns of the state independently The operations are repeated in 10, 12 or 14 rounds, depending on key size

What is a suitable size (in bits) for the public RSA modulus to reach 256 bits (symmetric) security?

According to the ECRYPT-CSA Recommendations, 15360 bits.

How can an active attacker subvert a DH key-exchange? Describe in detail.

Assume that Alice and Bob are our victims and that the attacker has full control of the network between Alice and Bob. When Alice/Bob sends her/his public key to Bob/Al- ice, the attacker intercepts the public key and replaces it with its own public key. After this is done with both Alice and Bob, the attacker shares one secret key with Alice and another with Bob. As ciphertexts are sent to/from Alice from/to Bob, the attacker transparently decrypts the ciphertexts, recovers the messages, re-encrypts them with the other shared key it controls, and transmits the re-encrypted ciphertex to the intended party.

For symmetric encryption with a block cipher using CBC-mode, what is the consequence of: 1. Using a predictable IV? 2. Reusing an IV?

Assume that our adversary, for a target ciphertex ct (consisting of only one block) knows the IV IVt used to encrypt ct . Also, assume that the adversary has access to an encryption oracle and can predict the IV IVn used for the next call to the oracle. Now, the adversary can create a guess g for what the plaintext is in ct and send to the oracle as plaintext pn: pn = IVn ⊕ IVt ⊕ g (1) When the oracle gets pn, the encryption will provide the following as input to the block cipher: IVn ⊕ pn = IVn ⊕ IVn ⊕ IVt ⊕ g = IVt ⊕ g If the adversary's guess was correct, the ciphertext returned by the oracle cn will be iden- tical to ct . So in other words, using a predictable IV for CBC-mode with a block cipher enables an adversary to win the IND-CPA game with probability 1. If an IV is reused for two encryptions, the adversary learns if the two plaintexts share any common prefix block(s).

What is the difference between secure symmetric encryption and secure authenticated sym- metric encryption?

Authenticated protection protects the authenticity of the plaintext (INT-PTXT) and/or ciphertext (INT-CTXT), in addition to being a secure symmetric encryption algo- rithm (Bonus: INT-CTXT implies INT-PTXT).

Why does it make sense to assume that the adversary always has access to an encryption oracle when modelling security for public-key encryption schemes?

Because the adversary can always encrypt any plaintext using the public-key.

How can the responder be sure that the initiator controls the corresponding static private key to the static public key sent on the handshake initiation message?

Because the initiator's static private key is used in DH with the responder's static public key as part of the first message.

Alice and Bob share a secret key sk. Alice sends to Bob, over an untrusted network, a message m and a tag t from a MAC over m using sk. How does Bob verify that the message hasn't been tampered with?

Bob first uses sk and m to compute the tag t' . Finally, Bob compares t with t' (ideally in constant time) to detect any tampering.

What are RDRAND and RDSEED?

CPU instructions available in Intel and AMD CPUs for retrieving randomness from the CPU. RDSEED is intended to be used for seeding random number generators.

In which CT logs are the certificates for kau.se and reddit.com stored?

Could be many more, but at least we have SCTs in the certificate for: • kau.se: Google "Xenon2022", Let's Encrypt Oak 2022, and Sectigo (Comodo) "Mam- moth" CT • reddit.com: Google "Argon2021" and DigiCert Yeti2021 Note that this changes over time and also potentially from where you access huge dis- tributed sites like reddit.com.

What is the difference between DoH and DoT?

DoH is DNS over HTTP over TLS, DoT is DNS over TLS.

Describe the ECB, CBC, and CTR block cipher modes.

ECB stands for electronic codebook mode and is basically no mode at all. The plaintext is divided into blocks and encrypted independently of each other with the same key. (Bonus: ECB is horribly insecure and should never be used. Any repetition of the plaintext blocks will result in identical ciphertext blocks, leaking information.) CBC stands for cipher block chaining mode. Each block of plaintext is XORed with the previous ciphertext block before encryption, except for the first block, that is XORed with an IV. CTR stands for counter mode. CTR turns a block cipher into a stream cipher by encrypting a counter. The counter can take two forms: • A random IV as a starting point for each encryption, where for each block the IV is increased by 1, and the IV is included in the ciphertext. • A nonce and counter mode, where the nonce is used as one half of the input to each block and the counter the other (e.g., 2x64-bits for 128-bit AES).

Do a full RSA key-generation, encryption, and decryption for p = 59, q = 17, and m = 42. Ignore any padding. Details of picking e and d can be omitted.

First we calculate n: n = pq = 59 ∗ 17 = 1003 Next we calculate Euler's totient function φ(n): φ(n) = φ(p)φ(q) = (p − 1)(q − 1) = (59 − 1)(17 − 1) = 58 ∗ 16 = 928 Now we need to find two numbers e and d such that: ed = 1 mod 928 Easy candidates are 929, 1857, 2785, ... Trying 929, we find that it is a prime. 1857 is not though, and its factors are: 1857 = 3 ∗ 619 We pick e = 3 and d = 619. Now we can encrypt m = 42: c = me mod n = 42e mod 1003 = 869 Finally, we decrypt: m = c d mod n = 869619 mod 1003 = 42

Explain on a high-level how HKDF works. (HMAC based Key Derivation Function)

HKDF is based on the HMAC construction. HKDF works in two steps: extract and expand. The extract step uses HMAC with an optional salt as the key and the key material as input. The expand step takes as input the output from the expand step, optional info to define the context, and the length of the desired output. The output of the expand step is generated by using HMAC with the output of the extract step as the key and an input based on the optional info, a counter, and a constant.

Explain the logic behind the "correct horse battery staple" comic.

Humans are bad at remembering more-or-less random strings, better at remem- bering more-or-less random gibberish sentences.

You go to a website and download a file. The website lists the MD5, SHA1, and SHA256 hashes of the file for verification purposes. How useful is this for security? Motivate your answer.

If the file is hosted at the same place as the hashes, little value, an attacker can just recompute the hashes. If the file is hosted at some other location, e.g., a CDN, then more value in the hashes. MD5 and SHA1 are old and broken hash functions, but still this is not the main concern here.

What is the ALPN TLS extension? How does it work? Why do we need it?

In the handshake, already specify which application-layer protocol will be used. Saves a round-trip time. Needed for performance.

How is ROT13 related to the Caesar cipher? Give an example.

In the latin alphabet there are 26 letters. ROT13 is the Ceasar cipher with 13 shifts. For example, if we apply ROT13 twice to the text hello bob we end up with the text hello bob. With 13 letters, ROT13 is its own inverse, like XOR.

TKIP was designed to correct the most serious flaws in WEP while keeping the RC4 algorithm. How does TKIP address the weaknesses of WEP?

It does by: 1. introducing the enterprise mode authentication scheme using RADIUS and an au- thentication server. 2. introducing a keyed data integrity protocol (MICHAEL) that covers the message, the source and destination addresses. 3. a re-keying mechanism to provide fresh keys and encryption keys for different pur- poses. 4. a per packet mixing function that prevent weak keys to be used. Also, the MAC address of the destination is mixed to the temporal key. 5. a discipline for IV sequencing. It prevents IV reuse. The IV counter is reseted after the establishment of fresh keys.

In TLS 1.3, for (i) signature algorithm, (ii) DH groups, and (iii) cipher suite, what are the high- est security options? If you use all three of them, what is the resulting security level of the entire protocol? What is the highest possible protocol security-level if TLS AES 128 GCM SHA256 is used?

Let's look at the most parts: • signature algorithm: ed448 / ecdsa secp521r1 sha512 • DH group: x448 / secp521r1 • cipher suite: TLS_AES_256_GCM_SHA384 Arguable with signatures, if custom RSA supported. We are not sure about the resulting security level, likely 200+ bits. For example, ed448 and x448 are designed for 224-bit security level. Likely TLS_AES_256_GCM_SHA384 is around the same. The key is to first identify the weakest link to get an upper bound, after that, we need to properly analyze the resulting protocol, which is out of scope of this course.

Is there any impact on security of a properly designed public-key cryptosystem if an adversary learns the public key?

No, the public key is intended to be public.

Is the combination of fingerprint and keystroke dynamics considered strong enough for au- thenticating users with access to sensitive personal data (such as information about sick leaves of employees or Trade Union memberships)?

Not good enough to be considered 2-factor authentication, so no. Fingerprint and keystore dynamics = things you are, only moderately better than one single biometric factor.

Suggest an alternative strong authentication scheme that can be considered as providing ap- propriate security for authenticating users with access to systems storing sensitive data.

Proper 2-factor authentication, including things like BankID and TEEs. Biometrics only used locally to unlock things like a TEE (as in most phones today). Never sent over the network.

What does RSNA algorithms specify?

RSNA algorithms specify: 1. data confidentiality protocols. 2. network architecture for authentication (IEEE 802.1X). 3. key hierarchy, key setting and key distribution method.

Give an example how role hierarchies, static and dynamic separation of duties and role car- dinality can be used for implementing secure access control at the Human Resource, Research & Development and Financial Departments of a company.

Role hierarchies: reporters and attesters. An attester is also a reporter. Role cardinality: there can only be one head of the Finance Department. Static separation of duties: head of Finance Department cannot be an attester. Dynamic separation of duties: a person that reports reimbursement for an experiment E cannot be the attester of the experiment E.

In CT, what is the difference between a SCT and a STH?

SCT = Signed Certificate Timestamp, a promise of inclusion into a log. STH = Signed Tree Head, the signed Merkle tree root of the log. The difference is that the SCT only promises inclusion, while the STH could be used to prove the inclusion of a certificate.

Transfer the database consisting of the columns Sex, Major, Class and Course Grade into a database providing k-anonymity with k=3 (without loosing too much information).

Sketch of the general principle. Note that Q does not include the Name column. Sex is potentially fine to keep as-is, because only two values in the table. Major has four distinct values (Psy, EE, CS, Bio), Class five (2016-2021), and Grade four different values. The interesting sensitive value is likely the grade, so try to keep that intact (matter of question interpretation). This means we should likely start with making class less granular.

In a database, you use (verified valid) signatures as primary keys for your users. Why could this be a problem with some signature schemes?

Some (most) signature schemes are only weakly existentially unforgeable. This means that anyone can take one valid signature s and create s' , where s 6= s', yet s' is still a valid signature for the same message. This breaks what may be an underlying assumption that the signature is a unique primary key per signed message and user.

Briefly explain the role of each primitive/scheme in the TLS ECDHE RSA WITH AES 128 GCM SHA256 TLS cipher suite.

TLS - definition of the protocol that the cipher suite is for (Usually TLS) ECDHE - Key algorithm that is being used RSA - Authentication Algorithm during the handshake AES - Session Cipher 128 - session encryption key size (in bits) for the sipher GCM - Type of encryption (Cipher block dependency) SHA - Sha hash function, For a a digest of 256 and higher 256- Digest size ( in bits)

Explain there is a 4-way handshake in WPA2. What are its outputs? How does it work?

The 4-way handshake overall objective is PTK setting and GTK distribution. The outputs are the PTK and the GTK. It: 1. confirms that a peer holds the PMK and the PMK is current 2. derives a fresh PTK from the PMK 3. installs encryption and integrity keys 4. confirms the cipher suite Preliminaries: both STA and AP hold an PMK and both STA and AP generates nonces nonce^STA and nonce^AP . 1. AP sends to the STA: nonce^AP . 2. (STA) produces PTK ← f(PMK, nonce^STA, nonce^AP). 3. STA sends to the AP: nonce^STA and MIC, where MIC ← MIC_KCK(payload, STA, AP), and KCK is the first 128 bits of the PTK (0-127). 4. (AP) produces PTK ← f(PMK, nonce^STA, nonce^AP ). 5. (AP) verifies if the MIC received in step 3 is correct, and if so, it calculates the GTK (if there is no GTK), where GTK ← PRF(GMK, nonce^AP , address^AP ). 6. AP sends to the STA: message to install PTK, the MIC for this message and the en-crypted EKEK(GTK), where KEK is the second 128-bit block of the PTK (128-255). 7. STA sends to the AP a confirmation message with MIC. The STA installs PTK and GTK, the AP installs the PTK.

How is the Caesar cipher related to a substitution cipher?

The caesar cipher is a special case of a substitution cipher where the alphabet is only shifted a fixed number of positions.

What are the adversary's goal and capabilities in IND-CPA and IND-CCA?

The goal of the adversary is to distinguish between which of two messages (pro- vided by the adversary) that the challenger encrypted into the challenge ciphertext (the IND part). The capabilities of the adversary in the IND-CCA game are that it has access to an encryption oracle (at all times), and a decryption oracle before and after getting the challenge (but cannot decrypt the challenge ciphertext with the help of the oracle). In IND-CPA, the adversary has access to an encryption oracle, but no decryption oracle. (Bonus if noted that the adversary is computational bound, i.e., it only has a "reasonable" amount of time to run/compute and it only wins the game with a very small/negligible chance over guessing for a scheme that is IND-CCA secure.)

Discuss potential privacy issues of fingerprint biometrics authentication and keystroke dynam- ics and how they could be addressed.

The potential issues of fingerprints are higher than that of keystrokes. Fingerprints stored in a database somewhere do contain information about a biometric feature of a person somewhere. A keystroke however does not contain such information. The fingerprints can be used for trying to identify as someone you are not, etc.

On a high-level, explain how ChaCha20-Poly1305 works.

There are at least three versions of this construction; the original, the IETF vari- ant, and the XChaCha20. I pick the IETF one described in RFC 7539, as used in TLS. In gist, it works as follows to encrypt (decryption is similar): • the input a 256-bit key, 96-bit nonce, plaintext, and additional data • generate a pseudorandom key for Poly1305 using the provided key and nonce • encrypt the plaintext using ChaCha20 using the provided key and nonce • use Poly1305 to authenticate the ciphertext, additional data, and their respective lengths • the output is the ciphertext and the Poly1305 128-bit tag

What is cryptokey routing? Explain.

There is an association between IP and keypair. When sending, a peer can use the destination's IP address to determine the public key to use for encryption. When receiving, the peer can use the source IP-address to determine which keys to use for decryption and then base its routing decision on the authenticated source IP-address of the transported packet (AllowedIPs config value).

What is the point of using ephemeral (EC)DH, as denoted by ECDHE or DHE, in a TLS cipher suite?

To get forward security.

Why increasing WEP's secret key length to 104 or even 232 bits not enough to make it secure?

WEP is insecure at any key length. There are many reasons: 1. The WEP authentication will still leak an encryption key (not the secret key though) no matter the length of the secret key. 2. It is still vulnerable to replay attacks. 3. Integrity with CRC-32 is not keyed. Hence independent of the key length. 4. The 24-bit IV means that IVs are reused after 2 24 frames, which means ca. 7 hours with a rate of 500 frames/s. 5. The RC4 stream cipher block has a weakness in its Key Scheduling Algorithm (KSA). There is a large class of weak keys that allow an attacker to derive the 1 st byte of the RC4 output (in addition, the 1 st plaintext byte is part of the WEP SNAP header is always known 0xAA). From this point, an attacker can derive the secret key.

Consider the statistical database with N = 20 students. Show how Johannes's course grade can be compromised under a query-set-size restriction of n=2 by correlation of statistics (i.e. Tracker attack).

We assume that the attacker knows Johannes's sex, major and class. The only unknown ins grade. What we want is SUM(male, EE, 2020). This is restricted because only selects Johannes. Individual Tracker: C1, C1 and NOT C2. C1 = SUM(male, EE) = 2 + 5 + 4 = 11 C2 = SUM(male, EE, not 2020) = 5 + 4 = 9 11 - 9 = 2

A website stores its users' passwords in a database by hashing them with SHA-256. How long does it take for an attacker that has access to the database to find all 5-character passwords? Make assumptions about what are valid characters and what kind of PC the attacker has (but the attacker is using hashcat).

We assume that: • The attacker uses PC1 with hashcat from the table in the presentation slide, capable of 1122 Mh/s for SHA-256. • We assume case-sensitive alphanumeric passwords (a-zA-Z0-9), in total 62 charac- ters. We calculate the number of seconds: 625/(1122 ∗ 105) ≈ 8, 2 So with 1122 million guesses per second it takes approximately 8,2 seconds to try all 5- character case-sensitive alphanumeric passwords.

Do a full DH key-exchange with p = 11 and g = 3.

We recall DH: Alice : a ←$ {0, 1}^n A ← g^a mod p kA ← B^a mod p A ----> Bob: b ←$ {0, 1}^n B ← g^b mod p kB ← A^b mod p B <---- Since p is very small, we set n = 2 such that the possible secret keys are sampled uniformly at random from {0, 1, 2, 3}. Alice samples a = 2 and calculates her public key: A = g^a, mod p = 3^3, mod 11 = 9 Bob samples b = 3 and calculates his public key: B = g^b, mod p = 3^3, mod 11 = 5 Alice and Bob exchange their public keys. Alice computes the shared secret key kA: kA = B^a , mod p = 52, mod 11 = 3 Bob computes the shared secret key kB: kB = A^b, mod p = 9^3, mod 11 = 3

In TLS 1.3, can clients provide a certificate?

Yes.

For the leaf-values a,b,c,d, what is the resulting root of a Merkle tree with those leafs in that order? Assume that SHA256 is used and that the leafs have to be hashed first (so the first leaf is SHA256(a), not a).

leafs: • SHA256(a) = ca978112ca1bbdcafac231b39a23dc4da786eff8147c4e72b9807785afee48bb • SHA256(b) = 3e23e8160039594a33894f6564e1b1348bbd7a0088d42c4acb73eeaed59c009d • SHA256(c) = 2e7d2c03a9507ae265ecf5b5356885a53393a2029d241394997265a1a25aefc6 • SHA256(d) = 18ac3e7343f016890c510e93f935261169d9e3f565436429830faf0934f4f8e4 middle nodes: • SHA256(SHA256(a) || SHA256(b)) = 62af5c3cb8da3e4f25061e829ebeea5c7513c54949115b1acc225930a90154da • SHA256(SHA256(c) || SHA256(d)) = d3a0f1c792ccf7f1708d5422696263e35755a86917ea76ef9242bd4a8cf4891a root: • SHA256(SHA256(SHA256(SHA256(a) || SHA256(b))) || SHA256(SHA256(SHA256(c) || SHA256(d)))) = 58c89d709329eb37285837b042ab6ff72c7c8f74de0446b091b6a0131c102cfd (Your computed values may vary, depending on how you encode the leaf values and hash output.)

A cryptographic hash function has the output length of n bits. What is its security (in bits), at best, in terms of collision resistance?

n/2 at best, due to the birthday paradox/attack

Give an example of using Argon2 in a programming language of your choice.

use argon2::{self, Config}; let password = b"password"; let salt = b"randomsalt"; let config = Config::default(); let hash = argon2::hash_encoded(password, salt, &config).unwrap(); let matches = argon2::verify_encoded(&hash, password).unwrap(); assert!(matches);

What is the name or names of the one or more certificate authorities that signed the certificate for https://www.kau.se?

www.kau.se has been signed by the Certificate Authority "GEANT OV RSA CA 4" belonging to the "GEANT Vereniging" organisation, and GEANT Vereniging in turn have been signed by the root Certificate Authority "USERTrust RSA Certification Authority" that belongs to "The USERTRUST Network".

Consider a regular three-hop circuit in the Tor-network, going from a client, to a guard, a middle, an exit, and finally to the destination. For each of the three relays in the circuit, what do they know (respectively), in terms of IP-addresses of each other and the client/destination? How does this compare to a VPN like WireGuard? How does this compare to TLS?

• guard: knows client and middle IPs. • middle: knows guard and exit. • exit: knows middle and destination. In a VPN, the VPN server knows both the client's and destination's IPs. In TLS, both parties know their respective IPs.