
Solution 1

a) No. It is to authenticate V to C (server to client), to prevent BG from
pretending to be V to C, i.e. so that C can confirm that V is responding, not BG.

Explanation:
Step (5) C -> V: Ticketv || Authenticatorc
Step (6) V -> C: E(Kc,v, [TS5 + 1])

Ticketv = E(Kv, [Kc,v, IDc, ADc, IDv, TS4, Lifetime4])

Authenticatorc = E(Kc,v, [IDc, ADc, TS5])

In step 5, C sends Ticketv and Authenticatorc to V.

Ticketv has Kc,v (the session key) inside it, generated by the TGS and encrypted
with Kv, so that only V can decrypt it to get Kc,v.
Authenticatorc has TS5 inside it, generated by C and encrypted with Kc,v
(the session key), which V acquires through Ticketv.
Simply put, Kc,v is a secret session key known to C and V but not to BG.
So TS5 can be read by V but not by BG, and V can reply in step 6 by
computing TS5 + 1 and encrypting it with Kc,v, thereby
authenticating to C that it is V.
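
The step (5)/(6) exchange above as a runnable sketch; this is an added example, not part of the original solution. E and D are a toy authenticated cipher standing in for the encryption used by Kerberos V4, and the keys, address and timestamps are constructed values.

```python
import hashlib, hmac, json, os

def E(key, fields):
    """Toy authenticated cipher standing in for the E(K, [...]) of the notes."""
    nonce, pt = os.urandom(16), json.dumps(fields).encode()
    ks = hashlib.shake_256(b"enc" + key + nonce).digest(len(pt))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def D(key, blob):
    """Return the field list, or None if blob was not produced under key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        return None
    ks = hashlib.shake_256(b"enc" + key + nonce).digest(len(ct))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def v_step6(k_v, ticket, authenticator):
    """V: open Ticketv with Kv, check Authenticatorc, answer E(Kc,v, [TS5 + 1])."""
    t = D(k_v, ticket)
    if t is None:
        return None                      # a party without Kv stops here
    k_cv, id_c, ad_c = bytes.fromhex(t[0]), t[1], t[2]
    a = D(k_cv, authenticator)
    if a is None or a[:2] != [id_c, ad_c]:
        return None                      # authenticator does not match the ticket
    return E(k_cv, [a[2] + 1])

def c_accepts(k_cv, ts5, reply):
    """C: the peer is V only if the reply decrypts under Kc,v to TS5 + 1."""
    return reply is not None and D(k_cv, reply) == [ts5 + 1]

def exchange_outcomes():
    k_v, k_cv, k_bg = os.urandom(32), os.urandom(32), os.urandom(32)  # constructed keys
    ts4, ts5 = 1_700_000_000, 1_700_000_060                            # constructed times
    ticket = E(k_v, [k_cv.hex(), "C", "10.0.0.5", "V", ts4, 3600])
    auth = E(k_cv, ["C", "10.0.0.5", ts5])
    genuine = c_accepts(k_cv, ts5, v_step6(k_v, ticket, auth))
    no_kv = v_step6(k_bg, ticket, auth)                  # BG cannot open Ticketv
    guessed = c_accepts(k_cv, ts5, E(k_bg, [ts5 + 1]))   # BG answers under its own key
    stale = c_accepts(k_cv, ts5 + 30, v_step6(k_v, ticket, auth))  # old reply, new TS5
    return genuine, no_kv, guessed, stale
```

Only the holder of Kv produces a reply that C accepts; a reply built under another key, or a reply to an earlier TS5, is rejected.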

b) No.
Suppose BG captures (2), i.e. the communication from AS to C.
Step (2) AS -> C: E(Kc, [Kc,tgs || IDtgs || TS2 || Lifetime2 || Tickettgs])
BG cannot decrypt it, as it is encrypted with Kc, a secret key known to C but not to
BG, and so cannot get hands on Kc,tgs.
Hence BG cannot generate Authenticatorc = E(Kc,tgs, [IDc, ADc, IDv, TS3]), as
Kc,tgs is not known to BG.
Therefore BG cannot pose as C to the TGS to be granted a ticket.
If Kc,tgs is captured by BG, then BG can pose as C to the TGS to be granted a
ticket.

c) No.
In Kerberos V4, the authentication server need not have a certified public
key.
The request is sent in plain by C to AS.
(1) C -> AS: IDc || IDtgs || TS1
Kerberos uses secret-key encryption: the AS keeps a database of clients and
servers and their secret keys, and can convince one entity of another entity's
identity.

Solution 2
a) Suppose A first signs a message hash H(M1) to get a signature (r1, s1). Then A, using
the same k value, signs H(M2) to get a signature (r2, s2).
BG would then do the following to get the k value.
BG knows the algorithm and hash function, as those are published. p, q and g are
shared global public keys and are known to BG.
M, r and s are sent in the clear, therefore BG knows M1, r1, s1 and M2, r2, s2,
and so can calculate H(M1) and H(M2).
r = (g^k mod p) mod q
s = (k^-1 [H(M) + x.r]) mod q
r is independent of the message M; if the same k is used then r1 = r2 = r.
Then BG does the following calculation.
s1 = (k^-1 [H(M1) + x.r]) mod q    --> equation (1)
s2 = (k^-1 [H(M2) + x.r]) mod q    --> equation (2)
s1 - s2 = (k^-1 [H(M1) + x.r]) mod q - (k^-1 [H(M2) + x.r]) mod q
s1 - s2 = (k^-1 [H(M1) + x.r] - k^-1 [H(M2) + x.r]) mod q
s1 - s2 = (k^-1 [H(M1) + x.r - H(M2) - x.r]) mod q
s1 - s2 = (k^-1 [H(M1) - H(M2)]) mod q

k = ((H(M1) - H(M2)) / (s1 - s2)) mod q

After calculating the k value, BG substitutes k in equation (1) or equation (2) to get
the private key value x:
s1 = (k^-1 [H(M1) + x.r]) mod q
M1, s1, r and q are known to BG, and H(M1) can be calculated.
Once the private key value x is acquired, BG can forge a signature on any future
message hash H(M3).

b) BG knows q = 11 and
H(M1) = 7, r1 = 5, s1 = 2
H(M2) = 1, r2 = 5, s2 = 1
H(M3) = 4

Gets the k value, as
k = ((H(M1) - H(M2)) / (s1 - s2)) mod q
therefore
k = ((7 - 1) / (2 - 1)) mod 11
k = 6 mod 11
k = 6

Gets the x value
s1 = (k^-1 [H(M1) + x.r1]) mod q
2 = (6^-1 [7 + x.5]) mod 11
12 = (7 + x.5) mod 11
5 = x.5 mod 11
therefore x = 1

Calculates s3
s3 = (k^-1 [H(M3) + x.r3]) mod q
r1 = r2 = r3 = 5
s3 = (6^-1 [4 + 1*5]) mod 11
6 s3 = (9) mod 11 = 9
s3 = (3/2) = 1.5
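
The calculation of parts a) and b) in code, as an added example that is not part of the original solution; the function names are illustrative. Every division is carried out as multiplication by a modular inverse mod q (for example 6^-1 mod 11 = 2), and reused_nonce_pairs is the check a defender can run over logged signatures to spot a repeated k.

```python
def recover_k(h1, s1, h2, s2, q):
    """k = (H(M1) - H(M2)) / (s1 - s2) mod q, division done as a modular inverse."""
    return (h1 - h2) * pow(s1 - s2, -1, q) % q

def recover_x(k, h, r, s, q):
    """Solve s = k^-1 (H(M) + x*r) mod q for the private key x."""
    return (s * k - h) * pow(r, -1, q) % q

def sign_s(k, x, h, r, q):
    """s component of a DSA signature for hash value h under nonce k."""
    return pow(k, -1, q) * (h + x * r) % q

def reused_nonce_pairs(sigs):
    """Detection side: index pairs of signatures that share an r value (same k)."""
    seen, hits = {}, []
    for i, (_, r, _) in enumerate(sigs):
        if r in seen:
            hits.append((seen[r], i))
        seen.setdefault(r, i)
    return hits

Q = 11
SIGS = [(7, 5, 2), (1, 5, 1)]    # (H(M), r, s) values from part b)

def worked_example():
    (h1, r, s1), (h2, _, s2) = SIGS
    k = recover_k(h1, s1, h2, s2, Q)
    x = recover_x(k, h1, r, s1, Q)
    # consistency: the recovered (k, x) must reproduce both observed signatures
    ok = sign_s(k, x, h1, r, Q) == s1 and sign_s(k, x, h2, r, Q) == s2
    s3 = sign_s(k, x, 4, r, Q)   # H(M3) = 4; 6^-1 mod 11 = 2, so 2 * 9 mod 11
    return k, x, ok, s3          # -> (6, 1, True, 7)
```

A signer avoids this failure by never repeating k, for example with deterministic nonces as specified in RFC 6979.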

Solution 4
a) No (it is not a good scheme).
b) Given h(M) = ((M mod 91) * 10) mod 73
The following requirements need to be satisfied by a hash function for it to be used
in a good scheme:

one-way property: given h, it is infeasible to find x s.t. H(x) = h
weak collision resistance: given x, it is infeasible to find y s.t. H(y) = H(x)
strong collision resistance: it is infeasible to find any x, y s.t. H(y) = H(x)

Given M = 101
h(101) = ((101 mod 91) * 10) mod 73 = 27

Given h = 27 we can estimate x such that H(x) = 27:

x = (73*i + h)/10 + 91*j
73*i is a multiple of 73, i belongs to {1, 2, 3, ...}
91*j is a multiple of 91, j belongs to {1, 2, 3, ...}

one-way property fails

substituting i = 1 and j = 1
x = (73 + h)/10 + 91 = (73 + 27)/10 + 91 = 10 + 91 = 101

weak collision resistance fails

substituting i = 11 and j = 0
x = (73*i + h)/10 + 91*j
  = (73*11 + 27)/10 + 91*0
  = 83
substituting i = 11 and j = 1
x = (73*i + h)/10 + 91*j
  = (73*11 + 27)/10 + 91*1
  = 83 + 91
  = 174
and we can go on
h(83) = ((83 mod 91) * 10) mod 73 = 830 mod 73 = 27
h(174) = ((174 mod 91) * 10) mod 73 = 830 mod 73 = 27

strong collision resistance fails

as we found h(83) = h(174) = h(101)

Therefore I will convince B that the scheme is a weak one because of the hash function,
and will show the chance that BG can replace M = 101 with M' = 83 or 174, still
getting the signature verified.
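
An added example (not part of the original solution) that generalizes the substitution above: it derives every preimage of a hash value below a bound from the structure of h and confirms the result by exhaustive search. The function names are illustrative.

```python
def h(m):
    """The hash from the problem: h(M) = ((M mod 91) * 10) mod 73."""
    return ((m % 91) * 10) % 73

def preimages(target, limit):
    """All x in [0, limit) with h(x) == target, built from the structure of h.

    Step 1: solve 10*y = target (mod 73) for y; 10 is invertible mod 73,
            so there is exactly one such y in [0, 73).
    Step 2: M mod 91 ranges over [0, 91), so y and y + 73 (if < 91) both work.
    Step 3: adding any multiple of 91 leaves M mod 91 unchanged.
    """
    y = target * pow(10, -1, 73) % 73
    residues = [v for v in (y, y + 73) if v < 91]
    return sorted(x for v in residues for x in range(v, limit, 91))

def second_preimages(m, limit):
    """Messages other than m that a signature over h(m) would also cover."""
    return [x for x in preimages(h(m), limit) if x != m]

def brute_force(target, limit):
    """Reference check by exhaustive search (only possible because h is tiny)."""
    return [x for x in range(limit) if h(x) == target]
```

For M = 101 and a bound of 200, second_preimages returns 83 and 174 from the solution together with 10 and 192, which the same signature would verify equally well.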

Solution 3
a)
| Nonce | TimeStamp |
|---|---|
| No need of clock synchronization | Needs clock synchronization at both ends |
| Need to store previously used nonces at both ends | No such need |
| Need to generate a new random nonce each time, comparing with previous nonces | No such need |
| If more systems are in communication, need to maintain separate registers for each at every system; too much data and indexing | No such need |
| As many messages can be sent as long as a unique random nonce is used for each | If the time stamp is down to a second, then multiple messages can't be sent within the same second. There will be some restriction in the number of messages because of this |

b)
In PGP, compression is applied after the signature.
This is because at the receiving end, after decompression, the receiver gets the clear
message and signature and can store them directly for later verification. There is no
need to worry about a third party verifying the signature having to do decompression.

Programming Problem:
1) Self Critique:

I mastered the algorithm as I practiced it manually many times to evaluate my program.


I used the same naming conventions as described in our class.
The program contains one method to do modulo and power modulus operations.
Used C# Programming language.

2)

3)
