Distributed Systems Security – Assignment 2

Task 1 – Draw a matrix table that shows the relationship between security services and attacks.

Attack
Release of Denial
Traffic Modification
Service message Masquerade Replay of
analysis of messages
contents service
Peer entity
Y Y
authentication
Data origin
Y
authentication
Access control Y Y
Confidentiality Y
Traffic flow
Y
confidentiality
Data integrity * Y Y
Nonrepudiation Y
Availability Y

* if single message provides protection against modification only

As per Stallings (2017) a security attack is any action that compromises the security of
information owned by an organization, and a security service is “a processing or communication
service that enhances the security of the data processing systems and the information transfers of an
organization. The services are intended to counter security attacks.”
There are two types of attacks, passive and active.
Passive attacks attempt to retrieve information from the system but do not modify resources.
Examples of these are the release of message contents and traffic analysis.
Active attacks attempt to alter system resources or affect how they operate. They generally
modify or falsify data streams. Examples of these are masquerade (when an entity pretends to be a
different entity), replay (capture of data units and retransmission), modification of messages, and
denial of service.
There are several services in place to deal with these attacks. Some put emphasis on
prevention of passive attacks, and some deal with mitigation of the effects of active attacks.
Peer entity authentication corroborates the identity of a peer entity in an association. Two
entities are peers if they implement the same protocol in different systems. Quoting Stallings (2017),
this service “(…) provides confidence that an entity is not performing either masquerade or an
unauthorized replay of a previous connection”.
 Data origin authentication corroborates the source of data units, and it does not provide any
protection against duplication or modification of data units (Stallings, 2017). The fact that the source
of the data unit is protected will invalidate masquerade attacks.
Access control limits access to systems and applications via communication links. Each entity
involved is first identified so that access is restricted to its rights. This protects against masquerade
and replay.
A loss of confidentiality is the unauthorized disclosure of information. Therefore, a
confidentiality service protects against release of message contents.
Traffic flow confidentiality protections traffic flow from being analysed. It stops an attacker
from observing the source, destination, frequency, length, or other characteristics of the traffic on a
communications facility (Stallings, 2017).
Data integrity is a service that guards against improper information modification or
destruction. As per Stallings (2017), “The connection-oriented integrity service addresses both
message stream modification and denial of service.” … If the service deals with single messages only,
it generally provides protection only against message modification.
The nonrepudiation prevents either sender or receiver from denying a transmitted message,
therefore protecting against denial of service.
The availability service ensures timely and reliable access to information. A loss of availability
is the disruption of access to or use of information on an information system (Stallings, 2017),
therefore this protects against denial of service.

Task 2 - Using the S-DES, decrypt the ciphertext string (10100010) using both keys K1 = 01011111
and K2 = 11111100 by hand. Show intermediate results after each function (IP, Fk, SW, Fk, IP-1).
Then decode the first 4 bits of the plain text string to a letter and the second 4 bits to another letter
where we encode A through P in base 2 (i.e., A = 0000, B = 0001, … P = 1111).

Using Sanchis (2018) instructions for simplified DES, we can start decrypting our ciphertext
10100010.

Making the initial permutation and separating the first 4 bits from the other 4 bits results in:

IP = 0011 | 0001

IP(2)= 0001 -> using the second set of 4 bits from IP, we perform an extended permutation:

EP= 10000010
 K2= 11111100

We apply an exclusive or operation between EP and K2, which results in EP + K2 = 0111 | 1110
-> we put the first 4 bits through S0 and the other 4 bits through S1

The result is 0000. We apply permutation P4 to this, which results in 0000 as well, and we do
an exclusive or to the first set of bits on IP = 0011.

P4 + IP(1) = 0011

SW is 0011 0001, which is also equal to the first Fk.

We now do a second round swapping the 2 sets of bits on SW which equates to 0001 | 0011,
in which the first set is used in the same manner as IP(2) and the other set is used in the same way as
IP(1).

We do an extended permutation on 0011, which results in EP = 10010110, and we do an

exclusive or with the key K1 = 01011111.

EP + K1 = 1100 | 1001 -> we put the first 4 bits through S0 and the other 4 bits through S1,
resulting on 0110.

We apply permutation P4 to this, which results in 1010, and we do an exclusive or with the
second set of SW, 0001, which results on 1011. Fk is then equal to 1011 0001.

We do an inverse initial permutation, and we will then get the plaintext, which is 1110 0010.

The first 4 bits will equate to the letter O and the second letter is C.

Task 3 i) The following diagram shows both Alice and Bob are using hash function to check the
integrity of data sent from Alice to Bob. Update this diagram to show how a man-in-the-middle
attack could be carried out against has function.

A hash function accepts a variable-length block of data as input and produces a fixed-size value
(Stallings, 2017). The cryptographic hash function should produce outputs that are evenly distributed
and seemingly random. It should make it so an attacker would not be able to find a piece of data that
maps to a specified hash result or two data objects that map to the same hash result, as this would
allow an attacker to create false certificates, or modify the message and pass it on as legitimate.

The process of sending a message using a hash function can be described as follows. A sender
will create a hash value using the data to be transmitted, and transmits both this value and the
message. The receiver will perform the same calculation on the message and will compare this value
with the incoming hash value. If they do not match, the receiver knows that the message was possibly
compromised.

A man-in-the-middle attack, as defined by Techopedia (2018), “is a form of eavesdropping

where communication between two users is monitored and modified by an unauthorized party”.
Using this type of attack, an opponent can retrieve a message, along with the hash value, and pass on
the message as legitimate by using the correct hash value. In this scenario, Alice would pass on a
message, an opponent would retrieve it, modify it, and transmit it to Bob with the correct hash value,
and Bob would recognize it as legitimate.

Below diagram, constructed with Stallings (2017) as reference, illustrates how the man-in-the-
middle attack described above would be carried out.

ii) With the aid of a diagram show a simplified example of how to overcome the man-in-the-middle
attack using a basic digital signature and hash code between two communicating parties Alice and
Bob. The sender’s message plus the private-key-encrypted hash code can be encrypted using a
symmetric secret key.

A technique to get around a man-in-the-middle attack would be to encrypt the data to be

transmitted, along with a signature created using a hash code and the sender’s private key, using
symmetric encryption. As per Stallings (2017), “the hash code provides the structure or redundancy
required to achieve authentication. Because encryption is applied to the entire message plus hash
code, confidentiality is also provided.” The sender’s private key, along with the hash code, are used as
input in a signature generation algorithm, which will create a digital signature. After encryption, the
data is then sent with the signature attached.
 When Bob receives Alice’s message, he deciphers it, calculates the hash code for the message
and then validates the signature by inputting the hash value and Alice’s public key on the signature
verification algorithm. Only Alice’s private key can create a signature that can be verified with her own
public key, therefore this would validate that the message came from her, and not a man in the middle.

The diagram below, constructed with Stallings (2017) as a reference, illustrates the
explanation of using a digital signature in order to assure authenticity of the source of data, mitigating
the man-in-the-middle attack possibility.

For data integrity, the message and hash value will also be encrypted as per below.

In essence, after generating the message with the signature, Alice would encrypt the result
using a symmetric key, and Bob would later put this through a process of decryption, using the result
to then verify if the signature is valid or not.
Task 4 - The DSA signing process shown below, specifies that if the signature generation process
results in a value of s = 0, a new value of k should be generated and the signature should be
recalculated. Why?

To understand the reason for generating a new value of k if s = 0, it is important to understand

the overall algorithm for the Digital Signature Algorithm (DSA).

Under this approach, as described by Stallings (2017), the sender uses a hash code “as input
to a signature function along with a random number k generated for this particular signature. The
signature also depends on the sender’s private key and a global public key. The result is a signature
consisting of two components, s and r.”

The receiver then inputs the hash code and the signature on a verification function which
depends on a global public key as well as the sender’s public key. The output of the verification
function will be equal to r if the signature is valid.

Below are all the components involved on the DSA approach, as described by the National
Institute of Standards and Technology (2000).

p is a prime modulus, where 2^{L-1} < p < 2^L, and L is the bit length of p.

q is a prime divisor of (p - 1), where 2^{N-1} < q < 2^N, and N is the bit length of q.

g is a generator of a subgroup of order q in the multiplicative group of GF(p), such that 1 < g <
p.

x is the private key that must remain secret; x is a randomly or pseudorandomly generated
integer, such that 0 < x < q.

k is a secret number that is unique to each message and is randomly or pseudorandomly

generated integer, such that 0 < k < q.

r is described by the equation (g^k mod p) mod q.

s is described by the equation [k^(−1) (H(M)+xr)] mod q.

A value of s = 0 reveals the private key x as the signature equation can then be solved for x:

S=0

 0 = [k^(−1) (H(M)+xr)] mod q 

 x = [−H(M)/r] mod q
 M and r can be obtained from the data being sent, via a man-in-the-middle attack. q is a part
of the global public key, and therefore it is known. It eliminates the need to know value k in order to
find out the sender’s private key. Mathematically, it becomes very easy to find out x, the sender’s
private key, and therefore the signature becomes compromised. An opponent can now use this
signature to send a modified message, with the sender’s private key.

Task 5 - One local area network vendor provides a key distribution facility, as illustrated in figure 1.
i) Describe the scheme.

Step (1) - Initially, A sends a connection request to B, which contains its own identifier (IDa)
and a nonce (Na) encrypted with a key that A shares with the Key Distribution Center (Ka).

Step (2) - To accept this connection request, B sends another request to the KDC for a shared
session key (Ks). This request includes A's identifier, A’s nonce encrypted with A’s shared KDC key (Ka),
along with B's identifier (IDb), B’s nonce (Nb) encrypted with B’s shared KDC key (Kb).

Step (3) - The KDC will then fulfil this request by returning two separate encrypted blocks to
B. One block is to be utilized by B and includes the session key (Ks), A's identifier(IDa), and B's nonce
(Nb).

Step (4) - The other block is to be utilized by A and passed from the KDC to B as an
intermediary, which will then send it to A. This block includes the session key (Ks), B's identifier(IDb),
and A's nonce (Na).

At the end of these steps, both A and B have the session key and each other’s nonces, ensuring
authenticity.

ii) Compare this scheme to that of figure 2. What are the pros and cons?

To analyse the strength of any cryptographic system, the most important thing is the key
distribution scheme, as this is the main way of authenticating the entities involved in communication.
The key should be protected from being seen by others than the parties involved.

Figure 2’s scheme consists of the following steps and assumptions.

A and B each share a master key with the KDC (Ka and Kb), and A wants to establish a
connection with B.

Step (1) – The initiator A sends its own identifier (IDa), the responder’s identifier (IDb) and its
own nonce (N1) to the KDC in order to get the session key.
 Step (2) – the KDC sends a message to A encrypted with master key Ka known only to A, which
includes the session key (Ks), the original request message consisting of IDa, IDb, and N1, so that A can
match this to the request it initiated from.

An advantage of including this information is that A can verify that the request was not altered
while in transit, and that it is not a replay of a previous request (Stallings, 2017).

In the same message, the KDC also sends the session key and an identifier for A encrypted
with Kb. This is meant to be sent from A to B in order to authenticate A and establish the connection.

Step (3) – A sends the second half of the message from the KDC encrypted with Kb to B.

Step (4) – B sends a message to A encrypted with Ks which includes its own nonce (N2).

Step (5) – A responds to B with another message encrypted using Ks performing a

transformation on B’s nonce (f(N2)).

Steps 4 and 5 are additional authentication steps, so that this is not only a key distribution
scheme, but it also includes an authentication function of the parties involved in the communication.

Both schemes have the same degree of security, in the sense that both of them provide
authentication and effective key distribution. The advantage of having the scheme in figure 1 is that
there are less overhead costs in the case that B rejects the connection request from A, as there will be
no interaction with the KDC.

Task 6 - With the aid of a diagram, describe the main steps of creating Public-Key certificate and
how a certificate could be used to verify a user’s public key.

As per Stallings (2017), a public key certificate “consists of a public key, an identifier of the key
owner, and the whole block is then signed by a trusted third party.”

To get this signed by the trusted authority, anyone wanting to obtain a certificate will submit
their public key to them. After being signed, the certificate can then be published.

The process of creating a certificate is described on the following diagram:

 After submitting the public key (PUa), A will then receive a certificate (Ca) containing
E(PRauth, [T, IDa, PUa]). PRauth is the private key used by the certificate authority (CA), T is a
timestamp, and IDa is A’s unique identifier.

Anyone who receives the certificate can verify the sender’s identity by applying the decryption
function D(PUauth, CA). This will result in T, IDa, PUa, and thus the sender’s public key is verified.

Task 7 – Why do A and B believe they share K’AB with each other, and why do they believe K’AB is
fresh?

A believes that she shares K'AB with B since her nonce (Na) is returned in the second message,
encrypted with a key only her and B would know.

B believes that he shares K'AB with A since Na was encrypted using K’AB on the third message,
which he received. Na could only have been obtained from the second message by a person who
knows K’AB.

A believes that K'AB is fresh since it is sent with NA on the second message, which signifies
that this was constructed after the first message.

B believes that K'AB is fresh since he generated K’AB.

Bibliography
Sanchis, L. (2018) Instructions for using simplified DES. Available at:
http://homepages.gac.edu/~holte/courses/mcs150-J01/documents/DESinstructions.html [Accessed
29th December 2018]
Stallings, W. (2017) Cryptography and Network Security, Principles and Practice. 7th edition. Harlow:
Pearson.
Techopedia (2018) Man-in-the-Middle Attack (MITM) Available at
https://www.techopedia.com/definition/4018/man-in-the-middle-attack-mitm [Accessed 30th
December 2018]
U.S. Department of Commerce/ National Institute of Standards and Technology (2000), DIGITAL
SIGNATURE STANDARD (DSS) Available at
https://en.wikisource.org/wiki/Digital_Signature_Standard_(DSS), as original website
https://csrc.nist.gov/publications/detail/fips/186/2/archive/2001-10-05 closed for lack of
government funding [Accessed 1st January 2019]