SENG6250 System and Network Security
School of Information and Physical Sciences
Semester 2, 2022
Assignment 2 (100 marks, 20%) - Due: 25 September, 23:59
Aims
This assignment aims to establish a basic familiarity with secure authentication and system security
via analysing, demonstrating, and designing solutions.
Questions
1. Key Management (15 marks)
Consider the following variant of the Diffie-Hellman key exchange protocol.
� → �: �!!"! (��� �)
� → �: �"", ���!"(�"") (��� �)
A computes the shared key: �#$ = (�"")!!"! (��� �)
B computes the shared key: �$# = (�!!"!)"" (��� �)
Notations
�, � Identity of users A and B, respectively.
� A large and safe prime number.
� A generator of the underlying multiplicative cyclic group of order �.
�# A random number selected by user A for one session; it is never reused.
�#, �$ Long-term private keys of users A and B, respectively.
�!!, �!" Long-term public keys of users A and B, respectively; they are already
known to each other.
i) Does the above protocol provide perfect forward secrecy? Justify your answer.
(5 marks)
ii) Does the above protocol provide implicit or explicit key authentication? Justify your
answer. (10 marks)
An answer without justification may receive zero marks.
2. Hash Chain (20 marks)
Alice designed a hash-chain-based authentication protocol as follows.
Step 1: The authentication server (i.e., verifier) chooses a cryptographic hash function
ℎ:{0,1}∗ → {0,1}ℓ and releases it to the public.
Step 2: A user chooses a random seed � ∈ {0,1}∗ and applies the hash function � times to �,
such that
�' = ℎ(�), �( = ℎ(�'), … , �) = ℎ(�)*')
Step 3: The user securely (suppose attack-free) sends �', … , �) to the server.
Step 4: Both the user and the server store �', … , �).
Step 5: In the �th authentication, the user interacts with the server as follows.
User → Server: �(�+; �+*', �,, �), �,, �
Server: retrieves the session key �+ (i.e., H-) from the database. Note that the server
does not check whether � was used or not. If �+ does not exist, then the
authentication fails. Otherwise, the server decrypts the ciphertext and obtains �+*'′, �,′, �′.
The user is authenticated if the following equations hold:
�+ = ℎ(�+*'), �, = �,′, � = �′
The server will not remove �+ after a successful authentication.
Notations
� – the index of the session key;
�(�; �) – a secure symmetric-key encryption with encryption key � for message �;
�+ – the �th session key that �+ = �+;
�, – a user-selected nonce.
Alice claims that the above authentication protocol provides:
• Replay attack resistance.
• Forward security. (This is not perfect forward secrecy; see below.)
Forward security: If a session key is compromised, previous (uncompromised) sessions
remain secure, even if the adversary has captured all previous messages.
For example, assume �! and �" are session keys used in sessions �! and �", respectively.
Assume �" happened later than �!. If �" was compromised, the authentication messages
encrypted by using �! remain secure.
Your task: Analyse if this authentication protocol achieves the security requirements:
1) Replay attack resistance. (10 marks)
2) Forward security. (10 marks)
If yes, justify your answer; otherwise, modify the protocol so that it satisfies the security
requirements.
3. Two-Factor Authentication Protocol Analysis (20 marks)
Multi-factor user authentication mechanisms require a user to possess multiple
authentication factors, such as a knowledge factor (“something the user knows”), a possession
factor (“something the user has”), and an inherence factor (“something the user is”), in order
to log in to a computer system. One commonly used two-factor user authentication mechanism
is based on a smart card (something the user has) and a password (something the user knows).
Such a mechanism should ensure that an adversary cannot pass the authentication even if
he/she has obtained one of the two authentication factors. Consider the following two-factor
authentication protocol:
User Setup. Let � denote a 128-bit secret key of a remote web server, and ℎ(⋅) a secure
cryptographic hash function. Each legitimate client � with identity ��/ shares a 6-digit
password ��� with the server. In addition, � has a smart-card issued by the server, which has
the information (��/, �, �, �) stored in the Read Only Memory (ROM) of the card, where
� = ℎ(���) ⊕ ℎ(�||��/), � is a large prime number, � is a generator of ℤ0∗, and || denotes
concatenation of two bit-strings.
User Login.
1. In order to log in to the server, the client first attaches the smart-card to a card reader which
is connected to a computer, and then types in the password ���. The computer retrieves
the values of (��/, �, �, �) from the smart-card via the card reader, and computes
� = � ⊕ ℎ(���).
After that, the computer chooses a random number � ∈ {1, … , � − 1} and computes
�/ = �, ��� �,
and sends a login request (��/, �/) to the remote server.
2. Upon receiving the request, the web server first checks if ��/ belongs to a legitimate
client. If the server cannot find ��/ in the database, then the request is rejected.
Otherwise, the server chooses a random number � ∈ {1, … , � − 1}, computes
�1 = �2 ��� �, � = �/2 ��� �, �′ = ℎ(�||��/), and �1 = ℎ(�′, �/, �1, �).
The server sends (�1, �1) to the client.
3. After receiving (�1, �1) from the server, the client’s computer computes
�′ = �1, ��� �, �1′ = ℎ(�, �/, �1, �′),
and verifies if �1′ = �1. If the equation holds, then the server is authenticated. The client’s
computer generates �/ = ℎ(�, �1, �/, �′) and sends �/ to the web server.
4. The web server computes �/′ = ℎ(�′, �1, �/, �) and verifies if �/′ = �/. If the equation
holds, then the client is authenticated; otherwise, the client authentication fails. If the
client has three consecutive authentication failures, then the client’s account will be
locked by the web server, and the client needs to contact the administrator in order to
unlock the account.
Your Task: Analyse the above authentication protocol. Does the protocol achieve two-factor
user authentication? If your answer is yes, justify your answer by giving a security analysis of
the protocol; otherwise, if your answer is no, show an attack against the protocol. When doing
the analysis, consider the situation in which one of the two authentication factors is compromised
and known by the adversary.
• Does the protocol achieve two-factor user authentication, i.e., is it secure? (5 marks)
• Justify your answer. (15 marks)
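To make the message flow concrete before analysing it, here is an added simulation of the setup and the four login steps; it is not part of the assignment and is not code from the course. Because the original symbols were lost in extraction, the names used here (K for the server key, PW for the password, V for the card value, x for the recovered ℎ(K||ID), a and b for the random exponents, Y_C and Y_S for the two Diffie-Hellman values, Z for the shared value, A_S and A_C for the two authenticators) and the argument order of ℎ are this example's reading of the text. The group parameters are toy values for illustration only, the tuple-hash encoding is the example's own, and the three-failure lockout is implemented as stated in Step 4.

```python
import hashlib
import secrets

# Toy Diffie-Hellman group, an assumption of this example and NOT a secure
# choice: p = 2^127 - 1 (a Mersenne prime), g = 2.
P = 2**127 - 1
G = 2


def h(*parts) -> bytes:
    """h(.) applied to a tuple: SHA-256 over length-prefixed fields (example's encoding)."""
    m = hashlib.sha256()
    for part in parts:
        if isinstance(part, int):
            part = part.to_bytes(16, "big")       # all group elements fit in 16 bytes
        m.update(len(part).to_bytes(4, "big"))
        m.update(part)
    return m.digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    def __init__(self):
        self.K = secrets.token_bytes(16)   # 128-bit server secret key
        self.failures = {}                 # ID -> consecutive failures
        self.locked = set()
        self.pending = {}                  # ID -> (Y_C, Y_S, Z, x') for an open login

    def issue_card(self, ident: bytes, pw: bytes) -> dict:
        """User Setup: V = h(PW) xor h(K || ID); the card holds (ID, V, p, g)."""
        V = xor(h(pw), h(self.K + ident))
        self.failures[ident] = 0
        return {"ID": ident, "V": V, "p": P, "g": G}

    def step2(self, ident: bytes, Y_C: int):
        if ident not in self.failures or ident in self.locked:
            return None                          # unknown or locked ID: reject
        b = secrets.randbelow(P - 1) + 1         # b in {1, ..., p-1}
        Y_S = pow(G, b, P)
        Z = pow(Y_C, b, P)
        x_prime = h(self.K + ident)
        A_S = h(x_prime, Y_C, Y_S, Z)
        self.pending[ident] = (Y_C, Y_S, Z, x_prime)
        return Y_S, A_S

    def step4(self, ident: bytes, A_C: bytes) -> bool:
        state = self.pending.pop(ident, None)
        if state is None:
            return False
        Y_C, Y_S, Z, x_prime = state
        if A_C == h(x_prime, Y_S, Y_C, Z):
            self.failures[ident] = 0
            return True
        self.failures[ident] += 1
        if self.failures[ident] >= 3:            # lock after three consecutive failures
            self.locked.add(ident)
        return False


class Client:
    def __init__(self, card: dict, pw: bytes):
        self.card = card
        self.x = xor(card["V"], h(pw))           # Step 1: x = V xor h(PW)

    def step1(self):
        p, g = self.card["p"], self.card["g"]
        self.a = secrets.randbelow(p - 1) + 1    # a in {1, ..., p-1}
        self.Y_C = pow(g, self.a, p)
        return self.card["ID"], self.Y_C

    def step3(self, Y_S: int, A_S: bytes):
        Z_prime = pow(Y_S, self.a, self.card["p"])
        if h(self.x, self.Y_C, Y_S, Z_prime) != A_S:
            return None                          # server not authenticated: abort
        return h(self.x, Y_S, self.Y_C, Z_prime)  # A_C


def run_login(server: Server, card: dict, pw: bytes):
    """Returns (server authenticated by client, client authenticated by server)."""
    client = Client(card, pw)
    ident, Y_C = client.step1()
    reply = server.step2(ident, Y_C)
    if reply is None:
        return (False, False)
    A_C = client.step3(*reply)
    if A_C is None:
        server.pending.pop(ident, None)
        return (False, False)
    return (True, server.step4(ident, A_C))


if __name__ == "__main__":
    srv = Server()
    card = srv.issue_card(b"alice", b"123456")   # constructed sample user
    print(run_login(srv, card, b"123456"))
```

With the right card and password both checks pass; with a wrong password the client's own check in Step 3 already fails, and three failed Step 4 verifications lock the identity so that Step 2 rejects it.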
4. Multilevel Security (20 marks)
Given the following access control matrix and security labels, answer the questions to find the
capabilities of subjects.
O1 O2 O3 O4
A w r rw r
B rw - - w
C - w rw rw
D r r w w
Access control matrix: Subjects (A, B, C, D); Objects (O1, O2, O3, O4);
r: read; w: write; -: no permission.
Clearances of subjects: Top-Secret > Secret > Confidential > Unclassified.
Classifications of objects: Top-Secret > Secret > Confidential > Unclassified.
i) Applying the BLP model, fill out the following table to specify the readable and writable
objects of each subject. (10 marks)
Readable Objects Writable Objects
A
B
C
D
ii) Applying the Biba model, fill out the following table to specify the readable and writable objects
of each subject. (10 marks)
Readable Objects Writable Objects
A
B
C
D
Subject Security Label
A Top-Secret
B Secret
C Secret
D Confidential
Object Security Label
O1 Top-Secret
O2 Secret
O3 Secret
O4 Unclassified
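As an added illustration of the two rule sets (not part of the assignment), the block below encodes the matrix and labels above and evaluates, for each subject, which of its ACM permissions survive under BLP (simple security: no read up; *-property: no write down) and under Biba (simple integrity: no read down; integrity *-property: no write up). Two readings are assumptions of the example: an access is listed only if both the matrix grants it and the model allows it, and for Biba the same labels are reused as integrity levels with the same ordering, since the question gives a single label per subject and object.

```python
LEVELS = {"Unclassified": 0, "Confidential": 1, "Secret": 2, "Top-Secret": 3}

# Access control matrix and labels as given in the question.
ACM = {
    "A": {"O1": "w", "O2": "r", "O3": "rw", "O4": "r"},
    "B": {"O1": "rw", "O2": "-", "O3": "-", "O4": "w"},
    "C": {"O1": "-", "O2": "w", "O3": "rw", "O4": "rw"},
    "D": {"O1": "r", "O2": "r", "O3": "w", "O4": "w"},
}
SUBJECT_LABEL = {"A": "Top-Secret", "B": "Secret", "C": "Secret", "D": "Confidential"}
OBJECT_LABEL = {"O1": "Top-Secret", "O2": "Secret", "O3": "Secret", "O4": "Unclassified"}


def blp_allows(op: str, subj: int, obj: int) -> bool:
    """BLP: read only at or below the subject's level, write only at or above it."""
    return subj >= obj if op == "r" else subj <= obj


def biba_allows(op: str, subj: int, obj: int) -> bool:
    """Biba: read only at or above the subject's level, write only at or below it."""
    return subj <= obj if op == "r" else subj >= obj


RULES = {"BLP": blp_allows, "Biba": biba_allows}


def capabilities(model: str, acm=ACM, subj_label=SUBJECT_LABEL, obj_label=OBJECT_LABEL):
    """Map each subject to (readable objects, writable objects): an access must be
    granted by the matrix AND permitted by the model's label comparison (assumption)."""
    rule = RULES[model]
    result = {}
    for subject, row in acm.items():
        readable, writable = [], []
        for obj, perm in row.items():
            s_level, o_level = LEVELS[subj_label[subject]], LEVELS[obj_label[obj]]
            if "r" in perm and rule("r", s_level, o_level):
                readable.append(obj)
            if "w" in perm and rule("w", s_level, o_level):
                writable.append(obj)
        result[subject] = (readable, writable)
    return result


def render(model: str) -> str:
    """Plain-text table in the layout the question asks for."""
    lines = [f"{model}: Readable Objects | Writable Objects"]
    for subject, (readable, writable) in capabilities(model).items():
        lines.append(f"{subject}: {', '.join(readable) or '-'} | {', '.join(writable) or '-'}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render("BLP"))
    print(render("Biba"))
```

Swapping the comparison direction between the two rule functions is the whole difference between the models, which is why the same matrix yields near-mirror-image tables.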
5. Secure System Design (25 marks)
A private membership club provides facilities, such as restaurants and massage services,
exclusively to its members. Each facility is operated by a different business owner, who is
paid by the owner of the club; the club owner in turn collects membership fees from the
members. Hence, these facilities admit only club members and provide their services to them
alone.
To provide this benefit to the members, the club issues a membership card that is used to
identify each member's identity. Meanwhile, the facilities are also expected to prevent
sensitive customer information from being exposed to the facility operators (business owners).
A club member may hold different roles when using different facilities. The club server
grants the appropriate permissions and informs the facility provider. Each such role is held by
many club members.
System architecture is as follows.
System requirement: provide secure user authentication and authorisation between a
member and the club server.
Security requirements are as follows.
• Provide secure user authentication.
• Provide perfect forward secrecy.
• Withstand replay, DoS, man-in-the-middle, and eavesdropping attacks.
System limitations are as follows:
• A membership card CAN store some secret values for authentication purposes, while
it CANNOT be connected to the Internet at any time.
• During authentication, a membership card is the only input from the user side. For
example, a user cannot type any characters or digits.
• Business owners (other than the club) are NOT trusted by either the client or the club.
They might be (insider) adversaries.
• The network connection between the business owner and the club server is through
the public (insecure) network.
Your Task: Design a system that achieves the system and security requirements.
a. In order to establish secure communication, there are three phases: user authentication,
authorization, and key establishment. In what order should these three phases be
conducted? (2.5 marks)
b. What kind of information should be stored on a membership card for authentication?
(2.5 marks)
c. Design (as a brief description) a security mechanism for the key establishment and user
authentication phases. The design should satisfy each security requirement that applies to
these phases. Justify your answers. (15 marks)
d. For user authorization, we may consider the access control models such as ACM, BLP, Biba
and RBAC (role-based access control). Which one of the access control models would be
better in this scenario? Why? (5 marks)
Submission
All assignments must be submitted via Canvas. If you submit more than once, then only the latest will
be graded. Your submission should be a PDF file that contains answers to all questions.
The mark for an assessment item submitted after the designated time on the due date, without an
approved extension of time, will be reduced by 10% of the possible maximum mark for that
assessment item for each day or part day that the assessment item is late. Note: this applies equally
to week and weekend days.
Plagiarism
A plagiarized assignment will receive ZERO marks (and be penalized according to the university rules).