Computer Security Homework 3: Solutions and

Explanations
This report provides solutions and detailed explanations for Homework 3, which covers
authentication mechanisms, digital signatures, email security, and web security concepts. The
assignment tests understanding of specific protocols like Kerberos, DSA, PGP, and SSL, along
with implementation aspects of security mechanisms.

Authentication Applications: Kerberos v4

Question 1 Solution
(a) Why must the Authenticator be sent in message (3) instead of just Tickettgs?
The Authenticator must be sent along with the Tickettgs because the Tickettgs alone doesn't
prove that the current user is the same entity to whom the ticket was originally issued. The
Tickettgs is encrypted with the TGS's secret key and contains the client's identity, network
address, and session key. However, since this ticket can be reused within its validity period, an
attacker could potentially steal and replay it [1] .
The Authenticator, which is generated by the client and encrypted with the session key from the
Tickettgs, contains the client's ID and a timestamp. This proves that the current sender
possesses the session key and is generating the message now, not replaying an old message. It
effectively prevents replay attacks by binding the ticket to the current user session [1] .
(b) Why is ADC included in Tickettgs?
The Address (ADC) is included in the Tickettgs to bind the ticket to a specific client network
address. This is a critical security feature that prevents ticket theft. If an attacker somehow
obtained the ticket but is operating from a different network address, they would not be able to
use it successfully because the server verifies that the client's actual network address matches
the ADC embedded in the ticket [1] .
This address binding ensures that even if authentication credentials are compromised, they
cannot be used from unauthorized locations, adding a layer of security based on network
topology [1] .
(c) Will the user need to enter their password twice for two different servers in the same
login session?
NO. The user will not need to enter their password twice.
In Kerberos v4, once a user authenticates initially (by entering their password), they receive a
Ticket Granting Ticket (TGT) from the Authentication Server. This TGT can then be used to
request multiple service tickets for different servers without re-entering the password. The user
only needs to authenticate once per session, and the TGT enables them to request service
tickets for both the file server and database server without re-authentication [1] .
This single sign-on capability is one of the primary advantages of Kerberos, allowing secure
access to multiple services while minimizing the number of times users must enter their
credentials [1] .

Digital Signature Algorithm (DSA)

Question 2 Solution
The question asks us to show how a cryptanalyst (BG) would exploit the reuse of the same k
value in DSA to forge signatures.
Given information:
q = 11
First message: H(M1) = 7, s1 = 2
Second message: H(M2) = 1, s2 = 4
Target message to forge: H(M3) = 5
When the same k value is used for two different signatures, we can derive:
s1k = [H(M1) + xr1] mod q
s2k = [H(M2) + xr2] mod q
Since r1 = r2 (as r only depends on k, not the message), we can solve for k:
s1k - s2k = [H(M1) - H(M2)] mod q
k(s1 - s2) = [H(M1) - H(M2)] mod q
k = [(H(M1) - H(M2)) * (s1 - s2)^(-1)] mod q
Calculating:
s1 - s2 = 2 - 4 = -2 mod 11 = 9
(s1 - s2)^(-1) mod 11 = 9^(-1) mod 11 = 5 (since 9 × 5 = 45 = 1 mod 11)
H(M1) - H(M2) = 7 - 1 = 6
Therefore:
k = [6 × 5] mod 11 = 30 mod 11 = 8
Once k is known, we can calculate xr:
xr = [s1k - H(M1)] mod q
xr = [2 × 8 - 7] mod 11 = 16 - 7 = 9 mod 11
Now for the forged signature of M3:
s3k = [H(M3) + xr] mod q
s3 × 8 = [5 + 9] mod 11
s3 × 8 = 14 mod 11 = 3
s3 = [3 × 8^(-1)] mod 11
Finding 8^(-1) mod 11:
Since 8 × 7 = 56 = 1 mod 11, 8^(-1) = 7
Therefore:
s3 = [3 × 7] mod 11 = 21 mod 11 = 10
The s3 part of the forged signature for H(M3) = 5 would be 10 [1] .

Security Protocols and Applications

Question 3 Solutions
(a) Password interception with SSL
NO. The bad guy will not be able to figure out your password.
When SSL/TLS is properly implemented, the handshake protocol establishes a secure encrypted
channel before any data (including passwords) is transmitted. After the SSL handshake
completes, all communication between your browser and the bank's website is encrypted using
the negotiated session keys. This means that even if an attacker is eavesdropping on the
network traffic, they would only see encrypted data, not the plaintext password [1] .
The encryption provided by SSL/TLS is designed specifically to protect sensitive data like
passwords from interception attacks. Even if the attacker captures the encrypted network
traffic, they cannot decrypt it without the session keys, which are securely exchanged during
the handshake process [1] .
(b) Compression before or after signatures
Compression should be done before signatures rather than after signatures for several important
reasons:
1. Efficiency: Compressing the data first reduces the size of the data that needs to be signed,
making the signature process faster.
2. Signature verification: If compression is done after signing, the recipient would need to
decompress the data before verifying the signature, adding complexity to the verification
process.
3. Security: Signing compressed data ensures that the signature covers the exact data that
will be used by the recipient, maintaining data integrity through the entire process [1] .
4. Compatibility: Following a standard order (compress-then-sign) ensures interoperability
between different implementations of the same protocol.
(c) PGP certificates vs. X.509 scheme
Advantages of PGP web-of-trust:
Decentralized trust model without requiring centralized certificate authorities
More flexible and user-controlled trust relationships
 Lower cost as it doesn't require payment to certificate authorities
Can function effectively in environments without formal hierarchical structure [1]
Disadvantages of PGP web-of-trust:
Harder to scale to large organizations or the general internet
Requires more user involvement in trust decisions
Less standardized than X.509, leading to potential interoperability issues
Limited revocation mechanisms compared to X.509's certificate revocation lists [1]
(d) SSL protection against replay attacks
SSL counters replay attacks through several mechanisms:
1. Use of random nonces: Both client and server generate random values during the
handshake.
2. Session identifiers: Each connection has a unique session ID.
3. Sequence numbers: SSL/TLS maintains sequence numbers for all records sent and
received.
4. MAC (Message Authentication Code): Each message includes a MAC that incorporates
sequence numbers.
These combined mechanisms ensure that replayed handshake messages from previous sessions
cannot be used to establish a new session or hijack an existing one. Even if an attacker captures
handshake messages, they cannot successfully replay them because the random values and
sequence numbers would not match what the server expects for a new legitimate session [1] .
(e) Time stamps vs. nonces in preventing replay attacks
Advantage of time stamps over nonces:
Time stamps don't require maintaining state - the recipient simply compares the timestamp
with the current time to determine if the message is recent, reducing memory overhead and
implementation complexity [1] .
Advantage of nonces over time stamps:
Nonces don't require synchronized clocks between communicating parties. Clock
synchronization can be difficult to maintain across different systems, especially in
distributed environments, making nonces more reliable in such scenarios [1] .

Error-Correcting Codes and Encryption

Question 4 Solutions
(a) Error detection with DES encryption
i. YES
ii. When a single bit error occurs in the ciphertext C, resulting in C', B will likely detect the error.
This is because DES (like most block ciphers) has an avalanche effect - a single bit change in the
ciphertext will result in approximately half the bits changing in the decrypted plaintext. When B
decrypts C' using DK, the result will be F(M)' which will have multiple bit errors, not just one. The
error-correcting code F is designed to detect and correct only single bit errors. When faced with
multiple bit errors in F(M)', the majority rule used in the error correction scheme will likely fail,
producing patterns that don't follow the expected structure of F(M), thus alerting B that an error
has occurred [1] .
(b) Message recovery with DES encryption and error correction
i. NO
ii. B will not be able to recover the original message M because a single bit error in the ciphertext
C causes multiple bit errors in the decrypted F(M)' due to the avalanche effect of DES. The
error-correcting code is designed to correct only single bit errors. When multiple bits are
corrupted in F(M)', the majority rule fails to correctly reconstruct the original F(M). Since each bit
of F(M) consists of three identical bits in the original coding scheme, if two or more of these bits
are flipped, the majority rule will lead to incorrect decoding. As a result, B cannot recover the
original message M from the corrupted F(M)' [1] .

DSA Implementation Programming Problem

Implementation Guidance
For the DSA implementation programming problem, you need to create a program that performs
the following steps:
1. Calculate g and y based on input parameters p, q, h, x
g = h^((p-1)/q) mod p
y = g^x mod p
2. Calculate the signature (r, s) for H(M1):
r = (g^k mod p) mod q
s = [k^(-1) * (H(M1) + x*r)] mod q
3. Verify the signature for H(M1) by calculating:
w = s^(-1) mod q
u1 = [H(M1) * w] mod q
u2 = [r * w] mod q
v = [(g^u1 * y^u2) mod p] mod q
 Check if v = r
4. Test signature verification with H(M2) to ensure that the same signature does not verify for a
different message [1] .
The program should be tested with three different inputs as specified in the assignment:
The example from class: p = 7, q = 3, h = 3, x = 2, k = 1, H(M1) = 3, H(M2) = 4
The specified values: p = 103, q = 17, h = 13, x = 9, k = 6, H(M1) = 3, H(M2) = 7
A third set of values with larger numbers that you generate yourself
Here's a pseudocode outline for the implementation:

function DSA_Implementation(p, q, h, x, k, H_M1, H_M2):

// Step 1: Calculate g and y
g = h^((p-1)/q) mod p
y = g^x mod p
print("g =", g)
print("y =", y)

// Step 2: Calculate signature for H(M1)

r = (g^k mod p) mod q
k_inverse = calculate_modular_inverse(k, q)
s = (k_inverse * (H_M1 + x*r)) mod q
print("r =", r)
print("s =", s)

// Step 3: Verify signature for H(M1)

w = calculate_modular_inverse(s, q)
u1 = (H_M1 * w) mod q
u2 = (r * w) mod q
v = ((g^u1 * y^u2) mod p) mod q
print("w =", w)
print("u1 =", u1)
print("u2 =", u2)
print("v =", v)
print("v == r?", v == r)

// Step 4: Verify signature does not work for H(M2)

w = calculate_modular_inverse(s, q)
u1 = (H_M2 * w) mod q
u2 = (r * w) mod q
v = ((g^u1 * y^u2) mod p) mod q
print("w =", w)
print("u1 =", u1)
print("u2 =", u2)
print("v =", v)
print("v == r?", v == r)

function calculate_modular_inverse(a, m):

// Implementation of Extended Euclidean Algorithm
// to find modular multiplicative inverse
Understanding Recursion
While not directly part of the homework questions, the search results also contained information
about recursion, which is a fundamental concept in computer science and programming.
Recursion refers to a function that calls itself to solve smaller instances of the same problem.

Key Concepts in Recursion:

1. Self-Similarity: Recursive problems contain smaller versions of the same problem. For
example, calculating factorial: 5! = 5 × 4!, where 4! is a smaller version of the same
problem [2] .
2. Base Case: Every recursive function needs a termination condition to prevent infinite
recursion. For factorial, the base case is 0! = 1 [2] .
3. Recursive Case: The part where the function calls itself with a smaller input. For factorial: n!
= n × (n-1)! [2] .
A practical example from the search results is a function to remove a specific letter from a list:

function removeFromList(list, letterToRemove) {

if (list is empty)
return list;
else if (first item of list == letterToRemove)
return removeFromList(rest of list, letterToRemove);
else
return (first item + removeFromList(rest of list, letterToRemove));
}

This function handles three cases:

Empty list (base case)
First element matches the letter to remove
First element doesn't match the letter to remove [2]
Another practical example is listing files in a directory recursively - for each subdirectory
encountered, the same function is called to list its contents [2] .

Password Security in Web Applications

The search results also mentioned a question about password hashing before transmission in
web applications:
When implementing login functionality:
1. Transport Layer Security: HTTPS already encrypts all data (including passwords) during
transmission, protecting against network eavesdropping [3] .
2. Application-Level Security: While HTTPS provides transport security, hashing passwords
client-side before sending can provide additional protection, though it's not a replacement
for proper server-side hashing [3] .
 3. Potential Misunderstanding: If both client and server use only hashing (not properly
salted), then the hash effectively becomes the password. An attacker who captures the
hash could replay it without knowing the original password [3] .
4. Best Practice: Use HTTPS for transport security, implement proper server-side password
hashing with bcrypt (as mentioned in the question), and consider additional application-level
encryption if specific threat models require it [3] .

Conclusion
This report has covered solutions and explanations for the homework assignment on computer
security topics including Kerberos, DSA, SSL/TLS, PGP, and error correction codes with
encryption. The explanations provided should help in understanding not only how to solve these
specific problems but also the underlying security concepts and their practical applications.
When implementing security protocols and mechanisms, it's important to understand both the
theoretical foundations and the practical implications of different design choices. Security often
involves tradeoffs between various properties like efficiency, usability, and different security
guarantees.
For the programming assignment, careful attention to the mathematical details of DSA is
essential for correct implementation, particularly when handling modular arithmetic operations
like modular inverse calculations.
⁂

1. https://ppl-ai-file-upload.s3.amazonaws.com/web/direct-files/51510358/3a86becd-6da2-45c8-8f41-5
8eab7963225/hw3.pdf
2. https://www.reddit.com/r/learnprogramming/comments/1gu46xo/cant_understand_recursion/
3. https://www.reddit.com/r/cybersecurity/comments/1bytmb0/hash_password_before_send/