Assignment 2
Please read the general instructions for hand-in assignments. Note in particular:
- Read the questions carefully and make sure you understand them.
- Always motivate your answers, and account for any calculations. (Answers without motivation receive no score, except for trivial matters.)
- Describe all assumptions you make. (If the question is unclear, you can make reasonable assumptions for your solutions.)
- If you use sources other than the course book ("Computer Security" by Dieter Gollmann), you must give clear references to these sources (book title and author, URL, etc).
The deadline for this assignment is Wednesday September 27, 2006, 8:30 (am).
If you find a question unclear, please ask Björn for clarification (in good time), and check this space for such clarifications!
Clarifications:
- Question 1: describe technical situations/systems (preferably computer systems).
- Typical structure of an answer:
  - A: [a clear system description]: the property X is required because [good motivation], while the property Y is not required since [good motivation]
  - B: [another system]: the property Y is required... but the property Z is not...
  - C: [a third system]: ... Z...X...
- Question 2: please also include b in your answer.
Which security? [3p]
Consider the security properties Confidentiality, Integrity, Availability, Accountability, and Authenticity.
Give three examples of technical (computer) situations/systems (A, B, C) where:
- "good security" would require one of the properties to hold in one of the situations (e.g. A), but not in another (e.g. C)
- all three require at least one of the properties above
- Explain what the properties you use mean.
Don't forget to motivate and explain your answers clearly.
Salt or gravel in the machinery? [3p]
Searching Google for "password salt", the second hit on the list is currently the page "Storing Passwords - done right!" (http://www.aspheute.com/english/20040105.asp).
- Explain what type of offline password cracking attack is made more difficult by using "salted hash" passwords (compared to "plain hash" passwords)
- Explain what type of offline password cracking attack is not made more difficult by using "salted hash" passwords
- Find (at least) one serious (but simple) security flaw in the code on the web page, explain the problem, and show how to correct it. (Don't consider the debug printout of the password in clear.)
Don't forget to motivate and explain your answers clearly.
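As an added illustration (this is not the code from the web page referred to in the question), the following shows what a per-user random salt changes for an attacker who has obtained the stored hashes: a table of hashes precomputed once over a word list can be compared against every user of a plain-hash database by lookup alone, whereas with salting no such table is reusable, although the cost of guessing one account's password does not change. The user names, passwords and word list are constructed sample data.

```python
import hashlib
import hmac
import os

def plain_hash(password: str) -> str:
    """Stored value in a 'plain hash' scheme: one deterministic digest per password."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_store(password: str, salt=None) -> str:
    """Stored value in a 'salted hash' scheme: 16 random bytes per user, kept
    next to the digest as 'salt$hash' so verification can repeat the computation."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt.hex() + "$" + digest

def salted_verify(stored: str, attempt: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    cand = hashlib.sha256(bytes.fromhex(salt_hex) + attempt.encode()).hexdigest()
    return hmac.compare_digest(cand, digest)   # constant-time comparison

# Constructed word list; the table is computed once and could be reused against
# any plain-hash database, which is the attack salting is meant to defeat.
WORDLIST = ["letmein", "password", "hunter2"]
PRECOMPUTED = {plain_hash(w): w for w in WORDLIST}

def table_hits(stored_digests: list) -> list:
    """Passwords recovered from stored digests by pure table lookup (no hashing)."""
    return [PRECOMPUTED[h] for h in stored_digests if h in PRECOMPUTED]

def demo() -> tuple:
    users = {"alice": "hunter2", "bob": "hunter2"}        # constructed: same password twice
    plain_db = [plain_hash(p) for p in users.values()]
    salted_db = [salted_store(p) for p in users.values()]
    salted_digests = [s.split("$", 1)[1] for s in salted_db]
    # plain: both users fall to one lookup and identical passwords are visible;
    # salted: nothing is in the table and the two stored values differ.
    # (A per-account dictionary attack still works: hash each guess with that
    # user's salt. Salting does not raise that cost; a slow hash would.)
    return table_hits(plain_db), table_hits(salted_digests), len(set(salted_db))
```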
Do we agree? [2p]
Use the Diffie-Hellman key agreement protocol to create the shared secret key, given
- prime p=97
- the generator (or primitive root) g=5, and
- my challenge ya=83.
Your answer must contain
- your input yb and b
- the shared secret key
- your calculations
See the lecture notes and section 12.3.2 in the 2nd edition, 12.3.1 in the 1st edition, noting that all calculations should be modulo p.
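Added example (not part of the assignment): the Diffie-Hellman exchange in Z_p* with the assignment's p, g and ya. The responder's secret exponent b is an assumption (b=11 here); yb and the shared key follow from it, with all arithmetic modulo p. The primitive-root test and the exhaustive discrete-log search are included only to show why the generator matters and why p=97 is a toy size.

```python
P, G, YA = 97, 5, 83            # given: prime p, generator g, initiator's value ya = g^a mod p

def prime_factors(n: int) -> set:
    """Distinct prime factors of n by trial division (fine for tiny n)."""
    out, q = set(), 2
    while q * q <= n:
        while n % q == 0:
            out.add(q)
            n //= q
        q += 1
    if n > 1:
        out.add(n)
    return out

def is_primitive_root(g: int, p: int) -> bool:
    """g generates all of Z_p* iff g^((p-1)/q) != 1 (mod p) for every prime q | p-1."""
    return all(pow(g, (p - 1) // q, p) != 1 for q in prime_factors(p - 1))

def dh_public(secret: int, g: int = G, p: int = P) -> int:
    return pow(g, secret, p)                      # y = g^secret mod p

def dh_shared(other_public: int, secret: int, p: int = P) -> int:
    return pow(other_public, secret, p)           # k = y_other^secret mod p

def discrete_log(y: int, g: int = G, p: int = P) -> int:
    """Exhaustive search for a with g^a = y (mod p). Only feasible because p is
    tiny; real deployments use primes of thousands of bits precisely so this fails."""
    return next(a for a in range(1, p) if pow(g, a, p) == y)

def respond(b: int = 11) -> tuple:
    """Responder's side: publish yb and derive the key from ya. b=11 is an assumed choice."""
    yb = dh_public(b)
    return yb, dh_shared(YA, b)

if __name__ == "__main__":
    yb, k = respond()
    a = discrete_log(YA)                          # recover a only because p = 97 is a toy size
    print("yb =", yb, " shared key =", k, " same key from a's side:", dh_shared(yb, a))
```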
Secure Capabilities [2p]
Capabilities must be unforgeable and protected from unauthorized use. Describe, in reasonable detail, a way of implementing each of these properties securely. Explain the concepts and roles involved, and motivate why your solution ensures the properties hold.
Do you need to know? [3p]
Read section 4.7 (or 3.7 in the 1st edition).
Construct the lattice of security labels for the security levels public, secret and strictly confidential, and for the categories Student, Admin and Lecturer.
You do not need to hand in the lattice itself, but if you do not then you may need to give more detailed explanations.
Consider the need-to-know policy given in the book section, where access is denied if and only if the object label is greater than the subject label.
- Explore the lattice:
- Which objects can be accessed by a subject with security label (secret, {Lecturer})?
- In order to access an object with label (secret,{Admin,Lecturer}), which labels can the subject have?
- Consider a different policy, where access is granted if and only if the subject category is a subset of the object category. Can you give a meaningful interpretation of the categories in terms of confidentiality? In terms of another security property?
Don't forget to motivate and explain your answers clearly.
Quantities [4p]
Consider the following program (considered as a whole), where the variable x has level "top secret", and the variable y has level "unclassified".
Under which circumstances is the program authorized and/or not authorized, respectively, to run in Denning's quantitative model (see lecture notes)? Describe all information flows, and motivate and explain your answers carefully!
z := 1;
if (is_prime(x)) then z := 0; end if
y := z;
Unconditionality [2p]
Consider the one-time-pad cryptographic algorithm (see e.g. the lecture notes), which under some circumstances is unconditionally secure.
- Explain and motivate clearly, in terms of (theoretical) information flow, why those circumstances make it unconditionally secure.
- Explain and motivate clearly, in terms of the (practical) algorithm operations, why the cipher cannot be broken either by a brute force attack or by "lucky guessing".
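Added example (not from the lecture notes): the XOR one-time pad in code, showing why exhausting the key space does not help. For a fixed ciphertext, every plaintext of the same length is produced by exactly one key, so a brute-force attacker ends up with all possible plaintexts and nothing to single out the real one, and a "lucky guess" can always be matched by some key. The last function shows the condition the name "one-time" stands for: a reused pad cancels out. All messages and keys are constructed sample values.

```python
import os

def otp(data: bytes, key: bytes) -> bytes:
    """XOR pad; encryption and decryption are the same operation."""
    if len(key) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(d ^ k for d, k in zip(data, key))

def key_explaining(ciphertext: bytes, guess: bytes) -> bytes:
    """The unique key under which `guess` encrypts to `ciphertext`.
    It exists for every guess, so the ciphertext is consistent with any plaintext."""
    return otp(ciphertext, guess)

def all_decryptions(ciphertext: bytes) -> set:
    """Brute force over the whole key space (feasible only for 1-2 bytes).
    The result is every possible plaintext of that length, each exactly once."""
    n = len(ciphertext)
    return {otp(ciphertext, k.to_bytes(n, "big")) for k in range(256 ** n)}

def key_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """With the same pad used twice, c1 XOR c2 = p1 XOR p2: the pad cancels and
    the two plaintexts are related to each other without knowing any key."""
    return otp(c1, c2)

def demo() -> tuple:
    key = os.urandom(2)                    # fresh, uniformly random, as long as the message
    ct = otp(b"no", key)                   # constructed two-byte message
    # Every one of the 65536 two-byte plaintexts appears among the brute-force
    # decryptions, and the guess b"ok" is explained by some key just as well.
    return len(all_decryptions(ct)) == 256 ** 2, otp(ct, key_explaining(ct, b"ok"))
```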
Chinese Wall [5p]
Consider the following set of companies and conflict of interest classes:
- The fast-food chains MacDuck and Bug Burger are in conflict of interest with each other
- Both use the Decentralized Bank
- Andy and Alice work for the Ananamas Investment Analyst company;
- Andy starts to work on the MacDuck account and has access to its data
- Alice starts to work on the Bug Burger account and has access to its data;
- both have read/write access to the Ananamas data file at the Decentralized Bank.
Andy and Alice really like Bug Burgers, and want to help them.
They plan to perform the following accesses:
- Andy reads o1 from MacDuck
- Andy writes o2 (with unsanitized info from o1) to the Bank
- Alice reads o2 from the Bank
- Alice writes o2 to Bug Burger data
However, the Ananamas Investment Analyst company cares about its reputation, and has a protection system enforcing the Chinese Wall policies.
- Describe the transitions of the system given the above accesses.
- For each of the transitions, analyse whether the ss-property and *-property permit them or not. Under which circumstances are they allowed?
- Try to continue the accesses/transitions as far as possible, then describe the state and how the ss- and *-properties affect the future actions of Alice.
Describe and motivate any further assumptions you make on the example.
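Added example (not part of the assignment): a small checker for the Brewer-Nash ss- and *-properties as described in the course book, run over the planned accesses above. Assumptions made here: the Bank is alone in its own conflict-of-interest class; o1 and o2 are unsanitized; Andy's and Alice's starting histories contain the MacDuck and Bug Burger datasets respectively; and Alice's final write goes to a Bug Burger object named o3. The objects and names are otherwise constructed.

```python
from dataclasses import dataclass, field

# Company dataset -> conflict-of-interest class (assumption: the Bank is alone in its class)
COI = {"MacDuck": "fastfood", "Bug Burger": "fastfood", "Decentralized Bank": "bank"}

@dataclass(frozen=True)
class Obj:
    name: str
    company: str
    sanitized: bool = False

@dataclass
class Subject:
    name: str
    history: set = field(default_factory=set)   # company datasets accessed so far

OBJECTS = [Obj("o1", "MacDuck"), Obj("o2", "Decentralized Bank"), Obj("o3", "Bug Burger")]

def ss_read_ok(s: Subject, o: Obj) -> bool:
    """ss-property: o is sanitized, or every dataset s has accessed is either
    o's own dataset or lies in a different conflict-of-interest class."""
    return o.sanitized or all(c == o.company or COI[c] != COI[o.company] for c in s.history)

def star_write_ok(s: Subject, o: Obj) -> bool:
    """*-property: s may write o only if ss permits reading o and there is no
    unsanitized object in another company dataset that s is allowed to read
    (otherwise s could copy that information into o and carry it over the wall)."""
    if not ss_read_ok(s, o):
        return False
    return not any(ss_read_ok(s, x) and x.company != o.company and not x.sanitized
                   for x in OBJECTS)

def read(s: Subject, o: Obj) -> bool:
    ok = ss_read_ok(s, o)
    if ok:
        s.history.add(o.company)             # a granted read extends the subject's history
    return ok

def run_scenario() -> list:
    by = {o.name: o for o in OBJECTS}
    andy = Subject("Andy", {"MacDuck"})      # already working on the MacDuck account
    alice = Subject("Alice", {"Bug Burger"}) # already working on the Bug Burger account
    return [("Andy reads o1", read(andy, by["o1"])),
            ("Andy writes o2", star_write_ok(andy, by["o2"])),
            ("Alice reads o2", read(alice, by["o2"])),
            ("Alice writes o3", star_write_ok(alice, by["o3"]))]
```

Each entry pairs an access with the policy decision; the history sets after the run show which datasets each analyst is now tied to.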