Assignment 7, due Apr 13

Part of the homework for 22C:169, Spring 2007
by Douglas W. Jones
THE UNIVERSITY OF IOWA Department of Computer Science

Always, on every assignment, please write your name legibly as it appears on your University ID and on the class list! All assignments will be due at the start of class on the day indicated (usually a Friday), and, unless there is what insurance companies call "an act of God" (something outside your control), the only exceptions to this rule will be by advance arrangement.

  1. Background: Consider the problem of a smart card based system where the host computer and the smart card solve the following problems: We assume that the card has a unique ID n that it communicates to the host, that it has a secret key kcard, and that the host has a table khost[n] holding the secret keys of the cards known to that host.

    The host can send a nonce to the card which the card encrypts with kcard to return to the host. The card can send a nonce to the host which the host encrypts with khost[n] before returning it to the card. The card and host can use the value of k they've verified as a crypto key for a symmetric key cypher. The card and host can use Diffie-Hellman key-exchange to generate a shared key for a symmetric key cypher.

    a) Suppose the card first sends n to the host, in the clear, and then the host and card validate each other's authenticity, and then they use Diffie-Hellman to establish a secure channel. How can an attacker who owns a valid card arrange things so that this secure channel is established to some other device, for example the attacker's PDA, instead of to the card? (1/2 point)

    b) Suppose the card retains the exclusive-or of all nonces it has been sent for authentication as a stockpile of random numbers to be used as the random number for Diffie-Hellman key exchange. Furthermore, the card always authenticates before completing the Diffie-Hellman exchange. How could the card-holder exploit this? How could this exploit be defeated? (1/2 point)

    c) How can Diffie-Hellman key exchange be combined with the authentication process using nonces, so that the authentication process and the key exchange are carried out with a minimum amount of exchanged information? Hint: Think about using some of the information exchanged as part of the key exchange as nonces for authenticating the card. (1 point)
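The exchange described in the background of problem 1 (card sends n in the clear, each side challenges the other with a nonce answered under the card's key, then Diffie-Hellman for the session key), as an added simulation that is not part of the original assignment. It assumes HMAC-SHA256 as the keyed transformation the text calls "encrypting the nonce", and constructed demo keys and toy Diffie-Hellman parameters.

```python
import hashlib
import hmac
import secrets

# Constructed demo key material (not real card secrets).
CARD_ID = "card-0042"
KCARD = hashlib.sha256(b"demo card key").digest()
KHOST = {CARD_ID: KCARD}  # the host's khost[n] table

def keyed_response(key, nonce):
    # The assignment says the nonce is "encrypted with k"; this example uses
    # HMAC-SHA256 as that keyed transformation (an assumption of the example).
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Card:
    def __init__(self, n, kcard):
        self.n, self.kcard = n, kcard
    def answer(self, nonce):  # host challenges card
        return keyed_response(self.kcard, nonce)
    def verify_host(self, nonce, resp):
        return hmac.compare_digest(keyed_response(self.kcard, nonce), resp)

class Host:
    def __init__(self, khost):
        self.khost = khost
    def answer(self, n, nonce):  # card challenges host
        return keyed_response(self.khost[n], nonce)
    def verify_card(self, n, nonce, resp):
        if n not in self.khost:
            return False  # unknown card ID: nothing to check against
        return hmac.compare_digest(keyed_response(self.khost[n], nonce), resp)

def mutual_auth(card, host):
    """1. card sends n in the clear; 2. host challenges card with a fresh nonce;
    3. card challenges host with a fresh nonce. True only if both checks pass."""
    n = card.n
    host_nonce = secrets.token_bytes(16)
    if not host.verify_card(n, host_nonce, card.answer(host_nonce)):
        return False
    card_nonce = secrets.token_bytes(16)
    return card.verify_host(card_nonce, host.answer(n, card_nonce))

def dh_session_key(p, g, x, y):
    # Toy Diffie-Hellman with small constructed parameters; after mutual_auth
    # succeeds, both sides derive the symmetric-cipher key from g^(xy) mod p.
    card_view = pow(pow(g, y, p), x, p)  # card holds x, receives g^y
    host_view = pow(pow(g, x, p), y, p)  # host holds y, receives g^x
    assert card_view == host_view
    return hashlib.sha256(card_view.to_bytes(32, "big")).digest()
```

A card presenting a known ID but the wrong key, or an ID absent from khost, fails the host's check before any session key is derived.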

  2. Background: Suppose all PCs were outfitted with smart card readers, and suppose that our new USA-ID act compliant national identity cards were equipped with smart cards that could be used to authenticate our identity for access to computers. An obvious idea would be to issue a unique private and public key to each person, stored on their smart card. The card would, of course, divulge the public key but would never divulge the private key.

    Assume a "normal" processor on the smart card, that is, something far weaker than the processors found on typical computers. Therefore, the card cannot possibly encrypt large messages and will only encrypt small messages slowly.

    Problem: To log onto a computer, you type in your name and then insert your smart ID card. Suggest a protocol by which the computer could verify that you are indeed yourself (or at least, that you have the card corresponding to the name you typed in). This protocol must resist attack by forged cards. (1 point)

  3. Background: In the notes for lecture 31, one solution was suggested to the problem of loading the Model smart-card with an application. This solution involved loading a loader into block zero of the card and then using this to load the application. Finally, the loader is used to patch the first instruction of the loader so it becomes a jump to the start of the application in block one of the card.

    Problem: Suggest an alternative in which the application, at the end of the loading process, begins in block zero of the card, and in which the loading process stores the secrets along with the first instructions of the application in block zero. (1 point)

  4. Problem: Explain why there is some value in highly secure applications in allowing the code of the application, but not the secrets that code manipulates, to be examined by outsiders. Does the value of such examination change with changes in the size of the code? (1 point)