CMU 15-827

Security and Cryptography

Fall 1998





Homework 2

Due: 12 October 1998

  1. Zero-knowledge protocols
    1. Let p be a prime and g a generator modulo p. Given y = gx Alice claims she knows the discrete logarithm x of y. She wants to convince Bob of this fact but she does not want to reveal x to him. Give a zero-knowledge protocol for this problem.
    2. Zero-knowledge authentication protocols do not exchange a secret key. For what classes of applications are they useful? Give two concrete, non contrived, scenarios for which you would use a zero-knowledge authentication protocol.
  2. Passwords
  3. Consider the following scenario: Alice wants to login on a computer system. In order to gain access she has to communicate her password to the system. Unfortunately the keyboard (and the cable connection between the keyboard and the system) cannot be trusted since there may be a passive adversary recording the key strokes or tapping the line.

    Conversely, let us assume that the display used by Alice (and the connection between the system and the display) is secure, meaning it cannot be monitored by an adversary.

    Devise a password protocol that will allow Alice to access the system without disclosing her keys to the adversary.

  4. Authentication protocol design
  5. Choose three principles given by Needham and Abadi in their guidelines for designing cryptographic protocols paper. For each, give an example where their principle applies and results in an improved protocol, and an example where their principle leads to a poorer protocol.

  6. Intentional leaks
  7. Suppose I want to leak information out of a secure facility (for example, the secret plans for Intelís new processor). Pick one of the authentication protocols we discussed in class and describe how I can deliberately leak information using this protocol.


  8. Secure clock synchronization
  9. You want to synchronize computers to the real time. One solution is to buy a WWV receiver or a GPS receiver. What are the security threats with this approach? (The relevant information about WWV and GPS receivers is just the existence of a time signal.)

    Devise a secure way to synchronize real time at minimum cost and minimum human intervention.

  10. Logic of authentication
  11. In this problem you will apply a slight modification of the BAN Logic to the concrete STS protocol discussed in Lecture 2. Assume p is a large prime, g is a generator modulo p and all operations are performed modulo p.

    Assume the BAN Logic with the following modifications:

    P believes DH(P, gx), P believes DH(Q, gy)

    P believes P K Q

    where K = gxy

    P believes PK Q, P sees {x}PK-1

    P believes x

    Now here is a description of the idealized STS protocol you are going to work with (here K = gxy):

    1. A -> B: DH(A, gx)
    2. B -> A: DH(B, gy), {DH(B, gy), gx} PB-1
    3. A -> B: {DH(A, gx), gy} PA-1

    We want to prove that

    A believes A K B (Goal 1)


    B believes A K B (Goal 2)

    starting with the following assumptions:

    A believes fresh(gx)     B believes fresh(gy)

    A believes DH(A, gx)    B believes DH(B, gy)

    A believes PB B        B believes PA A

    1. Prove formally the goals (1) and (2) of the protocol. Show all your deduction steps.
    2. Suppose we drop the SSR rule. Can you still prove the two goals? If not, can you identify a flaw in the STS protocol that corresponds to the use of the SSR rule? What fix to the original, concrete form of the STS protocol could you suggest that would fix the flaw?
  12. Models of authentication
  13. To show a correspondence between different models of authentication protocols, give an encoding of the Dolev-Yao algebraic model of computation for name-stamp protocols (Section III of their paper) in terms of the Abadi-Tuttle state-machine model of computation (Section 5 of their paper).

Back to Lectures

Heather L. Marko
Last Modified: September 1998