UNIVERSITY OF LONDON BSc EXAMINATION 2018 For Internal Students of Royal Holloway DO NOT TURN OVER UNTIL TOLD TO BEGIN IY2760: Introduction to Information Security Time Allowed: TWO hours Answer ALL questions Calculators are NOT permitted c©Royal Holloway, University of London 2018 Page 1 of 4 2017/18 Important Copyright Notice This exam paper has been made available in electronic form strictly for the educational benefit of current Royal Holloway students on the course of study in question. No further copying, distribution or publication of this exam paper is permitted. By printing or downloading this exam paper, you are consenting to these restrictions. IY2760 1. Symmetric-Key Cryptography (a) Feistel Ciphers i. Describe, preferably with the aid of a diagram, a two-round Feistel ci- pher, clearly indicating the plaintext block, the round function and the ciphertext block. [5 marks] ii. Write down how encryption and decryption work in a Feistel cipher with i rounds. [2 marks] iii. Explain why the round function must be invertible and whether the func- tion f must be invertible too. [2 marks] (b) Modes of operation for block ciphers i. Describe the Electronic Code Book (ECB) mode of operation for block ciphers, specifying how encryption and decryption work. [4 marks] ii. Discuss the limitations of ECB mode and a possible attack. [2 marks] (c) Message authentication codes (MACs) i. MACs are typically used to provide data integrity. Define data integrity and explain its restricted meaning in the context of data communication. [2 marks] ii. Let M = m1||m2||m3 be a plaintext, where mi is a 64-bit block for i ∈ {1, 2, 3} and || denotes concatenation of blocks. Describe how to com- pute a MAC value forM using CBC-MAC, either with the aid of a diagram or in words. [3 marks] iii. Let M1 = m1, M2 = m2 and M3 = m1||m2 be three distinct plaintexts, where mi is a 64-bit block for i ∈ {1, 2, 3} and || denotes concatenation of blocks. Let MAC1, MAC2 and MAC3 be MAC values for M1, M2 and M3, respectively, computed using CBC-MAC and no optional process nor truncation. Suppose you have access to M1,M2,M3, MAC1, MAC2 and MAC3 but not to the secret key used in the encryption scheme used by the CBC-MAC scheme. Forge a valid MAC value for a plaintext which is distinct from M1,M2 and M3, providing clearly the forged MAC value and corresponding plaintext in your answer. [5 marks] Page 2 of 4 NEXT PAGE No further copying, distribution or publication of this exam paper is permitted. By printing or downloading this exam paper, you are consenting to these restrictions. IY2760 2. User authentication and Biometrics (a) Explain why user identification is needed and how it is distinguished from identity verification. [3 marks] (b) User authentication can be based on something you have or something you are. Explain what these expressions mean and give one example for each. [4 marks] (c) Passwords Passwords can be used for authentication. i. Discuss the challenges in storing a password. [2 marks] ii. Discuss the challenges in transmitting a password. [2 marks] iii. Describe the Watchword protocol, specifying the entities involved, the data they store and the communications that take place. [4 marks] (d) Biometrics i. Define biometrics and explain why it is used in the context of information security. [2 marks] ii. List at least four properties a biometric identifier should have. [2 marks] iii. Distinguish between static and dynamic biometric methods and provide two examples for each method. [2 marks] iv. Describe a biometric system model and distinguish between all the pos- sible decision outcomes. [4 marks] 3. Security protocols (a) Describe the two types of adversaries in a security protocol, detailing what they can and cannot do. [4 marks] (b) Define the property of message freshness and give two methods for provid- ing such property. [3 marks] (c) Consider the following challenge-response protocol between A and B. A B r EncK(r) where K is a secret key shared between A and B, EncK(X) denotes the symmetric encryption of data X using the secret key K, and r is a value in the plaintext space of the encryption algorithm. Page 3 of 4 NEXT PAGE No further copying, distribution or publication of this exam paper is permitted. By printing or downloading this exam paper, you are consenting to these restrictions. IY2760 Discuss its security with respect to the two types of adversaries in part 3(a). [6 marks] (d) Diffie-Hellman Protocol i. Describe in detail the Diffie-Hellman key agreement protocol between A and B. [4 marks] ii. Describe a man-in-the-middle attack against the protocol. [4 marks] iii. Discuss how the above attack can be overcome. [4 marks] 4. Protocols with advanced functionalities (a) SLL/TLS i. List three goals of the TLS Handshake Protocol. [3 marks] ii. Explain the MAC-Encode-Encrypt operation performed in the TLS Record Protocol, detailing the structure of the data that is handled. [6 marks] iii. Name and briefly discuss an attack on the TLS Record Protocol. [4 marks] (b) Bitcoin i. Define a blockchain. [4 marks] ii. Discuss the tamper-evidence property of a blockchain, explaining how it is achieved. [3 marks] iii. Describe Bitcoin’s proof of work scheme, briefly discuss how a node creates a new block, and explain why it is important to include the cryp- tographic hash of the previous block. [5 marks] END Page 4 of 4 EQ No further copying, distribution or publication of this exam paper is permitted. By printing or downloading this exam paper, you are consenting to these restrictions.
