# Security cases ## Question 1 ### Question Smart devices (lights, doorbells, locks, themostats, etc.) can be switched on and off, and controlled using an app on a smartphone. When you have an existing installation however, you may not want to replace all existing devices with new smart devices. A smart plug might be a partial solution in this case. They can be simply plugged into a regular power outlet and will control the electrical power fed to the device plugged into the smart plug (e.g. on/off/dimmed). The user can control the smart plug using an app on his smartphone. There is also a remote cloud server that can interact with both the controller app and the smart plug. The smart plug is connected to the Internet through the wireless home network. What are the most essential security services? What security mechanisms could be used to ensure proper and (reasonably) secure operation of these smart plugs? What threats are there to this security? What vulnerabilities might remain? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. ### Answer TODO ## Question 2 ### Question A (wireless) Body Area Network (BAN) is a network of wirelessly communicating sensors embedded in wearable computing devices. The sensors typically collect health related data about the person wearing the BAN. These data are then transmitted through the BAN to a collecting device (i.c. a smartphone). Design a security solution for the collection of data by the BAN, transmis- sion to the smartphone, and storage on the smartphone. What are the most essential security services? What security mechanisms would you use to implement those services (be sufficiently specific)? What could be remaining vulnerabilities? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Note: sensors in a BAN are typically battery-operated, low-power, resource-constrained (i.e. 
limited memory, bandwidth, and computational capability) devices. ### Answer TODO ## Question 3 ### Question Choosing good passwords and remembering them all may be a hard task for the human mind. Design the security architecture for a password vault service in a public cloud environment (provided by some cloud service provider). What are the most essential security services? What security mechanisms would you use to implement those services (be sufficiently specific)? How would you secure the access to the service? What could be remaining vul- nerabilities? Don’t forget to consider system security and protection against malware. Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. ### Answer TODO ## Question 4 ### Question Design the security architecture for a backup service in a public cloud environment (pro- vided by some cloud service provider). What are the most essential security services? What security mechanisms would you use to implement those services (be sufficiently specific)? How would you secure the access to the service? What could be remaining vul- nerabilities? Don’t forget to consider system security and protection against malware. Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. ### Answer TODO ## Question 5 ### Question Design a system of single sign-on (SSO) for multiple independent websites. This system should enable the user to login (using a username-password combination) once to the SSO service (this may be a trusted third party) after which the user has access to all the websites for a certain period of time (e.g. 1 hour). What security mechanisms would you use? What would the messages that are exchanged to achieve the SSO service look like? How would you secure the access to the SSO service? How would you secure password storage and transmission? Note: I expect you to make a choice and to defend this choice. 
Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO ## Question 6 ### Question Deutsche Post has introduced a system of ’electronic stamp’. Instead of putting a regular stamp on an envelope, a software program allows you to generate electronic stamps (in PDF format) that you can print on your envelope. You do need Internet access for payment. An example of such an electronic stamp is given in Fig. 1. Figure 1: Example of an electronic stamp What security services are needed for proper security of this electronic stamp? What security mechanisms could have been used to achieve those? What threats are there to this security? What vulnerabilities might remain? Some comments: • The program provides the following (mandatory) input fields: – The destination address (name – street and number – zip code – municipality) – The type of letter – The Date • The question deals with the security of the stamp, not the security of the payment mechanism behind it to purchase the electronic stamps. • In the example of Fig. 1 the real two-dimensional barcode on the right is replaced with a specimen (hence the German inscription “MUSTER”, which of course does not appear on the real barcode) ### Answer TODO ## Question 7 ### Question A company implements two-factor authentication (2FA) for access to its servers (e.g. mail server). This 2FA relies on a password (first factor) and an authenticator app (second factor) installed on a mobile device (e.g. a smartphone). When the user opens the authenticator app, it shows a 6-digit code, which is refreshed every minute. When the user requests access to the company server from his PC, the user will enter her/his password on her/his PC. The server will then ask for the 6-digit code generated by the authenticator app. Only after validation of this 6-digit code1 will access be granted to the company server. 
Describe a plausible protocol, with adequate security mechanisms, that could implement such a 2FA. What are the improvements with respect to simple password-based authen- tication? What are the possible drawbacks? What might be the remaining vulnerabilities? 1The present and the immediately previous code generated by the authenticator app will be validated. Other codes will be rejected. ### Answer TODO ## Question 8 ### Question You have a (slightly older) security token (with card reader) with no physical connection2 to the end system to log into an e-banking website. Here are the instructions that appear on the screen: 1. Enter your card number (on the website) 2. Card reader (a) Insert your bank card into the card reader (b) Press the M1 key (c) Enter the following number on the card reader. Challenge: 3742 0423 and confirm with OK key (d) Enter the PIN of your bank card and confirm with OK 3. Access code: Enter (on the website) the number that appears on the card reader (maximum 8 digits, without space) How might such a system work (which cryptographic algorithms, which key sizes, which input, etc.)? Which bank operations (consultation of data, internal or external transfers, investments, etc.) seem permissible to you after this login, without requiring an additional security operation (entering password, use of the security token) of the user? How vulnerable is this procedure to malware on the user’s host? Some comments: • The website itself is protected using TLS 1.3 (certificate for 2048 bit RSA public key; The connection is encrypted using AES 256 GCM, SHA-2-384 is the hash function for HMAC, ECDHE is used for the key exchange mechanism, and RSA is used in the server authentication of the handshake). • If you type the challenge on the token a second time, you will receive a different response, which is also accepted by the website. • After a few minutes, the validity of the challenge appears to have expired. 
The fol- lowing message appears: The validity of the challenge has expired. Please calculate a new passcode. Click here for more information. (USERIDENTIFICATIONAN- DAUTHENTICAT/4000/TIMOUT) • If you enter an incorrect “Response” five times, your contract will be blocked. 2This means it cannot receive data from your computer or send data to your computer. You can manually input data usind the keypad of the token and the output of the token can be read on its (small) display. • If you enter an incorrect PIN in your card reader three times in a row, your card will no longer work. In order to be able to use your card again, it is sufficient to use your card to perform an operation via an ATM of any agency or to perform a PIN setting in the agency. ### Answer TODO ## Question 9 ### Question Design the security architecture for a file service in a public cloud environment (provided by some cloud service provider). What are the most essential security services? What security mechanisms would you use to implement those services (be sufficiently specific)? How would you secure the access to the service? What could be remaining vul- nerabilities? Don’t forget to consider system security and protection against malware. Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. ### Answer TODO ## Question 10 ### Question Email accounts may be very vulnerable. A few years ago (2013), it was the Prime Minister of Belgium who made the news because his private email account had been hacked. Assume you are an ISP. Your clients have the possibility to access their email accounts using either a mail client or webmail. How would you secure your email service to minimise the risk of client accounts being hacked? Don’t forget system security and don’t forget to consider the usability of the system. How would you manage the password recovery process (yes, some customers will forget their passwords)? 
Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO ## Question 11 ### Question What security services will be needed to enable electronic cash for small on- line payments? What security mechanisms and protocol would you use to implement these security services? The goal is to develop a user-friendly, but correctly secured, mechanism for paying small amounts online. For these small payments, systems such as credit card, debit card, whether or not using a token such as the Digipass, are not ideal in terms of usability or cost structure. The emphasis is therefore on ease of use and simplicity of use, but the security must still be sufficient for users to be able to trust the system. Such a system could be somewhat similar to an electronic version of cash. Consider the following aspects for your implementation: • Avoid an overly cumbersome payment procedure on the client side (otherwise we might as well use two-factor authentication). • Avoiding replay is essential. With regular cash, this problem is simple: you hand over the money on payment and printing is (approximately) impossible. With an electronic payment, of course, things are somewhat different. • If necessary, you may use a trusted third party. ### Answer TODO ## Question 12 ### Question Smoke, fire and carbon monoxide detectors are getting smarter (e.g. Google’s Nest Pro- tect). The smart detector combines a physical smoke detector and an app to be installed on the user’s smartphone. When something is wrong (smoke, fire, etc.), the smart detector will set off an alarm signal and send an alert to the user’s app with information about the detected issue. The user can check the alert and decide whether or not to silence the alarm using his/her app. The detector connects to the Internet through the wireless home network. 
What are the most essential security services? What security mechanisms could be used to ensure proper and (reasonably) secure operation of these smart detectors? What threats are there to this security? What vulnerabili- ties might remain? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. ### Answer TODO ## Question 13 ### Question Consider a system to input exam scores in a university. The goal is that only lecturers can input scores for their own courses (i.e. no access to students or external actors, and no access to another lecturer’s course). Furthermore lecturers should also be able to input scores from home. Suggest an appropriate security solution (don’t forget system security). Which security protocols, cryptographic algorithms, etc. would you use? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO ## Question 14 ### Question Consider a system allowing people to vote in elections using the Web. Which security services will be necessary for this purpose? Which security mechanisms and protocol would you use to achieve these security services? What are the possible disadvantages and limitations of this voting method with respect to the traditional voting process? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). However, the system security (firewalls, IDS, etc.) are out-of-scope for this question. ### Answer TODO ## Question 15 ### Question You have a security token (with card reader) without physical contact3 to the host, al- lowing you to confirm a payment (amount: 9.30 EUR) on the Web. 
After you’ve entered your credit card data (name, card number, validity limit, verification code), you see the following instructions on your Web browser: 1. Insert your credit card into the card reader 2. Press BUY (the card reader then asks you for the security code) 3. Enter the security code 14473738 and confirm with OK (the card reader then asks you whether you want to buy on the Internet) 4. Press OK again 5. Enter the amount (9) and confirm with OK 6. Enter your PIN and press OK (the card reader then shows an 8 digit “signing code”) 7. Enter the signing code below (in your Web browser) and press “Submit” How might such a system work (which cryptographic algorithms, which key sizes, which input, etc.)? How vulnerable is this procedure to malware on the user’s host? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. A few additional notes: • The website itself is protected using TLS 1.3 (certificate for 2048 bit RSA public key; The connection is encrypted using AES 256 GCM, SHA-2-384 is the hash function for HMAC, ECDHE is used for the key exchange mechanism, and RSA is used in the server authentication of the handshake). • If you repeat the procedure with the same input on the card reader, you’ll obtain a different “signing code”, which will also be accepted by the website • After a few minutes, the combination “security code”/“signing code” will no longer be accepted • If you attempt to input five erroneous “signing codes”, your contract will be blocked • If you enter a wrong PIN three times in a row on the card reader, your card will be blocked. To unblock your card, you’ll need to use your card in an ATM or to perform a PIN reset in your bank agency 3This means it cannot receive data from your computer or send data to your computer. You can manually input data usind the keypad of the token and the output of the token can be read on its (small) display. 
### Answer TODO ## Question 16 ### Question Cars contain a lot of software today, not just for the multimedia system (music, navigation, etc.) but also for more critical systems (brakes, engine control, etc.). Not all car brands allow for software updates, although updates might be desirable to patch bugs and possible security issues. Some car brands allow software updates at a car dealership or a certified maintenance centre. Other car brands allow wireless updates that do not require returning the car to a dealership. Suggest an appropriate security solution (don’t forget system security) for these software updates for cars (both at a dealership and wireless updates). Which security functions would be essential? Which security protocols, cryp- tographic algorithms, etc. would you use? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO ## Question 17 ### Question You may know these remote controls that allow, simply by pressing a button, to lock and unlock the doors of a car. What security mechanisms could be used to ensure proper and (reason- ably) secure operation of these door openers? What threats are there to this security? What vulnerabilities might remain? Note: When the door opener button is pressed sixteen times out of range, it will no longer work. In this case, a re-initialization of the system will be required from your local distributor. Note: You shall assume that the door opener only operates as a transmitter, not as a receiver. Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. ### Answer TODO ## Question 18 ### Question Choosing good passwords and remembering them all may be a hard task for the human mind. Design the security architecture for a password manager running on a local device. What are the most essential security services? 
What security mechanisms would you use to implement those services (be sufficiently specific)? How would you implement the transfer of the password manager data to a new device? What could be remaining vulnerabilities? Don’t forget to consider system security and protection against malware. Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Figure 2: The HardKey security token ### Answer TODO ## Question 19 ### Question You have a so-called HardKey, which is a security token (without card reader, but with a small display, see also Fig. 2) without physical contact4 to the host, allowing you to log in to your bank web site. You see the following instructions on your Web browser: 1. Enter your username then click on “next step” (both on the web site) 2. Get your HardKey and press the OK button to switch it on 3. When your see “1.Login” press the OK button 4. Enter your PIN on your HardKey and press the OK button 5. Enter the (8 decimal digit) code displayed on your HardKey (on the web site) How might such a system work (which cryptographic algorithms, which key sizes, which input, etc.)? How vulnerable is this procedure to malware on the user’s host? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. A few additional notes: • The website itself is protected using TLS 1.3 (certificate for 2048 bit RSA public key; The connection is encrypted using AES 128 GCM, SHA-2-256 is the hash function for HMAC, ECDHE is used for the key exchange mechanism, and RSA is used in the server authentication of the handshake). 
• If you repeat the procedure with the same input on the token, you’ll obtain a different 8 digit code, which will also be accepted by the website • After a few minutes, the original 8 digit code will no longer be accepted • If you attempt to input five erroneous 8 digit codes, your contract will be blocked • If you enter a wrong PIN three times in a row on the token, your token will be blocked. To unblock your token, you’ll need to contact the bank, which can reset it 4This means it cannot receive data from your computer or send data to your computer. You can manually input data usind the keypad of the token and the output of the token can be read on its (small) display. ### Answer TODO ## Question 20 ### Question You have a mail server within a corporate network. You want employees also to be able to read their emails and send emails when they are at home or on the road. Suggest an appropriate security solution (don’t forget system security). Which security protocols, cryptographic algorithms, etc. would you use? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO ## Question 21 ### Question The most recent version of the Belgian eID (electronic identity card) uses an RSA key with a 2048 bit modulus. This is probably still secure for more than a few years. Which approach would you suggest if a digital signature with a very long validity is required (e.g. 30 years for a mortgage, possibly longer for a mar- riage)? You need to guarantee that the digital signature will remain valid over the entire time span. Hint: You need to think whether simply a longer key or an alternative algorithm would allow you to guarantee that the digital signature will remain valid over the entire time span. You may assume however that no algorithm becomes insecure overnight (just as for MD5, SHA-1, RSA-768, etc. 
the warnings had been coming for years before their security was broken). You may also use a trusted third party. ### Answer TODO ## Question 22 ### Question Figure 3: The HardKey security token You have a so-called HardKey, which is a security token (without card reader, but with a small display, see also Fig. 3) without physical contact5 to the host, allowing you to confirm a money transfer on your bank web site after you have logged in. After you’ve entered all required data for the money transfer (account number, amount (i.c. 93.80), etc.), you see the following instructions on your Web browser: Use your HardKey to confirm 5This means it cannot receive data from your computer or send data to your computer. You can manually input data usind the keypad of the token and the output of the token can be read on its (small) display. 1. Switch your HardKey on by pressing the OK button for a while 2. Browse to “2. Payment” with the blue arrows (on your HardKey) (the HardKey then asks you for your PIN) 3. Enter your PIN and press the OK button (the HardKey then asks you for the amount of the transfer) 4. Enter 9380 (Amount) and press the OK button (the HardKey then asks you for information about the account to which you transfer the money) 5. Enter 35911426 (Account) and press the OK button 6. Enter (on the web site) the code displayed on your HardKey (an 8 decimal unique digit code is then displayed on your HardKey, e.g. 47508566) How might such a system work (which cryptographic algorithms, which key sizes, which input, etc.)? How vulnerable is this procedure to malware on the user’s host? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. 
A few additional notes: • The website itself is protected using TLS 1.3 (certificate for 2048 bit RSA public key; The connection is encrypted using AES 128 GCM, SHA-2-256 is the hash function for HMAC, ECDHE is used for the key exchange mechanism, and RSA is used in the server authentication of the handshake). • If you repeat the procedure with the same input on the token, you’ll obtain a different 8 digit code, which will also be accepted by the website • After a few minutes, the original 8 digit code will no longer be accepted • If you attempt to input five erroneous 8 digit codes, your contract will be blocked • If you enter a wrong PIN three times in a row on the token, your token will be blocked. To unblock your token, you’ll need to contact the bank, which can reset it ### Answer TODO ## Question 23 ### Question A company implements two-factor authentication (2FA) for access to its servers (e.g. mail server). This 2FA relies on a password (first factor) and an authenticator app (second factor) installed on a mobile device (e.g. a smartphone). When the user requests access to the company server from his PC, the user will enter her/his password on her/his PC. Then the authenticator app (on the user’s mobile device) will ask the user to approve this access. Only after this approval will access be granted to the company server. Describe a plausible protocol, with adequate security mechanisms, that could implement such a 2FA. 6This number corresponds to part of the account number What are the improvements with respect to simple password-based authen- tication? What are the possible drawbacks? What might be the remaining vulnerabilities? ### Answer TODO ## Question 24 ### Question You have a security token (shown in Fig. 4) without physical connection to the host allowing you to log on to an e-banking website. The token contains a small display on which every minute, a new six-digit code is shown. 
No input is possible on the token (no keypad, no card reader, no wireless connection). You can only read its ouput on the token’s display. Figure 4: The token The procedure to log on to the e-banking website is the following: • First, you reach a web page where you enter login and password. • Then you’ll be transferred to another web page where you enter the six-digit code your security token is showing at that time. How might such a token work (which cryptographic algorithms, which key sizes, which input, etc.)? How vulnerable is this procedure to malware on the user’s host? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. A few notes: • The website itself is protected using TLS 1.3 (certificate for 2048 bit RSA public key; The connection is encrypted using AES 256 GCM, SHA-2-384 is the hash function for HMAC, ECDHE is used for the key exchange mechanism, and RSA is used in the server authentication of the handshake). • If you reuse an already used code of your token, this will result in an error. • When you use the previous (but not yet used) code of your token, this code will often, but not always, be accepted. Older codes will always be refused. (This is true at least for users who log in at least once a week.) • If you attempt to input five erroneous codes, your contract will be blocked. ### Answer TODO ## Question 25 ### Question What security services will be needed to achieve a contactless and passive7 access badge used to gain entry to a building? What security mechanisms and protocol would you use to implement these security services? You briefly hold the access badge in front of a contactless badge reader, which will verify the validity of the badge and grant you access to the building if you have the correct access rights. It should of course be almost impossible to forge an access badge. The system should be sufficiently fast, although the calculation power of the badge is rather limited. 
### Answer TODO ## Question 26 ### Question A large company operates on two different locations (one in Ghent, the other one in Brussels), each with a local network. The company wants to allow employees securely to access resources from both local networks and also requires both local networks to be secure. Suggest a suitable security solution (don’t forget system security). Which security protocols, cryptographic algorithms, etc. would you use? Note: I expect you to make a choice and defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO ## Question 27 ### Question Commercial airliners typically fly with both a pilot and a co-pilot on board. In the future it has been suggested that aeroplanes could be flown with only a single pilot in the cockpit and with a remote co-pilot on the ground, who would be able to take over in case of emergency. Suggest an appropriate security solution (don’t forget system security) for this approach (pilot on-board + remote co-pilot on the ground). Which se- curity functions would be essential? Which security protocols, cryptographic algorithms, etc. would you use? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). Note: I know that drones are already operated with remote control only. However a self-destruct function when things really go wrong is not an option for a commercial airliner! ### Answer TODO ## Question 28 ### Question You have a security token (with card reader) connected by a USB cable to the host. This token (the bank card reader) also has a small display and a small keypad (numerical digits and a few functional keys, e.g. “OK” and “Cancel”), see also Fig. 5. You have 7“Passive” means it doesn’t contain any batteries or other internal power source. 
Figure 5: The connected token with card reader installed a security plug-in (software) that enables the communication between your com- puter/browser and your token. The bank card has already been inserted in the bank card reader. You see the following instructions on your Web browser when you log in to your bank web site: 1. Card number Welcome, your card with number 6703 1234 1234 1234 1 has been correctly read by the bank card reader. 2. PIN code Please follow the instructions on your bank card reader. The bank card reader then asks for your PIN code Type your PIN code and press “OK” to log in (Or cancel the login by pressing “Cancel”) After having typed your (correct) PIN code on the bank card reader, you are logged in to your bank web site. How might such a system work (which cryptographic algorithms, which key sizes, which input, etc.)? How vulnerable is this procedure to malware on the user’s host? Note: I expect you to make a choice and to defend this choice. Don’t present a range of possible solutions. A few additional notes: • The website itself is protected using TLS 1.3 (certificate for 2048 bit RSA public key; The connection is encrypted using AES 256 GCM, SHA-2-384 is the hash function for HMAC, ECDHE is used for the key exchange mechanism, and RSA is used in the server authentication of the handshake). • If you enter a wrong PIN three times in a row on the card reader, your card will be blocked. To unblock your card, you’ll need to use your card in an ATM or to perform a PIN reset in your bank agency ### Answer TODO ## Question 29 ### Question What security services will be needed to achieve a contactless rechargeable card for public transportation? What security mechanisms and protocol would you use to implement these security services? These rechargeable card allow the customer to top up their credit (using the ticket machines of the transportation company). This credit can then be used to pay for the use of public transportation. 
You may consider the simplified scenario where the card permits a certain number of rides at fixed rate. The card is practically used as a parking badge: you swipe the card in front a contactless card reader, which will decrease the credit on your card by the cost of the ride and will validate your ride. This action must be sufficiently fast and the computing power of a smart card is limited. Examples of such rechargeable cards are the “Mobib” of the MIVB/De Lijn/TEC (Belgium), the “Navigo” of the RATP (Paris), the “Oyster” card of TfL (London), or the “OV Chipkaart” (The Netherlands). Note: I expect you to make a choice and defend this choice. Don’t present a range of possible solutions. Be sufficiently specific in your implementation (algorithms, key lengths, modes, etc.). ### Answer TODO # Other questions ## Question 1 ### Question Explain the “initial exchanges” in the Internet Key Exchange (IKE) in IPsec. What are the elements that guarantee the authenticity of the involved en- tities (Initiator (I) and Responder (R))? How is replay prevented? What cryptographic algorithms could be used (be sufficiently specific)? ### Answer TODO ## Question 2 ### Question Is the one-way function property (aka preimage resistance) a sufficient con- dition for weak collision resistance (aka second-preimage resistance) for some function? Is this a necessary condition? Explain why it isn’t (a counterexam- ple is sufficient) or why it is. Note: the function considered is not necessarily a typical hash function. ### Answer TODO ## Question 3 ### Question When looking at the root certificates of my browser (Firefox, May 2022) I found the following properties for the GlobalSign Root CA X.509v3 certificate: • The certificate is valid from 1998-09-01 to 2028-01-28. • The public key is a 2048 bit RSA key (the public exponent is 216 + 1). • The certificate is self-signed using SHA-1 as a hash function and using PKCS #1 v1.5 formatting. 
- The critical extensions mention this is a certificate for a certificate authority and the key pair is intended for certificate signing and for CRL signing.

Explain why the different security choices (algorithms, key lengths, validity periods, extensions) do or don’t make sense. Explain why you would keep or change these security choices.

### Answer

TODO

## Question 4

### Question

What are the advantages and drawbacks in using a TLS-based solution for secure remote login (often known as a VPN connection) compared to using an IPsec-based solution?

Note: consider interoperability, ease of use (installation and maintenance), security, interaction with NAT and firewalls.

### Answer

TODO

## Question 5

### Question

In the exercise sessions we’ve seen how so-called “rainbow tables” could be used to attempt to crack stored Windows passwords. Once we have the suitable “rainbow table” the effort to crack a password from a search space of $N$ possible passwords is $O(N^{2/3})$. What total computational effort will be needed if one wants to crack some password (from a search space of $N$ possible passwords) and one doesn’t have a precomputed “rainbow table” to start with? Is it worth the effort to build a “rainbow table” before starting the attempt to crack the password? What does this mean about the feasibility of cracking a Linux password file?

### Answer

TODO

## Question 6

### Question

If you need a cryptographic hash function and you have to choose between SHA-2 and SHA-3, which algorithm would you choose and why? What are the respective advantages and drawbacks of each algorithm? What would determine your choice?

### Answer

TODO

## Question 7

### Question

Describe how AES-GCM is used in TLS v1.3 to encrypt subsequent fragments. How are the counter values determined? What “associated data” will be authenticated but not encrypted and why?

### Answer

TODO

## Question 8

### Question

A ring signature is a special type of digital signature.
The signature can be performed by any member of a group of users. Anyone (given the ring signature and the public keys of all group members) can verify the authenticity of the signature, but not determine which member of the group has created the signature.

We consider a group with 4 members (this can be easily generalised to any number of members) using RSA key pairs $(KU_i, KR_i)$ ($1 \le i \le 4$) and assume the signer is user number 3. The procedure uses a keyed function $C_{k,v}(y_1, y_2, y_3, y_4)$ (depending on a key value $k$ and a glue value $v$). The tuple $y_1, y_2, y_3, y_4$ will be chosen such that the ring equation holds:

$$C_{k,v}(y_1, y_2, y_3, y_4) = v \quad \text{(Q8.1)}$$

The practical implementation of the keyed function $C_{k,v}(y_1, y_2, y_3, y_4)$ is:

$$E_k(y_4 \oplus E_k(y_3 \oplus E_k(y_2 \oplus E_k(y_1 \oplus v)))) \quad \text{(Q8.2)}$$

where $E_k$ is the symmetric encryption (consider AES-256) using key value $k$ (the corresponding decryption could be written as $D_k$), and where $\oplus$ is the bitwise XOR operation.

The signature is generated (by user 3) as follows:

1. the key value $k$ is computed from the message using a (given and known) cryptographic hash function $H$ (e.g. SHA2-256): $k = H(M)$ (truncation to the required key length is allowed)
2. a random glue value $v$ is chosen
3. random values $x_i$ ($1 \le i \le 4 \wedge i \ne 3$) are chosen
4. the corresponding values $y_i = E_{KU_i}(x_i)$ are used (with $E_{KU_i}$ the RSA encryption with the public key $KU_i$) ($1 \le i \le 4 \wedge i \ne 3$; no PKCS #1 formatting is used)
5. the ring equation (Q8.1) is solved for $y_3$
6. the value of $x_3 = E_{KR_3}(y_3)$ is determined
7. the ring signature for message $M$ is the 9-tuple $(KU_1, KU_2, KU_3, KU_4, v, x_1, x_2, x_3, x_4)$

The verification of the ring signature is as follows:

1. compute the values $y_i = E_{KU_i}(x_i)$
2. calculate the key value $k = H(M)$
3. verify that the ring equation (Q8.1) holds

How can the ring equation (Q8.1) be solved for $y_3$? Explain why someone outside the group (without knowledge of any of the private keys $KR_i$) can’t generate a ring signature for the group.
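As an added example (not part of the question or of any course material), the signing and verification steps above as a runnable Python model, including the step that solves the ring equation (Q8.1) for the signer's $y$ value. Everything below is the example's own assumption: the RSA key pairs are toy keys built from Mersenne primes (far too small for real use); the block cipher $E_k$ is a 4-round Feistel network with a SHA-512 round function standing in for AES-256, chosen so that its block width matches the width of the RSA values and no external library is needed; and RSA is applied to full-width blocks with the Rivest-Shamir-Tauman extension, which keeps it a permutation of the whole block range. The constant `B`, the key list `MERSENNE` and all function names are hypothetical.

```python
"""Toy model of the ring signature procedure from Question 8 (added example).

Assumptions (not from the question): tiny RSA keys from Mersenne primes; E_k
is a 4-round Feistel network with a SHA-512 round function standing in for
AES-256, so its block width B equals the width of the RSA values; RSA acts on
B-bit values through the Rivest-Shamir-Tauman extension (still a permutation).
"""
import hashlib
import secrets

B = 1024                 # width in bits of v, x_i and y_i (assumption)
HALF = B // 2
MASK = (1 << HALF) - 1


def rsa_keygen(p, q, e=65537):
    """Return ((n, e), (n, d)); toy key, not a secure size."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def rsa_ext(key, x):
    """RSA as a permutation of B-bit integers: write x = q*n + r and apply
    r -> r^exp mod n inside that copy of Z_n. With (n, e) this is E_KU, with
    (n, d) it is E_KR; the two are inverses of each other."""
    n, exp = key
    q, r = divmod(x, n)
    if (q + 1) * n <= (1 << B):
        return q * n + pow(r, exp, n)
    return x                 # last, incomplete copy of Z_n: identity


def _round(k, right, i):
    """Feistel round function: SHA-512(k || i || right) cut to HALF bits."""
    data = k + bytes([i]) + right.to_bytes(HALF // 8, "big")
    return int.from_bytes(hashlib.sha512(data).digest(), "big") & MASK


def E(k, x):
    """Keyed permutation E_k on a B-bit integer (stand-in for AES-256)."""
    left, right = x >> HALF, x & MASK
    for i in range(4):
        left, right = right, left ^ _round(k, right, i)
    return (left << HALF) | right


def D(k, y):
    """Inverse permutation D_k (rounds undone in reverse order)."""
    left, right = y >> HALF, y & MASK
    for i in reversed(range(4)):
        left, right = right ^ _round(k, left, i), left
    return (left << HALF) | right


def combine(k, v, ys):
    """C_{k,v}(y_1, ..., y_m) = E_k(y_m xor E_k(... E_k(y_1 xor v)))  (Q8.2)."""
    t = v
    for y in ys:
        t = E(k, y ^ t)
    return t


def solve_ring(k, v, ys, s):
    """Solve C_{k,v}(y) = v (Q8.1) for the unknown y_s (0-based index s):
    evaluate the chain forward from v up to y_{s-1}, peel it backward from v
    with D_k down to y_{s+1}; the two partial results then pin down y_s."""
    fwd = v
    for y in ys[:s]:
        fwd = E(k, y ^ fwd)
    bwd = v
    for y in reversed(ys[s + 1:]):
        bwd = D(k, bwd) ^ y
    return D(k, bwd) ^ fwd   # because E_k(y_s xor fwd) must equal bwd


def ring_sign(message, pubkeys, signer, privkey):
    """Steps 1-7 of the question; `signer` is a 0-based index."""
    k = hashlib.sha256(message).digest()                  # 1: k = H(M)
    v = secrets.randbits(B)                               # 2: glue value
    xs = [secrets.randbits(B) for _ in pubkeys]           # 3: random x_i
    ys = [rsa_ext(pk, x) for pk, x in zip(pubkeys, xs)]   # 4: y_i = E_KUi(x_i)
    ys[signer] = solve_ring(k, v, ys, signer)             # 5: solve for y_s
    xs[signer] = rsa_ext(privkey, ys[signer])             # 6: x_s = E_KRs(y_s)
    return tuple(pubkeys), v, tuple(xs)                   # 7: the signature


def ring_verify(message, signature):
    """Verification steps 1-3: recompute y_i and k, check the ring equation."""
    pubkeys, v, xs = signature
    ys = [rsa_ext(pk, x) for pk, x in zip(pubkeys, xs)]
    k = hashlib.sha256(message).digest()
    return combine(k, v, ys) == v


# Constructed toy key pairs for four members (Mersenne primes, insecure sizes).
MERSENNE = [2**17 - 1, 2**19 - 1, 2**31 - 1, 2**61 - 1,
            2**89 - 1, 2**107 - 1, 2**127 - 1, 2**521 - 1]
KEYS = [rsa_keygen(MERSENNE[2 * i], MERSENNE[2 * i + 1]) for i in range(4)]
PUBKEYS = [pub for pub, _ in KEYS]


def demo(message=b"constructed sample message"):
    """Sign as member 3 (index 2), verify, and check a tampered message fails."""
    sig = ring_sign(message, PUBKEYS, 2, KEYS[2][1])
    return ring_verify(message, sig), ring_verify(message + b"!", sig)


if __name__ == "__main__":
    print(demo())
```

`solve_ring` is the interesting part: the chain in (Q8.2) is evaluated from both ends, forward with $E_k$ and backward with $D_k$, and the unknown $y_s$ is whatever makes the two halves meet. The signer needs a private key only in step 6, to turn that forced $y_s$ into an $x_s$ that the public operation maps back onto it; a verifier sees four public-key evaluations that close the ring and nothing that singles out position 3.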
Explain why it isn’t possible to identify which member of the group has generated the ring signature.

### Answer

TODO

## Question 9

### Question

A Merkle tree (aka hash tree) is used in the bitcoin Blockchain technology, but could also be seen as a normal hash function $H_{MT}$. In short, it consists of a tree of hashes in which the leaves are hashes of data blocks. This is illustrated for a (binary) Merkle tree of depth 2 in Fig. 6.

Figure 6: Illustration of a (binary) Merkle Tree (depth 2).

A more rigorous description for a binary Merkle tree of depth $n$ is:

- The data $T$ are divided in $2^n$ blocks $T_i$ of equal size (padding may be needed, but we shan’t consider it here to keep things simple) (with $i \in 0..(2^n - 1)$), so that $T$ is the concatenation of all blocks $T_i$: $T = T_0 \| T_1 \| \ldots \| T_{2^n - 1}$
- Each block $T_i$ is then hashed using a hash function $H$: $h_{0,i} = H(T_i)$ (with $i \in 0..(2^n - 1)$)
- The intermediate hash values are then combined and hashed to obtain the parent hash nodes: $h_{j+1,i} = H(h_{j,2i} \| h_{j,2i+1})$ (with $j \in 0..(n - 1)$ and $i \in 0..(2^{n-j-1} - 1)$)
- The final hash value is then $H_{MT}(T) = h_{n,0}$

The hash function $H$ is a traditional cryptographic hash function (MD5, SHA1, SHA2-256, etc.).

- Compare the performance of the computation of $H_{MT}$ to that of a regular hash function $H$ (consider parallelisability).
- If the depth $n$ of the Merkle tree isn’t given, this scheme doesn’t exhibit weak collision resistance (aka second preimage resistance). Find some data $T'$ such that $T' \ne T$ and $H_{MT}(T') = H_{MT}(T)$. Extra: Can you adapt the basic scheme of the computation of the Merkle tree to avoid this issue (beyond using a fixed depth $n$)?
- For a given depth $n$, does $H_{MT}$ exhibit (strong) collision resistance if MD5 is chosen as a hash function $H$? Explain your answer.
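As an added example (not the question's own material), the definition of $H_{MT}$ above in Python with SHA2-256 as $H$: `merkle_levels` builds $h_{0,\cdot}$ up to $h_{n,0}$ exactly as the three bullets describe, `merkle_hash_parallel` computes the same value level by level with a thread pool to make visible which hashes are independent, and `merkle_path`/`verify_path` go one step beyond the question by showing the authentication path a Merkle tree is normally used for. Assumed: the input length is a multiple of $2^n$ (padding is left out, as in the question), and all names are the example's own.

```python
"""Binary Merkle tree hash H_MT of depth n as defined in Question 9 (added example).

Assumptions: H is SHA2-256; len(T) is a multiple of 2**n (no padding, as in the
question); the helper names are this example's own.
"""
import hashlib
from concurrent.futures import ThreadPoolExecutor


def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def split_blocks(T: bytes, n: int) -> list[bytes]:
    """Divide T into 2**n equal-size blocks T_0 .. T_{2**n - 1}."""
    count = 1 << n
    if len(T) % count:
        raise ValueError("len(T) must be a multiple of 2**n (no padding here)")
    size = len(T) // count
    return [T[i * size:(i + 1) * size] for i in range(count)]


def merkle_levels(T: bytes, n: int) -> list[list[bytes]]:
    """All levels h_0 .. h_n: h_0[i] = H(T_i) and h_{j+1}[i] = H(h_j[2i] || h_j[2i+1])."""
    levels = [[H(block) for block in split_blocks(T, n)]]
    for _ in range(n):
        prev = levels[-1]
        levels.append([H(prev[2 * i] + prev[2 * i + 1]) for i in range(len(prev) // 2)])
    return levels


def merkle_hash(T: bytes, n: int) -> bytes:
    """H_MT(T) = h_{n,0}."""
    return merkle_levels(T, n)[-1][0]


def merkle_hash_parallel(T: bytes, n: int, workers: int = 4) -> bytes:
    """Same value as merkle_hash, but the 2**(n-j) hashes of each level are
    submitted to a thread pool: within a level they are independent, only the
    levels themselves must run one after the other."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        level = list(pool.map(H, split_blocks(T, n)))
        while len(level) > 1:
            pairs = [level[2 * i] + level[2 * i + 1] for i in range(len(level) // 2)]
            level = list(pool.map(H, pairs))
    return level[0]


def merkle_path(T: bytes, n: int, i: int) -> list[bytes]:
    """Sibling hashes from leaf i up to the root: the authentication path with
    which a verifier can rebuild h_{n,0} from block T_i alone."""
    levels = merkle_levels(T, n)
    path = []
    for j in range(n):
        path.append(levels[j][i ^ 1])   # sibling of node i at level j
        i >>= 1
    return path


def verify_path(root: bytes, block: bytes, i: int, path: list[bytes]) -> bool:
    """Rebuild the root from block T_i and its authentication path."""
    h = H(block)
    for sibling in path:
        h = H(h + sibling) if i % 2 == 0 else H(sibling + h)
        i >>= 1
    return h == root


# Constructed sample input: four 8-byte blocks, i.e. depth 2 as in Fig. 6.
SAMPLE = b"block-00block-01block-02block-03"

if __name__ == "__main__":
    root = merkle_hash(SAMPLE, 2)
    print(root.hex())
    print(merkle_hash_parallel(SAMPLE, 2) == root)
    print(verify_path(root, b"block-02", 2, merkle_path(SAMPLE, 2, 2)))
```

Note that `merkle_levels` takes the depth $n$ as an explicit input; the tree structure is fixed by the caller, not derived from the data, which is exactly the parameter the second bullet of the question asks you to think about.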
### Answer

TODO

## Question 10

### Question

When browsing the (secure) home page of the university in May 2020, these were the essential security properties I found in the chain of certificates:

- The website (www.ugent.be) uses an RSA-2048 key pair $(PR_W, PU_W)$. The public exponent of this key is $2^{16} + 1$.
- The key ($PU_W$) is certified in an X.509v3 certificate ($CA_{T\,W}$) by TERENA SSL High Assurance CA 3. This certificate states this key pair is intended for signing and key encipherment, and not for certification (critical V3 extensions). The validity of the certificate is from 2019-08-08 to 2021-08-12. This certificate has been signed using SHA2-256 as a hash function and the RSA-2048 private key ($PR_T$) of TERENA SSL High Assurance CA 3 (the public exponent of this key is also $2^{16} + 1$).
- The corresponding public key ($PU_T$) of TERENA SSL High Assurance CA 3 has in its turn been certified in an X.509v3 certificate ($CA_{D\,T}$) by DigiCert High Assurance EV Root CA. This certificate states this key pair is intended for signing, for signing CRLs, and for signing (final) certificates (as a CA) (critical V3 extensions). The validity of the certificate is from 2014-11-18 to 2024-11-18. This certificate has been signed using SHA2-256 as a hash function and the RSA-2048 private key ($PR_D$) of DigiCert High Assurance EV Root CA (the public exponent of this key is also $2^{16} + 1$).
- Finally, the corresponding public key ($PU_D$) of DigiCert High Assurance EV Root CA is certified in a self-signed X.509v3 certificate ($CA_{D\,D}$). This certificate states this key pair is intended for signing, for signing CRLs, and for signing (final or intermediate) certificates (as a CA) (critical V3 extensions). The validity of the certificate is from 2006-11-10 to 2031-11-10. This certificate has been signed using SHA1 as a hash function.
- All signatures use PKCS #1 v1.5 formatting.

Explain why the different security choices (algorithms, key lengths, validity periods) do or don’t make sense.
Explain why you would keep or change these security choices.

### Answer

TODO

## Question 11

### Question

Problems may arise with some VPN tunnels when a TCP connection is tunneled over another TCP connection when the transmission quality of the link between both VPN gateways is low. Which solutions could you use to achieve the desired VPN security (a secure connection between two local networks) without suffering the destructive interference between both TCP connections?

Note: Don’t forget to take into account the feasibility of your solutions.

### Answer

TODO

## Question 12

### Question

When browsing the (secure) home page of the university in June 2019, these were the essential security properties I found in the chain of certificates:

- The website (www.ugent.be) uses an RSA-2048 key pair $(PR_W, PU_W)$. The public exponent of this key is $2^{16} + 1$.
- The key ($PU_W$) is certified in an X.509v3 certificate ($CA_{T\,W}$) by TERENA SSL High Assurance CA 3. This certificate states this key pair is intended for signing and key encipherment, and not for certification (critical V3 extensions). The validity of the certificate is from 2017-08-08 to 2019-08-13. This certificate has been signed using SHA2-256 as a hash function and the RSA-2048 private key ($PR_T$) of TERENA SSL High Assurance CA 3 (the public exponent of this key is also $2^{16} + 1$).
- The corresponding public key ($PU_T$) of TERENA SSL High Assurance CA 3 has in its turn been certified in an X.509v3 certificate ($CA_{D\,T}$) by DigiCert High Assurance EV Root CA. This certificate states this key pair is intended for signing, for signing CRLs, and for signing (final) certificates (as a CA) (critical V3 extensions). The validity of the certificate is from 2014-11-18 to 2024-11-18. This certificate has been signed using SHA2-256 as a hash function and the RSA-2048 private key ($PR_D$) of DigiCert High Assurance EV Root CA (the public exponent of this key is also $2^{16} + 1$).
- Finally, the corresponding public key ($PU_D$) of DigiCert High Assurance EV Root CA is certified in a self-signed X.509v3 certificate ($CA_{D\,D}$). This certificate states this key pair is intended for signing, for signing CRLs, and for signing (final or intermediate) certificates (as a CA) (critical V3 extensions). The validity of the certificate is from 2006-11-10 to 2031-11-10. This certificate has been signed using SHA1 as a hash function.
- All signatures use PKCS #1 v1.5 formatting.

Explain why the different security choices (algorithms, key lengths, validity periods) do or don’t make sense. Explain why you would keep or change these security choices.

### Answer

TODO

## Question 13

### Question

Is weak collision resistance (aka second-preimage resistance) a sufficient condition for strong collision resistance (aka collision resistance) for some function? Is this a necessary condition? Explain why it isn’t (a counterexample is sufficient) or why it is.

Note: the function considered is not necessarily a typical hash function.

### Answer

TODO

## Question 14

### Question

Explain the role of the “seed” in RSA-OAEP. What are the potential vulnerabilities of “raw” RSA that are eliminated (or at least very strongly mitigated) by the use of this seed (+ explain how)? How can it be recovered from an encoded message? What is a reasonable minimal length for this seed (+ explain why)?

### Answer

TODO

## Question 15

### Question

Compare the signature schemes PKCS #1 v1.5 and PKCS #1 v2.1 (RSA-PSS) for RSA. Explain how signature verification works for an RSA-PSS signed message. Which elements prevent the problems one may encounter using the “raw” RSA algorithm for digital signatures? Can you explain why RSA-PSS may be an improvement over the older PKCS #1 v1.5? Which elements are responsible for this improvement? Would the use of MD5 as a hash function in RSA-PSS be a security risk?
### Answer

TODO

## Question 16

### Question

Explain why AES-GCM (Galois Counter Mode) can be more efficiently parallelised than a combination of AES-CTR (counter mode) for confidentiality with an AES-based CBC-MAC for authentication. Show as an illustration how the AES-GCM algorithm could be efficiently parallelised over 4 processors.

Note: consider the simplified case for GCM with a 96 bit IV and with no additional authenticated data. The message to be encrypted is at least a few kilobytes, which means that a reasonably large number of blocks will have to be encrypted.

### Answer

TODO

## Question 17

### Question

Describe how authenticated Diffie-Hellman (DH) key exchange could work with elliptic curve cryptography (for a given elliptic curve EC with given generator $G$ of known and given order $n$). What would be the mathematical operations to derive a single-use session key?

Hint: start from the original authenticated DH key exchange (based on modular exponentiation).

### Answer

TODO

## Question 18

### Question

Is it possible to efficiently parallelise the encryption operation of a block cipher in CBC mode? If so, explain how. Otherwise, explain why it is not possible. What about the decryption operation?

### Answer

TODO

## Question 19

### Question

Most cryptocurrencies use a proof-of-work for the validation of blocks in the blockchain. This proof-of-work consists in computing some hash algorithm. In the case of Bitcoin the hash algorithm is SHA2-256. A major drawback of this kind of hash function is that traditional computer CPUs are at a significant disadvantage both in speed and in power consumption compared to Application-Specific ICs (ASICs), which can be optimised to perform this single task (i.c. computing SHA2-256 hashes). Can you suggest alternative hash algorithms that would reduce the advantage of ASICs with respect to CPUs? What properties would be desirable for such hash algorithms?
Note: Don’t hesitate to think slightly out of the box of traditional cryptographic hash functions, which are mainly intended for digital signatures and should therefore be very fast to compute.

Note: For those less familiar with hardware: ASICs are dedicated hardware for a single task. They’re not reprogrammable (contrary to FPGAs, CPUs, or GPUs) and only have limited integrated random access memory (much less than the typical L3 cache of a CPU).

### Answer

TODO

## Question 20

### Question

When browsing the (secure) home page of the university in May 2022, these were the essential security properties I found in the chain of certificates:

- The website (www.ugent.be) uses an RSA-4096 key pair $(PR_W, PU_W)$. The public exponent of this key is $2^{16} + 1$.
- The key ($PU_W$) is certified in an X.509v3 certificate ($CA_{S\,W}$) by Sectigo RSA Organization Validation Secure Server CA. This certificate states this key pair is intended for signing and key encipherment, and not for certification (critical V3 extensions). The validity of the certificate is from 2021-10-30 to 2022-10-30. This certificate has been signed using SHA2-256 as a hash function and the RSA-2048 private key ($PR_S$) of Sectigo RSA Organization Validation Secure Server CA (the public exponent of this key is also $2^{16} + 1$).
- The corresponding public key ($PU_S$) of Sectigo RSA Organization Validation Secure Server CA has in its turn been certified in an X.509v3 certificate ($CA_{U\,S}$) by USERTrust RSA Certification Authority. This certificate states this key pair is intended for signing, for signing CRLs, and for signing (final) certificates (as a CA) (critical V3 extensions). The validity of the certificate is from 2018-11-02 to 2030-12-31. This certificate has been signed using SHA2-384 as a hash function and the RSA-4096 private key ($PR_U$) of USERTrust RSA Certification Authority (the public exponent of this key is also $2^{16} + 1$).
- Finally, the corresponding public key ($PU_U$) of USERTrust RSA Certification Authority is certified in a self-signed X.509v3 certificate ($CA_{U\,U}$). This certificate states this key pair is intended for signing, for signing CRLs, and for signing (final or intermediate) certificates (as a CA) (critical V3 extensions). The validity of the certificate is from 2010-02-01 to 2038-01-18. This certificate has been signed using SHA2-384 as a hash function.
- All signatures use PKCS #1 v1.5 formatting.

Explain why the different security choices (algorithms, key lengths, validity periods) do or don’t make sense. Explain why you would keep or change these security choices.

### Answer

TODO

## Question 21

### Question

When browsing the website of Bank A you can observe that the website is secured using TLS 1.2, using elliptic curve ephemeral Diffie-Hellman for the key exchange, RSA-2048 authentication for the handshake (the certificate is signed with SHA-2-256), and AES-128-GCM for the encryption of further traffic. The website of Bank B uses slightly different security parameters: it uses TLS 1.3 with RSA-2048 authentication for the handshake (the certificate is signed with SHA-2-256), and AES-256-GCM for the encryption of further traffic. Compare the security of the websites for Banks A and B. How significant are the differences? Which bank website offers a better level of security?

### Answer

TODO

## Question 22

### Question

There is a variant for RSA encryption (multi-prime RSA), where the modulus $n$ is a product of a certain number ($k > 2$) of different primes $p_i$ ($1 \le i \le k$):

$$n = \prod_{i=1}^{k} p_i \quad \text{(Q22.3)}$$

You may assume that all prime factors $p_i$ are of the same order of magnitude. The RSA operations are completely similar: $C = M^e \bmod n$ for the public key encryption of a message $M$ into a ciphertext $C$ using the public exponent $e$; $M = C^d \bmod n$ for the decryption using the private exponent $d$, where $e \cdot d = 1 \bmod \varphi(n)$.
The modulus $n$ can, of course, be factorised using the general number field sieve (GNFS), but it can also be factorised using the elliptic curve method (ECM). The complexity for factoring using ECM is:

$$(\lg n)^2 \cdot L_p[1/2, \sqrt{2}] \quad \text{(Q22.4)}$$

where $p$ is a prime factor of $n$.

Consider the case of an 8192 bit RSA key. On the one hand you have a multi-prime RSA key, where the modulus is the product of four 2048 bit primes. On the other hand you have a traditional 8192 bit RSA key, where the modulus is the product of two 4096 bit primes. To what extent could a multi-prime RSA key be faster than a traditional RSA key? Consider key generation. Consider encryption (using the public key) and decryption (using the private key). Explain how the performance improvement is obtained.

Hint: Think of what you could do using the Chinese Remainder Theorem (CRT).

Note: Don’t worry about the security of the multi-prime RSA key for the case considered here. There is no significant degradation of the security with respect to a traditional RSA key of the same length.

### Answer

TODO

## Question 23

### Question

A basic password storage mechanism is to encode a combination of the password and a salt using a one-way function. A commonly used one-way function is MD5. An alternative one-way function is bcrypt, in which a lengthy (and configurable) setup process may increase the required computation time for the output of the one-way function up to 100 ms on a regular PC. What is the advantage (consider performance and security) of using bcrypt instead of MD5 for password storage? Are there also possible drawbacks (consider again performance and security) in using bcrypt instead of MD5? Consider the case of a smartphone, the case of a PC, and the case of a server.

Note: the precise working of bcrypt is not relevant for answering this question.

### Answer

TODO

## Question 24

### Question

Blinding is sometimes used to prevent timing attacks against private key operations in RSA.
Design a similar blinding operation for elliptic curve cryptography (for a given elliptic curve EC with given generator $G$ of given order $n$).

### Answer

TODO

## Question 25

### Question

Does authenticated Diffie-Hellman (DH) guarantee forward secrecy? What happens if one or both of the fixed DH keys is compromised? What is the impact on future (i.e. after the keys have been compromised) communications? What is the impact on past (i.e. before the keys have been compromised) communications?

### Answer

TODO

## Question 26

### Question

We have seen in the course how the use of a salt in the encoded storage of a password could improve the security of the storage. The salt is typically unique for each user, but not secret (it is often stored in plain text). An alternative technique is using both a salt and a pepper in the encoded storage. The pepper is identical for all users within the system but secret (only known to the application processing the passwords and not stored in plain text). This means that the password $P_i$ for some user $i$ (with salt $S_i$) will be stored as the encoded password $EP_i$:

$$EP_i = H(P_i \| S_i \| Pepper) \quad \text{(Q26.5)}$$

where $Pepper$ is the pepper used in this system, $H$ is the (one-way) encoding function, and $\|$ stands for the concatenation of data.

Compare this use of a pepper + salt combination to the use of only a salt for secure password storage. What are the advantages/drawbacks of this pepper + salt combination? Consider direct login attempts, dictionary attacks, and rainbow tables.

### Answer

TODO

## Question 27

### Question

Compare the encryption schemes PKCS #1 v1.5 and PKCS #1 v2.0 (RSA-OAEP) for RSA (for public key encryption). Explain how decryption works for an RSA-OAEP encrypted message. Which elements prevent the problems one may encounter using the “raw” RSA algorithm for public key encryption? Can you explain why RSA-OAEP may be an improvement over the older PKCS #1 v1.5? Which elements are responsible for this improvement?
Would the use of MD5 as a hash function in RSA-OAEP be a security risk?

### Answer

TODO

## Question 28

### Question

The PKCS #1 v1.5 encryption scheme uses a different kind of padding for the block types BT=“01” and BT=“02”. What security issues (that would occur with BT=“00”) are solved when using BT=“01”? Which ones are solved when using BT=“02”? How are they solved? Explain why a different padding is used for BT=“01” and BT=“02”.

### Answer

TODO

## Question 29

### Question

We have seen in the course how the use of a salt in the encoded storage of a password could improve the security of the storage. The salt is typically unique for each user, but not secret (it is often stored in plain text). An alternative technique is using a pepper in the encoded storage. The pepper is identical for all users within the system but secret (only known to the application processing the passwords and not stored in plain text). This means that the password $P_i$ for some user $i$ will be stored as the encoded password $EP_i$:

$$EP_i = H(P_i \| Pepper) \quad \text{(Q29.6)}$$