Arvutiteaduse instituut
  1. Kursused
  2. 2018/19 sügis
  3. Infoturve (MTAT.07.028)
EN
Logi sisse

Infoturve 2018/19 sügis

  • Home
  • Lectures & labs
  • Homework
  • Exam
  • News
  • Links

Homework #2

Deadline: 6th of November (the solution has to be submitted before Wednesday)

Written tasks

Recommended reading

  • SSL Server Test
  • Announcing the first SHA1 collision
  • SHAttered

PKC, PKI and HTTPS

  1. What is a hash function? What is the difference between encryption and hashing? (1p)
  2. Find the public key of https://twitter.com/. Save the public key as text (not the whole certificate) to a text file and upload it to a submission form that is at the end of this website. Make sure that the corresponding certificate is signed by DigiCert as it might be possible that your antivirus software is modifying the certificates. (1p)
  3. Merkel, Trump and Putin sign a Memorandum of Agreement using the Estonian digital signature system (or another very similar system). However, when the document is shown at a G8 meeting, it displays signatures from Merkel and Trump. Putin claims that he was actually the first to sign the agreement and his signature must have been removed from the document. Can this claim be valid? Why or why not? If so, how can Putin prove his claim and does this invalidate the signatures of Merkel and Trump? Why? (3p)
  4. Find the following information about https://www.wikipedia.org/. (2p)
    1. Who issued the certificate for www.wikipedia.org?
    2. Which hash function and crypto algorithm was used to sign the certificate?
    3. Does it support perfect forward secrecy?
    4. When does the certificate expire?

PGP & Signal

  1. Send your lab supervisor an encrypted and signed e-mail using PGP/GPG. It should be a single mail message, signed and encrypted at the same time. (3p)
    • If you already completed this task in the lab session than you do not have to do it again.
    • Upload your public key to the key server infsec.cs.ut.ee
    • To encrypt, use these public keys: Kristjan Krips (5BFC8B9D) or Toomas (3D90 CCB5).
    • Be sure to include your name in the mail message itself, otherwise there is nothing to sign or encrypt.
  2. Use Signal to send end-to-end encrypted message to our test account. Add temporarily to your contacts the following number: five eight six seven one four five nine. Send a self destructing message that contains your name to the test account. (1p)
    • The message should contain your name.
    • If you are not able to install Signal or do not want to do this task then ask for a replacement task from krips ät ut ee.
    • More specific instructions can be found from the corresponding lab notes.

Smartcards, Mobile-ID and e-voting

  1. In an opinion story Otto de Voogd wrote about the possibility of the state having access to the secret keys on the Estonian ID-card. As a response to the opinion Agu Kivimägi wrote how private keys are generated. Describe two main reasons why the Estonian government can not access / know the secret key that is on your ID-card. (1p)
  2. We know that since the spring of 2017 it is possible to find collisions for SHA-1. Give answers to the following questions.
    • Is it now possible to forge digital signatures when we know that the collision resistance property does not hold anymore for SHA-1? Why? (1p)
    • What should one do now in order to prevent legal issues over future forgeries of digital signatures that were previously given using SHA-1? E.g., assume that you signed a contract in 2012 by using SHA-1 and the same contract should be valid for the next 30 years. How could you prevent legal issues in the future regarding the authenticity of the contract in case someone will be able to forge the signature in the future? You will have to provide reasoning! (1p)
  3. Let's consider a web service that allows to authenticate users only with Mobile-ID. It is possible to use that web service either (a) on a PC, while authenticating with a smartphone that contains the SIM-card of the Mobile-ID; or (b) on the same smartphone that contains the SIM-card of the Mobile-ID. Now, how does the security of using the described web service differ for scenarios (a - PC+smartphone) and (b - smartphone)? Which option is more secure in your opinion? Describe the reasoning for the choice. Hint: what would be needed for a successful attack in each of the scenarios? (2p)

Blockchain

  1. Name two security related advantages of BitCoin compared to regular payment systems. Name two security related disadvantages of Bitcoin compared to regular payment systems. (2p)

Submission form for the written tasks

The solution has to be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf formats if it is not stated otherwise in the homework task. The solutions of the practical tasks have to submitted separately to their corresponding input forms (see below).

We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.

2. 2. Homework
Sellele ülesandele ei saa enam lahendusi esitada.

Submission of the practical tasks

Task nr 2 from "PKC, PKI and HTTPS" block. Find the public key of the website https://twitter.com/ and save it into a text (.txt) file. Upload the text file as a solution for this task. Make sure that the corresponding certificate is signed by DigiCert as it might be possible that your antivirus software is modifying the certificates. (1p)

6. Public key
Sellele ülesandele ei saa enam lahendusi esitada.
  • Arvutiteaduse instituut
  • Loodus- ja täppisteaduste valdkond
  • Tartu Ülikool
Tehniliste probleemide või küsimuste korral kirjuta:

Kursuse sisu ja korralduslike küsimustega pöörduge kursuse korraldajate poole.
Õppematerjalide varalised autoriõigused kuuluvad Tartu Ülikoolile. Õppematerjalide kasutamine on lubatud autoriõiguse seaduses ettenähtud teose vaba kasutamise eesmärkidel ja tingimustel. Õppematerjalide kasutamisel on kasutaja kohustatud viitama õppematerjalide autorile.
Õppematerjalide kasutamine muudel eesmärkidel on lubatud ainult Tartu Ülikooli eelneval kirjalikul nõusolekul.
Courses’i keskkonna kasutustingimused