Arvutiteaduse instituut
  1. Kursused
  2. 2019/20 sügis
  3. Infoturve (MTAT.07.028)
EN
Logi sisse

Infoturve 2019/20 sügis

  • Home
  • Lectures & labs
  • Homework & course rules
  • Exam
  • News
  • Links

Homework #2

Deadline: 10th of November (the solution has to be submitted before Monday)

Written tasks

Recommended reading / tools

  • SSL Server Test
  • Announcing the first SHA1 collision
  • SHAttered

PKC, PKI and HTTPS

  1. Hashing
    1. Briefly describe with your own words the functionality / behaviour of a hash function. (0.5p)
    2. State in one sentence the main difference between encryption and hashing. (0.5p)
  2. Find the public key of https://www.wikipedia.org. Save the public key as text (not the whole certificate) to a text file (.txt) and upload it to a submission form that is at the end of this website. Make sure that the corresponding certificate is signed by DigiCert as it might be possible that your antivirus software is replacing the certificates in real time to scan the TLS traffic. In that case use a different browser or a different device. (1p)
  3. Read the following article: HTTPS Certificate Revocation is broken, and it’s time for some new tools. Answer the following questions:
    1. Why would a certificate owner want to revoke a valid certificate? Name at least two common reasons. (1p)
    2. Why are certificate revocation lists not guaranteed to work in practice? (1p)
    3. Online Certificate Status Protocol has also some issues, list them. (1p)
  4. Find the following information about https://www.wikipedia.org/. (2p)
    1. Who issued the certificate for www.wikipedia.org?
    2. Which hash function and crypto algorithm was used to sign the certificate?
    3. Does it support perfect forward secrecy?
    4. When does the certificate expire?

PGP & Signal

  1. Send your lab supervisor an encrypted and signed e-mail using PGP/GPG. It should be a single mail message, signed and encrypted at the same time. (3p)
    • If you already completed this task in the lab session than you do not have to do it again.
    • Upload your public key to the key server infsec.cs.ut.ee
    • To encrypt, use the public key with the following ID: Kristjan Krips (5BFC8B9D).
    • Be sure to include your name in the mail message itself, otherwise there is nothing to sign or encrypt.
  2. Choose and solve one of the following two tasks:
    1. Use Signal to send end-to-end encrypted message to our test account. Send a a self destructing message in Signal to the following number: +372 five four five six seven seven seven two. The message should contain your name. Information and more specific instructions about Signal can be found from the lab notes. (1p)
    2. Signal protocol is considered cryptographically secure but there are still ways to break the privacy of the sent messages. One trivial way is to hack the corresponding phone to get access before the message is even encrypted (this applies to any communication device / tool / software). It may also be possible to attack the method, which connects identities to the encryption keys. Read the following text and based on that explain briefly how the message privacy of Signal messages could be attacked and what is needed for that attack. (1p)
      • Cybersecurity for the People: How to Keep Your Chats Truly Private With Signal

Smartcards, Mobile-ID and e-voting

  1. In an opinion story Otto de Voogd wrote about the possibility of the state having access to the secret keys on the Estonian ID-card. As a response to the opinion Agu Kivimägi wrote how private keys are generated. Describe two main reasons why the Estonian government can not access / know the secret key that is on your ID-card. (1p)
  2. We know that since the spring of 2017 it is possible to find collisions for SHA-1. Give answers to the following questions.
    • Is it now possible to forge digital signatures when we know that the collision resistance property does not hold anymore for SHA-1? Why? (1p)
    • What should one do now in order to prevent legal disputes over future forgeries of digital signatures that were previously given using SHA-1? E.g., assume that you signed a contract in 2012 by using SHA-1 and the same contract should be valid for the next 30 years. What would you have to do with the existing digitally signed contract to prevent legal disputes in the future regarding the authenticity of the contract in case someone will be able to forge the signature in the future? The signature has to be digital due to the business model and it is not possible to get a written confirmation by a third party about the validity of the signature. You will have to provide reasoning! (1p)
  3. Let's consider a web service that allows to authenticate users only with Mobile-ID. It is possible to use that web service either (a) on a PC, while authenticating with a smartphone that contains the SIM-card of the Mobile-ID; or (b) on the same smartphone that contains the SIM-card of the Mobile-ID. Now, how does the security of using the described web service differ for scenarios (a - PC+smartphone) and (b - smartphone)? Which option is more secure in your opinion? Describe the reasoning for the choice. Hint: what would be needed for a successful attack in each of the scenarios? (2p)

Blockchain

  1. Name two security related advantages of BitCoin compared to regular payment systems. Name two security related disadvantages of Bitcoin compared to regular payment systems. (2p)

Submission form for the written tasks

The solution has to be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf format if it is not stated otherwise in the homework task. The solutions of the practical tasks have to submitted separately to their corresponding input forms (see below).

We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.

2. 2. Homework (in PDF format)
Sellele ülesandele ei saa enam lahendusi esitada.

Submission of the practical tasks

Task nr 2 from "PKC, PKI and HTTPS" block. Find the public key of https://www.wikipedia.org. Save the public key as text (not the whole certificate) to a text file (.txt) and upload it to a submission form that is at the end of this website. Make sure that the corresponding certificate is signed by DigiCert as it might be possible that your antivirus software is replacing the certificates in real time to scan the TLS traffic. In that case use a different browser or a different device. (1p)

6. Public key
Sellele ülesandele ei saa enam lahendusi esitada.
  • Arvutiteaduse instituut
  • Loodus- ja täppisteaduste valdkond
  • Tartu Ülikool
Tehniliste probleemide või küsimuste korral kirjuta:

Kursuse sisu ja korralduslike küsimustega pöörduge kursuse korraldajate poole.
Õppematerjalide varalised autoriõigused kuuluvad Tartu Ülikoolile. Õppematerjalide kasutamine on lubatud autoriõiguse seaduses ettenähtud teose vaba kasutamise eesmärkidel ja tingimustel. Õppematerjalide kasutamisel on kasutaja kohustatud viitama õppematerjalide autorile.
Õppematerjalide kasutamine muudel eesmärkidel on lubatud ainult Tartu Ülikooli eelneval kirjalikul nõusolekul.
Courses’i keskkonna kasutustingimused