Arvutiteaduse instituut
  1. Kursused
  2. 2020/21 sügis
  3. Infoturve (MTAT.07.028)
EN
Logi sisse

Infoturve 2020/21 sügis

  • Home
  • Lectures & labs
  • Homework & course rules
  • Exam
  • News
  • Links

Homework #2 (18p)

Deadline: 8th of November (the solution has to be submitted before Monday)

Written tasks

Recommended reading / tools

  • SSL Server Test
  • Announcing the first SHA1 collision
  • SHAttered

PKC, PKI and HTTPS

  1. Hashing
    1. Briefly describe in your own words the functionality / behavior of a hash function. The answer should not be longer than 3 sentences. (1p)
    2. What are the two main differences between encryption and hashing? The answer must be formatted as a list. This question can have multiple correct answers. (1p)
  2. Find the public key of https://www.eesti.ee. It can be found with the help of a web browser. Save the public key (not the whole certificate) to a text file (.txt) and upload it to a submission form that is at the end of this website. The solution is checked automatically and thus submissions that are formatted in a wrong way will get 0 points. Make sure that the corresponding certificate is signed by DigiCert as it might be possible that your antivirus software is replacing the certificates in real time to scan the TLS traffic. In case the answer and the certificate issuer is wrong, the submission will be automatically given 0 points. In case the certificate issuer is not DigiCert use a different browser or a different device to find the public key. Hint: the public key ends with the following symbols: 89 60 04 C4 01 11. In addition, some browsers may display an addition suffix in the form of 02 03 01 00 01. (1p)
  3. Read the following article: HTTPS Certificate Revocation is broken, and it’s time for some new tools. Answer the following questions:
    1. Why would a certificate owner want to revoke a valid certificate? Name at least two common reasons. (1p)
    2. Why are certificate revocation lists not guaranteed to work in practice? (1p)
    3. Online Certificate Status Protocol has also some issues, list them. (1p)
  4. Find an Estonian website, which uses HTTPS but has not configured it perfectly. The TLS configuration can be checked with the help of https://www.ssllabs.com/ssltest. I will accept solutions that show a website with a grade B or worse. You can speed up the testing by opening multiple browser tabs.
    • Submit a screenshot from https://www.ssllabs.com/ssltest, where both the tested URL and the grade can be seen. Cut the irrelevant information from the screenshot. The screenshot has to be submitted in the format of a picture (e.g., png, jpg). Do not paste the screenshot into a .docx file. I will not open .docx files or any other exotic file format while grading this solution. The file has to be submitted through the submission form that is located in the end of this page. (1p)
  5. Find the requested information about the certificate of https://www.ut.ee. The answer has to be strictly formatted according to the instructions as some of the subtasks are graded automatically. Write the answer into a regular text file (.txt, not .docx). Answer the questions in the same order as they are presented. You may use one line per answer. Thus, the solution file must have exactly for rows (lines). The solution file has to be submitted separately to the corresponding submission form that can be found in the end of the page.
    1. Who issued the certificate for www.ut.ee? (0.5p)
    2. Which hash function was used to sign the certificate? (0.5p)
    3. Which cryptosystem (signature algorithm) was used to sign the certificate? (0.5p)
    4. When does the certificate expire? Write the answer in the following format: day.month.year. For example, 20.10.2020.

Lab tasks: PGP & Signal

  1. Send your lab supervisor an encrypted and signed e-mail using PGP/GPG. It should be a single mail message, signed and encrypted at the same time. (3p)
    • If you already completed this task in the lab session than you do not have to do it again.
    • Upload your public key to the key server infsec.cs.ut.ee
    • To encrypt, use the public key with the given ID. The ID is published in the lab notes.
    • Be sure to include your name in the mail message itself, otherwise there is nothing to sign or encrypt.
  2. Choose and solve one of the following two tasks:
    1. Use Signal to send end-to-end encrypted message to our test account. Send a hello message in Signal to the following number: +372 five three seven six zero nine four two. The message must contain either your name or pseudonym from this course as otherwise it is not possible to assign points. Information and more specific instructions about Signal can be found from the lab notes. (2p)
    2. Signal protocol is considered cryptographically secure but there are still ways to break the privacy of the sent messages. One trivial way is to hack the corresponding phone to get access before the message is even encrypted (this applies to any communication device / tool / software). It may also be possible to attack the method, which connects identities to the encryption keys. Read the following text and based on that explain briefly how the message privacy of Signal messages could be attacked and what is needed for that attack. (2p)
      • Cybersecurity for the People: How to Keep Your Chats Truly Private With Signal

Smartcards, Mobile-ID and e-voting

  1. In an opinion story Otto de Voogd wrote about the possibility of the state having access to the secret keys on the Estonian ID-card. As a response to the opinion Agu Kivimägi wrote how private keys are generated. Name two main reasons why the Estonian government can not access / know the secret key that is on your ID-card. The identified ID-card vulnerabilities are out of scope of this question. The answer must be formatted as a list. (1p)
  2. Since the spring of 2017 it is possible to find collisions for SHA-1. Currently it is no longer possible to use SHA-1 for issuing legally binding digital signatures. However, does this finding affect the signatures that were given before 2017? Hint: check the security requirements for cryptographic hash functions. Give answers to the following questions.

    1. Is it now possible to forge digital signatures that were issued in 2010 with SHA-1? You will have to write the reasoning with your own words. (1p)

    2. What should one do now in order to prevent legal disputes over future forgeries of digital signatures that were previously given using SHA-1? E.g., assume that you signed a contract in 2010 by using SHA-1 and the same contract should be valid for the next 30 years. What would you have to do with the existing digitally signed contract to prevent legal disputes in the future regarding the authenticity of the contract in case someone will be able to forge the signature in the future? The signature has to be in a digital format due to the business model and it is not possible to get a written confirmation by a third party about the validity of the signature. You will have to provide reasoning! (1p)

Blockchain

  1. Briefly list two security related advantages of BitCoin compared to regular payment systems. Similarly, list two security related disadvantages of Bitcoin compared to regular payment systems. The answer must be formatted as a list or as a table. (1p)

Submission form for the written tasks

The solution has to be submitted through this website. The solution can be submitted once you have logged in with the university credentials. We accept solutions only in .pdf format if it is not stated otherwise in the homework task. The solutions of the practical tasks have to submitted separately to their corresponding input forms (see below).

We would like to get feedback about the difficulty of the homework and therefore we would kindly ask you to write in the comments box an estimate of how much time it took to solve the homework tasks.

6. Homework 2 - written tasks (PDF)
Sellele ülesandele ei saa enam lahendusi esitada.

Submission form for the public key task

Find the public key of https://www.eesti.ee. It can be found with the help of a web browser. Save the public key (not the whole certificate) to a text file (.txt) and upload it to a submission form that is at the end of this website. The solution is checked automatically and thus submissions that are formatted in a wrong way will get 0 points. Make sure that the corresponding certificate is signed by DigiCert as it might be possible that your antivirus software is replacing the certificates in real time to scan the TLS traffic. In case the answer and the certificate issuer is wrong, the submission will be automatically given 0 points. In case the certificate issuer is not DigiCert use a different browser or a different device to find the public key. Hint: the public key ends with the following symbols: 89 60 04 C4 01 11. (1p)

5. Homework2: public key (.txt file)
Sellele ülesandele ei saa enam lahendusi esitada.

Submission form for the certificate information task

Find the requested information about the certificate of https://www.ut.ee. The answer has to be strictly formatted according to the instructions as some of the subtasks are graded automatically. Write the answer into a regular text file (.txt, not .docx). Answer the questions in the same order as they are presented. You may use one line per answer. Thus, the solution file must have exactly for rows (lines). The solution file has to be submitted through the form below.

  1. Who issued the certificate for www.ut.ee? (0.5p)
  2. Which hash function was used to sign the certificate? (0.5p)
  3. Which cryptosystem (signature algorithm) was used to sign the certificate? (0.5p)
  4. When does the certificate expire? Write the answer in the following format: day.month.year. For example, 20.10.2020.
7. Homework2: certificate info (.txt file)
Sellele ülesandele ei saa enam lahendusi esitada.

TLS configuration

Find an Estonian website, which uses HTTPS but has not configured it perfectly. The TLS configuration can be checked with the help of https://www.ssllabs.com/ssltest. I will accept solutions that show a website with a grade B or worse. You can speed up the testing by opening multiple browser tabs.

  • Submit a screenshot from https://www.ssllabs.com/ssltest, where both the tested URL and the grade can be seen. Cut the irrelevant information from the screenshot. The screenshot has to be submitted in the format of a picture (e.g., png, jpg). Do not paste the screenshot into a .docx file. I will not open .docx files or any other exotic file format while grading this solution. The file has to be submitted through the submission form that is located in the end of this page. (1p)
8. Homework2: TLS info
Sellele ülesandele ei saa enam lahendusi esitada.
  • Arvutiteaduse instituut
  • Loodus- ja täppisteaduste valdkond
  • Tartu Ülikool
Tehniliste probleemide või küsimuste korral kirjuta:

Kursuse sisu ja korralduslike küsimustega pöörduge kursuse korraldajate poole.
Õppematerjalide varalised autoriõigused kuuluvad Tartu Ülikoolile. Õppematerjalide kasutamine on lubatud autoriõiguse seaduses ettenähtud teose vaba kasutamise eesmärkidel ja tingimustel. Õppematerjalide kasutamisel on kasutaja kohustatud viitama õppematerjalide autorile.
Õppematerjalide kasutamine muudel eesmärkidel on lubatud ainult Tartu Ülikooli eelneval kirjalikul nõusolekul.
Courses’i keskkonna kasutustingimused