This commit is contained in:
Ondrej Hladuvka 2025-05-21 21:13:01 +03:00
parent b8056c084c
commit 588e6b2f87
4 changed files with 745 additions and 0 deletions

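--- a/hw4/Makefile
+++ b/hw4/Makefile
@@ -0,0 +1,7 @@
+all: reseni.pdf
+ieee.cls:
+curl -O https://raw.githubusercontent.com/citation-style-language/styles/master/ieee.csl
+reseni.pdf: reseni.md
+pandoc reseni.md --citeproc -o reseni.pdf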
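Review bot: The `ieee.cls:` rule fetches `ieee.csl` from the `master` branch of a third-party repository at build time with no pin and no integrity check, so whatever that branch serves at build time is handed straight to pandoc; the target name also does not match the file curl writes (`.cls` vs `.csl`) and no other target depends on it, so the rule is effectively dead and the build silently uses the committed `hw4/ieee.csl`. `curl -O` without `-f` would also save an HTTP error page as the style file. Pin the fetch to a commit, verify the digest, write to `$@`, and make `reseni.pdf` depend on `ieee.csl`; the rendered page drops leading whitespace, so also confirm the recipe lines are tab-indented. The commit and digest below are placeholders to be filled from the styles repository.
```makefile
CSL_COMMIT ?= <commit-sha-of-citation-style-language/styles>
CSL_SHA256 ?= <sha256-of-ieee.csl-at-that-commit>

ieee.csl:
	curl -fsSL -o $@ https://raw.githubusercontent.com/citation-style-language/styles/$(CSL_COMMIT)/ieee.csl
	echo "$(CSL_SHA256)  $@" | sha256sum -c - || { rm -f $@; exit 1; }

reseni.pdf: reseni.md ieee.csl
# … unchanged: pandoc recipe …
```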
512
hw4/ieee.csl Normal file

@ -0,0 +1,512 @@
<?xml version="1.0" encoding="utf-8"?>
<style xmlns="http://purl.org/net/xbiblio/csl" class="in-text" version="1.0" demote-non-dropping-particle="sort-only">
<info>
<title>IEEE</title>
<id>http://www.zotero.org/styles/ieee</id>
<link href="http://www.zotero.org/styles/ieee" rel="self"/>
<!-- <link href="https://ieeeauthorcenter.ieee.org/wp-content/uploads/IEEE-Reference-Guide.pdf" rel="documentation"/> - 2018 guidelines -->
<link href="http://journals.ieeeauthorcenter.ieee.org/wp-content/uploads/sites/7/IEEE_Reference_Guide.pdf" rel="documentation"/>
<link href="https://journals.ieeeauthorcenter.ieee.org/your-role-in-article-production/ieee-editorial-style-manual/" rel="documentation"/>
<author>
<name>Michael Berkowitz</name>
<email>mberkowi@gmu.edu</email>
</author>
<contributor>
<name>Julian Onions</name>
<email>julian.onions@gmail.com</email>
</contributor>
<contributor>
<name>Rintze Zelle</name>
<uri>http://twitter.com/rintzezelle</uri>
</contributor>
<contributor>
<name>Stephen Frank</name>
<uri>http://www.zotero.org/sfrank</uri>
</contributor>
<contributor>
<name>Sebastian Karcher</name>
</contributor>
<contributor>
<name>Giuseppe Silano</name>
<email>g.silano89@gmail.com</email>
<uri>http://giuseppesilano.net</uri>
</contributor>
<contributor>
<name>Patrick O'Brien</name>
</contributor>
<contributor>
<name>Brenton M. Wiernik</name>
</contributor>
<contributor>
<name>Oliver Couch</name>
<email>oliver.couch@gmail.com</email>
</contributor>
<category citation-format="numeric"/>
<category field="engineering"/>
<category field="generic-base"/>
<summary>IEEE style as per the 2023 guidelines, V 11.29.2023.</summary>
<updated>2024-03-27T11:41:27+00:00</updated>
<rights license="http://creativecommons.org/licenses/by-sa/3.0/">This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 License</rights>
</info>
<locale xml:lang="en">
<date form="text">
<date-part name="month" form="short" suffix=" "/>
<date-part name="day" form="numeric-leading-zeros" suffix=", "/>
<date-part name="year"/>
</date>
<terms>
<term name="chapter" form="short">ch.</term>
<term name="chapter-number" form="short">ch.</term>
<term name="presented at">presented at the</term>
<term name="available at">available</term>
</terms>
</locale>
<!-- Macros -->
<macro name="status">
<choose>
<if variable="page issue volume" match="none">
<text variable="status" text-case="capitalize-first" suffix="" font-weight="bold"/>
</if>
</choose>
</macro>
<macro name="edition">
<choose>
<if type="bill book chapter graphic legal_case legislation motion_picture paper-conference report song" match="any">
<choose>
<if is-numeric="edition">
<group delimiter=" ">
<number variable="edition" form="ordinal"/>
<text term="edition" form="short"/>
</group>
</if>
<else>
<text variable="edition" text-case="capitalize-first" suffix="."/>
</else>
</choose>
</if>
</choose>
</macro>
<macro name="issued">
<choose>
<if type="article-journal report" match="any">
<date variable="issued">
<date-part name="month" form="short" suffix=" "/>
<date-part name="year" form="long"/>
</date>
</if>
<else-if type="bill book chapter graphic legal_case legislation song thesis" match="any">
<date variable="issued">
<date-part name="year" form="long"/>
</date>
</else-if>
<else-if type="paper-conference" match="any">
<date variable="issued">
<date-part name="month" form="short"/>
<date-part name="year" prefix=" "/>
</date>
</else-if>
<else-if type="motion_picture" match="any">
<date variable="issued" form="text" prefix="(" suffix=")"/>
</else-if>
<else>
<date variable="issued" form="text"/>
</else>
</choose>
</macro>
<macro name="author">
<names variable="author">
<name and="text" et-al-min="7" et-al-use-first="1" initialize-with=". "/>
<label form="short" prefix=", " text-case="capitalize-first"/>
<et-al font-style="italic"/>
<substitute>
<names variable="editor"/>
<names variable="translator"/>
<text macro="director"/>
</substitute>
</names>
</macro>
<macro name="editor">
<names variable="editor">
<name initialize-with=". " delimiter=", " and="text"/>
<label form="short" prefix=", " text-case="capitalize-first"/>
</names>
</macro>
<macro name="director">
<names variable="director">
<name and="text" et-al-min="7" et-al-use-first="1" initialize-with=". "/>
<et-al font-style="italic"/>
</names>
</macro>
<macro name="locators">
<group delimiter=", ">
<text macro="edition"/>
<group delimiter=" ">
<text term="volume" form="short"/>
<number variable="volume" form="numeric"/>
</group>
<group delimiter=" ">
<number variable="number-of-volumes" form="numeric"/>
<text term="volume" form="short" plural="true"/>
</group>
<group delimiter=" ">
<text term="issue" form="short"/>
<number variable="issue" form="numeric"/>
</group>
</group>
</macro>
<macro name="title">
<choose>
<if type="bill book graphic legal_case legislation motion_picture song standard software" match="any">
<text variable="title" font-style="italic"/>
</if>
<else>
<text variable="title" quotes="true"/>
</else>
</choose>
</macro>
<macro name="publisher">
<choose>
<if type="bill book chapter graphic legal_case legislation motion_picture paper-conference song" match="any">
<group delimiter=": ">
<text variable="publisher-place"/>
<text variable="publisher"/>
</group>
</if>
<else>
<group delimiter=", ">
<text variable="publisher"/>
<text variable="publisher-place"/>
</group>
</else>
</choose>
</macro>
<macro name="event">
<choose>
<!-- Published Conference Paper -->
<if type="paper-conference speech" match="any">
<choose>
<if variable="container-title" match="any">
<group delimiter=" ">
<text term="in"/>
<text variable="container-title" font-style="italic"/>
</group>
</if>
<!-- Unpublished Conference Paper -->
<else>
<group delimiter=" ">
<text term="presented at"/>
<text variable="event"/>
</group>
</else>
</choose>
</if>
</choose>
</macro>
<macro name="access">
<choose>
<if type="webpage post post-weblog" match="any">
<!-- https://url.com/ (accessed Mon. DD, YYYY). -->
<choose>
<if variable="URL">
<group delimiter=". " prefix=" ">
<group delimiter=": ">
<text term="accessed" text-case="capitalize-first"/>
<date variable="accessed" form="text"/>
</group>
<text term="online" prefix="[" suffix="]" text-case="capitalize-first"/>
<group delimiter=": ">
<text term="available at" text-case="capitalize-first"/>
<text variable="URL"/>
</group>
</group>
</if>
</choose>
</if>
<else-if match="any" variable="DOI">
<!-- doi: 10.1000/xyz123. -->
<text variable="DOI" prefix=" doi: " suffix="."/>
</else-if>
<else-if variable="URL">
<!-- Accessed: Mon. DD, YYYY. [Medium]. Available: https://URL.com/ -->
<group delimiter=". " prefix=" " suffix=". ">
<!-- Accessed: Mon. DD, YYYY. -->
<group delimiter=": ">
<text term="accessed" text-case="capitalize-first"/>
<date variable="accessed" form="text"/>
</group>
<!-- [Online Video]. -->
<group prefix="[" suffix="]" delimiter=" ">
<choose>
<if variable="medium" match="any">
<text variable="medium" text-case="capitalize-first"/>
</if>
<else>
<text term="online" text-case="capitalize-first"/>
<choose>
<if type="motion_picture">
<text term="video" text-case="capitalize-first"/>
</if>
</choose>
</else>
</choose>
</group>
</group>
<!-- Available: https://URL.com/ -->
<group delimiter=": " prefix=" ">
<text term="available at" text-case="capitalize-first"/>
<text variable="URL"/>
</group>
</else-if>
</choose>
</macro>
<macro name="page">
<choose>
<if type="article-journal" variable="number" match="all">
<group delimiter=" ">
<text value="Art."/>
<text term="issue" form="short"/>
<text variable="number"/>
</group>
</if>
<else>
<group delimiter=" ">
<label variable="page" form="short"/>
<text variable="page"/>
</group>
</else>
</choose>
</macro>
<macro name="citation-locator">
<group delimiter=" ">
<choose>
<if locator="page">
<label variable="locator" form="short"/>
</if>
<else>
<label variable="locator" form="short" text-case="capitalize-first"/>
</else>
</choose>
<text variable="locator"/>
</group>
</macro>
<macro name="geographic-location">
<group delimiter=", " suffix=".">
<choose>
<if variable="publisher-place">
<text variable="publisher-place" text-case="title"/>
</if>
<else-if variable="event-place">
<text variable="event-place" text-case="title"/>
</else-if>
</choose>
</group>
</macro>
<!-- Series -->
<macro name="collection">
<choose>
<if variable="collection-title" match="any">
<text term="in" suffix=" "/>
<group delimiter=", " suffix=". ">
<text variable="collection-title"/>
<text variable="collection-number" prefix="no. "/>
<text variable="volume" prefix="vol. "/>
</group>
</if>
</choose>
</macro>
<!-- Citation -->
<citation>
<sort>
<key variable="citation-number"/>
</sort>
<layout delimiter=", ">
<group prefix="[" suffix="]" delimiter=", ">
<text variable="citation-number"/>
<text macro="citation-locator"/>
</group>
</layout>
</citation>
<!-- Bibliography -->
<bibliography entry-spacing="0" second-field-align="flush">
<layout>
<!-- Citation Number -->
<text variable="citation-number" prefix="[" suffix="]"/>
<!-- Author(s) -->
<text macro="author" suffix=", "/>
<!-- Rest of Citation -->
<choose>
<!-- Specific Formats -->
<if type="article-journal">
<group delimiter=", ">
<text macro="title"/>
<text variable="container-title" font-style="italic" form="short"/>
<text macro="locators"/>
<text macro="page"/>
<text macro="issued"/>
<text macro="status"/>
</group>
<choose>
<if variable="URL DOI" match="none">
<text value="."/>
</if>
<else>
<text value=","/>
</else>
</choose>
<text macro="access"/>
</if>
<else-if type="paper-conference speech" match="any">
<group delimiter=", " suffix=", ">
<text macro="title"/>
<text macro="event"/>
<text macro="editor"/>
</group>
<text macro="collection"/>
<group delimiter=", " suffix=".">
<text macro="publisher"/>
<text macro="issued"/>
<text macro="page"/>
<text macro="status"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="chapter">
<group delimiter=", " suffix=".">
<text macro="title"/>
<group delimiter=" ">
<text term="in" suffix=" "/>
<text variable="container-title" font-style="italic"/>
</group>
<text macro="locators"/>
<text macro="editor"/>
<text macro="collection"/>
<text macro="publisher"/>
<text macro="issued"/>
<group delimiter=" ">
<label variable="chapter-number" form="short"/>
<text variable="chapter-number"/>
</group>
<text macro="page"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="report">
<group delimiter=", " suffix=".">
<text macro="title"/>
<text macro="publisher"/>
<group delimiter=" ">
<text variable="genre"/>
<text variable="number"/>
</group>
<text macro="issued"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="thesis">
<group delimiter=", " suffix=".">
<text macro="title"/>
<text variable="genre"/>
<text macro="publisher"/>
<text macro="issued"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="software">
<group delimiter=". " suffix=".">
<text macro="title"/>
<text macro="issued" prefix="(" suffix=")"/>
<text variable="genre"/>
<text macro="publisher"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="article">
<group delimiter=", " suffix=".">
<text macro="title"/>
<text macro="issued"/>
<group delimiter=": ">
<text macro="publisher" font-style="italic"/>
<text variable="number"/>
</group>
</group>
<text macro="access"/>
</else-if>
<else-if type="webpage post-weblog post" match="any">
<group delimiter=", " suffix=".">
<text macro="title"/>
<text variable="container-title"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="patent">
<group delimiter=", ">
<text macro="title"/>
<text variable="number"/>
<text macro="issued"/>
</group>
<text macro="access"/>
</else-if>
<!-- Online Video -->
<else-if type="motion_picture">
<text macro="geographic-location" suffix=". "/>
<group delimiter=", " suffix=".">
<text macro="title"/>
<text macro="issued"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="standard">
<group delimiter=", " suffix=".">
<text macro="title"/>
<group delimiter=" ">
<text variable="genre"/>
<text variable="number"/>
</group>
<text macro="geographic-location"/>
<text macro="issued"/>
</group>
<text macro="access"/>
</else-if>
<!-- Generic/Fallback Formats -->
<else-if type="bill book graphic legal_case legislation report song" match="any">
<group delimiter=", " suffix=". ">
<text macro="title"/>
<text macro="locators"/>
</group>
<text macro="collection"/>
<group delimiter=", " suffix=".">
<text macro="publisher"/>
<text macro="issued"/>
<text macro="page"/>
</group>
<text macro="access"/>
</else-if>
<else-if type="article-magazine article-newspaper broadcast interview manuscript map patent personal_communication song speech thesis webpage" match="any">
<group delimiter=", " suffix=".">
<text macro="title"/>
<text variable="container-title" font-style="italic"/>
<text macro="locators"/>
<text macro="publisher"/>
<text macro="page"/>
<text macro="issued"/>
</group>
<text macro="access"/>
</else-if>
<else>
<group delimiter=", " suffix=". ">
<text macro="title"/>
<text variable="container-title" font-style="italic"/>
<text macro="locators"/>
</group>
<text macro="collection"/>
<group delimiter=", " suffix=".">
<text macro="publisher"/>
<text macro="page"/>
<text macro="issued"/>
</group>
<text macro="access"/>
</else>
</choose>
</layout>
</bibliography>
</style>

226
hw4/reseni.md Normal file

@ -0,0 +1,226 @@
---
title: Analysis of Electronic Resident Identity Card proposal
author: Ondřej Hladůvka
documentclass: extarticle
classoption: 10pt
geometry: "left=3.5cm,right=3.5cm,top=1cm,bottom=1cm,includeheadfoot"
# disable word splitting
header-includes: \hyphenpenalty=10000
# references
csl: ieee.csl
link-citations: true
references:
- id: rc4
container-title: "RFC 7465 Prohibiting RC4 Cipher Suites"
type: report
genre: RFC
number: 7465
author: Andrei Popov
issued: 2015
URL: https://datatracker.ietf.org/doc/html/rfc7465
- id: des
container-title: RFC 4772 Security Implications of Using the Data Encryption Standard (DES)
type: report
genre: RFC
number: 4772
author: Scott G. Kelly
issued: 2006
URL: https://datatracker.ietf.org/doc/html/rfc4772
- id: rsa-pss
container-title: RFC 3447 Public-Key Cryptography Standards (PKCS) \#1
type: report
genre: RFC
number: 3447
author: Jakob Jonsson and Burt Kaliski
issued: 2003
URL: https://datatracker.ietf.org/doc/html/rfc3447#section-8.1
- id: elgamal
title: A Public-Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms
author: Taher Elgamal
container-title: IEEE Transactions on Information Theory
volume: 31
issue: 4
page: 469-472
type: article
issued: 1985
DOI: 10.1109/TIT.1985.1057074
- id: SHA3
title: "SHA-3 Derived Functions: cSHAKE, KMAC, TupleHash, and ParallelHash"
type: report
genre: NIST Special Publication
number: 800-185
publisher: National Institute of Standards and Technology (NIST)
author:
- Kelsey John
- Chang Shu-jen
- Perlner Ray
issued: 2016
URL: https://doi.org/10.6028/NIST.SP.800-185
- id: ecdsa
type: report
title: Module-Lattice-Based Digital Signature Standard (ML-DSA)
collection-title: FIPS 204
publisher: National Institute of Standards and Technology (NIST)
issued: 2024
URL: https://doi.org/10.6028/NIST.FIPS.204
- id: luov
type: report
title: Status Report on the Second Round of the NIST Post-Quantum Cryptography Standardization Process Section 3.24
collection-title: NIST Interagency or Internal Report (NISTIR) 8309
publisher: National Institute of Standards and Technology (NIST)
issued: 2020
author:
- Alkemade Nicky
- Alperin-Sheriff Joel
- Apon Daniel
- Cooper David
- Dang Quynh
- Kelsey John
- Licht Sean
- Liu Yi-Kai
- Miller Dustin Moody
- Peralta Rene
- Perlner Ray
- Smith-Tone David
- Alagic Gorjan
URL: https://nvlpubs.nist.gov/nistpubs/ir/2020/NIST.IR.8309.pdf
- id: clone-attack
type: article-journal
title: Android Data-Clone Attack via Operating System Customization
author:
- Song Wenna
- Ming Jiang
- Jiang Lin
- Yan Han
- Xiang Yi
- Chen Yuan
- Fu Jianming
- Peng Guojun
issued: 2020
container-title: IEEE Access
page: 184708184720
DOI: 10.1109/ACCESS.2020.3035089
URL: https://ieeexplore.ieee.org/document/9246570
- id: owasp-auth
type: report
title: Authentication Cheat Sheet
collection-title: OWASP Cheat Sheet Series
publisher: Open Web Application Security Project (OWASP)
issued: 2023
URL: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html
- id: luov-attack
type: article
title: "The Nested Subset Differential Attack: A Practical Direct Attack Against LUOV which Forges a Signature within 210 Minutes"
author: Beullens Ward
publisher: International Association for Cryptologic Research (IACR)
collection-title: IACR Cryptology ePrint Archive
issued: 2020
URL: https://eprint.iacr.org/2020/967
---
<!-- Does the system proposed in the paper satisfy all the stated system requirements Provide a short explanation and reasoning for each requirement. -->
<!-- Identify if there are additional inconsistencies in the system or in the system description -->
<!--Provide conclusion, summarising if the system should be implemented as a real-life project. -->
## Introduction
This analysis evaluates proposed e-ID system's compliance agains given criteria.
## Proposed requirements compliance
<!-- done -->
### The system must manage encryption keys and signing keys securely, including usage of Hardware Security Modules (HSMs) where applicable
Not met. Usage of HSM is not even mentioned outside of section 2.2. thus it si certainly not enforced.
<!-- done -->
### The e-ID data must be encrypted using strong, industry-standard encryption algorithms
Not met. Section 2.3 describes encryption of the e-ID credential by the issuer with:
DES[@des] and RC4[@rc4] which are insecure.
SHA3 which is a hash family[@SHA3], not encryption.
RSA-PSS which is signature algorithm[@rsa-pss], not encryption.
And ElGamal-OFB which is not a block cipher[@elgamal], thus its not standardized in OFB mode
<!-- done -->
### The system should rely on use of digital signatures to verify the authenticity of the e-ID data and to ensure that the data has not been tampered with
Partially met.
LUOV/ECDSA signatures are proposed, but the issuers signature on the e-ID is not explicitly verified by RPs.
<!-- done -->
### The system must ensure that e-ID that was not created by the issuer does not pass verification by the RP
Not met.
In Presentation protocol step 8 RPs only check for "meaningful plaintext," not issuer signatures, enabling tampering and unauthorised access.
<!-- done -->
### The system must ensure post-quantum security for all the components
Not met.
ECDSA is vulnerable to Shors algorithm, as confirming by NIST PQC standardization [@ecdsa]. But its still proposed in both issuing and presentation protocols.
<!-- done -->
### The system must use standardised cryptographic algorithms
Not met.
LUOV is not standardized and was rulled out by NIST[@luov].
Voulnabirities was found[@luov-attack] and proposal does not mention any mitigation.
DES[@des] and RC4[@rc4] are deprecated.
<!-- done -->
### The system must ensure that attackers getting access to the users device are not able present honest users credential to the RP
Not met.
System lacks device-level authentication or any other second factor, allowing attackers to present credentials.
<!-- done -->
### The system must ensure strong user authentication before credential is issued
Not met.
System proposes just photo verification which is weak and unrealiable[@owasp-auth]. No multi-factor authentication is required.
<!-- done -->
### The system must ensure that adversary cloning the mobile device memory, does not gain access to user private information
Not met.
Private keys arent explicitly stored in HSM, thus they are vulnerable to memory cloning[@clone-attack].
<!-- done -->
### The system must ensure that adversary cloning the mobile device memory is not able to issue revocation, issuing and presentation requests (without active participation of user)
Not met.
Revocation requires no user verification enabling misuse by attackers.
## Additional notes
### Insecure Communication
Section 2.2 proposes to send all the information over
public communication channel without TLS, this is a critical flaw.
### Offline Revocation
Users can self-revoke/modify e-IDs without issuer, risking fraud.
### Unencrypted Cloud Storage
Lack of encryption at rest for cloud storage of e-IDs
risks data breach.
### Denial of service
System do not restrict the number of field in the credentials, risking overload by maliciously large input.
## Conclusion
Proposal makes several false claims, proposes usage of deprecated (DES, RC4) as well as experimental ciphers (LUOV).
Does not enforce HSM usage, multifactor authentication and data at rest encryption.
It also fails at choosing standardised ciphers and does not enforce post-quantum cryptography.
And is by design vulnarable to denial of service.
**I do not recommend system implementation until these issues are resolved as it would not improve security compared to present system.**
\newpage <!-- inline latex commands :3 -->
## References
<!-- these will be generated automatically by citeproc -->

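Review bot: The post-quantum argument `ECDSA is vulnerable to Shors algorithm, as confirming by NIST PQC standardization [@ecdsa]` cites the `ecdsa` entry, which is FIPS 204 (ML-DSA); that document specifies a lattice-based signature scheme and does not itself establish that ECDSA falls to Shor's algorithm, so the claim should cite Shor's algorithm paper or a NIST post-quantum report that states ECDLP-based schemes are quantum-vulnerable, and the entry id renamed to match its content (e.g. `ml-dsa`). The `elgamal` entry is typed `article`, which the bundled ieee.csl renders through its `article` branch (title, date, publisher:number) and therefore drops the journal, volume, issue and pages; `type: article-journal` is the CSL type for a journal paper. The `clone-attack` page field `184708184720` looks like it lost its range separator (`184708-184720`). Wording: `as confirming by` → `as confirmed by`, `Voulnabirities was found` → `Vulnerabilities were found`, and for a mobile device `Private keys arent explicitly stored in HSM` is better phrased as `Private keys are not required to be held in hardware-backed key storage (secure element / TEE-backed keystore)`, since an HSM is an issuer-side component while the cloning threat concerns the user's device.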
BIN
hw4/reseni.pdf Normal file

Binary file not shown.