Task 2 Limits of confidentiality In this task, you will explore some of the limits of block ciphers in their use within a secure system Based on the PKCS 7 padding and CBC encryption code from Task 1 , write two oracle functions that emulate a web server that wants to use cryptography to protect access to a site administration page First, at the start of your program generate a random AES key and IV , which will be used in both functions, keeping it constant for the execution of your program ( do not generate a new key or IV for every encryption and decryption ) The first function, called submit ( ) , should take an arbitrary string provided by the user, and prepend the string userid 4 5 6 userdata and append the string session id 3 1 3 3 7 For example, if the user provides the string You're the man now, dog ( Use this exact string ) submit ( ) would create the string userid 4 5 6 userdata You're the man now, dog session id 3 1 3 3 7 In addition, submit ( ) should ( 1 ) URL encode any ' ' and ' ' characters that appear in the user provided string ( 2 ) pad the final string ( using PKCS 7 ) , and ( 3 ) encrypt the padded string using the AES 1 2 8 CBC you implemented in Task 1 Submit ( ) should return the resulting ciphertext The second function, called verify ( ) , should ( 1 ) decrypt the string ( you may use a AES CBC decrypt library or implement your own CBC decrypt ) ( 2 ) parse the string for the pattern admin true and, ( 3 ) return true or false based on whether that string exists If you've written submit ( ) correctly, it should be impossible for a user to provide input to submit ( ) that will result in verify ( ) returning true Now the fun part use your knowledge of the way CBC mode works to modify the ciphertext returned by submit ( ) to get verify ( ) to return true Hint Flipping one bit in ciphertext block c i will result in a scrambled plaintext block m i , but will flip the same bit in plaintext block m i 1

The Answer is in the image, click to view ...

Question: Task 2 : Limits of confidentiality - In this task, you will explore some of the limits of block ciphers in their use within a

Task

2

: Limits of confidentiality

-

In this task, you will explore some of the limits of block ciphers in their use within a secure system. Based on the PKCS#

7

padding and CBC encryption code from Task

1,

write two "oracle" functions that emulate a web server that wants to use cryptography to protect access to a site administration page. First, at the start of your program generate a random AES key and IV

,

which will be used in both functions, keeping it constant for the execution of your program

(

do not generate a new key or IV for every encryption and decryption

) .

The first function, called submit

(),

should take an arbitrary string provided by the user, and prepend the string:

userid

= 456

; userdata

=

and append the string:

;session

-

= 31337

For example, if the user provides the string

You're the man now, dog

(

Use this exact string

)

submit

()

would create the string:

userid

= 456

; userdata

=

You're the man now, dog;session

-

= 31337

In addition, submit

()

should:

(1)

URL encode any

'

;

'

and

' ='

characters that appear in the user provided string;

(2)

pad the final string

(

using PKCS#

7),

and

(3)

encrypt the padded string using the AES

- 128 -

CBC you implemented in Task

1 .

Submit

()

should return the resulting ciphertext.

The second function, called verify

(),

should:

(1)

decrypt the string

(

you may use a AES

-

CBC decrypt library or implement your own CBC decrypt

)

;

(2)

parse the string for the pattern

"

;admin

=

true;" and,

(3)

return true or false based on whether that string exists. If you've written submit

()

correctly, it should be impossible for a user to provide input to submit

()

that will result in verify

()

returning true.

Now the fun part: use your knowledge of the way CBC mode works to modify the ciphertext returned by submit

()

to get verify

()

to return true. Hint: Flipping one bit in ciphertext block

c_{i}

will result in a scrambled plaintext block

m_{i},

but will flip the same bit in plaintext block

m_{i + 1} .

Task 2 : Limits of confidentiality - In this

Step by Step Solution

There are 3 Steps involved in it

1 Expert Approved Answer

Step: 1 Unlock blur-text-image

Question Has Been Solved by an Expert!

Get step-by-step solutions from verified subject matter experts

Step: 2 Unlock

Step: 3 Unlock

Students Have Also Explored These Related Programming Questions!

Simulated Business JKL Industries Business and strategic planning FY 2014-2015...................................1 Operational...

Springer 2011 Journal of Business Ethics (2010) 94:311-322 DOI 10.1007/s10551-011-0759-3 Beyond the Manager's Moral Dilemma: Rethinking the 'Ideal-Type' Business Ethics Case ABSTRACT. Case teaching...

1 WILMINGTON UNIVERSITY LIBRARY Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) 2 WILMU LIBRARY SERVICES 20,000 student population served 13 physical locations of access to university...

Jones & Bartlett Learning, LLC. NOT FOR RESALE OR DISTRIBUTION CHAPTER Hot Spot Analysis 10 LEARNING OBJECTIVES C A R R Provide a working definition of a \"hot spot.\" , Be able to explain different...

Tash J. SU10 Program In this task, you will review the characteristic of a SUID program and threats it bears when it is root-owned and vulnerable. a. While logged in as alexa, create the set VID...

please I need these answers : Question 1 "Classify firewalls as a security control as one of the following types: prevention, detection, recovery. Choose the answer that best fits." Detection...

Task 3: SUID program In this task, you will review the characteristic of a SUID program and threats it bears when it is root-owned and vulnerable. a. While logged in as alexa, create the set UID...

The current issue and full text archive of this journal is available at www.emeraldinsight.com/0957-4093.htm IJLM 17,3 Realities of supply chain collaboration 312 Tilburg University, Tilburg, The...

SCHOOL WORK 224/LBB Prior to composing a warmed reaction letting me know how I'll become wiped out along with FEP developers when point-and-snap dominates, help me out and peruse the remainder of the...

If the following layout is suggested for ABC, will you agree with its implementation as an improvement for the current one (given in the case: Exhibit 2)? Compare the layout given below to the one in...

Evaluate the two fast-food restaurants in terms of the "Seven QC tools" Sonic and McDonalds. Determine the top three QC tools that tend to be most valuable to business owners. Explain your rationale.

Assume that the differences are normally distributed. (a) Determine di = Xi - Yi for each pair of data. (b) Compute d-bar and sd. (c) Test if d (d) Compute a 95% condence interval about the...

Return on a company s net operating assets is commonly used to evaluate financial performance. One way to increase performance is to focus on operating assets. How might this be done in relation to...

Find the rate of change where x xo y x2 5X XO 6 O 17 O 1 11 7 dx