Type of assignment: This assignment should be done in groups, formed according to the group formation rules, except those parts of problem #3, which are marked accordingly. It is highly recommended that the students work on group assignments in the same groups as they will be working on the term projects.

Note: The assignment submission should clearly list the student members of the group, their names, and student numbers on the first page.

Points: The maximum number of points for this assignment is 32, which will be prorated accordingly after all assignments are posted. Weight of each problem is in parenthesis.

Format:

1. Assignment submissions are accepted in the following formats only: HTML (extension .html), PDF (.pdf), RTF (.rtf) , ASCII text (.txt). Assignments submitted in any other format will be discarded. All text in the assignment submissions must be typed and figures plotted to be easy to read and understood. Spelling, grammar, and other language errors will result in fewer points credited to the corresponding problem solutions.
2. Your submission file should be named to reflect the names of the group members, and the assignment number, e.g., alice_bob-assignment_1.pdf.

Problems

1. (4) Write answer to problem 17 from section 8.7 of the Bishop's text book.

2. (6) The following algorithm is used by historic AT&T System V UNIX systems as the default checksum algorithm. This is a 32-bit checksum, and is defined as follows:

   s = sum of all bytes;
   r = s % 2^16 + (s % 2^32) / 2^16;
   checksum = (r % 2^16) + r / 2^16;

   This is what you need to do:

1. Concatenate student ids of all the students in your assignment group, and compute the checksum using the above algorithm. Submit in your solution both the output (in Hexadecimal form) and the input of your computation.
2. Evaluate this algorithm as a candidate hash function for fingerprinting all publicly known programs for the purpose of computer forensics (remember the example Kosta gave during September 15th session). Explain why you believe it should or should not be employed for this purpose.
   
3. (8) PGP
   

   This problem has both individual and group elements to it. Your group should turn in one write up answering each of the parts labeled [group], but all key pairs, emails, etc. should be created and sent individually.
   
   1. Read Alma Whitten's paper, "Why Johnny Can't Encrypt."
   
   2. Locate and install a fresh version of PGP or GPG. There are versions for Unix flavors, Windows, and Macintosh. http://www.pgpi.org/ may be of use.
   
   3. Find the PGP public keys for as many of the EECE 412 teaching staff as you can. Part of your assignment is figuring out how to locate PGP keys. Searching the Internet for PGP key servers may be of help. But beware; there may be fake keys out there. . .
   
   Here's what you do to submit your solution to this problem:
   (2) (a) [group] Reflections on Trust. PGP's "web of trust" model allows users to "sign" each others' public keys. Suppose Alice signs Bob's key; what, in effect, is Alice declaring when she does this? Why is it useful for people to sign each other's keys? What precautions should one take before signing someone else's key, and why are these measures appropriate?
   (3) (b) [individual] Getting started. Create a new public/private key pair for yourself (you may use an existing key pair if you already have one). Sign each of your group members' public keys, and have them sign yours. When all of your group members have signed your public key, email it to the TA in ASCIIarmored format, with the subject My public key.
   (3) (c) [individual] Encrypting email. Send an encrypted, signed email to the TA with the subject "PGP is fun". In the body of the message,
   · Tell us what operating system and version of PGP you are using.
   · Show us the public keys you found for the EECE 412 staff; PGP fingerprints are sufficient.
   · In a few sentences, explain why you do or do not believe that these keys do indeed belong to the EECE 412 staff. If you do not trust a public key, explain what would convince you otherwise. Your mail should be protected with PGP such that the EECE 412 TA, and only the EECE 412 TA, can obtain the plaintext contents. You must also sign the mail with your private key. We will only accept your first message, so make sure to get it right the first time. Are you able to finish the assignment in fewer than 90 minutes as in Whitten's experiment? Remember to cite all your sources (books, manuals, friends, etc.).

4. (6) PGP Alternative

   Consider the following scheme for "signing" messages:

   1. Alice uses some trusted way, e.g., via face-to-face meeting or by publishing an ad in a newspaper, to give Bob (and everybody else) the URL of the Web page H.
   2. Alice arranges that only she can modify H, e.g., by hosting H at some trusted Web hosting provider known for good security.
   3. Whenever Alice sends an e-mail message M to Bob, she posts M_h=hash(M) at H.
   4. If Bob wants to make sure that it was Alice who've sent M and the content of M has not been tampered in transit, Bob
      1. computes hash M'_hof the received message M',
      2. searches H for M'_h. If Bob can find M'_h in H, then Alice indeed sent M' to Bob. Otherwise, Bob is not sure.

   You need to do the following for this problem:

   1. Make sure your group assignment solutions are submitted as one file. If your assignment solutions are comprised of more than one file, create a zip archive.
   2. Once your assignment solutions file is submitted, via WebCT, the member of your group who submitted your group's solutions, should also post both MD5 and SHA-1 fingerprints of the submission file on his/her home page at the course WebCT site. The fingerprints should be posted no later than 1 hour after the assignment deadline in order for your group to receive any points for this problem.
   3. Compare and contrast PGP with the above scheme. Limit your answer to one page.
      
5. (8) WEP vs. WPA

Your group works for small consulting company Vancouver Security Engineering (VSE), which received a contract from ICBC on evaluating the option of migrating from WEP to WPA. ICBC employs wireless networks in its claim processing centres where staff uses wireless PDAs and laptops to input information about the damage of the cars, as well as to upload digital photographs of the cars' damaged parts into the claims database.

ICBC uses Wired Equivalent Privacy (WEP) for securing its WLANs but the management is considering migrating to Wi-i Protected Access (WPA). Your group is tasked with evaluating data confidentiality, authenticity, and integrity protection as well as key management in WEP vs. WPA. Since other teams of VSE are evaluating WEP and WPA with regard to authentication, you should not be concerned with the authentication between wireless station (e.g., PDA, laptop) and the WLAN infrastructure.

Write a short report for ICBC that compares and contrasts WEP and WPA from the point of view of data integrity and authenticity protection as well as session key management in ICBC's claim centres' WLANs. The report should be as technical and detailed as possible but no longer than 3 pages, including all the text and figures. Do not include a cover page.