CS671 Fall 2021 Homework 7

Dark Patterns, Crypto, AES

Dr. Greg M. Bernstein

Due Wednesday, October 13th, 2021 by 11:59PM, 50 points.

General Instructions

The goals of this assignment are to get familiar with Dark Patterns, Basic Cryptography, AES, and Public Key Cryptography.

Create and Use a new Branch hw7

We will create a new git branch called hw7 for use in this assignment. The branch you create must exactly match the one I’ve given you for you to receive any credit for this homework.

Prior to creating this new branch make sure your working directory is “clean”, i.e., consistent with the last commit you did when you turned in homework 6. Follow the procedures in GitHub for Classroom Use to create the new branch, i.e., git checkout -b hw7. Review the section on submission for using push with a new branch.

Use README.md for Answers

You will modify the README.md file in your repo to contain the answers to this homework.

Questions

Question 1. (10 pts) Dark Patterns

(a) What is it?

What is a dark pattern in your own words? Is it illegal? Is it unethical?

(b) Example Dark Pattern

Given an example of a dark pattern that you have experienced (in general, you don’t have to reveal your details)

(c) Roach Motel Dark Pattern

Read the example of the Roach Motel Dark Pattern. Is this an example of just one dark pattern or multiple? Look at the Dark Pattern Harms page. What are the harms experienced by users that fell for the roach motel example.

For your information. From Wikipedia: Roach Motel: “the phrase roach motel has come to be used as a reference to all traps that use a scent or other form of bait to lure cockroaches into a compartment in which a sticky substance causes them to become trapped.” Tag line: “Roaches check in, but they don’t check out!”

Question 2. (10 pts) Crypto Principles

(a) Open Design Principle

What is the “open design principle”? How does this contrast to “security by obscurity”? Should you trust a crypto system whose details have not been publicly reviewed?

(b) Plaintext versus Ciphertext

What is the difference between plaintext and ciphertext?

(c) Size of the Key Space

Why does the size of the key space for cipher systems matter? Is this related at all to password length requirements? Explain.

(d) Attacks on Cipher Systems

What is a “chosen plaintext” attack on a cipher system? Does it give the attacker more information to work with than a “ciphertext only” attack? Why might a “chosen plaintext” attack be more difficult to do in practice than a “ciphertext only” attack?

Question 3. (10 pts)

(a) Crack my shift Cipher examples

Crack with brute force the following shift cipher examples (each may use a different shift). You can use my Python examples from Crypto Basics or simpleCipher.ipynb which is an IPython/Jupyter notebook.

CSJSF, SJSF IGS N GVWTH QWDVSF!
        ESP ZPIE OLDP DEFNJ TD DSLNYH MCYVPCD
        IS TSY BWOYJ DSZW SBT HWDUYS FQLSWOYMR
        UTZ GRR GRMTXNZOSY GXK KWAGR!

(b) Create a double substitution Algorithm

Create a cipher algorithm that uses two different substitution ciphers alternatively on the letters in the plaintext. Show your python code and an example encryption and decryption here.

(c) Encode a book

Encrypt the sherlockHolmes.txt and show the results of the frequency analysis on the ciphertext here.

(d) Crack your Algorithm with a chosen plaintext

Show how to crack your algorithm with a chosen plaintext attack (like in the course notes and Python notebook).

Question 4. (10 pts)

(a) AES efficiency

What is a micro-controller? Is AES available for micro-controllers? (Hint: look for AES and Arduino). If AES is available for micro-controllers why is security of IoT a problem?

(b) Key Length Compromise

Why would using text directly as a key in AES potentially compromise security? A 256 bit AES key corresponds how many bytes? What equivalent portion of a byte isn’t being used for key material if we know that each byte in the key is an ASCII printable character? What does this imply for a 256 bit key? Rough approximations are sufficient here to justify your answer.

(c) Bad AES Use

As demonstrated in class even though AES is a very well proven encryption algorithm, its misuse can leave huge security holes. To see this yourself, take a screen shot of something without much detail on your computer. Save it in JPEG format. Using either the Python in the AES slides or this Jupyter notebook encrypt the raw bytes with AES-ECB and show me the result here.

Then encrypt it with AES-CBC and show me the result here.

Question 5. SSH and Public Keys (10 pts)

(a) Generate an Key pair for SSH

On your laptop or other machine generate a Public/Private key pair using ssh-keygen. Show one of those pairs here. Which of the keys can you safely share on your homework?

(b) Share Key with CS Server

For your account on the CS department server set it up to use public key access. Show your modified authorized_keys file here.

(c) Demonstrate login without Password

Demonstrate that you can login to your account without a password, e.g., take a screenshot right after successfully logging in with your keys. Mine looks like:

SSH with no password