Document Contents

1. 
   Question 1
   
   1. 
      Public Key to Conference
      
   2. 
      Encrypted Messages Sent
      
      1. 
         Peter Graham
         
      2. 
         Edward Munns
         
      3. 
         Kevin Arnold
         
   3. 
      Encrypted Message Received
      
      1. 
         Encrypted message1
         
      2. 
         Decrypted message2
         
2. 
   Question 2
   
   1. 
      Table 2 – Validated Token
      
   2. 
      Table 3 – Answers to Questions
      
3. 
   Question 3
   

(Technical appendix-A2)

(Technical appendix-A3)

4. 
   Question 4
   
   1. 
      Reflective: Module Companion
      
   2. 
      Reflective: Original Study Plan
      

Exchange Public Keys

T209 spj3 PGP 2004

From: Karl Lawrence

Subject: Re: My public key

To: T209 spj3 PGP 2004

21 July 2005 22:48:00

Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

Comment: This encryption was prepared by: Karl Lawrence
mQGiBEK+klcRBAD3hTXVrVQ1gBy8yxtctYiSpVBoHB+V1vVIukniaH30O9rQXI/T

aeNtXO6RTzTzr9xXNqixxbhfw4WYN/ejGEomP3sUq1KelSowAf84e/iD7tkfosBC

MMrx+0aO+X2bX8ZR/DdMup3VTeCagg5QQU/3ON/7bzsUx8wNxgxMtpD3bQCg/+kM

jG0KfXt7ugno6na7ibslyOcEAIHIEP7VflW5QlUfZQuGVmQoJwPnH2x8E2wEnQTJ

f+t3Qd/B+OKaIfWI/dQ5BkX6791cX5WRFrZp5ovVl3Hz9cxhc3hjE0cUkeBuMO0u

t7eGVn8bi+jxBCHzUkFBRoJ5u5VmuUo/o9je62N7BZ62lHxIhm1PRZxzLRyY7gv+

59o6A/9dZgPlhuleZ2s6q10TELr3Rbhr9FHoI7x9GrvQ1h7rxU/2MahVskA/l6+G

aF2RBkriOSmNLhvwxTzs5kDq8PnrlaZoh/NQ9mj4b8ti67cMvnA5MQb9hUd5XPSj

GT+xCSImFrGq8cI9QnGoollE/CNH8SGWUKMRu+D5a8X+l2VvtbQoS2FybCBMYXdy

ZW5jZSA8a2wyMjVAc3R1ZGVudC5vcGVuLmFjLnVrPokAWAQQEQIAGAUCQr6SVwgL

CQgHAwIBCgIZAQUbAwAAAAAKCRC0ytSY01ZFGBoAAKC5PEmAD74vVhG+rWHaTEfn

faIGNgCg9j4YsaqhWzLjcIjO6qhbOcW2+Cy5Ag0EQr6SVxAIAPZCV7cIfwgXcqK6

1qlC8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXp

F9Sh01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2R

XscBqtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMc

fFstjvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGN

fISnCnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7D

VekyCzsAAgIIAKmAAWpHCoq5ADpnXeE+tB+PIvwoCuce0T5juv9fOzeGpWGTnYO0

dIsnV2Ah+Dqu6lrFVHNediEi/LDe30iyv/32sIdV1Y+IfnS154OJmZltbU1y3Yoy

2KEwe+LP885ncL0SjR07dLFfGMMFuvPM/d4K05JNaJNF4tvivsrdKlK7HszCgJRi

z2swSlvPIXcXbQyMQjkx9FRYLM842FI+Fhqkbishp7NIRp3axKVpw4eAmH/czKSQ

n4JF49Y4YxU3Nhhw3TpuVYyymkQihp4f9lYhLGadvVODqaQO8/CWgHmtD0GRYoc/

7PxIajVS6ridCPbXpTH63WzwrkGFrVfcN8iJAEwEGBECAAwFAkK+klcFGwwAAAAA

CgkQtMrUmNNWRRgaIgCgjYhVp8NvvZXUFhuAHL/peKqwWaUAoOgXo5ms8iP0GEtn

79di/2T+G4LA

=MXfv

-------------------

Encrypted Messages Sent

Peter Graham

Message

Subject: Re: Message from Pete

To: Peter Graham

24 July 2005 09:55:29

Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

Comment: This encryption was prepared by: Karl Lawrence
qANQR1DBwU4D5WUq3u5jcp8QCACu84ezo+0UEum7wv0eyY/BxI26g4QNxHZowjmH

2atjJxcmzvzTX/bF9XkR7EDi1ICNE9p8zQAlrkNyS0cPf1ohlLZXd6cB6QvjUyV3

mYk6sx+dhFzNluR6MxYF2lLcpg1ihuEdzK8Rq4L71tSvPjpyKiBCFud+Q7EbzVcD

BviOPCyX4w63Gpxb4Omza44rJEXwgEHCrwvsRPitJirmQrDtUYn8inAvrZKPaFmP

iod+QY6tCNkSdXKm4iH/fNBsCtsH9S7GaTb/Kv2KPtVOquKri/OPYFdJ+9RkRRAz

5rBmPcV9Lb1+XdIoCW8MlwC83eF7oenJm+jcRrrpmAKk647DCADHVBiMkxZkxIrJ

EZ4/VlLLBoPmkAOPbUDac4rFm+4/M2xLLOlaGJ46bRcKxA16Y7vhSgj6xr1aXLOe

CelNhDYeMLwqqRkNxBR83wnERRJVK4zB8ZbeoCZ39KEOBW+G/dmbihYwD+kjKpyv

uj9lBz6v+IA5TEAlEgZZ64o5kjFfw76wCawtJumsWSUkUR8FITO+YIkKxm4tdZTz

qGoKqJIfPGmTiWK9KCs5alHo2kq4lLpTQ8l7mrbBBDCVvVFNabN4sZfPFxP6ENjX

EbidB1H2jiFj5gf4dXcQMbEKKIdNeJhytmQPoxEc+99VxvfhJgvx2HZaHw+iuRel

iprIcLJHycC0HhysAUJpk0IHsNtJf2538zKdnOTIIAWsCyvDxaAkcosyL2vPMEc5

Ehf137j0XEcYzTUMajE1v2JthXtX+HnJ2i87GbecxbxnU8OdIs/UPCzB8ujrA5Gl

6WvevfGBrk/7ondXTZ90V+Oz06IlhMi+jhUsOTLsfPc3e63GjLrErz6vnvMeu628

iTKhqdkdUZMewR4skXdVIbSjmBsPJYQzJz1mJq/9JodgJgqH/+T0OkfREBAjzCf3

mZFYodEXqjK4K8O3yp7hMzBgIUgrU7dtKrQTYRXIcCfZk/vwGnFg/tM27jyiqq/y

9ZMffxUmdDSSocUx87WHi5IGr0mifNzszUpX4qMF39h++vwcUuddL6RD9RzfPZys

8oKI+22MzcGXQUnAycuyM5ptn4okh8yNTEESyE/bDMMsbJDIQqQ04q1+e80cL0Xj

Ai13yge9V1LCQteGagJGci8Bo+Mc+3Av9XX4zgvw5kWAkGVe97pR9KjtW/f+

=Ids0

- --------------

Edward Munns

Message

Subject: Re: Message from Ted

To: Edward Munns

24 July 2005 09:53:00

Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

Comment: This encryption was prepared by: Karl Lawrence
qANQR1DBwU4DpSBXfhjZkBEQCACxe9gewGEPvtPb9X1UPADMfGkmRiamfoerTlMH

b0Cq59e8MNvNx7oC2UoUyu8EErB+aFPFbEbV+5BSnmOiZTGisLgpUPZeEwSxEeQp

h11+EBHz43dbaRFQQ3KsUXd9JBv5p4I6ruI6Hi9Nfd8nBrj9vcxn97kgBz/egIQm

WDzNSXgjVGj/dNYlFKQAZ0Yv+aTC2sV6esjeHYzjQrAWF3yrRWPyaw/ywbSfix5V

q2/Z8rUbYWzjS4WnXb8EFs/cKj+/2QflKuBjH+V+GW5W0t8MQPgUV/Cd1SVkcdKk

SwQJVjZlH86pxzy7Ka2RLghc8H1YSoLtR0U30YFWDoaBH0YAB/9M5YXOBRH3qnWY

jlbuFJ5UoH64yI4c60ALdA6IpwYLSr622qXDtJYjireBufEONQyhhhZYH8IGFmhu

xqPqXSi3YeuRIZhJxBwIrVKcfCGlHQ0Im0fQqdNtd9I9a6BXfe4g0V477qbEBSaR

s4SlJ/uCOy9ilb1PJP94k9VMReRwRSoj6M7mhon80GJTRM6L+6BHw2GFByg/9Xmi

1tJgcpD1Wu9x4yReEUCCeGkFBRp9ChfXMivo0ezoIwdgiCdemrZQrNiNWE3Y3QvW

HUCZjop/qnmepWxn4Xu4JRc/Gd9P3ICEpTrxSY+h+oA6SrJHDzhqs2BiyaC+W/3K

jhCjzQyHycC0tDwiWhXgLXvUiO6RjBn3AgPSUlAOGoCvJUOg70jTx63hdRfYrXf3

ajkLR2c8fkZogIbxkYA0rc7l3SKM7TNSb04zFZyOFfPhrxx5u9oXBPK1sdnTyZum

/qFfwS9cKEZWPGtXZe9ouhyMnXhiq4riKmAsVzUIVlmkvgEhTv+5IPJHRSPSuHoB

zY1+oBtOJVpV3zcF9ZtkgwA213Rl+zCWObMXxpdLF/bm/5JJO/HgPSBMXzpGjhzr

zjSuDt2vtCl1iquFx7L8qYjqTqHTi0CXtGejqEngQ7BrmNqnWiD5KDmoM3s1K3WI

1bliKD7SrHmdlk/cUyNwVfMsjQtt/mcyq0jc8AQzqgxGy1mzcH6FxokB4YIT5ai2

gkIWQYQ6E018J5/ChMNyvnFW+9oyrYvc0KTBr6TSjYaHthPlpvTEi93SEY/8gNRe

ZBzteVVPmHe4Zl7nlgmhcJXdBqU51fDMtW+4Cod5UShlI55CdRdqBq6Kw2Uf

=lw60

---------------

Kevin Arnold

Message

Subject: Re: Message from Kevin

To: Kevin Arnold

24 July 2005 09:50:07

Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

Comment: This encryption was prepared by: Karl Lawrence
qANQR1DBwU4D/IXfU7SpsVAQCACf2Eerb2j41RW3n+I2koOzEpF3rdzwju9VF3aM

IRfyVyYg0OsiBH1wbBRdabnE9ESgqwcVFHu3WdH+62+ccutjiKa0CleAjroelZ8O

ICJ+a0rh7wNlh0Sb9FujTzeGfSmfxpJ8tik3gg1gbDoMtsL0yJLzkS82wNRRtY5H

t4PHClRTwPcRVBUKyNbcDi7nzncACqck7LMHl0gwcmQWNDyD0PC3pDdr47mXXusV

kBGBgT3Xu7+L6fk0jTnA3uG2o2OV2jZzPC8jyMkZeHSskhSvee/VXQ28s30e2EmU

u8EBqmpZK/P7xCo95fn+9YUkeur+qfgpGZeMx4xTJvmyb3MrCADNdNMhRAKt3rfn

v4J5rsT7pdoW4xL5OrA/ZDRJlwJK2EI+Kp6t3Gg/1tUMynuVYBWqgq8wWUlOrYGd

u2jqJDnxQ7kqL5t6UqqzvjdfaTQbccxwSDjjprD500O/C2PLdkFkkjzBfYhZ3RBi

qRYbGigjtSO3uJH/QZ1lpz+ooUYDql8fPbhCWhiT3hItJ94k1lTGxJg3/85gkaSY

sv19+yw5KBVB9fgjUJte8TlFv5q08yCJiL1JgfORamaA1qp7bkeG8W56CdowC9qZ

tCVhaynmSYot7TxpgqrIY+fbCh/mksWp3rA4R6ePb9LmyDqtka0NS2379ugTA3kg

eUQkAL4lycC0iVTJvaurgzwISCbYBcs1sEnxScxmb3+rmup+3uPCDhzP3UhcM0Oj

jMkl/fyg4mJ+6QlUGXpEJiUcKkVUI038cDi3J27FukhZO4R3Ls3I0aWpgFsx2PZc

m/+L2cJ8Y3eK22/PWbJL8Ot1v7wM8Sk5Lltv9ycmyCxGkmLx17P0YywWqy8+9epB

TujOypt2GmD5McylAaKACwmUkU29tQIrDa5cDLUDpbK0DmhNv181WrrBR0OKBsNO

cWhZ9NYydDqIzelvf1QjBVZX9G7WlWQ5QGyyh5YKEjxuHYigJHtWLDGBG5lEVeUZ

G94KvG83kspEePHn2qPoyO8kh/gu5cVoIGjJazJIVBwCuAV4IAijY5mzzrkFT/HT

NPVxQrYGDSf1h3gbtKbXgyqwbHy9W3vB/tpdFCVeQKDLhdC8VRWbk37iwr/HnvAR

RJZfUT85Y1wcDNGcm+bNQTKg5mbtz2bFgWUZfV+esmfXhJ1A3GejMGB0+aDM

=fgQD

---------------

Encrypted Message Received

Encrypted Message1

Message

From: Peter Graham

Subject: Message from Pete

To: Karl Lawrence

22 July 2005 10:36:41

-----BEGIN PGP MESSAGE-----

Version: PGP 8.0 - not licensed for commercial use: www.pgp.com

qANQR1DBwU4DssxDKewykOIQCACBqxIIeVnbm05Pg2JZyDez9T7ekkeIGGs9+q2K

uXkWBA0HWG4ayvbaI64krxdVEzz1+pEEwvGVBCXGlyFVheyW87XgsFbp+Lg7Gqrm

Zbn3558e5t8CWFKJKH09Xc8CTWLxPzI+iNTqvbz2rG0TdAJwPgtIpAgvdDU0Fy/N

K2816aGphootJb38blufGS3Fi6vcJ1OK+gCtRa8maoaYu6/7YTNME/BieQYB5C45

1OJyFBr2JEXJEFIpuXTC+owar84W5dfW6UqHMe9BCnCVZ09alF9gJ7/OX3L/rOXK

+DsAZyGT1UiOX1EJ79irz8T23Ab9MS5STlF4ewCJSi+DlhbDCACK6722WsoKIcY9

qpQHrdvjrojg7WmPkcm661DUQ+dkAEYxeWhs5zvRQU+BM4xbxNCaF3gO9RsaEudU

KbrnYZ/7Oybn1Nb/gQBM/p2pZ9UQbSq1K711TY8LCXBDiFCwow5wGz5PQD41lO4b

n9MKlZ/HAAgpDlgAZU24r2ETWPT1KVAp/nFI9yMHF8CsVF8DTncOeeYynWf0g0MX

7dEyCvV11uphqwR2SrjqMLK1ia9XzzlsH4bwZuSzqvNU/afooQ9S0412V9VcX+3S

4Ob17PmybwIM5CkBVuBSV1hy9yY1OLsVA8vdllFTBKY88CwqdpQfVD/j3ivzTSsJ

xJaK/MRhycAnVAaH7mK+N0xnKNJ+DSRZLwDFGGB8qSQXA3QPy/OYjSobShWhOhz1

Aju9Np9gHBebxrTOblWefVwNJkgK/6v81yoJBJWMjNLAxzsex5akCs1HkBzcSbXq

qMsp4/j9qeCRa/rfsFFeQNMtok7nkN0KEtvo8ql1j6fbjnKJtvrASs083EYrla5C

YAaLOraeID0KFKqS197DDILJ0uTe805tWUycN/AnHTX7VeV2KQxWNvotUcYShB+x

JXWtFWtu299F8ZVbt0Q2NwhVRxCs/iX0wkpiM3R/TTThT6rXtJMvk68nSUyTXZen

=7iQ9

-----END PGP MESSAGE-----

---------------

Question 1c – 2

Decrypted Message2

hi karl
My advice is don't spend too much time at module 5 and tma05(15% OCAs)

as the ECA is more important.

I scored 80%in the ocas for a previous course but my ECA was 47% and so I ended up withonly a grade 4 pass!

So be careful
regards
Pete
Back to Top

---------------

Question 2a

Validated Token

Table A2 Calculating a hash

Row number	Description	Value
1	Modulus nD for addition when creating the digest	999983
2	Visit number V	743625
3	Modulus nH for encrypting the digest	11881379
4	Key KH for encrypting the digest	5452805
5	The value stored in Step 8 of Table A1	6454892
6	Value for extracted from message received in Step 12 of Table A1	274689
7	Value for extracted from message received in Step 12 of Table A1	9917059
8	Message digest of by substitution: 743625, 274689, 9917059 and by Modular addition: 935543 mod 999983	935543
9	Value for With the calculated Message Digest, substitution gives, H (935543) And therefore digest encryption – to obtain hash – is, 9355435452805 mod 11881379 Hence, the calculated result is obtained by using the modular calculator: 6454892 mod 11881379. This result is identical to 5 above, which shows that the token (n1, B) – 274689 – is valid.	6454892

Back to Top

---------------

Question 2b

Answers to Questions

Table A3 Answers to CEO’s questions

Step	Questions	Answers
1	How is Alice’s request kept secret from eavesdroppers?	Alice encrypts her message using the bank’s public key. The message can only be decrypted with the bank’s private key which only the bank should have. Eavesdroppers cannot therefore decrypt the message and determine its contents.
2	What is the primary purpose of a certificate?	To provide assurance of the association between a public key and the keyholders’ identity and any restrictions on the use of the key i.e. start-/end date etc. –and, in the case of the bank, how much token is available to the keyholder.
	Is the data in the certificate private?	Because the certificate was encrypted with the bank’s private key it could be decrypted by anyone with the bank’s public key. This means that none of the data in the certificate is private.
3	What is the signature?	The signature appends the message. It is created by obtaining a message digest from the message and then encrypted with the sender’s private key. The encrypted appended-digest is called the signature.
	What is the purpose of the signature?	The purpose of the signature is to identify the sender (and to enable crosschecking, for integrity, with the message proper that preface the signature).
	What procedure would Alice’s card follow to use the signature?	To use the signature, Alice’s card uses the bank’s public key to decrypt the signature to obtain the message digest. Alice’s card calculates the message digest of the message prefacing the signature and compares the two digests. If they are the same the signature is valid.
	Could an eavesdropper get hold of the tokens?	Yes, an eavesdropper could intercept the token – using the bank public key.
4	No questions
5	What is a hash?	A hash is an encrypted compact representation of a message produced by a hash function.
6	No questions
7	Can the fitness centre decrypt the message to get the hash?	The fitness centre can decrypt the message using Alice’s public key.
	Can the fitness centre work out what the tokens are from the hash it received?	If the hash was produced by a one-way hash function then the fitness centre cannot find out what the tokens are since, with a one-way hash function, it is computationally infeasible to work out what messages would generate the hash.
	What assurance does the encryption by Alice’s private key offer?	Encryption of the hash with Alice’s private key gives the assurance that Alice sent it.
8	No questions
9	Looking ahead in the protocol, how is the certificate of help to the fitness centre?		The certificate provides the fitness centre with Alice’s public key and her bank’s identity.
10	How can the certificate be checked?		Given the certificate was issued by the Bank, and certificates are sign by the issuer’s private key, the fitness centre can use the Bank’s public key to access the certificate and / or contact the Bank directly for further clarification.
11	How are other client’s smart cards prevented from making sense of this message?		The message is encrypted with Alice’s public key, so it can only be decrypted with Alice’s private key.
12	Why cannot the fitness centre extract the second and third tokens from Alice’s message?		The fitness centre cannot extract the second and third tokens if the hash was produced from a one-way hash function because it would be computationally infeasible to do so.
13	How can the first token be extracted by the fitness centre from the message?		The token is part of the message and can simply be copied.
	Could an eavesdropper get hold of the token?		An eavesdropper could also copy the token.
14	How does this step assure the fitness centre that the token came from Alice?		The hash received in Step 7 was encrypted with Alice’s private key so it must have come from Alice. If the hash was created using a one-way hash function only Alice and the bank could calculate the message in Step 6 and carried in the message in Step 12.
15	Same question as Step 11		Same answer as Step 11.
16	Similar question to Step 12.		Similar answer to Step 12.
17	No questions.
18	How is the bank assured that the tokens came from the fitness centre?		The message includes data about the tokens, encrypted using the fitness centre’s private key.
	Can an eavesdropper extract tokens from the message?		An eavesdropper cannot gain access to the tokens since the message is encrypted using the bank’s public key.

Back to Top

---------------

Question 3

Title:

Electronic Wallet and Digital Cash Procedures

Briefing Document for Totally Toned Limited (TTL)
Introduction

This document sets out to provide TTL with information that will help the CEO and her Board members to fully appreciate and understand the concept and application behind the smart card and its use of (encrypted) tokens; and the parties that will be involved in any transactions i.e. the client, the bank and TTL (the fitness centre).

The areas that will be covered, in order to address questions posed, and also to breakdown the intricacies of the system, so that an overall picture and understanding of its workings can best be appreciated and debated (in the boardroom), now follows.
General explanation of encryption

To encrypt a message, a document, or a file, is to make that information/data unintelligible, to anyone, unless there is method to reverse the process to intelligible data. Therefore, encryption is a method of obfuscation, rendering security to the exchange of information, or to the data-files on one’s computer. The method of encryption (in association with decryption) is the use of a cryptographic algorithm, a mathematical process by which information/data, plaintext, is actually encrypted to become ciphertext – encrypted data.

The actual encryption process using the appropriate cryptographic algorithm and key (keys are large, the larger the more secure) takes the message and concatenates it, places it into groups, encodes them numerically, and then encrypts. This is basically the process of encryption.
There are two modes of encryption, encrypting using a secret key and securely transmitting that key to enable decryption, the “symmetric-key mode” (the key that encrypts also decrypts); the other, encrypting with one key and decrypting with another, that is the “asymmetric-key mode” (public/private key). Well known encryption method – cryptographic algorithm – for symmetric and asymmetric are: AES (Advance Encryption Standard) and RSA (named after its creators: Ron Rivest, Adi Shamir and Leonard Adelman) algorithm respectively.
Encryption on its own doesn’t provide all the security to combat eavesdroppers and determined cryptanalyst (breakers’ of ciphers). Procedures call protocols helps in this regard.
General explanation of public key encryption

The ability to encrypt messages without the worry of key distribution, act as an indicator, that public key encryption (asymmetric as oppose to symmetric) is at work. With public key encryption there are two keys, private and public. In public/private key encryption, one has to ensure that those with whom secure communication is desired have access to your public key; and visa versa, so that encrypted messages, by you, can be decrypted; and, you, using your private key, decrypt messages that are encrypted with your public key. Your private key should never be made public, but kept private or secret. Should you lose your private key, encrypted messages with its public key will never be accessible, because those messages will be inextricably link to its (your) private key.

Public keys are readily accessible from public key servers or Certificate Authorities (CA). You may choose to post your key(s) to these key-servers, if privacy is not important/priority, or via email or floppy disk to the intended party. Keys from public key servers should always be checked (or double checked with a trusted authority) to ensure that an impostor does not hold the key and its identity.
CAs are trusted authorities, they store public certificates pertaining to public keys – linking keys to keyholder’s identity. They, also, if notified, displays revoke keys on their “revocation list” for expired and compromised keys; for public key servers, post to server.
Using public key encryption to provide secrecy

By using a public key to encrypt a message, you are ensuring only the recipient can decrypt it, and should it be intercepted by an eavesdropper, he or she would be unable to decrypt because it can only be decrypted by the intended recipient’s private key. Therefore, a private and secret communication can be carried on using public key encryption, as long as the parties use each other’s public key to encrypt their secret (and confidential) message; thus encrypting using public key(s) and decrypting using one’s private key(s). Hence, as has been indicated elsewhere, making your public key available does not stop a private communication between friends.

Public key encryption employs within its algorithm a mathematical scheme, which makes it difficult to deduce key(s) from the sequence of messages (call the protocol); plus, there is no need to distribute private key(s); and, hence, public/private keys obfuscate messages except for their intended recipients. Within public key encryption there are other means to secrecy:

• 
  The blinding technique, within protocol: enables part of a message to be kept secret while allowing other parts to be revealed; and
  
• 
  The digital envelope: enables a message to be encrypted to one or more recipients with an encryption key which has a complementary decryption key which is encrypted with the recipients’ public key and appended to the message. Thus each recipient has the encrypted-decryption key which only they can decrypt with their private key.
  

Using public key encryption to provide identity

Public key encryption provides proof of identity through the authentication protocol, which identifies the source of data/information. A direct means of achieving this is through trusted agencies – notaries, for example: time-stamping documents, and Certification Authorities (CA) who – via their digital certificates – ensures public keys are linked to the keyholders’ identities and any restrictions (start-/end-date etc.) upon that key. Their trustworthiness comes in to play by encrypting the certificates with their private key. Encrypting with one’s private key is a kin to signing, which identifies the source. A signature can be provided for a message or message digest, which is used to identify the signatory e.g. a message is encrypted and appended to its plaintext. This approach serves two purposes: encryption identifies the author/signatory and decryption, if corresponds to the plaintext, asserts integrity.

To obtain identity, protocol challenges can be posed: as in a “request and a response” interchange. If the response is correct communication proceeds, else it ceases.
Conclusion

I do believe the report manages to highlight and provide the necessary details of the various aspects of the digital (electronic) charging system, which I am sure will enable the CEO and the Board to arrive at an informed decision with an overall understanding of the system.

Nevertheless, with reference to Section A4 of the Appendix, I should like to draw to their attention certain weaknesses in the system:

• 
  The certificate issued by the bank, anyone with the bank’s public key will have access to Alice’s: account no., bank’s ID no., and token amount;
  
• 
  Anyone with the bank’s public key can ascertain the bank’s signature and then get hold of Alice’s token;
  
• 
  Anyone with Alice’s public key can decrypt her hash, if it isn’t a one-way hash (Because of the security implications without a one-way hash the system would pose serious cryptanalysis threat.);
  
• 
  The fitness centre should make use of Alice’s guaranteed amount (tokens), which is stated in her certificate from the bank, so as to combat any tampering by Alice or anyone else who might come in possession of her smart card; and
  
• 
  An eavesdropper could also get hold of Alice’s first and second token (un-hash) submitted for payment to the TTL.
  

Word Count: 1200

Back to Top

---------------

Question 3(Technical appendix-A2)

Section A2 – Hash Function

Table A4 give a more in-depth explanation

Table A4 Hash Function

Steps	Hash Function Explained
1	A hash function H is said to have certain basic properties that determine its strength and usefulness: variable-length input with fix-length output, a one-way hash and collision free.
2	With these properties it is computationally infeasible to find a solution for H(M), where M represent a plaintext message.
3	A plaintext that has been convert to a message digest-hash cannot be reversed engineered, if the hash was produce by a one-way hash function; this would also ensure it was collision free.
4	A hash that is collision free is one that is computationally infeasible to find two or more messages with the same message digest and thus simple to derive the hash from message.
5	An example of the derivation of a hash: given a message M (of variable length) the message is concatenated and then separated into groups of five (say) characters that are then number-encoded.
8	By modular addition, using the appropriate modulus (and preferably a prime number), these groups of numbers are added to give a sum (equivalent length to the number-coded group – “compact representation"). This sum is directly related to the original message M.
9	An operation that function to produce a result in this way is said to be a hash function; and its result is said to be the message digest.
10	The message digest is then encrypted {H(M)}k (it is to be assumed, for a one-way hash, there is no decrypted key and hence the hash is computationally irreversible).
11	If, now, this encrypted message digest is appended to the message proper, plaintext, and sent to a keyholder who has the decryption key (Alice public key, say) the integrity of the plaintext can be ascertained, by firstly: obtaining, and encrypting, the message digest of the plaintext, which accompanied the encrypted digest, and secondly comparing the original digest to the obtained (calculated) digest to ensure no tampering of the data, and/or communicated message, had occurred in transit or otherwise.

Back to Top

---------------

Question 3(Technical appendix-A3)

Section A3 – Use of Hash Function

Table A5 gives an example of hash in the propose protocol
Table A5

Steps	Use of Hash Function in Proposed Protocol
1	The purpose of the hash function in this particular protocol step is to test and so ensure for integrity, completeness and authenticity, and that the token has not been tampered with.
2	Alice’s smart card on obtaining the fitness centre’s, F, visit number V, (which is obtained by entry to the centre) sets about using the hash function (refer to section A2) to create compact representation, hashes, of her three tokens.
3	Once the 3rd and 2nd tokens are hashed, the final hash which incorporate the1st token added to the 2nd and 3rd token-hash is sent to the fitness centre’s computer (wirelessly) encrypted with her private key.
4	Whenever Alice request use of service, via her smart card, a demand (digital-payment!) is made for a token.
5	This token, un-hashed, is sent along with a hashed token (with the exception of the last token, which is sent unaccompanied by a hashed token).
6	Therefore the tokens – un-hashed and hashed – sent by Alice’s smart card are combined and hashed and compared to the hash stored by the fitness centre (as in the case when Alice sent the initial hash to the fitness centre). If there is a match the fitness centre stores the hash for future comparison and the token for redemption from Alice’s bank.
7	This is basically the process that is taken by Alice and the fitness centre in their transaction of business.
8	Here is a practical example of the hash process: Alice’s smart card prepares the hashes and send the final hash to the fitness centre:
9	The fitness center stores the hash so as to use it for integrity and validity check against token submitted by Alice’s smart card for services used.
10	When Alice request her first service and submits an un-hash and hash token, i.e. signed with her private key, the fitness centre decrypts by using her public key and then extract the token and store the hash for the next cross-check with the second token, for service.
11	In order to carry out the validity check on the first token, please note the following assumptions: = 935543 (obtained via modular addition of V=743625, {n1, B}kb = 274689, and = 9917059 with a modulus 999983); = 6454892 (obtained via 9355435452805 mod 11881379 – exponentiation)
12	It is therefore quite apparent from 10 above that 1 is equal to 2 (by putting the number 935543 in the expression: 9355435452805 mod 11881379 = 6454892)
13	Hence, or , by 11 and 12 above, is valid. Alice’s next service request will follow the same method of cross-check/validation for the second token. The encrypted tokens, , can only be decrypted by the bank and therefore their numeric value will not be apparent. The above illustration using numerical equivalent is meant only as an example of how a hash is used.

Back to Top

---------------

Question 4a

Reflective: Module Companion

The activity that I found most helpful in drawing up my study plan for this module (module 5) was actually going step by step through the Module Companion. The companion offers a structure, suggested structure (one that I subscribe to completely) in terms of how the various books, the component parts, making up the module should be approach – with respect to the structure. The companion also outlines what will be expected from the assignment – the various questions. The companion also makes clear any additional learning aid(s) the module will require e.g. an application program etc.

Having gone through the companion and made fully aware of what was expected, I was now enabled to draw up a study plan based on my strengths and weaknesses for accomplishing those tasks, with respect to time, outlined for the assignment.
Back to Top

Word Count: 139

---------------

Question 4b

Reflective: Original Study Plan

My study plan drew upon the Module Companion, Book S, Security, and my assessment of the Monograph in terms of the time I would need to give to it to be able to feel comfortable with the concepts and principles it espouses.

How realistic was it?

Once I understood what was expected of me, I gave weight to those aspects of the tasks for which I was not familiar: the Monograph, PGP freeware, certain questions in the assessment, by being realistic with the time allocated to these areas, based on previous experiences.

Organize time effectively?

Having painstakingly drew up a study plan and being realistic about all aspects of it, it played an important role in determine the area of study I should be covering and what should have been check as completed. Without the plan I would not have been able to directly make an assessment of my progress – in terms of time and tasks completed –and from that point-a-view I believe it helped tremendously in organising my study time effectively.

What, if any, amendments?

Actually I made no amendments to my plan, the plan was drawn up, to some extent, on the experiences I had gain with the previous modules. One reason I did not make any amendments, as such, was that the only real difficulties I had with my studies was to do with the Monograph, which had to be read a couple of times. It was important that I did not shirk this task as it played such a central role in the assignment.

What lessons learnt?

It’s important that any advice and/or directions given is taken seriously as is the case in the Module Companion and Book S, Security. However, this should not stop one from taking an approach that works. I decided to tackle the Monograph first, given it was the core of the module, ensuring I fully understood the concepts and principles it espouses and then revert back to the Module Companion’s recommended route. Thus, in future ensure the problem is fully appreciated from the outset.

Back to Top

---------------

Word Count: 344

---------------

Download 101.57 Kb.

Share with your friends: