Victor Azzam

What does the "two-army problem" explain with respect to communication protocols in computer networks?
What is its impact for each communication protocol?
It illustrates the design pitfalls of attempting to coordinate an action by communicating over an unreliable link.

What is a commonly used practical and pragmatic implementation approach to mitigate the "two-army
problem" for communication protocols? Does it fully solve the problem?
Working with time and probability can combat miscommunication, although it does not eliminate it. The parties
could send message counters, or add significant timeouts to indicate a message has been received.

What is the additional impact of the "two-army problem" with respect to a security-protocol like WPA2?
The security of WPA2 can be compromised as Message 3 can be resent and a new key might be forced upon the
client. This scenario takes advantage of WPA2 client’s mitigation strategy against unreliable links.

Denote how and where is it reflected in the client's 'pseudo' state-machine that retransmissions of messages
within the handshake are allowed?
The state machine considers retransmissions of messages 1&3 if the authenticator did not receive messages 2&4.
This happens during the PTK-START and PTK-DONE stages, respectively.

Why is the race-condition for encrypted Message3's retransmission important?

It opens up the potential for the access point to be used as a gateway to inject packets to any network device.

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––

Why is active WLAN scanning the default mode?

It has a lesser effect on battery life compared to passive mode where the device must listen on many channels.

What is Time-to-first-fit?
The required time for a GPS receiver to acquire information from satellites, and the time to calculate a solution
for a certain position (also called a fix).

What is the difference between GPS and aGPS?

GPS uses satellites to get location data, while Assisted GPS uses both satellites and mobile phone cell towers.

What are the three phases of swarm-mapping? Explain the role of each phase.
1. Intrinsic localisation: smartphones collect data about sender stations (routers and cell towers) and map
them to GPS coordinates.
2. Collection: positions are encrypted and sent to the device manufacturer’s servers.
3. Extrinsic localisation: servers calculate smartphone position based on surrounding senders’ positions.

What information are stored in the CellLocationHarvest and in the WiFiLocationHarvest? Where are these files
stored?
They store location data about nearby sender stations, namely cell towers and Wi-Fi access points, respectively.
Location data in iOS is stored in the /private/var/root/Library/Caches/locationd cache directory, whereas similar
files on Android are stored in /data/data/com.google.android.location/files as binary streams.

Please debate on a technical level on the usability of the files mentioned in Q5 for a COVID-19 infection
tracking app which is currently broadly discussed.
CellLocationHarvest contains Cell Identity values that point to specific cell towers. WiFiLocationHarvest contains
MAC addresses that uniquely identify mobile devices. A tracking app could then see if one device or cell tower
showed up in the scans of another device, and could even estimate the proximity by using signal strength.

What does RSSI stand for and for what exactly can it be used? Describe the approach.
Received Signal Strength Indicator (RSSI) is used to measure wireless signal performance. It can also be used to
approximate the distance between a transmitter and receiver. This is done by using a formula that includes both
the RSSI and the transmitter’s maximum RSSI values. Environment and noise keep this from being too precise.

Why do we have a "chicken-and-egg" problem when starting the swarm mapping approach?
To estimate a base station’s position, we must first know the device’s position, and vice versa.

Why is this "chicken-and-egg" problem much more relaxed than it initially looks?
Base stations do not tend to move. Their positions are standard and known. There are many devices to help
correlate base station positions.
Victor Azzam

What is an NDA and why is it relevant with respect to the DECT security architecture?
Digital Enhanced Cordless Telecommunications (DECT) has a standard for authentication (DSAA) and
confidentiality (DSC) which are only available to manufacturers under a non-disclosure agreement (NDA),
meaning the details remain confidential. This is legally binding.

For what concrete security feature is the DSAA used for?

Authentication of a phone and base station.

At which layer(s) is the encryption mechanism of DECT located?

Encryption is negotiated at the network layer, and occurs at the MAC layer.

Describe a DECT frame with respect to its different portions.

There is a Fixed Part (FP) – 1 or more base stations – and a Portable Part (PP) – some number of phones. Per
frame:
• FP → PP: one of the first 12 time slots
• PP → FP: the time slot 12 time slots later

Why is the LCE.01 timer important to understand the interactive decryption attack on DECT?
The LCE.01 timer is responsible for counting 5 seconds before terminating a connection. After the initial attack
phase, the attacker must wait for LCE.01 to expire and send 1s as plaintext (encrypted) which can then be XORed
with 1s to reveal the key stream. This can then be XORed with the captured call to decrypt it.

Describe the authentication mechanism between Portable Part and Fixed Part.
Authentication of PP by FP:
1. FP chooses 2 random numbers: RS & RAND_F
2. FP → PP: AuthRequest(RS, RAND_F)
3. PP uses DSAA algorithms A11 & A12 with [UAK, RS, RAND_F] to compute RES1
4. PP → FP: AuthResponse(RES1)
5. FP compares RES1 with locally computed XRES1
Optionally, there is also authentication of FP by PP.

On what parameters does the frame number depend on?

Last broadcasted multi-frame number, and time elapsed since this event.

Explain for what plaintext data exactly the keystream is used for.
The first 40 bits of the keystream encrypt C-channel messages in the A-field unless it contains no traffic in which
case the bits are discarded. Remaining 320 bits are XORed with the B-field to encrypt the payload.

Explain the different usage of the LCE.01 timer in DECT compared to the timer used in the 4-way-HS in WLAN.
Is there still a relation to the "two-army-problem" with respect to the timer used in DECT?
The 4-way handshake in WPA2 attempts to accommodate for communication issues by allowing authenticators
to resend packets to clients. The LCE.01 timer on the other hand denotes whether or not communication has
been sent at all i.e., a call might not be happening, but a connection is still open (for updates, etc). The two-army
problem is relevant as the absence of frames causes clients to drop the connection after sending a sequence of
1s, which indicates that disrupting the communication flow may prevent proper coordination between PP and FP.

Recap what concrete property of the XOR operation is used for the DECT decryption attack?
XOR (⊕) is reversible, so if A⊕B = C then A⊕C = B.

Which of the listed countermeasures against the interactive DECT decryption attack would you recommend
being added to the standard? Please argue why.
Disabling B-field encryption when unused prevents a known-plaintext attack where 1s are encrypted after the
LCE.01 timer runs out.
Victor Azzam

What does the Bluetooth modus 'just-works' mean for the provided security with respect to an active attacker?
Just-works provides automatic validation without PIN involvement. An active attacker can force pairing consent,
as long as it is temporary.

Debate the practical impact of the Blueborne family.

The BlueBorne attack is resolved with a software update, but many IoT devices and older phones are left behind.

Which phase of the BT pairing phase uses ECDH?

Key exchange during the 2nd pairing phase uses Elliptic Curve Diffie-Hellman. Phases:
1. Feature exchange: choose pairing mode: numeric comparison, just works, passkey entry, out of band
2. Key exchange: Secure Simple Pairing (SSP) & Secure Connections (SC) use ECDH
3. Authentication
4. Session key derivation and validation

Denote the relevant ECDH parameters.

A prime 𝑝, a generator point 𝑃, coefficients a & b from the chosen curve E.
Elliptic curve E: 𝑦2 = 𝑥3 + a𝑥 + b mod 𝑝

Explain why for BT2.1 with Secure Simple Pairing (SSP) the invalid curve attack (Small Subgroup Attack) could
work.
The Bluetooth 2.1 specification does not require to verify if an incoming point stems from the same domain as
the chosen elliptic curve E.

Explain the reason why the Fixed Coordinate Invalid Curve attack (FCIC) is possible.
The specification only requires the x coordinate to be authenticated, hence the point can be modified (x,y) to (x,0)

Explain why the FCIC attack gives a success rate of 25% for an attacker.
It is successful if both parties choose even secrets, which produces a point at infinity.

Alice even Alice odd

Bob even

Bob odd

How can such an attack be mitigated?

Authenticate both x and y coordinates.

Why is it better for an attacker performing the FCIC attack if larger key-sizes have been chosen?
Larger key sizes increase the number of frames, easing the attack.