# CS4180 Network Security (Fall 2000): Homework 5

This homework is due at the beginning of class 22 on Tuesday, November 21, 2000. Note: K2.3 denotes homework problem 3 from chapter 2 of the class text.

1. (K6.11) In RSA, what is the probability that something to be encrypted will not be in Zn*? (20 pts.)
2. (K7.3) Extend the scenario in 7.7.4.1 Multiple KDC Domains to a chain of three KDCs. In other words, assume that Alice wants to talk to Boris through a chain of three KDCs (Alice's KDC, a KDC that has shared keys with both Alice's KDC and Boris' KDC, and finally, Boris' KDC). Give the sequence of events necessary to establish communication. (15 pts.)
3. (K9.2) In 9.2 Mutual Authentication, we discuss the reflection attack and note that Protocol 9-9 is susceptible, but Protocol 9-8 is not. How about Protocol 9-12? (15 pts.)
4. Biometric identification: One of the possible ways of identifying a user is to use the keyboard typing patterns. Record the keystroke timing pattern by measuring the delay between key strokes when typing "The quick brown fox". Please post four results to the class newsgroup as a list of whole milliseconds between key strokes, averaged over at least three tries, prefixed by your userid. Ignore or discard typos. Example output might be:
```
hgs 120 84 345 183 ...
hgs 138 48 483 181 ...
hgs 118 57 423 151 ...
hgs 129 77 413 174 ...
```

In the example, the pause between "T" and "h" in the first try is 120 ms. The list should have N-1 entries, where N is the number of characters in the test string (N=19 in our example). The "..." indicates that some of the numbers have been omitted.

If your typing skills are not so great, you might want to do a "warm up" exercise before doing the measurements.

See if it is possible to compute a distance metric that reliably distinguishes you from your classmates, yet also recognizes you later on (on the same type of keyboard). A distance metric translates the vector difference between two people into a single number. As discussed in class, there are two modes: "confirmation", where the purported identity of the person is known and needs to be confirmed, and "identification" mode, where the system needs to pick the person from the database that most closely matches the input.

The choice of distance metric between training and measurement data is up to you, but you might want to investigate whether scaling helps or hurts recognition (in either "confirmation" or "identification" mode).
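
The following C example is added here and is not part of the original assignment; the userids, pause values and acceptance threshold are constructed assumptions. It compares a squared Euclidean distance with and without scaling each pause list by its mean, in both identification and confirmation mode.

```c
#include <float.h>
#include <stdio.h>

#define NP 5  /* pauses per sample, as in the 5-number typeid example */
struct profile { const char *userid; int pause[NP]; };

/* Constructed training data (hypothetical userids), one averaged list each. */
static const struct profile db[] = {
    { "usera", {120,  80, 340, 180, 100} },
    { "userb", {200, 140, 420, 260, 190} },
};
#define NUSERS ((int)(sizeof db / sizeof db[0]))

/* Squared Euclidean distance between two pause lists. With scaled != 0 each
 * list is first divided by its own mean pause, so overall typing speed
 * drops out and only the rhythm is compared. */
double distance(const int *a, const int *b, int scaled) {
    double ma = 1.0, mb = 1.0, sum = 0.0;
    if (scaled) {
        ma = mb = 0.0;
        for (int i = 0; i < NP; i++) { ma += a[i]; mb += b[i]; }
        ma /= NP; mb /= NP;
        if (ma <= 0.0 || mb <= 0.0) return DBL_MAX;  /* invalid sample */
    }
    for (int i = 0; i < NP; i++) {
        double d = a[i] / ma - b[i] / mb;
        sum += d * d;
    }
    return sum;
}

/* Identification mode: index of the closest profile in db. */
int identify(const int *x, int scaled) {
    int best = 0;
    for (int u = 1; u < NUSERS; u++)
        if (distance(x, db[u].pause, scaled) < distance(x, db[best].pause, scaled))
            best = u;
    return best;
}

/* Confirmation mode: accept the claimed user only within the threshold. */
int confirm(int claimed, const int *x, int scaled, double thresh) {
    return distance(x, db[claimed].pause, scaled) <= thresh;
}

int main(void) {
    const int x[NP] = {182, 118, 505, 275, 150};  /* constructed: usera, typing slower */
    printf("unscaled: %s, scaled: %s\n", db[identify(x, 0)].userid, db[identify(x, 1)].userid);
    return 0;
}
```

With this constructed data the unscaled metric attributes a slower-typed usera sample to userb, while the scaled metric attributes it to usera.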

To provide enough data to everyone, please submit your measurements to the bulletin board soon, before you have finished the part that recognizes whether this is friend or foe.

Your program should take as input from a file a list of pause lists, one per line, as training material. The list of pauses for the unknown typist is provided on the command line. For example,

```
typeid -f training.txt 183 482 481 48 437
```
The command prints out an indication of who it thinks is typing the sentence.

Hints:

• Paper on use of keystrokes for authentication.
• No GUI is needed, but you may create one if you like.
• Use gettimeofday() to time your keystrokes.
• Use cuserid() to obtain the name of the person supposedly at the keyboard.
• Normally, key input isn't processed until you press the "Return" key. Using the curses package, you can get keystrokes immediately. Below is a code fragment. man curses has further details.
```
#include <curses.h>
...
initscr();
cbreak();