FIN387: You Have Been Tasked to Safe-Keep the Digital Copies of all Past and Future Annual Reports of Your Company: Financial Cryptography Assignment, SUSS, Singapore

University: Singapore University of Social Science (SUSS)
Subject: FIN387: Financial Cryptography

Question 1

In online banking applications, users generally need to input a one-time password in addition to their username and password.

(a) Identify the security objective of using a one-time password. Discuss at least two (2) security requirements for one-time passwords.

(b) There are many different ways to generate one-time passwords (OTPs).

Consider the two implementations below (let’s assume that the OTP is the last six digits of the resulting hash value):

1. Hash(Current Time in UNIX timestamp || Bank’s secret key)
2. Hash(Current Time in UNIX timestamp || User-specific secret key)

Appraise the security of each implementation and justify your answers. What is the desired property of the hash function in this case?

(c) The Google Authenticator app implements two-step verification services for authenticating users of software applications. On set up, a user will be given a unique user-specific secret key that is displayed as clear text on-screen. This secret key will be used to generate a time-based OTP for the user for all future logins. The time-based OTP is calculated using the SHA-1 hash function in the following manner:

SHA-1(Current Time in UNIX timestamp || User-specific secret key)

Criticise the security of this design and justify your answers. Propose a solution to overcome the flaw in the design.

You will also be evaluated based on the clarity of your argument.

(d) If we use a Merkle Hash Tree with eight leaf nodes to pre-generate a set of 15 OTPs for a user (see Figure 1), what should be the order of usage of the OTPs? State your reason.

Determine one limitation of this OTP generation approach.

Question 2

You have been tasked to safe-keep the digital copies of all past and future annual reports of your company. Each report is several hundred pages long and you must ensure integrity protection of the reports. Therefore, you decided to use a hash function to detect any intended or unintended modifications.

(a) Discuss at least three (3) advantages of using a hash function for integrity protection.

(b) Illustrate the steps that you will take to verify that a specific file is intact and has not been modified.

(c) What is the most important hash function property that is applicable in this case?

(d) Is it important to keep the hash function you used (e.g., whether it is MD5, SHA-1, SHA-2, or others) as secret information? Decide if it is necessary to use a secret key in computing the hash of the reports.

Question 3

(a) The AID: Tech blockchain solution (https://www.aid.technology/) is a gateway to financial and social inclusion. The solution records the hash value of a user’s identity document on a blockchain. With this record, a user can present his/her identity document to gain access to healthcare, trusted remittance with lower remittance fees, accountable international aid, and traceable welfare delivery.

State four (4) advantages of recording the hash value of the user’s identity document (instead of the actual document) on the blockchain.

(b) The AID: Tech blockchain adopts public and permissionless as well as private and permissioned blockchain approaches to balance security, efficiency, and traceability.

In your own words, contrast public, permissionless blockchain and private, permissioned blockchain in four (4) different aspects.

(c) The Surety timestamping solution (https://www.surety.com/) is one of the earliest digital document notarization services. In its earliest implementation, it started with a seed called “Summary Hash Value”, SHV0.

For the first document with hash value h1 that arrives at time t1, it calculates the new Summary Hash Value as SHV1 = Hash(SHV0 || h1 || t1). For the second document with hash value h2 that arrives at time t2, the new Summary Hash Value, SHV2, is calculated as Hash(SHV1 || h2 || t2), and so on. See Figure 3. All of the tuples <hi, ti, SHVi> are stored in Surety’s database.

At the end of the week, the set of SHVs will be published in the Public Notices Section of the New York Times. This validates the integrity of the database. The Surety timestamping solution shares similarities and differences with the Bitcoin blockchain.
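The chaining rule described above can be made concrete with the following added example, which is not part of the assignment and not Surety's code. It assumes SHA-256 as Hash, fixed-width fields for the concatenation, and that the last SHV of the period is the published value; all names and sample data are constructed for illustration.

```python
import hashlib
import struct

def next_shv(prev_shv: bytes, doc_hash: bytes, t: int) -> bytes:
    """SHV_i = Hash(SHV_{i-1} || h_i || t_i)."""
    # Assumptions: Hash is SHA-256; h_i is 32 bytes; t_i is an 8-byte
    # big-endian UNIX time. Fixed widths keep "||" unambiguous.
    if len(prev_shv) != 32 or len(doc_hash) != 32:
        raise ValueError("SHV and document hash must be 32 bytes")
    return hashlib.sha256(prev_shv + doc_hash + struct.pack(">Q", t)).digest()

def build_chain(shv0, docs):
    """docs: [(document_bytes, t_i)] -> stored tuples [(h_i, t_i, SHV_i)]."""
    records, shv = [], shv0
    for data, t in docs:
        h = hashlib.sha256(data).digest()
        shv = next_shv(shv, h, t)
        records.append((h, t, shv))
    return records

def audit(shv0, records, published_shv):
    """None if intact; index i if stored record i breaks the chain;
    "published" if the chain is self-consistent but its final SHV
    differs from the independently published value."""
    shv = shv0
    for i, (h, t, stored) in enumerate(records):
        shv = next_shv(shv, h, t)
        if shv != stored:
            return i
    return None if shv == published_shv else "published"

# Constructed sample data (not from Surety).
SHV0 = hashlib.sha256(b"constructed seed").digest()
DOCS = [(b"report A", 1700000000), (b"report B", 1700000600),
        (b"report C", 1700001200)]
RECORDS = build_chain(SHV0, DOCS)
PUBLISHED = RECORDS[-1][2]  # the value that would appear in the newspaper

# Case 1: one stored timestamp is backdated, nothing else is recomputed.
BACKDATED = list(RECORDS)
BACKDATED[1] = (RECORDS[1][0], 1600000000, RECORDS[1][2])

# Case 2: a document is swapped and every later SHV is recomputed.
REWRITTEN = build_chain(
    SHV0, [DOCS[0], (b"report B (altered)", DOCS[1][1]), DOCS[2]])

if __name__ == "__main__":
    for name, recs in [("intact", RECORDS), ("backdated", BACKDATED),
                       ("rewritten", REWRITTEN)]:
        print(name, audit(SHV0, recs, PUBLISHED))
```

The second case is the one the newspaper publication addresses: a fully recomputed database is internally consistent, and only the copy of the SHV held outside the database exposes the change.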

In your own words, examine six (6) similarities and differences (combined) between the Surety timestamping solution and the Bitcoin blockchain. You will also be evaluated based on the clarity of your discussion.
