CS 231: Computer Security

Let's Pretend

Alone, partners, as you wish.

Throughout this assignment, you may assume that you have the capacity to observe, intercept, and modify any packet sent between Alice and Bob. That is, you can eavesdrop or play man-in-the-middle with impunity.

Let's pretend you broke SHA-1

Suppose you have broken SHA-1 in the following sense. For any message M of length 100 bytes or more and any given SHA-1 digest D, you have an algorithm that lets you (1) pre-select which 40 bytes of M you are willing to change, and (2) compute the values those 40 bytes must take so that the modified message M' satisfies SHA-1(M') = D. In other words, you have a second-preimage attack in which the positions you may alter are fixed in advance; every other byte of M stays exactly as it was.

Suppose further that Alice is about to log in to her amazon.com account to purchase a copy of The Iliad and a spool of 500 meters of Cat 6 cable. That is, the role of Bob will be played by amazon.com's web server.

Describe in detail the steps you will take, using your new SHA-1 knowledge, to obtain Alice's amazon.com password, and thus gain access to her credit card information.

Let's pretend you broke RSA

Suppose you have figured out how to break RSA, but you have not figured out how to break SHA-1. That is, given any RSA public key, you are able to quickly compute its corresponding private key.

Describe in detail the steps you will take, using your new RSA knowledge, to get Alice's amazon.com password.
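The two assumptions above differ in exactly where the trust chain gives way. A scaled-down model of both, added to this handout as an example (it is not part of the original assignment): a toy CA signs the "to-be-signed" part of a certificate with textbook RSA over a digest, a client verifies by recomputing the digest, and the two pretend breaks are played by brute force. SHA-1 truncated to 16 bits stands in for SHA-1, a handful of free filler bytes stands in for the 40 bytes you are willing to change, trial division of a 40-bit modulus stands in for the RSA break, and the field names (subject, pubkey, filler) are constructed for the example. The model covers only the signature-over-digest step; it does not show how the forged certificate reaches Alice's browser, which is part of what the questions ask you to work out.

```python
"""Scaled-down model of the two 'let's pretend' assumptions.

Added example for this handout, not part of the original assignment. Textbook
RSA with tiny constructed primes and SHA-1 truncated to 16 bits stand in for the
real primitives; brute force plays the role of the pretend algorithms. Nothing
here breaks real SHA-1 or real RSA.
"""
import hashlib
import math

TRUNC = 2  # bytes of SHA-1 kept: 16 bits, brute-forceable in ~65k tries


def toy_sha1(m: bytes) -> bytes:
    """SHA-1 truncated to TRUNC bytes: the toy digest the toy CA signs over."""
    return hashlib.sha1(m).digest()[:TRUNC]


# Constructed CA key (1000003 and 1000033 are prime; real keys are ~2048 bits).
P_CA, Q_CA = 1000003, 1000033
N_CA, E_CA = P_CA * Q_CA, 65537
D_CA = pow(E_CA, -1, (P_CA - 1) * (Q_CA - 1))  # kept only so the CA can sign


def rsa_sign(tbs: bytes, d: int, n: int) -> int:
    """Textbook RSA signature over the toy digest (no padding; toy only)."""
    return pow(int.from_bytes(toy_sha1(tbs), "big"), d, n)


def rsa_verify(tbs: bytes, sig: int, e: int, n: int) -> bool:
    """What a client does: recompute the digest and compare it with sig^e mod n.
    Note that only the digest is bound, never the bytes of tbs themselves."""
    return pow(sig, e, n) == int.from_bytes(toy_sha1(tbs), "big")


def make_tbs(subject: bytes, pubkey: bytes, filler: bytes) -> bytes:
    """The 'to-be-signed' part of a toy certificate, with a free filler field."""
    return b"subject=" + subject + b";pubkey=" + pubkey + b";filler=" + filler


def second_preimage(m: bytes, positions: list, target: bytes) -> bytes:
    """Model of the assumed SHA-1 break: keep every byte of m except those at
    `positions`, and choose those so the toy digest equals `target`.
    Brute force stands in for the pretend algorithm; it only finishes because
    the toy digest is 16 bits wide."""
    buf = bytearray(m)
    for k in range(1 << (8 * len(positions))):
        for pos, b in zip(positions, k.to_bytes(len(positions), "big")):
            buf[pos] = b
        if toy_sha1(bytes(buf)) == target:
            return bytes(buf)
    raise ValueError("no second preimage in the search space")


def forge_with_hash_break(real_tbs: bytes, real_sig: int, attacker_pubkey: bytes):
    """SHA-1 broken, RSA intact: build a cert carrying the attacker's key whose
    digest equals the real cert's, so the CA's existing signature carries over."""
    real_subject = real_tbs.split(b";")[0][len(b"subject="):]
    draft = make_tbs(real_subject, attacker_pubkey, b"\x00" * 4)
    free = list(range(len(draft) - 4, len(draft)))  # the bytes we may change
    forged = second_preimage(draft, free, toy_sha1(real_tbs))
    return forged, real_sig


def recover_private_key(n: int, e: int) -> int:
    """RSA broken, SHA-1 intact: recover d from the public key alone. Trial
    division stands in for the pretend factoring algorithm; toy n only."""
    p = next(c for c in range(3, math.isqrt(n) + 1, 2) if n % c == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1))


def forge_with_rsa_break(subject: bytes, attacker_pubkey: bytes):
    """With the CA's d recovered, sign any certificate body we like directly."""
    d = recover_private_key(N_CA, E_CA)
    tbs = make_tbs(subject, attacker_pubkey, b"")
    return tbs, rsa_sign(tbs, d, N_CA)


def demo() -> dict:
    """Run both forgeries against a constructed amazon.com certificate."""
    real = make_tbs(b"amazon.com", b"bobkey", b"")
    real_sig = rsa_sign(real, D_CA, N_CA)
    forged_h, sig_h = forge_with_hash_break(real, real_sig, b"evilkey")
    forged_r, sig_r = forge_with_rsa_break(b"amazon.com", b"evilkey")
    return {
        "real_verifies": rsa_verify(real, real_sig, E_CA, N_CA),
        "hash_forgery_verifies": rsa_verify(forged_h, sig_h, E_CA, N_CA),
        "hash_forgery_reuses_ca_sig": sig_h == real_sig,
        "hash_forgery_has_attacker_key": b"pubkey=evilkey" in forged_h,
        "rsa_forgery_verifies": rsa_verify(forged_r, sig_r, E_CA, N_CA),
        "recovered_d_matches": recover_private_key(N_CA, E_CA) == D_CA,
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The contrast worth noticing: with the hash broken, the attacker never learns anything about the CA's key and simply reuses a signature the CA already issued, so the forged certificate is tied to an existing real one and to the positions it was allowed to change; with RSA broken, the attacker becomes the CA and can sign arbitrary bodies, with no dependence on what the CA has signed before. Both forgeries pass the same client check, because `rsa_verify` binds only the digest.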

Some follow-up questions

  1. Suppose your SHA-1-breaking algorithm takes three days to compute using your Evil Genius Supercomputer Farm (EGSF). How will this affect your plans to steal Alice's password?
  2. On September 5, 2014, Google announced its intention for Chrome to start alerting users to insecurity in sites whose certificates are signed using SHA-1. This flagging will begin with the Chrome release due out in November--just a few weeks from now.

    Google's announcement links to Bruce Schneier's short article on the impending obsolescence of SHA-1.

    Discuss whether Google's announcement makes sense, and whether its timing is right. Note that part of the fallout from Google's plan is that many thousands of HTTPS web pages that are currently marked as secure with Chrome's little green lock in the address bar will begin to be marked as insecure in the new version of Chrome. For example, unless amazon.com changes its certificates before then, Chrome will flag your Amazon shopping cart as insecure just a few weeks from now.

Handing it in

Produce a report showing your answers to the questions above. Submit your report in PDF form via Moodle.

Have fun!