280 likes | 291 Views
Review questions and answers on the essential ingredients of symmetric ciphers, encryption algorithms, key distribution, attacks, and message authentication mechanisms.
E N D
ECE454/599 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2012
1. What are the essential ingredients of a symmetric cipher? Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm. 2. What are the two basic functions used in encryption algorithms? Permutation and substitution. 3. How many keys are required for two people to communicate via a cipher? One key for symmetric ciphers, two keys for asymmetric ciphers. 4. What is the difference between a block cipher and a stream cipher? A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length. 5. What are the two general approaches to attacking a cipher? Cryptanalysis and brute force.
6. What is the difference between an unconditionally secure cipher and a computationally secure cipher? An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. An encryption scheme is said to be computationally secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the time required to break the cipher exceeds the useful lifetime of the information. 7. What are two problems with the one-time pad? 1) There is the practical problem of making large quantities of random keys. Any heavily used system might require millions of random characters on a regular basis. Supplying truly random characters in this volume is a significant task. 2) Even more daunting is the problem of key distribution and protection. For every message to be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key distribution problem exists.
8. List ways in which secret keys can be distributed to two communicating parties. 1) A can select a key and physically deliver it to B. 2) A third party can select the key and physically deliver it to A and B. 3) If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key. 4) If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B. 9. What types of attacks are addressed by message authentication? Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
10. What two levels of functionality comprise a message authentication or digital signature mechanism? At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message. 11. What are some approaches to producing message authentication? Message encryption, message authentication code, digitally signature. 12. When a combination of symmetric encryption and an error control code (e.g., CRC) is used for message authentication, in what order must the two functions be performed? Error control code, then encryption. 13. What is the difference between a message authentication code and a one-way hash function? A hash function, by itself, does not provide message authentication. A secret key must be used in some fashion with the hash function to produce authentication. A MAC, by definition, uses a secret key to calculated a code used for authentication.
14. Is it necessary to recover the secret key in order to attack a MAC algorithm? No. See problem with h(key|m). 15. What characteristics are needed in a secure hash function? 1) H can be applied to a block of data of any size. 2) H produces a fixed-length output. 3) H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical. 4) For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property. 5) For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). 6) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y). 16. What is the role of a compression function in a hash function? A typical hash function uses a compression function as a basic building block, and involves repeated application of the compression function.
17. Why has there been an interest in developing a message authentication code derived from a cryptographic hash function as opposed to one derived from a symmetric cipher? 1) Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES. 2) Library code for cryptographic hash functions is widely available. 18. What changes in HMAC are required in order to replace one underlying hash function with another? To replace a given hash function in an HMAC implementation, all that is required is to remove the existing hash function module and drop in the new module.
1. One way to solve the key distribution problem is to use a line from a book that both the sender and the receiver possess. Typically, at least in spy novels, the first sentence of a book serves as the key. The particular scheme discussed in this problem is from one of the best suspense novels involving secret codes, Talking to Strange Men, by Ruth Rendell. Work this problem without consulting that book! Consider the following message: SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA This ciphertext was produced using the first sentence of The Other Side of Silence (a book about the spy Kim Philby): The snow lay thick on the steps and the snowflakes driven by the wind looked black in the headlights of the cars. A simple substitution cipher was used. a. What is the encryption algorithm? b. How secure is it? c. To make the key distribution problem simple, both parties can agree to use the first or last sentence of a book as the key. To change the key, they simply need to agree on a new book. The use of the first sentence would be preferable to the use of the last. Why?
a. The first letter t corresponds to A, the second letter h corresponds to B, e is C, s is D, and so on. Second and subsequent occurrences of a letter in the key sentence are ignored. The result ciphertext: SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA plaintext: basilisk to leviathan blake is contact b. It is a monalphabetic cipher and so easily breakable. c. The last sentence may not contain all the letters of the alphabet. If the first sentence is used, the second and subsequent sentences may also be used until all 26 letters are encountered.
2. In one of Dorothy Sayers's mysteries, Lord Peter is confronted with the message shown below. He also discovers the key to the message, which is a sequence of integers: 787656543432112343456567878878765654 3432112343456567878878765654433211234 a. Decrypt the message. Hint: What is the largest integer value? b. If the algorithm is known but not the key, how secure is the scheme? c. If the key is known but not the algorithm, how secure is the scheme?
a. Lay the message out in a matrix 8 letters across. Each integer in the key tells you which letter to choose in the corresponding row. Result: He sitteth between the cherubims. The isles may be glad thereof. As the rivers in the south. b. Quite secure. In each row there is one of eight possibilities. So if the ciphertext is 8n letters in length, then the number of possible plaintexts is 8n. c. Not very secure. Lord Peter figured it out. (from The Nine Tailors)
3. For any block cipher, the fact that it is a nonlinear function is crucial to its security. To see this, suppose that we have a linear block cipher EL that encrypts 128-bit blocks of plaintext into 128-bit blocks of ciphertext. Let EL(k, m) denote the encryption of a 128-bit message m under a key k (the actual bit length of k is irrelevant). Thus EL(k, [m1 XOR m2]) = EL(k, m1) XOR EL(k, m2) for all 128-bit patterns m1, m2 Describe how, with 128 chosen ciphertexts, an adversary can decrypt any ciphertext without knowledge of the secret key k. (A "chosen ciphertext" means that an adversary has the ability to choose a ciphertext and then obtain its decryption. Here, you have 128 plaintext/ciphertext pairs to work with and you have the ability to choose the value of the ciphertexts.)
For 1 ≤ i ≤ 128, take ci {0, 1}128 to be the string containing a 1 in position i and then zeros elsewhere. Obtain the decryption of these 128 ciphertexts. Let m1, m2, . . . , m128 be the corresponding plaintexts. Now, given any ciphertext c which does not consist of all zeros, there is a unique nonempty subset of the ci’s which we can XOR together to obtain c. Let I(c) {1, 2, . . . , 128} denote this subset. Observe Thus, we obtain the plaintext of c by computing . Let 0 be the all-zero string. Note that 0 = 00. From this we obtain E(0) = E(00) = E(0) E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every c {0, 1}128.
4. With the ECB mode of DES, if there is an error in a block of the transmitted ciphertext, only the corresponding plaintext block is affected. However, in the CBC mode, this error propagates. For example, an error in the transmitted C1 obviously corrupts P1 and P2. a. Are any blocks beyond P2 affected? b. Suppose that there is a bit error in the source version of P1. Through how many ciphertext blocks is this error propagated? What is the effect at the receiver?
a. No. For example, suppose C1 is corrupted. The output block P3 depends only on the input blocks C2 and C3. b. An error in P1 affects C1. But since C1 is input to the calculation of C2, C2 is affected. This effect carries through indefinitely, so that all ciphertext blocks are affected. However, at the receiving end, the decryption algorithm restores the correct plaintext for blocks except the one in error. You can show this by writing out the equations for the decryption. Therefore, the error only effects the corresponding decrypted plaintext block.
5. The pseudo-random stream of blocks generated by 64-bit OFB must eventually repeat (since at most 264 different blocks can be generated). Will K{IV} necessarily be the first block to be repeated?
Actually, IV will be the first block to be repeated. To see this, note that the previous block to any given block must be the decryption of the given block. So if two blocks are equal, their respective previous blocks are also equal (unless one of them doesn’t have a previous because it is first—namely IV)
6. If a bit error occurs in the transmission of a ciphertext character in 8-bit CFB mode, how far does the error propagate?
Nine plaintext characters are affected. The plaintext character corresponding to the ciphertext character is obviously altered. In addition, the altered ciphertext character enters the shift register and is not removed until the next eight (b/k) characters are processed.
7. Alice and Bob agree to communicate privately via email using a scheme based on RC4, but want to avoid using a new secret key for each transmission. Alice and Bob privately agree on a 128-bit key k. To encrypt a message m, consisting of a string of bits, the following procedure is used: 1. Choose a random 80-bit value v 2. Generate the ciphertext c = RC4(v || k) XOR m 3. Send the bit string (v || c) a. Suppose Alice uses this procedure to send a message m to Bob. Describe how Bob can recover the message m from (v || c) using k. b. If an adversary observes several values (v1 || c1), (v2 || c2), ... transmitted between Alice and Bob, how can he/she determine when the same key stream has been used to encrypt two messages? c. Approximately how many messages can Alice expect to send before the same key stream will be used twice? (Use the approximate result from the birthday paradox) d. What does this imply about the lifetime of the key k (i.e., the number of messages that can be encrypted using k)?
a. By taking the first 80 bits of v || c, we obtain the initialization vector, v. Since v, c, k are known, the message can be recovered (i.e., decrypted) by computing RC4(v || k) c. b. If the adversary observes that vi = vj for distinct i, j then he/she knows that the same key stream was used to encrypt both mi and mj. In this case, the messages mi and mj may be vulnerable to the type of cryptanalysis carried out in part (a). c. Since the key is fixed, the key stream varies with the choice of the 80-bit v, which is selected randomly. Thus, after approximately messages are sent, we expect the same v, and hence the same key stream, to be used more than once. d. The key k should be changed sometime before 240 messages are sent.
8. Suppose H(m) is a collision resistant hash function that maps a message of arbitrary bit length into an n-bit hash value. Is it true that, for all messages x, x' with x != x', we have H(x) != H(x')? Explain your answer.
The statement is false. Such a function cannot be one-to-one because the number of inputs to the function is of arbitrary, but the number of unique outputs is 2n. Thus, there are multiple inputs that map into the same output.
9. This problem provides a numerical example of encryption using a one-round version of DES. We start with the same bit pattern for the key K and the plaintext, namely: in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011 1100 1101 1110 1111 a. Derive K1, the first-round subkey. b. Derive L0, R0. c. Expand R0 to get EXP(R0). d. Calculate A = EXP(R0) XOR K1. e. Group the 48-bit result of (d) into sets of 6 bits and evaluate the corresponding S-box substitutions. f. Concatenate the results of (e) to get a 32-bit result, B. g. Apply the permutation to get P(B). h. Calculate R1 = P(B) XOR L0. i. Write down the ciphertext.
a. in binary notation: 0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101 in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A 5 b. L0, R0 are derived by passing the 64-plaintext through Initial Permutation: L0 = 1100 1100 0000 0000 1100 1100 1111 1111 R0 = 1111 0000 1010 1010 1111 0000 1010 1010 c. EXP(R0) = 011110 100001 010101 010101 011110 100001 010101 010101 d. A = 011100 010001 011100 110010 111000 010101 110011 110000 e. 0 (base 10)=0000 (base 2), 12 (base 10)=1100 (base 2), 2 (base 10)=0010 (base 2), 1 (base 10)=0001 (base 2), 6 (base 10)=0110 (base 2), 13 (base 10)=1101 (base 2), 5 (base 10)=0101 (base 2), 0 (base 10)=0000 (base 2) f. B = 0000 1100 0010 0001 0110 1101 0101 0000 g. P(B) = 1001 0010 0001 1100 0010 0000 1001 1100 h. R1 = 0101 1110 0001 1100 1110 1100 0110 0011 i. L1 = R0. The ciphertext is the concatenation of L1 and R1.