100 likes | 191 Views
Exercises 2013-04-18. Information Security Course Eric Laermans – Tom Dhaene. Exercise 1 (1). RSA PKCS#1 v1.5 “Million Message Attack” (MMA): illustration of principle Given C (= M e mod n ), n and e M formatted according to PKCS#1 v1.5 ( M = 00||02||PS||00||D)
E N D
Exercises2013-04-18 Information Security Course Eric Laermans – Tom Dhaene
Exercise 1 (1) • RSA PKCS#1 v1.5 • “Million Message Attack” (MMA): illustration of principle • Given • C (= Me mod n), n and e • M formatted according to PKCS#1 v1.5 (M = 00||02||PS||00||D) • error message from victim if decryption of C’ fails because of erroneous formatting • Question • find a strategy to recover M • hint: think of the multiplicative properties of RSA Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 1 (2) • RSA-formatting: MMA • illustration using more limited formatting • Given • formatting: M = 0010xxxx • n = 187; e = 3; C = 81 • Question • find M • hint: 32 ≤ M ≤ 47 Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 2 • ElGamal • Given • in ElGamal-encryption or –signature, and also in DSA, a unique and secret random value k is used • Question • what happens if an attacker knows k? • what are the consequences if the random value k is reused: • in ElGamal-encryption? • in ElGamal-signature? • in DSA? Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 3 • ElGamal • Given: • RSA-signatures exhibit the issue of “existential forgery”, i.e. given some messages with their corresponding RSA-signatures, it is possible to generate new signed messages using RSA’s multiplicative properties, without requiring knowledge about the private key • Question: • is there a similar problem with ElGamal-signatures? Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 4 • ElGamal • Given: • in ElGamal-encryption of –signature, and in DSA, a unique and secret random value k is used • Question: • how could the owner of the private key used in the digital signature add hidden information without the person receiving the signature noticing? • such a technique is called a “subliminal channel” • can you find a way to use (a small part) of this subliminal channel without needing to use the private key for this purpose? (harder) Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 5 • Hash functions • Given • a hash function with a hash value of n bits, e.g. 128 bits • a limited storage capacity (N1 hash values), e.g. 1 TB • you may assume N1≪ 2n/2 • Question: • how many hash computations are required to find two messages with identical hash values with a given probability P (e.g. 95%)? • compute this with the given values • suppose a modern PC can compute 10 million hash values per second, how much time would be required? Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 6 • Hash functions • Given: • a competition at XKCD to generate a hash value with as many bits as possible corresponding to the bits of a givcen hash value (Skein-1024-1024) • Skein is 1 of the 5 finalists for SHA-3, used here with a 1024 bit hash value and 1024 bit internal state • winner was CMU, with only 384 wrong bits on 1024 (i.e. 640 corresponding bits) • Question: • compute if this result is an indication of some weakness in the weak collision resistance for the hash algorithm used • i.e. compute how many hash values should typically be generated to obtain a hash value with at most 384 bits (on 1024) differing from the bits of the original hash values, assuming that hash values are uniformly randomly distributed • does this seem a feasible number? Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 6 • Hash functions • Hints: • NCk = N!/(k!(N–k)!) • number of combinations of k elementes from a group of N • for k sufficiently small w.r.t. N • ∑(j:0..k . NCj ) ≈ (N–k–1)/(N–2*k–1)* NCk • for k more in the neighbourhood of N/2 • ∑(j:0..k . NCj ) ≈ CDF_Norm(N/2,sqrt(N)/2) (k+½) • central limit theorem • CDF_Norm(mean, stdev) (x) = Φ((x–mean)/stdev) • Φ(x) = ½ + ½ *erf(x/sqrt(2)) • erf(x) ≈ 1–(a1*t+ a2*t²+ a3*t³)*exp(-x²) • with t=1/(1+p*x) • with p=0,47047 and a1=0,3480242 and a2=-0,0958798 and a3=0,7478556 • best approximation is minimum of both Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans
Exercise 7 • Hash functions • Given • 11,4 million 1024 bit RSA-keys, of which the prime factors were generated randomly • Question • estimate the probability that at least two keys in this set have a common prime factor • Note • according to http://eprint.iacr.org/2012/064.pdf however 26965 keys shared a prime factor with another RSA-key Information Security Vakgroep Informatietechnologie – IBCN – Eric Laermans