ECE454/CS594 Computer and Network Security

1
ECE454/CS594 Computer and Network Security

• Dr. Jinyuan (Stella) Sun
• Dept. of Electrical Engineering and Computer
  Science
• University of Tennessee
• Fall 2011

2
Exercise 1 Chapters 1-5
3
Review Questions
4

• 1. What are the essential ingredients of a
  symmetric cipher?
• Plaintext, encryption algorithm, secret key,
  ciphertext, decryption algorithm.
• 2. What are the two basic functions used in
  encryption algorithms?
• Permutation and substitution.
• 3. How many keys are required for two people to
  communicate via a cipher?
• One key for symmetric ciphers, two keys for
  asymmetric ciphers.
• 4. What is the difference between a block cipher
  and a stream cipher?
• A stream cipher is one that encrypts a digital
  data stream one bit or one byte at a time. A
  block cipher is one in which a block of plaintext
  is treated as a whole and used to produce a
  ciphertext block of equal length.
• 5. What are the two general approaches to
  attacking a cipher?
• Cryptanalysis and brute force.

5

• 6. What is the difference between an
  unconditionally secure cipher and a
  computationally secure cipher?
• An encryption scheme is unconditionally secure
  if the ciphertext generated by the scheme does
  not contain enough information to determine
  uniquely the corresponding plaintext, no matter
  how much ciphertext is available. An encryption
  scheme is said to be computationally secure if
  (1) the cost of breaking the cipher exceeds the
  value of the encrypted information, and (2) the
  time required to break the cipher exceeds the
  useful lifetime of the information.
• 7. What are two problems with the one-time pad?
• 1) There is the practical problem of making
  large quantities of random keys. Any heavily used
  system might require millions of random
  characters on a regular basis. Supplying truly
  random characters in this volume is a significant
  task.
• 2) Even more daunting is the problem of key
  distribution and protection. For every message to
  be sent, a key of equal length is needed by both
  sender and receiver. Thus, a mammoth key
  distribution problem exists.

6

• 8. List ways in which secret keys can be
  distributed to two communicating parties.
• 1) A can select a key and physically deliver
  it to B.
• 2) A third party can select the key and
  physically deliver it to A and B.
• 3) If A and B have previously and recently
  used a key, one party can transmit the new key to
  the other, encrypted using the old key.
• 4) If A and B each has an encrypted connection
  to a third party C, C can deliver a key on the
  encrypted links to A and B.
• 9. What types of attacks are addressed by message
  authentication?
• Masquerade Insertion of messages into the
  network from a fraudulent source. This includes
  the creation of messages by an opponent that are
  purported to come from an authorized entity. Also
  included are fraudulent acknowledgments of
  message receipt or nonreceipt by someone other
  than the message recipient. Content modification
  Changes to the contents of a message, including
  insertion, deletion, transposition, and
  modification. Sequence modification Any
  modification to a sequence of messages between
  parties, including insertion, deletion, and
  reordering. Timing modification Delay or replay
  of messages. In a connection-oriented
  application, an entire session or sequence of
  messages could be a replay of some previous valid
  session, or individual messages in the sequence
  could be delayed or replayed. In a connectionless
  application, an individual message (e.g.,
  datagram) could be delayed or replayed.

7

• 10. What two levels of functionality comprise a
  message authentication or digital signature
  mechanism?
• At the lower level, there must be some sort
  of function that produces an authenticator a
  value to be used to authenticate a message. This
  lower-level function is then used as primitive in
  a higher-level authentication protocol that
  enables a receiver to verify the authenticity of
  a message.
• 11. What are some approaches to producing message
  authentication?
• Message encryption, message authentication
  code, digitally signature.
• 12. When a combination of symmetric encryption
  and an error control code (e.g., CRC) is used for
  message authentication, in what order must the
  two functions be performed?
• Error control code, then encryption.
• 13. What is the difference between a message
  authentication code and a one-way hash function?
• A hash function, by itself, does not provide
  message authentication. A secret key must be used
  in some fashion with the hash function to produce
  authentication. A MAC, by definition, uses a
  secret key to calculated a code used for
  authentication.

8

• 14. Is it necessary to recover the secret key in
  order to attack a MAC algorithm?
• No. See problem with h(keym).
• 15. What characteristics are needed in a secure
  hash function?
• 1) H can be applied to a block of data of
  any size.
• 2) H produces a fixed-length output.
• 3) H(x) is relatively easy to compute for
  any given x, making both hardware and software
  implementations practical.
• 4) For any given value h, it is
  computationally infeasible to find x such that
  H(x) h. This is sometimes referred to in the
  literature as the one-way property.
• 5) For any given block x, it is
  computationally infeasible to find y ? x with
  H(y) H(x).
• 6) It is computationally infeasible to find
  any pair (x, y) such that H(x) H(y).
• 16. What is the role of a compression function in
  a hash function?
• A typical hash function uses a compression
  function as a basic building block, and involves
  repeated application of the compression function.

9

• 17. Why has there been an interest in developing
  a message authentication code derived from a
  cryptographic hash function as opposed to one
  derived from a symmetric cipher?
• 1) Cryptographic hash functions such as MD5
  and SHA generally execute faster in software than
  symmetric block ciphers such as DES. 2) Library
  code for cryptographic hash functions is widely
  available.
• 18. What changes in HMAC are required in order to
  replace one underlying hash function with
  another?
• To replace a given hash function in an HMAC
  implementation, all that is required is to remove
  the existing hash function module and drop in the
  new module.

10
Problems
11

• 1. One way to solve the key distribution problem
  is to use a line from a book that both the sender
  and the receiver possess. Typically, at least in
  spy novels, the first sentence of a book serves
  as the key. The particular scheme discussed in
  this problem is from one of the best suspense
  novels involving secret codes, Talking to Strange
  Men, by Ruth Rendell. Work this problem without
  consulting that book! Consider the following
  message
• SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
• This ciphertext was produced using the first
  sentence of The Other Side of Silence (a book
  about the spy Kim Philby)
• The snow lay thick on the steps and the
  snowflakes driven by the wind looked black in the
  headlights of the cars.
• A simple substitution cipher was used.
• a. What is the encryption algorithm?
• b. How secure is it?
• c. To make the key distribution problem simple,
  both parties can agree to use the first or last
  sentence of a book as the key. To change the key,
  they simply need to agree on a new book. The use
  of the first sentence would be preferable to the
  use of the last. Why?

12

• a. The first letter t corresponds to A, the
  second letter h corresponds to B, e is C, s is D,
  and so on. Second and subsequent occurrences of a
  letter in the key sentence are ignored. The
  result
•  
• ciphertext SIDKHKDM AF HCRKIABIE SHIMC KD
  LFEAILA
• plaintext basilisk to leviathan blake is
  contact
•  
• b. It is a monalphabetic cipher and so easily
  breakable.
• c. The last sentence may not contain all the
  letters of the alphabet. If the first sentence is
  used, the second and subsequent sentences may
  also be used until all 26 letters are encountered.

13

• 2. In one of Dorothy Sayers's mysteries, Lord
  Peter is confronted with the message shown below.
  He also discovers the key to the message, which
  is a sequence of integers
• 787656543432112343456567878878765654
• 3432112343456567878878765654433211234
• a. Decrypt the message. Hint What is the largest
  integer value?
• b. If the algorithm is known but not the key, how
  secure is the scheme?
• c. If the key is known but not the algorithm, how
  secure is the scheme?

14

• a. Lay the message out in a matrix 8 letters
  across. Each integer in the key tells you which
  letter to choose in the corresponding row.
  Result
• He sitteth between the cherubims. The isles may
  be glad thereof. As the rivers in the south.
• b. Quite secure. In each row there is one of
  eight possibilities. So if the ciphertext is 8n
  letters in length, then the number of possible
  plaintexts is 8n.
• c. Not very secure. Lord Peter figured it out.
  (from The Nine Tailors)

15

• 3. For any block cipher, the fact that it is a
  nonlinear function is crucial to its security. To
  see this, suppose that we have a linear block
  cipher EL that encrypts 128-bit blocks of
  plaintext into 128-bit blocks of ciphertext. Let
  EL(k, m) denote the encryption of a 128-bit
  message m under a key k (the actual bit length of
  k is irrelevant). Thus
• EL(k, m1 XOR m2) EL(k, m1) XOR EL(k, m1)
  for all 128-bit patterns m1, m2
• Describe how, with 128 chosen ciphertexts, an
  adversary can decrypt any ciphertext without
  knowledge of the secret key k. (A "chosen
  ciphertext" means that an adversary has the
  ability to choose a ciphertext and then obtain
  its decryption. Here, you have 128
  plaintext/ciphertext pairs to work with and you
  have the ability to choose the value of the
  ciphertexts.)

16

• For 1 i 128, take ci ? 0, 1128 to be the
  string containing a 1 in position i and then
  zeros elsewhere. Obtain the decryption of these
  128 ciphertexts. Let m1, m2, . . . , m128 be the
  corresponding plaintexts. Now, given any
  ciphertext c which does not consist of all zeros,
  there is a unique nonempty subset of the cis
  which we can XOR together to obtain c. Let I(c)
  ? 1, 2, . . . , 128 denote this subset. Observe
•  
•  
•  
• Thus, we obtain the plaintext of c by computing
  . Let 0 be the all-zero string. Note
  that 0 0 ? 0. From this we obtain E(0) E(0 ?
  0) E(0) ? E(0) 0. Thus, the plaintext of c
  0 is m 0. Hence we can decrypt every c ? 0,
  1128.

17

• 4. With the ECB mode of DES, if there is an error
  in a block of the transmitted ciphertext, only
  the corresponding plaintext block is affected.
  However, in the CBC mode, this error propagates.
  For
• example, an error in the transmitted C1 obviously
  corrupts P1 and P2.
• a. Are any blocks beyond P2 affected?
• b. Suppose that there is a bit error in the
  source version of P1. Through how many ciphertext
  blocks is this error propagated? What is the
  effect at the receiver?

18

• a. No. For example, suppose C1 is corrupted. The
  output block P3 depends only on the input blocks
  C2 and C3.
• b. An error in P1 affects C1. But since C1 is
  input to the calculation of C2, C2 is affected.
  This effect carries through indefinitely, so that
  all ciphertext blocks are affected. However, at
  the receiving end, the decryption algorithm
  restores the correct plaintext for blocks except
  the one in error. You can show this by writing
  out the equations for the decryption. Therefore,
  the error only effects the corresponding
  decrypted plaintext block.

19

• 5. The pseudo-random stream of blocks generated
  by 64-bit OFB must eventually repeat (since at
  most 264 different blocks can be generated). Will
  KIV necessarily be the first block to be
  repeated?

20

• Actually, IV will be the first block to be
  repeated. To see this, note that the previous
  block to any given block must be the decryption
  of the given block. So if two blocks are equal,
  their respective previous blocks are also equal
  (unless one of them doesnt have a previous
  because it is firstnamely IV)

21

• 6. If a bit error occurs in the transmission of a
  ciphertext character in 8-bit CFB mode, how far
  does the error propagate?

22

• Nine plaintext characters are affected. The
  plaintext character corresponding to the
  ciphertext character is obviously altered. In
  addition, the altered ciphertext character enters
  the shift register and is not removed until the
  next eight (b/k) characters are processed.

23

• 7. Alice and Bob agree to communicate privately
  via email using a scheme based on RC4, but want
  to avoid using a new secret key for each
  transmission. Alice and Bob privately agree on a
  128-bit key k. To encrypt a message m, consisting
  of a string of bits, the following procedure is
  used
• 1. Choose a random 80-bit value v
• 2. Generate the ciphertext c RC4(v k) XOR m
• 3. Send the bit string (v c)
• a. Suppose Alice uses this procedure to send a
  message m to Bob. Describe how Bob can recover
  the message m from (v c) using k.
• b. If an adversary observes several values (v1
  c1), (v2 c2), ... transmitted between Alice
  and Bob, how can he/she determine when the same
  key stream has been used to encrypt two messages?
  
• c. Approximately how many messages can Alice
  expect to send before the same key stream will be
  used twice? (Use the approximate result from the
  birthday paradox)
• d. What does this imply about the lifetime of the
  key k (i.e., the number of messages that can be
  encrypted using k)?

24

• a. By taking the first 80 bits of v c, we
  obtain the initialization vector, v. Since v, c,
  k are known, the message can be recovered (i.e.,
  decrypted) by computing RC4(v k) ? c.
• b. If the adversary observes that vi vj for
  distinct i, j then he/she knows that the same key
  stream was used to encrypt both mi and mj. In
  this case, the messages mi and mj may be
  vulnerable to the type of cryptanalysis carried
  out in part (a).
• c. Since the key is fixed, the key stream varies
  with the choice of the 80-bit v, which is
  selected randomly. Thus, after approximately
  messages are sent, we expect the same v, and
  hence the same key stream, to be used more than
  once.
• d. The key k should be changed sometime before
  240 messages are sent.

25

• 8. Suppose H(m) is a collision resistant hash
  function that maps a message of arbitrary bit
  length into an n-bit hash value. Is it true that,
  for all messages x, x' with x ! x', we have H(x)
  ! H(x')? Explain your answer.

26

• The statement is false. Such a function cannot be
  one-to-one because the number of inputs to the
  function is of arbitrary, but the number of
  unique outputs is 2n. Thus, there are multiple
  inputs that map into the same output.

27

• 9. This problem provides a numerical example of
  encryption using a one-round version of DES. We
  start with the same bit pattern for the key K and
  the plaintext, namely
• in hexadecimal notation 0 1 2 3 4 5 6 7 8 9 A
  B C D E F
• in binary notation 0000 0001 0010 0011 0100
  0101 0110 0111
• 1000 1001 1010 1011
  1100 1101 1110 1111
• a. Derive K1, the first-round subkey.
• b. Derive L0, R0.
• c. Expand R0 to get EXP(R0).
• d. Calculate A EXP(R0) XOR K1.
• e. Group the 48-bit result of (d) into sets of 6
  bits and evaluate the corresponding S-box
  substitutions.
• f. Concatenate the results of (e) to get a 32-bit
  result, B.
• g. Apply the permutation to get P(B).
• h. Calculate R1 P(B) XOR L0.
• i. Write down the ciphertext.

28

• a. in binary notation 0000 1011 0000 0010 0110
  0111
• 1001 1011 0100 1001 1010 0101
• in hexadecimal notation 0 B 0 2 6 7 9 B 4 9 A
  5
•  b. L0, R0 are derived by passing the
  64-plaintext through Initial Permutation 
• L0 1100 1100 0000 0000 1100 1100 1111 1111
• R0 1111 0000 1010 1010 1111 0000 1010 1010
•  c. EXP(R0) 011110 100001 010101 010101 011110
  100001 010101 010101
•  d. A 011100 010001 011100 110010 111000 010101
  110011 110000
•  e. 0 (base 10)0000 (base 2), 12 (base 10)1100
  (base 2), 2 (base 10)0010 (base 2), 1 (base
  10)0001 (base 2), 6 (base 10)0110 (base 2), 13
  (base 10)1101 (base 2), 5 (base 10)0101 (base
  2), 0 (base 10)0000 (base 2) 
• f. B 0000 1100 0010 0001 0110 1101 0101 0000
• g. P(B) 1001 0010 0001 1100 0010 0000 1001 1100
• h. R1 0101 1110 0001 1100 1110 1100 0110 0011
• i. L1 R0. The ciphertext is the concatenation
  of L1 and R1.