Midterm 1 Flashcards

1
Q

What is a passive attack?

A

When an intruder eavesdrops but does not modify the message stream in any way.

2
Q

What is an active attack?

A

When an intruder transmits messages, replays old messages, modifies messages in transit, or deletes selected messages from the wire.

3
Q

What is a typical active attack?

A

One in which an intruder impersonates one end of the conversation, or acts as a man-in-the-middle.

4
Q

What is authentication?

A

Authentication proves who you are.

5
Q

What is authorization?

A

Authorization defines what you’re allowed to do.

6
Q

Explain the process of authentication and authorization.

A

Typically the way a server decides whether someone should have access to a resource is by first authenticating the user, and then consulting a database associated with the resource that indicates who is allowed to do what with that resource. For instance, the database associated with a file might say that Alice can read it and Bob and Carol can both read and write it. This database is often referred to as an ACL (access control list).

7
Q

What is a Trojan horse?

A

Instructions hidden inside an otherwise useful program that do bad things; the malicious instructions are installed at the time the program is written. Today often found on a web page (ActiveX, plugin).

8
Q

What is a virus?

A

A set of instructions that, when executed, inserts copies of itself into other programs. More recently, the term has been applied to instructions in email messages that, when executed, cause the malicious code to be sent in email to other users.

9
Q

What is a worm?

A

A program that replicates itself by installing copies of itself on other machines across a network.

10
Q

What is a trapdoor?

A

An undocumented entry point intentionally written into a program, often for debugging purposes, which can be exploited as a security flaw.

11
Q

List five types of network security issues.

A

Malware and viruses: These are malicious software that can infect a computer or network and cause damage by stealing sensitive information or disrupting normal operations.
Unauthorized access: This occurs when an unauthorized user gains access to a network or computer system, often through weak passwords or security vulnerabilities. It can result in data theft or modification, as well as system downtime.
Denial of service (DoS) attacks: This is a type of cyber attack that floods a network or server with traffic, overwhelming its capacity and causing it to crash or become unavailable. DoS attacks can be used to disrupt business operations, extort money or cause political disruption.
Phishing and social engineering: These are tactics used by attackers to deceive users into providing sensitive information, such as passwords or credit card numbers, by posing as a trustworthy entity or individual. These attacks often use emails or social media messages to trick users into clicking on malicious links or opening infected attachments.
Insufficient security policies and practices: This includes failures to implement proper security protocols, such as not regularly updating software, weak passwords or not training employees on how to recognize and report security threats. These vulnerabilities can be exploited by attackers to gain access to networks or steal sensitive information.

12
Q

How do you encrypt a message by streaming cipher?

A

Choose a strong encryption algorithm
Generate a key
Start the stream by creating a keystream by encrypting an initialization vector with the encryption key
XOR the plaintext with the keystream to produce the ciphertext
Send the encrypted message over the network and the receiver will use the same encryption key and IV to recover the original plaintext message.

13
Q

In what application scenario is a streaming cipher more favorable than a block cipher?

A

A streaming cipher is more favorable than a block cipher in scenarios where the encryption and decryption of data occur in real-time and with a continuous stream of data, such as in real-time communication protocols like Voice over IP (VoIP) and multimedia streaming. In these scenarios, a block cipher would be inefficient and cause delays due to the need to buffer the data until it can be processed in fixed-size blocks.

On the other hand, a streaming cipher can encrypt the data as it arrives and transmit it securely without buffering or adding any additional delay. Streaming ciphers can also be used in situations where the amount of data is unknown in advance or where the data is generated dynamically, such as in the case of sensor data or stock prices.

Overall, streaming ciphers are more suitable for applications that require real-time encryption of a continuous data stream with minimal overhead and delay. In contrast, block ciphers are more appropriate for scenarios where data can be divided into fixed-size blocks and processed accordingly.

14
Q

Why is public key technology so important for large scale network security applications?

A

Public key cryptography is when there are two keys per user. Each user has a private key and a public key that reverse each other’s effects. A public key is used to encrypt messages or check digital signatures. A public key is paired with a private key specific to the user. In most cases, a public key is made available to every user. This is especially important in large-scale network security applications as it eliminates the sharing of private keys between individual users. When users need to transmit their private keys, it increases the risk of intruders discovering these secret keys during transmission. Public key technology centralizes the system to one known public key, decreasing the risk of cybersecurity attacks. This is especially important when large-scale networks are exchanging millions of messages daily.

15
Q

Consider the scenario that Alice wants to send a long message m to Bob securely. Suppose that Alice and Bob have agreed in advance on the symmetric key encryption algorithm, the public key encryption algorithm, and the hash function, which may be used in the secure communication. You are required to design a security communication scheme for Alice and Bob. Your design should achieve confidentiality, authentication, and message integrity. Also the security should be achieved with an efficient computing overhead, meaning that you should avoid applying public key encryption to the whole long message m. Use a diagram to present your designed security scheme.

A

Alice and Bob establish a secure channel using a symmetric key encryption algorithm, such as AES or 3DES, to exchange a secret key Ks for use in subsequent communications.
Alice encrypts the long message m using the agreed symmetric key encryption algorithm and the secret key Ks to produce ciphertext E(K,m).
Alice computes a message authentication code (MAC) for the ciphertext E(K,m) using a hash function and the secret key Ks, such as HMAC.
Alice sends the ciphertext E(K,m) and the MAC HMAC(K, E(K,m)) to Bob over a separate channel, such as the internet. Bob verifies the MAC using the same hash function and secret key Ks, and accepts the message only if the MAC is valid.
This security scheme achieves confidentiality, authentication, and message integrity. The symmetric key encryption algorithm provides confidentiality by encrypting the message using the secret key Ks, which only Alice and Bob know. The MAC provides authentication and message integrity by ensuring that the ciphertext and the MAC are not tampered with during transmission and that they come from Alice, who knows the secret key Ks. Additionally, the security scheme is efficient because the public key encryption is not applied to the whole long message m, only to the smaller symmetric key Ks.

16
Q

Bob needs to send some messages to Tom. Bob is required to design a scheme to prevent messages from being modified by an intruder. Bob decides to append to each message a hash of that message. Does Bob’s design meet the requirement? If not, please modify Bob’s design to fix the security issue.

A

Bob’s design to append a hash of each message to itself is a good start to ensure message integrity. However, it does not prevent an intruder from modifying the message and recalculating the hash value, leading to the hash value still matching the modified message.

To fix this security issue, Bob should use a message authentication code (MAC) instead of a hash. A MAC is a cryptographic technique that ensures message integrity and authentication. It combines a secret key known only to Bob and Tom with the message to create a unique authentication code that can only be created by someone who knows the secret key. When Tom receives the message and the MAC, he can recalculate the MAC using the same secret key and compare it to the received MAC to verify the message’s integrity.

Therefore, by using a MAC, Bob can prevent an intruder from modifying the message without being detected.

17
Q

What is a playback attack?

A

A playback attack happens when an intruder eavesdrops on a secure communication, intercepts it, and then delays or resends it to trick the receiver. An intruder is able to do this even without decrypting the message as they can just resend the entire thing. This means that even encrypted messages carrying keys within them are susceptible to this attack. This is because the attacker is able to resend the entire message, keys included.

18
Q

How will you design an authentication protocol that is secure against a playback attack?

A

There are a few protocols to defend against this type of attack. One is the generation of random session keys: both sender and receiver establish a random session key that is valid for only one use and is not to be replicated or used again. Another possible protocol is the implementation of timestamps to reduce the window of opportunity for intruders to eavesdrop. Coming directly from the textbook, a user can use a nonce for each connection attempt to avoid replay attacks. A nonce ensures that old communications are not being reused.

19
Q

What is the salt technique?

A

The salt technique is a method used to strengthen password security by adding a random string of characters to a password before it is hashed. This random string is called a salt and makes it more difficult for attackers to use precomputed hash tables or rainbow tables to crack passwords.

20
Q

Why is the salt technique important?

A

The salt technique is important because it significantly increases the difficulty of cracking passwords, thereby enhancing password security. It makes it more challenging for attackers to use precomputed hash tables or rainbow tables to reverse-engineer passwords. Additionally, it prevents the same password from producing the same hash value every time, which adds another layer of security to the process.

21
Q

We know that it is difficult, without public key cryptography, to have an authentication scheme which protects against both eavesdropping and server database disclosure. Consider the following authentication protocol (which is based on Novell version 3 security). Alice knows a password. Bob, a server that will authenticate Alice, stores a hash of Alice’s password. Alice types her password (say fiddlesticks) to her workstation. The following exchange takes place:

Is this an example of an authentication scheme that isn’t based on public key cryptography and yet guards against both eavesdropping and server database disclosure?

A

No, the described authentication scheme does not guard against both eavesdropping and server database disclosure. In this scheme, Alice types her password to her workstation in plaintext, which means that an eavesdropper could intercept and read her password. Additionally, Bob stores a hash of Alice’s password, which could be stolen by an attacker who gains access to Bob’s server database.

Therefore, this authentication scheme is vulnerable to both eavesdropping and server database disclosure.

22
Q

A general way of encrypting a 56-bit block is to take each of the possible 56-bit input values and map it to a unique yet different 56-bit output value. If a table is used to specify such a mapping, how many bits are required to represent the mapping table?

A

If there are 2^56 possible 56-bit input values, and each of them needs to be mapped to a unique and different 56-bit output value, then there will be a total of 2^56 different mappings. To represent this mapping table, we need to use log2(2^56) = 56 bits per entry. Therefore, the total number of bits required to represent the mapping table would be (2^56) x 56 bits, which is equal to 2^64 bits.

23
Q

Please briefly and generally describe the method to design a practical block encryption algorithm.

A

The process of designing a practical block encryption algorithm typically involves defining design criteria, selecting a block cipher design, specifying the key schedule, designing the round function, testing and evaluating the algorithm, and refining the design based on feedback. The goal is to create an algorithm that provides strong security, is efficient and practical to use, and has been thoroughly tested and evaluated for potential vulnerabilities.

24
Q

In the DES algorithm, a DES round is based on the Feistel design as shown in the figure. Suppose the Feistel module has the input pins Ln, Rn, and Kn and output pins Ln+1 and Rn+1. The figure shows that the Feistel module is used for encryption. How can you use the same module for decryption (that is, given data Ln+1 and Rn+1, recover data Ln and Rn)?

A

To use the same Feistel module for decryption, we can simply reverse the order of the round keys. That is, we use the keys in reverse order for decryption, starting with the last key and ending with the first key. Specifically, the decryption process would involve the following steps:

Reverse the order of the round keys: The round keys used for decryption should be the same as those used for encryption, but in reverse order.
Initialize the input to the final round: For decryption, the input to the final round should be the ciphertext rather than the plaintext.
Perform the Feistel rounds in reverse order: Starting with the final round and working backwards, perform the Feistel rounds using the reverse order of the round keys. That is, for each round, use the corresponding round key from the reversed key schedule.
Swap the output: Once all the rounds have been performed, swap the output of the final Feistel round to obtain the plaintext. Specifically, the left and right halves of the output should be swapped to obtain Ln and Rn.

25
Q

The structure of the k-bit cipher feedback mode (CFB) is shown in the figure. Specifically, consider the 16-bit CFB. If a 16-bit block is removed from the ciphertext stream by an attacker, how will the decrypted plaintext be impacted?

A

If a 16-bit block is removed from the ciphertext stream in the 16-bit CFB mode, the corresponding 16-bit block of decrypted plaintext will be incorrect. The CFB mode uses the previous ciphertext block as input to the block cipher to generate the keystream, which is then XORed with the plaintext to produce the ciphertext. If a block is removed from the ciphertext stream, the decryption algorithm will use the previous ciphertext block to generate the keystream for the missing block, resulting in a different plaintext block than what was originally intended. This can cause errors or corruption in the decrypted plaintext beyond the missing block.

26
Q

Regarding multiple encryption DES, using EDE with three keys has a certain security weakness. Please give a practical method for finding a triple of keys that maps a given plaintext to a given ciphertext using EDE.

A

A practical method for finding a triple of keys that maps a given plaintext to a given ciphertext using EDE is known as the meet-in-the-middle attack. This involves encrypting the plaintext with all possible keys in the first stage and decrypting the ciphertext with all possible keys in the third stage, storing the results in two tables. The tables are then compared to find a match, which gives the key used in the second stage. This method requires 2^(2k) computations, where k is the key length in bits. However, with DES, the attack can be reduced to 2^(56+1) computations, which is practical but still very time-consuming. Therefore, using EDE with three keys is not considered secure against determined attackers.

27
Q

Assume that Alice and Bob agree on a 64-bit block cipher algorithm. However, Alice and Bob need to exchange messages over the Internet that are much longer than 64 bits. Please design a security solution for Alice and Bob to ensure both confidentiality and integrity in their communications.

A

To provide both integrity and confidentiality, EDE with CBC inside can be used to encrypt the message. Then, an enhanced message digest (EMD) can be used on the message with the sender’s private key. These can both then be encrypted using a random key K. K can then be encrypted using the receiver’s public key, and all of it is then sent to the receiver.

28
Q

Assume that a strong level of security protection is equivalent to the randomness of 64 bits or more. If a certain security protocol involves cryptographic hash computation, what is the minimum size required for the hash output to ensure a strong security protection? Justify your answer.

A

If a strong level of security protection is equivalent to the randomness of 64 bits or more, the minimum size required for the hash output to ensure a strong security protection is 128 bits or more. This is because a hash function with an output size of n bits should provide at least n/2 bits of security strength, according to the birthday bound theorem. In other words, an attacker should not be able to find two different messages that hash to the same value with more than 2^(n/2) attempts. Therefore, to ensure a strong level of security protection, the output size of the hash function should be at least 128 bits.

29
Q

Design three authentication protocols using secret key, public key, and Lamport’s hash, respectively. Compare the performance of these three protocols.

A

Protocol 1: Secret Key Authentication

Alice and Bob share a secret key KAB.
Alice sends Bob a message m, and appends a message authentication code (MAC) computed as MAC = HMAC(KAB, m).
Bob receives m and MAC, recomputes the MAC using his copy of KAB, and compares it to the received MAC. If they match, Bob accepts the message as authentic.

Protocol 2: Public Key Authentication

Bob generates a key pair (public key PKB, private key SKB) and shares his public key with Alice.
Alice sends Bob a message m, and appends a digital signature computed as SIG = SIGN(SK_B, m).
Bob receives m and SIG, verifies the signature using Alice’s public key, and accepts the message as authentic if the verification succeeds.

Protocol 3: Lamport’s Hash Authentication

Alice and Bob share a hash function H and a secret key KAB.
Alice sends Bob a message m, and appends a sequence of hashes computed as HASH(i) = H^(KI)_i(m) for i = 1, …, n, where KI is the i-th bit of KAB.
Bob receives m and the sequence of hashes, recomputes the hashes using his copy of KAB, and compares them to the received hashes. If they match, Bob accepts the message as authentic.

Performance Comparison:

Secret key authentication is the fastest since it involves only one symmetric key operation for the MAC computation.
Public key authentication is slower than secret key authentication since it involves a digital signature computation using a public key operation, which is typically slower than symmetric key operations.
Lamport’s hash authentication is the slowest since it involves multiple hash computations and a large sequence of hashes, which can be computationally expensive. However, it has the advantage of being resistant to quantum attacks, unlike the other two protocols.

30
Q

Assume that Alice shares a secret key KAB with Bob. Alice needs to compute a message authentication code (MAC) for message m with a given hash algorithm MD. Please design for Alice a MAC computing method that has no known weakness.

A

A secure method for Alice to compute a message authentication code (MAC) for message m using a given hash algorithm MD and a shared secret key KAB is the HMAC (Hash-based Message Authentication Code) method. HMAC uses a nested hash function to combine the secret key and the message, which provides strong security against known attacks. It has been widely adopted as a secure MAC method and is implemented in many cryptographic libraries and protocols.

31
Q

Alice only has the Cipher Block Chaining (CBC) algorithm to use. Given a long message, how can Alice apply the CBC algorithm over the message to achieve both confidentiality and integrity protection?

A

In order to apply the CBC algorithm to the message, Alice would need to divide the message into fixed-length blocks and generate a random IV for the first block. She would then need to XOR the first block with the IV and apply the cipher to the XOR result. For each remaining block, Alice would continue applying the CBC operation by XORing the current plaintext block with the previous cipher text block before encrypting. The outputted ciphertext is sent to the intended recipient. The recipient can then decrypt the message by reversing the CBC operation using the same key and IV. A key characteristic of the CBC method is its use of a chaining process. The algorithm can achieve confidentiality and integrity protection through its use of a symmetric-key cipher algorithm and chaining together each plaintext block with the previous cipher text block. The chaining ensures that an intruder would not be able to modify the data without being detected as all subsequent blocks would be impacted.

32
Q

Alice and Bob share the same key, say KAB. When Alice sends messages to Bob, Alice will attach to each message a message authentication code (MAC) for integrity protection. The MAC will be computed based on a well-known hash algorithm. Please give Alice some suggestions on how to use the hash algorithm for MAC computation.

A

To use the hash algorithm for MAC computation, Alice should do the following. First, she should choose a secure hash algorithm such as SHA-256 and a secure mode of operation such as HMAC. HMAC uses a key-based padding scheme to compute a hash of a message and provide stronger security than most hash functions. She should then make sure that both the message and the shared secret key are included in the MAC computation. This ensures that the MAC is dependent on both the message and the key, making it difficult for an intruder to modify the message. This is done by concatenating the message with the key and then computing the hash using the selected hash algorithm. Alice will also need to ensure the secret key is of sufficient length, at least 128 bits for ample security. It would be ideal for Alice to use a different key for each session to prevent an intruder from recycling a compromised key. The message can be verified by concatenating the secret key and the received message, computing the hash of the concatenated value using the same hash algorithm as the sender, and comparing the hash value with the received MAC. If the MACs match, the message is authentic.

33
Q

How can you use the same Feistel module (considered as an IC chip) for both encryption and decryption?

A
34
Q

Message digests are reasonably fast, but here’s a much faster function to compute. Take your message, divide it into 128-bit chunks, and XOR all the chunks together to get a 128-bit result. Do the standard message digest on the result. Is this a good message digest function?

A

No, this would not provide sufficient security. XORing the message chunks together does not sufficiently mix the input bits; this makes it vulnerable to collision attacks, where different inputs produce the same hash value. It also does not provide any resistance against length extension attacks. Overall, XOR is a weak operation for producing secure message digests. Since XORing message blocks of the same length is reversible, any intruder can easily find a message with the same XOR output as the original message simply by XORing the original with a message of comparable length. As a result, it’s quite easy to generate another message with the same 128-bit XOR output as the original message, so this is not a good approach to generating a secure message digest.

35
Q

In §5.1 Introduction we discuss the devious secretary Bob having an automatic means of generating many messages that Alice would sign, and many messages that Bob would like to send. By the birthday problem, by the time Bob has tried a total of 2^32 messages, he will probably have found two with the same message digest. The problem is, both may be of the same type, which would not do him any good. How many messages must Bob try before it is probable that he’ll have messages with matching digests, and that the messages will be of opposite types?

A

This problem can be solved using the birthday paradox. In theory, the probability of finding two messages with the same digest and opposite types is the same probability of two people sharing a birthday. In order to calculate the number of messages Bob needs to try, you use the birthday paradox formula. The probability that two messages have the same digest and opposite types is 1/2 * 1/2^128 which equals 1/2^129. The probability that Bob has found two messages with the same digest and opposite types is about 1- e^(-N^2/2(2^129)). Since you want this probability to be greater than 0.5, you can then solve for N. As a result, Bob would need about 2^64 messages to have a greater than 50% chance of finding two messages with the same digest and opposite types.

36
Q

Assume a good 128-bit message digest function. Assume there is a particular value, d, for the message digest and you’d like to find a message that has a message digest of d. Given that there are many more 2000-bit messages that map to a particular 128-bit message digest than 1000-bit messages, would you theoretically have to test fewer 2000-bit messages to find one that has a message digest of d than if you were to test 1000-bit messages?

A

A good 128-bit message digest function would be designed in a way that it produces a unique output for each input message, and any change would result in a significant change to the output. So, for any given message digest value d, there could be various possible input messages that produce that message digest value. However, the probability of finding a message with the message digest value d is very low, regardless of length. The probability of finding a message with the message digest value d is proportional to the number of possible messages that provide the message digest value d, not the total number of possible messages. Therefore, testing fewer 2000-bit messages would make no difference as the expected number of messages is 2^128 regardless.

37
Q

We mentioned in §5.2.2 Computing a MAC with a Hash that using MD4(KAB|m) as a MAC is not secure. This is not a problem if MD2 is used instead of MD4. Why is that the case?

A

As noted, using MD4 as a MIC is not secure because it is a broken cryptographic hash function. As a result, MD4 is vulnerable to collision attacks, meaning an intruder can find two different messages that hash to the same value with a high probability. While MD2 is also a broken cryptographic hash function, it is more secure than MD4. MD2 is simpler compared to MD4, with a smaller block size and a slower compression function. This makes it less susceptible to collision attacks. MD2 uses a more complex message padding scheme than MD4, computing a message checksum based on an entire padded message. This makes it more resistant to attacks looking to exploit weaknesses in the padding scheme.

38
Q

Can you modify the encryption specified in §5.2.3.2 Mixing In the Plaintext so that instead of b_i = MD(KAB|c_(i-1)) we use b_i = MD(KAB|p_(i-1))? How do you decrypt it? Why wouldn’t the modified scheme be as secure? (Hint: what would happen if the plaintext consisted of all zeroes?)

A

The original scheme uses b_i = MD(KAB|c_(i-1)), where KAB is the shared secret key between both parties, c_(i-1) is the previous cipher text block, and MD is the hash function. The formula is used to calculate a new value b_i which is XORed with the plaintext block p_i to obtain the cipher text block. If you modify the scheme to use p_i instead of c_i, you would mix the key with the plaintext block rather than the ciphertext block. In order to decrypt, you would use the same KAB and the modified formula to calculate the b_i values. Then, you would XOR the b_i values with the cipher text blocks c_i to obtain the plaintext. However, the modified scheme would not be as secure as the original scheme. This is because if the plaintext consisted of all zeroes, then all the ciphertext blocks would also be all zeroes, which would reveal the key used to encrypt the message. In the original scheme, this would not happen because the formula includes the previous ciphertext block, which is not known to the intruder. In addition, using the plaintext instead of the ciphertext in the formula could potentially leak information about the plaintext and make certain attacks easier to carry out.

39
Q

Token cards display a number that changes periodically, perhaps every minute. Each such device has a unique secret key. A human can prove possession of a particular such device by entering the displayed number into a computer system. The computer system knows the secret keys of each authorized device. How would you design such a device?

A

To design a token card device, also known as two-factor authentication, you would need to do the following. First, generate a unique secret key for each authorized device. Then, use an algorithm to generate a time-based one-time password that periodically changes. This TOTP will need to be displayed on the token card’s screen. To prove possession, the user enters the displayed TOTP into the computer system. The computer would then generate the same TOTP using the secret key and current logged time. If they match, the user is in possession of the authorized device.

40
Q

Make an argument as to why the initial permutation of the bits of the DES key cannot have any security value.

A

Before the key in a DES is used for encryption or decryption, it undergoes an initial permutation step. Since the IP step is a fixed permutation table that is publicly known, it does not add any security value. Any intruder knowing the IP table can easily reverse the permutation and recover the original key. Additionally, the IP step only rearranges the bits of the key and does not change the key’s value. Since the key is only 56 bits in length, it is vulnerable to brute-force attacks. Lastly, the IP step happens prior to the key being used in any rounds of encryption or decryption. This means an intruder would be able to recover the original key by reverse engineering the IP step if they compromised the encryption algorithm.

41
Q

Why is a DES weak key (see §3.3.6 Weak and Semi-Weak Keys) its own inverse? Hint: DES encryption and decryption are the same once the per-round keys are generated.

A

Each 64-bit plaintext block is divided into two 32-bit halves. Each half undergoes a series of 16 rounds of substitution and permutation operations, using a different 48-bit subkey in each round. The subkeys are derived from a 56-bit key using a key schedule algorithm. A DES weak key is an encryption key that causes the outputted ciphertext to be the same as the plaintext. This is a result of the generated subkeys being identical in each round, which causes the encryption and decryption operations to cancel each other out. This means that encrypting a plaintext with a weak key produces the same output as decrypting that output with the same weak key. In other words, the weak key is its own inverse.

42
Q

Show that DES encryption and decryption are identical except for the order of the 48-bit keys. Hint: running a round backwards is the same as running it forwards but with the halves swapped (see §3.3.4 A DES Round), and DES has a swap after round 16 when run forwards (see §3.3.1 DES Overview).

A
43
Q

What pseudo-random block stream is generated by 64-bit OFB with a weak DES key?

A

The 64-bit OFB mode of operation is a stream cipher mode that generates a pseudo-random stream of blocks based on a key and an initialization vector. Assuming a weak DES key is used in the 64-bit OFB mode, the resulting pseudo-random block stream would still appear random and unpredictable to anyone who does not know the key or IV. The stream would be K(IV),IV,K(IV),IV…

44
Q

Let’s assume you do DES double encryption by encrypting with K1 and doing DES in decrypt mode with K2. Does the same attack work as with double encryption with K1 and K2? If not, how could it be made to work?

A

No, the method of double encryption using K1 and then decrypting with K2 is not the same as double encryption with K1 and K2. With double encryption using K1 and K2, the plaintext is encrypted twice, with two different keys. This means that the resulting ciphertext is more secure than single encryption since an attacker would need to crack both keys to obtain the original plaintext. In the case of encrypting with K1 and then decrypting with K2, the resulting ciphertext is not as secure as double encryption with K1 and K2. The reason for this is that the second encryption step is done in decrypt mode, which means that the ciphertext is actually decrypted using the second key (K2) instead of being encrypted with it. This can lead to weaknesses in the resulting ciphertext. In order for this to work, it is important to use the correct method of double encryption with two different keys for both steps.

45
Q

What is a practical method for finding a triple of keys that maps a given plaintext to a given ciphertext using EDE? Hint: It is like the meet-in-the-middle attack of §4.4.1.2 Encrypting Twice with Two Keys.

A

The process of finding a triple of keys that maps a given plaintext to a given ciphertext using EDE (Encrypt-Decrypt-Encrypt) can be done using a meet-in-the-middle attack.
First, you would need to choose a plaintext and a corresponding ciphertext to map using EDE. You would then need to encrypt the plaintext with all possible values of the first key (K1) to obtain a set of intermediate ciphertexts. Then, you would need to decrypt the ciphertext with all possible values of the second key (K2) to obtain a set of intermediate plaintexts. You would then encrypt again each intermediate plaintext obtained with all possible values of the third key (K3) to obtain a set of final ciphertexts. You would then check the intermediate ciphertexts to see if they matched the final ciphertexts. If a match is found, then the corresponding values of K1, K2, and K3 are the triple of keys that maps the given plaintext to the given ciphertext.
Note that the number of keys that need to be tried in each step is proportional to the key length. This method can be computationally expensive for large key lengths, but it is a practical method for smaller key lengths.

46
Q

Let’s assume that someone does triple encryption by using EEE with CBC on the inside. Suppose an attacker modifies bit x of ciphertext block n. How does this affect the decrypted plaintext?

A

If an attacker modifies bit x of the ciphertext block n in triple encryption using EEE with CBC on the inside, it will cause the corresponding bit to flip in the decrypted plaintext of the same block. In CBC mode, each plaintext block is XOR-ed with the previous ciphertext block before encryption. Therefore, any modification to a ciphertext block will affect the decryption of that block and the subsequent blocks. In triple encryption with CBC on the inside, the plaintext is encrypted three times using the same key. Each encryption round produces a ciphertext that is used as the plaintext for the next round. Therefore, a modification in the first encryption round will propagate through the subsequent encryption rounds and affect the corresponding decrypted plaintext block. With the triple encryption, the modification to ciphertext block n would propagate to plaintext block n through n+3.

47
Q

Random J. Protocol-Designer has been told to design a scheme to prevent messages from being modified by an intruder. Random J. decides to append to each message a hash of that message. Why doesn’t this solve the problem? (We know of a protocol that uses this technique in an attempt to gain security.)

A

A hash function is a mathematical transformation that transforms a message into a fixed-length number. A hash is relatively easy to generate and append to a message. If the appended hash is the same as the message, the hash would be easily deduced. If an intruder knows the hash function, they can easily modify and corrupt a message.

48
Q

Suppose Alice, Bob, and Carol want to use secret key technology to authenticate each other. If they all used the same secret key K, then Bob could impersonate Carol to Alice (actually any of the three can impersonate the other to the third). Suppose instead that each had their own secret key, so Alice uses KA, Bob uses KB, and Carol uses KC. This means that each one, to prove his or her identity, responds to a challenge with a function of his or her secret key and the challenge. Is this more secure than having them all use the same secret key K? (Hint: what does Alice need to know in order to verify Carol’s answer to Alice’s challenge?)

A

Secret key cryptography is the use of a single key with a plaintext message. Public key cryptography combines the use of a public and a private key. Each user is provided with two sets of keys, one they share and one that they keep to themselves. Everyone having their own secret key is not more secure. This is because in order for Alice to verify Carol’s answer, she would need to know her key. Therefore, they would all need to know each other’s keys to verify the message. As a result, they would all be able to impersonate each other.

49
Q

As described in §2.6.4 Downline Load Security, it is common, for performance reasons, to sign a message digest of a message rather than the message itself. Why is it so important that it be difficult to find two messages with the same message digest?

A

The downline load scheme means that devices keep a bootstrap program to obtain and run a program from the network. To ensure a downline load program hasn’t been corrupted, you can compute the hash of the loaded program. If a message digest has not been changed, the data has not been changed. Therefore, if there are two messages with the same digest, one could be corrupted and go unnoticed.

50
Q

What’s wrong with the protocol in §2.4.4 Authentication? (Hint: assume Alice can open two connections to Bob.)

A

If Alice and Bob communicate, they share Kab and want to verify that they are communicating with each other. They each pick a random challenge number. The response is the value x encrypted with the key Kab. In the scope of the example, Alice can open two communications to Bob. Since Alice doesn’t need to know Kab for Bob’s challenge, she could just open a second line of communication. The second communication line could challenge him with rb to take his response to respond to the first challenge.

51
Q

Assume a cryptographic algorithm in which the performance for the good guys (the ones that know the key) grows linearly with the length of the key, and for which the only way to break it is a brute-force attack of trying all possible keys. Suppose the performance for the good guys is adequate (e.g., it can encrypt and decrypt as fast as the bits can be transmitted over the wire) at a certain size key. Then suppose advances in computer technology make computers twice as fast. Given that both the good guys and the bad guys get faster computers, does this advance in computer speed work to the advantage of the good guys, the bad guys, or does it not make any difference?

A

With the advancement in speed, this would allow the good guys to double their key size (2e). The bad guys would then need to search through a squared value which does not scale linearly like the good guys. This would make it significantly harder for the bad guys as the good guys linearly scaled while the bad guys squared.

52
Q

In §9.6 Eavesdropping and Server Database Reading we asserted that it is extremely difficult, without public key cryptography, to have an authentication scheme which protects against both eavesdropping and server database disclosure. Consider the following authentication protocol (which is based on Novell version 3 security). Alice knows a password. Bob, a server that will authenticate Alice, stores a hash of Alice’s password. Alice types her password (say fiddlesticks) to her workstation. The following exchange takes place: Is this an example of an authentication scheme that isn’t based on public key cryptography and yet guards against both eavesdropping and server database disclosure?

A

No, this example is not based on public key cryptography. As the hash of her password is stored on her workstation, it is easy to eavesdrop or impersonate her workstation. Her key being sent through a non-secure channel would also allow an intruder to access the workstation. Hashing her password before transferring to the workstation could provide more security.