
ieg4130-hw1


Page 1: ieg4130-hw1

traffic analysis

Review Questions

1.1 What is the OSI security architecture?

1.2 What is the difference between passive and active security threats?

1.3 List and briefly define categories of passive and active security attacks.

1.4 List and briefly define categories of security services.

1.5 List and briefly define categories of security mechanisms.

Problems

1.1 Draw a matrix similar to Table 1.4 that shows the relationship between security services and attacks.

1.2 Draw a matrix similar to Table 1.4 that shows the relationship between security mechanisms and attacks.

Page 2: ieg4130-hw1

Playfair cipher

polyalphabetic cipher

rail fence cipher

single-key encryption

steganography

stream cipher

symmetric encryption

transposition cipher

unconditionally secure

Vigenère cipher

Review Questions

2.1 What are the essential ingredients of a symmetric cipher?

2.2 What are the two basic functions used in encryption algorithms?

2.3 How many keys are required for two people to communicate via a cipher?

2.4 What is the difference between a block cipher and a stream cipher?

2.5 What are the two general approaches to attacking a cipher?

2.6 List and briefly define types of cryptanalytic attacks based on what is known to the attacker.

2.7 What is the difference between an unconditionally secure cipher and a computationally secure cipher?

2.8 Briefly define the Caesar cipher.

2.9 Briefly define the monoalphabetic cipher.

2.10 Briefly define the Playfair cipher.

2.11 What is the difference between a monoalphabetic cipher and a polyalphabetic cipher?

2.12 What are two problems with the one-time pad?

2.13 What is a transposition cipher?

Page 3: ieg4130-hw1

2.14 What is steganography?

Problems

2.1 A generalization of the Caesar cipher, known as the affine Caesar cipher, has the following form: For each plaintext letter p, substitute the ciphertext letter C:

C = E([a, b], p) = (ap + b) mod 26


A basic requirement of any encryption algorithm is that it be one-to-one. That is, if p ≠ q, then E(k, p) ≠ E(k, q). Otherwise, decryption is impossible, because more than one plaintext character maps into the same ciphertext character. The affine Caesar cipher is not one-to-one for all values of a. For example, for a = 2 and b = 3, E([a, b], 0) = E([a, b], 13) = 3.

a. Are there any limitations on the value of b? Explain why or why not.

b. Determine which values of a are not allowed.

c. Provide a general statement of which values of a are and are not allowed. Justify your statement.
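
An added example, not part of the original problem set: the affine Caesar cipher of Problem 2.1 in Python, with a brute-force check of the one-to-one requirement that reproduces the collision quoted above for a = 2, b = 3. The function names and the sample plaintext are constructed for illustration.

```python
import string

ALPHABET = string.ascii_lowercase  # p = 0 is 'a', p = 25 is 'z'


def encrypt_letter(a, b, p):
    """C = E([a, b], p) = (ap + b) mod 26, on letter indices 0..25."""
    return (a * p + b) % 26


def collisions(a, b):
    """Map each ciphertext index to the plaintext indices that produce it,
    keeping only ciphertext values reached by more than one plaintext."""
    preimages = {}
    for p in range(26):
        preimages.setdefault(encrypt_letter(a, b, p), []).append(p)
    return {c: ps for c, ps in preimages.items() if len(ps) > 1}


def is_one_to_one(a, b):
    """True when no two plaintext letters share a ciphertext letter."""
    return not collisions(a, b)


def encrypt(a, b, text):
    return "".join(
        ALPHABET[encrypt_letter(a, b, ALPHABET.index(ch))] if ch in ALPHABET else ch
        for ch in text.lower()
    )


def decrypt(a, b, text):
    """Invert by table lookup; refuse keys for which decryption is ambiguous."""
    if not is_one_to_one(a, b):
        raise ValueError(f"key [a={a}, b={b}] is not one-to-one: {collisions(a, b)}")
    inverse = {encrypt_letter(a, b, p): p for p in range(26)}
    return "".join(
        ALPHABET[inverse[ALPHABET.index(ch)]] if ch in ALPHABET else ch
        for ch in text.lower()
    )


if __name__ == "__main__":
    print(collisions(2, 3)[3])        # plaintext indices that both encrypt to 3
    sample = "affine cipher"          # constructed sample plaintext
    ct = encrypt(5, 8, sample)
    print(ct, "->", decrypt(5, 8, ct))
```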

2.2 How many one-to-one affine Caesar ciphers are there?

2.3 A ciphertext has been generated with an affine cipher. The most frequent letter of the ciphertext is 'B', and the second most frequent letter of the ciphertext is 'U'. Break this code.

2.4 The following ciphertext was generated using a simple substitution algorithm:

53 305))6*;4826)4 .)4 );806*;48 8¶60))85;;]8*;: *8 83

(88)5* ;46(;88*96*?;8)* (;485);5* 2:* (;4956*2(5*-4)88*

;4069285);)6 8)4 ‡;1( 9;48081;8:8 1;48 85;4)485 528806*81

( 9;48;(88;4( ?34;48)4 ;161;:188; ?;

Decrypt this message. Hints:

1. As you know, the most frequently occurring letter in English is e. Therefore, the first or second (or perhaps third?) most common character in the message is likely to stand for e. Also, e is often seen in pairs (e.g., meet, fleet, speed, seen, been, agree, etc.). Try to find a character in the ciphertext that decodes to e.

2. The most common word in English is "the." Use this fact to guess the characters that stand for t

Page 4: ieg4130-hw1

Thus, Stein's algorithm works in roughly the same number of steps as the Euclidean algorithm.

d. Demonstrate that Stein's algorithm does indeed return gcd(A, B).

4.19 Using the extended Euclidean algorithm, find the multiplicative inverse of

a. 1234 mod 4321

b. 24140 mod 40902

c. 550 mod 1769

4.20 Develop a set of tables similar to Table 4.3 for GF(5).

4.21 Demonstrate that the set of polynomials whose coefficients form a field is a ring.

4.22 Demonstrate whether each of these statements is true or false for polynomials over a field:

a. The product of monic polynomials is monic.

b. The product of polynomials of degrees m and n has degree m + n.

c. The sum of polynomials of degrees m and n has degree max[m, n].


4.23 For polynomial arithmetic with coefficients in Z_10, perform the following calculations:

a. (7x + 2) (x^2 + 5)

b. (6x^2 + x + 3) × (5x^2 + 2)

4.24 Determine which of the following are reducible over GF(2):

a. x^3 + 1

b. x^3 + x^2 + 1

c. x^4 + 1 (be careful)

4.25 Determine the gcd of the following pairs of polynomials:

a. x^3 + x + 1 and x^2 + x + 1 over GF(2)

b. x^3 x + 1 and x^2 + 1 over GF(3)

c. x^5 + x^4 + x^3 x^2 x + 1 and x^3 + x^2 + x + 1 over GF(3)

Page 5: ieg4130-hw1


5.4. Key Terms, Review Questions, and Problems

Key Terms

Advanced Encryption Standard (AES)

National Institute of Standards and Technology (NIST)

power analysis

Rijndael

S-box

Review Questions

5.1 What was the original set of criteria used by NIST to evaluate candidate AES ciphers?

5.2 What was the final set of criteria used by NIST to evaluate candidate AES ciphers?

5.3 What is power analysis?

5.4 What is the difference between Rijndael and AES?

5.5 What is the purpose of the State array?

5.6 How is the S-box constructed?

5.7 Briefly describe SubBytes.

5.8 Briefly describe ShiftRows.

5.9 How many bytes in State are affected by ShiftRows?

5.10 Briefly describe MixColumns.

Page 6: ieg4130-hw1

7.3 What types of information might be derived from a traffic analysis attack?

7.4 What is traffic padding and what is its purpose?

7.5 List ways in which secret keys can be distributed to two communicating parties.

7.6 What is the difference between a session key and a master key?

7.7 What is a nonce?

7.8 What is a key distribution center?

7.9 What is the difference between statistical randomness and unpredictability?

Problems

7.1 Electronic mail systems differ in the manner in which multiple recipients are handled. In some systems, the originating mail-handler makes all the necessary copies, and these are sent out independently. An alternative approach is to determine the route for each destination first. Then a single message is sent out on a common portion of the route, and copies are made only when the routes diverge; this process is referred to as mail bagging.

a. Leaving aside considerations of security, discuss the relative advantages and disadvantages of the two methods.

b. Discuss the security requirements and implications of the two methods.

7.2 Section 7.2 describes the use of message length as a means of constructing a covert channel. Describe three additional schemes for using traffic patterns to construct a covert channel.

7.3 One local area network vendor provides a key distribution facility, as illustrated in Figure 7.15.

a. Describe the scheme.

b. Compare this scheme to that of Figure 7.9. What are the pros and cons?


Figure 7.15. Figure for Problem 7.3


Page 7: ieg4130-hw1

8.3 Why is gcd(n, n + 1) = 1 for two consecutive integers n and n + 1?

8.4 Using Fermat's theorem, find 3^201 mod 11.

8.5 Use Fermat's Theorem to find a number a between 0 and 72 with a congruent to 9794 modulo 73.

8.6 Use Fermat's Theorem to find a number x between 0 and 28 with x^85 congruent to 6 modulo 29. (You should not need to use any brute force searching.)

8.7 Use Euler's Theorem to find a number a between 0 and 9 such that a is congruent to 7^1000 modulo 10. (Note that this is the same as the last digit of the decimal expansion of 7^1000.)

8.8 Use Euler's Theorem to find a number x between 0 and 28 with x^85 congruent to 6 modulo 35. (You should not need to use any brute force searching.)

8.9 Notice in Table 8.2 that f(n) is even for n > 2. This is true for all n > 2. Give a concise argument why this is so.

8.10 Prove the following: If p is prime, then f(p^i) = p^i − p^(i−1). Hint: What numbers have a factor in common with p^i?

8.11 It can be shown (see any book on number theory) that if gcd(m, n) = 1 then f(mn) = f(m)f(n). Using this property and the property developed in the preceding problem and the property that f(p) = p − 1 for p prime, it is straightforward to determine the value of f(n) for any n. Determine the following:

a. f(41)

b. f(27)

c. f(231)

d. f(440)

8.12 It can also be shown that for arbitrary positive integer a, f(a) is given by:

where a is given by Equation (8.1), namely: . Demonstrate this result.

8.13 Consider the function: f(n) = number of elements in the set {a: 0 a < n and gcd(a, n) = 1}. What is this function?

8.14 Although ancient Chinese mathematicians did good work coming up with their remainder theorem, they did not always get it right. They had a test for primality. The test said that n is prime if and only if n divides (2^n − 2).

a. Give an example that satisfies the condition using an odd prime.

Page 8: ieg4130-hw1

9.1 Prior to the discovery of any specific public-key schemes, such as RSA, an existence proof was developed whose purpose was to demonstrate that public-key encryption is possible in theory. Consider the functions f1(x1) = z1; f2(x2, y2) = z2; f3(x3, y3) = z3, where all values are integers with 1 < xi, yi, zi N. Function f1 can be represented by a vector M1 of length N, in which the kth entry is the value of f1(k). Similarly, f2 and f3 can be represented by N x N matrices M2 and M3. The intent is to represent the encryption/decryption process by table look-ups for tables with very large values of N. Such tables would be impractically huge but could, in principle, be constructed. The scheme works as follows: construct M1 with a random permutation of all integers between 1 and N; that is, each integer appears exactly once in M1. Construct M2 so that each row contains a random permutation of the first N integers. Finally, fill in M3 to satisfy the following condition:


f3(f2(f1(k), p), k) = p for all k, p with 1 ≤ k, p ≤ N

In words,

1. M1 takes an input k and produces an output x.

2. M2 takes inputs x and p giving output z.

3. M3 takes inputs z and k and produces p.

The three tables, once constructed, are made public.

a. It should be clear that it is possible to construct M3 to satisfy the preceding condition. As an example, fill in M3 for the following simple case:

Convention: The ith element of M1 corresponds to k = i. The ith row of M2 corresponds to x = i; the jth column of M2 corresponds to p = j. The ith row of M3 corresponds to z = i; the jth column of M3 corresponds to k = j.

b. Describe the use of this set of tables to perform encryption and decryption between two users.

c. Argue that this is a secure scheme.
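
An added example, not part of the original problem set: a Python construction of the three tables of Problem 9.1 that fills in M3 from M1 and M2 and checks the stated condition for every k and p. The specific tables of the "simple case" are not reproduced on this page, so the example builds its own small tables with N = 5 from a fixed random seed; all function names are illustrative.

```python
import random


def build_tables(n, seed=0):
    """Return (M1, M2, M3) as 1-indexed lists; index 0 is unused padding."""
    rng = random.Random(seed)  # fixed seed so the constructed tables are reproducible
    values = list(range(1, n + 1))
    # M1: random permutation of 1..N, M1[k] = f1(k).
    m1 = [None] + rng.sample(values, n)
    # M2: each row x is a random permutation of 1..N, M2[x][p] = f2(x, p).
    m2 = [None] + [[None] + rng.sample(values, n) for _ in range(n)]
    # M3: filled so that f3(f2(f1(k), p), k) = p, with M3[z][k] = f3(z, k).
    m3 = [None] + [[None] * (n + 1) for _ in range(n)]
    for k in values:
        x = m1[k]
        for p in values:
            z = m2[x][p]
            # Row x of M2 is a permutation, so each (z, k) cell is written once.
            assert m3[z][k] is None
            m3[z][k] = p
    return m1, m2, m3


def condition_holds(n, m1, m2, m3):
    """Check f3(f2(f1(k), p), k) = p for all 1 <= k, p <= N."""
    return all(
        m3[m2[m1[k]][p]][k] == p
        for k in range(1, n + 1)
        for p in range(1, n + 1)
    )


if __name__ == "__main__":
    n = 5
    m1, m2, m3 = build_tables(n, seed=1)
    print("M1:", m1[1:])
    for z in range(1, n + 1):
        print("M3 row z=%d:" % z, m3[z][1:])
    print("condition holds:", condition_holds(n, m1, m2, m3))
```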

9.2 Perform encryption and decryption using the RSA algorithm, as in Figure 9.6, for the following:

1. p = 3; q = 11, e = 7; M = 5

2. p = 5; q = 11, e = 3; M = 9

3. p = 7; q = 11, e = 17; M = 8

4. p = 11; q = 13, e = 11; M = 7

5. p = 17; q = 31, e = 7; M = 2. Hint: Decryption is not as hard as you think; use some finesse.

Page 9: ieg4130-hw1

9.3 In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n = 35. What is the plaintext M?

9.4 In an RSA system, the public key of a given user is e = 31, n = 3599. What is the private key of this user? Hint: First use trial and error to determine p and q; then use the extended Euclidean algorithm to find the multiplicative inverse of 31 modulo f(n).

9.5 In using the RSA algorithm, if a small number of repeated encodings give back the plaintext, what is the likely cause?

9.6 Suppose we have a set of blocks encoded with the RSA algorithm and we don't have the private key. Assume n = pq, e is the public key. Suppose also someone tells us they know one of the plaintext blocks has a common factor with n. Does this help us in any way?

9.7 In the RSA public-key encryption scheme, each user has a public key, e, and a private key, d. Suppose Bob leaks his private key. Rather than generating a new modulus, he decides to generate a new public and a new private key. Is this safe?

9.8 Suppose Bob uses the RSA cryptosystem with a very large modulus n for which the factorization cannot be found in a reasonable amount of time. Suppose Alice sends a message to Bob by representing each alphabetic character as an integer between 0 and 25 (A → 0, ..., Z → 25), and then encrypting each number separately using RSA with large e and large n. Is this method secure? If not, describe the most efficient attack against this encryption method.


9.9 Using a spreadsheet (such as Excel), or a calculator, perform the operations described below. Document the results of all intermediate modular multiplications. Determine the number of modular multiplications for each major transformation (such as encryption, decryption, primality testing, etc.).

a. Test all odd numbers in the range from 233 to 241 for primality using the Miller-Rabin test with base 2.

b. Encrypt the message block M = 2 using RSA with the following parameters: e = 23 and n = 233 × 241.

c. Compute a private key (d, p, q) corresponding to the public key (e, n) given above.

d. Perform the decryption of the obtained ciphertext using two different methods:

1. without using the Chinese Remainder Theorem,

2. using the Chinese Remainder Theorem.

9.10 Assume that you generate an authenticated and encrypted message by first applying the RSA transformation determined by your private key, and then enciphering the message using the recipient's public key (note that you do NOT use a hash function before the first transformation). Will this scheme work correctly [i.e., give the possibility to reconstruct the original message at the recipient's side, for all possible relations between the sender's modulus nS and the recipient's modulus nR (nS > nR, nS < nR, nS = nR)]? Explain your answer. In case your answer is "no," how would you correct this scheme?

9.11 "I want to tell you, Holmes," Dr. Watson's voice was enthusiastic, "that your recent activities in network security have increased my interest in cryptography. And just yesterday I found a way to make one-time pad encryption practical."

"Oh, really?" Holmes' face lost its sleepy look.

"Yes, Holmes. The idea is quite simple. For a given one-way function F, I generate a long pseudorandom sequence of elements by applying F to some standard sequence of arguments. The cryptanalyst is assumed to know F and the general nature of the sequence, which may be as simple as S, S + 1, S + 2,..., but not secret S. And due to the one-way nature of F no one is able to extract S given F(S + i) for some i, thus even if he somehow obtains a certain segment of the sequence, he will not be able to determine the rest."

Page 10: ieg4130-hw1

13.3 What requirements should a digital signature scheme satisfy?

13.4 What is the difference between direct and arbitrated digital signature?

13.5 In what order should the signature function and the confidentiality function be applied to a message, and why?

13.6 What are some threats associated with a direct digital signature scheme?

13.7 Give examples of replay attacks.

13.8 List three general approaches to dealing with replay attacks.

13.9 What is a suppress-replay attack?

Problems

13.1 Modify the digital signature techniques of Table 13.1a and b to enable the receiver to verify the signature.

13.2 Modify the digital signature technique of Table 13.1c to avoid triple encryption of the entire message.

13.3 In discussing Table 13.1c, it was stated that alliances to defraud were impossible. In fact, there is one possibility. Describe it and explain why it would have so little credibility that we can safely ignore it.

13.4 In Section 13.2, we outlined the public-key scheme proposed in [WOO92a] for the distribution of secret keys. The revised version includes IDA in steps 5 and 6. What attack, specifically, is countered by this revision?

13.5 The protocol referred to in Problem 13.1 can be reduced from seven steps to five, having the following sequence:

(1) A → B:

(2) B → KDC:

(3) KDC → B:

(4) B → A:

(5) A → B:

Show the message transmitted at each step. Hint: The final message in this protocol is the same as the final message in the original protocol.