INSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:

Transcription

1 A INSE 6110 Midterm Fall 2016 Duration: 80 minutes LAST NAME FIRST NAME ID NUMBER QUESTION Total GRADE Notes: 1) Calculator (non-programming) allowed, nothing else permitted 2) Each page contains two questions and you will only answer one of the two. Which one you answer depends on your student number. 3) Answer each question below the question itself and on the back of the following page. INSE 6150 Test Page 1 of 5 Variant A

2 Question 1 4 marks [ ] The last digit of my student number is odd. Answer this question: Alice wants to use a hash function with a short output but she is also concerned about collision-resistance. She uses the full SHA256 algorithm (which has a 256 bit output) but keeps only the first 128 bits of the output. Discuss how this change impacts (a) collision resistance and (b) length extension attacks. [ ] The last digit of my student number is even. Answer this question: Bob has a list of 1 million credit cards, which are each sixteen digits long. He protects the list by salting and hashing each credit card number in the list once with MD5 (which has a 128 bit output). Assume this protected list is stolen by Eve. Discuss how much work does Eve have to do to (a) crack Alice s credit card (assuming she knows Alice s is the tenth in the list) and (b) how much work she has to do to crack any credit card on the list (without a preference as to which). INSE 6150 Test Page 2 of 5 Variant A

3 Question 2 5 marks [ ] The last digit of my student number is {0,1,2,3,4}. Answer this question: Assume a company issues 6 digit employee IDs. The first two digits are always 10 and the third digit is 1-4 depending on which division of the company the employee is from (each division has roughly the same number of employees). The last three digits are unique but otherwise random. What is the min-entropy of 15 ID numbers? If the list were a secret used to extract a PRG seed, would it be enough? (Note: If you do not have a calculator, Log2(10) is approximately 10/3.) [ ] The last digit of my student number is {5,6,7,8,9}. Answer this question: Alice s computer is generating entropy for /dev/urandom. It harvests some unpredictable fine-grained timestamps for certain events. The timestamps are 16 bits, where the last 7 bits are effectively random, the next 4 bits take on only 8 possible values (with equal probability), and the first 5 bits are fixed. What is the min-entropy of 15 timestamps? Is it enough to extract a secure PRG seed? INSE 6150 Test Page 3 of 5 Variant A

4 Question 3 4 marks [ ] The second-last digit of my student number is odd. Answer this question: Carol asks Alice and Bob a question with an answer of Yes or No. Both submit their answer encrypted to Carol, using the same key. If their answer is Yes, they encode their vote as 128 zeros (no padding), and if it is No they encrypt 128 ones (no padding). If Alice and Bob use Chacha20 and accidentally use the same keystream (e.g., the same IV), (a) can Eve (who does not know the key) determine how each person answered? If so, how? If not, can she determine anything about their answer? (b) How can Eve change Bob s answer? [ ] The second-last digit of my student number is even. Answer this question: Carol asks Alice and Bob a question with an answer of Yes or No. Both submit their answer encrypted to Carol, using the same key. If their answer is Yes, they encode their vote as 128 zeros (no padding), and if it is No they encrypt 128 ones (no padding). If Alice and Bob use AES in CBC-mode and accidentally use the same IV, (a) can Eve (who does not know the key) determine how each person answered? If so, how? If not, can she determine anything about their answer? (b) How can Eve change Bob s answer? INSE 6150 Test Page 4 of 5 Variant A

5 Question 4 7 marks [ ] The second-last digit of my student number is {0,1,2,3,4}. Answer this question: Alice is tasked with implementing AES-128-CBC. She starts by generating a random IV each time she encrypts but finds that sometimes she cannot get a randomness quickly from her computer (/dev/random blocks). So she implements the following: she uses a random IV the first time someone calls AES-128-CBC. The next time, she sets IV=000 0 if the last ciphertext block she sent was an even number and sets IV=111 1 if it was an odd number. Show this construction is not CPA-secure by (a) showing a winning strategy for the CPA game and (b) showing that your winning strategy is nonnegligible. Note: You may assume I already know the steps in the CPA game and there are no marks for repeating them here. Just describe how to win the game. [ ] The second-last digit of my student number is {5,6,7,8,9}. Answer this question: Alice is tasked with implementing AES-128-CBC. She starts by generating a random IV each time she encrypts but finds that sometimes she cannot get a randomness quickly from her computer (/dev/random blocks). So instead of asking for a full 128-bit (or 16- byte) IV, she just asks for one random byte (a value between 0 and 15). If she receives byte X, she sets IV=XXX X (note that she asks for a new X each time she encrypts). Show this construction is not CPA-secure by (a) showing a winning strategy for the CPA game and (b) showing that your winning strategy is non-negligible. Note: You may assume I already know the steps in the CPA game and there are no marks for repeating them here. Just describe how to win the game. INSE 6150 Test Page 5 of 5 Variant A