CS 161 Computer Security

Similar documents
CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

CS 161 Computer Security

Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy

Homework 1 CS161 Computer Security, Spring 2008 Assigned 2/4/08 Due 2/13/08

L13. Reviews. Rocky K. C. Chang, April 10, 2015

CS Computer Networks 1: Authentication

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Key Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings

Computer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018

CPSC 467: Cryptography and Computer Security

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

CSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography

CS408 Cryptography & Internet Security

RSA. Public Key CryptoSystem

Outline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

CS 161 Computer Security

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Outline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)

Chapter 9 Public Key Cryptography. WANG YANG

Cryptographic Systems

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CSE 127: Computer Security Cryptography. Kirill Levchenko

PROTECTING CONVERSATIONS

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

What did we talk about last time? Public key cryptography A little number theory

CS61A Lecture #39: Cryptography

Feedback Week 4 - Problem Set

CS 161 Computer Security

Cryptographic Concepts

Introduction to Cryptography Lecture 7

CS 161 Computer Security

18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh

Lecture 9a: Secure Sockets Layer (SSL) March, 2004

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

1. Diffie-Hellman Key Exchange

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Kurose & Ross, Chapters (5 th ed.)

Cryptography: More Primitives

CS 161 Computer Security

CS408 Cryptography & Internet Security

CPSC 467: Cryptography and Computer Security

Key Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature

Encrypted Data Deduplication in Cloud Storage

Introduction to Cryptography and Security Mechanisms. Abdul Hameed

CIS 4360 Secure Computer Systems Applied Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

Computer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Public Key Cryptography and the RSA Cryptosystem

Lecture 1: Course Introduction

Lecture 2 Applied Cryptography (Part 2)

Introduction to Cryptography Lecture 7

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Ref:

CSE 3461/5461: Introduction to Computer Networking and Internet Technologies. Network Security. Presentation L

ח'/סיון/תשע "א. RSA: getting ready. Public Key Cryptography. Public key cryptography. Public key encryption algorithms

Public-key Cryptography: Theory and Practice

n-bit Output Feedback

1 Achieving IND-CPA security

Senior Math Circles Cryptography and Number Theory Week 1

Other Topics in Cryptography. Truong Tuan Anh

CSC/ECE 774 Advanced Network Security

2.1 Basic Cryptography Concepts

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC.

CS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

T Cryptography and Data Security

Block cipher modes. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 75

ASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1

INSE 6110 Midterm LAST NAME FIRST NAME. Fall 2016 Duration: 80 minutes ID NUMBER. QUESTION Total GRADE. Notes:

Computer Security: Principles and Practice

Spring 2010: CS419 Computer Security

CPSC 467b: Cryptography and Computer Security

Lecture 07: Private-key Encryption. Private-key Encryption

Public-Key Cryptography

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Uzzah and the Ark of the Covenant

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

1-7 Attacks on Cryptosystems

LECTURE NOTES ON PUBLIC- KEY CRYPTOGRAPHY. (One-Way Functions and ElGamal System)

Refresher: Applied Cryptography

1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class

Public Key Algorithms

CPSC 467b: Cryptography and Computer Security

Computer Security 3/23/18

Digital Signatures. Luke Anderson. 7 th April University Of Sydney.

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Cryptography. Recall from last lecture. [Symmetric] Encryption. How Cryptography Helps. One-time pad. Idea: Computational security

1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?

ECEN 5022 Cryptography

Data Security and Privacy. Topic 14: Authentication and Key Establishment

Applied Cryptography and Computer Security CSE 664 Spring 2018

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Transcription:

Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted. You must submit this homework electronically via Gradescope (not by any other method). When submitting to Gradescope, for each question your answer should have each question s answer on its own page. This assignment must be done on your own. Problem 1 True-or-False Questions (40 points) Answer each question. You don t need to justify or explain your answer. (a) True or False: Diffie Hellman protects against eavesdroppers but is vulnerable to man-in-the-middle attacks. (b) True or False: Suppose there is a transmission error in a block B of ciphertext using CBC mode. This error propagates to every block in decryption, which means that the block B and every block after B cannot be decrypted correctly. (c) True or False: The IV for CBC mode must be kept secret. (d) True or False: The random number r in El Gamal must be kept secret. (e) True or False: The best way to be confident in the cryptography that you use is to write your own implementation. (f) True or False: Alice and Bob share a symmetric key k. Alice sends Bob a message encrypted with k stating, I owe you $100, using AES-CBC encryption. Assuming AES is secure, we can be confident that an active attacker cannot tamper with this message; its integrity is protected. (g) True or False: If the daily lottery numbers are truly random, then they can be used as the entropy for a one-time-pad since a one-time-pad needs to be random. (h) True or False: It is okay if multiple people perform El Gamal encryption with the same modulus p. (i) True or False (Optional, 0 points): It is okay if an RSA library generates multiple public keys with the same N, as long as it uses different values for e. (j) True or False (Optional, 0 points): Alice and Bob share a secret symmetric key k which they use for calculating MACs. Alice sends the message M = I (Alice) owe you (Bob) $100 to Bob along with its message authentication code MAC k (M). Bob can present (M, MAC k (M)) to a judge as proof that Alice owes him $100 since a MAC provides integrity. Page 1 of 8

Problem 2 New Block Cipher Mode (30 points) Nick decides to invent a new block cipher mode, called NBC. It is defined as follows: C i = E k (C i 1 ) P i C 0 = IV Here (P 1,..., P n ) is the plaintext message, E k is block cipher encryption with key k. (a) Given (C 0, C 1,..., C n ) and the key k, explain how to recover the original message (P 1,..., P n ). (b) As we saw in discussion, CBC mode is vulnerable to a chosen plaintext attack when the IV which will be used to encrypt the message is known in advance. Is NBC vulnerable to the same issue? (c) Say that Alice means to send the message (P 1,..., P n ) to Bob using NBC mode. By accident, Alice typos and encrypts (P 1 1,..., P n ) instead (i.e., she accidentally flips the last bit of the first block). True or False: after Bob decrypts the resulting ciphertext, every block after the first is incorrect. Explain your answer. (d) Alice encrypts the message (P 1,..., P 5 ). Unfortunately, the block C 3 of the ciphertext is lost in transmission, so that Bob recieves (C 0, C 1, C 2, C 4, C 5 ). Assuming that Bob knows that he is missing C 3, which blocks of the original plaintext can Bob recover? Homework 2 Page 2 of 8 CS 161 Sp 18

Problem 3 Alternate Feedback (40 points) Leland has taken inspiration from Nick s cipher mode and decided to create his own scheme, FFM, which in his words is a new and improved version of Nick s scheme. Leland chose to not redesign the wheel and keeps the block & key size to be 128b, but believes that by using the inputs in a different way that the scheme could be better. The following is a diagram of the FFM block cipher mode of encryption. Figure 1: FFM Encryption Mode (a) Explain/draw what the decryption mode will have to look like. (b) If you reuse the IV for two secret messages, M 1 and M 2, both using the same key, producing two ciphertexts C 1 and C 2 seen by the eavesdropper, what can the eavesdroper learn? Assume that the first bit of M 1 and M 2 are different but the rest of the bits may or may not be the same. (c) If the first bit of the ciphertext is corrupted in transmission after the encryption is complete and then decrypted, which bits of the decrypted plaintext will be corrupted? (d) True or False: The encryption can be parallelized. (e) True or False: The decryption can be parallelized. (f) Is this IND-CPA? Why or why not? Homework 2 Page 3 of 8 CS 161 Sp 18

Problem 4 Finding Common Patients (40 points) Caltopia has two hospitals: Bear Hospital and Tree Hospital, each of which has a database of patient medical records. These records contain highly sensitive patient information that should be kept confidential. For both hospitals, each medical record is a tuple (p i, m i ), where p i and m i are strings that correspond to the patient s full name and medical record respectively; assume that every person in Caltopia has a unique full name. Thus, we can think of Bear Hospital s patient database as a list of tuples (x 1, m 1 ), (x 2, m 2 ),..., (x n, m n ), where m i is the medical information that Bear Hospital has for patient x i. Similarly, we can think of Tree Hospital s database as a list (y 1, m 1), (y 2, m 2),..., (y m, m m), where m i is a string that encodes the medical information that Tree Hospital has for the patient named y i. Note that for a given patient, Tree Hospital and Bear Hospital might have different medical information. The two hospitals want to collaborate on a way to identify which Caltopia citizens are patients at both hospitals. However, due to privacy laws, the two hospitals cannot share any plaintext information about patients (including their names) unless both hospitals know a priori that a patient has used both hospitals. Thus, the two hospitals decide to build a system that will allow them to identify common patients of both hospitals. They enlist the help of Lady Olenna, who provides them with a trusted, third-party server S, which they will use to discover the names of patients who use both hospitals. Specifically, Bear Hospital will take some information from its patient database and transform it into a list (x 1), (x 2),..., (x n) (where (x i ) is somehow derived from x i (the patient s full name) and upload it to S. Similarly, Tree Hospital will take information from its patient database, transform it into a list (y 1), (y 2),..., (y m), and upload this transformed list to S. Finally, S will compute a set of tuples P = (i, j) : x i = y j of all pairs (i, j) such that x i = y j and send P to both Bear Hospital and Tree Hospital. The two hospitals can then take their respective indices from the tuples in P to identify patients who use both hospitals. We want to ensure three requirements with the above scheme: (1) if x i = y j, then (i, j) P, (2) if x i y j, then it is very unlikely that (i, j) P, (3) even if Eve (an attacker) compromises S, she cannot learn the name of any patient at either hospital or the medical information for any patient. For this question, assume that Eve is a passive attacker who cannot conduct Chosen Plaintext Attacks; however, she does know the names of everyone in Caltopia, and there are citizens whose full names are a unique length. Fill in your solutions below. Your solution can use the cryptographic hash SHA-256 and/or AES with one of the three block cipher encryption modes discussed in class; keep in mind that Eve can also compute SHA-256 hashes and use AES with any block cipher mode. You can assume that Bear Hospital and Tree Hospital share a key k that is not known to anyone else. You cannot use public-key cryptography or modular arithmetic. (a) In the collaboration scheme described above, how should Bear Hospital compute x i (as a function of x i )? How should Tree Hospital compute y i (as a function of y i )? Specifically, your solution should define a function F that Bear Hospital will use to Homework 2 Page 4 of 8 CS 161 Sp 18

transform x i into x i, and if relevant, a function G that Tree Hospital will use to transform y i into y i. (b) Explain why requirement (1) is met by your solution, i.e., explain why it is guaranteed that if x i = y j, then x i = yj will hold. Explain your answer in one or two sentences. (c) Explain why requirement (2) is met by your solution, i.e., if x i y j, explain why it is unlikely that x i = y j. Explain your answer in one or two sentences. (d) Explain why requirement (3) is met by your solution, i.e., if S is compromised by Eve, then the information known to S does not let Eve learn any patient information (neither the names of patients at a particular hospital nor the medical history for any patient). Explain your answer in one or two sentences. Homework 2 Page 5 of 8 CS 161 Sp 18

Problem 5 Hashing Functions (20 points) Recall the definition of one-way functions and collision-resistance from lecture. We say a function f is one-way if given f(x) it is hard to find x such that f(x ) = f(x). Likewise, we say a function f is collision-resistant if it is hard to find two inputs x, y such that f(x) = f(y) but x y. For each of the given functions H below, determine if it is one-way or not, and if it is collision-resistant or not. (State any assumptions that you make.) (a) H(x) = x. One-way? Collision-resistant? (b) H(x) = x mod 2. One-way? Collision-resistant? (c) H(x) = E k (x), where E k is a secure block cipher with a known and published key k. One-way? Collision-resistant? (d) H(x) = g x mod p, where p is a prime, 2 g < p 1, and 0 x < p 1. Both g and p are public. One-way? Collision-resistant? (e) H(x) = SH(x), where SH is a cryptographically-secure hash function which takes Θ(x 2 ) time to compute. Homework 2 Page 6 of 8 CS 161 Sp 18

Problem 6 El Gamal Encryption (30 points) Recall the definition of El Gamal encryption from lecture. Bob publishes a large prime p, and an integer g with 1 < g < p 1. To generate a key, Bob chooses a random value 0 b p 2, and computes B = g b mod p. Bob s public key is B, and his private key is b. If Alice wants to send a message m to Bob, she begins by generating a random r such that 0 r p 2, and creates the ciphertext (c 1, c 2 ) = (g r mod p, m B r mod p). To decrypt the ciphertext, Bob calculates c b 1 c 2 m (mod p). (a) Suppose you intercept a ciphertext (c 1, c 2 ) that Alice has encrypted for Bob, which is the encryption for some message m. Explain how to construct a ciphertext (c 1, c 2) which is the encryption of 2m. (b) Suppose you intercept two ciphertexts (c 1, c 2 ) and (c 1, c 2) that Alice has encrypted for Bob. Assume they are encryptions of some unknown messages m 1 and m 2. Show how you can construct a ciphertext which is a valid El Gamal encryption of the message m 1 m 2 mod p. (c) Consider a new scheme where the value r is not generated randomly every time. Instead, Alice begins by randomly generating an initial value r 0, and then simply incrementing r 0 by 1 every time she needs to encrypt another message. Is the resulting encryption scheme IND-CPA? Homework 2 Page 7 of 8 CS 161 Sp 18

Problem 7 Feedback (0 points) Optionally, feel free to include feedback. What s the single thing we could do to make the class better? Or, what did you find most difficult or confusing from lectures or the rest of class, and what would you like to see explained better? Homework 2 Page 8 of 8 CS 161 Sp 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback