Midterm Exam. CS381-Cryptography. October 30, 2014

Similar documents
Senior Math Circles Cryptography and Number Theory Week 1

ECE 646 Fall 2009 Final Exam December 15, Multiple-choice test

CS 161 Computer Security. Week of September 11, 2017: Cryptography I

CSC 580 Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security

CS 556 Spring 2017 Project 3 Study of Cryptographic Techniques

CPSC 467b: Cryptography and Computer Security

Block Cipher Operation. CS 6313 Fall ASU

Substitution Ciphers, continued. 3. Polyalphabetic: Use multiple maps from the plaintext alphabet to the ciphertext alphabet.

CPSC 467b: Cryptography and Computer Security

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 31 October 2017

CSCI3381-Cryptography

7. Symmetric encryption. symmetric cryptography 1

Applied Cryptography and Computer Security CSE 664 Spring 2018

CS 161 Computer Security

Cryptography. How to Protect Your Data

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

CS 161 Computer Security

CS669 Network Security

Introduction to Cryptology Dr. Sugata Gangopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Roorkee

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

CS 161 Computer Security

Assignment 3: Block Ciphers

L2. An Introduction to Classical Cryptosystems. Rocky K. C. Chang, 23 January 2015

Modular Arithmetic. Marizza Bailey. December 14, 2015

0x1A Great Papers in Computer Security

Assignment 7. Computer Science 52. Due November 30, 2018, at 5:00 pm

Content of this part

CPSC 467b: Cryptography and Computer Security

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

Computer Security 3/23/18

CHAPTER 6. SYMMETRIC CIPHERS C = E(K2, E(K1, P))

CPSC 467: Cryptography and Computer Security

Cryptography III Want to make a billion dollars? Just factor this one number!

RSA (Rivest Shamir Adleman) public key cryptosystem: Key generation: Pick two large prime Ô Õ ¾ numbers È.

Davenport University ITS Lunch and Learn February 2, 2012 Sneden Center Meeting Hall Presented by: Scott Radtke

Cryptography and Network Security

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Number Theory and RSA Public-Key Encryption

Applied Cryptography and Network Security

Understanding Cryptography A Textbook for Students and Practitioners by Christof Paar and Jan Pelzl

Cryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi

1 Achieving IND-CPA security

Stream ciphers. Lecturers: Mark D. Ryan and David Galindo. Cryptography Slide: 91

A nice outline of the RSA algorithm and implementation can be found at:

Public Key Algorithms

RSA. Public Key CryptoSystem

Solutions to exam in Cryptography December 17, 2013

Cryptography and Network Security 2. Symmetric Ciphers. Lectured by Nguyễn Đức Thái

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

Cryptography: Matrices and Encryption

(a) Symmetric model (b) Cryptography (c) Cryptanalysis (d) Steganography

ECE596C: Handout #7. Analysis of DES and the AES Standard. Electrical and Computer Engineering, University of Arizona, Loukas Lazos

CSC 474/574 Information Systems Security

Defending Computer Networks Lecture 20: More Encryp1on. Stuart Staniford Adjunct Professor of Computer Science

Great Theoretical Ideas in Computer Science. Lecture 27: Cryptography

Module 2 Congruence Arithmetic pages 39 54

Homework 2. Out: 09/23/16 Due: 09/30/16 11:59pm UNIVERSITY OF MARYLAND DEPARTMENT OF ELECTRICAL AND COMPUTER ENGINEERING

Cryptography. What is Cryptography?

Feedback Week 4 - Problem Set

Network Security Essentials

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

Encryption à la Mod Name

Homework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.

Classical Encryption Techniques. CSS 322 Security and Cryptography

Chapter 3 Public Key Cryptography

ISA 562: Information Security, Theory and Practice. Lecture 1

2 What does it mean that a crypto system is secure?

CIS 4360 Introduction to Computer Security Fall WITH ANSWERS in bold. First Midterm

CS 161 Computer Security

Introduction to Modern Cryptography. Lecture 2. Symmetric Encryption: Stream & Block Ciphers

INDIAN INSTITUTE OF TECHNOLOGY KHARAGPUR Stamp / Signature of the Invigilator

Information Security CS526

CS61A Lecture #39: Cryptography

CIS 6930/4930 Computer and Network Security. Topic 3.1 Secret Key Cryptography (Cont d)

Elementary number theory

Math 25 and Maple 3 + 4;

INTERNATIONAL JOURNAL OF ELECTRONICS AND COMMUNICATION ENGINEERING & TECHNOLOGY (IJECET)

Some Stuff About Crypto

Study Guide to Mideterm Exam

More on Cryptography CS 136 Computer Security Peter Reiher January 19, 2017

Information Security CS526

CRYPTOGRAPHY Thursday, April 24,

CS 135: Fall Project 2 Simple Cryptography

Introduction to Cryptography CS 136 Computer Security Peter Reiher October 9, 2014

n-bit Output Feedback

Cryptography and Network Security. Sixth Edition by William Stallings

Conventional Encryption Principles Conventional Encryption Algorithms Cipher Block Modes of Operation Location of Encryption Devices Key Distribution

Block Cipher Modes of Operation

Workshop Challenges Startup code in PyCharm Projects

Introduction to Cryptography Lecture 7

Block Ciphers and Data Encryption Standard. CSS Security and Cryptography

Tuesday, January 17, 17. Crypto - mini lecture 1

MITOCW watch?v=kvtlwgctwn4

P2_L6 Symmetric Encryption Page 1

CPSC 467: Cryptography and Computer Security

Public Key Cryptography

A different kind of Crypto

CPSC 467: Cryptography and Computer Security

Transcription:

Midterm Exam CS381-Cryptography October 30, 2014 Useful Items denotes exclusive-or, applied either to individual bits or to sequences of bits. The same operation in Python is denoted ˆ. 2 10 10 3 = 1000, and likewise for any (smallish) positive integer k, 2 10 k 10 3 k, so, for instance, 2 30 is about 10 9, or one billion. (In fact, a gigabyte is not one billion bytes, but 2 30 bytes.) Security Benchmarks Through use of a custom hardware unit that costs about $10,000 to build, a 56-bit DES key can be recovered by exhaustive search in about a week. The record for factoring a product of two primes is a number of 768 decimal digits. The calculation, distributed over hundreds of processors, took two years. There are about 3 10 7 (30 million) seconds in a year. Language statistics There are about 100 printable ASCII characters. In ordinary ASCII text in English (including punctuation and capitalization) the most common character by far is a space, accounting for about 18% of all characters, distantly followed by lower-case e, which accounts for about 9% of all characters. Note that this is different from the letter-frequency statistics we used earlier, in which we considered only the 26 letters and ignored punctuation and capitalization. 1

1 Insecure Encryption in a very old version of Microsoft Word The earliest version of encryption in Microsoft Word (present in Windows 95) was to have the user select a password of printable characters, and then simply XOR repeated copies of the password with the plaintext. For instance, if the password was here_15a*p@5swd which has 16 characters, the the first byte of ciphertext will be the first character of plaintext XORed with h, the second byte of ciphertext will be the second character of plaintext XOR d with E, etc. Once the seventeenth charcacter of plaintext is reached, we return to the first character of the password and XOR with h, etc. In general, if the three strings are viewed as lists of bytes, we have, in Python: ciphertext[i]=plaintext[i]ˆpassword[i % 16] Assume all passwords have exactly 16 characters. (a) How many different passwords are there? Is it feasible to carry out an exhaustivesearch attack that recovers the plaintext from ciphertext by trying out all possible keys? There are three possible answers here: (i) it can be done on my laptop by a program that runs in under an hour; (ii) it can be done with specialized hardware and/or a widely distributed network of collaborating computers in under a year; (iii) it cannot be done with available computing power in under a century. Pick the best answer and justify with a rough calculation. Solution. With an estimate of 100 printable characters there are 100 16 = 10 32 2 32 3.3 > 2 100 keys as a very rough approximation. The best answer is (iii): Using the DES cracker as a benchmark, we would need 2 44 times the computing power. 2 44 is about 16 trillion (one million million), so under the very implausible scenario that one million copies of the machine are available, you would need 16 million weeks or about three hundred twenty thousand years. (It is true that a single encryption for this cipher is just an XOR, and thus much faster than a DES encryption, but this is still not going to make the attack plausible.) Common errors: Mild : using 256 16 because you didn t restrict the password bytes to printable characters. Fantasy math version 1: writing something like 16 100, or getting 100 16 correctly and then simplifying it using magical laws of exponents of your own invention. Fantasy math version 2: getting something like the right magnitude for the number of keys, and then saying it wouldn t take all that long to count that high. (b) Assume that the original plaintext is at least several thousand characters long, in ASCII characters, consisting of ordinary English sentences with spacing, punctuation, 2

and the like. You possess the encrypted version of the file. Describe an efficient procedure for recovering the first character of the password. (The same procedure, applied fifteen additional times, should recover the entire password, which can then be used to decrypt the file.) Solution. Collect the first, 17th, 33rd, 49th, etc. bytes of plaintext. These are the bytes that were encrypted using the first key character. Find the most commonly occurring byte. XOR with the ASCII code for the space character. The result is the ASCII code for the first key character. This will hold unless you have some very weird text that does not use the space character in the conventional way, but that would not accord with the description in the problem. You may have noticed the resemblance to the Vigenére cipher, but here the cryptanalysis is even easier: you don t have to worry about determining the length of the key because I gave it to you, and the statistics are so extremely skewed by the presence of the space character that you don t have to do anything fancy with the statistics. Most students recognized that this resembled the Vigenre cipher, but then tried to do much more work than was really required, for instance XORing the selected ciphertext bytes with every one of the 100 characters, and/or doing a fancy frequency analysis. (This was usually graded correct.) Some students did a brain dump about Vigenére cryptanalysis, but did not connect it with the problem at hand. (c) Now suppose that documents are not ordinary English, but rather random, uniformly distributed sequences of characters. You have a brief plaintext document a.doc, its encryption a enc.doc, and the encryption b enc.doc of a long second document. Describe an efficient procedure for recovering the plaintext b.doc. (Assume the user, like most users, employed the same password for each document he encrypted.) Solution. XOR the first sixteen bytes of a enc.doc with the first sixteen bytes of a.doc. This is the key, which you can now use to decrypt the entire second document. Many students recognized that this is the case of the one-time pad being used two times, and thus suggested computing the entire XOR of a enc.doc and a.doc. This was graded as correct, but it s just about twice as much work as necessary, since given the structure of this cipher we only need to use 16 bytes of known plaintext. 3

2 Block Cipher in Cipher Feedback Mode The accompanying diagram shows a block cipher mode of operation called cipher feedback mode (CFB). Like most of the other modes we have seen, there is an initial IV block that is generated at random and sent in the clear. Like CTR mode, this mode uses a block cipher as a stream cipher, XORing the plaintext with the keystream. Unlike CTR mode, the keystream cannot be generated completely from the IV and the key, since each keystream block depends on the preceding plaintext blocks. Here are equations and a diagram describing the encryption algorithm. The inputs are the plaintext blocks P 1, P 2,..., along with the IV block and the key K. E is the block encryption function. The outputs are C 0, C 1, C 2,..., where C 0 = IV. if i > 0. C 0 = IV, C i = P i E(K, C i 1 ), (a) Write equations for the decryption function, giving the plaintext blocks P 1, P 2,... in terms of C 0, C 1,.... Solution. P i = C i E(K, C i 1 ), for i > 0. Notice that you don t need the block decryption function. (This is what happens as well with other modes, like CTR, in which the block cipher is used as a stream cipher.) A few students were desperate to work the decryption function into this problem, and it is indeed possible to write an equation involving D, for instance C i 1 = D(K, P i C i ). But this is not what was asked for, and is unhelpful when the task at hand is to determine the plaintext blocks from the given ciphertext. (b) Suppose this encryption mode is used with a block cipher with a four-bit block size. The shared secret key is K, and the block encryption function E K is given in Table 1. You receive a message 0000 1111 0000. Determine the plaintext message. (Remember that the first block of the received message is the IV, so that there will be two plaintext blocks, not 3.) Solution. We have P 1 = C 1 E(K, C 0 ) = 1111 E(K, 0000) = 1111 0011 = 1100. P 2 = C 2 E(K, C 1 ) = 0000 E(K, 1111) = 0000 1110 = 1110. 4

(c) This problem concerns what happens when you re-use the initialization vector in CFB mode. You receive two new messages that were encrypted with a different key K (so that Table 1 is no longer relevant). The messages are 0000 1111 0000 0000 0000 1111. Let P 1 P 2 and P 1P 2 denote the corresponding plaintext messages. Describe all the information you can obtain about the blocks P i and P i from this description. As above, This gives P 1 = 1111 E(K, 0000) P 2 = 0000 E(K, 1111) = E(K, 1111). P 1 = 0000 E(K, 0000) = E(K, 0000) P 2 = 1111 E(K, 0000). P 2 = P 1. P 2 = P 1 1111, in other words, P 1 differs from P 1 = P 2 in every bit. What about P 2? It looks like we get no information, because we do not know what E(K, 1111) is, but we do know that it is different from E(K, 0000) = P 1. So we also have P 2 P 1. And this is as far as we can go, since any choice of P i, P i consistent with the three displayed equations above is possible. One way to look at this problem is that in the absence of any information, there are 16 4 = 65536 possibilities for the four blocks, but we are able to whittle this down to 16 15 = 240 possibilities because of the regularities in the ciphertext messages. 5

3 Number Theory and RSA (a) Compute 101 48,000,000,000,023 mod 35 by hand. (HINT: Use Fermat s Theorem and the Chinese Remainder Theorem. When you apply the CRT, you need not use the explicit formula for the solution of the two congruences; the numbers are so small that you can solve the system by inspection.) Solution. so 101 1 (mod 5), 101 48,000,000,000,023 1 48,000,000,000,023 = 1 (mod 5). 101 3 (mod 7), so by Fermat s Theorem, 101 48,000,000,000,023 (3 6 ) 8,000,000,000,003 3 5 1 8,000,000,000,003 3 5 = 3 5 = 3 (3 2 ) 2 3 2 2 = 12 So we are looking for the unique solution to 5 (mod 7). x 1 (mod 5) x 5 (mod 7). We can do this by inspection, checking 6,11,16, etc., until we get a result congruent to 5 modulo 7. The correct answer is 26. (Alternatively, you could apply the formula giving the explicit solution to this pair of congruences, but that is actually more work.) Typically, students failed to take advantage of all the tools that make it possible to solve this problem without ever having to write down a large number. (And even with that, some still managed to solve it correctly!) (b) A public RSA key has encryption exponent e = 3 and modulus N = 55. Show all the steps in the calculation of the decryption exponent d. Solution. The decryption key is 3 1 mod (10 4) = 3 1 mod 40, since since 55 = 5 11. You really could do this by simple trial and error, observing 27 3 = 81 1 (mod 40). If you apply the extended Euclid algorithm, there is only one division: 40 = 13 3 + 1, 6

so In either case we get the result 27. 3 1 mod 13 27. A common error was computing 3 1 mod 55 instead of 3 1 mod 40. Another was giving the answer as 13. (c) Using your result from (b), determine how many multiplications and reductions mod 55 are required to decrypt a ciphertext C. (You do not have to decrypt anything, just understand the algorithm.) Solution. To decrypt a ciphertext C you need to compute C 27 = C 16 C 8 C 2 C mod 55. We need four multiplications (squarings) and reductions to compute C k mod 40 for k = 2, 4, 8, 16, and three more multiplications and reductions to multiply these four values together. So there are 7 multiplications and 7 reductions in all. Some students just missed the business about repeated squaring entirely. Others knew that repeated squaring was involved but gave a generic answer rather than one specific to the parameters of this problem. A common, and much less serious error, was to neglect to count the three additional multiplications at the end. And someone came up with the following ingenious solution: Compute C 27 mod 11, which is the same as C 6 mod 11, and C 27 mod 5, which is the same as C 3 mod 5, and then apply the Chinese Remainder Theorem. (d) A friend who is curious about cryptography asks you why symmetric AES keys are only 128 bits long, while the decryption exponent and modulus for RSA keys are about 2048 bits long. Give a succinct answer. Solution. Key length for AES is chosen to be resistant to brute-force attack, but the RSA modulus has to be large enough to resist factoring, which requires a much larger number. (128-bit integers can be factored efficiently, although not with the naïve algorithm of repeated trial division.) Serves me right for asking an essay question. I got a lot of brain dumps with correct but irrelevant information (the fact that RSA is used in practice to encrypt keys, that there are various attacks against small RSA exponents or messages) as well as the occasional downright falsehood. 7

Figure 1: Cipher Feedback Mode Encryption M E(K,M) 0000 0011 0001 0001 0010 0111 0011 1100 0100 1001 0101 1111 0110 0000 0111 1010 1000 1101 1001 0010 1010 0101 1011 0110 1100 0100 1101 1000 1110 1011 1111 1110 Table 1: Block encryption function for the block cipher in Problem 2, with respect to some fixed key K. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback