ICS168_HW2

Lin He
52924739
ICS168 HW2
03/01/06
Problem 1
Suppose that we define a new block cipher DES-x which operates like this:
C = DES-x(K1,K2,P) = K1 xor DES(K2,P)
where P is a 64-bit plaintext block, K1 is a 64-bit secret key and K2 is a normal 56-bit DES
key. The output is a 64-bit block C.
a) Assume that you have one known plaintext/ciphertext pair [P1,C1] produced by DES-x.
How many trials would you need to mount a brute force attack (in order to discover K1 and
K2)?
b) Now assume that you have two known plaintext/ciphertext pairs [P1,C1] and [P2,C2].
How many trials would you need in this case?
a). If we use a large hash table that hashes all possible K1 values, then we do:
for K2 = 0 to K2 = 2^56
    K1 = C1 XOR DES(K2, P1)
    see if K1 is in the hash table; if yes, we have found K1 and K2
end for
We need 2^56 trials provided that a hash table is used. However, if we don’t use a hash table,
we need 2^120 trials.
b). Now we have two pairs, so we obtain the two equations below:
C1 = K1 XOR DES(K2, P1)
C2 = K1 XOR DES(K2, P2)
which give
K1 = C1 XOR DES(K2, P1)
K1 = C2 XOR DES(K2, P2)
for K2 = 0 to K2 = 2^56
    if C1 XOR DES(K2, P1) = C2 XOR DES(K2, P2) then
        exit loop // K2 is found. To get K1, just plug K2 into either equation.
    end if
end for
We need 2^56 trials.
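The search from a) and b), run on a toy cipher as an added example (not part of the homework): a 16-bit Feistel network is assumed in place of DES so the whole inner key space can be searched in seconds, and the keys, plaintexts and the recover_keys helper are constructed for the demonstration.

```python
# Added example (not from the homework): the DES-x key-recovery argument of
# Problem 1 run on a toy cipher. The 16-bit Feistel below stands in for DES so
# the whole inner key space (2^16 instead of 2^56) can be searched in seconds.
INNER_KEY_BITS = 16   # plays the role of DES's 56-bit K2
BLOCK_BITS = 16       # plays the role of the 64-bit block and 64-bit K1
MASK = (1 << BLOCK_BITS) - 1


def toy_block(k2: int, p: int) -> int:
    """Stand-in for DES(K2, P): a 6-round Feistel permutation on 16-bit blocks."""
    left, right = p >> 8, p & 0xFF
    for rnd in range(6):
        subkey = ((k2 >> (8 * (rnd % 2))) ^ (0x5B * rnd)) & 0xFF
        f = ((right ^ subkey) * 0x9D + 0x31) & 0xFF
        f = ((f << 3) | (f >> 5)) & 0xFF
        left, right = right, left ^ f
    return (left << 8) | right


def desx_toy(k1: int, k2: int, p: int) -> int:
    """C = K1 xor E(K2, P): the DES-x construction from the problem statement."""
    return (k1 ^ toy_block(k2, p)) & MASK


def recover_keys(pairs):
    """Search every K2. The first pair forces K1 = C1 xor E(K2, P1) for each K2,
    so with one pair every K2 survives; each extra pair filters wrong K2 values.
    The cost is one trial per K2 (2^56 for real DES-x)."""
    (p1, c1), rest = pairs[0], pairs[1:]
    survivors = []
    for k2 in range(1 << INNER_KEY_BITS):
        k1 = c1 ^ toy_block(k2, p1)
        if all(desx_toy(k1, k2, p) == c for p, c in rest):
            survivors.append((k1, k2))
    return survivors


def demo():
    k1, k2 = 0xBEEF, 0x1234                # constructed secret keys
    plaintexts = [0x0001, 0x4D2A, 0x7F7F]  # constructed known plaintexts
    pairs = [(p, desx_toy(k1, k2, p)) for p in plaintexts]
    one_pair = recover_keys(pairs[:1])     # 65536 candidates: nothing learned
    two_pairs = recover_keys(pairs[:2])    # true key plus, typically, a few false hits
    return len(one_pair), two_pairs


if __name__ == "__main__":
    n_one, two = demo()
    print(f"one pair: {n_one} candidate (K1, K2) pairs; two pairs: {two}")
```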
Problem 3
Recall the problem on the midterm where Eve has an RSA ciphertext C and someone tells
her that P (the plaintext corresponding to C) has one common factor with the encryption
modulus n. Now, suppose that we are using a variant of RSA where, instead of n being a
product of two large primes, n is a product of 3 (three) large primes: p, q and s. In other
words, n=pqs. This version of RSA happens to be as secure as normal RSA and
phi(n)=(p-1)(q-1)(s-1)
Assume that, as in the midterm problem, Eve has a ciphertext C for some unknown
plaintext P. And, as before, P has a common factor with n. Eve also knows the encryption
exponent e.
Can Eve compute P? Can she factor n? Can she discover d?
The most we can do is to find q, assuming that the common factor between P and n is q.
For example, do the following:
P^e mod q = x = 0
We know that C = P^e mod pqs can differ from x by multiples of q:
C = x + kq = 0 + kq = kq for some integer k
Using the Euclidean algorithm:
GCD(C, n) = q
n/q = ps
However, we are left with ps and with no further clue to factor ps, so Eve cannot
compute P, nor can she factor n and discover d.
Problem 4
Briefly answer the following questions: (Try not to use more than 4 sentences for each)
a) What are the differences between a MAC and a digital signature? What are the
respective advantages/disadvantages of each?
b) An RSA signature operation x^d mod n can be sped up by first computing x^d in Z_p and
in Z_q and then getting the answer in Z_n by the Chinese Remainder Theorem. In this
way, the size of both the bases and the exponents in the computations will be
reduced. Can this optimization also be used to speed up the RSA encryption
operation? Why/why not?
a).
Unlike a checksum, which can be generated by anyone, a digital signature can only be
generated by someone knowing the private key. A public key signature differs from a secret
key MAC because verification of a MAC requires knowledge of the same secret as was used to
create it. Therefore anyone who can verify a MAC can also generate one, and so be able to
substitute a different message and corresponding MAC. In contrast, verification of the
signature only requires knowledge of the public key. So Alice can sign a message by
generating a signature only she can generate, and other people can verify that it is Alice’s
signature, but cannot forge her signature.
b).
As we can see above, in order to speed up decryption one has to know p and q; however,
when we encrypt using RSA we know only n and e, and p and q must be kept secret. As a result,
we cannot use this optimization to speed up the RSA encryption operation.
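An added example (not from the homework) of the CRT shortcut described in b), on constructed toy primes: sign_crt is checked against the plain x^d mod n, and encrypt shows that the public-key side has only (n, e) and therefore nothing to split the work over.

```python
# Added example (not from the homework): RSA signing with the Chinese Remainder
# Theorem shortcut of Problem 4(b), beside the plain operation it replaces.
# The primes are constructed toy values (two Mersenne primes); real keys use
# primes of roughly 1024 bits or more.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent d

# CRT values: derivable only from p and q, so they belong to the PRIVATE key.
D_P = D % (P - 1)                        # x^d mod p = x^(d mod (p-1)) mod p (Fermat)
D_Q = D % (Q - 1)
Q_INV = pow(Q, -1, P)                    # Garner's coefficient q^-1 mod p


def sign_plain(x: int) -> int:
    """x^d mod n: one exponentiation with a full-size base and exponent."""
    return pow(x, D, N)


def sign_crt(x: int) -> int:
    """Same result, computed in Z_p and Z_q with half-size operands."""
    s_p = pow(x % P, D_P, P)
    s_q = pow(x % Q, D_Q, Q)
    h = (Q_INV * (s_p - s_q)) % P        # Garner's recombination step
    return s_q + h * Q                   # unique s in Z_n with s = s_p (mod p), s = s_q (mod q)


def verify(x: int, s: int) -> bool:
    return pow(s, E, N) == x % N


def encrypt(m: int) -> int:
    """Encryption uses only the public (n, e): without p and q there are no
    Z_p / Z_q pieces to split the work over, so the CRT trick does not apply."""
    return pow(m, E, N)


def decrypt_crt(c: int) -> int:
    """Decryption is the same private-key operation as signing, so it CAN use the CRT."""
    return sign_crt(c)
```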
Problem 5
Suppose Alice wants to encrypt a message and send it to Bob. She encrypts one word at a
time (i.e., one word corresponds to one plaintext block). Consider the following 3 cases:
a) Alice and Bob share a DES key K and Alice encrypts using DES
b) Alice has Bob’s public key and encrypts using RSA
c) Alice has Bob’s public key and encrypts using ElGamal
Eve is a passive attacker – she only listens (but does not interfere). How secure are these 3
cases? In other words, can Eve discover the message Alice is sending?
a). Yes, Eve can discover the message Alice is sending. Since Alice is doing word-by-word
encryption, Eve can mount a crypto frequency analysis attack, since each distinct word
would give a unique corresponding ciphertext. For example, words like “the” and “of” appear
very frequently. If Eve can determine that a ciphertext corresponds to a word such as
“the”, then Eve has a plaintext/ciphertext pair that she can use to figure
out the DES encryption key.
b). Yes, Eve can discover the message Alice is sending. Same explanation as a): since each
distinct word would give a unique corresponding ciphertext, a crypto frequency analysis
attack can be used by Eve.
c). No. Since ElGamal uses a fresh randomizer for each encryption, every encryption of a
word, even of the same word, gives a different ciphertext. A crypto frequency analysis attack
cannot be used by Eve.
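An added example (not from the homework) illustrating cases b) and c): textbook RSA with constructed toy keys for the deterministic case and a toy ElGamal over Z_p for the randomized one; DES in case a) is deterministic as well, so it behaves like the RSA column. The helper counts how often the most frequent ciphertext block repeats, which is exactly what a passive Eve sees.

```python
# Added example (not from the homework): word-by-word encryption as in Problem 5,
# with deterministic textbook RSA for case (b) and randomized ElGamal for case (c).
# DES in case (a) is deterministic too, so it leaks the same way as the RSA column.
# All parameters are constructed toy values (Mersenne primes); real keys are far larger.
import random
from collections import Counter

RSA_P, RSA_Q = (1 << 31) - 1, (1 << 61) - 1
RSA_N, RSA_E = RSA_P * RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (RSA_P - 1) * (RSA_Q - 1))

EG_P, EG_G = (1 << 127) - 1, 3          # ElGamal group Z_p^* and base g (toy choice)
EG_X = 0x1A2B3C4D5E6F                   # Bob's ElGamal private key (constructed)
EG_Y = pow(EG_G, EG_X, EG_P)            # Bob's ElGamal public key


def encode(word: str) -> int:
    return int.from_bytes(word.encode(), "big")      # one word = one plaintext block


def decode(m: int) -> str:
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode()


def rsa_encrypt(word: str) -> int:
    return pow(encode(word), RSA_E, RSA_N)          # no randomness: same word, same block


def rsa_decrypt(c: int) -> str:
    return decode(pow(c, RSA_D, RSA_N))


def elgamal_encrypt(word: str, rng=random.SystemRandom()):
    r = rng.randrange(1, EG_P - 1)                   # fresh randomizer for every block
    return pow(EG_G, r, EG_P), encode(word) * pow(EG_Y, r, EG_P) % EG_P


def elgamal_decrypt(ct) -> str:
    c1, c2 = ct
    return decode(c2 * pow(pow(c1, EG_X, EG_P), -1, EG_P) % EG_P)


def top_repeat(encrypt, words) -> int:
    """Eve's passive view: how many times does the most frequent ciphertext block
    occur? Under deterministic encryption this equals the top word count (here 4,
    for 'the'), which is what frequency analysis relies on; under ElGamal every
    block is distinct, so the count is 1."""
    return Counter(map(encrypt, words)).most_common(1)[0][1]


SENTENCE = "the cat sat on the mat by the door of the house".split()  # constructed

if __name__ == "__main__":
    print("RSA:", top_repeat(rsa_encrypt, SENTENCE), "ElGamal:", top_repeat(elgamal_encrypt, SENTENCE))
```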
Problem 7
Prove that if p is prime, then Φ(p^i) = p^i – p^(i-1).
Since only multiples of p are not relatively prime to p^i, and every p-th number is a multiple of
p, there are p^(i-1) of them less than p^i. So
p^i = p * p * p * p * … * p * p * p   (i factors)
Any number times p is going to be a multiple of p and have the common factor p with p^i, so it is NOT
relatively prime to p^i; there are
p * p * p * p * … * p * p   (i-1 factors)
of them.
For example, if i = 2, then we have
p^2 = p * p, and the multiples of p are p*1, p*2, …, p*p; each of them is a multiple of p, and there is a total
of p such numbers. Therefore, Φ(p^2) = p^2 – p^(2-1).
Thus, end of proof.
Problem 8
Yes, it guards against both eavesdropping and server database disclosure. First of all, Eve
cannot obtain Alice’s password since Alice transmits only her hashed password to Bob. It
would be very difficult to discover the appropriate keys without knowing the hash function. So
it guards against eavesdropping. Second, from reading information on the server (or Bob in
this case), Eve wouldn’t be able to learn Alice’s password since Bob only keeps the
hashed value of Alice’s password. So it also guards against server database disclosure. Moreover,
Eve cannot reuse hash(Y,R) to impersonate Alice since R is a random challenge.
Problem 9
a) Not secure. First of all, if Bob is a stateless server, I see no point in Bob sending R to
Alice, since Alice can send any number R’ with KAlice-Bob{R’} back to Bob. Bob won’t know
whether R equals R’ or not. Eve can obtain KAlice-Bob{R’} from Alice and Bob’s previous
conversations. So when Bob receives the message R’, KAlice-Bob{R’}, he decrypts
KAlice-Bob{R’} using KAlice-Bob, compares the result with R’, and authenticates “Alice”, who
is actually Eve.
b) Not secure. Same reason as a): since Bob is a stateless server, Eve can obtain the third
message in this protocol, “KBob{R}, KAlice-Bob{R’}”, from Alice and Bob’s previous
conversations and reuse it to impersonate Alice. Bob won’t remember what R was, so
the R in “KBob{R}, KAlice-Bob{R’}” can be anything.
Problem 10
Design a protocol that (using public key) accomplishes both mutual authentication and
establishment of a symmetric session key in two rounds (in total, two messages are sent over
the Alice-Bob link). Assume that Alice and Bob know each other’s public key in advance.
Let:
T = time stamp
R = random challenge
Kbob-private = Bob’s private key
Kbob-public = Bob’s public key
Kalice-private = Alice’s private key
Kalice-public = Alice’s public key
[..]K means encrypted under key K.
KsessionA = some key
KsessionB = some key
Alice                                                    Bob
    Alice, [T, [R, KsessionA]Kbob-public]Kalice-private
    ---------------------------------------------------->
    [Bob, [R, KsessionB]Kalice-public]Kbob-private
    <----------------------------------------------------
To establish the session key, Alice and Bob xor KsessionA with KsessionB.
Reasoning:
In the first message that Alice sends to Bob, Alice includes a timestamp T in the
content that is encrypted using Alice’s private key; this ensures that the message cannot be
reused (ignoring time-skew issues). It also authenticates Alice to Bob. Moreover, Alice sends
a random challenge R encrypted using Bob’s public key, so only the real Bob can decrypt it and
send the correct R back to Alice. Thus it also authenticates Bob to Alice. Finally, components of
the session key are exchanged during this protocol and a session key is established by xoring
KsessionA and KsessionB.
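A toy run of the protocol above as an added example (not part of the homework): textbook RSA on constructed Mersenne-prime keys stands in for [..]Kpublic and hash-and-sign RSA for [..]Kprivate, and both sides perform the checks the reasoning describes. MAX_SKEW, the 32-bit R and the 64-bit KsessionA/KsessionB sizes are assumptions.

```python
# Added example (not from the homework): a toy run of the two-message protocol
# above with both sides' checks. Textbook RSA over constructed Mersenne-prime keys
# stands in for [..]Kpublic, and hash-and-sign RSA for [..]Kprivate.
import hashlib, os, time
MAX_SKEW = 60                                    # clock skew Bob tolerates on T (assumed)

def keygen(p, q, e=65537):
    return {"n": p * q, "e": e, "d": pow(e, -1, (p - 1) * (q - 1))}

ALICE = keygen((1 << 61) - 1, (1 << 89) - 1)     # toy key pairs; real keys are far larger
BOB = keygen((1 << 107) - 1, (1 << 127) - 1)

def pk_encrypt(key, r, ks):                      # [R, Ksession]K_public: R 32-bit, Ksession 64-bit
    return pow((r << 64) | ks, key["e"], key["n"])

def pk_decrypt(key, c):
    m = pow(c, key["d"], key["n"])
    return m >> 64, m & ((1 << 64) - 1)

def sign(key, *fields):                          # [..]K_private as hash-and-sign
    h = int.from_bytes(hashlib.sha256(repr(fields).encode()).digest()[:16], "big")
    return pow(h, key["d"], key["n"])

def verify(key, sig, *fields):
    h = int.from_bytes(hashlib.sha256(repr(fields).encode()).digest()[:16], "big")
    return pow(sig, key["e"], key["n"]) == h

def run_protocol(now=None, bob_clock_offset=0):
    """Return (Alice's session key, Bob's session key), or None if a check fails."""
    now = time.time() if now is None else now
    # Message 1, Alice -> Bob: Alice, [T, [R, KsessionA]Kbob-public]Kalice-private
    r, ks_a = int.from_bytes(os.urandom(4), "big"), int.from_bytes(os.urandom(8), "big")
    t, inner = int(now), pk_encrypt(BOB, r, ks_a)
    msg1 = ("Alice", t, inner, sign(ALICE, "Alice", t, inner))
    # Bob: the signature authenticates Alice; T under it blocks replay (within skew)
    name, t1, inner1, sig1 = msg1
    if not verify(ALICE, sig1, name, t1, inner1) or abs(now + bob_clock_offset - t1) > MAX_SKEW:
        return None
    r_bob, ks_a_bob = pk_decrypt(BOB, inner1)
    ks_b = int.from_bytes(os.urandom(8), "big")
    # Message 2, Bob -> Alice: [Bob, [R, KsessionB]Kalice-public]Kbob-private
    inner2 = pk_encrypt(ALICE, r_bob, ks_b)
    msg2 = ("Bob", inner2, sign(BOB, "Bob", inner2))
    # Alice: Bob's signature and the returned R authenticate Bob
    name2, inner2a, sig2 = msg2
    r_back, ks_b_alice = pk_decrypt(ALICE, inner2a)
    if not verify(BOB, sig2, name2, inner2a) or r_back != r:
        return None
    return ks_a ^ ks_b_alice, ks_a_bob ^ ks_b       # session key = KsessionA xor KsessionB
```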