Lin He 52924739 ICS168 HW2 03/01/06

Problem 1
Suppose that we define a new block cipher DES-x which operates like this:
    C = DES-x(K1,K2,P) = K1 xor DES(K2,P)
where P is a 64-bit plaintext block, K1 is a 64-bit secret key and K2 is a normal 56-bit DES key. The output is a 64-bit block C.
a) Assume that you have one known plaintext/ciphertext pair [P1,C1] produced by DES-x. How many trials would you need to mount a brute force attack (in order to discover K1 and K2)?
b) Now assume that you have two known plaintext/ciphertext pairs [P1,C1] and [P2,C2]. How many trials would you need in this case?

a). If we use a large hash table that hashes all possible K1 values, then we do:
    for K2 = 0 to K2 = 2^56
        K1 = C1 XOR DES(K2,P1)
        See if K1 is in the hash table; if yes, we have found K1 and K2
    end for
We need 2^56 trials provided that a hash table is used. However, if we don't use a hash table, we need 2^120 trials.

b). Now we have two pairs, so we obtain the two equations below:
    C1 = K1 XOR DES(K2, P1)
    C2 = K1 XOR DES(K2, P2)
and hence
    K1 = C1 XOR DES(K2, P1)
    K1 = C2 XOR DES(K2, P2)
    for K2 = 0 to K2 = 2^56
        if C1 XOR DES(K2, P1) = C2 XOR DES(K2, P2)
            end for loop   // K2 is found. To get K1, just plug in.
    end for
We need 2^56 trials.

Problem 3
Recall the problem on the midterm where Eve has an RSA ciphertext C and someone tells her that P (the plaintext corresponding to C) has one common factor with the encryption modulus n. Now, suppose that we are using a variant of RSA where, instead of n being a product of two large primes, n is a product of 3 (three) large primes: p, q and s. In other words, n = pqs. This version of RSA happens to be as secure as normal RSA, and phi(n) = (p-1)(q-1)(s-1). Assume that, as in the midterm problem, Eve has a ciphertext C for some unknown plaintext P. And, as before, P has a common factor with n. Eve also knows the encryption exponent e. Can Eve compute P? Can she factor n? Can she discover d?

The most we can do is to find out q. Assume that the common factor between P and n is q.
For example, do the following:
    P^e mod q = x = 0
We know that C = P^e mod pqs can differ from x by multiples of q:
    C = x + kq = 0 + kq = kq   for some integer k
Using the Euclidean algorithm: GCD(C, n) = q, and n/q = ps.
However, we are left with ps and with no further clue to factor ps... so Eve cannot compute P, nor can she factor n or discover d.

Problem 4
Briefly answer the following questions: (Try not to use more than 4 sentences for each)
a) What are the differences between a MAC and a digital signature? What are the respective advantages/disadvantages of each?
b) An RSA signature operation x^d mod n can be sped up by first computing x^d in Z_p and in Z_q and then getting the answer in Z_n by the Chinese Remainder Theorem. In this way, the size of both the bases and the exponents in the computations will be reduced. Can this optimization also be used to speed up the RSA encryption operation? Why/why not?

a). Unlike a checksum, which can be generated by anyone, a digital signature can only be generated by someone knowing the private key. A public key signature differs from a secret key MAC because verification of a MAC requires knowledge of the same secret that was used to create it. Therefore anyone who can verify a MAC can also generate one, and so is able to substitute a different message and a corresponding MAC. In contrast, verification of the signature only requires knowledge of the public key. So Alice can sign a message by generating a signature only she can generate, and other people can verify that it is Alice's signature but cannot forge her signature.

b). As we can see above, in order to speed up decryption one has to know p and q; however, when we encrypt using RSA we know only n and e, and p and q must be kept secret. As a result, we cannot use this optimization to speed up the RSA encryption operation.

Problem 5
Suppose Alice wants to encrypt a message and send it to Bob. She encrypts one word at a time (i.e., one word corresponds to one plaintext block).
Consider the following 3 cases:
a) Alice and Bob share a DES key K and Alice encrypts using DES
b) Alice has Bob's public key and encrypts using RSA
c) Alice has Bob's public key and encrypts using ElGamal
Eve is a passive attacker – she only listens (but does not interfere). How secure are these 3 cases? In other words, can Eve discover the message Alice is sending?

a). Yes, Eve can discover the message Alice is sending. Since Alice is doing word-by-word encryption, Eve can mount a frequency analysis attack, because each distinct word gives a unique corresponding ciphertext. For example, words like "the" and "of" appear very frequently. If Eve can determine that a ciphertext corresponds to a word such as "the", then Eve has a plaintext/ciphertext pair that she can use to figure out the DES encryption key.

b). Yes, Eve can discover the message Alice is sending. Same explanation as a): since each distinct word gives a unique corresponding ciphertext, Eve can use a frequency analysis attack.

c). No. Since ElGamal uses a randomizer for each encryption, each distinct word gives a different ciphertext every time it is encrypted, so a frequency analysis attack cannot be used by Eve.

Problem 7
Prove that if p is prime, then Φ(p^i) = p^i – p^(i-1).

Only multiples of p are not relatively prime to p^i, and every p-th number is a multiple of p, so there are p^(i-1) of them less than p^i. So
    p^i = p * p * p * ... * p        (i factors)
Any number times p is going to be a multiple of p and has the common factor p with p^i, so it is NOT relatively prime to p^i; there are
    p * p * ... * p                  (i-1 factors) = p^(i-1)
of them. For example, if i = 2, then p^2 = p * p, and the multiples of p are p*1, p*2, ..., p*p; each of them is a multiple of p, and there are p = p^(2-1) of them in total. Therefore Φ(p^2) = p^2 – p^(2-1). End of proof.

Problem 8
Yes, it guards against both eavesdropping and server database disclosure.
First of all, Eve cannot obtain Alice's password since Alice transmits only her hashed password to Bob. It would be very difficult to discover the appropriate keys without knowing the hash function. So it guards against eavesdropping. Second, from reading information on the server (Bob in this case), Eve would not be able to learn Alice's password since Bob only keeps the hashed value of Alice's password. So it also guards against server database disclosure. Moreover, Eve cannot reuse hash(Y,R) to impersonate Alice since R is a random challenge.

Problem 9
a) Not secure. First of all, if Bob is a stateless server, I see no point in Bob sending R to Alice, since Alice can send any number R' together with KAlice-Bob{R'} back to Bob; Bob won't know whether R equals R' or not. Eve can obtain KAlice-Bob{R'} from Alice and Bob's previous conversations. So when Bob receives the message "R', KAlice-Bob{R'}", he decrypts KAlice-Bob{R'} using KAlice-Bob, compares the result with R', and authenticates "Alice", who is actually Eve.

b) Not secure. Same reason as a): since Bob is a stateless server, Eve can obtain the third message of this protocol, "KBob{R}, KAlice-Bob{R'}", from Alice and Bob's previous conversations and reuse it to impersonate Alice. Bob won't remember what R was, so the R in "KBob{R}, KAlice-Bob{R'}" can be anything.

Problem 10
Design a protocol that (using public key) accomplishes both mutual authentication and establishment of a symmetric session key in two rounds (in total, two messages are sent over the Alice-Bob link). Assume that Alice and Bob know each other's public key in advance.

Let:
    T = time stamp
    Kbob-private = Bob's private key
    Kbob-public = Bob's public key
    Kalice-private = Alice's private key
    Kalice-public = Alice's public key
    [..]K means encrypted under key K.
    KsessionA = some key
    KsessionB = some key

Alice                                                            Bob
        Alice, [T, [R, KsessionA]Kbob-public]Kalice-private
        ---------------------------------------------------->
        [Bob, [R, KsessionB]Kalice-public]Kbob-private
        <----------------------------------------------------

To establish the session key, Alice and Bob XOR KsessionA with KsessionB.

Reasoning: In the first message that Alice sends to Bob, Alice includes a timestamp T in the content that is encrypted using Alice's private key; this ensures that the message cannot be reused (ignoring time skew issues). It also authenticates Alice to Bob. Moreover, Alice sends a random challenge R encrypted using Bob's public key, so only the real Bob can decrypt it and send the correct R back to Alice. Thus it also authenticates Bob to Alice. Finally, components of the session key are exchanged during this protocol, and the session key is established by XORing KsessionA and KsessionB.
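Worked example for Problem 1 (added here; not part of the original homework). A 16-bit toy cipher with a 12-bit key stands in for DES so that the search runs in a moment; the cipher, its constants, the keys and the plaintexts are all constructed. It shows the two-key structure C = K1 xor TOY(K2,P): the loop runs over K2 alone, one known pair lets every K2 be paired with a matching K1 (so a single pair does not narrow the candidates), and a second pair filters them.

```python
# Added worked example for Problem 1 (not from the original homework).
# A 16-bit toy block cipher with a 12-bit key stands in for DES so the
# search is small enough to run; the structure is that of DES-x:
#     C = K1 xor TOY(K2, P)   with K1 a 16-bit whitening key.
MASK = 0xFFFF
K2_BITS = 12

def rotl16(x, r):
    """Rotate a 16-bit word left by r bits."""
    return ((x << r) | (x >> (16 - r))) & MASK

def toy_cipher(k2, p):
    """Toy 16-bit keyed permutation, constructed for this example only.
    Each step is a bijection on 16-bit words, so it has the shape of a
    block cipher (but is of course not a secure one)."""
    x = p & MASK
    for rnd in range(4):
        x ^= (k2 * (2 * rnd + 1) + 0x5A3C) & MASK   # round key derived from k2
        x = rotl16(x, 5)
        x = (x * 0x9E37) & MASK                      # odd multiplier: bijective
        x = (x + 0x1234) & MASK
    return x

def desx_toy(k1, k2, p):
    return k1 ^ toy_cipher(k2, p)

def consistent_keys(pairs):
    """Brute force over K2 only. Each K2 fixes K1 = C1 xor TOY(K2, P1), so
    the loop costs 2**K2_BITS trials and the whitening key adds no work.
    Returns every (k1, k2) consistent with all the given pairs."""
    p1, c1 = pairs[0]
    found = []
    for k2 in range(1 << K2_BITS):
        k1 = c1 ^ toy_cipher(k2, p1)
        if all(desx_toy(k1, k2, p) == c for p, c in pairs[1:]):
            found.append((k1, k2))
    return found

# Constructed sample key and known plaintexts for the demonstration.
K1, K2 = 0xBEEF, 0x7A5
P1, P2 = 0x1234, 0xC0DE
PAIRS = [(P1, desx_toy(K1, K2, P1)), (P2, desx_toy(K1, K2, P2))]

if __name__ == "__main__":
    print(len(consistent_keys(PAIRS[:1])), "candidates from one pair")
    print(len(consistent_keys(PAIRS)), "candidates from two pairs")
```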
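Worked example for Problems 3 and 4(b) (added here; not from the original homework). It builds a three-prime modulus n = pqs from small constructed primes using plain Python integers: gcd(C, n) recovers the factor q that P shares with n and leaves ps, and the CRT-based private-key operation, carried out over all three factors, agrees with the direct computation while needing p, q and s, which an encrypting party does not have.

```python
# Added worked example for Problems 3 and 4(b) (not from the original
# homework). Small constructed primes keep the numbers readable; real RSA
# uses primes of hundreds of digits.
from math import gcd

P_, Q_, S_ = 1009, 1013, 1019           # three constructed primes
N = P_ * Q_ * S_
PHI = (P_ - 1) * (Q_ - 1) * (S_ - 1)
E = 65537
D = pow(E, -1, PHI)                     # private exponent (Python 3.8+)

def encrypt(m):
    return pow(m, E, N)

def leaked_factor(c):
    """Problem 3: if the plaintext P is a multiple of q, then C = P^e mod n
    is also a multiple of q (n is too), so gcd(C, n) returns q, leaving ps."""
    return gcd(c, N)

def plain_decrypt(c):
    return pow(c, D, N)

def crt_decrypt(c):
    """Problem 4(b): raise c to the power d separately in Z_p, Z_q and Z_s,
    with the exponent reduced mod (prime - 1), then recombine with the
    Chinese Remainder Theorem. This needs the factors of n, which only the
    private-key holder has; an encrypting party knows just (n, e)."""
    result, modulus = 0, 1
    for prime in (P_, Q_, S_):
        residue = c % prime
        # Edge case: a residue of 0 stays 0 (the reduced exponent may be 0).
        m_i = 0 if residue == 0 else pow(residue, D % (prime - 1), prime)
        # Lift the partial result so it is also congruent to m_i mod prime.
        t = ((m_i - result) * pow(modulus, -1, prime)) % prime
        result += modulus * t
        modulus *= prime
    return result

if __name__ == "__main__":
    shared = 5 * Q_                      # constructed plaintext sharing factor q
    print("gcd(C, n) == q:", leaked_factor(encrypt(shared)) == Q_)
    print("ps =", N // leaked_factor(encrypt(shared)))
    c = encrypt(1234567)
    print("CRT matches direct:", crt_decrypt(c) == plain_decrypt(c))
```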
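Worked example for Problem 5 (added here; not from the original homework). Textbook RSA with constructed parameters stands in for the deterministic cases (a) and (b), and a small ElGamal instance with constructed parameters for case (c); the code counts how often identical ciphertext blocks occur when a sentence is encrypted one word per block.

```python
# Added worked example for Problem 5 (not from the original homework).
# Parameters are small, constructed textbook values; the point is the
# shape of the ciphertext stream, not the strength of the keys.
import secrets

# Deterministic public-key encryption: textbook RSA (case b). DES in ECB
# style (case a) behaves the same way: equal words give equal blocks.
RSA_N = (2**31 - 1) * (2**61 - 1)        # product of two Mersenne primes
RSA_E = 65537

def rsa_encrypt(m):
    return pow(m, RSA_E, RSA_N)

# Randomized public-key encryption: ElGamal (case c).
EG_P = 2**61 - 1                         # prime modulus (constructed choice)
EG_G = 3                                 # generator (adequate for the demo)
EG_X = 0x1234567890ABC                   # Bob's private key (constructed)
EG_Y = pow(EG_G, EG_X, EG_P)             # Bob's public key

def elgamal_encrypt(m):
    k = secrets.randbelow(EG_P - 2) + 1  # fresh randomizer for every block
    return pow(EG_G, k, EG_P), (m * pow(EG_Y, k, EG_P)) % EG_P

def elgamal_decrypt(ct):
    c1, c2 = ct
    return (c2 * pow(c1, EG_P - 1 - EG_X, EG_P)) % EG_P

def word_to_int(word):
    return int.from_bytes(word.encode(), "big")

def ciphertext_frequencies(words, encrypt):
    """Encrypt one word per block and count repeated ciphertext blocks.
    With deterministic encryption the counts equal the word frequencies,
    which is exactly what Eve's frequency analysis relies on."""
    counts = {}
    for w in words:
        ct = encrypt(word_to_int(w))
        counts[ct] = counts.get(ct, 0) + 1
    return counts

# Constructed sample message; "the" occurs four times in twelve words.
SENTENCE = "the cat sat on the mat by the door of the house".split()

if __name__ == "__main__":
    for name, enc in (("RSA", rsa_encrypt), ("ElGamal", elgamal_encrypt)):
        counts = ciphertext_frequencies(SENTENCE, enc)
        print(f"{name}: {len(counts)} distinct blocks, most repeated {max(counts.values())}x")
```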