
ECE454/599

Computer and Network Security

Dr. Jinyuan (Stella) Sun


Dept. of Electrical Engineering and Computer Science
University of Tennessee
Fall 2012

Exercise 1: Chapters 1-5
Review Questions
1. What are the essential ingredients of a symmetric cipher?
Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.
2. What are the two basic functions used in encryption algorithms?
Permutation and substitution.
3. How many keys are required for two people to communicate via
a cipher?
One key for symmetric ciphers, two keys for asymmetric ciphers.
4. What is the difference between a block cipher and a stream
cipher?
A stream cipher is one that encrypts a digital data stream one bit or one byte
at a time. A block cipher is one in which a block of plaintext is treated as a whole
and used to produce a ciphertext block of equal length.
5. What are the two general approaches to attacking a cipher?
Cryptanalysis and brute force.
6. What is the difference between an unconditionally secure cipher
and a computationally secure cipher?
An encryption scheme is unconditionally secure if the ciphertext generated by
the scheme does not contain enough information to determine uniquely the
corresponding plaintext, no matter how much ciphertext is available. An encryption
scheme is said to be computationally secure if: (1) the cost of breaking the
cipher exceeds the value of the encrypted information, and (2) the time required to
break the cipher exceeds the useful lifetime of the information.
7. What are two problems with the one-time pad?
1) There is the practical problem of making large quantities of random keys. Any
heavily used system might require millions of random characters on a regular basis.
Supplying truly random characters in this volume is a significant task.
2) Even more daunting is the problem of key distribution and protection. For
every message to be sent, a key of equal length is needed by both sender and
receiver. Thus, a mammoth key distribution problem exists.
8. List ways in which secret keys can be distributed to two
communicating parties.
1) A can select a key and physically deliver it to B.
2) A third party can select the key and physically deliver it to A and B.
3) If A and B have previously and recently used a key, one party can transmit the
new key to the other, encrypted using the old key.
4) If A and B each has an encrypted connection to a third party C, C can deliver a
key on the encrypted links to A and B.
9. What types of attacks are addressed by message authentication?
Masquerade: Insertion of messages into the network from a fraudulent source.
This includes the creation of messages by an opponent that are purported to come
from an authorized entity. Also included are fraudulent acknowledgments of message
receipt or nonreceipt by someone other than the message recipient. Content
modification: Changes to the contents of a message, including insertion, deletion,
transposition, and modification. Sequence modification: Any modification to a
sequence of messages between parties, including insertion, deletion, and reordering.
Timing modification: Delay or replay of messages. In a connection-oriented
application, an entire session or sequence of messages could be a replay of some
previous valid session, or individual messages in the sequence could be delayed or
replayed. In a connectionless application, an individual message (e.g., datagram) could
be delayed or replayed.
10. What two levels of functionality comprise a message
authentication or digital signature mechanism?
At the lower level, there must be some sort of function that produces an
authenticator: a value to be used to authenticate a message. This lower-level function
is then used as a primitive in a higher-level authentication protocol that enables a
receiver to verify the authenticity of a message.
11. What are some approaches to producing message
authentication?
Message encryption, message authentication code, digital signature.
12. When a combination of symmetric encryption and an error
control code (e.g., CRC) is used for message authentication, in what
order must the two functions be performed?
Error control code, then encryption.
13. What is the difference between a message authentication code
and a one-way hash function?
A hash function, by itself, does not provide message authentication. A secret key
must be used in some fashion with the hash function to produce authentication. A
MAC, by definition, uses a secret key to calculate a code used for authentication.
14. Is it necessary to recover the secret key in order to attack a MAC
algorithm?
No. See problem with h(key|m).
15. What characteristics are needed in a secure hash function?
1) H can be applied to a block of data of any size.
2) H produces a fixed-length output.
3) H(x) is relatively easy to compute for any given x, making both hardware and
software implementations practical.
4) For any given value h, it is computationally infeasible to find x such that H(x) = h. This
is sometimes referred to in the literature as the one-way property.
5) For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
6) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
16. What is the role of a compression function in a hash function?
A typical hash function uses a compression function as a basic building block, and
involves repeated application of the compression function.
17. Why has there been an interest in developing a message
authentication code derived from a cryptographic hash function as
opposed to one derived from a symmetric cipher?
1) Cryptographic hash functions such as MD5 and SHA generally execute faster in
software than symmetric block ciphers such as DES. 2) Library code for cryptographic
hash functions is widely available.
18. What changes in HMAC are required in order to replace one
underlying hash function with another?
To replace a given hash function in an HMAC implementation, all that is required is to
remove the existing hash function module and drop in the new module.
Problems
1. One way to solve the key distribution problem is to use a line from
a book that both the sender and the receiver possess. Typically, at
least in spy novels, the first sentence of a book serves as the key. The
particular scheme discussed in this problem is from one of the best
suspense novels involving secret codes, Talking to Strange Men, by Ruth
Rendell. Work this problem without consulting that book! Consider
the following message:
SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
This ciphertext was produced using the first sentence of The Other
Side of Silence (a book about the spy Kim Philby):
The snow lay thick on the steps and the snowflakes driven by the
wind looked black in the headlights of the cars.
A simple substitution cipher was used.
a. What is the encryption algorithm?
b. How secure is it?
c. To make the key distribution problem simple, both parties can
agree to use the first or last sentence of a book as the key. To change
the key, they simply need to agree on a new book. The use of the first
sentence would be preferable to the use of the last. Why?
a. The first letter t corresponds to A, the second letter h corresponds
to B, e is C, s is D, and so on. Second and subsequent occurrences of a
letter in the key sentence are ignored. The result:
ciphertext: SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
plaintext: basilisk to leviathan blake is contact
b. It is a monoalphabetic cipher and so easily breakable.


c. The last sentence may not contain all the letters of the alphabet. If
the first sentence is used, the second and subsequent sentences may
also be used until all 26 letters are encountered.
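The key-sentence cipher of Problem 1, as an added Python example that is not part of the original exercise. The function names are chosen here; the key sentence and ciphertext are the ones from the problem. It also lists the letters the first sentence never supplies, which is the situation part (c) is about.

```python
import string

# Key sentence and ciphertext exactly as given in the problem statement.
KEY_SENTENCE = ("The snow lay thick on the steps and the snowflakes driven by "
                "the wind looked black in the headlights of the cars.")
CIPHERTEXT = "SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA"

def key_alphabet(sentence):
    """Distinct letters of the sentence, in order of first appearance."""
    seen = []
    for ch in sentence.lower():
        if ch.isalpha() and ch not in seen:
            seen.append(ch)
    return "".join(seen)

def encrypt(plaintext, sentence):
    """The n-th distinct key letter maps to the n-th letter A, B, C, ..."""
    alpha = key_alphabet(sentence)
    out = []
    for ch in plaintext.lower():
        if ch.isalpha():
            if ch not in alpha:
                raise ValueError(f"key sentence cannot encode {ch!r}")
            ch = string.ascii_uppercase[alpha.index(ch)]
        out.append(ch)
    return "".join(out)

def decrypt(ciphertext, sentence):
    """Inverse mapping: A -> first distinct key letter, B -> second, ..."""
    alpha = key_alphabet(sentence)
    out = []
    for ch in ciphertext.upper():
        if ch.isalpha():
            idx = string.ascii_uppercase.index(ch)
            if idx >= len(alpha):
                raise ValueError(f"no key letter for ciphertext {ch!r}")
            ch = alpha[idx]
        out.append(ch)
    return "".join(out)

def uncovered_letters(sentence):
    """Plaintext letters that this key sentence gives no mapping for."""
    return sorted(set(string.ascii_lowercase) - set(key_alphabet(sentence)))

if __name__ == "__main__":
    print(decrypt(CIPHERTEXT, KEY_SENTENCE))
    print(uncovered_letters(KEY_SENTENCE))
```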
2. In one of Dorothy Sayers's mysteries, Lord Peter is confronted with
the message shown below. He also discovers the key to the message,
which is a sequence of integers:
787656543432112343456567878878765654
3432112343456567878878765654433211234
a. Decrypt the message. Hint: What is the largest integer value?
b. If the algorithm is known but not the key, how secure is the scheme?
c. If the key is known but not the algorithm, how secure is the scheme?
a. Lay the message out in a matrix 8 letters across. Each integer in the
key tells you which letter to choose in the corresponding row. Result:
He sitteth between the cherubims. The isles may be glad
thereof. As the rivers in the south.

b. Quite secure. In each row there is one of eight possibilities. So if
the ciphertext is 8n letters in length, then the number of possible
plaintexts is $8^n$.
c. Not very secure. Lord Peter figured it out. (from The Nine Tailors)
3. For any block cipher, the fact that it is a nonlinear function is crucial
to its security. To see this, suppose that we have a linear block cipher
EL that encrypts 128-bit blocks of plaintext into 128-bit blocks of
ciphertext. Let EL(k, m) denote the encryption of a 128-bit message m
under a key k (the actual bit length of k is irrelevant). Thus
EL(k, [m1 XOR m2]) = EL(k, m1) XOR EL(k, m2) for all 128-bit
patterns m1, m2
Describe how, with 128 chosen ciphertexts, an adversary can decrypt
any ciphertext without knowledge of the secret key k. (A "chosen
ciphertext" means that an adversary has the ability to choose a
ciphertext and then obtain its decryption. Here, you have 128
plaintext/ciphertext pairs to work with and you have the ability to
choose the value of the ciphertexts.)
For $1 \le i \le 128$, take $c_i \in \{0, 1\}^{128}$ to be the string containing a 1 in
position i and then zeros elsewhere. Obtain the decryption of these
128 ciphertexts. Let $m_1, m_2, \ldots, m_{128}$ be the corresponding
plaintexts. Now, given any ciphertext c which does not consist of all
zeros, there is a unique nonempty subset of the $c_i$'s which we can
XOR together to obtain c. Let $I(c) \subseteq \{1, 2, \ldots, 128\}$ denote this
subset. Observe

$$c = \bigoplus_{i \in I(c)} c_i = \bigoplus_{i \in I(c)} E(m_i) = E\Big(\bigoplus_{i \in I(c)} m_i\Big)$$

Thus, we obtain the plaintext of c by computing $\bigoplus_{i \in I(c)} m_i$. Let 0 be the
all-zero string. Note that $0 = 0 \oplus 0$. From this we obtain
$E(0) = E(0 \oplus 0) = E(0) \oplus E(0) = 0$. Thus, the plaintext of c = 0 is m = 0. Hence we
can decrypt every $c \in \{0, 1\}^{128}$.
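The argument above carried out on a toy linear cipher, as an added Python example that is not part of the original exercise. The cipher `el_encrypt`/`el_decrypt` is an assumption made for the demonstration (a key-seeded sequence of "XOR bit i into bit j" steps, which is linear over GF(2)); the exercise does not specify EL.

```python
import random

BITS = 128

def _steps(key, rounds=2000):
    """Key-dependent list of (i, j) pairs, i != j: 'XOR bit i into bit j'."""
    rng = random.Random(key)
    return [tuple(rng.sample(range(BITS), 2)) for _ in range(rounds)]

def el_encrypt(key, m):
    """Toy linear block cipher (constructed for this example only)."""
    for i, j in _steps(key):
        m ^= ((m >> i) & 1) << j
    return m

def el_decrypt(key, c):
    """Each step is its own inverse, so decryption replays them backwards."""
    for i, j in reversed(_steps(key)):
        c ^= ((c >> i) & 1) << j
    return c

def basis_plaintexts(decryption_oracle):
    """The 128 chosen ciphertexts c_i = single 1 bit; returns m_1..m_128."""
    return [decryption_oracle(1 << i) for i in range(BITS)]

def decrypt_without_key(table, c):
    """XOR together the m_i for every i in I(c), i.e. every set bit of c."""
    m = 0
    for i in range(BITS):
        if (c >> i) & 1:
            m ^= table[i]
    return m

if __name__ == "__main__":
    secret_key = 0x0123456789ABCDEF                  # known only to the oracle
    table = basis_plaintexts(lambda c: el_decrypt(secret_key, c))
    message = 0xDEADBEEF00112233445566778899AABB     # constructed sample
    c = el_encrypt(secret_key, message)
    print(hex(decrypt_without_key(table, c)))        # equals message
```

Any nonlinear step in the cipher breaks the identity the table lookup relies on, which is the point of the exercise.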
4. With the ECB mode of DES, if there is an error in a block of the
transmitted ciphertext, only the corresponding plaintext block is
affected. However, in the CBC mode, this error propagates. For
example, an error in the transmitted C1 obviously corrupts P1 and P2.
a. Are any blocks beyond P2 affected?
b. Suppose that there is a bit error in the source version of P1. Through
how many ciphertext blocks is this error propagated? What is the
effect at the receiver?
a. No. For example, suppose C1 is corrupted. The output block P3
depends only on the input blocks C2 and C3.
b. An error in P1 affects C1. But since C1 is input to the calculation of
C2, C2 is affected. This effect carries through indefinitely, so that all
ciphertext blocks are affected. However, at the receiving end, the
decryption algorithm restores the correct plaintext for blocks except
the one in error. You can show this by writing out the equations for the
decryption. Therefore, the error only affects the corresponding
decrypted plaintext block.
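Both cases of Problem 4 checked in code, as an added Python example that is not part of the original exercise. Python's standard library has no DES, so a small 64-bit Feistel cipher built on SHA-256 stands in for it (an assumption of this example); the CBC chaining is what is being demonstrated, and the key, IV and plaintext are constructed samples.

```python
import hashlib

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, rnd, half):
    # Round function of the stand-in cipher (not DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r

def dec_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r

def cbc_encrypt(key, iv, blocks):
    out, prev = [], iv
    for p in blocks:                      # C_i = E(P_i XOR C_{i-1})
        prev = enc_block(key, _xor(p, prev))
        out.append(prev)
    return out

def cbc_decrypt(key, iv, blocks):
    out, prev = [], iv
    for c in blocks:                      # P_i = D(C_i) XOR C_{i-1}
        out.append(_xor(dec_block(key, c), prev))
        prev = c
    return out

def flip_bit(block):
    return bytes([block[0] ^ 0x01]) + block[1:]

def differing(a, b):
    """1-based indices of the blocks that differ between two block lists."""
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]

def transmission_error(key, iv, plain):
    """Part (a): flip one bit of C1 in transit; which P_i come out wrong?"""
    ct = cbc_encrypt(key, iv, plain)
    ct[0] = flip_bit(ct[0])
    return differing(plain, cbc_decrypt(key, iv, ct))

def source_error(key, iv, plain):
    """Part (b): flip one bit of P1 before encryption.
    Returns (ciphertext blocks changed, received plaintext blocks wrong)."""
    ct_bad = cbc_encrypt(key, iv, [flip_bit(plain[0])] + plain[1:])
    return (differing(cbc_encrypt(key, iv, plain), ct_bad),
            differing(plain, cbc_decrypt(key, iv, ct_bad)))
```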
5. The pseudo-random stream of blocks generated by 64-bit OFB must
eventually repeat (since at most $2^{64}$ different blocks can be generated).
Will K{IV} necessarily be the first block to be repeated?
Actually, IV will be the first block to be repeated. To see this, note that
the previous block to any given block must be the decryption of the
given block. So if two blocks are equal, their respective previous blocks
are also equal (unless one of them doesn't have a previous block because it is
the first, namely IV).
6. If a bit error occurs in the transmission of a ciphertext character in
8-bit CFB mode, how far does the error propagate?
Nine plaintext characters are affected. The plaintext character
corresponding to the ciphertext character is obviously altered. In
addition, the altered ciphertext character enters the shift register and is
not removed until the next eight (b/k) characters are processed.
7. Alice and Bob agree to communicate privately via email using a
scheme based on RC4, but want to avoid using a new secret key for
each transmission. Alice and Bob privately agree on a 128-bit key k. To
encrypt a message m, consisting of a string of bits, the following
procedure is used:
1. Choose a random 80-bit value v
2. Generate the ciphertext c = RC4(v || k) XOR m
3. Send the bit string (v || c)
a. Suppose Alice uses this procedure to send a message m to Bob.
Describe how Bob can recover the message m from (v || c) using k.
b. If an adversary observes several values (v1 || c1), (v2 || c2), ...
transmitted between Alice and Bob, how can he/she determine when
the same key stream has been used to encrypt two messages?
c. Approximately how many messages can Alice expect to send before
the same key stream will be used twice? (Use the approximate result
from the birthday paradox)
d. What does this imply about the lifetime of the key k (i.e., the number
of messages that can be encrypted using k)?
a. By taking the first 80 bits of v || c, we obtain the initialization vector, v.
Since v, c, k are known, the message can be recovered (i.e., decrypted)
by computing RC4(v || k) XOR c.
b. If the adversary observes that vi = vj for distinct i, j then he/she
knows that the same key stream was used to encrypt both mi and mj. In
this case, the messages mi and mj may be vulnerable to the type of
cryptanalysis carried out in part (a).
c. Since the key is fixed, the key stream varies with the choice of the
80-bit v, which is selected randomly. Thus, after approximately $\sqrt{2^{80}} = 2^{40}$
messages are sent, we expect the same v, and hence the same key
stream, to be used more than once.
d. The key k should be changed sometime before $2^{40}$ messages are
sent.
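The scheme of Problem 7 in code, as an added Python example that is not part of the original exercise: Bob's decryption from part (a), the repeated-v check from part (b), and the birthday estimate from part (c). The function names are chosen here, and the keys and messages used with it are constructed samples.

```python
import math

V_LEN = 10  # the 80-bit value v, in bytes

def rc4(key, n):
    """First n bytes of the RC4 key stream for the given key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                        # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(k, v, m):
    """Steps 1-3 of the procedure: returns v || c with c = RC4(v || k) XOR m."""
    return v + xor(rc4(v + k, len(m)), m)

def decrypt(k, packet):
    """Part (a): split off v, regenerate RC4(v || k), XOR it with c."""
    v, c = packet[:V_LEN], packet[V_LEN:]
    return xor(rc4(v + k, len(c)), c)

def repeated_v(packets):
    """Part (b): index pairs of packets that carry the same v."""
    first_seen, pairs = {}, []
    for idx, p in enumerate(packets):
        v = p[:V_LEN]
        if v in first_seen:
            pairs.append((first_seen[v], idx))
        else:
            first_seen[v] = idx
    return pairs

def messages_before_repeat(v_bits):
    """Part (c): birthday approximation sqrt(2^v_bits)."""
    return math.isqrt(2 ** v_bits)
```

When two packets share v, XORing their c parts cancels the key stream and leaves m1 XOR m2, which is why k has to be retired well before the estimate from part (c) is reached.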
8. Suppose H(m) is a collision resistant hash function that maps a
message of arbitrary bit length into an n-bit hash value. Is it true
that, for all messages x, x' with x != x', we have H(x) != H(x')?
Explain your answer.
The statement is false. Such a function cannot be one-to-one
because the number of inputs to the function is arbitrary, but
the number of unique outputs is $2^n$. Thus, there are multiple inputs
that map into the same output.
9. This problem provides a numerical example of encryption using
a one-round version of DES. We start with the same bit pattern for
the key K and the plaintext, namely:
in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F
in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111
1000 1001 1010 1011 1100 1101 1110 1111
a. Derive K1, the first-round subkey.
b. Derive L0, R0.
c. Expand R0 to get EXP(R0).
d. Calculate A = EXP(R0) XOR K1.
e. Group the 48-bit result of (d) into sets of 6 bits and evaluate the
corresponding S-box substitutions.
f. Concatenate the results of (e) to get a 32-bit result, B.
g. Apply the permutation to get P(B).
h. Calculate R1 = P(B) XOR L0.
i. Write down the ciphertext.
a. in binary notation: 0000 1011 0000 0010 0110 0111
1001 1011 0100 1001 1010 0101
in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A 5
b. L0, R0 are derived by passing the 64-bit plaintext through the Initial
Permutation:
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
c. EXP(R0) = 011110 100001 010101 010101 011110 100001
010101 010101
d. A = 011100 010001 011100 110010 111000 010101 110011
110000
e. 0 (base 10)=0000 (base 2), 12 (base 10)=1100 (base 2), 2 (base
10)=0010 (base 2), 1 (base 10)=0001 (base 2), 6 (base 10)=0110
(base 2), 13 (base 10)=1101 (base 2), 5 (base 10)=0101 (base 2), 0
(base 10)=0000 (base 2)
f. B = 0000 1100 0010 0001 0110 1101 0101 0000
g. P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
h. R1 = 0101 1110 0001 1100 1110 1100 0110 0011
i. L1 = R0. The ciphertext is the concatenation of L1 and R1.
