Solutions for Chapter 20 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

20.1 Give examples of applications of IPsec.
Get 20.1 exercise solution

20.2 What services are provided by IPsec?
Get 20.2 exercise solution

20.3 What parameters identify an SA and what parameters characterize the nature of a particular SA?
Get 20.3 exercise solution

20.4 What is the difference between transport mode and tunnel mode?
Get 20.4 exercise solution

20.5 What is a replay attack?
Get 20.5 exercise solution

20.6 Why does ESP include a padding field?
Get 20.6 exercise solution

20.7 What are the basic approaches to bundling SAs?
Get 20.7 exercise solution

20.8 What are the roles of the Oakley key determination protocol and ISAKMP in IPsec?
Get 20.8 exercise solution


Problems

20.1 Describe and explain each of the entries in Table 20.2.
Get 20.1 exercise solution

20.2 Draw a figure similar to Figure 20.8 for AH.
Get 20.2 exercise solution

20.3 List the major security services provided by AH and ESP, respectively.
Get 20.3 exercise solution

20.4 In discussing AH processing, it was mentioned that not all of the fields in an IP header are included in MAC calculation.
a. For each of the fields in the IPv4 header, indicate whether the field is immutable, mutable but predictable, or mutable (zeroed prior to ICV calculation).
b. Do the same for the IPv6 header.
c. Do the same for the IPv6 extension headers.
In each case, justify your decision for each field.
Get 20.4 exercise solution

20.5 Suppose that the current replay window spans from 120 to 530.
a. If the next incoming authenticated packet has sequence number 105, what will the receiver do with the packet, and what will be the parameters of the window after that?
b. If instead the next incoming authenticated packet has sequence number 440, what will the receiver do with the packet, and what will be the parameters of the window after that?
c. If instead the next incoming authenticated packet has sequence number 540, what will the receiver do with the packet, and what will be the parameters of the window after that?
Get 20.5 exercise solution

20.6 When tunnel mode is used, a new outer IP header is constructed. For both IPv4 and IPv6, indicate the relationship of each outer IP header field and each extension header in the outer packet to the corresponding field or extension header of the inner IP packet. That is, indicate which outer values are derived from inner values and which are constructed independently of the inner values.
Get 20.6 exercise solution

20.7 End-to-end authentication and encryption are desired between two hosts. Draw figures similar to Figure 20.8 that show each of the following.
a. Transport adjacency with encryption applied before authentication.
b. A transport SA bundled inside a tunnel SA with encryption applied before authentication.
c. A transport SA bundled inside a tunnel SA with authentication applied before encryption.
Get 20.7 exercise solution

20.8 The IPsec architecture document states that when two transport mode SAs are bundled to allow both AH and ESP protocols on the same end-to-end flow, only one ordering of security protocols seems appropriate: performing the ESP protocol before performing the AH protocol. Why is this approach recommended rather than authentication before encryption?
Get 20.8 exercise solution

20.9 For the IKE key exchange, indicate which parameters in each message go in which ISAKMP payload types.
Get 20.9 exercise solution

20.10 Where does IPsec reside in a protocol stack?
Get 20.10 exercise solution


Solutions for Chapter 19 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

19.1 What are the five principal services provided by PGP?
Get 19.1 exercise solution

19.2 What is the utility of a detached signature?
Get 19.2 exercise solution

19.3 Why does PGP generate a signature before applying compression?
Get 19.3 exercise solution

19.4 What is R64 conversion?
Get 19.4 exercise solution

19.5 Why is R64 conversion useful for an e-mail application?
Get 19.5 exercise solution

19.6 How does PGP use the concept of trust?
Get 19.6 exercise solution

19.7 What is RFC 5322?
Get 19.7 exercise solution

19.8 What is MIME?
Get 19.8 exercise solution

19.9 What is S/MIME?
Get 19.9 exercise solution

19.10 What is DKIM?
Get 19.10 exercise solution


Problems

19.1 PGP makes use of the cipher feedback (CFB) mode of CAST-128, whereas most symmetric encryption applications (other than key encryption) use the cipher block chaining (CBC) mode. We have

CBC: Ci = E(K, [Ci-1 ⊕ Pi]); Pi = Ci-1 ⊕ D(K, Ci)
CFB: Ci = Pi ⊕ E(K, Ci-1); Pi = Ci ⊕ E(K, Ci-1)

These two appear to provide equal security. Suggest a reason why PGP uses the CFB mode.
Get 19.1 exercise solution

19.2 In the PGP scheme, what is the expected number of session keys generated before a previously created key is produced?
Get 19.2 exercise solution

19.3 As discussed in Appendix P, a PGP user may have multiple public keys. So that a recipient knows which public key is being used by a sender, a key ID, consisting of the least significant 64 bits of the public key, is sent with the message. What is the probability that a user with N public keys will have at least one duplicate key ID?
Get 19.3 exercise solution

19.4 As discussed in Appendix P, the first 16 bits of the message digest in a PGP signature are translated in the clear. This enables the recipient to determine if the correct public key was used to decrypt the message digest by comparing the plaintext copy of the first two octets with the first two octets of the decrypted digest.
a. To what extent does this compromise the security of the hash algorithm?
b. To what extent does it in fact perform its intended function, namely, to help determine if the correct RSA key was used to decrypt the digest?
Get 19.4 exercise solution

19.5 For this problem and the next, consult Appendix P. In Figure P.2, each entry in the public-key ring contains an Owner Trust field that indicates the degree of trust associated with this public-key owner. Why is that not enough? That is, if this owner is trusted and this is supposed to be the owner’s public key, why is that trust not enough to permit PGP to use this public key?
Get 19.5 exercise solution

19.6 What is the basic difference between X.509 and PGP in terms of key hierarchies and key trust?
Get 19.6 exercise solution

19.7 Phil Zimmermann chose IDEA, three-key triple DES, and CAST-128 as symmetric encryption algorithms for PGP. Give reasons why each of the following symmetric encryption algorithms described in this book is suitable or unsuitable for PGP: DES, two-key triple DES, and AES.
Get 19.7 exercise solution

19.8 Consider radix-64 conversion as a form of encryption. In this case, there is no key. But suppose that an opponent knew only that some form of substitution algorithm was being used to encrypt English text and did not guess that it was R64. How effective would this algorithm be against cryptanalysis?
Get 19.8 exercise solution

19.9 Encode the text “plaintext” using the following techniques. Assume characters are stored in 8-bit ASCII with zero parity.
a. Radix-64
b. Quoted-printable
Get 19.9 exercise solution


Solutions for Chapter 18 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

18.1 What is the basic building block of an 802.11 WLAN?
Get 18.1 exercise solution

18.2 Define an extended service set.
Get 18.2 exercise solution

18.3 List and briefly define IEEE 802.11 services.
Get 18.3 exercise solution

18.4 Is a distribution system a wireless network?
Get 18.4 exercise solution

18.5 How is the concept of an association related to that of mobility?
Get 18.5 exercise solution

18.6 What security areas are addressed by IEEE 802.11i?
Get 18.6 exercise solution

18.7 Briefly describe the four IEEE 802.11i phases of operation.
Get 18.7 exercise solution

18.8 What is the difference between TKIP and CCMP?
Get 18.8 exercise solution


Problems

18.1 In IEEE 802.11, open system authentication simply consists of two communications. An authentication is requested by the client, which contains the station ID (typically the MAC address). This is followed by an authentication response from the AP/router containing a success or failure message. An example of when a failure may occur is if the client’s MAC address is explicitly excluded in the AP/router configuration.
a. What are the benefits of this authentication scheme?
b. What are the security vulnerabilities of this authentication scheme?
Get 18.1 exercise solution

18.2 Prior to the introduction of IEEE 802.11i, the security scheme for IEEE 802.11 was Wired Equivalent Privacy (WEP). WEP assumed all devices in the network share a secret key. The purpose of the authentication scenario is for the STA to prove that it possesses the secret key. Authentication proceeds as shown in Figure 18.12. The STA sends a message to the AP requesting authentication. The AP issues a challenge, which is a sequence of 128 random bytes sent as plaintext. The STA encrypts the challenge with the shared key and returns it to the AP. The AP decrypts the incoming value and compares it to the challenge that it sent. If there is a match, the AP confirms that authentication has succeeded.
a. What are the benefits of this authentication scheme?
b. This authentication scheme is incomplete. What is missing and why is this important? Hint: The addition of one or two messages would fix the problem.
c. What is a cryptographic weakness of this scheme?
Get 18.2 exercise solution

18.3 For WEP, data integrity and data confidentiality are achieved using the RC4 stream encryption algorithm. The transmitter of an MPDU performs the following steps, referred to as encapsulation:
1. The transmitter selects an initial vector (IV) value.
2. The IV value is concatenated with the WEP key shared by transmitter and receiver to form the seed, or key input, to RC4.
3. A 32-bit cyclic redundancy check (CRC) is computed over all the bits of the MAC data field and appended to the data field. The CRC is a common error-detection code used in data link control protocols. In this case, the CRC serves as an integrity check value (ICV).
4. The result of step 3 is encrypted using RC4 to form the ciphertext block.
5. The plaintext IV is prepended to the ciphertext block to form the encapsulated MPDU for transmission.
a. Draw a block diagram that illustrates the encapsulation process.
b. Describe the steps at the receiver end to recover the plaintext and perform the integrity check.
c. Draw a block diagram that illustrates part b.
Get 18.3 exercise solution

18.4 A potential weakness of the CRC as an integrity check is that it is a linear function. This means that you can predict which bits of the CRC are changed if a single bit of the message is changed. Furthermore, it is possible to determine which combination of bits could be flipped in the message so that the net result is no change in the CRC. Thus, there are a number of combinations of bit flippings of the plaintext message that leave the CRC unchanged, so message integrity is defeated. However, in WEP, if an attacker does not know the encryption key, the attacker does not have access to the plaintext, only to the ciphertext block. Does this mean that the ICV is protected from the bit flipping attack? Explain.
Get 18.4 exercise solution


Solutions for Chapter 17 - Cryptography and Network Security - Stallings - 6th edition

Review Questions
17.1 What are the advantages of each of the three approaches shown in Figure 17.1?
Get 17.1 exercise solution

17.2 What protocols comprise SSL?
Get 17.2 exercise solution

17.3 What is the difference between an SSL connection and an SSL session?
Get 17.3 exercise solution

17.4 List and briefly define the parameters that define an SSL session state.
Get 17.4 exercise solution

17.5 List and briefly define the parameters that define an SSL session connection.
Get 17.5 exercise solution

17.6 What services are provided by the SSL Record Protocol?
Get 17.6 exercise solution

17.7 What steps are involved in the SSL Record Protocol transmission?
Get 17.7 exercise solution

17.8 What is the purpose of HTTPS?
Get 17.8 exercise solution

17.9 For what applications is SSH useful?
Get 17.9 exercise solution

17.10 List and briefly define the SSH protocols.
Get 17.10 exercise solution


Problems

17.1 In SSL and TLS, why is there a separate Change Cipher Spec Protocol rather than including a change_cipher_spec message in the Handshake Protocol?
Get 17.1 exercise solution

17.2 What purpose does the MAC serve during the change cipher spec SSL exchange?
Get 17.2 exercise solution

17.3 Consider the following threats to Web security and describe how each is countered by a particular feature of SSL.
a. Brute-Force Cryptanalytic Attack: An exhaustive search of the key space for a conventional encryption algorithm.
b. Known Plaintext Dictionary Attack: Many messages will contain predictable plaintext, such as the HTTP GET command. An attacker constructs a dictionary containing every possible encryption of the known-plaintext message. When an encrypted message is intercepted, the attacker takes the portion containing the encrypted known plaintext and looks up the ciphertext in the dictionary. The ciphertext should match against an entry that was encrypted with the same secret key. If there are several matches, each of these can be tried against the full ciphertext to determine the right one. This attack is especially effective against small key sizes (e.g., 40-bit keys).
c. Replay Attack: Earlier SSL handshake messages are replayed.
d. Man-in-the-Middle Attack: An attacker interposes during key exchange, acting as the client to the server and as the server to the client.
e. Password Sniffing: Passwords in HTTP or other application traffic are eavesdropped.
f. IP Spoofing: Uses forged IP addresses to fool a host into accepting bogus data.
g. IP Hijacking: An active, authenticated connection between two hosts is disrupted and the attacker takes the place of one of the hosts.
h. SYN Flooding: An attacker sends TCP SYN messages to request a connection but does not respond to the final message to establish the connection fully. The attacked TCP module typically leaves the “half-open connection” around for a few minutes. Repeated SYN messages can clog the TCP module.
Get 17.3 exercise solution

17.4 Based on what you have learned in this chapter, is it possible in SSL for the receiver to reorder SSL record blocks that arrive out of order? If so, explain how it can be done. If not, why not?
Get 17.4 exercise solution

17.5 For SSH packets, what is the advantage, if any, of not including the MAC in the scope of the packet encryption?
Get 17.5 exercise solution


Solutions for Chapter 16 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

16.1 Provide a brief definition of network access control.
Get 16.1 exercise solution

16.2 What is an EAP?
Get 16.2 exercise solution

16.3 List and briefly define four EAP authentication methods.
Get 16.3 exercise solution

16.4 What is EAPOL?
Get 16.4 exercise solution

16.5 What is the function of IEEE 802.1X?
Get 16.5 exercise solution

16.6 Define cloud computing.
Get 16.6 exercise solution

16.7 List and briefly define three cloud service models.
Get 16.7 exercise solution

16.8 What is the cloud computing reference architecture?
Get 16.8 exercise solution

16.9 Describe some of the main cloud-specific security threats.
Get 16.9 exercise solution


Problems

16.2 Figure 16.3 suggests that EAP can be described in the context of a four-layer model. Indicate the functions and formats of each of the four layers. You may need to refer to RFC 3748.
Get 16.2 exercise solution


Solutions for Chapter 15 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

15.1 Give examples of replay attacks.
Get 15.1 exercise solution

15.2 List three general approaches to dealing with replay attacks.
Get 15.2 exercise solution

15.3 What is a suppress-replay attack?
Get 15.3 exercise solution

15.4 What problem was Kerberos designed to address?
Get 15.4 exercise solution

15.5 What are three threats associated with user authentication over a network or Internet?
Get 15.5 exercise solution

15.6 List three approaches to secure user authentication in a distributed environment.
Get 15.6 exercise solution

15.7 What four requirements were defined for Kerberos?
Get 15.7 exercise solution

15.8 What entities constitute a full-service Kerberos environment?
Get 15.8 exercise solution

15.9 In the context of Kerberos, what is a realm?
Get 15.9 exercise solution

15.10 What are the principal differences between version 4 and version 5 of Kerberos?
Get 15.10 exercise solution


Problems

15.1 In Section 15.4, we outlined the public-key scheme proposed in [WOO92a] for the distribution of secret keys. The revised version includes IDA in steps 5 and 6. What attack, specifically, is countered by this revision?
Get 15.1 exercise solution

15.2 The protocol referred to in Problem 15.1 can be reduced from seven steps to five, having the following sequence:
a. A -> B:
b. A -> KDC:
c. KDC -> B:
d. B -> A:
e. A -> B:
Show the message transmitted at each step. Hint: The final message in this protocol is the same as the final message in the original protocol.
Get 15.2 exercise solution

15.3 Reference the suppress-replay attack described in Section 15.2 to answer the following.
a. Give an example of an attack when a party’s clock is ahead of that of the KDC.
b. Give an example of an attack when a party’s clock is ahead of that of another party.
Get 15.3 exercise solution

15.4 There are three typical ways to use nonces as challenges. Suppose Na is a nonce generated by A, A and B share key K, and f() is a function (such as an increment). The three usages are

Describe situations for which each usage is appropriate.
Get 15.4 exercise solution

15.5 Show that a random error in one block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode (See Figure T.2 in Appendix T).
Get 15.5 exercise solution

15.6 Suppose that, in PCBC mode, blocks Ci and Ci+1 are interchanged during transmission. Show that this affects only the decrypted blocks Pi and Pi+1 but not subsequent blocks.
Get 15.6 exercise solution

15.7 In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol. The original version of X.509 contains a security flaw. The essence of the protocol is as follows.

where tA and tB are timestamps, rA and rB are nonces, and the notation X {Y} indicates that the message Y is transmitted, encrypted, and signed by X. The text of X.509 states that checking timestamps tA and tB is optional for three-way authentication. But consider the following example: Suppose A and B have used the preceding protocol on some previous occasion, and that opponent C has intercepted the preceding three messages. In addition, suppose that timestamps are not used and are all set to 0. Finally, suppose C wishes to impersonate A to B.

C initially sends the first captured message to B:
C -> B: A {0, rA, IDB}
B responds, thinking it is talking to A but is actually talking to C:
B -> C: B {0, r'B, IDA, rA}
C meanwhile causes A to initiate authentication with C by some means. As a result, A sends C the following:
A -> C: A {0, r'A, IDC}
C responds to A using the same nonce provided to C by B:
C -> A: C {0, r'B, IDA, r'A}
A responds with
A -> C: A {r'B}
This is exactly what C needs to convince B that it is talking to A, so C now repeats the incoming message back out to B.
C -> B: A {r'B}
So B will believe it is talking to A whereas it is actually talking to C. Suggest a simple solution to this problem that does not involve the use of timestamps.
Get 15.7 exercise solution

15.8 Consider a one-way authentication technique based on asymmetric encryption:
A -> B: IDA
B -> A: R1
A -> B: E(PRa, R1)
a. Explain the protocol.
b. What type of attack is this protocol susceptible to?
Get 15.8 exercise solution

15.9 Consider a one-way authentication technique based on asymmetric encryption:
A -> B: IDA
B -> A: E(PUa, R2)
A -> B: R2
a. Explain the protocol.
b. What type of attack is this protocol susceptible to?
Get 15.9 exercise solution

15.10 In Kerberos, when Bob receives a Ticket from Alice, how does he know it is genuine?
Get 15.10 exercise solution

15.11 In Kerberos, when Bob receives a Ticket from Alice, how does he know it came from Alice?
Get 15.11 exercise solution

15.12 In Kerberos, when Alice receives a reply, how does she know it came from Bob (that it’s not a replay of an earlier message from Bob)?
Get 15.12 exercise solution

15.13 In Kerberos, what does the Ticket contain that allows Alice and Bob to talk securely?
Get 15.13 exercise solution


Solutions for Chapter 14 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

14.1 List ways in which secret keys can be distributed to two communicating parties.
Get 14.1 exercise solution

14.2 What is the difference between a session key and a master key?
Get 14.2 exercise solution

14.3 What is a nonce?
Get 14.3 exercise solution

14.4 What is a key distribution center?
Get 14.4 exercise solution

14.5 What are two different uses of public-key cryptography related to key distribution?
Get 14.5 exercise solution

14.6 List four general categories of schemes for the distribution of public keys.
Get 14.6 exercise solution

14.7 What are the essential ingredients of a public-key directory?
Get 14.7 exercise solution

14.8 What is a public-key certificate?
Get 14.8 exercise solution

14.9 What are the requirements for the use of a public-key certificate scheme?
Get 14.9 exercise solution

14.10 What is the purpose of the X.509 standard?
Get 14.10 exercise solution

14.11 What is a chain of certificates?
Get 14.11 exercise solution

14.12 How is an X.509 certificate revoked?
Get 14.12 exercise solution


Problems

14.1 One local area network vendor provides a key distribution facility, as illustrated in Figure 14.18.
a. Describe the scheme.
b. Compare this scheme to that of Figure 14.3. What are the pros and cons?
Get 14.1 exercise solution

14.2 “We are under great pressure, Holmes.” Detective Lestrade looked nervous. “We have learned that copies of sensitive government documents are stored in computers of one foreign embassy here in London. Normally these documents exist in electronic form only on a selected few government computers that satisfy the most stringent security requirements. However, sometimes they must be sent through the network connecting all government computers. But all messages in this network are encrypted using a top-secret encryption algorithm certified by our best crypto experts. Even the NSA and the KGB are unable to break it. And now these documents have appeared in hands of diplomats of a small, otherwise insignificant, country. And we have no idea how it could happen.”
“But you do have some suspicion who did it, do you?” asked Holmes.
“Yes, we did some routine investigation. There is a man who has legal access to one of the government computers and has frequent contacts with diplomats from the embassy. But the computer he has access to is not one of the trusted ones where these documents are normally stored. He is the suspect, but we have no idea how he could obtain copies of the documents. Even if he could obtain a copy of an encrypted document, he couldn’t decrypt it.”
“Hmm, please describe the communication protocol used on the network.” Holmes opened his eyes, thus proving that he had followed Lestrade’s talk with an attention that contrasted with his sleepy look.
“Well, the protocol is as follows. Each node N of the network has been assigned a unique secret key Kn. This key is used to secure communication between the node and a trusted server. That is, all the keys are stored also on the server. User A, wishing to send a secret message M to user B, initiates the following protocol:
1. A generates a random number R and sends to the server his name A, destination B, and E(Ka, R).
2. Server responds by sending E(Kb, R) to A.
3. A sends E(R, M) together with E(Kb, R) to B.
4. B knows Kb, thus decrypts E(Kb, R), to get R and will subsequently use R to decrypt E(R, M) to get M.
You see that a random key is generated every time a message has to be sent. I admit the man could intercept messages sent between the top-secret trusted nodes, but I see no way he could decrypt them.”
“Well, I think you have your man, Lestrade. The protocol isn’t secure because the server doesn’t authenticate users who send him a request. Apparently designers of the protocol have believed that sending E(Kx, R) implicitly authenticates user X as the sender, as only X (and the server) knows Kx. But you know that E(Kx, R) can be intercepted and later replayed. Once you understand where the hole is, you will be able to obtain enough evidence by monitoring the man’s use of the computer he has access to. Most likely he works as follows. After intercepting E(Ka, R) and E(R, M) (see steps 1 and 3 of the protocol), the man, let’s denote him as Z, will continue by pretending to be A and …
Finish the sentence for Holmes.
Get 14.2 exercise solution

14.3 The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus n: It must be ensured that e > log2(n) to prevent attack by taking the eth root mod n to disclose the plaintext. Although the constraint is correct, the reason given for requiring it is incorrect. What is wrong with the reason given and what is the correct reason?
Get 14.3 exercise solution

14.4 Find at least one intermediate certification authority’s certificate and one trusted root certification authority’s certificate on your computer (e.g. in the browser). Print screenshots of both the general and details tab for each certificate.
Get 14.4 exercise solution

14.5 NIST defines the term cryptoperiod as the time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect. One document on key management uses the following time diagram for a shared secret key.

Explain the overlap by giving an example application in which the originator’s usage period for the shared secret key begins before the recipient’s usage period and also ends before the recipient’s usage period.
Get 14.5 exercise solution

14.6 Consider the following protocol, designed to let A and B decide on a fresh, shared session key K'AB. We assume that they already share a long-term key KAB.
1. A -> B: A, NA
2. B -> A: E(KAB, [NA, K'AB])
3. A -> B: E(K'AB, NA)
a. We first try to understand the protocol designer’s reasoning:
- Why would A and B believe after the protocol ran that they share K'AB with the other party?
- Why would they believe that this shared key is fresh?
In both cases, you should explain the reasons of both A and B, so your answer should complete the sentences:
A believes that she shares K'AB with B since…
B believes that he shares K'AB with A since…
A believes that K'AB is fresh since…
B believes that K'AB is fresh since…
b. Assume now that A starts a run of this protocol with B. However, the connection is intercepted by the adversary C. Show how C can start a new run of the protocol using reflection, causing A to believe that she has agreed on a fresh key with B (in spite of the fact that she has only been communicating with C). Thus, in particular, the belief in (a) is false.
c. Propose a modification of the protocol that prevents this attack.
Get 14.6 exercise solution

14.7 What are the core components of a PKI? Briefly describe each component.
Get 14.7 exercise solution

14.8 Explain the problems with key management and how it affects symmetric cryptography.
Note: The remaining problems deal with a cryptographic product developed by IBM, which is briefly described in a document at this book’s Premium Content Web site (IBMCrypto.pdf). Try these problems after reviewing the document.
Get 14.8 exercise solution

14.9 What is the effect of adding the instruction EMKi?
EMKi: X -> E(KMHi, X), i = 0, 1
Get 14.9 exercise solution

14.10 Suppose N different systems use the IBM Cryptographic Subsystem with host master keys KMH[i] (i = 1, 2, …, N). Devise a method for communicating between systems without requiring the systems to either share a common host master key or to divulge their individual host master keys. Hint: each system needs three variants of its host master key.
Get 14.10 exercise solution

14.11 The principal objective of the IBM Cryptographic Subsystem is to protect transmissions between a terminal and the processing system. Devise a procedure, perhaps adding instructions, which will allow the processor to generate a session key KS and distribute it to Terminal i and Terminal j without having to store a key-equivalent variable in the host.
Get 14.11 exercise solution


Solutions for Chapter 13 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

13.1 List two disputes that can arise in the context of message authentication.
Get 13.1 exercise solution

13.2 What are the properties a digital signature should have?
Get 13.2 exercise solution

13.3 What requirements should a digital signature scheme satisfy?
Get 13.3 exercise solution

13.4 What is the difference between direct and arbitrated digital signature?
Get 13.4 exercise solution

13.5 In what order should the signature function and the confidentiality function be applied to a message, and why?
Get 13.5 exercise solution

13.6 What are some threats associated with a direct digital signature scheme?
Get 13.6 exercise solution


Problems

13.1 Dr. Watson patiently waited until Sherlock Holmes finished. “Some interesting problem to solve, Holmes?” he asked when Holmes finally logged out.
“Oh, not exactly. I merely checked my e-mail and then made a couple of network experiments instead of my usual chemical ones. I have only one client now and I have already solved his problem. If I remember correctly, you once mentioned cryptology among your other hobbies, so it may interest you.”
“Well, I am only an amateur cryptologist, Holmes. But of course I am interested in the problem. What is it about?”
“My client is Mr. Hosgrave, director of a small but progressive bank. The bank is fully computerized and of course uses network communications extensively. The bank already uses RSA to protect its data and to digitally sign documents that are communicated. Now the bank wants to introduce some changes in its procedures; in particular, it needs to digitally sign some documents by two signatories.
1. The first signatory prepares the document, forms its signature, and passes the document to the second signatory.
2. The second signatory as a first step must verify that the document was really signed by the first signatory. She then incorporates her signature into the document’s signature so that the recipient, as well as any member of the public, may verify that the document was indeed signed by both signatories.
In addition, only the second signatory has to be able to verify the document’s signature after the first step; that is, the recipient (or any member of the public) should be able to verify only the complete document with signatures of both signatories, but not the document in its intermediate form where only one signatory has signed it. Moreover, the bank would like to make use of its existing modules that support RSA-style digital signatures.”
“Hm, I understand how RSA can be used to digitally sign documents by one signatory, Holmes. I guess you have solved the problem of Mr. Hosgrave by appropriate generalization of RSA digital signatures.”
“Exactly, Watson,” nodded Sherlock Holmes. “Originally, the RSA digital signature was formed by encrypting the document by the signatory’s private decryption key ‘d’, and the signature could be verified by anyone through its decryption using publicly known encryption key ‘e’. One can verify that the signature S was formed by the person who knows d, which is supposed to be the only signatory. Now the problem of Mr. Hosgrave can be solved in the same way by slight generalization of the process, that is …”
Finish the explanation.
Get 13.1 exercise solution

13.2 DSA specifies that if the signature generation process results in a value of s = 0, a new value of k should be generated and the signature should be recalculated. Why?
Get 13.2 exercise solution

13.3 What happens if a k value used in creating a DSA signature is compromised?
Get 13.3 exercise solution

13.4 The DSA document includes a recommended algorithm for testing a number for primality.
1. [Choose w] Let w be a random odd integer. Then (w - 1) is even and can be expressed in the form 2^a · m with m odd. That is, 2^a is the largest power of 2 that divides (w - 1).
2. [Generate b] Let b be a random integer in the range 1 < b < w.
3. [Exponentiate] Set j = 0 and z = b^m mod w.
4. [Done?] If j = 0 and z = 1, or if z = w - 1, then w passes the test and may be prime; go to step 8.
5. [Terminate?] If j > 0 and z = 1, then w is not prime; terminate algorithm for this w.
6. [Increase j] Set j = j + 1. If j < a, set z = z^2 mod w and go to step 4.
7. [Terminate] w is not prime; terminate algorithm for this w.
8. [Test again?] If enough random values of b have been tested, then accept w as prime and terminate algorithm; otherwise, go to step 2.
a. Explain how the algorithm works. b. Show that it is equivalent to the Miller-Rabin test described in Chapter 8.
Get 13.4 exercise solution
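The eight steps above, implemented one-to-one, next to the Miller-Rabin formulation from Chapter 8 so that the two verdicts can be compared on every small odd w and base b. This is an added illustration, not code from the book or the DSA document; the function names and the choice of 20 rounds are this example's own.

```python
import random


def decompose(w):
    """Step 1: write w - 1 = 2^a * m with m odd and return (a, m)."""
    a, m = 0, w - 1
    while m % 2 == 0:
        a += 1
        m //= 2
    return a, m


def dsa_witness_passes(w, b):
    """Steps 3-7 of the DSA test for a single base b (1 < b < w).
    True  -> w passes for this b and may be prime.
    False -> w is certainly composite."""
    a, m = decompose(w)
    j = 0
    z = pow(b, m, w)                              # step 3
    while True:
        if (j == 0 and z == 1) or z == w - 1:     # step 4: passes for this b
            return True
        if j > 0 and z == 1:                      # step 5: the previous z was a
            return False                          #   non-trivial square root of 1
        j += 1                                    # step 6
        if j < a:
            z = (z * z) % w
            continue
        return False                              # step 7: never reached w - 1


def miller_rabin_passes(w, b):
    """Chapter 8 form: inconclusive if b^m = 1, or b^(2^j m) = -1 for some 0 <= j < a."""
    a, m = decompose(w)
    z = pow(b, m, w)
    if z == 1:
        return True
    for _ in range(a):
        if z == w - 1:
            return True
        z = (z * z) % w
    return False


def dsa_probable_prime(w, rounds=20, rng=random):
    """Steps 2 and 8: repeat with independent random bases. A composite survives
    one round with probability at most 1/4, so 20 rounds bound the error by 2^-40."""
    if w < 4:
        return w in (2, 3)
    if w % 2 == 0:
        return False
    for _ in range(rounds):
        b = rng.randint(2, w - 2)                 # step 2: 1 < b < w
        if not dsa_witness_passes(w, b):
            return False
    return True


def tests_agree(limit=2000, max_bases=40):
    """Part b, checked exhaustively for small odd w: both formulations return
    the same verdict for every base tried."""
    for w in range(5, limit, 2):
        for b in range(2, min(w - 1, max_bases)):
            if dsa_witness_passes(w, b) != miller_rabin_passes(w, b):
                return False
    return True
```

Step 5 is where the DSA wording differs from Chapter 8: it stops as soon as z becomes 1 at j > 0, whereas Miller-Rabin keeps squaring. Since 1 squared stays 1 and can never become w - 1, both end up declaring w composite, which is what `tests_agree` confirms.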

13.5 With DSA, because the value of k is generated for each signature, even if the same message is signed twice on different occasions, the signatures will differ. This is not true of RSA signatures. What is the practical implication of this difference?
Get 13.5 exercise solution

13.6 Consider the problem of creating domain parameters for DSA. Suppose we have already found primes p and q such that q | (p - 1). Now we need to find g ∈ Zp with g of order q mod p. Consider the following two algorithms:

a. Prove that the value returned by Algorithm 1 has order q. b. Prove that the value returned by Algorithm 2 has order q. c. Suppose p = 40193 and q = 157. How many loop iterations do you expect Algorithm 1 to make before it finds a generator? d. If p is 1024 bits and q is 160 bits, would you recommend using Algorithm 1 to find g? Explain. e. Suppose p = 40193 and q = 157. What is the probability that Algorithm 2 computes a generator in its very first loop iteration? (If it is helpful, you may use the fact that

when answering this question.)
Get 13.6 exercise solution

13.7 It is tempting to try to develop a variation on Diffie-Hellman that could be used as a digital signature. Here is one that is simpler than DSA and that does not require a secret random number in addition to the private key. Public elements: q, a prime number; a, with a < q and a a primitive root of q. Private key: X, with X < q. Public key: Y = a^X mod q. To sign a message M, compute h = H(M), which is the hash code of the message. We require that gcd(h, q - 1) = 1. If not, append the hash to the message and calculate a new hash. Continue this process until a hash code is produced that is relatively prime to (q - 1). Then calculate Z to satisfy Z × h ≡ X (mod q - 1). The signature of the message is a^Z. To verify the signature, a user verifies that Y = (a^Z)^h = a^X mod q. a. Show that this scheme works. That is, show that the verification process produces an equality if the signature is valid. b. Show that the scheme is unacceptable by describing a simple technique for forging a user’s signature on an arbitrary message.
Get 13.7 exercise solution

13.8 An early proposal for a digital signature scheme using symmetric encryption is based on the following. To sign an n-bit message, the sender randomly generates in advance 2n 56-bit cryptographic keys: k1, K1, k2, K2, ..., kn, Kn which are kept private. The sender prepares in advance two sets of corresponding non-secret 64-bit validation parameters, which are made public: u1, U1, u2, U2, ..., un, Un and v1, V1, v2, V2, ..., vn, Vn where vi = E(ki, ui), Vi = E(Ki, Ui). The message M is signed as follows. For the ith bit of the message, either ki or Ki is attached to the message, depending on whether the message bit is 0 or 1. For example, if the first three bits of the message are 011, then the first three keys of the signature are k1, K2, K3. a. How does the receiver validate the message? b. Is the technique secure? c. How many times can the same set of secret keys be safely used for different messages? d. What, if any, practical problems does this scheme present?
Get 13.8 exercise solution




Solutions for Chapter 12 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

12.1 What types of attacks are addressed by message authentication?
Get 12.1 exercise solution

12.2 What two levels of functionality comprise a message authentication or digital signature mechanism?
Get 12.2 exercise solution

12.3 What are some approaches to producing message authentication?
Get 12.3 exercise solution

12.4 When a combination of symmetric encryption and an error control code is used for message authentication, in what order must the two functions be performed?
Get 12.4 exercise solution

12.5 What is a message authentication code?
Get 12.5 exercise solution

12.6 What is the difference between a message authentication code and a one-way hash function?
Get 12.6 exercise solution

12.7 In what ways can a hash value be secured so as to provide message authentication?
Get 12.7 exercise solution

12.8 Is it necessary to recover the secret key in order to attack a MAC algorithm?
Get 12.8 exercise solution

12.9 What changes in HMAC are required in order to replace one underlying hash function with another?
Get 12.9 exercise solution


Problems

12.1 If F is an error-detection function, either internal or external use (Figure 12.2) will provide error-detection capability. If any bit of the transmitted message is altered, this will be reflected in a mismatch of the received FCS and the calculated FCS, whether the FCS function is performed inside or outside the encryption function. Some codes also provide an error-correction capability. Depending on the nature of the function, if one or a small number of bits is altered in transit, the error-correction code contains sufficient redundant information to determine the errored bit or bits and correct them. Clearly, an error-correction code will provide error correction capability when used external to the encryption function. Will it also provide this capability if used internal to the encryption function?
Get 12.1 exercise solution

12.2 The data authentication algorithm, described in Section 12.6, can be defined as using the cipher block chaining (CBC) mode of operation of DES with an initialization vector of zero (Figure 12.7). Show that the same result can be produced using the cipher feedback mode.
Get 12.2 exercise solution

12.3 At the beginning of Section 12.6, it was noted that given the CBC MAC of a one-block message X, say T = MAC(K, X), the adversary immediately knows the CBC MAC for the two-block message X || (X ⊕ T) since this is once again T. Justify this statement.
Get 12.3 exercise solution

12.4 In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn’t work. Let us consider this for the case of the message being an integer multiple of the block size. Then, the variant can be expressed as VMAC(K, M) = CBC(K, M) ⊕ K1. Now suppose an adversary is able to ask for the MACs of three messages: the message 0 = 0^n, where n is the cipher block size; the message 1 = 1^n; and the message 1 || 0. As a result of these three queries, the adversary gets T0 = CBC(K, 0) ⊕ K1; T1 = CBC(K, 1) ⊕ K1 and T2 = CBC(K, [CBC(K, 1)]) ⊕ K1. Show that the adversary can compute the correct MAC for the (unqueried) message 0 || (T0 ⊕ T1).
Get 12.4 exercise solution

12.5 In the discussion of subkey generation in CMAC, it states that the block cipher is applied to the block that consists entirely of 0 bits. The first subkey is derived from the resulting string by a left shift of one bit and, conditionally, by XORing a constant that depends on the block size. The second subkey is derived in the same manner from the first subkey. a. What constants are needed for block sizes of 64 and 128 bits? b. Explain how the left shift and XOR accomplishes the desired result.
Get 12.5 exercise solution
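The subkey derivation described in 12.5, written out so the shift-and-XOR step can be run on real values. This is an added example, not code from the book or from SP 800-38B; the 128-bit L below is the intermediate value of the AES-128 example in SP 800-38B (reproduced from memory, so treat it as an assumption; the subkey arithmetic does not depend on where L came from), and the 64-bit L is constructed for this example.

```python
# Rb for each block size b: the bit pattern that x^b reduces to modulo the
# irreducible polynomial chosen by SP 800-38B,
#   b = 64:  x^64  + x^4 + x^3 + x + 1  ->  0x1B
#   b = 128: x^128 + x^7 + x^2 + x + 1  ->  0x87
RB = {64: 0x1B, 128: 0x87}

# Constructed/assumed sample inputs, not test vectors quoted from the page.
L_AES128_EXAMPLE = bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f")  # assumed SP 800-38B value
L_64BIT_CONSTRUCTED = bytes.fromhex("8000000000000000")               # MSB set, forces the XOR


def times_x(value, block_bits):
    """Multiply `value` by x in GF(2^b). A left shift by one bit is exactly
    multiplication by x; if a 1 bit falls off the top, an x^b term appeared and
    is replaced by Rb, which is the reduction modulo the field polynomial."""
    mask = (1 << block_bits) - 1
    carried_out = value >> (block_bits - 1)
    result = (value << 1) & mask
    if carried_out:
        result ^= RB[block_bits]
    return result


def cmac_subkeys(L):
    """Derive (K1, K2) from L = E(K, 0^b). K1 = L * x and K2 = K1 * x = L * x^2.
    The block size is inferred from len(L); only 64- and 128-bit blocks are defined."""
    block_bits = len(L) * 8
    if block_bits not in RB:
        raise ValueError("block size must be 64 or 128 bits")
    k1 = times_x(int.from_bytes(L, "big"), block_bits)
    k2 = times_x(k1, block_bits)
    return k1.to_bytes(len(L), "big"), k2.to_bytes(len(L), "big")


def times_x_by_long_division(value, block_bits):
    """Cross-check for part b: do the multiplication as plain polynomial
    arithmetic and reduce by XORing the full polynomial x^b + Rb whenever the
    degree reaches b. It must agree with times_x for every input."""
    polynomial = (1 << block_bits) | RB[block_bits]
    product = value << 1
    if product >> block_bits:
        product ^= polynomial
    return product
```

Because K1 and K2 are just L·x and L·x² in the field, a left shift is the whole operation; the constant only ever enters when the shifted-out bit was 1, and it is different for 64- and 128-bit blocks because the field polynomial is different.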

12.6 Section 12.6 listed three general approaches to authenticated encryption: A→E, E→A, E + A. a. Which approach is used by CCM? b. Which approach is used by GCM?
Get 12.6 exercise solution

12.7 Show that the GHASH function calculates (X1 • H^m) ⊕ (X2 • H^(m-1)) ⊕ ... ⊕ (Xm-1 • H^2) ⊕ (Xm • H)
Get 12.7 exercise solution
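A numerical companion to 12.7: the iterated definition Yi = (Yi-1 ⊕ Xi) • H and the expanded sum are both computed with the GCM multiplication in GF(2^128) and compared on constructed blocks. Added example, not code from the book; the multiplication routine follows the GCM specification's bit-by-bit algorithm (bit 0 is the leftmost bit, so the field element 1 is the integer 1 << 127), and the sample H and blocks are constructed here.

```python
BLOCK_BITS = 128
R = 0xE1 << 120          # x^128 + x^7 + x^2 + x + 1 in GCM's reflected bit order
ONE = 1 << 127           # multiplicative identity in that representation

# Constructed sample data (not a test vector from any standard).
SAMPLE_H = int.from_bytes(bytes(range(1, 17)), "big")
SAMPLE_BLOCKS = [int.from_bytes(bytes([v] * 16), "big") for v in (0x11, 0x22, 0x33, 0x44)]


def gf128_mul(x, y):
    """Multiplication in GF(2^128) as specified for GCM: scan y bit by bit
    (leftmost first) and accumulate shifted copies of x, reducing by R."""
    z, v = 0, x
    for i in range(BLOCK_BITS):
        if (y >> (BLOCK_BITS - 1 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z


def gf128_pow(h, e):
    """h^e by repeated multiplication (e is small: the block count)."""
    result = ONE
    for _ in range(e):
        result = gf128_mul(result, h)
    return result


def ghash_iterative(h, blocks):
    """The definition: Y0 = 0, Yi = (Yi-1 XOR Xi) . H, result Ym."""
    y = 0
    for x in blocks:
        y = gf128_mul(y ^ x, h)
    return y


def ghash_closed_form(h, blocks):
    """The expanded form from Problem 12.7:
    X1.H^m XOR X2.H^(m-1) XOR ... XOR Xm.H (the exponent of H for Xi is m-i+1)."""
    m = len(blocks)
    acc = 0
    for i, x in enumerate(blocks, start=1):
        acc ^= gf128_mul(x, gf128_pow(h, m - i + 1))
    return acc


def forms_agree(h, blocks):
    """True when the iterated and expanded computations match for every prefix."""
    return all(ghash_iterative(h, blocks[:m]) == ghash_closed_form(h, blocks[:m])
               for m in range(len(blocks) + 1))
```

The two forms are equal because the iteration is Horner's rule: unrolling Ym = (Ym-1 ⊕ Xm) • H one step at a time distributes the multiplication by H over the XORs, and each earlier block picks up one more factor of H per step.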

12.8 Draw a figure similar to Figure 12.11 that shows authenticated decryption.
Get 12.8 exercise solution

12.9 Alice wants to send a single bit of information (a yes or a no) to Bob by means of a word of length 2. Alice and Bob have four possible keys available to perform message authentication. The following matrix shows the 2-bit word sent for each message under each key:

a. The preceding matrix is in a useful form for Alice. Construct a matrix with the same information that would be more useful for Bob. b. What is the probability that someone else can successfully impersonate Alice? c. What is the probability that someone can replace an intercepted message with another message successfully?
Get 12.9 exercise solution

12.10 Draw figures similar to Figures 12.12 and 12.13 for the unwrap algorithm.
Get 12.10 exercise solution

12.11 Consider the following key wrapping algorithm:
1. Initialize variables.
   A = A6A6A6A6A6A6A6A6
   for i = 1 to n
       R(i) = Pi
2. Calculate intermediate values.
   for j = 0 to 5
       for i = 1 to n
           B = E(K, [A || R(i)])
           t = (n × j) + i
           A = t ⊕ MSB64(B)
           R(i) = LSB64(B)
3. Output results.
   C0 = A
   for i = 1 to n
       Ci = R(i)
a. Compare this algorithm, functionally, with the algorithm specified in SP 800-38F and described in Section 12.8. b. Write the corresponding unwrap algorithm.
Get 12.11 exercise solution
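The wrap loop above, run end to end together with its inverse so that the round trip and the integrity check on A can be observed. This is an added example, not the book's or SP 800-38F's code. It assumes a 128-bit block cipher E; since no AES is available in the Python standard library, a small hash-based Feistel permutation stands in for it (labelled as such in the code, and not a cipher to use anywhere else). The key and plaintext blocks are constructed.

```python
import hashlib

IV = bytes.fromhex("A6A6A6A6A6A6A6A6")   # the constant A from step 1
ROUNDS = 4


def toy_block_encrypt(key, block):
    """Stand-in for E(K, .): a 4-round Feistel permutation on 128-bit blocks with
    SHA-256 as the round function. It is invertible, which is all the wrap
    algorithm needs, but it is NOT AES and carries no security claim."""
    assert len(block) == 16
    left, right = block[:8], block[8:]
    for r in range(ROUNDS):
        f = hashlib.sha256(key + bytes([r]) + right).digest()[:8]
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def toy_block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for r in reversed(range(ROUNDS)):
        f = hashlib.sha256(key + bytes([r]) + left).digest()[:8]
        left, right = bytes(a ^ b for a, b in zip(right, f)), left
    return left + right


def xor_counter(a, t):
    """64-bit A XOR the integer t (the 't ⊕ MSB64(B)' step)."""
    return (int.from_bytes(a, "big") ^ t).to_bytes(8, "big")


def wrap(key, plaintext_blocks):
    """Steps 1-3 as written in the problem. Input: n 64-bit blocks P1..Pn.
    Output: n + 1 blocks C0..Cn."""
    n = len(plaintext_blocks)
    A = IV
    R = list(plaintext_blocks)                  # R[i-1] holds R(i)
    for j in range(6):
        for i in range(1, n + 1):
            B = toy_block_encrypt(key, A + R[i - 1])
            t = n * j + i
            A = xor_counter(B[:8], t)           # MSB64(B) XOR t
            R[i - 1] = B[8:]                    # LSB64(B)
    return [A] + R


def unwrap(key, ciphertext_blocks):
    """Inverse: undo the (j, i) steps in reverse order. Each wrap step produced
    A = t XOR MSB64(B) and R(i) = LSB64(B), so MSB64(B) = A XOR t and B can be
    decrypted back to the previous A || R(i). Finally A must equal the IV."""
    n = len(ciphertext_blocks) - 1
    A = ciphertext_blocks[0]
    R = list(ciphertext_blocks[1:])
    for j in reversed(range(6)):
        for i in range(n, 0, -1):
            t = n * j + i
            B = toy_block_decrypt(key, xor_counter(A, t) + R[i - 1])
            A = B[:8]
            R[i - 1] = B[8:]
    if A != IV:
        raise ValueError("integrity check failed: wrong key or modified ciphertext")
    return R


def integrity_ok(key, ciphertext_blocks):
    """True if unwrap accepts the blocks, False if the IV check rejects them."""
    try:
        unwrap(key, ciphertext_blocks)
        return True
    except ValueError:
        return False


# Constructed demo inputs.
DEMO_KEY = b"constructed demo key, not a real one"
DEMO_PLAINTEXT = [bytes.fromhex("0011223344556677"), bytes.fromhex("8899aabbccddeeff")]
```

With a real block cipher in place of the toy one, this is exactly the structure of the SP 800-38F KW wrap: six passes over the register chain, with the pass/position counter t folded into the 64-bit A half, and the recovered A compared against the constant on unwrap to reject a wrong key or a modified ciphertext.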





Solutions for Chapter 11 - Cryptography and Network Security - Stallings - 6th edition

Review Questions

11.1 What characteristics are needed in a secure hash function?
Get 11.1 exercise solution

11.2 What is the difference between weak and strong collision resistance?
Get 11.2 exercise solution

11.3 What is the role of a compression function in a hash function?
Get 11.3 exercise solution

11.4 What is the difference between little-endian and big-endian format?
Get 11.4 exercise solution

11.5 What basic arithmetical and logical functions are used in SHA?
Get 11.5 exercise solution

11.6 Describe the set of criteria used by NIST to evaluate SHA-3 candidates.
Get 11.6 exercise solution

11.7 Define the term sponge construction.
Get 11.7 exercise solution

11.8 Briefly describe the internal structure of the iteration function f.
Get 11.8 exercise solution

11.9 List and briefly describe the step functions that comprise the iteration function f.
Get 11.9 exercise solution


Problems

11.1 The high-speed transport protocol XTP (Xpress Transfer Protocol) uses a 32-bit checksum function defined as the concatenation of two 16-bit functions: XOR and RXOR, defined in Section 11.4 as “two simple hash functions” and illustrated in Figure 11.5. a. Will this checksum detect all errors caused by an odd number of error bits? Explain. b. Will this checksum detect all errors caused by an even number of error bits? If not, characterize the error patterns that will cause the checksum to fail. c. Comment on the effectiveness of this function for use as a hash function for authentication.
Get 11.1 exercise solution

11.2
a. Consider the Davies and Price hash code scheme described in Section 11.4 and assume that DES is used as the encryption algorithm: Hi = Hi-1 ⊕ E(Mi, Hi-1). Recall the complementarity property of DES (Problem 3.14): If Y = E(K, X), then Y′ = E(K′, X′). Use this property to show how a message consisting of blocks M1, M2, ..., MN can be altered without altering its hash code. b. Show that a similar attack will succeed against the scheme proposed in [MEYE88]: Hi = Mi ⊕ E(Hi-1, Mi)
Get 11.2 exercise solution

11.3
a. Consider the following hash function. Messages are in the form of a sequence of numbers in Zn, M = (a1, a2, ..., at). The hash value h is calculated as

 for some predefined value n. Does this hash function satisfy any of the requirements for a hash function listed in Table 11.1? Explain your answer. b. Repeat part (a) for the hash function 
 
 mod n. c. Calculate the hash function of part (b) for M = (189, 632, 900, 722, 349) and n = 989.
Get 11.3 exercise solution

11.4 It is possible to use a hash function to construct a block cipher with a structure similar to DES. Because a hash function is one way and a block cipher must be reversible (to decrypt), how is it possible?
Get 11.4 exercise solution

11.5 Now consider the opposite problem: using an encryption algorithm to construct a one-way hash function. Consider using RSA with a known key. Then process a message consisting of a sequence of blocks as follows: Encrypt the first block, XOR the result with the second block and encrypt again, etc. Show that this scheme is not secure by solving the following problem. Given a two-block message B1, B2, and its hash RSAH(B1, B2) = RSA(RSA(B1) ⊕ B2), and given an arbitrary block C1, choose C2 so that RSAH(C1, C2) = RSAH(B1, B2). Thus, the hash function does not satisfy weak collision resistance.
Get 11.5 exercise solution

11.6 Suppose H(m) is a collision-resistant hash function that maps a message of arbitrary bit length into an n-bit hash value. Is it true that, for all messages x, x′ with x ≠ x′, we have H(x) ≠ H(x′)? Explain your answer.
Get 11.6 exercise solution

11.7 In Figure 11.12, it is assumed that an array of 80 64-bit words is available to store the values of Wt, so that they can be precomputed at the beginning of the processing of a block. Now assume that space is at a premium. As an alternative, consider the use of a 16-word circular buffer that is initially loaded with W0 through W15. Design an algorithm that, for each step t, computes the required input value Wt.
Get 11.7 exercise solution

11.8 For SHA-512, show the equations for the values of W16, W17, W18, and W19.
Get 11.8 exercise solution

11.9 State the value of the padding field in SHA-512 if the length of the message is a. 1919 bits b. 1920 bits c. 1921 bits
Get 11.9 exercise solution

11.10 State the value of the length field in SHA-512 if the length of the message is a. 1919 bits b. 1920 bits c. 1921 bits
Get 11.10 exercise solution

11.11 Suppose a1a2a3a4 are the 4 bytes in a 32-bit word. Each ai can be viewed as an integer in the range 0 to 255, represented in binary. In a big-endian architecture, this word represents the integer a1·2^24 + a2·2^16 + a3·2^8 + a4. In a little-endian architecture, this word represents the integer a4·2^24 + a3·2^16 + a2·2^8 + a1. a. Some hash functions, such as MD5, assume a little-endian architecture. It is important that the message digest be independent of the underlying architecture. Therefore, to perform the modulo 2^32 addition operation of MD5 or RIPEMD-160 on a big-endian architecture, an adjustment must be made. Suppose X = x1 x2 x3 x4 and Y = y1 y2 y3 y4. Show how the MD5 addition operation (X + Y) would be carried out on a big-endian machine. b. SHA assumes a big-endian architecture. Show how the operation (X + Y) for SHA would be carried out on a little-endian machine.
Get 11.11 exercise solution

11.12 This problem introduces a hash function similar in spirit to SHA that operates on letters instead of binary data. It is called the toy tetragraph hash (tth). Given a message consisting of a sequence of letters, tth produces a hash value consisting of four letters. First, tth divides the message into blocks of 16 letters, ignoring spaces, punctuation, and capitalization. If the message length is not divisible by 16, it is padded out with nulls. A four-number running total is maintained that starts out with the value (0, 0, 0, 0); this is input to the compression function for processing the first block. The compression function consists of two rounds.
Round 1 Get the next block of text and arrange it as a row-wise 4 × 4 block of text and convert it to numbers (A = 0, B = 1, etc.). For example, for the block ABCDEFGHIJKLMNOP, we have
 
Then, add each column mod 26 and add the result to the running total, mod 26. In this example, the running total is (24, 2, 6, 10).
Round 2 Using the matrix from round 1, rotate the first row left by 1, second row left by 2,
third row left by 3, and reverse the order of the fourth row.
In our example:

Now, add each column mod 26 and add the result to the running total. The new running total is (5, 7, 9, 11). This running total is now the input into the first round of the compression function for the next block of text. After the final block is processed, convert the final running total to letters. For example, if the message is ABCDEFGHIJKLMNOP, then the hash is FHJL. a. Draw figures comparable to Figures 11.9 and 11.10 to depict the overall tth logic and the compression function logic. b. Calculate the hash function for the 48-letter message “I leave twenty million dollars to my friendly cousin Bill.” c. To demonstrate the weakness of tth, find a 48-letter block that produces the same hash as that just derived. Hint: Use lots of A’s.
Get 11.12 exercise solution
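The tth compression function and the outer loop, implemented so the running totals quoted in the problem ((24, 2, 6, 10) after round 1 and (5, 7, 9, 11) after round 2 for ABCDEFGHIJKLMNOP) can be reproduced and other messages hashed. Added example, not the book's code. One interpretation is assumed: "padded out with nulls" is taken to mean padding with the letter value 0, i.e. A.

```python
def tth_letters(message):
    """Keep letters only, upper-case them, and pad to a multiple of 16 with 'A'
    (value 0; this example's reading of the 'nulls' in the problem statement)."""
    letters = [c.upper() for c in message if c.isalpha()]
    letters += ["A"] * (-len(letters) % 16)
    return "".join(letters)


def tth_compress(total, block):
    """One application of the compression function to a 16-letter block.
    Returns (running total after round 1, running total after round 2)."""
    nums = [ord(c) - ord("A") for c in block]
    rows = [nums[4 * r:4 * r + 4] for r in range(4)]          # row-wise 4 x 4 matrix

    # Round 1: add each column mod 26, then add to the running total mod 26.
    cols = [sum(rows[r][c] for r in range(4)) % 26 for c in range(4)]
    after_round1 = [(t + s) % 26 for t, s in zip(total, cols)]

    # Round 2: rotate row 1 left by 1, row 2 left by 2, row 3 left by 3,
    # reverse row 4, then repeat the column sums and accumulation.
    rows2 = [rows[0][1:] + rows[0][:1],
             rows[1][2:] + rows[1][:2],
             rows[2][3:] + rows[2][:3],
             rows[3][::-1]]
    cols = [sum(rows2[r][c] for r in range(4)) % 26 for c in range(4)]
    after_round2 = [(t + s) % 26 for t, s in zip(after_round1, cols)]
    return after_round1, after_round2


def tth(message):
    """Hash a message: chain the compression function over 16-letter blocks,
    starting from (0, 0, 0, 0), and convert the final total back to letters."""
    total = [0, 0, 0, 0]
    text = tth_letters(message)
    for start in range(0, len(text), 16):
        _, total = tth_compress(total, text[start:start + 16])
    return "".join(chr(ord("A") + v) for v in total)


# The 48-letter message from part b, as given in the problem.
MESSAGE_B = "I leave twenty million dollars to my friendly cousin Bill."
```

Running `tth(MESSAGE_B)` gives the hash for part b. The structural weakness the hint alludes to is visible in the code: every step is a column-wise sum mod 26, so a block that contributes nothing to any column (all A's) leaves the running total unchanged, and more generally any two blocks with the same per-column contributions in both rounds collide.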

11.13 For each of the possible capacity values of SHA-3 (Table 11.5), which lanes in the internal 5 × 5 state matrix start out as lanes of all zeros?
Get 11.13 exercise solution

11.14 Consider the SHA-3 option with a block size of 1024 bits and assume that each of the lanes in the first message block (P0) has at least one nonzero bit. To start, all of the lanes in the internal state matrix that correspond to the capacity portion of the initial state are all zeros. Show how long it will take before all of these lanes have at least one nonzero bit. Note: Ignore the permutation. That is, keep track of the original zero lanes even after they have changed position in the matrix.
Get 11.14 exercise solution

11.15 Consider the state matrix as illustrated in Figure 11.16a. Now rearrange the rows and columns of the matrix so that L[0, 0] is in the center. Specifically, arrange the columns in the left-to-right order (x = 3, x = 4, x = 0, x = 1, x = 2) and arrange the rows in the top-to-bottom order (y = 2, y = 1, y = 0, y = 4, y = 6). This should give you some insight into the permutation algorithm used for the function and for permuting the rotation constants in the function. Using this rearranged matrix, describe the permutation algorithm.
Get 11.15 exercise solution

11.16 The function only affects L[0, 0]. Section 11.6 states that the changes to L[0, 0] diffuse through u and to all lanes of the state after a single round. a. Show that this is so. b. How long before all of the bit positions in the matrix are affected by the changes to L[0, 0]?
Get 11.16 exercise solution




Solutions for Chapter 10 - Cryptography and Network Security - Stallings - 6th edition

Review Questions


10.1 Briefly explain Diffie-Hellman key exchange.
Get 10.1 exercise solution

10.2 What is an elliptic curve?
Get 10.2 exercise solution

10.3 What is the zero point of an elliptic curve?
Get 10.3 exercise solution

10.4 What is the sum of three points on an elliptic curve that lie on a straight line?
Get 10.4 exercise solution


Problems

10.1 Users A and B use the Diffie-Hellman key exchange technique with a common prime q = 71 and a primitive root a = 7. a. If user A has private key XA = 5, what is A’s public key YA? b. If user B has private key XB = 12, what is B’s public key YB? c. What is the shared secret key?
Get 10.1 exercise solution

10.2 Consider a Diffie-Hellman scheme with a common prime q = 11 and a primitive root a = 2. a. Show that 2 is a primitive root of 11. b. If user A has public key YA = 9, what is A’s private key XA? c. If user B has public key YB = 3, what is the secret key K shared with A?
Get 10.2 exercise solution
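The computations behind 10.1 and 10.2 (primitive-root check, public keys, shared secret) as runnable functions, plus the exhaustive discrete-log search that 10.2b implicitly relies on. This is an added example, not the book's code; `dh_exchange` and the other function names are this example's own, and the point of `brute_force_dlog` is to show why q must be far larger than the textbook's 71 or 11.

```python
def prime_factors(n):
    """Distinct prime factors of n by trial division (n is small here)."""
    factors, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            factors.add(d)
            n //= d
        d += 1
    if n > 1:
        factors.add(n)
    return factors


def is_primitive_root(a, q):
    """a is a primitive root of the prime q iff its order is q - 1, which holds
    exactly when a^((q-1)/r) != 1 (mod q) for every prime r dividing q - 1."""
    return all(pow(a, (q - 1) // r, q) != 1 for r in prime_factors(q - 1))


def dh_public(a, q, x):
    """Y = a^x mod q."""
    return pow(a, x, q)


def dh_shared(peer_public, x, q):
    """K = Y_peer^x mod q; both parties arrive at a^(xA * xB) mod q."""
    return pow(peer_public, x, q)


def dh_exchange(a, q, xA, xB):
    """Run the whole exchange and return (YA, YB, K). Both derivations of K
    must agree, which is the correctness property of the protocol."""
    if not is_primitive_root(a, q):
        raise ValueError("a is not a primitive root of q")
    YA, YB = dh_public(a, q, xA), dh_public(a, q, xB)
    kA, kB = dh_shared(YB, xA, q), dh_shared(YA, xB, q)
    assert kA == kB
    return YA, YB, kA


def brute_force_dlog(a, q, y):
    """Recover x from y = a^x mod q by trying every exponent. Feasible only
    because q is tiny; Diffie-Hellman's security rests on this (and far better
    algorithms) being infeasible at real parameter sizes."""
    for x in range(1, q):
        if pow(a, x, q) == y:
            return x
    return None
```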

10.3 In the Diffie-Hellman protocol, each participant selects a secret number x and sends the other participant a^x mod q for some public number a. What would happen if the participants sent each other x^a for some public number a instead? Give at least one method Alice and Bob could use to agree on a key. Can Eve break your system without finding the secret numbers? Can Eve find the secret numbers?
Get 10.3 exercise solution

10.4 This problem illustrates the point that the Diffie-Hellman protocol is not secure without the step where you take the modulus; i.e. the “Indiscrete Log Problem” is not a hard problem! You are Eve and have captured Alice and Bob and imprisoned them. You overhear the following dialog. Bob: Oh, let’s not bother with the prime in the Diffie-Hellman protocol, it will make things easier. Alice: Okay, but we still need a base a to raise things to. How about a = 3? Bob: All right, then my result is 27. Alice: And mine is 243. What is Bob’s private key XB and Alice’s private key XA? What is their secret combined key? (Don’t forget to show your work.)
Get 10.4 exercise solution

10.5 Section 10.1 describes a man-in-the-middle attack on the Diffie-Hellman key exchange protocol in which the adversary generates two public–private key pairs for the attack. Could the same attack be accomplished with one pair? Explain.
Get 10.5 exercise solution

10.6 Consider an Elgamal scheme with a common prime q = 71 and a primitive root a = 7. a. If B has public key YB = 3 and A chooses the random integer k = 2, what is the ciphertext of M = 30? b. If A now chooses a different value of k so that the encoding of M = 30 is C = (59, C2), what is the integer C2?
Get 10.6 exercise solution

10.7 Rule (5) for doing arithmetic in elliptic curves over real numbers states that to double a point Q, draw the tangent line and find the other point of intersection S. Then Q + Q = 2Q = -S. If the tangent line is not vertical, there will be exactly one point of intersection. However, suppose the tangent line is vertical. In that case, what is the value 2Q? What is the value 3Q?
Get 10.7 exercise solution

10.8 Demonstrate that the two elliptic curves of Figure 10.4 each satisfy the conditions for a group over the real numbers.
Get 10.8 exercise solution

10.9 Is (4, 7) a point on the elliptic curve y^2 = x^3 - 5x + 5 over real numbers?
Get 10.9 exercise solution

10.10 On the elliptic curve over the real numbers y^2 = x^3 - 36x, let P = (-3.5, 9.5) and Q = (-2.5, 8.5). Find P + Q and 2P.
Get 10.10 exercise solution

10.11 Does the elliptic curve equation y^2 = x^3 + 10x + 5 define a group over Z17?
Get 10.11 exercise solution

10.12 Consider the elliptic curve E11(1, 6); that is, the curve is defined by y^2 = x^3 + x + 6 with a modulus of p = 11. Determine all of the points in E11(1, 6). Hint: Start by calculating the right-hand side of the equation for all values of x.
Get 10.12 exercise solution

10.13 What are the negatives of the following elliptic curve points over Z17? P = (5, 8); Q = (3, 0); R = (0, 6).
Get 10.13 exercise solution

10.14 For E11(1, 6), consider the point G = (2, 7). Compute the multiples of G from 2G through 13G.
Get 10.14 exercise solution

10.15 This problem performs elliptic curve encryption/decryption using the scheme outlined in Section 10.4. The cryptosystem parameters are E11(1, 6) and G = (2, 7). B’s private key is nB = 7. a. Find B’s public key PB. b. A wishes to encrypt the message Pm = (10, 9) and chooses the random value k = 3. Determine the ciphertext Cm. c. Show the calculation by which B recovers Pm from Cm.
Get 10.15 exercise solution
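Elliptic-curve arithmetic over Z_p covering the chain of problems 10.11 through 10.15: the non-singularity test that decides whether an equation defines a group, point enumeration, addition and doubling with modular inverses, double-and-add scalar multiplication, and the Section 10.4 encryption/decryption on top of it. This is an added example rather than the book's code; the class and function names are this example's own, and the small parameters are the ones the problems state (E11(1, 6), G = (2, 7)).

```python
def is_nonsingular(a, b, p):
    """y^2 = x^3 + ax + b defines a group over Z_p only if 4a^3 + 27b^2 != 0 (mod p)."""
    return (4 * a ** 3 + 27 * b ** 2) % p != 0


class Curve:
    """Points are (x, y) tuples; None stands for the point at infinity O."""

    def __init__(self, a, b, p):
        if not is_nonsingular(a, b, p):
            raise ValueError("singular curve: the equation does not define a group")
        self.a, self.b, self.p = a, b, p

    def on_curve(self, P):
        if P is None:
            return True
        x, y = P
        return (y * y - (x ** 3 + self.a * x + self.b)) % self.p == 0

    def points(self):
        """All affine points: for each x compute the right-hand side and collect
        every y whose square matches it (the hint in 10.12)."""
        pts = []
        for x in range(self.p):
            rhs = (x ** 3 + self.a * x + self.b) % self.p
            pts += [(x, y) for y in range(self.p) if (y * y) % self.p == rhs]
        return pts

    def neg(self, P):
        return None if P is None else (P[0], (-P[1]) % self.p)

    def add(self, P, Q):
        if P is None:
            return Q
        if Q is None:
            return P
        (x1, y1), (x2, y2) = P, Q
        if x1 == x2 and (y1 + y2) % self.p == 0:
            return None                       # P + (-P) = O; also covers doubling a point with y = 0
        if P == Q:
            lam = (3 * x1 * x1 + self.a) * pow(2 * y1, -1, self.p)
        else:
            lam = (y2 - y1) * pow(x2 - x1, -1, self.p)
        lam %= self.p
        x3 = (lam * lam - x1 - x2) % self.p
        y3 = (lam * (x1 - x3) - y1) % self.p
        return (x3, y3)

    def mul(self, k, P):
        """kP by double-and-add (repeated addition would also do at this size)."""
        R, Q = None, P
        while k > 0:
            if k & 1:
                R = self.add(R, Q)
            Q = self.add(Q, Q)
            k >>= 1
        return R

    def multiples(self, G, upto):
        """{k: kG} for k = 1..upto, the table asked for in 10.14."""
        return {k: self.mul(k, G) for k in range(1, upto + 1)}


def ec_elgamal_encrypt(curve, G, PB, Pm, k):
    """Cm = {kG, Pm + k*PB}, the scheme of Section 10.4."""
    return (curve.mul(k, G), curve.add(Pm, curve.mul(k, PB)))


def ec_elgamal_decrypt(curve, nB, Cm):
    """Pm = C2 - nB*C1: the receiver strips off nB*(kG) = k*PB."""
    C1, C2 = Cm
    return curve.add(C2, curve.neg(curve.mul(nB, C1)))
```

The `Curve` constructor raising on the singular case is the runnable form of 10.11, and `points()` plus `multiples()` produce the tables asked for in 10.12 and 10.14; for 10.15 the same objects drive `ec_elgamal_encrypt` and `ec_elgamal_decrypt`.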

10.16 The following is a first attempt at an elliptic curve signature scheme. We have a global elliptic curve, prime p, and “generator” G. Alice picks a private signing key XA and forms the public verifying key YA = XAG. To sign a message M: • Alice picks a value k. • Alice sends Bob M, k and the signature S = M - kXAG. • Bob verifies that M = S + kYA. a. Show that this scheme works. That is, show that the verification process produces an equality if the signature is valid. b. Show that the scheme is unacceptable by describing a simple technique for forging a user’s signature on an arbitrary message.
Get 10.16 exercise solution

10.17 Here is an improved version of the scheme given in the previous problem. As before, we have a global elliptic curve, prime p, and “generator” G. Alice picks a private signing key XA and forms the public verifying key YA = XAG. To sign a message M: • Bob picks a value k. • Bob sends Alice C1 = kG. • Alice sends Bob M and the signature S = M - XAC1. • Bob verifies that M = S + kYA. a. Show that this scheme works. That is, show that the verification process produces an equality if the signature is valid. b. Show that forging a message in this scheme is as hard as breaking (Elgamal) elliptic curve cryptography. (Or find an easier way to forge a message?) c. This scheme has an extra “pass” compared to other cryptosystems and signature schemes we have looked at. What are some drawbacks to this? 
Get 10.17 exercise solution