12.1 What types of attacks are addressed by message authentication?
Get 12.1 exercise solution
12.2 What two levels of functionality comprise a message authentication or digital signature mechanism?
Get 12.2 exercise solution
12.3 What are some approaches to producing message authentication?
Get 12.3 exercise solution
12.4 When a combination of symmetric encryption and an error control code is used for message authentication, in what order must the two functions be performed?
Get 12.4 exercise solution
12.5 What is a message authentication code?
Get 12.5 exercise solution
12.6 What is the difference between a message authentication code and a one-way hash function?
Get 12.6 exercise solution
12.7 In what ways can a hash value be secured so as to provide message authentication?
Get 12.7 exercise solution
12.8 Is it necessary to recover the secret key in order to attack a MAC algorithm?
Get 12.8 exercise solution
12.9 What changes in HMAC are required in order to replace one underlying hash function with another?
Get 12.9 exercise solution
Problems
12.1 If F is an error-detection function, either internal or external use (Figure 12.2) will provide error-detection capability. If any bit of the transmitted message is altered, this will be reflected in a mismatch of the received FCS and the calculated FCS, whether the FCS function is performed inside or outside the encryption function. Some codes also provide an error-correction capability. Depending on the nature of the function, if one or a small number of bits is altered in transit, the error-correction code contains sufficient redundant information to determine the errored bit or bits and correct them. Clearly, an error-correction code will provide error correction capability when used external to the encryption function. Will it also provide this capability if used internal to the encryption function?
Get 12.1 exercise solution
12.2 The data authentication algorithm, described in Section 12.6, can be defined as using the cipher block chaining (CBC) mode of operation of DES with an initialization vector of zero (Figure 12.7). Show that the same result can be produced using the cipher feedback mode.
Get 12.2 exercise solution
12.3 At the beginning of Section 12.6, it was noted that given the CBC MAC of a oneblock message X, say T = MAC(K, X), the adversary immediately knows the CBC MAC for the two-block message X || (X + T) since this is once again T. Justify this statement.
Get 12.3 exercise solution
12.4 In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn’t work. Let us consider this for the case of the message being an integer multiple of the block size. Then, the variant can be expressed as VMAC(K, M) = CBC(K, M) + K1. Now suppose an adversary is able to ask for the MACs of three messages: the message 0 = 0n, where n is the cipher block size; the message 1 = 1n; and the message 1 } 0. As a result of these three queries, the adversary gets T0 = CBC(K, 0) + K1; T1 = CBC(K, 1) + K1 and T2 = CBC(K, [CBC(K, 1)]) + K1. Show that the adversary can compute the correct MAC for the (unqueried) message 0 } (T0+ T1).
Get 12.4 exercise solution
12.5 In the discussion of subkey generation in CMAC, it states that the block cipher is applied to the block that consists entirely of 0 bits. The first subkey is derived from the resulting string by a left shift of one bit and, conditionally, by XORing a constant that depends on the block size. The second subkey is derived in the same manner from the first subkey. a. What constants are needed for block sizes of 64 and 128 bits? b. Explain how the left shift and XOR accomplishes the desired result.
Get 12.5 exercise solution
12.6 Section 12.6 listed three general approaches to authenticated encryption: A S E, E S A, E + A. a. Which approach is used by CCM? b. Which approach is used by GCM?
Get 12.6 exercise solution
12.7 Show that the GHASH function calculates (X1 # Hm) + (X2 # Hm-1) + c+ (Xm-1 # H2) + (Xm # H)
Get 12.7 exercise solution
12.8 Draw a figure similar to Figure 12.11 that shows authenticated decryption.
Get 12.8 exercise solution
12.9 Alice want to send a single bit of information (a yes or a no) to Bob by means of a word of length 2. Alice and Bob have four possible keys available to perform message authentication. The following matrix shows the 2-bit word sent for each message under each key:
a. The preceding matrix is in a useful form for Alice. Construct a matrix with the same information that would be more useful for Bob. b. What is the probability that someone else can successfully impersonate Alice? c. What is the probability that someone can replace an intercepted message with another message successfully?
Get 12.9 exercise solution
12.10 Draw figures similar to Figures 12.12 and 12.13 for the unwrap algorithm.
Get 12.10 exercise solution
12.11 Consider the following key wrapping algorithm: 1. Initialize variables. A = A6A6A6A6A6A6A6A6 for i = 1 to n R(i) = Pi 2. Calculate intermediate values. for j = 0 to 5 for i = 1 to n B = E(K, [A || R(i)]) t = (n × j)+i A = t + MSB64(B) R(i) = LSB64(B) 3. Output results. C0 = A for i = 1 to n Ci = R(i) a. Compare this algorithm, functionally, with the algorithm specified in SP 800-38F and described in Section 12.8. b. Write the corresponding unwrap algorithm.
Get 12.11 exercise solution
