6.1 What is triple encryption?
Get 6.1 exercise solution
6.2 What is a meet-in-the-middle attack?
Get 6.2 exercise solution
6.3 How many keys are used in triple encryption?
Get 6.3 exercise solution
6.4 Why is the middle portion of 3DES a decryption rather than an encryption?
Get 6.4 exercise solution
6.5 Why do some block cipher modes of operation only use encryption while others use both encryption and decryption?
Get 6.5 exercise solution
Problems
6.1 You want to build a hardware device to do block encryption in the cipher block chaining (CBC) mode using an algorithm stronger than DES. 3DES is a good candidat
e. Figure 6.12 shows two possibilities, both of which follow from the definition of CBC. Which of the two would you choose:
a. For security?
b. For performance?
Get 6.1 exercise solution
6.2 Can you suggest a security improvement to either option in Figure 6.12, using only three DES chips and some number of XOR functions? Assume you are still limited to two keys.
Get 6.2 exercise solution
6.3 The Merkle-Hellman attack on 3DES begins by assuming a value of A = 0 (Figure 6.1b). Then, for each of the 256 possible values of K1, the plaintext P that produces A = 0 is determine
d. Describe the rest of the algorithm.
Get 6.3 exercise solution
6.4 With the ECB mode, if there is an error in a block of the transmitted ciphertext, only the corresponding plaintext block is affecte
d. However, in the CBC mode, this error propagates. For example, an error in the transmitted C1 (Figure 6.4) obviously corrupts P1 and P2.
a. Are any blocks beyond P2 affected?
b. Suppose that there is a bit error in the source version of P1. Through how many ciphertext blocks is this error propagated? What is the effect at the receiver?
Get 6.4 exercise solution
6.5 Is it possible to perform encryption operations in parallel on multiple blocks of plaintext in CBC mode? How about decryption?
Get 6.5 exercise solution
6.6 CBC-Pad is a block cipher mode of operation used in the RC5 block cipher, but it could be used in any block cipher. CBC-Pad handles plaintext of any length. The ciphertext is longer then the plaintext by at most the size of a single block. Padding is used to assure that the plaintext input is a multiple of the block length. It is assumed that the original plaintext is an integer number of bytes. This plaintext is padded at the end by from 1 to bb bytes, where bb equals the block size in bytes. The pad bytes are all the same and set to a byte that represents the number of bytes of padding. For example, if there are 8 bytes of padding, each byte has the bit pattern 00001000. Why not allow zero bytes of padding? That is, if the original plaintext is an integer multiple of the block size, why not refrain from padding?
Get 6.6 exercise solution
6.7 For the ECB, CBC, and CFB modes, the plaintext must be a sequence of one or more complete data blocks (or, for CFB mode, data segments). In other words, for these three modes, the total number of bits in the plaintext must be a positive multiple of the block (or segment) size. One common method of padding, if needed, consists of a 1 bit followed by as few zero bits, possibly none, as are necessary to complete the final block. It is considered good practice for the sender to pad every message, including messages in which the final message block is already complet
e. What is the motivation for including a padding block when padding is not needed?
Get 6.7 exercise solution
6.8 If a bit error occurs in the transmission of a ciphertext character in 8-bit CFB mode, how far does the error propagate?
Get 6.8 exercise solution
6.9 In discussing OFB, it was mentioned that if it was known that two different messages had an identical block of plaintext in the identical position, it is possible to recover the corresponding Oi block. Show the calculation.
Get 6.9 exercise solution
6.10 In discussing the CTR mode, it was mentioned that if any plaintext block that is encrypted using a given counter value is known, then the output of the encryption function can be determined easily from the associated ciphertext block. Show the calculation.
Get 6.10 exercise solution
6.11 Padding may not always be appropriat
e. For example, one might wish to store the encrypted data in the same memory buffer that originally contained the plaintext. In that case, the ciphertext must be the same length as the original plaintext. We saw the use of ciphertext stealing in the case of XTS-AES to deal with partial blocks. Figure 6.13a shows the use of ciphertext stealing to modify CBC mode, called CBC-CTS.
a. Explain how it works.
b. Describe how to decrypt Cn-1 and Cn.
Get 6.11 exercise solution
6.12 Figure 6.13b shows an alternative to CBC-CTS for producing ciphertext of equal length to the plaintext when the plaintext is not an integer multiple of the block size.
a. Explain the algorithm.
b. Explain why CBC-CTS is preferable to this approach illustrated in Figure 6.13b.
Get 6.12 exercise solution
6.13 Draw a figure similar to those of Figure 6.8 for XTS-AES mode.
Get 6.13 exercise solution
