
ECE454/CS594

Computer and Network Security




Dr. Jinyuan (Stella) Sun
Dept. of Electrical Engineering and Computer
Science
University of Tennessee
Fall 2011
Exercise 1: Chapters 1-5
Review Questions
1. What are the essential ingredients of a symmetric cipher?
Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.
2. What are the two basic functions used in encryption
algorithms?
Permutation and substitution.
3. How many keys are required for two people to
communicate via a cipher?
One key for symmetric ciphers, two keys for asymmetric ciphers.
4. What is the difference between a block cipher and a stream
cipher?
A stream cipher is one that encrypts a digital data stream one bit or one
byte at a time. A block cipher is one in which a block of plaintext is treated
as a whole and used to produce a ciphertext block of equal length.
5. What are the two general approaches to attacking a cipher?
Cryptanalysis and brute force.
6. What is the difference between an unconditionally secure
cipher and a computationally secure cipher?
An encryption scheme is unconditionally secure if the ciphertext
generated by the scheme does not contain enough information to determine
uniquely the corresponding plaintext, no matter how much ciphertext is
available. An encryption scheme is said to be computationally secure if: (1)
the cost of breaking the cipher exceeds the value of the encrypted
information, and (2) the time required to break the cipher exceeds the useful
lifetime of the information.
7. What are two problems with the one-time pad?
1) There is the practical problem of making large quantities of random
keys. Any heavily used system might require millions of random characters on
a regular basis. Supplying truly random characters in this volume is a
significant task.
2) Even more daunting is the problem of key distribution and protection. For
every message to be sent, a key of equal length is needed by both sender
and receiver. Thus, a mammoth key distribution problem exists.
8. List ways in which secret keys can be distributed to two
communicating parties.
1) A can select a key and physically deliver it to B.
2) A third party can select the key and physically deliver it to A and B.
3) If A and B have previously and recently used a key, one party can
transmit the new key to the other, encrypted using the old key.
4) If A and B each has an encrypted connection to a third party C, C can
deliver a key on the encrypted links to A and B.
9. What types of attacks are addressed by message
authentication?
Masquerade: Insertion of messages into the network from a fraudulent
source. This includes the creation of messages by an opponent that are
purported to come from an authorized entity. Also included are fraudulent
acknowledgments of message receipt or nonreceipt by someone other than
the message recipient.
Content modification: Changes to the contents of a message, including
insertion, deletion, transposition, and modification.
Sequence modification: Any modification to a sequence of messages
between parties, including insertion, deletion, and reordering.
Timing modification: Delay or replay of messages. In a connection-oriented
application, an entire session or sequence of messages could be a replay of
some previous valid session, or individual messages in the sequence could
be delayed or replayed. In a connectionless application, an individual
message (e.g., datagram) could be delayed or replayed.

10. What two levels of functionality comprise a message
authentication or digital signature mechanism?
At the lower level, there must be some sort of function that produces an
authenticator: a value to be used to authenticate a message. This lower-level
function is then used as a primitive in a higher-level authentication protocol that
enables a receiver to verify the authenticity of a message.
11. What are some approaches to producing message
authentication?
Message encryption, message authentication code, digital signature.
12. When a combination of symmetric encryption and an error
control code (e.g., CRC) is used for message authentication,
in what order must the two functions be performed?
Error control code, then encryption.
13. What is the difference between a message authentication
code and a one-way hash function?
A hash function, by itself, does not provide message authentication. A
secret key must be used in some fashion with the hash function to produce
authentication. A MAC, by definition, uses a secret key to calculate a code
used for authentication.
14. Is it necessary to recover the secret key in order to attack a
MAC algorithm?
No. See problem with h(key|m).
15. What characteristics are needed in a secure hash function?
1) H can be applied to a block of data of any size.
2) H produces a fixed-length output.
3) H(x) is relatively easy to compute for any given x, making both hardware and
software implementations practical.
4) For any given value h, it is computationally infeasible to find x such that H(x)
= h. This is sometimes referred to in the literature as the one-way property.
5) For any given block x, it is computationally infeasible to find y ≠ x with H(y) =
H(x).
6) It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
16. What is the role of a compression function in a hash function?
A typical hash function uses a compression function as a basic building block,
and involves repeated application of the compression function.

17. Why has there been an interest in developing a message
authentication code derived from a cryptographic hash function as
opposed to one derived from a symmetric cipher?
1) Cryptographic hash functions such as MD5 and SHA generally execute
faster in software than symmetric block ciphers such as DES. 2) Library code for
cryptographic hash functions is widely available.
18. What changes in HMAC are required in order to replace one
underlying hash function with another?
To replace a given hash function in an HMAC implementation, all that is
required is to remove the existing hash function module and drop in the new
module.

Problems
1. One way to solve the key distribution problem is to use a line
from a book that both the sender and the receiver possess.
Typically, at least in spy novels, the first sentence of a book
serves as the key. The particular scheme discussed in this
problem is from one of the best suspense novels involving
secret codes, Talking to Strange Men, by Ruth Rendell. Work
this problem without consulting that book! Consider the
following message:
SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
This ciphertext was produced using the first sentence of The
Other Side of Silence (a book about the spy Kim Philby):
The snow lay thick on the steps and the snowflakes driven
by the wind looked black in the headlights of the cars.
A simple substitution cipher was used.
a. What is the encryption algorithm?
b. How secure is it?
c. To make the key distribution problem simple, both parties can
agree to use the first or last sentence of a book as the key. To
change the key, they simply need to agree on a new book. The
use of the first sentence would be preferable to the use of the
last. Why?
a. The first letter t corresponds to A, the second letter h
corresponds to B, e is C, s is D, and so on. Second and
subsequent occurrences of a letter in the key sentence are
ignored. The result:

ciphertext: SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
plaintext: basilisk to leviathan blake is contact

b. It is a monoalphabetic cipher and so easily breakable.
c. The last sentence may not contain all the letters of the
alphabet. If the first sentence is used, the second and
subsequent sentences may also be used until all 26 letters are
encountered.
2. In one of Dorothy Sayers's mysteries, Lord Peter is confronted
with the message shown below. He also discovers the key to the
message, which is a sequence of integers:
787656543432112343456567878878765654
3432112343456567878878765654433211234
a. Decrypt the message. Hint: What is the largest integer value?
b. If the algorithm is known but not the key, how secure is the
scheme?
c. If the key is known but not the algorithm, how secure is the
scheme?
a. Lay the message out in a matrix 8 letters across. Each
integer in the key tells you which letter to choose in the
corresponding row. Result:
He sitteth between the cherubims. The isles may be glad
thereof. As the rivers in the south.

b. Quite secure. In each row there is one of eight possibilities.
So if the ciphertext is 8n letters in length, then the number of
possible plaintexts is $8^n$.
c. Not very secure. Lord Peter figured it out. (from The Nine
Tailors)
3. For any block cipher, the fact that it is a nonlinear function is
crucial to its security. To see this, suppose that we have a linear
block cipher EL that encrypts 128-bit blocks of plaintext into
128-bit blocks of ciphertext. Let EL(k, m) denote the encryption
of a 128-bit message m under a key k (the actual bit length of k
is irrelevant). Thus
EL(k, [m1 XOR m2]) = EL(k, m1) XOR EL(k, m2) for all 128-
bit patterns m1, m2
Describe how, with 128 chosen ciphertexts, an adversary can
decrypt any ciphertext without knowledge of the secret key k. (A
"chosen ciphertext" means that an adversary has the ability to
choose a ciphertext and then obtain its decryption. Here, you
have 128 plaintext/ciphertext pairs to work with and you have
the ability to choose the value of the ciphertexts.)
For $1 \le i \le 128$, take $c_i \in \{0, 1\}^{128}$ to be the string
containing a 1 in position $i$ and then zeros elsewhere. Obtain the
decryption of these 128 ciphertexts. Let $m_1, m_2, \ldots, m_{128}$ be the
corresponding plaintexts. Now, given any ciphertext $c$ which
does not consist of all zeros, there is a unique nonempty subset
of the $c_i$'s which we can XOR together to obtain $c$. Let
$I(c) \subseteq \{1, 2, \ldots, 128\}$ denote this subset. Observe

$$c = \bigoplus_{i \in I(c)} c_i = \bigoplus_{i \in I(c)} E(m_i) = E\Big(\bigoplus_{i \in I(c)} m_i\Big)$$

Thus, we obtain the plaintext of $c$ by computing $\bigoplus_{i \in I(c)} m_i$.
Let $0$ be the all-zero string. Note that $0 = 0 \oplus 0$. From this we obtain
$E(0) = E(0 \oplus 0) = E(0) \oplus E(0) = 0$. Thus, the plaintext of $c = 0$ is
$m = 0$. Hence we can decrypt every $c \in \{0, 1\}^{128}$.
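The argument above carried out on a toy cipher, as an added example that is not part of the original solution. The cipher E/D below is a hypothetical stand-in for EL built only from rotations and shift-XORs (both linear over XOR), and bit positions are numbered 0 to 127 rather than 1 to 128.

```python
BITS = 128
MASK = (1 << BITS) - 1

def rotl(x, r):
    return ((x << r) | (x >> (BITS - r))) & MASK

def rounds(key):
    """(rotation, shift) per round, taken from the key bytes (hypothetical schedule)."""
    return [(1 + key[i] % 127, 1 + key[i + 1] % 127) for i in range(0, len(key) - 1, 2)]

def E(key, m):
    """Toy EL: a rotation and x ^= x << s are both linear over XOR."""
    for r, s in rounds(key):
        m = rotl(m, r)
        m ^= (m << s) & MASK
    return m

def D(key, c):
    for r, s in reversed(rounds(key)):
        t = s
        while t < BITS:             # undo x ^= x << s by repeated doubling of the shift
            c ^= (c << t) & MASK
            t *= 2
        c = rotl(c, BITS - r)       # undo the rotation
    return c

def learn_basis(decrypt_oracle):
    """The 128 chosen ciphertexts: c_i has a single 1 bit, in position i."""
    return [decrypt_oracle(1 << i) for i in range(BITS)]

def decrypt_without_key(c, basis):
    """XOR the m_i for every i in I(c), the positions of the 1 bits of c."""
    m = 0
    for i in range(BITS):
        if (c >> i) & 1:
            m ^= basis[i]
    return m                        # c = 0 gives m = 0, as in the solution

def demo(key=bytes(range(16))):
    basis = learn_basis(lambda c: D(key, c))      # oracle access only, key never used again
    secret = int.from_bytes(b"constructed-msg!", "big")   # constructed 128-bit plaintext
    return decrypt_without_key(E(key, secret), basis) == secret

if __name__ == "__main__":
    print(demo())
```

This is why real block ciphers include a nonlinear component such as the DES S-boxes.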

4. With the ECB mode of DES, if there is an error in a block of the
transmitted ciphertext, only the corresponding plaintext block is
affected. However, in the CBC mode, this error propagates. For
example, an error in the transmitted C1 obviously corrupts P1
and P2.
a. Are any blocks beyond P2 affected?
b. Suppose that there is a bit error in the source version of P1.
Through how many ciphertext blocks is this error propagated?
What is the effect at the receiver?
a. No. For example, suppose C1 is corrupted. The output block
P3 depends only on the input blocks C2 and C3.
b. An error in P1 affects C1. But since C1 is input to the
calculation of C2, C2 is affected. This effect carries through
indefinitely, so that all ciphertext blocks are affected. However, at
the receiving end, the decryption algorithm restores the correct
plaintext for blocks except the one in error. You can show this by
writing out the equations for the decryption. Therefore, the error
only affects the corresponding decrypted plaintext block.
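Both cases of this answer checked in code, as an added example that is not part of the original solution. A toy 4-round Feistel network built on SHA-256 stands in for DES (an assumption, chosen so the block runs with the standard library only); the key, IV and message are constructed.

```python
import hashlib

BLOCK = 8  # bytes per block, as in DES
KEY, IV = b"constructed key", bytes(BLOCK)
PT = b"BLOCK-01BLOCK-02BLOCK-03BLOCK-04"   # constructed 4-block message

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, b):   # toy Feistel network standing in for DES encryption
    left, right = b[:4], b[4:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, rnd, right))
    return left + right

def dec_block(key, b):
    left, right = b[:4], b[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, rnd, left)), left
    return left + right

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def cbc_encrypt(key, iv, pt):
    out = [iv]
    for p in blocks(pt):
        out.append(enc_block(key, xor(p, out[-1])))   # C_i = E(P_i XOR C_{i-1})
    return b"".join(out[1:])

def cbc_decrypt(key, iv, ct):
    prev = [iv] + blocks(ct)                          # P_i = D(C_i) XOR C_{i-1}
    return b"".join(xor(dec_block(key, c), p) for c, p in zip(blocks(ct), prev))

def flip_bit(data, i):
    return data[:i] + bytes([data[i] ^ 1]) + data[i + 1:]

def changed(a, b):   # 1-based numbers of the blocks that differ
    return [n + 1 for n, (x, y) in enumerate(zip(blocks(a), blocks(b))) if x != y]

def transmission_error():   # part (a): bit error in C1 on the wire
    ct = cbc_encrypt(KEY, IV, PT)
    return changed(PT, cbc_decrypt(KEY, IV, flip_bit(ct, 0)))

def source_error():   # part (b): bit error in P1 before encryption
    good, bad = cbc_encrypt(KEY, IV, PT), cbc_encrypt(KEY, IV, flip_bit(PT, 0))
    return changed(good, bad), changed(PT, cbc_decrypt(KEY, IV, bad))
```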
5. The pseudo-random stream of blocks generated by 64-bit OFB
must eventually repeat (since at most $2^{64}$ different blocks can be
generated). Will K{IV} necessarily be the first block to be
repeated?
Actually, IV will be the first block to be repeated. To see this, note
that the previous block to any given block must be the decryption
of the given block. So if two blocks are equal, their respective
previous blocks are also equal (unless one of them doesn't have
a previous because it is first, namely IV).
6. If a bit error occurs in the transmission of a ciphertext character
in 8-bit CFB mode, how far does the error propagate?
Nine plaintext characters are affected. The plaintext character
corresponding to the ciphertext character is obviously altered. In
addition, the altered ciphertext character enters the shift register
and is not removed until the next eight (b/k) characters are
processed.
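The nine-character count checked with an 8-bit CFB implementation over a 64-bit shift register, as an added example that is not part of the original solution. Truncated HMAC-SHA-256 stands in for the block cipher's encryption function (an assumption; CFB never uses the decryption direction), and the key, IV and message in the demo are constructed.

```python
import hashlib
import hmac

REG = 8  # 64-bit shift register with 8-bit segments, so b/k = 8

def E(key, block):
    # Stand-in for block cipher encryption; only this direction is needed in CFB
    return hmac.new(key, block, hashlib.sha256).digest()[:REG]

def cfb8_encrypt(key, iv, pt):
    reg, out = iv, bytearray()
    for p in pt:
        c = p ^ E(key, reg)[0]         # use the leading 8 bits of E(register)
        out.append(c)
        reg = reg[1:] + bytes([c])     # shift the ciphertext character in
    return bytes(out)

def cfb8_decrypt(key, iv, ct):
    reg, out = iv, bytearray()
    for c in ct:
        out.append(c ^ E(key, reg)[0])
        reg = reg[1:] + bytes([c])     # the receiver shifts in what it received
    return bytes(out)

def damage(key, iv, pt, hit, bit=0x01):
    """Flip one bit of ciphertext character `hit`; return (damaged positions, plaintext)."""
    ct = bytearray(cfb8_encrypt(key, iv, pt))
    ct[hit] ^= bit
    got = cfb8_decrypt(key, iv, bytes(ct))
    return [i for i, (a, b) in enumerate(zip(pt, got)) if a != b], got

if __name__ == "__main__":
    positions, _ = damage(b"constructed key", bytes(REG), bytes(range(32)), hit=5)
    print(positions)   # all within 5..13
```

Character `hit` has exactly the flipped bit inverted, while the following eight are garbled; any one of those eight can coincide with the original by chance, so the list may occasionally be shorter than nine.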

7. Alice and Bob agree to communicate privately via email using
a scheme based on RC4, but want to avoid using a new secret
key for each transmission. Alice and Bob privately agree on a
128-bit key k. To encrypt a message m, consisting of a string of
bits, the following procedure is used:
1. Choose a random 80-bit value v
2. Generate the ciphertext c = RC4(v || k) XOR m
3. Send the bit string (v || c)
a. Suppose Alice uses this procedure to send a message m to
Bob. Describe how Bob can recover the message m from (v || c)
using k.
b. If an adversary observes several values (v1 || c1), (v2 || c2), ...
transmitted between Alice and Bob, how can he/she determine
when the same key stream has been used to encrypt two
messages?
c. Approximately how many messages can Alice expect to send
before the same key stream will be used twice? (Use the
approximate result from the birthday paradox)
d. What does this imply about the lifetime of the key k (i.e., the
number of messages that can be encrypted using k)?
a. By taking the first 80 bits of v || c, we obtain the initialization
vector, v. Since v, c, k are known, the message can be recovered
(i.e., decrypted) by computing RC4(v || k) XOR c.
b. If the adversary observes that vi = vj for distinct i, j then he/she
knows that the same key stream was used to encrypt both mi and
mj. In this case, the messages mi and mj may be vulnerable to
the type of cryptanalysis carried out in part (a).
c. Since the key is fixed, the key stream varies with the choice of
the 80-bit v, which is selected randomly. Thus, after
approximately $\sqrt{2^{80}} = 2^{40}$ messages are sent, we expect the same v, and
hence the same key stream, to be used more than once.
d. The key k should be changed sometime before $2^{40}$ messages
are sent.
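The scheme from this problem in code, as an added example that is not part of the original solution: Bob's recovery from part (a), the repeated-v check from part (b) that needs no key, and the reason a repeat matters (the two ciphertexts XOR to the XOR of the two plaintexts). Function names and the sample messages are assumptions.

```python
import secrets

IV_LEN = 10  # the 80-bit value v

def rc4(key, n):
    """n bytes of RC4 keystream (standard key scheduling and output generation)."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def send(k, m, v=None):
    """Steps 1-3: pick v, compute c = RC4(v || k) XOR m, transmit v || c."""
    v = secrets.token_bytes(IV_LEN) if v is None else v
    return v + xor(m, rc4(v + k, len(m)))

def receive(k, packet):
    """Part (a): split off v, regenerate the key stream, XOR it with c."""
    v, c = packet[:IV_LEN], packet[IV_LEN:]
    return xor(c, rc4(v + k, len(c)))

def reused_iv_pairs(packets):
    """Part (b): index pairs whose leading 80 bits match; k is not needed."""
    seen, pairs = {}, []
    for idx, p in enumerate(packets):
        v = p[:IV_LEN]
        if v in seen:
            pairs.append((seen[v], idx))
        seen.setdefault(v, idx)
    return pairs

if __name__ == "__main__":
    k = secrets.token_bytes(16)
    m1, m2 = b"constructed message 1", b"constructed message 2"
    v = bytes(IV_LEN)                        # forced repeat of v for the demo
    p1, p2 = send(k, m1, v), send(k, m2, v)
    print(reused_iv_pairs([p1, p2]))
    print(xor(p1[IV_LEN:], p2[IV_LEN:]) == xor(m1, m2))
```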
8. Suppose H(m) is a collision resistant hash function that
maps a message of arbitrary bit length into an n-bit hash
value. Is it true that, for all messages x, x' with x != x', we
have H(x) != H(x')? Explain your answer.
The statement is false. Such a function cannot be one-to-one
because the number of inputs to the function is arbitrary,
but the number of unique outputs is $2^n$. Thus, there are
multiple inputs that map into the same output.

9. This problem provides a numerical example of encryption
using a one-round version of DES. We start with the same bit
pattern for the key K and the plaintext, namely:
in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A B C D E F
in binary notation: 0000 0001 0010 0011 0100 0101 0110 0111
                    1000 1001 1010 1011 1100 1101 1110 1111
a. Derive K1, the first-round subkey.
b. Derive L0, R0.
c. Expand R0 to get EXP(R0).
d. Calculate A = EXP(R0) XOR K1.
e. Group the 48-bit result of (d) into sets of 6 bits and
evaluate the corresponding S-box substitutions.
f. Concatenate the results of (e) to get a 32-bit result, B.
g. Apply the permutation to get P(B).
h. Calculate R1 = P(B) XOR L0.
i. Write down the ciphertext.
a. in binary notation: 0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101
in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A 5
b. L0, R0 are derived by passing the 64-bit plaintext through the
Initial Permutation:
L0 = 1100 1100 0000 0000 1100 1100 1111 1111
R0 = 1111 0000 1010 1010 1111 0000 1010 1010
c. EXP(R0) = 011110 100001 010101 010101 011110 100001 010101 010101
d. A = 011100 010001 011100 110010 111000 010101 110011 110000
e. 0 (base 10) = 0000 (base 2), 12 (base 10) = 1100 (base 2),
2 (base 10) = 0010 (base 2), 1 (base 10) = 0001 (base 2),
6 (base 10) = 0110 (base 2), 13 (base 10) = 1101 (base 2),
5 (base 10) = 0101 (base 2), 0 (base 10) = 0000 (base 2)
f. B = 0000 1100 0010 0001 0110 1101 0101 0000
g. P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
h. R1 = 0101 1110 0001 1100 1110 1100 0110 0011
i. L1 = R0. The ciphertext is the concatenation of L1 and R1.
