ECE454/CS594 Computer and Network Security - PowerPoint PPT Presentation

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee – PowerPoint PPT presentation

Slides: 29
Provided by: Kui94
Learn more at: https://web.eecs.utk.edu
1
ECE454/CS594 Computer and Network Security
  • Dr. Jinyuan (Stella) Sun
  • Dept. of Electrical Engineering and Computer
    Science
  • University of Tennessee
  • Fall 2011

2
Exercise 1 Chapters 1-5
3
Review Questions
4
  • 1. What are the essential ingredients of a
    symmetric cipher?
  • Plaintext, encryption algorithm, secret key,
    ciphertext, decryption algorithm.
  • 2. What are the two basic functions used in
    encryption algorithms?
  • Permutation and substitution.
  • 3. How many keys are required for two people to
    communicate via a cipher?
  • One key for symmetric ciphers, two keys for
    asymmetric ciphers.
  • 4. What is the difference between a block cipher
    and a stream cipher?
  • A stream cipher is one that encrypts a digital
    data stream one bit or one byte at a time. A
    block cipher is one in which a block of plaintext
    is treated as a whole and used to produce a
    ciphertext block of equal length.
  • 5. What are the two general approaches to
    attacking a cipher?
  • Cryptanalysis and brute force.

5
  • 6. What is the difference between an
    unconditionally secure cipher and a
    computationally secure cipher?
  • An encryption scheme is unconditionally secure
    if the ciphertext generated by the scheme does
    not contain enough information to determine
    uniquely the corresponding plaintext, no matter
    how much ciphertext is available. An encryption
    scheme is said to be computationally secure if
    (1) the cost of breaking the cipher exceeds the
    value of the encrypted information, and (2) the
    time required to break the cipher exceeds the
    useful lifetime of the information.
  • 7. What are two problems with the one-time pad?
  • 1) There is the practical problem of making
    large quantities of random keys. Any heavily used
    system might require millions of random
    characters on a regular basis. Supplying truly
    random characters in this volume is a significant
    task.
  • 2) Even more daunting is the problem of key
    distribution and protection. For every message to
    be sent, a key of equal length is needed by both
    sender and receiver. Thus, a mammoth key
    distribution problem exists.

6
  • 8. List ways in which secret keys can be
    distributed to two communicating parties.
  • 1) A can select a key and physically deliver
    it to B.
  • 2) A third party can select the key and
    physically deliver it to A and B.
  • 3) If A and B have previously and recently
    used a key, one party can transmit the new key to
    the other, encrypted using the old key.
  • 4) If A and B each has an encrypted connection
    to a third party C, C can deliver a key on the
    encrypted links to A and B.
  • 9. What types of attacks are addressed by message
    authentication?
  • Masquerade: Insertion of messages into the
    network from a fraudulent source. This includes
    the creation of messages by an opponent that are
    purported to come from an authorized entity. Also
    included are fraudulent acknowledgments of
    message receipt or nonreceipt by someone other
    than the message recipient.
  • Content modification: Changes to the contents of
    a message, including insertion, deletion,
    transposition, and modification.
  • Sequence modification: Any modification to a
    sequence of messages between parties, including
    insertion, deletion, and reordering.
  • Timing modification: Delay or replay of
    messages. In a connection-oriented application,
    an entire session or sequence of messages could
    be a replay of some previous valid session, or
    individual messages in the sequence could be
    delayed or replayed. In a connectionless
    application, an individual message (e.g.,
    datagram) could be delayed or replayed.

7
  • 10. What two levels of functionality comprise a
    message authentication or digital signature
    mechanism?
  • At the lower level, there must be some sort
    of function that produces an authenticator: a
    value to be used to authenticate a message. This
    lower-level function is then used as a primitive
    in a higher-level authentication protocol that
    enables a receiver to verify the authenticity of
    a message.
  • 11. What are some approaches to producing message
    authentication?
  • Message encryption, message authentication
    code, digital signature.
  • 12. When a combination of symmetric encryption
    and an error control code (e.g., CRC) is used for
    message authentication, in what order must the
    two functions be performed?
  • Error control code, then encryption.
  • 13. What is the difference between a message
    authentication code and a one-way hash function?
  • A hash function, by itself, does not provide
    message authentication. A secret key must be used
    in some fashion with the hash function to produce
    authentication. A MAC, by definition, uses a
    secret key to calculate a code used for
    authentication.

8
  • 14. Is it necessary to recover the secret key in
    order to attack a MAC algorithm?
  • No. See problem with h(key || m).
  • 15. What characteristics are needed in a secure
    hash function?
  • 1) H can be applied to a block of data of
    any size.
  • 2) H produces a fixed-length output.
  • 3) H(x) is relatively easy to compute for
    any given x, making both hardware and software
    implementations practical.
  • 4) For any given value h, it is
    computationally infeasible to find x such that
    H(x) = h. This is sometimes referred to in the
    literature as the one-way property.
  • 5) For any given block x, it is
    computationally infeasible to find y ≠ x with
    H(y) = H(x).
  • 6) It is computationally infeasible to find
    any pair (x, y) such that H(x) = H(y).
  • 16. What is the role of a compression function in
    a hash function?
  • A typical hash function uses a compression
    function as a basic building block, and involves
    repeated application of the compression function.

9
  • 17. Why has there been an interest in developing
    a message authentication code derived from a
    cryptographic hash function as opposed to one
    derived from a symmetric cipher?
  • 1) Cryptographic hash functions such as MD5
    and SHA generally execute faster in software than
    symmetric block ciphers such as DES. 2) Library
    code for cryptographic hash functions is widely
    available.
  • 18. What changes in HMAC are required in order to
    replace one underlying hash function with
    another?
  • To replace a given hash function in an HMAC
    implementation, all that is required is to remove
    the existing hash function module and drop in the
    new module.

10
Problems
11
  • 1. One way to solve the key distribution problem
    is to use a line from a book that both the sender
    and the receiver possess. Typically, at least in
    spy novels, the first sentence of a book serves
    as the key. The particular scheme discussed in
    this problem is from one of the best suspense
    novels involving secret codes, Talking to Strange
    Men, by Ruth Rendell. Work this problem without
    consulting that book! Consider the following
    message:
  • SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
  • This ciphertext was produced using the first
    sentence of The Other Side of Silence (a book
    about the spy Kim Philby):
  • The snow lay thick on the steps and the
    snowflakes driven by the wind looked black in the
    headlights of the cars.
  • A simple substitution cipher was used.
  • a. What is the encryption algorithm?
  • b. How secure is it?
  • c. To make the key distribution problem simple,
    both parties can agree to use the first or last
    sentence of a book as the key. To change the key,
    they simply need to agree on a new book. The use
    of the first sentence would be preferable to the
    use of the last. Why?

12
  • a. The first letter t corresponds to A, the
    second letter h corresponds to B, e is C, s is D,
    and so on. Second and subsequent occurrences of a
    letter in the key sentence are ignored. The
    result:
  • ciphertext: SIDKHKDM AF HCRKIABIE SHIMC KD
    LFEAILA
  • plaintext: basilisk to leviathan blake is
    contact
  • b. It is a monoalphabetic cipher and so easily
    breakable.
  • c. The last sentence may not contain all the
    letters of the alphabet. If the first sentence is
    used, the second and subsequent sentences may
    also be used until all 26 letters are encountered.

13
  • 2. In one of Dorothy Sayers's mysteries, Lord
    Peter is confronted with the message shown below.
    He also discovers the key to the message, which
    is a sequence of integers:
  • 787656543432112343456567878878765654
  • 3432112343456567878878765654433211234
  • a. Decrypt the message. Hint: What is the largest
    integer value?
  • b. If the algorithm is known but not the key, how
    secure is the scheme?
  • c. If the key is known but not the algorithm, how
    secure is the scheme?

14
  • a. Lay the message out in a matrix 8 letters
    across. Each integer in the key tells you which
    letter to choose in the corresponding row.
    Result:
  • He sitteth between the cherubims. The isles may
    be glad thereof. As the rivers in the south.
  • b. Quite secure. In each row there is one of
    eight possibilities. So if the ciphertext is 8n
    letters in length, then the number of possible
    plaintexts is 8^n.
  • c. Not very secure. Lord Peter figured it out.
    (from The Nine Tailors)

15
  • 3. For any block cipher, the fact that it is a
    nonlinear function is crucial to its security. To
    see this, suppose that we have a linear block
    cipher EL that encrypts 128-bit blocks of
    plaintext into 128-bit blocks of ciphertext. Let
    EL(k, m) denote the encryption of a 128-bit
    message m under a key k (the actual bit length of
    k is irrelevant). Thus:
  • EL(k, m1 XOR m2) = EL(k, m1) XOR EL(k, m2)
    for all 128-bit patterns m1, m2
  • Describe how, with 128 chosen ciphertexts, an
    adversary can decrypt any ciphertext without
    knowledge of the secret key k. (A "chosen
    ciphertext" means that an adversary has the
    ability to choose a ciphertext and then obtain
    its decryption. Here, you have 128
    plaintext/ciphertext pairs to work with and you
    have the ability to choose the value of the
    ciphertexts.)

16
  • For 1 ≤ i ≤ 128, take c_i ∈ {0, 1}^128 to be the
    string containing a 1 in position i and
    zeros elsewhere. Obtain the decryption of these
    128 ciphertexts. Let m1, m2, . . . , m128 be the
    corresponding plaintexts. Now, given any
    ciphertext c which does not consist of all zeros,
    there is a unique nonempty subset of the c_i's
    which we can XOR together to obtain c. Let I(c)
    ⊆ {1, 2, . . . , 128} denote this subset. Observe
  •  
  •  
  •  
  • Thus, we obtain the plaintext of c by computing
    . Let 0 be the all-zero string. Note
    that 0 = 0 ⊕ 0. From this we obtain E(0) = E(0 ⊕
    0) = E(0) ⊕ E(0) = 0. Thus, the plaintext of c =
    0 is m = 0. Hence we can decrypt every c ∈ {0,
    1}^128.
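
The chosen-ciphertext attack from this answer, as an added Python example that is not part of the original slides. The toy linear cipher (key-selected shift-and-XOR rounds) and all function names are assumptions made for illustration; the attacker only calls the decryption oracle on the 128 unit ciphertexts c_i and then XORs the recorded m_i for every 1 bit of c.

```python
import random

BITS = 128
MASK = (1 << BITS) - 1

def _shifts(key, rounds=8):
    # Toy key schedule: the key only selects shift amounts, so every round
    # is a linear map over GF(2) and E(k, 0) = 0, as the problem assumes.
    rng = random.Random(key)
    return [(rng.randrange(1, BITS), rng.randrange(1, BITS)) for _ in range(rounds)]

def encrypt(key, m):
    x = m
    for a, b in _shifts(key):
        x ^= (x << a) & MASK       # x -> x XOR (x << a): linear and invertible
        x ^= x >> b                # x -> x XOR (x >> b): linear and invertible
    return x

def decrypt(key, c):
    x = c
    for a, b in reversed(_shifts(key)):
        s = b
        while s < BITS:            # undo x ^= x >> b
            x ^= x >> s
            s *= 2
        s = a
        while s < BITS:            # undo x ^= x << a
            x ^= (x << s) & MASK
            s *= 2
    return x

def collect_basis(decryption_oracle):
    # The 128 chosen ciphertexts c_i: a single 1 in position i, zeros elsewhere.
    return [decryption_oracle(1 << i) for i in range(BITS)]

def decrypt_without_key(basis, c):
    # XOR together m_i for every i in I(c), the set of 1 bits of c.
    m = 0
    for i in range(BITS):
        if (c >> i) & 1:
            m ^= basis[i]
    return m

def demo():
    key = 0x0123456789ABCDEF       # constructed key, never seen by the attacker
    basis = collect_basis(lambda c: decrypt(key, c))
    secret = int.from_bytes(b"linear is broken", "big")   # constructed 128-bit block
    return decrypt_without_key(basis, encrypt(key, secret)) == secret

if __name__ == "__main__":
    print(demo())
```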

17
  • 4. With the ECB mode of DES, if there is an error
    in a block of the transmitted ciphertext, only
    the corresponding plaintext block is affected.
    However, in the CBC mode, this error propagates.
    For example, an error in the transmitted C1
    obviously corrupts P1 and P2.
  • a. Are any blocks beyond P2 affected?
  • b. Suppose that there is a bit error in the
    source version of P1. Through how many ciphertext
    blocks is this error propagated? What is the
    effect at the receiver?

18
  • a. No. For example, suppose C1 is corrupted. The
    output block P3 depends only on the input blocks
    C2 and C3.
  • b. An error in P1 affects C1. But since C1 is
    input to the calculation of C2, C2 is affected.
    This effect carries through indefinitely, so that
    all ciphertext blocks are affected. However, at
    the receiving end, the decryption algorithm
    restores the correct plaintext for blocks except
    the one in error. You can show this by writing
    out the equations for the decryption. Therefore,
    the error only affects the corresponding
    decrypted plaintext block.

19
  • 5. The pseudo-random stream of blocks generated
    by 64-bit OFB must eventually repeat (since at
    most 2^64 different blocks can be generated). Will
    K{IV} necessarily be the first block to be
    repeated?

20
  • Actually, IV will be the first block to be
    repeated. To see this, note that the previous
    block to any given block must be the decryption
    of the given block. So if two blocks are equal,
    their respective previous blocks are also equal
    (unless one of them doesn't have a previous
    block because it is first, namely IV).

21
  • 6. If a bit error occurs in the transmission of a
    ciphertext character in 8-bit CFB mode, how far
    does the error propagate?

22
  • Nine plaintext characters are affected. The
    plaintext character corresponding to the
    ciphertext character is obviously altered. In
    addition, the altered ciphertext character enters
    the shift register and is not removed until the
    next eight (b/k) characters are processed.

23
  • 7. Alice and Bob agree to communicate privately
    via email using a scheme based on RC4, but want
    to avoid using a new secret key for each
    transmission. Alice and Bob privately agree on a
    128-bit key k. To encrypt a message m, consisting
    of a string of bits, the following procedure is
    used
  • 1. Choose a random 80-bit value v
  • 2. Generate the ciphertext c = RC4(v || k) XOR m
  • 3. Send the bit string (v || c)
  • a. Suppose Alice uses this procedure to send a
    message m to Bob. Describe how Bob can recover
    the message m from (v || c) using k.
  • b. If an adversary observes several values (v1 ||
    c1), (v2 || c2), ... transmitted between Alice
    and Bob, how can he/she determine when the same
    key stream has been used to encrypt two messages?
  • c. Approximately how many messages can Alice
    expect to send before the same key stream will be
    used twice? (Use the approximate result from the
    birthday paradox)
  • d. What does this imply about the lifetime of the
    key k (i.e., the number of messages that can be
    encrypted using k)?

24
  • a. By taking the first 80 bits of v || c, we
    obtain the initialization vector, v. Since v, c,
    k are known, the message can be recovered (i.e.,
    decrypted) by computing RC4(v || k) ⊕ c.
  • b. If the adversary observes that v_i = v_j for
    distinct i, j then he/she knows that the same key
    stream was used to encrypt both m_i and m_j. In
    this case, the messages m_i and m_j may be
    vulnerable to the type of cryptanalysis carried
    out in part (a).
  • c. Since the key is fixed, the key stream varies
    with the choice of the 80-bit v, which is
    selected randomly. Thus, after approximately
    messages are sent, we expect the same v, and
    hence the same key stream, to be used more than
    once.
  • d. The key k should be changed sometime before
    2^40 messages are sent.
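
The scheme and the observer's check from part (b), as an added Python example that is not part of the original slides. The key, messages and the forced repeat of v are constructed sample values, and the function names are assumptions; RC4 itself is the standard algorithm.

```python
import os
from collections import defaultdict

def rc4_keystream(key, n):
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # output generation
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(k, m, v=None):
    v = os.urandom(10) if v is None else v      # step 1: random 80-bit v
    c = xor(rc4_keystream(v + k, len(m)), m)    # step 2: c = RC4(v || k) XOR m
    return v + c                                # step 3: send v || c

def decrypt(k, packet):
    v, c = packet[:10], packet[10:]             # part (a): first 80 bits are v
    return xor(rc4_keystream(v + k, len(c)), c)

def find_reused_v(packets):
    # Part (b): group observed packets by their cleartext 80-bit prefix.
    seen = defaultdict(list)
    for idx, p in enumerate(packets):
        seen[p[:10]].append(idx)
    return [idxs for idxs in seen.values() if len(idxs) > 1]

def demo():
    k = bytes(range(16))                        # constructed 128-bit key
    v = bytes(10)                               # v forced to repeat (simulated collision)
    m1, m2, m3 = b"constructed msg1", b"constructed msg2", b"constructed msg3"
    packets = [encrypt(k, m1, v), encrypt(k, m2), encrypt(k, m3, v)]
    (i, j), = find_reused_v(packets)
    leaked = xor(packets[i][10:], packets[j][10:])   # equals m1 XOR m3, no key needed
    return (i, j), leaked == xor(m1, m3), decrypt(k, packets[1]) == m2
```

When v repeats, the two ciphertexts XOR to the XOR of the two plaintexts without any use of k, which is why the key must be retired before a repeat of v becomes likely.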

25
  • 8. Suppose H(m) is a collision resistant hash
    function that maps a message of arbitrary bit
    length into an n-bit hash value. Is it true that,
    for all messages x, x' with x ≠ x', we have H(x)
    ≠ H(x')? Explain your answer.

26
  • The statement is false. Such a function cannot be
    one-to-one because the number of inputs to the
    function is arbitrary, but the number of
    unique outputs is 2^n. Thus, there are multiple
    inputs that map into the same output.

27
  • 9. This problem provides a numerical example of
    encryption using a one-round version of DES. We
    start with the same bit pattern for the key K and
    the plaintext, namely
  • in hexadecimal notation: 0 1 2 3 4 5 6 7 8 9 A
    B C D E F
  • in binary notation: 0000 0001 0010 0011 0100
    0101 0110 0111 1000 1001 1010 1011
    1100 1101 1110 1111
  • a. Derive K1, the first-round subkey.
  • b. Derive L0, R0.
  • c. Expand R0 to get EXP(R0).
  • d. Calculate A = EXP(R0) XOR K1.
  • e. Group the 48-bit result of (d) into sets of 6
    bits and evaluate the corresponding S-box
    substitutions.
  • f. Concatenate the results of (e) to get a 32-bit
    result, B.
  • g. Apply the permutation to get P(B).
  • h. Calculate R1 = P(B) XOR L0.
  • i. Write down the ciphertext.

28
  • a. in binary notation: 0000 1011 0000 0010 0110
    0111 1001 1011 0100 1001 1010 0101
  • in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A
    5
  • b. L0, R0 are derived by passing the 64-bit
    plaintext through the Initial Permutation:
  • L0 = 1100 1100 0000 0000 1100 1100 1111 1111
  • R0 = 1111 0000 1010 1010 1111 0000 1010 1010
  • c. EXP(R0) = 011110 100001 010101 010101 011110
    100001 010101 010101
  • d. A = 011100 010001 011100 110010 111000 010101
    110011 110000
  • e. 0 (base 10) = 0000 (base 2), 12 (base 10) =
    1100 (base 2), 2 (base 10) = 0010 (base 2), 1
    (base 10) = 0001 (base 2), 6 (base 10) = 0110
    (base 2), 13 (base 10) = 1101 (base 2), 5 (base
    10) = 0101 (base 2), 0 (base 10) = 0000 (base 2)
  • f. B = 0000 1100 0010 0001 0110 1101 0101 0000
  • g. P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
  • h. R1 = 0101 1110 0001 1100 1110 1100 0110 0011
  • i. L1 = R0. The ciphertext is the concatenation
    of L1 and R1.