Prof. Reuven Aviv, Nov 2013 Public Key Infrastructure1 Prof. Reuven Aviv Tel Hai Academic College Department of Computer Science Problem Set 1: Cryptography

Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI2 Problem 203 In DES: For a bit M, Let M' be the bitwise complement of M. Prove that : If Y = DES K (X) Then Y' = DES K' (X' ) Hint : Begin by showing that for any two bit strings of equal length, A and B, (A  B)' = A'  B (A’  B’) = A  B

Answer 203: DES Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI3

Answer 203: DES Single round L i = R i-1 R i = L i-1  F(R i-1,K i ) F(R i-1,K i ) a complex function: –Input R i-1 –Permutation/expansion (32 bit  48 bits) Using ”E Tables” –XOR with K i (48 bits) –Substitution/choice (48 bits  32 bits) Using 8 ”S boxs”, each 6 bits  4 bits –Permutation P Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI4

Answer 203 First show (A  B)' = A'  B, (A  B) = A’  B’, Now Consider 1 st round of DES K' (X' ) All bits in RE 0 are complemented. Then we call F. F has all kinds of permutations and expansions, and a XOR, with complemented K. Hence the result up to this point is the same as in DES K (X) Then The result is XORed again with complemented K. The result of 1 st round is complemented relative to the result of DES K (X). Similarly for all rounds 5

Problem 205 Consider a CFB mode, with 1 character data and 8 characters register. If a bit error occurs in the transmission of a ciphertext character, how far, in the decryption process, does the error propagate? Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI6

Answer 205: Cipher Feedback Mode - Decryption C 1 = P 1  MSB s (E K (R 1 ))  P 1 = C 1  MSB s (E K ( R 1 )) C 2 = P 2  MSB s (E K (R 2 ))  P 2 = C 2  MSB s (E K ( R 2 )) C n = P n  MSB s (E K (R n ))  P n = C n  MSB s (E K ( R n )) Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI7

Answer 205 Each character (8 bits) is a block The register R has 8 chars (64 bits) Suppose There was an error in C1 (cipher of char 1) P 1 = C 1  MSB s (E K (R 1 )). P1 is obviously affected –Register R2 now has 8 bits with possible error P 2 = C 2  MSB s (E K (R 2 )) is possibly affected The 8 bits with possible errors will not completely removed from the register until the next eight plaintext characters are calculated. Nine plaintext characters are affected. 8

Problem 207 Suppose that someone suggested the following way to confirm that the two of you are both in possession of the same secret key. You create a random bit string the length of the key, XOR it with the key, and send the results over the channel. Your partner XORs the incoming block with the key he knows, sends the result back to you. You check and if what you receive is your original random string, you have verified that your partner has the same secret key, yet neither of you has ever transmitted the key. Is there a flaw in this scheme? Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI9

Answer 207 The algorithm indeed proves that your partner and you are using the same key. But an attacker can get be in the middle, and get the two messages sent. The first message is an XOR of the original random string, with the Key. The second string is the original random string (if your partner indeed knows the key). Thus all the attacker has to do is to XOR the two messages to get the Key. Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI10

Problem 211 What RC4 key K will leave S unchanged during initialization? That is. After the initial permutation of S, the entries of S will be equal to the values from 0 to through 255 in ascending order? Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI11

Answer 211 The initial permutation of S is calculated by assigning to each index i to another index j(i) by j(i) = (j(i-1) +S[i] + T[i]) mod 256, then swap S[i] and S[j]. Initial value of j is 0. Since all values of S[i] are different, a permutation that leaves S unchanged requires j(i) = i for all i. We need to find the key K that will do that: The temporary vector T has the values of K (if K is smaller than T, then K repeats in T) i= 0: we have: j(0) = (0 + S[0] + T[0]) mod 256 = = T[0]mod 256 = K[0]mod256 We require j(0) = i = 0; hence K[0]mode 256 = 0; K[0] = 0

i = 1: j(1) = (j(0) + S[1] + K[1]) mod 256 = (K[1] + 1)mode 256; We require j(1) = i = 1;hence ( K[1] +1)mod256 = 1; K[1] = 0 i = 2: j(2) = (j(1) +S[2] +K[2])mod 256 = (3 + K[2])mod 256. We require j(2) = i = 2; hence (K[2] +3)mod256 = 2; K[2] = 255 i = 3: j(3) = (j(2) + S[3] + K[3])mod256 = (5 + K[3])mod256. We require j(3) = i = 3; hence (K[3] + 5) mode256 = 3; K[3] = 254 Similarly for the rest of the Bytes of the key. 13

Problem 308 Suppose we are attackers. We have a set of blocks encoded with the RSA algorithm and but we obviously don’t know the private key. We know the public key, {n = pq, e}. Suppose also someone tells us they know one of the plaintext blocks (we call it the special block, but we don't know which one) has a common factor with n. Does this helps us in any way to find p and q? Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI14

Answer 308 The encoded special block will also have a common factor with n. Since n = pq, & both p and q are primes, the common factor is either p or q. The plaintext (and the ciphertext) of the special block is a multiple of either p or q. Test each ciphertext for primality. If it is a prime, it’s either p or q. divide it into n to find the other If the cipher is not prime, factor it and check if either of the factors is also a factor of n. If none of them is a factor, go to the next cipher. Eventually we find p and q. 15

Problem 311 Assume the hash of a 2-block message (B1,B2) is RSAH(B1,B2) = RSA(RSA(B1)  B2) After calculating the hash of the message, it is attached to the (un-encrypted) message and sent to a receiver. An opponent catches a two block message (B1,B2) and its hash RSAH(B1,B2). The opponent picks an arbitrary block C1. Show that the opponent can easily construct another block C2 so that the hash of the 2-block message (C1,C2) is equal to the hash of the original 2-block message (B1,B2). 16

Answer 311 The opponent has the 2-block message (B1, B2) and its hash RSAH(B1, B2). The opponent picks an arbitrary block C1 and then constructed a second block C2 by: C2 = RSA(C1)  RSA(B1)  B2 Then: RSA(C1)  C2 = RSA(C1)  [RSA(C1)  RSA(B1)  B2] = RSA(B1)  B2 So RSAH(C1, C2) = RSA[RSA(C1)  C2] = RSA[RSA(B1)  B2] = RSAH(B1, B2) 17

Problem 318 Suppose Alice sends a message to Bob by representing each alphabetic character by as an integer between 0 and 25 (A  0, B  1, … Z  25), and then encrypting each number separately using RSA with large e and large n. Is this method secure? If not explain why. Describe the most efficient attack against this encryption method. Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI18

Answer 318 A plaintext M is a set of blocks, each one is an element of the set {0, 1, 2, …, 25}. Very few different blocks Similarly, a ciphertext C is a set of blocks, each is an element of the set = {0 e mod n, 1 e mod n, …, 25 e mod n}. Very few different ciphers. These can be computed by everybody with the knowledge of the public key of Bob, e, and n. Thus, a man in the middle computes M e mod n for all possible values of M, then create a lookup table with a ciphertext as an index and the corresponding plaintext as a value of the appropriate location in the table. Prof. Reuven Aviv, Nov 2006 Public Key Cryptography and PKI19