Design Problems (Open book) Network Security Final Examination Lecture ID: ET-IDA-082 (2416082) Design Problems (Open book) Duration: 120 Minutes 14.08.2008 v15 Sample Solution Name: …………………………………………….. Matr. Nr.: ………………………….……………… Prof. W. Adi

Andre Zierfuß, Arther Strasser Many thanks to : Andre Zierfuß, Arther Strasser For their valuable contribution to the sample solution

How many public keys are possible to choose for each user? P1: A public key RSA System is used by two users A and B with the private secret primes for A: 19, 7 and for B:17, 7. Find out the adequate open key of user A from the following list of integers [12, 21, 35] and for B [16, 33, 22]. Compute the corresponding secret keys for user A and B. User A encrypts the message M=3 to send the cryptogram YA to B and generates from M the signature SA . Compute YA and SA . Decrypt cryptogram YA on the receiver‘s side B and verify the signature SA of user A. User B signs the received message M and sends back the resulting signature SB to A. Compute the signature SB How many public keys are possible to choose for each user? MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

Solution: Find out the adequate open key of user A from the following list of integers [12, 21, 35] and for B [16, 33, 22]. Compute the corresponding secret keys for user A and B. NA = 19 x 7 = 133 , φ (NA ) = (19-1)(7-1) = 108 gcd [ EA, φ (NA ) ] = 1 => select 35 as gcd (108,35) = 1 (12 and 21 are not relatively prime to 108) EA = 35 DA = -37 mod 108 =-37+108= 71 (see computation below) DA = 35 -1 mod 108 = - 37 = 108-37 = 71 n1 n2 b1 b2 q r 108 35 1 3 -3 11 2 34 -37 Find out the adequate open key of user B from the following list of integers: [16, 33, 22]. Compute the corresponding secret key for user B. NB = 17 x 5 = 85 , φ (NB) = (17-1)(5-1) = 64 gcd (EB, φ (NB ) ] =1 => select 33 as gcd (64,33) = 1 EB = 33 DB = -31 mod 64 = 33 (see computation below) DB = 33 -1 mod 64 = - 31 = -31+64 = 33 n1 n2 b1 b2 q r 64 33 1 31 -1 2 15 -31 4

5. How many public keys are possible to choose for each user? 2. User A encrypts the message M=3 to send the cryptogram YA to B and generates from M the signature SA . Compute YA and SA . 3. Decrypt cryptogram YA on the receiver‘s side B and verify the signature SA of user A. Decryption: Verification: 4. User B signs the received message M and sends back the resulting signature SB to A. Compute the signature SB 5. How many public keys are possible to choose for each user? # of keys for user A = φ [φ (NA )] = φ (108 ) = φ (2.2.3.3.3 )= 108 (1 -1/2 ) ( 1 – 1/3 ) = 36 keys # of keys for user B = φ [φ (NB )] = φ (64 ) = φ (26 )= 64 (1 -1/2 ) = 32 keys 5

What are the possible multiplicative orders of elements in GF(26)? P2: A Diffie-Hellman (DH) Exchange-System with public key uses GF(26) with the irreducible polynomial P(x) = x6 + x3 + 1 as field modulus. Calculate all exponents of the element x from 1 to 10. Compute the multiplicative order of x? What are the possible multiplicative orders of elements in GF(26)? Let β= (1+x3) be an element from GF(26). Calculate the order of ß. Hint: 1+x3 = x6. Use α=(1+x) as open element for DH System. Users A and B have the private keys Xa=31 und Xb=43 respectively. Compute the DH open key for A and B and the shared key ZAB in the form αt for the smallest t and as a binary vector. Compute is the order for the element (1+x)45 ? Compute all elements having the same order . Compute the multiplicative inverse of β = x3 + 1 in the form β -1 = xk for the smallest possible k. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

Solution: Calculate all exponents of the element x from 1 to 10. Compute the multiplicative order of x? P(x) = x6 + x3 + 1 = 0 => x6 = x3 + 1 x1 = x x2 = x2 x3 = x3 x4 = x4 x5 = x5 x6 = x3 +1 x7 = x4 + x x8 = x5 + x2 x9 = x6 + x3 = x3 + 1 + x3 = 1 => order of x = 9 x10 = x 2. What are the possible multiplicative orders of elements in GF(26)? Possible orders are the divisors of 26 -1 = 63 Divisors of 63 are: 1, 3,7,9,21,63 3. Let β= (1+x3) be an element from GF(26). Calculate the order of ß. Hint: 1+x3 = x6. The order can be 1, 3,7,9,21,63. Order of β= 3 7

α = 1 + x, P(x) = x6 + x3 + 1 4. Computing the order of α = (1+x) α3 = (1+x)3 =(1+x)2 (1+x)= 1 + x2 +x + x3 ≠ 1 α7 = (1+x)4 (1+x)3 = (1+x4)(1+ x2 +x + x3 ) = 1+ x2 +x + x3 + x4+ x6 +x5 + x7 ≠ 1 α7= 1+ x2 +x + x3 + x4+ x3 +1 +x5 + x4 + x = x2 +x5 ≠ 1 α 9 = α7 α2 = (x2 +x5) (1+ x2 ) = x2 + x5 + x4 + x7 = x2 + x5 + x4 + x4 + x = x2 + x5 + x ≠ 1 α14 = ((1+x)7)2 = (x2 +x5 )2 = x4 +x10 = x4 +x ≠ 1 α21 = (1+x)14 (1+x)7 = (x4 +x ) (x2 +x5 ) = x6 +x3 + x9+ x6 = x3 + 1 ≠ 1 => order of α=(1+x) is 63 => α is a primitive element. Public Directory: GF(26) α = 1 + x, P(x) = x6 + x3 + 1 order α = 63 Ya = α 31 , Yb = α 43 User A: Xa= 31 , Ya = α31 User B: Xb= 43 , Yb = α 49 Common secret key for users A and B Zab = (α 31) 43 = α 31x43 mod 63 = α 10 α10 = (1+x)7 (1+x)3 = (x2 +x5 ) (1+x2 +x + x3 ) = x2 +x4 + x3+ x5 + x5 +x7 + x6+ x8 = x2 +x4 + x3+ x5 + x5 +x4 + x + 1+x3+ x5 + x2 = 1 + x + x5 = 100011 8

Elements having the same order as γ are γi = for gcd(7,i)=1 : 5. Compute is the order for the element (1+x)45 ? Compute all elements having the same order . Order of (1+x)45 = α45 =γ Elements having the same order as γ are γi = for gcd(7,i)=1 : γ1 = (1+x)45 γ2 = (1+x)45x2 = (1+x)90 mod 63 = (1+x)27 γ3 = (1+x)45x3 = (1+x)135 mod 63 = (1+x)9 γ4 = (1+x)45x4 = (1+x)180 mod 63 = (1+x)54 γ5 = (1+x)45x5 = (1+x)225 mod 63 = (1+x)36 γ6 = (1+x)45x6 = (1+x)270 mod 63 = (1+x)18 6. Compute the multiplicative inverse of β = x3 + 1 in the form β -1 = xk for the smallest possible k. β -1 mod 3 = β -1 + 3 = β 2  t = 2 As the order of β is 3. Notice. Using the modulus 63 in the exponent would work, however the solution would not deliver the required minimum!.

Prove that P is a prime according to Pocklington’s theorem. P3: A PGP-based security system as shown in fig.1 is setup such that an appropriate prime number P = 2 x 41 + 1 = 83 is generated for GF(P), where q=41 is a prime. Prove that P is a prime according to Pocklington’s theorem. Find a primitive element „a“ in GF(83). Compute the probability, that a randomly chosen element is primitive. Take the private keys for Diffie-Hellmann System over GF(83) for sender and receiver shown in fig. 1 as Xa=13 and Xb=17 . Use the primitive element “a” and compute the resulting session key Ks. (Ks in the form of at for the smallest t is sufficient as a result) Design an appropriate RSA System for fig. 1, such that the same private keys in question 3 can be used for sender and receiver. Compute the corresponding open keys. The message M= 342685 is sent. Use the hash function H = ( M mod 100) mod 32 and state all necessary computations for all framed symbols in Fig. 1. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

PGP Message with Confidentiality & Authentication Ks: Session Key PRa: A’s Private key for PK scheme PUa: A’s Public key for PK scheme EP : Public Key Encryption RSA DP : Public Key Decryption RSA EC: Symmetric Encryption DC: Symmetric Decryption H : Hash Function || : Concatenation Z : Compression (not applied) MD: Message Digest A: Sender H(M)=MD Signed Message Z=1 PE(PUb, Ks) PE(PRa, MD) B: Emfänger PE(PUb, Ks) Message MD is ciphered using key PRa PE(PRa, MD) Ks MD Z-1=1 Fig. 1 MD

the probability that a randomly selected element is primitive. Solution: 1. Prove that N is prime according to Pocklington’s Theorem. N = R . F + 1 = 2 x 41 + 1 = 83 , F = 41 and R = 2.. Is 83 a prime? Proof: 1. gcd ( a (N-1)/ pj –1 , N ) = gcd ( 2 82/ 41 –1 , 83 ) = gcd ( 3 , 83 ) = 1 is true 2. a N-1 = 1 ( mod N )  282 = 1 (mod 83) is true 3. F > 83 =9,11 that is 41 > 9,11 is true As all conditions 1, 2 and 3 are all true  83 is a prime number. 2. Find a primitive element „a“ in GF(83). Compute the probability, that a randomly chosen element is primitive. Possible multiplicative orders are the divisors of of φ (83) = 82 that is => 1, 2, 41, 82 Checking if the element 2 is a primitive one: 2 1 ≠ 1 , 2 2 ≠ 1 , 2 41 =82= -1 ≠ 1  Ord (2) = 82  2 is a primitive element the probability that a randomly selected element is primitive. # of all non-zero elements : 83 – 1 = 82 # of primitive elements: φ ( 82 ) = φ ( 2 . 41 ) = (2-1)(41-1) = 40 P( element=primitive ) = ( 40 / 82 ) . 100 = 48,78% 12

3. DH key exchange system: Public directory User A. XA = 13 YA =  Xa = 2 13 = -- User B. XB = 17 YB =  Xb = 2 17 mod 83 = -- α = 2 , GF(83) YA = 2 13 , YB = 2 17 Shared DH key Ks= ZAB= XA XB= 217x13 mod 82 = 257 mod 83 = 34 RSA system for PGP ( Notice: the selected modulo should be larger than 82 which is the maximum key size of KS)) NA = 2 x 47= 94 , φ (NA ) = (2-1)(47-1) = 46 gcd [ DA, φ (NA ) ] = 1 , DA = 13 EA = -7 mod 46 = 39 (see computation below) EA = 13 -1 mod 46 = - 7= 39 n1 n2 b1 b2 q r 46 13 1 3 7 -3 6 4 -7 NB = 2 x 53 = 106 , φ (NB ) = (2-1)(53-1) = 52 gcd [ DB, φ (NB ) ] = 1 , DB = 17 EB = -3 mod 52 = 49 (see computation below) EB = 17 -1 mod 52 =- 3 n1 n2 b1 b2 q r 52 17 1 3 -3

Ks= ZAB= 257 mod 83 = 34 5. PGP messages H(M) = M mod 100 mod 32 H(M) = 342685 mod 100 mod 32 = 21 PRa = 13 PE(PRa, MD) = H DA mod NA = 2113 mod 94 = -- PUb = 3 Ks= ZAB= 257 mod 83 = 34 PE(PUb, KS) = KS Eb mod NB = (34)3 mod 102 PRb = 17 PUa = 39

How secure is the system according to this procedure? P4: A key distribution center KDC is shown in fig. 2. A one-time pad system with private keystreams KA-KDC and KB-KDC is used. A random value R1= 11011101 is chosen as key by the KDC as a secret key for users A and B. User identities for A and B are given in fig. 2. Calculate the messages M1, M2, M3 in binary format. (the Symbol || is Concatenation) How secure is the system according to this procedure? The key lengths used for this method is too long. Suggest an alternative effective ciphering technique instead of the used „One-Time-Pad” and discuss its security level. MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

Key Distribution Center (KDC) (Secret key) KA-KDC = 10110101 11010111 10110101 11010111 A= 0101 KB-KDC = 11101001 10101011 11100100 01001101 B= 0011 KDC generates R1= 11011101 M1= KA-KDC(A||B) M2= KA-KDC( R1 || KB-KDC(A||R1) ) Alice Computes R1 Bob computes R1 to communicate with Alice M3= KB-KDC(A||R1) MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen? Alice and Bob communicate: using R1 as session key for shared symmetric encryption Fig. 2

M2= KA-KDC( R1 || KB-KDC(A||R1) ) = 11011101 0101 11011101 1. Messages M1, M2 and M3 KA-KDC = 10110101 11010111 10110101 11010111 A= 0101 KB-KDC = 11101001 10101011 11100100 01001101 B= 0011 M1= KA-KDC(A||B) = 01010011 XOR 10110101 KA-KDC M1 = 11100110 R1 A R1 KDC generates R1= 11011101 M2= KA-KDC( R1 || KB-KDC(A||R1) ) = 11011101 0101 11011101 XOR 1110 10011010 KB-KDC XOR 11010111 1011 01011101 KA-KDC M2 = 00001010 0000 00011010 A decrypts M2 to extract M3 KB-KDC(A||R1) = 0000 00011010 XOR 1011 01011101 KA-KDC M3 = 1011 01000111 Check by deciphering M3= KB-KDC(A||R1) = 1011 01000111 at Bob’s site XOR 1110 10011010 KB-KDC M3’ = 0101 11011101 A R1

The system is unconditionally secure if no keys are repeatedly used. The system is equivalent to the one-time-pad Vernam cipher. A block cipher like DES or AES can be deployed with fixed key of length say 128 bits. Keys are distributed once between users and key distribution center (N keys exchanged for N users). The used ciphers are not perfect compared with Vernam cipher and can be theoretically broken as their unicity distance is finite.