Exam Security January 19, :30 11:30

Similar documents
Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Question: Total Points: Score:

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lecture 1: Introduction to Public key cryptography

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Problem 1. k zero bits. n bits. Block Cipher. Block Cipher. Block Cipher. Block Cipher. removed

Practice Assignment 2 Discussion 24/02/ /02/2018

SIGNATURE SCHEMES & CRYPTOGRAPHIC HASH FUNCTIONS. CIS 400/628 Spring 2005 Introduction to Cryptography

Solution of Exercise Sheet 7

ECS 189A Final Cryptography Spring 2011

Public Key Cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

Asymmetric Encryption

2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms

ASYMMETRIC ENCRYPTION

CPSC 467: Cryptography and Computer Security

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

March 19: Zero-Knowledge (cont.) and Signatures

RSA RSA public key cryptosystem

CRYPTOGRAPHY AND NUMBER THEORY

1 Number Theory Basics

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Chapter 8 Public-key Cryptography and Digital Signatures

University of Regina Department of Mathematics & Statistics Final Examination (April 21, 2009)

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Cryptography IV: Asymmetric Ciphers

Introduction to Cybersecurity Cryptography (Part 4)

Number theory (Chapter 4)

Ex1 Ex2 Ex3 Ex4 Ex5 Ex6

Solutions to the Midterm Test (March 5, 2011)

Lecture 22: RSA Encryption. RSA Encryption

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

CPSC 467b: Cryptography and Computer Security

Public Key Cryptography

ENEE 459-C Computer Security. Message authentication (continue from previous lecture)

Introduction to Cybersecurity Cryptography (Part 4)

You submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.

Final Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.

Public Key Cryptography

Cryptography and Security Final Exam

Mathematical Foundations of Public-Key Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Lecture 28: Public-key Cryptography. Public-key Cryptography

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Cryptography. P. Danziger. Transmit...Bob...

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Introduction to Modern Cryptography. Benny Chor

Solution to Midterm Examination

Algorithmic Number Theory and Public-key Cryptography

CIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography

Winter 2008 Introduction to Modern Cryptography Benny Chor and Rani Hod. Assignment #2

MATH UN Midterm 2 November 10, 2016 (75 minutes)

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Public-Key Cryptosystems CHAPTER 4

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

Authentication. Chapter Message Authentication

Introduction to Cryptography k. Lecture 5. Benny Pinkas k. Requirements. Data Integrity, Message Authentication

Public-Key Encryption: ElGamal, RSA, Rabin

Cryptography. pieces from work by Gordon Royle

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Introduction to Modern Cryptography. Benny Chor

Mathematics of Cryptography

Lecture Notes, Week 6

Lecture 7: ElGamal and Discrete Logarithms

Hashes and Message Digests Alex X. Liu & Haipeng Dai

Lecture V : Public Key Cryptography

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Security II: Cryptography exercises

Elliptic Curves. Giulia Mauri. Politecnico di Milano website:

The RSA public encryption scheme: How I learned to stop worrying and love buying stuff online

Great Theoretical Ideas in Computer Science

Public Key Algorithms

Cryptographical Security in the Quantum Random Oracle Model

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

DM49-2. Obligatoriske Opgave

Other Public-Key Cryptosystems

Cryptographic Protocols Notes 2

Fundamentals of Modern Cryptography

Leftovers from Lecture 3

CPSC 467b: Cryptography and Computer Security

Digital Signatures. p1.

Cryptographic Hashes. Yan Huang. Credits: David Evans, CS588

The security of RSA (part 1) The security of RSA (part 1)

10 Modular Arithmetic and Cryptography

CODING AND CRYPTOLOGY III CRYPTOLOGY EXERCISES. The questions with a * are extension questions, and will not be included in the assignment.

Lecture 5, CPA Secure Encryption from PRFs

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Biomedical Security. Overview 9/15/2017. Erwin M. Bakker

1/ 17 2/20 3/19 4/12 5/14 6/13 7/10 Total /105. Please do not write in the spaces above.

dit-upm RSA Cybersecurity Cryptography

10 Concrete candidates for public key crypto

Introduction to Cryptography Lecture 4

Transcription:

Exam Security January 19, 2016. 8:30 11:30 You can score a maximum of 100. Each question indicates how many it is worth. You are NOT allowed to use books or notes, or a (smart) phone. You may answer in Dutch or in English. Read each exercise carefully (RTFE). Please write clearly, and don t forget to put your name and student number on each page that you hand in. Keep the scrap paper for yourself. You can keep this exam too, but don t forget to return the calculator! Tip: describe the formula or method of calculation explicitly before you start computing; it will give you some, if correct, even if you don t manage to finish the computation. 1. (18 ) (protocols, hashing, public key crypto, one-time-pad) Consider the following scenario, where Alice sends a (plaintext) message m to Bob, followed by a message-authentication-code (MAC) on this message m. The goal is to ensure integrity of the message transfer. Different forms of MAC will be considered below. A B : m, MAC(m). Briefly explain for the different MAC options (a) (c) below: what Bob has to do to check the integrity of the message m; start your answer as follows: Bob receives a pair m, M and... whether or not the particular MAC guarantees integrity; if not, explain how integrity can be compromised...... Grading for all sub-questions (6 each): Correct integrity check method 2 if secure: For stating that the scheme is secure 4 For giving an (unneeded) incorrect argument -2 if not secure: For stating that the scheme is not secure 2 For briefly explaining why 2..... (a) (6 ) MAC(m) = h(k m), where h is a secure hash function, K is a secret key that only A, B know, and is used for concatenation; Upon receiving m, MAC Bob checks if h(k m ) = MAC = h(k m), if so, then m is the original message m that A sent.

This is secure, since an attacker does not have K, and so cannot produce a valid MAC h(k m ) for an altered message m. (b) (6 ) MAC(m) = [m] da, where d A is the private RSA key of Alice. Upon receiving m, MAC Bob uses Alice s public key e A to turn MAC = [m] da into m, and checks if m = m. This is secure, because an attacker does not have Alice s private key d A, and so cannot produce such a MAC [m ] da for a modified message m. Erratum: Specifically for RSA, however, this is not secure. This is due to the malleability of RSA ciphertexts, allowing an attacker to randomize both m and [m] da to obtain m and [m ] da. Similarly, one could simply take a random number r, use that as value for the MAC, and derive m = [r] ea. As we had also overlooked this initially, accept both interpretations. (c) (6 ) MAC(m) = K m, where is bitwise XOR, and K is a secret key that only A, B know (of the same length as the message m). Upon receiving m, MAC, Bob computes m = K MAC, and checks if m = m. This is not secure, since an attacker can obtain K = m MAC(m) = m (K m). Then he can send his own modified message m, K m, which passes the test by Bob. 2. (18 ) hash functions, protocols, one-time-pads Suppose Alice and Bob have agreed on a shared a key K, when they physically met a long time ago. At this moment Alice wants to check that Bob still possesses this same key K. She sends Bob the following (plaintext) message. A B : Hi Bob, prove to me that you still have our secret key We consider the following three different options (a) (c) for follow-up messages to this protocol line ( ). Assume that h is a cryptographic hash function. The main questions for each of the three cases below are whether Bob s answer is convincing and, whether an attacker can obtain the key K. (a) (6 ) Bob answers ( ) directly by: B A : here is its hash, h(k) ( ) Which property of the hash function h are re- Is this convincing and secure? quired? Yes, this is convincing if the hash function is collision-resistant and/or second preimage resistant and secure if the hash function is one-way. Explanation:

If Bob chooses a different key K and hashes it instead of K by mistake, then the resulting hash h(k ) must not equal h(k). This means that the hash function must be collision-free. Then Alice can be convinced that the hash she has received from Bob is indeed the hash of the key K, not of any arbitrary key K. Alice expects the hash of key K; if Bob manages to find another input K such that h(k) = h(k ), then he could still convince Alice (maliciously). So the hash function should also be second-preimage resistant to convince Alice. Collision resistance 3 One wayness 3 (b) (6 ) The protocol ( ) now continues as: A B : N B A : h(n K) (a fresh nonce) You may now assume that h is a secure hash function. Is this convincing and secure? What advantages, if any, does this protocol offer with respect to the previous one? This protocol is equally convincing. In the case of the first protocol, attacker can reply with the intercepted message h(k), and make Alice think that Bob still has K, whereas he may have lost K. The current protocol has advantages over the first protocol because if Alice poses the same question again in the future with a different nonce, an attacker cannot replay the hash of the key with the old nonce. But if it is a one time query from Alice, then adding nonce does not make much difference. From that perspective the advantage gained by this protocol is small. replay possibility 6 (c) (6 ) Consider now the follow-up steps to ( ) described below, where is bitwise XOR, like before. A B : X, B A : Y, where X = K N and N is a fresh nonce, with the length of K where Y = X K Is this convincing and secure? This is insecure (and thus not convincing after the first run): the attacker can obtain X Y = K N K N K = K.

For pointing out that it is insecure 2 Correct method to obtain the key K 4 3. (12 ) (hash properties, modular arithmetic) For this exercise, assume that x is a natural number. (a) (6 ) Consider the function h(x) = 3x+2 mod 9 as hash function. Show that it is not second pre-image resistant, starting with input x = 3. We have h(1) = 5, h(2) = 8, h(3) = 2, h(4) = 5, h(5) = 8, h(6) = 2. Hence we found another input, namely 6 with h(6) = 2 = h(3). h(3) = 2 2 correct form: we need to find x with h(x) = h(3) 2 correct calculations 2 (b) (6 ) Consider h(x) = 5x+3 mod 11 and show that it is not collision resistant. h(1) = 8, h(2) = 2, h(3) = 7, h(4) = 1, h(5) = 6, h(6) = 0, h(7) = 5, h(8) = 10, h(9) = 4, h(10) = 9, h(11) = 3, h(12) = 8. Hence h(1) = h(12). correct form: we need to find x, y with h(x) = h(y) 2 correct calculations 4 4. (28 ) RSA system, modular arithmetic Take p = 7 and q = 23 as prime numbers for RSA. (a) (4 ) Compute n and ϕ(n). n = p q = 7 23 = 161, ϕ(n) = (p 1) (q 1) = 6 22 = 132.

Grading (total 5): Correct formula for n and ϕ(n) 2 Correct computation 2 (b) (4 ) We could set the public exponent e = 3. Why does that not work out? We need e and ϕ(n) to be co-prime, i.e. gcd(e, ϕ(n)) = 1. Grading (total 5): Correct explanation 4 (c) (6 ) Instead, we set e = 5. Find the corresponding private exponent d. Describe your computations. We need to invert e mod ϕ(n), i.e. find d such that d 5 1 mod 132. 132 26 5 = 2 5 2 2 = 1 So 1 = 5 2 (132 26 5) = 53 5 2 132, so d = 53. Correct computation 3 correct value of d 3 (d) (8 ) Sign the message m = 17 to obtain signature s. Include calculation details. s = m d = 17 53 145 mod 161

Explicitly, via square and multiply: 17 53 = 17 (17 2 ) 26 = 17 128 26 since 17 2 = 289 = 128 = 17 (128 2 ) 13 = 17 (123) 13 since 128 2 = 16384 = 16384 101 161 = 123 = 17 123 (123 2 ) 6 = 2091 ( 5) 6 since 123 2 = 15129 = 15129 94 161 = 5 = 159 (( 5) 2 ) 3 = 159 25 3 = 159 25 25 2 = 111 625 = 111 142 = 15762 = 145. Grading (total 8): Correct formula for signature 2 application of square and multiply method 2 correct computation 4 (e) (6 ) Verify the signature s. Show how you do this. m = s e = 145 5 17 mod 161 Explicitly: 145 5 = 145 (145 2 ) 2 = 145 95 2 since 145 2 = 21025 = 21025 130 161 = 95 = 145 9 since 95 2 = 9025 = 9025 56 161 = 9 = 1305 = 1306 8 161 = 17 Correct formula for signature verification 2 application of square and multiply method 2 correct verification 2

5. (24 ) ElGamal public key crypto, modular calculation, insight into the cipher Consider the ElGamal encryption scheme with generator g = 2, modulo p = 19, private key x = 7 and public key y = g x = 2 7 = 14 mod 19. (a) (6 ) Decrypt the cipher text (c 1, c 2 ), where c 1 = 13 and c 2 = 4. c x 1 c p 1 x 1 = 13 19 1 7 = 13 11 2 mod 19. Alternative: egcd to compute c 1 1 3 mod 19, then c x 1 = (c 1 1 ) x = 3 7 2 mod 19. m = c 2 c x 1 = 4 2 = 8. Another, complicated version that students will probably follow: c x 1 = 13 7 = 13 (13 2 ) 3 = 13 169 3 = 13 17 3 = 13 17 17 2 = 221 289 = 12 4 = 48 = 10. Next, 1 10 mod 19 = 2, since 2 10 = 20 = 1. Hence: c 2 c x 1 = 4 2 = 8. Correct formula 2 x Correct computation of c 1 2 (Correct computation of c x 1, if this route is taken 1) Correct decryption 2 (b) (6 ) Let s = 6. Now compute the pair (d 1, d 2 ) = (g s c 1, y s c 2 ) mod p. (d 1, d 2 ) = (g s c 1, y s c 2 ) = (2 6 13, 14 6 4) (15, 9) mod 19

More explicitly 2 6 = 64 = 7 and: 14 6 = (14 2 ) 3 = 196 3 = 6 3 = 6 36 = 6 17 = 102 = 7. Thus: (d 1, d 2 ) = (7 13, 7 4) = (91, 28) = (15, 9) correct g s = 7 2 correct y s = 7 2 correct final result 2 (c) (6 ) Decrypt the cipher text (d 1, d 2 ) that you obtained in (b). d 1 x d 1 p 1 x = 15 19 1 7 = 15 11 3 mod 19 m = d 2 d 1 x = 9 3 8 mod 19 Explicit route: d x 1 = 15 7 We have 1 13 = 15 (15 2 ) 3 = 15 225 3 = 15 16 3 = 15 16 16 2 = 240 256 = 12 9 = 72 = 13. = 3 mod 19 since 3 13 = 39 = 1. Hence: d 2 d x 1 = 9 3 = 27 = 8. Note that solutions that use a (valid) proof obtained in (d) are also accepted.

Correct formula 2 x Correct computation of d 1 2 (Correct computation of d x 1, if this route is taken 1) Correct decryption 2 (d) (6 ) Now assume s is any random number and that (c 1, c 2 ) is an arbitrary cipher text. Prove that in general the re-randomised cipher text (g s c 1, y s c 2 ) decrypts to the same message as (c 1, c 2 ). (g s c 1, y s c 2 ) decrypts to: y s c 2 (g s c 1 ) x = (gx ) s c 2 (g s ) x c x 1 = gxs c 2 g xs c x 1 = c 2 c x 1 which is also the decryption of (c 1, c 2 ). Grading (total 4): apply correct decryption formula 2 distribute exponent correctly 2 correct cancelling 2........... Finally we have a toetsmatrix, relating the original goals of the course to the exercises: goal exercise recognise security goals 1, 2 hash functions 1,2,3 public key crypto 4,5 secret key crypto 1,2 protocols 1,2..........

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback