Chapter 7 Review Questions

Question 1. Confidentiality is the property that the original plaintext message cannot be determined by an attacker who intercepts the ciphertext-encryption of the original plaintext message. Message integrity is the property that the receiver can detect whether the message sent (whether encrypted or not) was altered in transit. The two are thus different concepts, and one can have one without the other. An encrypted message that is altered in transit may still be confidential (the attacker cannot determine the original plaintext) but will not have message integrity if the error is undetected. Similarly, a message that is altered in transit (and detected) could have been sent in plaintext and thus would not be confidential.

Question 2. A passive intruder only monitors ("sniffs," intercepts) messages. An active intruder can also monitor traffic, but will also actively send messages into the network.

Question 3. One important difference between symmetric and public key systems is that in symmetric key systems both the sender and receiver must know the same (secret) key. In public key systems, the encryption and decryption keys are distinct. The encryption key is known by the entire world (including the sender), but the decryption key is known only by the receiver.

Question 4. In this case, a known plaintext attack is performed. If, somehow, the message encrypted by the sender was chosen by the attacker, then this would be a chosen-plaintext attack.

Question 5. If each user wants to communicate with N other users, then each pair of users must have a shared symmetric key. There are N*(N-1)/2 such pairs and thus there are N*(N-1)/2 keys. With a public key system, each user has a public key which is known to all, and a private key (which is secret and only known by the user). There are thus 2N keys in the public key system.

Question 6. A nonce is used to ensure that the person being authenticated is "live." Nonces thus are used to combat playback attacks.

Question 7. Once in a lifetime means that the entity sending the nonce will never again use that value to check whether another entity is "live".

Question 8. In a man-in-the-middle attack, the attacker interposes him/herself between the sender and receiver, often performing some transformation (e.g., re-encoding or altering) of data between the sender and receiver. Man-in-the-middle attacks can be particularly pernicious since (as shown in Figure 7.13) the sender and receiver will each receive what the other has sent and, since they are using encryption, would think that they have achieved confidentiality.

Question 9. Suppose Bob sends an encrypted document to Alice. To be verifiable, Alice must be able to convince herself that Bob sent the encrypted document. To be non-forgeable, Alice must be able to convince herself that only Bob could have sent the encrypted document (e.g., no one else could have guessed a key and encrypted/sent the document). To be non-repudiable, Alice must be able to convince someone else that only Bob could have sent the document. To illustrate the latter distinction, suppose Bob and Alice share a secret key, and they are the only ones in the world who know the key. If Alice receives a document that was encrypted with the key, and knows that she did not encrypt the document herself, then the document is known to be verifiable and non-forgeable (assuming a suitably strong encryption system was used). However, Alice cannot convince someone else that Bob must have sent the document, since in fact Alice knew the key herself and could have encrypted/sent the document.

Question 10. One requirement of a message digest is that given a message M, it is very difficult to find another message M' that has the same message digest and, as a corollary, that given a message digest value, it is difficult to find a message M that has that given message digest value. We have "message integrity" in the sense that we have reasonable confidence that, given a message M and its signed message digest, the message was not altered since the message digest was computed and signed. This is not true of the Internet checksum, where we saw in Figure 7.18 that it is easy to find two messages with the same Internet checksum.

Question 11. A public-key signed message digest is "better" in that one need only encrypt (using the private key) a short message digest, rather than the entire message. Since public key encryption with a technique like RSA is expensive, it's desirable to have to sign (encrypt) a smaller amount of data than a larger amount of data.

Question 12. The message associated with a message digest value need not be encrypted. Encrypting the message provides for confidentiality, while the message digest provides for integrity: two different goals.

Question 13. A key distribution center is used to create and distribute a symmetric session key for two communicating parties, requiring only that the two parties each have their own symmetric key that allows them to encrypt/decrypt communication to/from the key distribution center. A certification authority binds an individual's identity with a public key. The CA signs that key with its (the CA's) private key. Thus, given the public key of a CA, one can retrieve the CA-signed public key for an entity, verify the CA's signature, and then have the CA-certified public key for an entity.

Question 14. The AH provides for authentication and message integrity, while ESP provides for authentication, integrity, and confidentiality.
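
To make Question 10's contrast concrete, the following added example (not part of the original solutions) computes the 16-bit Internet checksum and a digest over three constructed 12-byte messages, then goes one step further and shows that every reordering of a message's 16-bit words keeps the checksum. SHA-256 stands in for the message digest function, and the sample messages are constructed for this example.

```python
import hashlib
import itertools

def internet_checksum(data: bytes) -> int:
    """16-bit one's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"                            # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return ~total & 0xFFFF

def digest(data: bytes) -> str:
    # SHA-256 stands in for the message digest function (assumption).
    return hashlib.sha256(data).hexdigest()

# Constructed messages: identical except for two digits moved between words.
MESSAGES = [b"IOU100.99BOB", b"IOU900.19BOB", b"IOU200.89BOB"]

def word_permutations(data: bytes):
    """Every reordering of the 16-bit words of data (addition is commutative)."""
    words = [data[i:i + 2] for i in range(0, len(data), 2)]
    return {b"".join(p) for p in itertools.permutations(words)}

def collision_report(messages):
    """Return (number of distinct checksums, number of distinct digests)."""
    return (len({internet_checksum(m) for m in messages}),
            len({digest(m) for m in messages}))

if __name__ == "__main__":
    for m in MESSAGES:
        print(m.decode(), hex(internet_checksum(m)), digest(m)[:16])
    variants = word_permutations(MESSAGES[0])
    print(len(variants), "reorderings ->", collision_report(variants))
```

A single checksum value shared by many distinct messages is what rules the Internet checksum out as an integrity check against deliberate alteration, while the digest separates every variant.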

Chapter 7 Problems

Problem 1. The encoding of "This is an easy problem" is "uasi si my cmiw lokngch". The decoding of "rmij'u uamu xyj" is "wasn't that fun".

Problem 2. If Trudy knew that the words "bob" and "alice" appeared in the text, then she would know the ciphertext for b, o, a, l, i, c, e (since "bob" is the only palindrome in the message, and "alice" is the only 5-letter word). If Trudy knows the ciphertext for 7 of the letters, then she only needs to try 19!, rather than 26!, plaintext-ciphertext pairs. The difference between 19! and 26! is 26*25*24...*20, which is 3315312000, or approximately 10^9.

Problem 3. Every letter in the alphabet appears in the phrase "The quick fox jumps over the lazy brown dog." Given this phrase in a chosen plaintext attack (where the attacker has both the plain text and the ciphertext), the Caesar cipher would be broken - the intruder would know the ciphertext character for every plaintext character. However, the Vigenere cipher does not always translate a given plaintext character to the same ciphertext character each time, and hence a Vigenere cipher would not be immediately broken by this chosen plaintext attack.

Problem 4. We are given p = 3 and q = 11. We thus have n = 33 and q = 11. Choose e = 9 (it might be a good idea to give students a hint that 9 is a good value to choose, since the resulting calculations are less likely to run into numerical stability problems than other choices for e), since 3 and (p-1)*(q-1) = 20 have no common factors. Choose d = 9 also, so that e*d = 81 and thus e*d - 1 = 80 is exactly divisible by 20. We can now perform the RSA encryption and decryption using n = 33, e = 9 and d = 9.

letter   m    m**e           ciphertext = m**e mod 33
h        8    134217728      29
e        5    1953125        20
l        12   5159780352     12
l        12   5159780352     12
o        15   38443359375    3

ciphertext   c**d              m = c**d mod n   letter
29           14507145975869    8                h
20           512000000000      5                e
12           5159780352        12               l
12           5159780352        12               l
3            19683             15               o

Problem 5.

Bob does not know if he is talking to Trudy or Alice initially. Bob and Alice share a secret key KA-B that is unknown to Trudy. Trudy wants Bob to authenticate her (Trudy) as Alice. Trudy is going to have Bob authenticate himself, and waits for Bob to start:

1. Bob-to-Trudy: "I am Bob" Commentary: Bob starts to authenticate himself. Bob's authentication of himself to the other side then stops for a few steps.
2. Trudy-to-Bob: "I am Alice" Commentary: Trudy starts to authenticate herself as Alice.
3. Bob-to-Trudy: "R" Commentary: Bob responds to step 2 by sending a nonce in reply. Trudy does not yet know KA-B(R), so she cannot yet reply.
4. Trudy-to-Bob: "R" Commentary: Trudy responds to step 1, now continuing Bob's authentication, picking as the nonce for Bob to encrypt the exact same value that Bob sent her to encrypt in Step 3.
5. Bob-to-Trudy: "KA-B(R)" Bob completes his own authentication of himself to the other side by encrypting the nonce he was sent in step 4. Trudy now has KA-B(R). (Note: she does not have, nor need, KA-B.)
6. Trudy-to-Bob: "KA-B(R)" Trudy completes her authentication, responding to the R that Bob sent in step 3 above with KA-B(R). Since Trudy has returned the properly encrypted nonce that Bob sent in step 3, Bob thinks Trudy is Alice!

Problem 6.

This wouldn't really solve the problem. Just as Bob thinks (incorrectly) that he is authenticating Alice in the first half of Figure 7.14, so too can Trudy fool Alice into thinking (incorrectly) that she is authenticating Bob. The root of the problem is that neither Bob nor Alice can tell whether the public key they are getting is indeed the public key of Alice or Bob.

Problem 7.

As discussed in section 7.4.2, full blown encryption is more computationally complex than a message digest such as MD5.
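
The six-message exchange of Problem 5, as an added example that is not part of the original solutions: it models Bob's side of the protocol and shows why echoing his own nonce back is accepted, and why it is rejected once each answer is bound to the name of the party producing it. HMAC-SHA256 stands in for KA-B(R), and the class, function names and the identity-binding fix are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

K_AB = secrets.token_bytes(32)  # constructed key known to Alice and Bob only

def response(key: bytes, nonce: bytes, sender: bytes, bind: bool) -> bytes:
    """Stand-in for KA-B(R). With bind=True the sender's name is mixed in,
    so an answer produced by Bob is never valid as an answer from Alice."""
    msg = sender + b"|" + nonce if bind else nonce
    return hmac.new(key, msg, hashlib.sha256).digest()

class Bob:
    def __init__(self, key: bytes, bind: bool):
        self.key, self.bind, self.pending = key, bind, None

    def send_challenge(self) -> bytes:                   # step 3: Bob sends R
        self.pending = secrets.token_bytes(16)
        return self.pending

    def answer_challenge(self, nonce: bytes) -> bytes:   # step 5: Bob answers
        return response(self.key, nonce, b"Bob", self.bind)

    def accept_as_alice(self, reply: bytes) -> bool:     # check after step 6
        expected = response(self.key, self.pending, b"Alice", self.bind)
        return hmac.compare_digest(expected, reply)

def reflected_exchange(bind: bool) -> bool:
    """A peer without K_AB hands Bob's nonce and Bob's own answer back to him."""
    bob = Bob(K_AB, bind)
    r = bob.send_challenge()             # step 3
    echoed = bob.answer_challenge(r)     # steps 4-5: same R returned to Bob
    return bob.accept_as_alice(echoed)   # step 6

def honest_exchange(bind: bool) -> bool:
    """Alice, who holds K_AB, answers Bob's nonce herself."""
    bob = Bob(K_AB, bind)
    r = bob.send_challenge()
    return bob.accept_as_alice(response(K_AB, r, b"Alice", bind))

if __name__ == "__main__":
    for bind in (False, True):
        print("bind =", bind, "| reflected accepted:", reflected_exchange(bind),
              "| honest accepted:", honest_exchange(bind))
```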

Problem 8.

The message

I O U 2
0 0 . 8
9 B O B

has the same checksum.

Problem 9. If Alice wants to ensure that the KDC is live (that is, the messages she will be receiving back from the KDC are not part of a playback attack), she can include a nonce R0 in the initial message (KA-KDC(A, B, R0)) to the KDC. The KDC would then include R1 in the reply back to Alice, thus proving the KDC is indeed live. Note that it is already assumed that only the KDC and Alice know the key to decrypt KA-KDC(A, B, R0).

Problem 10. The message from Alice is encoded using a key that is only known to Alice and the KDC. Therefore the KDC knows (by definition) that anyone using the key must be Alice. It is interesting to think about what damage Trudy could do if she obtains Alice's key. In this case, she can impersonate Alice to anyone; see also the answer to question 11.

Problem 11. If the KDC goes down, no one can communicate securely, as a first step in communication (see Figure 7.19) is to get the one-time session key from the KDC. If the CA goes down, then as long as the CA's public key is known, one can still communicate securely using previously-issued certificates (recall that once a certificate is issued, the CA is not explicitly involved in any later communication among parties using the CA's certificate). Of course, if the CA goes down, no new certificates can be issued.

Problem 12.

Datagram   Source IP addr                                  Dest IP addr                    desired action   action under R1, R2, R3   action under R2, R1, R3
P1         111.11.11.1 (hacker subnet)                     222.22.6.6 (corp.net)           deny             deny (R2)                 deny (R2)
P2         111.11.11.1 (hacker subnet)                     222.22.22.2 (special subnet)    permit           permit (R1)               deny (R2)
P3         111.11.6.6 (univ. net, not hacker subnet)       222.22.22.2 (special subnet)    permit           permit (R1)               permit (R1)
P4         111.11.6.6 (univ. net, not hacker subnet)       222.22.6.6 (corp. net)          deny             deny (R3)                 deny (R3)

Under the ordering R1, R2, R3, removing R2 would have no effect. Note that under this ordering, R2 is only involved in the denial of P1. Since P1 would also be denied under R3, the removal of P2 would have no effect. Under the ordering R2, R1, R3, if R2 is removed, then P2 would be admitted.

Problem 13.

[Figure: block diagram of the message exchange across the Internet. Recoverable labels: m, H( ), H(m), KA, KA(H(m)), KS, KS( ), KS(m, KA(H(m))), KB, KB( ), KB(KS), compare H(m).]