This homework is due in class, February 17, 2000. If you prefer to e-mail your solution, submit it in some Unix-palatable format such as a LaTeX file, PostScript, PDF, HTML, etc. Send your e-mail to dwallach+comp527@cs.rice.edu. If it's in my inbox before class begins, it counts as on-time.
Honor code stuff: read your book, surf the Web, and so forth. Your written assignment should be your own work. If you use a source you find on the Web or a book beyond our course textbook, you should cite it. Just don't go looking for the answers in other online courses' solution sets...
1. Simple substitution ciphers.
Let's take the English alphabet and make a permutation, so that we change each letter to some other letter. Now let's change each symbol of plain text according to our permutation. We have a simple substitution cipher.
1) What is the key?
2) How many keys are possible?
3) How would you do a brute force attack to decrypt a message? Provide pseudocode.
4) If we apply the cipher twice with different keys, does it increase security? What about three times?
5) Suppose you're given a table with occurrence frequencies for all English letters. How would you implement a frequency-based analysis? Provide pseudocode.
2. Seeds for random number generators.
One of the most important problems in crypto is to generate a "good" sequence of random numbers. Usually a random generator requires a seed to start such a sequence. Here are several ideas:
- use the response time for hard disk requests
- use mouse motion generated by the user
- use the frequencies of user key-strokes
- use the response time for network calls
For each of the above, show in detail how you can get a seed. Estimate how many random bits you can get per second. What restrictions do you see for using each of these methods? Suggest some other (hardware or software) methods for getting a good seed.
3. One-way hash functions.
1) What is a one-way hash function? (be careful!) What does a collision mean?
2) Suppose you don't have a pre-existing hash function like MD5 or SHA-1. The only thing you have is a block cipher, e.g. DES. You want a one-way hash function. Design one using DES.
3) Design a one-way hash function h() such that:
- it's easy to find many (x,y) pairs where x != y such that h(x)=h(y)
AND
- given only h(x), it's hard to find a pair (x,y) such that x != y, yet h(x)=h(y)
4. DES in OFB mode.
1) What are the two problems of using DES in OFB mode?
2) The most advanced security services that can be obtained by using DES in OFB mode are:
- authentication and non-repudiation
- integrity and authentication
- confidentiality and non-repudiation
- confidentiality and authentication
3) What is the average cycle length of a keystream in the case when the feedback block size is equal to the plain text block size (64 bits)?
5. Modular arithmetic.
Some useful theory:
1) gcd = greatest common divisor
2) to find gcd(a,b) you can use Euclid's algorithm:
    EUCLID(a, b)
        if b=0 then return a
        else return EUCLID(b, a mod b)
3) Extended Euclid's algorithm:
Given integers a, b and d = gcd(a, b), find integers x and y such that d = a*x + b*y
    Extended-EUCLID(a, b)
        if b=0 then return (a, 1, 0)
        (d', x', y') := Extended-EUCLID(b, a mod b)
        (d, x, y) := (d', y', x' - trunc(a/b)*y')
        return (d, x, y)
4) Fermat's Little Theorem. For a prime p and any g != 0 mod p we have: g^(p-1)=1 mod p
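As an added illustration of the theory above (this is not part of the original assignment), here is Python for Euclid's algorithm, the extended form, and the two routes to a modular inverse that it and Fermat's theorem give you; the inputs are constructed and differ from the homework's own problems:

```python
# Added example for the "useful theory" above; not part of the assignment.
# Sample inputs below are constructed and differ from the homework problems.

def euclid(a: int, b: int) -> int:
    """gcd(a, b): iterative form of the recursive EUCLID pseudocode above."""
    while b != 0:
        a, b = b, a % b
    return a


def extended_euclid(a: int, b: int) -> tuple:
    """Return (d, x, y) with d = gcd(a, b) and d = a*x + b*y (Extended-EUCLID)."""
    if b == 0:
        return (a, 1, 0)
    d, x1, y1 = extended_euclid(b, a % b)
    # Same update as the pseudocode: (d, x, y) := (d', y', x' - trunc(a/b)*y')
    # (a // b equals trunc(a/b) for the non-negative operands used here)
    return (d, y1, x1 - (a // b) * y1)


def modpow(g: int, e: int, m: int) -> int:
    """g^e mod m by square-and-multiply: O(log e) modular multiplications."""
    result, g = 1, g % m
    while e > 0:
        if e & 1:
            result = result * g % m
        g = g * g % m
        e >>= 1
    return result


def inverse_euclid(x: int, p: int) -> int:
    """x^(-1) mod p from the Bezout coefficient; needs only gcd(x, p) = 1."""
    d, s, _ = extended_euclid(x, p)
    if d != 1:
        raise ValueError("no inverse: gcd(%d, %d) = %d" % (x, p, d))
    return s % p


def inverse_fermat(x: int, p: int) -> int:
    """x^(-1) mod p as x^(p-2) mod p; correct only when p is prime."""
    return modpow(x, p - 2, p)


if __name__ == "__main__":
    print(euclid(240, 46))                               # 2
    print(extended_euclid(240, 46))                      # (2, -9, 47)
    print(inverse_euclid(3, 11), inverse_fermat(3, 11))  # 4 4
```

Note that the Fermat route silently returns a wrong value for a composite modulus, while the extended-Euclid route works for any modulus coprime to x.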
Problems:
1) Without using a computer or calculator, compute (and show your work):
- 2^300 mod 13
- 3^40 mod 83
2) Compute gcd(5865, 3162) using Euclid's algorithm
3) What is another way of computing gcd? Do you think it's feasible for large integers?
4) Give 2 ways (not brute force) of finding the inverse of a number. An inverse x^(-1) of a number x is defined such that x * x^(-1) = 1 mod p. Analyze their runtime complexity.
5) Compute:
- 5^(-1) mod 17
- 7^(-1) mod 2531
6) Prove Euclid's algorithm. Estimate the running time of Euclid's algorithm (Hint: use the Fibonacci numbers).
6. Man-in-the-middle attacks.
1) What exactly is a man-in-the-middle attack? In what kinds of real-world scenarios would an attacker be able to mount a man-in-the-middle attack?
2) Consider the basic Diffie-Hellman protocol. Present a message-by-message run of the protocol where a man-in-the-middle compromises the system.
3) Is it possible to design an extension to Diffie-Hellman that thwarts a man-in-the-middle attack? If so, how would you do it? If not, why not?
7. Protocol design (the problem is from MIT; designed by Ronald Rivest)
Design and analyze a protocol for the following situation.
Alice is an employee of ABC Corp. She has a public RSA key Pa and a secret RSA key Sa. ABC has many PCs, any one of which Alice may wish to sit down at and log in to. All the PCs run the same software, and all are connected to a central ABC server via a network. The server is capable of storing user files remotely and securely, and capable of performing cryptographic operations securely. Assume that the PC and server software is secure, but that the network connection is not secure.
Alice wishes to use her secret key Sa to sign documents, etc. However, she does not have a smart card or any secure way of carrying her secret key with her from PC to PC. Alice is, however, capable of remembering a password.
Your answer should show:
- How the server can store an encrypted form of Alice's secret key.
- How Alice can securely download the secret key from the server.
- How well your protocol protects Alice's secret key from various attacks, including at least:
  1. An off-line dictionary search for Alice's password by a passive eavesdropper who overhears Alice download her secret key (your solution should definitely protect Alice against this threat).
  2. An attack on Alice's secret key by a corrupted server.
  3. An on-line attack by someone attempting to impersonate Alice to the server.
  4. An on-line attack by someone attempting to impersonate the server to Alice.
You should also try to be efficient, and minimize the number of messages required by the protocol.
(Hint: consider modifications to Diffie-Hellman or RSA.)
8. Exercise 12.11 (course book)
Modify the Needham-Schroeder key exchange protocol so that both parties A and B can contribute input to the generation of the session key.