SLIDE 1

CS 683 - Security and Privacy Spring 2018

Instructor: Karim Eldefrawy

University of San Francisco

http://www.cs.usfca.edu/~keldefrawy/teaching/spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw)


SLIDE 2

Homework 1 Answers

SLIDE 3

4 [5 pts] Block Cipher

For each block cipher mode (CBC, OFB, CFB, CTR), explain the precise consequences of a 1-bit error in a single block of ciphertext (the i-th block). Assume that there are n > i plaintext (and ciphertext) blocks.

Solution:
  • CBC: it will mess up the whole corresponding plaintext block and invert the corresponding bit in the next plaintext block.
  • OFB: it will invert the corresponding bit in the corresponding plaintext block.
  • CFB: it will invert the corresponding bit in the same plaintext block and mess up the whole next plaintext block.
  • CTR: it will invert the corresponding bit in the corresponding plaintext block.

SLIDE 4

5 [4 pts] Applications of Block Cipher Modes (CBC, OFB, CFB, CTR)

Answer the following question. If more than one answer exists, provide and briefly justify all of them.
(a) A user wants to encrypt an incoming stream of audio data. Which block cipher mode(s) should be used?
(b) A user wants to take advantage of multiprocessing for encrypting her data. Which block cipher mode(s) should be used?
(c) A user wants to construct a message authentication code (MAC) on a message. Which block cipher mode(s) should be used?
(d) A user wants to transmit an encrypted message through a noisy communication channel where ciphertext blocks can sometimes be swapped. The user wants to ensure that the decryptor can detect this side-effect when it happens, regardless of the value and pattern of the plaintext. Which block cipher mode(s) should be used?

SLIDE 5

Solution:
(a) CFB, OFB and CTR, since these modes support encrypting less than a block size. Alternate correct answers: OFB and CTR are also accepted if the justification mentions that error will be minimized or a key-stream can be pre-computed.
(b) CTR, since its encryption algorithm can be carried out in parallel. Alternate correct answers: OFB is also accepted if the justification mentions that the key-stream can be pre-computed in advance, which makes only the final operation (⊕) parallelizable.
(c) CBC and CFB. Recall that a MAC is used for providing integrity of a message and is generally sent along with that message. To construct a MAC from other modes, we can just encrypt a message normally using that block cipher mode, take only the last ciphertext block and use it as the MAC. CTR and OFB should not be used as a MAC because they cannot guarantee the integrity of a message, since each ciphertext block is independent of the other ciphertext blocks. This would allow an adversary to add, delete or swap any plaintext blocks before the last block, which still results in the same MAC as the original plaintext. This is, however, not true for CBC and CFB, since their ciphertext blocks depend on previous blocks. MAC mode is also accepted as a correct answer.
(d) CBC, CFB, OFB and CTR. All of them support detection of block rearrangement.
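An added example, not from the course slides, that reproduces the HW1 Q4 propagation table and the Q5(c) observation about using the last ciphertext block as a MAC. It uses a constructed 4-round Feistel toy cipher (SHA-256 as round function) in place of a real block cipher; the key, IV and plaintext blocks are constructed values.

```python
import hashlib
BS = 16  # block size in bytes of the constructed toy cipher (stand-in for AES)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc_block(k, b):
    # 4-round Feistel with SHA-256 as round function: a keyed bijection on 16 bytes
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, hashlib.sha256(k + bytes([i]) + r).digest()[:8])
    return r + l

def dec_block(k, b):
    r, l = b[:8], b[8:]  # undo the final swap, then run the rounds backwards
    for i in reversed(range(4)):
        l, r = xor(r, hashlib.sha256(k + bytes([i]) + l).digest()[:8]), l
    return l + r

def crypt(mode, k, iv, blocks, decrypt=False):
    # CFB/OFB/CTR decrypt with the same keystream XOR; only CBC needs dec_block
    out, prev, ctr = [], iv, int.from_bytes(iv, "big")
    for i, x in enumerate(blocks):
        if mode == "CBC":
            y = xor(dec_block(k, x), prev) if decrypt else enc_block(k, xor(x, prev))
            prev = x if decrypt else y          # chain on the ciphertext block
        elif mode == "CFB":
            y = xor(x, enc_block(k, prev)); prev = x if decrypt else y
        elif mode == "OFB":
            prev = enc_block(k, prev); y = xor(x, prev)
        else:  # CTR
            y = xor(x, enc_block(k, ((ctr + i) % 2**128).to_bytes(BS, "big")))
        out.append(y)
    return out

K, IV = b"k" * BS, bytes(range(BS))       # constructed key and IV
PT = [bytes([b]) * BS for b in range(4)]  # four constructed plaintext blocks

def damage_report(mode, i=1):  # HW1 Q4: one flipped bit in ciphertext block i
    ct = crypt(mode, K, IV, PT)
    ct[i] = bytes([ct[i][0] ^ 0x80]) + ct[i][1:]
    diffs = [bin(int.from_bytes(xor(p, q), "big")).count("1")
             for p, q in zip(PT, crypt(mode, K, IV, ct, decrypt=True))]
    return ["ok" if d == 0 else "1 bit" if d == 1 else "garbled" for d in diffs]

def swap_changes_mac(mode):  # HW1 Q5(c): is the last ciphertext block a usable MAC?
    swapped = [PT[1], PT[0]] + PT[2:]        # two earlier blocks exchanged
    return crypt(mode, K, IV, PT)[-1] != crypt(mode, K, IV, swapped)[-1]
```

`damage_report("CBC")` gives `["ok", "garbled", "1 bit", "ok"]` and `swap_changes_mac("CTR")` is `False`, matching the two answers above.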

SLIDE 6

Homework 2 Answers

SLIDE 7

2 [5 pts total] Fill In The Blanks

  • 1. The digest size of SHA-1 is 160 bits.
  • 2. The block size of MD5 is 512 bits.
  • 3. A prefix MAC construction, i.e. H(K_AB || m), cannot provide the integrity of a message because it allows concatenation with an arbitrary message.
  • 4. The inverse of 9 in Z*_11 is 5.
  • 5. ord(9) in Z*_11 = 5.
  • 6. If α is a primitive element in Z*_p for a prime p, this means ord(α) equals p-1.
  • 7. The Square-and-Multiply algorithm can be used to compute 5^8 mod 9 in 3 (if you start with tmp = 5) or 4 (if you start …) iterations.
  • 8. The Digital Signature Standard (DSS) is a variant of the El Gamal signature scheme.
  • 9. The Extended Euclidean Algorithm can be used to speed up the calculation of the private exponent in RSA encryption, given a public exponent (e) and the modulus factors (p and q).
  • 10. In the RSA signature scheme, a signature of a message m can be created by computing y = m^d mod n, whereas the signature can be verified by testing whether m = y^e mod n. Assume d is the secret key, e is the public key, and n is a product of two large prime numbers.

SLIDE 8

4 [4 pts] Groups and Subgroups

(a) List all elements in the group Z*_10.
(b) Show that the group (Z*_10 under modular multiplication) is cyclic.
(c) Suppose S = {1, 3, 9}. Is S a subgroup of Z*_10 under modular multiplication? If it is, show that all subgroup properties hold for S. If it is not, briefly explain why not.
(d) Suppose S = {1, 3, 7}. Is S a subgroup of Z*_10 under modular multiplication? If it is, show that all subgroup properties hold for S. If it is not, briefly explain why not.

Solution:
(a) {1, 3, 7, 9}
(b) There exists a generator in Z*_10. For instance, 3 is a generator since 3^0 = 1, 3^1 = 3, 3^2 = 9, 3^3 = 7 mod 10.
(c) It is not, since S does not contain an inverse of 3 and/or does not have the closure property.
(d) It is not, since S does not have the closure property, e.g., 7 * 7 = 9 ∉ S.

SLIDE 9

5 [4 pts] RSA

Assume the following RSA parameters: p = 13, q = 5, d = 29, C = 7.
(a) Use the Chinese Remainder Theorem to find the value of the plaintext M. Show your work.
(b) Use the Extended Euclidean Algorithm to find the value of the public exponent e. Show your work.

Solution:
(a) We follow the algorithm in the lecture. First, compute dp and dq: dp = 29 mod 12 = 5 and dq = 29 mod 4 = 1. Then, Mp = C^dp = 7^5 mod 13 = 11 and Mq = C^dq = 7^1 = 7 mod 5. We then perform exhaustive search to find the following inverse values: q^-1 mod p = 5^-1 mod 13 = 8 and p^-1 mod q = 13^-1 mod 5 = 2. Finally, M = (11 * 5 * 8 + 7 * 13 * 2) mod 65 = 37.
(b) First, compute φ(n): φ(n) = (p − 1) * (q − 1) = 48. Then, we can use the Extended Euclidean Algorithm to solve for e in the equation 29 * e = 1 mod 48. We follow the algorithm from the lecture slide:
  init: R_0 = 48, R_1 = 29 and T_0 = 0.
  For i > 1: Q_i = floor(R_(i−1) / R_i), R_(i+1) = R_(i−1) mod R_i and T_i = (T_(i−2) − Q_(i−1) * T_(i−1)) mod R_0.
  i = 1: R_1 = 29, T_1 = 1, and Q_1 = 1.
  i = 2: R_2 = 19, T_2 = 47 and Q_2 = 1.
  i = 3: R_3 = 10, T_3 = 2 and Q_3 = 1.
  i = 4: R_4 = 9, T_4 = 45 and Q_4 = 1.
  i = 5: R_5 = 1, T_5 = 5.
  We stop here since R_5 = 1. Thus, e = T_5 = 5.
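An added example (not from the course slides) that recomputes the HW2 Q2, Q4 and Q5 answers above with plain Python: the Extended Euclidean Algorithm and modular inverses, element orders and generators in Z*_m, the subgroup checks for the two candidate sets, square-and-multiply with its iteration count, and the CRT decryption with the slide's parameters p = 13, q = 5, d = 29, C = 7.

```python
import math

def egcd(a, b):  # extended Euclid: returns (g, s, t) with s*a + t*b == g == gcd(a, b)
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        s0, s1, t0, t1 = s1, s0 - q * s1, t1, t0 - q * t1
    return a, s0, t0

def inverse(x, m):  # x^-1 mod m via EEA (HW2 Q2.4, Q5(b), and the CRT step in Q5(a))
    g, s, _ = egcd(x % m, m)
    assert g == 1, "not invertible"
    return s % m

def order(x, m):  # ord(x) in Z*_m: least k > 0 with x^k == 1 (HW2 Q2.5, Q2.6)
    k, acc = 1, x % m
    while acc != 1:
        acc, k = acc * x % m, k + 1
    return k

def units(m):  # the elements of Z*_m (HW2 Q4(a))
    return [x for x in range(1, m) if math.gcd(x, m) == 1]

def generators(m):  # elements of full order; Z*_m is cyclic iff this is non-empty (Q4(b))
    u = units(m)
    return [x for x in u if order(x, m) == len(u)]

def subgroup_failures(S, m):  # which subgroup properties S lacks inside Z*_m (Q4(c), Q4(d))
    fails = ["no identity"] if 1 not in S else []
    if any(a * b % m not in S for a in S for b in S):
        fails.append("not closed")
    if any(inverse(a, m) not in S for a in S):
        fails.append("missing inverse")
    return fails

def square_and_multiply(base, exp, m):  # left-to-right, starting from 1; (result, iterations)
    result, it = 1, 0
    for bit in bin(exp)[2:]:
        result, it = result * result % m, it + 1
        if bit == "1":
            result = result * base % m
    return result, it

def rsa_crt_decrypt(c, d, p, q):  # HW2 Q5(a): M from C^dp mod p and C^dq mod q via CRT
    mp, mq = pow(c, d % (p - 1), p), pow(c, d % (q - 1), q)
    return (mp * q * inverse(q, p) + mq * p * inverse(p, q)) % (p * q)

def rsa_public_exponent(d, p, q):  # HW2 Q5(b): e = d^-1 mod phi(n)
    return inverse(d, (p - 1) * (q - 1))
```

`rsa_crt_decrypt(7, 29, 13, 5)` returns 37 and `rsa_public_exponent(29, 13, 5)` returns 5, and `pow(37, 5, 65)` gives back the ciphertext 7.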

SLIDE 10

6 [3 pts] 3-Party Diffie-Hellman

Recall from the lecture that the Diffie-Hellman protocol allows two parties to establish a shared secret key. However, the use of Diffie-Hellman is not limited to only two parties. In fact, the Diffie-Hellman scheme can be extended to support key establishment between any number of parties. Describe how to establish a shared secret key between three parties based on the Diffie-Hellman key exchange scheme. (Note that minimizing communication rounds and bandwidth consumed between the parties in this case is not a concern.)

Solution: Suppose Alice, Bob and Charlie want to establish a shared secret. First, Alice, Bob and Charlie have to agree on a prime p and a generator g. Each of them then selects his/her own random number: a for Alice, b for Bob, and c for Charlie. Then, Alice sends y_a = g^a mod p to Bob and he computes y_ab = y_a^b mod p. Bob then sends y_ab to Charlie. Finally, Charlie computes a shared secret key as K_abc = y_ab^c = g^abc mod p.

The same procedure with the same random numbers can be done (by starting from Bob to Charlie to Alice, and starting again from Charlie to Alice and finally to Bob) so that Bob and Alice can also learn the shared secret key.
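The three chains described in the answer, as an added example that is not part of the slides. p, g and the three exponents are constructed toy values (p = 23, g = 5 in the check below); the transcript collects every value that crosses a link, which is what an eavesdropper on all three links would see.

```python
def three_party_dh(p, g, exponents):
    """exponents: {"Alice": a, "Bob": b, "Charlie": c} (each kept private).
    Runs the three chains from the answer (A->B->C, B->C->A, C->A->B); the last
    party of each chain ends with g^abc. Returns per-party keys and the wire transcript."""
    names = list(exponents)
    keys, transcript = {}, []
    for start in range(3):
        chain = [names[(start + i) % 3] for i in range(3)]
        value = g                                   # chain[0] starts from g
        for pos, sender in enumerate(chain[:2]):
            value = pow(value, exponents[sender], p)
            transcript.append((sender, chain[pos + 1], value))   # sent in the clear
        keys[chain[2]] = pow(value, exponents[chain[2]], p)      # kept, never sent
    return keys, transcript

def all_agree(p, g, exponents):
    """True when all three parties hold g^abc mod p and that value never went over the wire."""
    keys, transcript = three_party_dh(p, g, exponents)
    a, b, c = exponents.values()
    expected = pow(g, a * b * c, p)
    sent = {v for _, _, v in transcript}
    return all(k == expected for k in keys.values()) and expected not in sent

EXP = {"Alice": 6, "Bob": 15, "Charlie": 4}   # constructed private exponents
```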

SLIDE 11

7 [3 pts] Randomness in El Gamal's Scheme

Suppose Alice wants to encrypt two messages using the El Gamal public key cryptosystem. However, she is lazy and does not want to generate a new random number for the second encryption. Thus, she applies the same random number (which is only secret to her) for both encryptions. Suppose Eve learns both ciphertexts and one of the plaintext messages. Show that Eve can efficiently learn the value of the other plaintext message as well. Also, you can assume that the same public- and private-key pair is used for both encryptions.

Solution: Suppose m1 and m2 are two plaintext messages and (c1, c2) and (c1', c2') are the corresponding ciphertexts generated by the El Gamal encryption scheme with the same randomness r and private key x. Thus, by definition, we get (c1, c2) = (g^r, m1 * y^r) mod p and (c1', c2') = (g^r, m2 * y^r) mod p, where p is a large prime, g is a generator and y is g^x. If Eve knows (c1, c2) and m1, Eve can easily compute y^r by first finding m1^-1 mod p using the Extended Euclidean Algorithm and then computing y^r = m1^-1 * c2 mod p. Once she knows y^r and (c1', c2'), she can then learn m2 by computing the inverse of y^r using EEA and multiplying the result by c2'.
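An added example (not from the slides) that runs the computation in the answer with constructed toy parameters p = 23, g = 5. Reused r shows up as an identical c1 in both ciphertexts, which is the detectable symptom, and from one known plaintext the other follows without any key material; this is why a fresh r per encryption is mandatory. The Fermat-based inverse stands in for the EEA named in the answer.

```python
import secrets

def keygen(p, g):
    x = secrets.randbelow(p - 2) + 1   # private key x in [1, p-2]
    return x, pow(g, x, p)             # (x, y = g^x mod p)

def encrypt(p, g, y, m, r):
    # El Gamal: (c1, c2) = (g^r mod p, m * y^r mod p); r must be fresh per message
    return pow(g, r, p), m * pow(y, r, p) % p

def decrypt(p, x, c1, c2):
    return c2 * pow(c1, p - 1 - x, p) % p   # c1^(-x) == c1^(p-1-x) for prime p

def inv(a, p):
    return pow(a, p - 2, p)                 # a^-1 mod prime p (Fermat); EEA gives the same

def recover_other_plaintext(p, ct_known, m_known, ct_other):
    """HW2 Q7: if both ciphertexts share c1 (same r), the other plaintext follows
    from one known plaintext alone; neither x nor y is needed."""
    (c1, c2), (c1o, c2o) = ct_known, ct_other
    if c1 != c1o:
        return None                         # different r: the relation does not hold
    yr = inv(m_known, p) * c2 % p           # y^r = m1^-1 * c2 mod p
    return c2o * inv(yr, p) % p             # m2 = c2' * (y^r)^-1 mod p
```

With x = 6 (so y = 8), r = 3, m1 = 7 and m2 = 11 the two ciphertexts are (10, 19) and (10, 20), and `recover_other_plaintext(23, (10, 19), 7, (10, 20))` returns 11.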

SLIDE 12

8 [3 pts] Fiat-Shamir

One of the requirements of the Fiat-Shamir identification protocol is to have a trusted third party generate n and keep its factors (primes p and q) secret from the prover and verifier. Suppose the verifier knows one of those two factors. Explain how the verifier can learn the secret of the prover when the Fiat-Shamir identification protocol is run by both sides. (Hint: you may assume it is computationally feasible to compute a^(1/2) mod b ONLY when b is a prime less than n.)

Solution: Suppose the prover's secret is S and I = S^2. If the verifier learns one factor, then he can easily learn the other one by dividing n by the factor he learned. Once he learns both p and q, it becomes much easier for him to compute S1 = I^(1/2) mod p and S2 = I^(1/2) mod q through brute-force or exhaustive search since p, q << n. Finally, he can compute S from S1 and S2 using the Chinese Remainder Theorem.