CS 683 - Security and Privacy Spring 2018 Instructor: Karim - PowerPoint PPT Presentation

CS 683 - Security and Privacy Spring 2018 Instructor: Karim Eldefrawy University of San Francisco http://www.cs.usfca.edu/~keldefrawy/teaching /spring2018/cs683/cs683_main.htm (https://goo.gl/t396Fw) 1

Homework 1 Answers

4 [5 pts] Block Cipher For each block cipher mode (CBC, OFB, CFB, CTR), explain the precise consequences of a 1-bit error in a single block of ciphertext (the i-the block). Assume that there are n > i plaintext (and ciphertext) blocks. Solution: CBC: it will mess up the whole corresponding plaintext block and invert the corresponding bit in the next plaintext block. OFB: it will invert the corresponding bit in the corresponding plaintext block. CFB: it will invert the corresponding bit in the same plaintext block and mess up the whole next plaintext block. CTR: it will invert the corresponding bit in the corresponding plaintext block.

5 [4 pts] Applications of Block Cipher Modes (CBC, OFB, CFB, CTR) Answer the following question. If more than one answer exists, provide and briefly justify all of them. (a) A user wants to encrypt an incoming stream of audio data. Which block cipher mode(s) should be used? (b) A user wants to take advantage of multiprocessing for encrypting her data. Which block cipher mode(s) should be used? (c) A user wants to construct a message authentication code (MAC) on a message. Which block cipher mode(s) should be used? (d) A user wants wants to transmit an encrypted message through a noisy communication channel where ciphertext blocks can sometimes be swapped. The user wants to ensure that the decryptor can detect this side-e ff ect when it happens regardless of the value and pattern of plaintext. Which block cipher(s) mode should be used?

Solution: (a) CFB, OFB and CTR since these modes support encrypting less than a block size. Alternate correct answers: OFB and CTR are also accepted if the justification mentions that error will be minimized or a key- stream can be pre-computed . (b) CTR since its encryption algorithm can be carried out in parallel. Alternate correct answers: OFB is also accepted if the justification mentions that the key-stream can be pre-computed in advance, which makes only the final operation ( ⊕ ) parallelizable. (c) CBC and CFB. Recall that a MAC is used for providing integrity of a message and is generally sent along with that message. To construct MAC mode from other modes, we can just encrypt a message normally using that block cipher mode and take only the last ciphertext block and use it as MAC. CTR and OFB should not be used as MAC because they cannot guarantee the integrity of a message since each ciphertext block is independent of other ciphertext blocks. This will allow an adversary to add, delete or swap any plaintext blocks before the last block, which still results in the same MAC as the original plaintext. This is, however, not true for CBC and CFB since their ciphertext blocks depend on previous blocks. MAC mode is also accepted as a correct answer. (d) CBC, CFB, OFB and CTR. All of them support detection of block rearrangement.

Homework 2 Answers

2 [5 pts total] Fill In The Blanks 1. The digest size of SHA-1 is 160 bits. 2. The block size of MD5 is 512 bits. 3. A prefix MAC construction, i.e. H ( K AB k m ), cannot provide the integrity of a message because it allows concatenation with arbitrary message . 4. The inverse of 9 in Z ∗ 11 is 5 . 5. ord (9) in Z ∗ 11 = 5 . 6. If α is a primitive element in Z ∗ p for a prime p , this means ord ( α ) equals p-1 . 7. Square-and-Multiply algorithm can be used to compute 5 8 mod 9 in 3 (if you start with tmp = 5) or 4 (if you start iterations. 8. The Digital Signature Standard (DSS) is a variant of El Gamal signature scheme. 9. Extended Euclidean Algorithm can be used to speed-up the calculation of private exponent in RSA Encryption, given a public exponent ( e ) and the modulus factor ( p and q ). 10. In RSA signature scheme, a signature of a message m can be created by computing y = ( m d mod n) testing whether m = y e mod n whereas the signature can be verified by . Assume d is the secret key, e is the public key, and n is a product of two large prime numbers.

4 [4 pts] Groups and Subgroups (a) List all elements in the group Z ∗ 10 . (b) Show that the group ( Z ∗ 10 under modular multiplication) is cyclic. (c) Suppose S = { 1, 3, 9 } . Is S a subgroup of Z ∗ 10 under modular multiplication? If it is, show that all subgroup properties hold for S. If it is not, briefly explain why not. (d) Suppose S = { 1, 3, 7 } . Is S a subgroup of Z ∗ 10 under modular multiplication? If it is, show that all subgroup properties hold for S. If it is not, briefly explain why not. Solution: Solution: (a) { 1, 3, 7, 9 } 10 . For instance, 3 is a generator since 3 0 = 1, 3 1 = 3, 3 2 = 9, 3 3 = 7 (b) There exists a generator in Z ∗ mod 10. (c) It is not since S does not contain an inverse of 3 and/or does not have closure property. (d) It is not since S does not have closure property, e.g., 7 ∗ 7 = 9 / ∈ S.

5 [4 pts] RSA Assume the following RSA parameters: p = 13, q = 5, d = 29, C = 7 (a) Use Chinese Remainder Theorem to find the value of plaintext M . Show your work. (b) Use Extended Euclidean Algorithm to find the value of public exponent e . Show your work. Solution: Solution: (a) We follow the algorithm in the lecture. First, compute d p and d q : d p = 29 = 5 mod 12 and d q = 29 = 1 mod 4 Then, M p = C d p = 7 5 = 11 mod 13 and M q = C d q = 7 1 = 7 mod 5. We then perform exhaustive search to find the following inverse values: q − 1 mod p = 5 − 1 mod 13 = 8 and p − 1 mod q = 13 − 1 mod 5 = 2. Finally, M = (11 ∗ 5 ∗ 8 + 7 ∗ 13 ∗ 2) mod 65 = 37. (b) First, compute φ ( n ): φ ( n ) = ( p − 1) ∗ ( q − 1) = 48. Then, we can use Extended Euclidean Algorithm to solve for e in the following equation: 29 ∗ e = 1 mod 48. We follow the algorithm from the lecture slide: init: R 0 = 48, R 1 = 29 and T 0 = 0 For i > 1, Q i = floor ( R i − 1 /R i ), R i +1 = R i − 1 mod R i and T i = T i − 2 − Q i − 1 ∗ T i − 1 mod R 0 . I = 1: R 1 = 29, T 1 = 1, and Q 1 = 1. I = 2: R 2 = 19, T 2 = 47 and Q 2 = 1. I = 3: R 3 = 10, T 3 = 2 and Q 3 = 1. I = 4: R 4 = 9, T 4 = 45 and Q 4 = 1 I = 5: R 5 = 1, T 5 = 5. We stop here since R 5 = 1. Thus, e = T 5 = 5.

6 [3 pts] 3-Party Di ffi e-Hellman Recall from the lecture that the Di ffi e-Hellman protocol allows two parties to establish a shared secret key. However, the use of Di ffi e-Hellman is not limited to only two parties. In fact, the Di ffi e-Hellman scheme can be extended to support the key establishment between any number of parties. Describe how to establish a shared secret key between three parties based on the Di ffi e-Hellman key exchange scheme. (Note that minimizing communication rounds and bandwidth consumed between the parties in this case is not a concern.) Solution: Solution: Suppose Alice, Bob and Charlie want to establish a shared secret. First, Alice, Bob and Charlie have to agree on prime p and a generator g . Each of them then selects his/her own random number: a for Alice, b for Bob, and c for Charlie. Then, Alice sends y a = g a mod p to Bob and he computes y ab = y b a mod p . Bob then sends y ab to ab = g abc mod p . Charlie. Finally, Charlie computes a shared secret key as K abc = y c The similar procedure with the same random numbers can be done (by starting from Bob to Charlie to Alice and starting again from Charlie to Alice and finally to Bob) such that Bob and Alice can also learn the shared secret key.

7 [3 pts] Randomness in El Gamal’s Scheme Suppose Alice wants to encrypt two messages using El Gamal Public Key Cryptosystem. However, she is lazy and does not want to generate a new random number for the second encryption. Thus, she applies the same random number (which is only secret to her) for both encryptions. Suppose Eve learns both ciphertexts and one of the plaintext message. Show that Eve can e ffi ciently learn the value of the other plaintext message as well. Also, you can assume that the same public- and private-key pair is used for both encryptions. Solution: Solution: Suppose m 1 and m 2 are two plaintext messages and ( c 1 , c 2 ) and ( c 0 1 , c 0 2 ) are the corresponding ciphertexts generated by El Gamal Encryption scheme with the same randomness r and private key x . Thus, by definitions, we get ( c 1 , c 2 ) = ( g r , m 1 ∗ y r ) mod p and ( c 0 1 , c 0 2 ) = ( g r , m 2 ∗ y r ) mod p where p is a large prime, g is a generator and y is g x . If Eve knows ( c 1 , c 2 ) and m 1 , Eve can easily compute y r by first finding m � 1 mod p using Extended 1 Euclidean Algorithm and then computing y r = m � 1 ∗ c 2 mod p . 1 Once she knows y r and ( c 0 2 ), she then can learn m 2 by computing the inverse of y r using EEA 1 , c 0 and multiply the result by c 0 2 .