
SOLUTIONS MANUAL

CRYPTOGRAPHY AND NETWORK SECURITY
PRINCIPLES AND PRACTICE
FOURTH EDITION
WILLIAM STALLINGS
Copyright 2006: William Stallings

Copyright 2006 by William Stallings
All rights reserved. No part of this document may be reproduced, in any form or by any means, or posted on the Internet, without permission in writing from the author.

NOTICE
This manual contains solutions to all of the review questions and homework problems in Cryptography and Network Security, Fourth Edition. If you spot an error in a solution or in the wording of a problem, I would greatly appreciate it if you would forward the information via email to ws@shore.net. An errata sheet for this manual, if needed, is available at ftp://shell.shore.net/members/w/s/ws/S.
W.S.

TABLE OF CONTENTS
Chapter 1: Introduction
Chapter 2: Classical Encryption Techniques
Chapter 3: Block Ciphers and the Data Encryption Standard
Chapter 4: Finite Fields
Chapter 5: Advanced Encryption Standard
Chapter 6: More on Symmetric Ciphers
Chapter 7: Confidentiality Using Symmetric Encryption
Chapter 8: Introduction to Number Theory
Chapter 9: Public-Key Cryptography and RSA
Chapter 10: Key Management; Other Public-Key Cryptosystems
Chapter 11: Message Authentication and Hash Functions
Chapter 12: Hash and MAC Algorithms
Chapter 13: Digital Signatures and Authentication Protocols
Chapter 14: Authentication Applications
Chapter 15: Electronic Mail Security
Chapter 16: IP Security
Chapter 17: Web Security
Chapter 18: Intruders
Chapter 19: Malicious Software
Chapter 20: Firewalls
CHAPTER 1
INTRODUCTION

ANSWERS TO QUESTIONS

1.1 The OSI Security Architecture is a framework that provides a systematic way of defining the requirements for security and characterizing the approaches to satisfying those requirements. The document defines security attacks, mechanisms, and services, and the relationships among these categories.

1.2 Passive attacks have to do with eavesdropping on, or monitoring, transmissions. Electronic mail, file transfers, and client/server exchanges are examples of transmissions that can be monitored. Active attacks include the modification of transmitted data and attempts to gain unauthorized access to computer systems.

1.3 Passive attacks: release of message contents and traffic analysis. Active attacks: masquerade, replay, modification of messages, and denial of service.

1.4 Authentication: The assurance that the communicating entity is the one that it claims to be.
Access control: The prevention of unauthorized use of a resource (i.e., this service controls who can have access to a resource, under what conditions access can occur, and what those accessing the resource are allowed to do).
Data confidentiality: The protection of data from unauthorized disclosure.
Data integrity: The assurance that data received are exactly as sent by an authorized entity (i.e., contain no modification, insertion, deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the entities involved in a communication of having participated in all or part of the communication.
Availability service: The property of a system or a system resource being accessible and usable upon demand by an authorized system entity, according to performance specifications for the system (i.e., a system is available if it provides services according to the system design whenever users request them).

1.5 See Table 1.3.

ANSWERS TO PROBLEMS
1.1 The matrix relates security services (rows) to attacks (columns: Release of message contents, Traffic analysis, Masquerade, Replay, Modification of messages, Denial of service). Marks in each row:
    Peer entity authentication: 1
    Data origin authentication: 1
    Access control: 1
    Confidentiality: 1
    Traffic flow confidentiality: 1
    Data integrity: 1 1
    Non-repudiation: 1
    Availability: 1

1.2 The matrix relates security mechanisms (rows) to the same attack columns. Marks in each row:
    Encipherment: 1
    Digital signature: 1 1 1
    Access control: 1 1 1 1 1
    Data integrity: 1 1
    Authentication exchange: 1 1 1 1
    Traffic padding: 1
    Routing control: 1 1 1
    Notarization: 1 1 1
CHAPTER 2
CLASSICAL ENCRYPTION TECHNIQUES

ANSWERS TO QUESTIONS
2.1 Plaintext, encryption algorithm, secret key, ciphertext, decryption algorithm.

2.2 Permutation and substitution.

2.3 One key for symmetric ciphers, two keys for asymmetric ciphers.

2.4 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

2.5 Cryptanalysis and brute force.

2.6 Ciphertext only. One possible attack under these circumstances is the brute-force approach of trying all possible keys. If the key space is very large, this becomes impractical. Thus, the opponent must rely on an analysis of the ciphertext itself, generally applying various statistical tests to it. Known plaintext. The analyst may be able to capture one or more plaintext messages as well as their encryptions. With this knowledge, the analyst may be able to deduce the key on the basis of the way in which the known plaintext is transformed. Chosen plaintext. If the analyst is able to choose the messages to encrypt, the analyst may deliberately pick patterns that can be expected to reveal the structure of the key.

2.7 An encryption scheme is unconditionally secure if the ciphertext generated by the scheme does not contain enough information to determine uniquely the corresponding plaintext, no matter how much ciphertext is available. An encryption scheme is said to be computationally secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information, and (2) the time required to break the cipher exceeds the useful lifetime of the information.

2.8 The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places further down the alphabet, for k in the range 1 through 25.

2.9 A monoalphabetic substitution cipher maps a plaintext alphabet to a ciphertext alphabet, so that each letter of the plaintext alphabet maps to a single unique letter of the ciphertext alphabet.

2.10 The Playfair algorithm is based on the use of a 5 × 5 matrix of letters constructed using a keyword. Plaintext is encrypted two letters at a time using this matrix.

2.11 A polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher for each successive letter of plaintext, depending on a key.

2.12 1. There is the practical problem of making large quantities of random keys. Any heavily used system might require millions of random characters on a regular basis. Supplying truly random characters in this volume is a significant task. 2. Even more daunting is the problem of key distribution and protection. For every message to be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key distribution problem exists.

2.13 A transposition cipher involves a permutation of the plaintext letters.

2.14 Steganography involves concealing the existence of a message.
ANSWERS TO PROBLEMS

2.1 a. No. A change in the value of b shifts the relationship between plaintext letters and ciphertext letters to the left or right uniformly, so that if the mapping is one-to-one it remains one-to-one.
b. 2, 4, 6, 8, 10, 12, 13, 14, 16, 18, 20, 22, 24. Any value of a larger than 25 is equivalent to a mod 26.
c. The values of a and 26 must have no common positive integer factor other than 1. This is equivalent to saying that a and 26 are relatively prime, or that the greatest common divisor of a and 26 is 1. To see this, first note that E(a, p) = E(a, q) (0 ≤ p ≤ q < 26) if and only if a(p – q) is divisible by 26. 1. Suppose that a and 26 are relatively prime. Then, a(p – q) is not divisible by 26, because there is no way to reduce the fraction a/26 and (p – q) is less than 26. 2. Suppose that a and 26 have a common factor k > 1. Then E(a, p) = E(a, q), if q = p + m/k ≠ p.

2.2 There are 12 allowable values of a (1, 3, 5, 7, 9, 11, 15, 17, 19, 21, 23, 25). There are 26 allowable values of b (from 0 through 25). Thus the total number of distinct affine Caesar ciphers is 12 × 26 = 312.

2.3 Assume that the most frequent plaintext letter is e and the second most frequent letter is t. Note that the numerical values are e = 4; B = 1; t = 19; U = 20. Then we have the following equations:
    1 = (4a + b) mod 26
    20 = (19a + b) mod 26
Thus, 19 = 15a mod 26. By trial and error, we solve: a = 3.
Then 1 = (12 + b) mod 26. By observation, b = 15.
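The affine Caesar cipher of Problems 2.1 through 2.3 worked in code. This is an added example, not part of the solutions manual: letters are numbered a = 0 as in the manual's 2.3 computation, `non_injective_multipliers` reproduces the list of 2.1b, `count_affine_keys` the 312 of 2.2, and `solve_key` recovers (a, b) from the two letter correspondences of 2.3 by solving the congruence instead of by trial.

```python
from math import gcd

ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def affine_encrypt(a, b, text):
    """C = (a*p + b) mod 26 for each letter; non-letters are dropped."""
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % 26]
                   for ch in text.lower() if ch in ALPHABET)


def modinv(x, m=26):
    """Smallest y with x*y = 1 (mod m); raises if gcd(x, m) != 1."""
    for y in range(1, m):
        if (x * y) % m == 1:
            return y
    raise ValueError(f"{x} has no inverse mod {m}")


def affine_decrypt(a, b, text):
    """p = a^-1 (C - b) mod 26; only defined when a is invertible mod 26."""
    a_inv = modinv(a)
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % 26]
                   for ch in text.lower() if ch in ALPHABET)


def is_one_to_one(a):
    """Problem 2.1c: p -> a*p mod 26 is a bijection exactly when gcd(a, 26) == 1."""
    return len({(a * p) % 26 for p in range(26)}) == 26


def non_injective_multipliers():
    """Problem 2.1b: the values of a in 1..25 for which the cipher is not one-to-one."""
    return [a for a in range(1, 26) if not is_one_to_one(a)]


def count_affine_keys():
    """Problem 2.2: usable multipliers (coprime with 26) times the 26 shifts."""
    return sum(1 for a in range(1, 26) if gcd(a, 26) == 1) * 26


def solve_key(p1, c1, p2, c2):
    """Problem 2.3: recover (a, b) from two plaintext/ciphertext letter pairs.

    Subtracting c1 = a*p1 + b from c2 = a*p2 + b gives
    (c2 - c1) = a*(p2 - p1) (mod 26); multiply by the inverse of
    (p2 - p1), which must be coprime with 26 for the key to be unique.
    """
    p1, c1, p2, c2 = (ALPHABET.index(ch) for ch in (p1, c1, p2, c2))
    a = ((c2 - c1) * modinv((p2 - p1) % 26)) % 26
    b = (c1 - a * p1) % 26
    return a, b
```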
2.4 A good glass in the Bishop's hostel in the Devil's seat—twenty-one degrees and thirteen minutes—northeast and by north—main branch seventh limb east side—shoot from the left eye of the death's head—a bee line from the tree through the shot fifty feet out. (from The Gold Bug, by Edgar Allan Poe)

2.5 a. The first letter t corresponds to A, the second letter h corresponds to B, e is C, s is D, and so on. Second and subsequent occurrences of a letter in the key sentence are ignored. The result
    ciphertext: SIDKHKDM AF HCRKIABIE SHIMC KD LFEAILA
    plaintext:  basilisk to leviathan blake is contact
b. It is a monoalphabetic cipher and so easily breakable.
c. The last sentence may not contain all the letters of the alphabet. If the first sentence is used, the second and subsequent sentences may also be used until all 26 letters are encountered.

2.6 The cipher refers to the words in the page of a book. The first entry, 534, refers to page 534. The second entry, C2, refers to column two. The remaining numbers are words in that column. The names DOUGLAS and BIRLSTONE are simply words that do not appear on that page. Elementary! (from The Valley of Fear, by Sir Arthur Conan Doyle)
2.7 a.
     2  8 10  7  9  6  3  1  4  5
     C  R  Y  P  T  O  G  A  H  I
     B  E  A  T  T  H  E  T  H  I
     R  D  P  I  L  L  A  R  F  R
     O  M  T  H  E  L  E  F  T  O
     U  T  S  I  D  E  T  H  E  L
     Y  C  E  U  M  T  H  E  A  T
     R  E  T  O  N  I  G  H  T  A
     T  S  E  V  E  N  I  F  Y  O
     U  A  R  E  D  I  S  T  R  U
     S  T  F  U  L  B  R  I  N  G
     T  W  O  F  R  I  E  N  D  S

     4  2  8 10  5  6  3  7  1  9
     N  E  T  W  O  R  K  S  C  U
     T  R  F  H  E  H  F  T  I  N
     B  R  O  U  Y  R  T  U  S  T
     E  A  E  T  H  G  I  S  R  E
     H  F  T  E  A  T  Y  R  N  D
     I  R  O  L  T  A  O  U  G  S
     H  L  L  E  T  I  N  I  B  I
     T  I  H  I  U  O  V  E  U  F
     E  D  M  T  C  E  S  A  T  W
     T  L  E  D  M  N  E  D  L  R
     A  P  T  S  E  T  E  R  F  O

    ISRNG BUTLF RRAFR LIDLP FTIYO NVSEE TBEHI HTETA EYHAT TUCME HRGTA IOENT TUSRU IEADR FOETO LHMET NTEDS IFWRO HUTEL EITDS
b. The two matrices are used in reverse order. First, the ciphertext is laid out in columns in the second matrix, taking into account the order dictated by the second memory word. Then, the contents of the second matrix are read left to right, top to bottom and laid out in columns in the first matrix, taking into account the order dictated by the first memory word. The plaintext is then read left to right, top to bottom.
c. Although this is a weak method, it may have use with time-sensitive information and an adversary without immediate access to good cryptanalysis (e.g., tactical use). Plus it doesn't require anything more than paper and pencil, and can be easily remembered.
2.8 SPUTNIK

2.9 PT BOAT ONE OWE NINE LOST IN ACTION IN BLACKETT STRAIT TWO MILES SW MERESU COVE X CREW OF TWELVE X REQUEST ANY INFORMATION

2.10 a.
    L  A  R    G  E
    S  T  B    C  D
    F  H  I/J  K  M
    N  O  P    Q  U
    V  W  X    Y  Z
b.
    O  C  U    R  E
    N  A  B    D  F
    G  H  I/J  K  L
    M  P  Q    S  T
    V  W  X    Y  Z

2.11 a. UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZ
b. UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZ
c. A cyclic rotation of rows and/or columns leads to equivalent substitutions. In this case, the matrix for part a of this problem is obtained from the matrix of Problem 2.10a, by rotating the columns by one step and the rows by three steps.

2.12 a. 25! ≈ 2^84
b. Given any 5×5 configuration, any of the four row rotations is equivalent, for a total of five equivalent configurations. For each of these five configurations, any of the four column rotations is equivalent. So each configuration in fact represents 25 equivalent configurations. Thus, the total number of unique keys is 25!/25 = 24!
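An added Playfair implementation, not from the solutions manual, that reproduces the squares of 2.10, the ciphertext of 2.11a/b, and the rotation equivalence behind 2.11c and 2.12b. The digram rules are the standard ones (doubled letters split with X, odd tail padded with X); `rotate`'s convention (rows down, columns right) and the function names are mine.

```python
from itertools import product

LETTERS = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # J shares the I cell


def build_matrix(keyword):
    """Fill the 5x5 square: keyword letters first (duplicates dropped), then the rest."""
    seen = []
    for ch in keyword.upper().replace("J", "I") + LETTERS:
        if ch in LETTERS and ch not in seen:
            seen.append(ch)
    return [seen[r * 5:(r + 1) * 5] for r in range(5)]


def digrams(text):
    """Split into letter pairs; a doubled letter is separated by X, a short tail padded with X."""
    clean = [c for c in text.upper().replace("J", "I") if c in LETTERS]
    pairs, i = [], 0
    while i < len(clean):
        a = clean[i]
        b = clean[i + 1] if i + 1 < len(clean) else "X"
        if a == b:
            pairs.append((a, "X"))
            i += 1
        else:
            pairs.append((a, b))
            i += 2
    return pairs


def playfair_encrypt(matrix, text):
    pos = {matrix[r][c]: (r, c) for r, c in product(range(5), range(5))}
    out = []
    for a, b in digrams(text):
        (ra, ca), (rb, cb) = pos[a], pos[b]
        if ra == rb:                        # same row: letters to the right
            out += [matrix[ra][(ca + 1) % 5], matrix[rb][(cb + 1) % 5]]
        elif ca == cb:                      # same column: letters below
            out += [matrix[(ra + 1) % 5][ca], matrix[(rb + 1) % 5][cb]]
        else:                               # rectangle: same row, other corner
            out += [matrix[ra][cb], matrix[rb][ca]]
    return "".join(out)


def rotate(matrix, rows=0, cols=0):
    """Cyclically shift the square `rows` steps down and `cols` steps right.

    Every Playfair rule depends only on cyclic relative position, so a
    rotated square encrypts identically (Problems 2.11c and 2.12b).
    """
    return [[matrix[(r - rows) % 5][(c - cols) % 5] for c in range(5)]
            for r in range(5)]


def equivalent_squares(matrix):
    """Problem 2.12b: the 25 squares reachable by row and column rotation."""
    return {tuple(map(tuple, rotate(matrix, r, c)))
            for r in range(5) for c in range(5)}
```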
2.13 A mixed Caesar cipher. The amount of shift is determined by the keyword, which determines the placement of letters in the matrix.

2.14 a. Difficulties are things that show what men are.
b. Irrationally held truths may be more harmful than reasoned errors.

2.15 a. We need an even number of letters, so append a "q" to the end of the message. Then convert the letters into the corresponding alphabetic positions:
    m  e  e  t  m  e  a  t  t  h  e  u  s  u  a  l
    13 5  5  20 13 5  1  20 20 8  5  21 19 21 1  12
    p  l  a  c  e  a  t  t  e  n  r  a  t  h  e  r
    16 12 1  3  5  1  20 20 5  14 18 1  20 8  5  18
    t  h  a  n  e  i  g  h  t  o  c  l  o  c  k  q
    20 8  1  14 5  9  7  8  20 15 3  12 15 3  11 17
The calculations proceed two letters at a time. The first pair:
$$\begin{pmatrix} C_1 \\ C_2 \end{pmatrix} = \begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix} \begin{pmatrix} 13 \\ 5 \end{pmatrix} \bmod 26 = \begin{pmatrix} 137 \\ 100 \end{pmatrix} \bmod 26 = \begin{pmatrix} 7 \\ 22 \end{pmatrix}$$
The first two ciphertext characters are alphabetic positions 7 and 22, which correspond to GV. The complete ciphertext:
    GVUIGVKODZYPUHEKJHUZWFZFWSJSDZMUDZMYCJQMFWWUQRKR
b. We first perform a matrix inversion. Note that the determinant of the encryption matrix is (9 × 7) – (4 × 5) = 43. Using the matrix inversion formula from the book:
$$\begin{pmatrix} 9 & 4 \\ 5 & 7 \end{pmatrix}^{-1} = \frac{1}{43}\begin{pmatrix} 7 & -4 \\ -5 & 9 \end{pmatrix} \bmod 26 = 23\begin{pmatrix} 7 & -4 \\ -5 & 9 \end{pmatrix} \bmod 26 = \begin{pmatrix} 161 & -92 \\ -115 & 207 \end{pmatrix} \bmod 26 = \begin{pmatrix} 5 & 12 \\ 15 & 25 \end{pmatrix}$$
Here we used the fact that (43)^{-1} = 23 in Z_26. Once the inverse matrix has been determined, decryption can proceed. Source: [LEWA00].
2.16 Consider the matrix K with elements k_ij to consist of the set of column vectors K_j, where:
$$K = \begin{pmatrix} k_{11} & \cdots & k_{1n} \\ \vdots & \ddots & \vdots \\ k_{n1} & \cdots & k_{nn} \end{pmatrix} \qquad\text{and}\qquad K_j = \begin{pmatrix} k_{1j} \\ \vdots \\ k_{nj} \end{pmatrix}$$
The ciphertext of the following chosen plaintext n-grams reveals the columns of K:
    (B, A, A, …, A, A) ↔ K_1
    (A, B, A, …, A, A) ↔ K_2
    ⋮
    (A, A, A, …, A, B) ↔ K_n
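Added example, not from the solutions manual: the 2 × 2 Hill cipher with the key of 2.15 and the column-recovery procedure of 2.16. The manual numbers letters a = 1 in 2.15 but uses A = 0, B = 1 for the n-grams of 2.16, so the helpers take a `base` argument; `recover_key` is handed an encryption function standing in for the chosen-plaintext oracle, and the padding letter "q" follows 2.15a.

```python
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def to_nums(text, base):
    """Letters to numbers; base=1 gives a=1..z=26 (2.15), base=0 gives a=0..z=25 (2.16)."""
    return [ALPHABET.index(ch) + base for ch in text.lower() if ch in ALPHABET]


def to_text(nums, base):
    """Inverse of to_nums; with base=1 the value 0 (= 26 mod 26) maps back to z."""
    return "".join(ALPHABET[(v - base) % 26] for v in nums)


def mat_vec(m, v):
    return [sum(m[r][c] * v[c] for c in range(len(v))) % 26 for r in range(len(m))]


def hill_encrypt(key, text, base=0):
    n = len(key)
    nums = to_nums(text, base)
    while len(nums) % n:                    # pad with "q" as the manual does in 2.15a
        nums.append(ALPHABET.index("q") + base)
    out = []
    for i in range(0, len(nums), n):
        out += mat_vec(key, nums[i:i + n])
    return to_text(out, base).upper()


def modinv(x, m=26):
    x %= m
    for y in range(1, m):
        if (x * y) % m == 1:
            return y
    raise ValueError(f"{x} is not invertible mod {m}")


def inverse_2x2(key):
    """K^-1 = det^-1 * adj(K) mod 26, the computation of 2.15b."""
    (a, b), (c, d) = key
    det_inv = modinv(a * d - b * c)
    return [[(det_inv * d) % 26, (det_inv * -b) % 26],
            [(det_inv * -c) % 26, (det_inv * a) % 26]]


def hill_decrypt(key, text, base=0):
    return hill_encrypt(inverse_2x2(key), text, base).lower()


def recover_key(encrypt_oracle, n):
    """Problem 2.16: with A = 0 and B = 1, the n-gram that is B in position j
    and A elsewhere is the unit vector e_j, so its ciphertext is column j of K."""
    cols = []
    for j in range(n):
        probe = "".join("b" if i == j else "a" for i in range(n))
        cols.append(to_nums(encrypt_oracle(probe), 0))
    return [[cols[j][i] for j in range(n)] for i in range(n)]
```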
2.17 a. 7 × 13^4
b. 7 × 13^4
c. 13^4
d. 10 × 13^4
e. 24 × 13^2
f. 24 × (13^2 – 1) × 13
g. 37648
h. 23530
i. 157248

2.18 key:        legleglegle
     plaintext:  explanation
     ciphertext: PBVWETLXOZR

2.19 a.
    s  e  n  d  m  o  r  e  m  o  n  e  y
    18 4  13 3  12 14 17 4  12 14 13 4  24
    9  0  1  7  23 15 21 14 11 11 2  8  9
    1  4  14 10 9  3  12 18 23 25 15 12 7
    B  E  O  K  J  D  M  S  X  Z  P  M  H
b.
    c  a  s  h  n  o  t  n  e  e  d  e  d
    2  0  18 7  13 14 19 13 4  4  3  4  3
    25 4  22 3  22 15 19 5  19 21 12 8  4
    1  4  14 10 9  3  12 18 23 25 15 12 7
    B  E  O  K  J  D  M  S  X  Z  P  M  H

2.20 your package ready Friday 21st room three Please destroy this immediately.

2.21 a. Lay the message out in a matrix 8 letters across. Each integer in the key tells you which letter to choose in the corresponding row. Result:
    He sitteth between the cherubims. The isles may be glad thereof. As the rivers in the south.
b. Quite secure. In each row there is one of eight possibilities. So if the ciphertext is 8n letters in length, then the number of possible plaintexts is 8^n.
c. Not very secure. Lord Peter figured it out. (from The Nine Tailors)
CHAPTER 3
BLOCK CIPHERS AND THE DATA ENCRYPTION STANDARD

ANSWERS TO QUESTIONS

3.1 Most symmetric block encryption algorithms in current use are based on the Feistel block cipher structure. Therefore, a study of the Feistel structure reveals the principles behind these more recent ciphers.

3.2 A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A block cipher is one in which a block of plaintext is treated as a whole and used to produce a ciphertext block of equal length.

3.3 If a small block size, such as n = 4, is used, then the system is equivalent to a classical substitution cipher. For small n, such systems are vulnerable to a statistical analysis of the plaintext. For a large block size, the size of the key, which is on the order of n × 2^n, makes the system impractical.

3.4 In a product cipher, two or more basic ciphers are performed in sequence in such a way that the final result or product is cryptographically stronger than any of the component ciphers.

3.5 In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits, which is equivalent to saying that each ciphertext digit is affected by many plaintext digits. Confusion seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, again to thwart attempts to discover the key. Thus, even if the attacker can get some handle on the statistics of the ciphertext, the way in which the key was used to produce that ciphertext is so complex as to make it difficult to deduce the key. This is achieved by the use of a complex substitution algorithm.

3.6 Block size: Larger block sizes mean greater security (all other things being equal) but reduced encryption/decryption speed. Key size: Larger key size means greater security but may decrease encryption/decryption speed. Number of rounds: The essence of the Feistel cipher is that a single round offers inadequate security but that multiple rounds offer increasing security. Subkey generation algorithm: Greater complexity in this algorithm should lead to greater difficulty of cryptanalysis. Round function: Again, greater complexity generally means greater resistance to cryptanalysis. Fast software encryption/decryption: In many cases, encryption is embedded in applications or utility functions in such a way as to preclude a hardware implementation. Accordingly, the speed of execution of the algorithm becomes a concern. Ease of analysis: Although we would like to make our algorithm as difficult as possible to cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the algorithm can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic vulnerabilities and therefore develop a higher level of assurance as to its strength.

3.7 The S-box is a substitution function that introduces nonlinearity and adds to the complexity of the transformation.

3.8 The avalanche effect is a property of any encryption algorithm such that a small change in either the plaintext or the key produces a significant change in the ciphertext.

3.9 Differential cryptanalysis is a technique in which chosen plaintexts with particular XOR difference patterns are encrypted. The difference patterns of the resulting ciphertext provide information that can be used to determine the encryption key. Linear cryptanalysis is based on finding linear approximations to describe the transformations performed in a block cipher.

ANSWERS TO PROBLEMS
3.1 a. For an n-bit block size there are 2^n possible different plaintext blocks and 2^n possible different ciphertext blocks. For both the plaintext and ciphertext, if we treat the block as an unsigned integer, the values are in the range 0 through 2^n – 1. For a mapping to be reversible, each plaintext block must map into a unique ciphertext block. Thus, to enumerate all possible reversible mappings, the block with value 0 can map into any one of 2^n possible ciphertext blocks. For any given mapping of the block with value 0, the block with value 1 can map into any one of 2^n – 1 possible ciphertext blocks, and so on. Thus, the total number of reversible mappings is (2^n)!.
b. In theory, the key length could be log_2 (2^n)! bits. For example, assign each mapping a number, from 1 through (2^n)! and maintain a table that shows the mapping for each such number. Then, the key would only require log_2 (2^n)! bits, but we would also require this huge table. A more straightforward way to define the key is to have the key consist of the ciphertext value for each plaintext block, listed in sequence for plaintext blocks 0 through 2^n – 1. This is what is suggested by Table 3.1. In this case the key size is n × 2^n and the huge table is not required.

3.2 Because of the key schedule, the round functions used in rounds 9 through 16 are mirror images of the round functions used in rounds 1 through 8. From this fact we see that encryption and decryption are identical. We are given a ciphertext c. Let m' = c. Ask the encryption oracle to encrypt m'. The ciphertext returned by the oracle will be the decryption of c.
3.3 a. We need only determine the probability that for the remaining N – t plaintexts P_i, we have E[K, P_i] ≠ E[K', P_i]. But E[K, P_i] = E[K', P_i] for all the remaining P_i with probability 1 – 1/(N – t)!.
b. Without loss of generality we may assume the E[K, P_i] = P_i since E_K(•) is taken over all permutations. It then follows that we seek the probability that a permutation on N – t objects has exactly t' fixed points, which would be the additional t' points of agreement between E(K, •) and E(K', •). But a permutation on N – t objects with t' fixed points is equal to the number of ways t' out of N – t objects can be fixed, while the remaining N – t – t' are not fixed. Then using Problem 3.4 we have that
$$\Pr(t' \text{ additional fixed points}) = \binom{N-t}{t'} \Pr(\text{no fixed points in } N-t-t' \text{ objects}) = \frac{1}{t'!}\sum_{k=0}^{N-t-t'}\frac{(-1)^k}{k!}$$
We see that this reduces to the solution to part (a) when t' = N – t.

3.4 Let $S_{2^n}$ be the set of permutations on {0, 1, . . ., 2^n – 1}, which is referred to as the symmetric group on 2^n objects, and let N = 2^n. For 0 ≤ i ≤ N, let A_i be all mappings π ∈ $S_{2^n}$ for which π(i) = i. It follows that |A_i| = (N – 1)! and $\left|\bigcap_{1 \le i \le k} A_i\right| = (N-k)!$. The inclusion-exclusion principle states that
$$\Pr(\text{no fixed points in } \pi) = \frac{1}{N!}\sum_{k=0}^{N}(-1)^k\binom{N}{k}(N-k)! = \sum_{k=0}^{N}\frac{(-1)^k}{k!} = 1 - 1 + \frac{1}{2!} - \frac{1}{3!} + \cdots + (-1)^N\frac{1}{N!} = e^{-1} + O\!\left(\frac{1}{N!}\right)$$
Then since e^{-1} ≈ 0.368, we find that for even small values of N, approximately 37% of permutations contain no fixed points.
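Added check, not from the solutions manual, of the counting results of 3.3b and 3.4: the two formulas are evaluated as written above and compared with exhaustive enumeration of the symmetric group S_N for small N, where the manual's "approximately 37%" is already visible.

```python
from itertools import permutations
from math import comb, factorial


def p_exact_fixed(N, t):
    """Problem 3.3b: Pr(a random permutation of N objects has exactly t fixed points)
    = (1/t!) * sum_{k=0}^{N-t} (-1)^k / k!"""
    return sum((-1) ** k / factorial(k) for k in range(N - t + 1)) / factorial(t)


def p_no_fixed(N):
    """Problem 3.4: inclusion-exclusion count of derangements divided by N!."""
    derangements = sum((-1) ** k * comb(N, k) * factorial(N - k) for k in range(N + 1))
    return derangements / factorial(N)


def brute_force(N, t):
    """Enumerate S_N and count permutations with exactly t fixed points."""
    hits = sum(1 for p in permutations(range(N))
               if sum(i == p[i] for i in range(N)) == t)
    return hits / factorial(N)


def derangement_table(max_n=8):
    """Fraction of fixed-point-free permutations for N = 1..max_n, to compare with 1/e."""
    return {n: round(p_no_fixed(n), 6) for n in range(1, max_n + 1)}
```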
3.5
    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
    0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
3.6 Main key K = 111…111 (56 bits)
Round keys K_1 = K_2 = … = K_16 = 1111..111 (48 bits)
Ciphertext C = 1111…111 (64 bits)
Input to the first round of decryption = LD_0 RD_0 = RE_16 LE_16 = IP(C) = 1111...111 (64 bits)
LD_0 = RD_0 = 1111...111 (32 bits)
Output of the first round of decryption = LD_1 RD_1
LD_1 = RD_0 = 1111…111 (32 bits)
Thus, the bits no. 1 and 16 of the output are equal to '1'.
RD_1 = LD_0 ⊕ F(RD_0, K_16)
We are looking for bits no. 1 and 16 of RD_1 (33 and 48 of the entire output).
Based on the analysis of the permutation P, bit 1 of F(RD_0, K_16) comes from the fourth output of the S-box S4, and bit 16 of F(RD_0, K_16) comes from the second output of the S-box S3. These bits are XOR-ed with 1's from the corresponding positions of LD_0.
Inside of the function F,
    E(RD_0) ⊕ K_16 = 0000…000 (48 bits),
and thus inputs to all eight S-boxes are equal to "000000".
Output from the S-box S4 = "0111", and thus the fourth output is equal to '1',
Output from the S-box S3 = "1010", and thus the second output is equal to '0'.
From here, after the XOR, the bit no. 33 of the first round output is equal to '0', and the bit no. 48 is equal to '1'.
3.7 In the solution given below the following general properties of the XOR function are used:
    A ⊕ 1 = A'
    (A ⊕ B)' = A' ⊕ B = A ⊕ B'
    A' ⊕ B' = A ⊕ B
where A' = the bitwise complement of A.
a. F(R_n, K_{n+1}) = 1.
We have
    L_{n+1} = R_n;  R_{n+1} = L_n ⊕ F(R_n, K_{n+1}) = L_n ⊕ 1 = L_n'
Thus
    L_{n+2} = R_{n+1} = L_n';  R_{n+2} = L_{n+1} = R_n'
i.e., after each two rounds we obtain the bit complement of the original input, and every four rounds we obtain back the original input:
    L_{n+4} = L_{n+2}' = L_n;  R_{n+4} = R_{n+2}' = R_n
Therefore,
    L_16 = L_0;  R_16 = R_0
An input to the inverse initial permutation is R_16 L_16.
Therefore, the transformation computed by the modified DES can be represented as follows:
    C = IP^{-1}(SWAP(IP(M))), where SWAP is a permutation exchanging the position of two halves of the input: SWAP(A, B) = (B, A).
This function is linear (and thus also affine). Actually, this is a permutation, the product of three permutations IP, SWAP, and IP^{-1}. This permutation is however different from the identity permutation.
b. F(R_n, K_{n+1}) = R_n'
We have
    L_{n+1} = R_n;  R_{n+1} = L_n ⊕ F(R_n, K_{n+1}) = L_n ⊕ R_n'
    L_{n+2} = R_{n+1} = L_n ⊕ R_n';  R_{n+2} = L_{n+1} ⊕ F(R_{n+1}, K_{n+2}) = R_n ⊕ (L_n ⊕ R_n')' = R_n ⊕ L_n ⊕ R_n'' = L_n
    L_{n+3} = R_{n+2} = L_n;  R_{n+3} = L_{n+2} ⊕ F(R_{n+2}, K_{n+3}) = (L_n ⊕ R_n') ⊕ L_n' = R_n'' = R_n
i.e., after each three rounds we come back to the original input.
    L_15 = L_0;  R_15 = R_0
and
    L_16 = R_0                  (1)
    R_16 = L_0 ⊕ R_0'           (2)
An input to the inverse initial permutation is R_16 L_16.
A function described by (1) and (2) is affine, as bitwise complement is affine, and the other transformations are linear.
The transformation computed by the modified DES can be represented as follows:
    C = IP^{-1}(FUN2(IP(M))), where FUN2(A, B) = (A ⊕ B', B).
This function is affine as a product of three affine functions.
In all cases decryption looks exactly the same as encryption.
3.8 a. First, pass the 64-bit input through PC-1 (Table 3.4a) to produce a 56-bit result. Then perform a left circular shift separately on the two 28-bit halves. Finally, pass the 56-bit result through PC-2 (Table 3.4b) to produce the 48-bit K_1:
    in binary notation:      0000 1011 0000 0010 0110 0111 1001 1011 0100 1001 1010 0101
    in hexadecimal notation: 0 B 0 2 6 7 9 B 4 9 A 5
b. L_0, R_0 are derived by passing the 64-bit plaintext through IP (Table 3.2a):
    L_0 = 1100 1100 0000 0000 1100 1100 1111 1111
    R_0 = 1111 0000 1010 1010 1111 0000 1010 1010
c. The E table (Table 3.2c) expands R_0 to 48 bits:
    E(R_0) = 011110 100001 010101 010101 011110 100001 010101 010101
d. A = 011100 010001 011100 110010 111000 010101 110011 110000
e. S1, row 00, column 1110: S1(0, 14) = 0 (base 10) = 0000 (base 2)
   S2, row 01, column 1000: S2(1, 8) = 12 (base 10) = 1100 (base 2)
   S3, row 00, column 1110: S3(0, 14) = 2 (base 10) = 0010 (base 2)
   S4, row 10, column 1001: S4(2, 9) = 1 (base 10) = 0001 (base 2)
   S5, row 10, column 1100: S5(2, 12) = 6 (base 10) = 0110 (base 2)
   S6, row 01, column 1010: S6(1, 10) = 13 (base 10) = 1101 (base 2)
   S7, row 11, column 1001: S7(3, 9) = 5 (base 10) = 0101 (base 2)
   S8, row 10, column 1000: S8(2, 8) = 0 (base 10) = 0000 (base 2)
f. B = 0000 1100 0010 0001 0110 1101 0101 0000
g. Using Table 3.2d, P(B) = 1001 0010 0001 1100 0010 0000 1001 1100
h. R_1 = 0101 1110 0001 1100 1110 1100 0110 0011
i. L_1 = R_0. The ciphertext is the concatenation of L_1 and R_1. Source: [MEYE82]
3.9 The reasoning for the Feistel cipher, as shown in Figure 3.6 applies in the case of DES. We only have to show the effect of the IP and IP^{-1} functions. For encryption, the input to the final IP^{-1} is RE_16 || LE_16. The output of that stage is the ciphertext. On decryption, the first step is to take the ciphertext and pass it through IP. Because IP is the inverse of IP^{-1}, the result of this operation is just RE_16 || LE_16, which is equivalent to LD_0 || RD_0. Then, we follow the same reasoning as with the Feistel cipher to reach a point where LE_0 = RD_16 and RE_0 = LD_16. Decryption is completed by passing LD_0 || RD_0 through IP^{-1}. Again, because IP is the inverse of IP^{-1}, passing the plaintext through IP as the first step of encryption yields LD_0 || RD_0, thus showing that decryption is the inverse of encryption.
3.10 a. Let us work this from the inside out.
    T16(L15 || R15) = L16 || R16
    T17(L16 || R16) = R16 || L16
    IP [IP^{-1}(R16 || L16)] = R16 || L16
    TD1(R16 || L16) = R15 || L15
b.  T16(L15 || R15) = L16 || R16
    IP [IP^{-1}(L16 || R16)] = L16 || R16
    TD1(R16 || L16) = R16 || L16 ⊕ f(R16, K16) ≠ L15 || R15
3.11 PC-1 is essentially the same as IP with every eighth bit eliminated. This would enable a similar type of implementation. Beyond that, there does not appear to be any particular cryptographic significance.

3.12
    Round number:  1  2  3  4  5  6  7  8  9 10 11 12 13 14 15 16
    Bits rotated:  0  1  2  2  2  2  2  2  1  2  2  2  2  2  2  1
3.13 a. The equality in the hint can be shown by listing all 1-bit possibilities:
    A  B  A ⊕ B  (A ⊕ B)'  A' ⊕ B
    0  0    0       1        1
    0  1    1       0        0
    1  0    1       0        0
    1  1    0       1        1
We also need the equality A ⊕ B = A' ⊕ B', which is easily seen to be true. Now, consider the two XOR operations in Figure 3.8. If the plaintext and key for an encryption are complemented, then the inputs to the first XOR are also complemented. The output, then, is the same as for the uncomplemented inputs. Further down, we see that only one of the two inputs to the second XOR is complemented, therefore, the output is the complement of the output that would be generated by uncomplemented inputs.
b. In a chosen plaintext attack, if for chosen plaintext X, the analyst can obtain Y_1 = E[K, X] and Y_2 = E[K, X'], then an exhaustive key search requires only 2^55 rather than 2^56 encryptions. To see this, note that (Y_2)' = E[K', X]. Now, pick a test value of the key T and perform E[T, X]. If the result is Y_1, then we know that T is the correct key. If the result is (Y_2)', then we know that T' is the correct key. If neither result appears, then we have eliminated two possible keys with one encryption.
3.14 The result can be demonstrated by tracing through the way in which the bits are used. An easy, but not necessary, way to see this is to number the 64 bits of the key as follows (read each vertical column of 2 digits as a number):
2113355-1025554-0214434-1123334-0012343-2021453-0202435-0110454-
1031975-1176107-2423401-7632789-7452553-0858846-6836043-9495226-
The first bit of the key is identified as 21, the second as 10, the third as 13, and so on. The eight bits that are not used in the calculation are unnumbered. The numbers 01 through 28 and 30 through 57 are used. The reason for this assignment is to clarify the way in which the subkeys are chosen. With this assignment, the subkey for the first iteration contains 48 bits, 01 through 24 and 30 through 53, in their natural numerical order. It is easy at this point to see that the first 24 bits of each subkey will always be from the bits designated 01 through 28, and the second 24 bits of each subkey will always be from the bits designated 30 through 57.
3.15 For 1 ≤ i ≤ 128, take c_i ∈ {0, 1}^128 to be the string containing a 1 in position i and then zeros elsewhere. Obtain the decryption of these 128 ciphertexts. Let m_1, m_2, . . . , m_128 be the corresponding plaintexts. Now, given any ciphertext c which does not consist of all zeros, there is a unique nonempty subset of the c_i's which we can XOR together to obtain c. Let I(c) ⊆ {1, 2, . . . , 128} denote this subset. Observe
$$c = \bigoplus_{i \in I(c)} c_i = \bigoplus_{i \in I(c)} E(m_i) = E\Big(\bigoplus_{i \in I(c)} m_i\Big)$$
Thus, we obtain the plaintext of c by computing $\bigoplus_{i \in I(c)} m_i$. Let 0 be the all-zero string. Note that 0 = 0 ⊕ 0. From this we obtain E(0) = E(0 ⊕ 0) = E(0) ⊕ E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we can decrypt every c ∈ {0, 1}^128.
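Added example, not from the solutions manual: the argument of 3.15 run on a constructed 16-bit "cipher" whose encryption is XOR-linear. `ToyLinearCipher` (rounds of a key-derived bit permutation plus two xorshift steps, all GF(2)-linear) is invented for this demonstration and has no relation to DES; `attack_by_basis` is the decryption procedure of the solution, using 16 unit-vector queries instead of 128, and `is_xor_linear` checks the property the argument depends on.

```python
import random

BITS = 16
MASK = (1 << BITS) - 1


def xorshift_inverse(y, shift, left):
    """Undo x ^= (x << shift) & MASK (left=True) or x ^= x >> shift.

    The shift operator L is nilpotent, so over GF(2)
    (I + L)^-1 = I + L + L^2 + ... and the series stops once the shift
    exceeds the word width.
    """
    x, k = y, shift
    while k < BITS:
        x ^= ((y << k) & MASK) if left else (y >> k)
        k += shift
    return x


class ToyLinearCipher:
    """Constructed, insecure block cipher: every step is GF(2)-linear,
    so E(a ^ b) == E(a) ^ E(b), which is exactly the weakness 3.15 exploits."""

    def __init__(self, key_seed, rounds=4):
        rng = random.Random(key_seed)          # the "key schedule" is just a seeded PRNG
        self.rounds = []
        for _ in range(rounds):
            perm = list(range(BITS))
            rng.shuffle(perm)
            self.rounds.append((perm, rng.randint(1, 7), rng.randint(1, 7)))

    @staticmethod
    def permute(x, perm):
        return sum(((x >> i) & 1) << perm[i] for i in range(BITS))

    def encrypt(self, x):
        for perm, s, t in self.rounds:
            x = self.permute(x, perm)
            x ^= (x << s) & MASK
            x ^= x >> t
        return x & MASK

    def decrypt(self, y):
        for perm, s, t in reversed(self.rounds):
            y = xorshift_inverse(y, t, left=False)
            y = xorshift_inverse(y, s, left=True)
            inverse_perm = [0] * BITS
            for i, p in enumerate(perm):
                inverse_perm[p] = i
            y = self.permute(y, inverse_perm)
        return y


def attack_by_basis(decrypt_oracle, ciphertext):
    """Problem 3.15 with n = BITS: decrypt the unit vectors c_i once, then the
    plaintext of any c is the XOR of the m_i over I(c), the positions where c
    has a 1 bit.  The all-zero block decrypts to 0 without any query."""
    basis = [decrypt_oracle(1 << i) for i in range(BITS)]
    m = 0
    for i in range(BITS):
        if (ciphertext >> i) & 1:
            m ^= basis[i]
    return m


def is_xor_linear(encrypt, samples=200, seed=0):
    """Sanity check of E(a ^ b) == E(a) ^ E(b) and E(0) == 0 on random inputs."""
    rng = random.Random(seed)
    for _ in range(samples):
        a, b = rng.getrandbits(BITS), rng.getrandbits(BITS)
        if encrypt(a ^ b) != encrypt(a) ^ encrypt(b):
            return False
    return encrypt(0) == 0
```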
3.16 a. This adds nothing to the security of the algorithm. There is a one-to-one reversible relationship between the 10-bit key and the output of the P10 function. If we consider the output of the P10 function as a new key, then there are still 2^10 different unique keys.
b. By the same reasoning as (a), this adds nothing to the security of the algorithm.

3.17 s = wxyz + wxy + wyz + wy + wz + yz + w + x + z
     t = wxz + wyz + wz + xz + yz + w + y

3.18 OK
CHAPTER 4
FINITE FIELDS
ANSWERS TO QUESTIONS
4.1 A group is a set of elements that is closed under a binary operation and that is associative and that includes an identity element and an inverse element.
4.2 A ring is a set of elements that is closed under two binary operations, addition and multiplication, with the following: the addition operation is a group that is commutative; the multiplication operation is associative and is distributive over the addition operation.
4.3 A field is a ring in which the multiplication operation is commutative, has no zero divisors, and includes an identity element and an inverse element.
4.4 A nonzero b is a divisor of a if a = mb for some m, where a, b, and m are integers. That is, b is a divisor of a if there is no remainder on division.
4.5 In modular arithmetic, all arithmetic operations are performed modulo some integer.
4.6 (1) Ordinary polynomial arithmetic, using the basic rules of algebra. (2) Polynomial arithmetic in which the arithmetic on the coefficients is performed over a finite field; that is, the coefficients are elements of the finite field. (3) Polynomial arithmetic in which the coefficients are elements of a finite field, and the polynomials are defined modulo a polynomial m(x) whose highest power is some integer n.
ANSWERS TO PROBLEMS
4.1 a. n!
b. We can do this by example. Consider the set S_3. We have {0, 2, 1} × {1, 0, 2} = {2, 0, 1}, but {1, 0, 2} × {0, 2, 1} = {0, 1, 2}.
4.2 Here are the addition and multiplication tables
+ | 0 1 2        × | 0 1 2
0 | 0 1 2        0 | 0 0 0
1 | 1 2 0        1 | 0 1 2
2 | 2 0 1        2 | 0 2 1
a. Yes. The identity element is 0, and the inverses of 0, 1, 2 are respectively 0, 2, 1.
b. No. The identity element is 1, but 0 has no inverse.
4.3 S is a ring. We show using the axioms in Figure 4.1:
(A1) Closure: The sum of any two elements in S is also in S.
(A2) Associative: S is associative under addition, by observation.
(A3) Identity element: a is the additive identity element for addition.
(A4) Inverse element: The additive inverses of a and b are b and a, respectively.
(A5) Commutative: S is commutative under addition, by observation.
(M1) Closure: The product of any two elements in S is also in S.
(M2) Associative: S is associative under multiplication, by observation.
(M3) Distributive laws: S is distributive with respect to the two operations, by observation.
4.4 The equation is the same. For integer a < 0, a will either be an integer multiple of n or fall between two consecutive multiples qn and (q + 1)n, where q < 0. The remainder satisfies the condition 0 ≤ r ≤ n.
4.5 In this diagram, q is a negative integer.
[Figure: number line for a negative a, with the points 0, –n, –2n, –3n, qn, (q – 1)n marked, a lying between qn and (q – 1)n, and r the distance from qn to a.]
4.6 a. 2 b. 3 c. 4 There are other correct answers.
4.7 Section 4.2 defines the relationship: a = n × ⌊a/n⌋ + (a mod n). Thus, we can define the mod operator as: a mod n = a – n × ⌊a/n⌋.
a. 5 mod 3 = 5 – 3 ⌊5/3⌋ = 2
b. 5 mod –3 = 5 – (–3) ⌊5/(–3)⌋ = –1
c. –5 mod 3 = –5 – 3 ⌊(–5)/3⌋ = 1
d. –5 mod –3 = –5 – (–3) ⌊(–5)/(–3)⌋ = –2
This example is from [GRAH94].
4.8 a = b
4.9 Recall Figure 4.2 and that any integer a can be written in the form
a = qn + r
where q is some integer and r one of the numbers
0, 1, 2, ..., n – 1
Using the second definition, no two of the remainders in the above list are congruent (mod n), because the difference between them is less than n and therefore n does not divide that difference. Therefore, two numbers that are not congruent (mod n) must have different remainders. So we conclude that n divides (a – b) if and only if a and b are numbers that have the same remainder when divided by n.
4.10 1, 2, 4, 6, 16, 12
4.11 a. This is the definition of congruence as used in Section 4.2.
b. The first two statements mean
a – b = nk; b – c = nm
so that
a – c = (a – b) + (b – c) = n(k + m)
4.12 a. Let c = a mod n and d = b mod n. Then
c = a + kn; d = b + mn; c – d = (a – b) + (k – m)n.
Therefore (c – d) = (a – b) mod n
b. Using the definitions of c and d from part (a),
cd = ab + n(kb + ma + kmn)
Therefore cd = (a × b) mod n
4.13 1^–1 = 1, 2^–1 = 3, 3^–1 = 2, 4^–1 = 4
4.14 We have 1 ≡ 1 (mod 9); 10 ≡ 1 (mod 9); 10^2 ≡ 10(10) ≡ 1(1) ≡ 1 (mod 9); 10^(n–1) ≡ 1 (mod 9). Express N as a_0 + a_1 × 10^1 + ... + a_(n–1) × 10^(n–1). Then N ≡ a_0 + a_1 + ... + a_(n–1) (mod 9).
4.15 a. gcd(24140, 16762) = gcd(16762, 7378) = gcd(7378, 2006) = gcd(2006, 1360) = gcd(1360, 646) = gcd(646, 68) = gcd(68, 34) = gcd(34, 0) = 34
b. 35
4.16 a. We want to show that m > 2r. This is equivalent to qn + r > 2r, which is equivalent to qn > r. Since n > r, we must have qn > r.
b. If you study the pseudocode for Euclid's algorithm in the text, you can see that the relationship defined by Euclid's algorithm can be expressed as
A_i = q_(i+1) A_(i+1) + A_(i+2)
The relationship A_(i+2) < A_i/2 follows immediately from (a).
c. From (b), we see that A_3 < 2^–1 A_1, that A_5 < 2^–1 A_3 < 2^–2 A_1, and in general that A_(2j+1) < 2^–j A_1 for all integers j such that 1 < 2j + 1 ≤ k + 2, where k is the number of steps in the algorithm. If k is odd, we take j = (k + 1)/2 to obtain N > (k + 1)/2, and if k is even, we take j = k/2 to obtain N > k/2. In either case k < 2N.
4.17 a. Euclid: gcd(2152, 764) = gcd(764, 624) = gcd(624, 140) = gcd(140, 64) = gcd(64, 12) = gcd(12, 4) = gcd(4, 0) = 4
Stein: A_1 = 2152, B_1 = 764, C_1 = 1; A_2 = 1076, B_2 = 382, C_2 = 2; A_3 = 538, B_3 = 191, C_3 = 4; A_4 = 269, B_4 = 191, C_4 = 4; A_5 = 78, B_5 = 191, C_5 = 4; A_5 = 39, B_5 = 191, C_5 = 4; A_6 = 152, B_6 = 39, C_6 = 4; A_7 = 76, B_7 = 39, C_7 = 4; A_8 = 38, B_8 = 39, C_8 = 4; A_9 = 19, B_9 = 39, C_9 = 4; A_10 = 20, B_10 = 19, C_10 = 4; A_11 = 10, B_11 = 19, C_11 = 4; A_12 = 5, B_12 = 19, C_12 = 4; A_13 = 14, B_13 = 5, C_13 = 4; A_14 = 7, B_14 = 5, C_14 = 4; A_15 = 2, B_15 = 5, C_15 = 4; A_16 = 1, B_16 = 5, C_16 = 4; A_17 = 4, B_17 = 1, C_17 = 4; A_18 = 2, B_18 = 1, C_18 = 4; A_19 = 1, B_19 = 1, C_19 = 4; gcd(2152, 764) = 1 × 4 = 4
b. Euclid's algorithm requires a "long division" at each step whereas the Stein algorithm only requires division by 2, which is a simple operation in binary arithmetic.
4.18 a. If A_n and B_n are both even, then 2 × gcd(A_(n+1), B_(n+1)) = gcd(A_n, B_n). But C_(n+1) = 2C_n, and therefore the relationship holds.
If one of A_n and B_n is even and one is odd, then dividing the even number does not change the gcd. Therefore, gcd(A_(n+1), B_(n+1)) = gcd(A_n, B_n). But C_(n+1) = C_n, and therefore the relationship holds.
If both A_n and B_n are odd, we can use the following reasoning based on the rules of modular arithmetic. Let D = gcd(A_n, B_n). Then D divides |A_n – B_n| and D divides min(A_n, B_n). Therefore, gcd(A_(n+1), B_(n+1)) = gcd(A_n, B_n). But C_(n+1) = C_n, and therefore the relationship holds.
b. If at least one of A_n and B_n is even, then at least one division by 2 occurs to produce A_(n+1) and B_(n+1). Therefore, the relationship is easily seen to hold. Suppose that both A_n and B_n are odd; then A_(n+1) is even; in that case the relationship obviously holds.
c. By the result of (b), every 2 iterations reduces the AB product by a factor of 2. The AB product starts out at < 2^(2N). There are at most log(2^(2N)) = 2N pairs of iterations, or at most 4N iterations.
d. At the very beginning, we have A_1 = A, B_1 = B, and C_1 = 1. Therefore C_1 × gcd(A_1, B_1) = gcd(A, B). Then, by (a), C_2 × gcd(A_2, B_2) = C_1 × gcd(A_1, B_1) = gcd(A, B). Generalizing, C_n × gcd(A_n, B_n) = gcd(A, B). The algorithm stops when A_n = B_n. But, for A_n = B_n, gcd(A_n, B_n) = A_n. Therefore, C_n × gcd(A_n, B_n) = C_n × A_n = gcd(A, B).
4.19 a. 3239
b. gcd(40902, 24140) = 34 ≠ 1, so there is no multiplicative inverse.
c. 550
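Euclid's algorithm, the Stein algorithm as specified in Problem 4.17, and the extended Euclidean algorithm that yields the inverses of Problem 4.19, as an added example (not the manual's own code); the numbers in the assertions are the ones worked above.

```python
# Added example (not from the manual): Euclid's algorithm, Stein's binary gcd
# with the (A_n, B_n, C_n) bookkeeping of Problem 4.17, and the extended
# Euclidean algorithm behind the multiplicative inverses of Problem 4.19.


def euclid_trace(a, b):
    """All (a, b) pairs Euclid's algorithm visits, ending with (gcd, 0)."""
    trace = [(a, b)]
    while b:
        a, b = b, a % b
        trace.append((a, b))
    return trace


def stein_trace(a, b):
    """Stein's algorithm: halve the even value(s), doubling C only when both
    are even; when both are odd replace them by |A - B| and min(A, B);
    stop when A_n == B_n, at which point gcd(A, B) = A_n * C_n."""
    a_n, b_n, c_n = a, b, 1
    trace = [(a_n, b_n, c_n)]
    while a_n != b_n:
        if a_n % 2 == 0 and b_n % 2 == 0:
            a_n, b_n, c_n = a_n // 2, b_n // 2, 2 * c_n
        elif a_n % 2 == 0:
            a_n //= 2
        elif b_n % 2 == 0:
            b_n //= 2
        else:
            a_n, b_n = abs(a_n - b_n), min(a_n, b_n)
        trace.append((a_n, b_n, c_n))
    return trace


def stein_gcd(a, b):
    a_n, _, c_n = stein_trace(a, b)[-1]
    return a_n * c_n


def extended_euclid(a, b):
    """Return (d, x, y) with d = gcd(a, b) and a*x + b*y = d."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def mod_inverse(a, n):
    """a^-1 mod n, or None when gcd(a, n) != 1 (the case of Problem 4.19b)."""
    d, x, _ = extended_euclid(a % n, n)
    return x % n if d == 1 else None
```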
4.20
+ | 0 1 2 3 4
0 | 0 1 2 3 4
1 | 1 2 3 4 0
2 | 2 3 4 0 1
3 | 3 4 0 1 2
4 | 4 0 1 2 3

× | 0 1 2 3 4 | w  –w  w^–1
0 | 0 0 0 0 0 | 0   0   —
1 | 0 1 2 3 4 | 1   4   1
2 | 0 2 4 1 3 | 2   3   3
3 | 0 3 1 4 2 | 3   2   2
4 | 0 4 3 2 1 | 4   1   4
4.21 Let S be the set of polynomials whose coefficients form a field F. Recall that addition is defined as follows: For
$$f(x) = \sum_{i=0}^{n} a_i x^i;\quad g(x) = \sum_{i=0}^{m} b_i x^i;\quad n \ge m$$
then addition is defined as:
$$f(x) + g(x) = \sum_{i=0}^{m} (a_i + b_i) x^i + \sum_{i=m+1}^{n} a_i x^i$$
Using the axioms in Figure 4.1, we now examine the addition operation:
(A1) Closure: The sum of any two elements in S is also in S. This is so because the sum of any two coefficients is also a valid coefficient, because F is a field.
(A2) Associative: S is associative under addition. This is so because coefficient addition is associative.
(A3) Identity element: 0 is the additive identity element for addition.
(A4) Inverse element: The additive inverse of a polynomial f(x) is a polynomial with the coefficients –a_i.
(A5) Commutative: S is commutative under addition. This is so because coefficient addition is commutative.
Multiplication is defined as follows:
$$f(x) \times g(x) = \sum_{i=0}^{n+m} c_i x^i$$
where
$$c_k = a_0 b_k + a_1 b_{k-1} + \cdots + a_{k-1} b_1 + a_k b_0$$
In the last formula, we treat a_i as zero for i > n and b_i as zero for i > m.
(M1) Closure: The product of any two elements in S is also in S. This is so because the product of any two coefficients is also a valid coefficient, because F is a field.
(M2) Associative: S is associative under multiplication. This is so because coefficient multiplication is associative.
(M3) Distributive laws: S is distributive with respect to the two operations, by the field properties of the coefficients.
4.22 a. True. To see this, consider the equation for c_k, above, for k = n + m, where f(x) and g(x) are monic. The only nonzero term on the right of the equation is a_n b_m, which has the value 1.
b. True. We have c_(n+m) = a_n b_m ≠ 0.
c. True when m ≠ n; in that case the highest degree coefficient is of degree max[m, n]. But false in general when m = n, because the highest-degree coefficients might cancel (be additive inverses).
4.23 a. 9x^2 + 7x + 7
b. 5x^3 + 7x^2 + 2x + 6
4.24 a. Reducible: (x + 1)(x^2 + x + 1)
b. Irreducible. If you could factor this polynomial, one factor would be either x or (x + 1), which would give you a root of x = 0 or x = 1 respectively. By substitution of 0 and 1 into this polynomial, it clearly has no roots.
c. Reducible: (x + 1)^4
4.25 a. 1
b. 1
c. x + 1
d. x + 78 Source: [KOBL94]
4.26 Polynomial Arithmetic Modulo (x^2 + x + 1):
  +  |        000   001   010   011
     |        0     1     x     x+1
000  0     |  0     1     x     x+1
001  1     |  1     0     x+1   x
010  x     |  x     x+1   0     1
011  x+1   |  x+1   x     1     0

  ×  |        000   001   010   011
     |        0     1     x     x+1
000  0     |  0     0     0     0
001  1     |  0     1     x     x+1
010  x     |  0     x     x+1   1
011  x+1   |  0     x+1   1     x
4.27 x^2 + 1
4.28 Generator for GF(2^4) using x^4 + x + 1
Power Representation | Polynomial Representation | Binary Representation | Decimal (Hex) Representation
0                    | 0                         | 0000                  | 0
g^0 (= g^15)         | 1                         | 0001                  | 1
g^1                  | g                         | 0010                  | 2
g^2                  | g^2                       | 0100                  | 4
g^3                  | g^3                       | 1000                  | 8
g^4                  | g + 1                     | 0011                  | 3
g^5                  | g^2 + g                   | 0110                  | 6
g^6                  | g^3 + g^2                 | 1100                  | 12
g^7                  | g^3 + g + 1               | 1011                  | 11
g^8                  | g^2 + 1                   | 0101                  | 5
g^9                  | g^3 + g                   | 1010                  | 10
g^10                 | g^2 + g + 1               | 0111                  | 7
g^11                 | g^3 + g^2 + g             | 1110                  | 14
g^12                 | g^3 + g^2 + g + 1         | 1111                  | 15
g^13                 | g^3 + g^2 + 1             | 1101                  | 13
g^14                 | g^3 + 1                   | 1001                  | 9
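Polynomial arithmetic over GF(2) modulo an irreducible polynomial, regenerating the GF(2^4) generator table above and the x^2 + x + 1 tables of Problem 4.26, as an added example (not from the manual). Polynomials are represented as integers whose bit i is the coefficient of x^i, an encoding chosen here for illustration.

```python
# Added example (not from the manual): arithmetic in GF(2^n) with polynomial
# coefficients over GF(2), used to regenerate the GF(2^4) generator table for
# x^4 + x + 1 (Problem 4.28) and the tables mod x^2 + x + 1 (Problem 4.26).
# A polynomial is an int whose bit i is the coefficient of x^i.


def gf_mul(a, b, modulus, degree):
    """Multiply a and b modulo `modulus` (an irreducible polynomial of the
    given degree): shift-and-add, reducing whenever x^degree appears."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if (a >> degree) & 1:
            a ^= modulus
    return result


def poly_str(p, var="x"):
    """Render 0b1011 with var 'g' as 'g^3 + g + 1'."""
    if p == 0:
        return "0"
    terms = []
    for i in range(p.bit_length() - 1, -1, -1):
        if (p >> i) & 1:
            terms.append("1" if i == 0 else var if i == 1 else f"{var}^{i}")
    return " + ".join(terms)


def powers_of(g, modulus, degree):
    """g^0, g^1, ... until the sequence returns to 1 (g must be nonzero)."""
    powers, value = [], 1
    while True:
        powers.append(value)
        value = gf_mul(value, g, modulus, degree)
        if value == 1:
            return powers


def is_generator(g, modulus, degree):
    """g generates the multiplicative group iff its order is 2^degree - 1."""
    return len(powers_of(g, modulus, degree)) == (1 << degree) - 1


def generator_table(modulus, degree, g=0b10):
    """Rows (power, polynomial, binary, decimal) like the table above."""
    return [(k, poly_str(v, "g"), format(v, f"0{degree}b"), v)
            for k, v in enumerate(powers_of(g, modulus, degree))]


def inverse_via_table(a, modulus, degree, g=0b10):
    """If a = g^k then a^-1 = g^(order - k): the generator table gives
    inverses without an extended Euclid over polynomials."""
    powers = powers_of(g, modulus, degree)
    k = powers.index(a)
    return powers[(len(powers) - k) % len(powers)]


def mult_table(modulus, degree):
    """Full multiplication table, e.g. for x^2 + x + 1 (modulus 0b111)."""
    size = 1 << degree
    return [[gf_mul(a, b, modulus, degree) for b in range(size)] for a in range(size)]
```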
CHAPTER 5
ADVANCED ENCRYPTION STANDARD
ANSWERS TO QUESTIONS
5.1 Security: Actual security; randomness; soundness, other security factors.
Cost: Licensing requirements; computational efficiency; memory requirements.
Algorithm and Implementation Characteristics: Flexibility; hardware and software suitability; simplicity.
5.2 General security; software implementations; restricted-space environments; hardware implementations; attacks on implementations; encryption vs. decryption; key agility; other versatility and flexibility; potential for instruction-level parallelism.
5.3 The basic idea behind power analysis is the observation that the power consumed by a smart card at any particular time during the cryptographic operation is related to the instruction being executed and to the data being processed.
5.4 Rijndael allows for block lengths of 128, 192, or 256 bits. AES allows only a block length of 128 bits.
5.5 The State array holds the intermediate results on the 128-bit block at each stage in the processing.
5.6 1. Initialize the S-box with the byte values in ascending sequence row by row. The first row contains {00}, {01}, {02}, etc.; the second row contains {10}, {11}, etc.; and so on. Thus, the value of the byte at row x, column y is {xy}.
2. Map each byte in the S-box to its multiplicative inverse in the finite field GF(2^8); the value {00} is mapped to itself.
3. Consider that each byte in the S-box consists of 8 bits labeled (b7, b6, b5, b4, b3, b2, b1, b0). Apply the following transformation to each bit of each byte in the S-box:
$$b'_i = b_i \oplus b_{(i+4) \bmod 8} \oplus b_{(i+5) \bmod 8} \oplus b_{(i+6) \bmod 8} \oplus b_{(i+7) \bmod 8} \oplus c_i$$
where c_i is the ith bit of byte c with the value {63}; that is, (c7 c6 c5 c4 c3 c2 c1 c0) = (01100011). The prime (') indicates that the variable is to be updated by the value on the right.
5.7 Each individual byte of State is mapped into a new byte in the following way: The leftmost 4 bits of the byte are used as a row value and the rightmost 4 bits are used as a column value. These row and column values serve as indexes into the S-box to select a unique 8-bit output value.
5.8 The first row of State is not altered. For the second row, a 1-byte circular left shift is performed. For the third row, a 2-byte circular left shift is performed. For the fourth row, a 3-byte circular left shift is performed.
5.9 12 bytes.
5.10 MixColumns operates on each column individually. Each byte of a column is mapped into a new value that is a function of all four bytes in that column.
5.11 The 128 bits of State are bitwise XORed with the 128 bits of the round key.
5.12 The AES key expansion algorithm takes as input a 4-word (16-byte) key and produces a linear array of 44 words (156 bytes). The expansion is defined by the pseudocode in Section 5.2.
5.13 SubBytes operates on State, with each byte mapped into a new byte using the S-box. SubWord operates on an input word, with each byte mapped into a new byte using the S-box.
5.14 ShiftRows is described in the answer to Question 5.8. RotWord performs a one-byte circular left shift on a word; thus it is equivalent to the operation of ShiftRows on the second row of State.
5.15 For the AES decryption algorithm, the sequence of transformations for decryption differs from that for encryption, although the form of the key schedules for encryption and decryption is the same. The equivalent version has the same sequence of transformations as the encryption algorithm (with transformations replaced by their inverses). To achieve this equivalence, a change in key schedule is needed.
ANSWERS TO PROBLEMS
5.1 We want to show that d(x) = a(x) × b(x) mod (x^4 + 1) = 1. Substituting into Equation (5.12) in Appendix 5A, we have:
$$\begin{bmatrix} d_0 \\ d_1 \\ d_2 \\ d_3 \end{bmatrix} = \begin{bmatrix} a_0 & a_3 & a_2 & a_1 \\ a_1 & a_0 & a_3 & a_2 \\ a_2 & a_1 & a_0 & a_3 \\ a_3 & a_2 & a_1 & a_0 \end{bmatrix} \begin{bmatrix} b_0 \\ b_1 \\ b_2 \\ b_3 \end{bmatrix} = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} 0E \\ 09 \\ 0D \\ 0B \end{bmatrix} = \begin{bmatrix} 1 \\ 0 \\ 0 \\ 0 \end{bmatrix}$$
But this is the same set of equations discussed in the subsection on the MixColumn transformation:
({0E} • {02}) ⊕ {0B} ⊕ {0D} ⊕ ({09} • {03}) = {01}
({09} • {02}) ⊕ {0E} ⊕ {0B} ⊕ ({0D} • {03}) = {00}
({0D} • {02}) ⊕ {09} ⊕ {0E} ⊕ ({0B} • {03}) = {00}
({0B} • {02}) ⊕ {0D} ⊕ {09} ⊕ ({0E} • {03}) = {00}
The first equation is verified in the text. For the second equation, we have {09} • {02} = 00010010; and {0D} • {03} = {0D} ⊕ ({0D} • {02}) = 00001101 ⊕ 00011010 = 00010111. Then
{09} • {02} = 00010010
{0E}        = 00001110
{0B}        = 00001011
{0D} • {03} = 00010111
              --------
              00000000
For the third equation, we have {0D} • {02} = 00011010; and {0B} • {03} = {0B} ⊕ ({0B} • {02}) = 00001011 ⊕ 00010110 = 00011101. Then
{0D} • {02} = 00011010
{09}        = 00001001
{0E}        = 00001110
{0B} • {03} = 00011101
              --------
              00000000
For the fourth equation, we have {0B} • {02} = 00010110; and {0E} • {03} = {0E} ⊕ ({0E} • {02}) = 00001110 ⊕ 00011100 = 00010010. Then
{0B} • {02} = 00010110
{0D}        = 00001101
{09}        = 00001001
{0E} • {03} = 00010010
              --------
              00000000
5.2 a. {01}
b. We need to show that the transformation defined by Equation 5.2, when applied to {01}^–1, produces the correct entry in the S-box. We have
$$\begin{bmatrix} 1 & 0 & 0 & 0 & 1 & 1 & 1 & 1 \\ 1 & 1 & 0 & 0 & 0 & 1 & 1 & 1 \\ 1 & 1 & 1 & 0 & 0 & 0 & 1 & 1 \\ 1 & 1 & 1 & 1 & 0 & 0 & 0 & 1 \\ 1 & 1 & 1 & 1 & 1 & 0 & 0 & 0 \\ 0 & 1 & 1 & 1 & 1 & 1 & 0 & 0 \\ 0 & 0 & 1 & 1 & 1 & 1 & 1 & 0 \\ 0 & 0 & 0 & 1 & 1 & 1 & 1 & 1 \end{bmatrix} \begin{bmatrix} 1 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \\ 0 \end{bmatrix} \oplus \begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix} = \begin{bmatrix} 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \\ 0 \\ 0 \end{bmatrix} \oplus \begin{bmatrix} 1 \\ 1 \\ 0 \\ 0 \\ 0 \\ 1 \\ 1 \\ 0 \end{bmatrix} = \begin{bmatrix} 0 \\ 0 \\ 1 \\ 1 \\ 1 \\ 1 \\ 1 \\ 0 \end{bmatrix}$$
The result is {7C}, which is the same as the value for {01} in the S-box (Table 5.4a).
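The S-box construction described in the answer to Question 5.6, with the {01} → {7C} check of Problem 5.2 above, as an added example that is not the manual's code. The inverse in GF(2^8) is computed as a^254 by square-and-multiply (one of several equivalent ways; the manual does not prescribe one).

```python
# Added example (not from the manual): building the AES S-box exactly as the
# three steps in the answer to Question 5.6, and checking the {01} -> {7C}
# computation of Problem 5.2 and the S-box lookups used in Problem 5.4.

AES_MODULUS = 0x11B  # x^8 + x^4 + x^3 + x + 1


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES modulus."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_MODULUS
    return result


def gf_inverse(a):
    """Multiplicative inverse; {00} maps to itself (step 2). Uses
    a^-1 = a^254 by square-and-multiply."""
    if a == 0:
        return 0
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result


def affine(b, c=0x63):
    """Step 3: b'_i = b_i ^ b_(i+4) ^ b_(i+5) ^ b_(i+6) ^ b_(i+7) ^ c_i,
    indices mod 8, with c = {63} = 01100011."""
    out = 0
    for i in range(8):
        bit = (b >> i) ^ (c >> i)
        for k in (4, 5, 6, 7):
            bit ^= b >> ((i + k) % 8)
        out |= (bit & 1) << i
    return out


def sbox_entry(x):
    return affine(gf_inverse(x))


def build_sbox():
    """Step 1 is the identity ordering: the entry at row x, column y holds
    {xy}, so the table index is the byte value itself."""
    return [sbox_entry(x) for x in range(256)]


def sub_byte(sbox, value):
    """Question 5.7: the high nibble selects the row, the low nibble the column."""
    row, col = value >> 4, value & 0x0F
    return sbox[row * 16 + col]


def inverse_sbox(sbox):
    inv = [0] * 256
    for x, y in enumerate(sbox):
        inv[y] = x
    return inv
```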
5.3 w(0) = {00 00 00 00}; w(1) = {00 00 00 00}; w(2) = {00 00 00 00}; w(3) = {00 00 00 00}; w(4) = {62 63 63 63}; w(5) = {62 63 63 63}; w(6) = {62 63 63 63}; w(7) = {62 63 63 63}
5.4
a.            b.            c.            d.            e.
00 04 08 0C   01 05 09 0D   7C 6B 01 D7   7C 6B 01 D7   75 87 0F A2
01 05 09 0D   00 04 08 0C   63 F2 30 FE   F2 30 FE 63   55 E6 04 22
02 06 0A 0E   03 07 0B 0F   7B C5 2B 76   2B 76 7B C5   3E 2E B8 8C
03 07 0B 0F   02 06 0A 0E   77 6F 67 AB   AB 77 6F 67   10 15 58 3A
5.5 It is easy to see that x^4 mod (x^4 + 1) = 1. This is so because we can write:
x^4 = [1 × (x^4 + 1)] + 1
Recall that the addition operation is XOR. Then,
x^8 mod (x^4 + 1) = [x^4 mod (x^4 + 1)] × [x^4 mod (x^4 + 1)] = 1 × 1 = 1
So, for any positive integer a, x^(4a) mod (x^4 + 1) = 1. Now consider any integer i of the form i = 4a + (i mod 4). Then,
x^i mod (x^4 + 1) = [(x^(4a)) × (x^(i mod 4))] mod (x^4 + 1)
= [x^(4a) mod (x^4 + 1)] × [x^(i mod 4) mod (x^4 + 1)] = x^(i mod 4)
The same result can be demonstrated using long division.
5.6 a. AddRoundKey
b. The MixColumn step, because this is where the different bytes interact with each other.
c. The ByteSub step, because it contributes nonlinearity to AES.
d. The ShiftRow step, because it permutes the bytes.
e. There is no wholesale swapping of rows or columns. AES does not require this step because: The MixColumn step causes every byte in a column to alter every other byte in the column, so there is no need to swap rows; The ShiftRow step moves bytes from one column to another, so there is no need to swap columns.
Source: These observations were made by John Savard
5.7 The primary issue is to assure that multiplications take a constant amount of time, independent of the value of the argument. This can be done by adding no-operation cycles as needed to make the times uniform.
5.8
$$\begin{bmatrix} e_{0,j} \\ e_{1,j} \\ e_{2,j} \\ e_{3,j} \end{bmatrix} = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \otimes \begin{bmatrix} S[a_{0,j}] \\ S[a_{1,j-1}] \\ S[a_{2,j-2}] \\ S[a_{3,j-3}] \end{bmatrix} \oplus \begin{bmatrix} k_{0,j} \\ k_{1,j} \\ k_{2,j} \\ k_{3,j} \end{bmatrix}$$
5.9 Input = 67 89 AB CD.
$$\text{Output} = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \otimes \begin{bmatrix} 67 \\ 89 \\ AB \\ CD \end{bmatrix} = \begin{bmatrix} (02 \cdot 67) \oplus (03 \cdot 89) \oplus AB \oplus CD \\ 67 \oplus (02 \cdot 89) \oplus (03 \cdot AB) \oplus CD \\ 67 \oplus 89 \oplus (02 \cdot AB) \oplus (03 \cdot CD) \\ (03 \cdot 67) \oplus 89 \oplus AB \oplus (02 \cdot CD) \end{bmatrix} = \begin{bmatrix} CE \oplus 80 \oplus AB \oplus CD \\ 67 \oplus 09 \oplus E6 \oplus CD \\ 67 \oplus 89 \oplus 4D \oplus 4C \\ A9 \oplus 89 \oplus AB \oplus 81 \end{bmatrix} = \begin{bmatrix} 28 \\ 45 \\ EF \\ 0A \end{bmatrix}$$
Verification with the Inverse Mix Column transformation gives
$$\text{Input}' = \begin{bmatrix} 0E & 0B & 0D & 09 \\ 09 & 0E & 0B & 0D \\ 0D & 09 & 0E & 0B \\ 0B & 0D & 09 & 0E \end{bmatrix} \otimes \begin{bmatrix} 28 \\ 45 \\ EF \\ 0A \end{bmatrix} = \begin{bmatrix} 67 \\ 89 \\ AB \\ CD \end{bmatrix}$$
After changing one bit in the input,
Input' = 77 89 AB CD,
and the corresponding output
$$\text{Output}' = \begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \otimes \begin{bmatrix} 77 \\ 89 \\ AB \\ CD \end{bmatrix} = \begin{bmatrix} EE \oplus 80 \oplus AB \oplus CD \\ 77 \oplus 09 \oplus E6 \oplus CD \\ 77 \oplus 89 \oplus 4D \oplus 4C \\ 99 \oplus 89 \oplus AB \oplus 81 \end{bmatrix} = \begin{bmatrix} 08 \\ 55 \\ FF \\ 3A \end{bmatrix}$$
The number of bits that changed in the output as a result of a single-bit change in the input is 5.
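MixColumns and InvMixColumns on one state column, reproducing the numbers of Problem 5.9 and the inverse-matrix identity behind Problem 5.1, as an added example that is not the manual's code.

```python
# Added example (not from the manual): MixColumns / InvMixColumns on a
# single state column, reproducing the Problem 5.9 numbers (input 67 89 AB CD
# and its one-bit variant) and the matrix identity argued in Problem 5.1.
from functools import reduce

AES_MODULUS = 0x11B
MIX = [[0x02, 0x03, 0x01, 0x01],
       [0x01, 0x02, 0x03, 0x01],
       [0x01, 0x01, 0x02, 0x03],
       [0x03, 0x01, 0x01, 0x02]]
INV_MIX = [[0x0E, 0x0B, 0x0D, 0x09],
           [0x09, 0x0E, 0x0B, 0x0D],
           [0x0D, 0x09, 0x0E, 0x0B],
           [0x0B, 0x0D, 0x09, 0x0E]]
IDENTITY = [[int(i == j) for j in range(4)] for i in range(4)]


def gf_mul(a, b):
    """Multiplication in GF(2^8) with the AES modulus x^8+x^4+x^3+x+1."""
    result = 0
    for _ in range(8):
        if b & 1:
            result ^= a
        b >>= 1
        a <<= 1
        if a & 0x100:
            a ^= AES_MODULUS
    return result


def mat_vec(matrix, column):
    """matrix (x) column: products in GF(2^8), sums are XOR."""
    return [reduce(lambda acc, t: acc ^ gf_mul(*t), zip(row, column), 0)
            for row in matrix]


def mat_mat(a, b):
    """4x4 matrix product over GF(2^8) (used to check INV_MIX * MIX = I)."""
    return [[reduce(lambda acc, k: acc ^ gf_mul(a[i][k], b[k][j]), range(4), 0)
             for j in range(4)] for i in range(4)]


def mix_column(column):
    return mat_vec(MIX, column)


def inv_mix_column(column):
    return mat_vec(INV_MIX, column)


def bits_changed(col1, col2):
    """Hamming distance between two columns (the avalanche count of 5.9)."""
    return sum(bin(x ^ y).count("1") for x, y in zip(col1, col2))
```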
5.10 Key expansion:
w0 = 1010 0111  w1 = 0011 1011  w2 = 0001 1100  w3 = 0010 0111
w4 = 0111 0110  w5 = 0101 0001
Round 0:
After Add round key: 1100 1000 0101 0000
Round 1:
After Substitute nibbles: 1100 0110 0001 1001
After Shift rows: 1100 1001 0001 0110
After Mix columns: 1110 1100 1010 0010
After Add round key: 1110 1100 1010 0010
Round 2:
After Substitute nibbles: 1111 0000 1000 0101
After Shift rows: 0111 0001 0110 1001
After Add round key: 0000 0111 0011 1000
5.11
$$\begin{bmatrix} x^3 + 1 & x \\ x & x^3 + 1 \end{bmatrix} \begin{bmatrix} 1 & x^2 \\ x^2 & 1 \end{bmatrix} = \begin{bmatrix} 1 & 0 \\ 0 & 1 \end{bmatrix}$$
To get the above result, observe that (x^5 + x^2 + x) mod (x^4 + x + 1) = 0
5.12 The decryption process should be the reverse of the encryption process.
CHAPTER 6
MORE ON SYMMETRIC CIPHERS
ANSWERS TO QUESTIONS
6.1 With triple encryption, a plaintext block is encrypted by passing it through an encryption algorithm; the result is then passed through the same encryption algorithm again; the result of the second encryption is passed through the same encryption algorithm a third time. Typically, the second stage uses the decryption algorithm rather than the encryption algorithm.
6.2 This is an attack used against a double encryption algorithm and requires a known (plaintext, ciphertext) pair. In essence, the plaintext is encrypted to produce an intermediate value in the double encryption, and the ciphertext is decrypted to produce an intermediate value in the double encryption. Table lookup techniques can be used in such a way to dramatically improve on a brute-force try of all pairs of keys.
6.3 Triple encryption can be used with three distinct keys for the three stages; alternatively, the same key can be used for the first and third stage.
6.4 There is no cryptographic significance to the use of decryption for the second stage. Its only advantage is that it allows users of 3DES to decrypt data encrypted by users of the older single DES by repeating the key.
6.5 1. The encryption sequence should have a large period. 2. The keystream should approximate the properties of a true random number stream as close as possible. 3. To guard against brute-force attacks, the key needs to be sufficiently long. The same considerations as apply for block ciphers are valid here. Thus, with current technology, a key length of at least 128 bits is desirable.
6.6 If two plaintexts are encrypted with the same key using a stream cipher, then cryptanalysis is often quite simple. If the two ciphertext streams are XORed together, the result is the XOR of the original plaintexts. If the plaintexts are text strings, credit card numbers, or other byte streams with known properties, then cryptanalysis may be successful.
6.7 The actual encryption involves only the XOR operation. Key stream generation involves the modulo operation and byte swapping.
6.8 In some modes, the plaintext does not pass through the encryption function, but is XORed with the output of the encryption function. The math works out that for decryption in these cases, the encryption function must also be used.
ANSWERS TO PROBLEMS
6.1 a. If the IVs are kept secret, the 3-loop case has more bits to be determined and is therefore more secure than 1-loop for brute force attacks.
b. For software implementations, the performance is equivalent for most measurements. One-loop has two fewer XORs per block. Three-loop might benefit from the ability to do a large set of blocks with a single key before switching. The performance difference from choice of mode can be expected to be smaller than the differences induced by normal variation in programming style.
For hardware implementations, three-loop is three times faster than one-loop, because of pipelining. That is: Let P_i be the stream of input plaintext blocks, X_i the output of the first DES, Y_i the output of the second DES and C_i the output of the final DES and therefore the whole system's ciphertext.
In the 1-loop case, we have:
X_i = DES( XOR( P_i, C_(i-1) ) )
Y_i = DES( X_i )
C_i = DES( Y_i )
[where C_0 is the single IV]
If P_1 is presented at t=0 (where time is measured in units of DES operations), X_1 will be available at t=1, Y_1 at t=2 and C_1 at t=3. At t=1, the first DES is free to do more work, but that work will be:
X_2 = DES( XOR( P_2, C_1 ) )
but C_1 is not available until t=3, therefore X_2 can not be available until t=4, Y_2 at t=5 and C_2 at t=6.
In the 3-loop case, we have:
X_i = DES( XOR( P_i, X_(i-1) ) )
Y_i = DES( XOR( X_i, Y_(i-1) ) )
C_i = DES( XOR( Y_i, C_(i-1) ) )
[where X_0, Y_0 and C_0 are three independent IVs]
If P_1 is presented at t=0, X_1 is available at t=1. Both X_2 and Y_1 are available at t=2. X_3, Y_2 and C_1 are available at t=3. X_4, Y_3 and C_2 are available at t=4.
Therefore, a new ciphertext block is produced every 1 tick, as opposed to every 3 ticks in the single-loop case. This gives the three-loop construct a throughput three times greater than the one-loop construct.
6.2 Instead of CBC [ CBC ( CBC (X))], use ECB [ CBC ( CBC (X))]. The final IV was not needed for security. The lack of feedback loop prevents the chosen-ciphertext differential cryptanalysis attack. The extra IVs still become part of a key to be determined during any known plaintext attack.
6.3 The Merkle-Hellman attack finds the desired two keys K_1 and K_2 by finding the plaintext-ciphertext pair such that intermediate value A is 0. The first step is to create a list of all of the plaintexts that could give A = 0:
P_i = D[i, 0] for i = 0, 1, ..., 2^56 – 1
Then, use each P_i as a chosen plaintext and obtain the corresponding ciphertexts C_i:
C_i = E[i, P_i] for i = 0, 1, ..., 2^56 – 1
The next step is to calculate the intermediate value B_i for each C_i using K_3 = K_1 = i.
B_i = D[i, C_i] for i = 0, 1, ..., 2^56 – 1
A table of triples of the following form is constructed: (P_i or B_i, i, flag), where flag indicates either a P-type or B-type triple. Note that the 2^56 values P_i are also potentially intermediate values B. All P_i and B_i values are placed in the table, and the table is sorted on the first entry in each triple, and then searched to find consecutive P and B values such that B_i = P_j. For each such equality, i, j is a candidate for the desired pair of keys K_1 and K_2. Each candidate pair of keys is tested on a few other plaintext-ciphertext pairs to filter out false alarms.
6.4 a. No. For example, suppose C_1 is corrupted. The output block P_3 depends only on the input blocks C_2 and C_3.
b. An error in P_1 affects C_1. But since C_1 is input to the calculation of C_2, C_2 is affected. This effect carries through indefinitely, so that all ciphertext blocks are affected. However, at the receiving end, the decryption algorithm restores the correct plaintext for blocks except the one in error. You can show this by writing out the equations for the decryption. Therefore, the error only affects the corresponding decrypted plaintext block.
6.5 Nine plaintext characters are affected. The plaintext character corresponding to the ciphertext character is obviously altered. In addition, the altered ciphertext character enters the shift register and is not removed until the next eight characters are processed.
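Error propagation in CBC (Problem 6.4) and 8-bit CFB (Problem 6.5), measured on a constructed 64-bit Feistel block cipher built from SHA-256, as an added example that is not the manual's code. The toy cipher stands in for DES only because it has the same 8-byte block; it is not a secure design, and the key and plaintext are constructed sample values.

```python
# Added example (not from the manual): error propagation in CBC (Problem 6.4)
# and 8-bit CFB (Problem 6.5), measured on a constructed 64-bit Feistel block
# cipher whose round function is SHA-256 truncated to 32 bits. That toy cipher
# is a stand-in for DES (same 8-byte block), not a secure design.
import hashlib

BLOCK = 8   # block size in bytes
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def block_encrypt(key, block):
    l, r = block[:4], block[4:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, i))
    return r + l          # final swap, as in a standard Feistel network


def block_decrypt(key, block):
    r, l = block[:4], block[4:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _f(key, l, i)), l
    return l + r


def cbc_encrypt(key, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, c), prev))   # P_j = D(K, C_j) ^ C_{j-1}
        prev = c
    return b"".join(out)


def cfb8_crypt(key, iv, data, decrypt=False):
    """8-bit CFB: the shift register always shifts in ciphertext bytes, so one
    corrupted ciphertext byte stays inside the register for eight more steps."""
    out, reg = [], iv
    for byte in data:
        c_or_p = byte ^ block_encrypt(key, reg)[0]
        out.append(c_or_p)
        reg = reg[1:] + bytes([byte if decrypt else c_or_p])
    return bytes(out)


def flip_bit(data, index, bit=0):
    buf = bytearray(data)
    buf[index] ^= 1 << bit
    return bytes(buf)


def corrupted_positions(expected, actual):
    """Indices at which the recovered plaintext differs from the original."""
    return [i for i, (x, y) in enumerate(zip(expected, actual)) if x != y]
```

In CBC a corrupted ciphertext block garbles its own plaintext block and flips exactly the corresponding bit of the next one; in 8-bit CFB the corrupted byte and at most the eight bytes that follow it are affected, which is the "nine characters" of Problem 6.5.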
6.6
Mode  Encrypt                                        Decrypt
ECB   C_j = E(K, P_j)   j = 1, …, N                  P_j = D(K, C_j)   j = 1, …, N
CBC   C_1 = E(K, [P_1 ⊕ IV])                         P_1 = D(K, C_1) ⊕ IV
      C_j = E(K, [P_j ⊕ C_(j–1)])   j = 2, …, N      P_j = D(K, C_j) ⊕ C_(j–1)   j = 2, …, N
CFB   C_1 = P_1 ⊕ S_s(E[K, IV])                      P_1 = C_1 ⊕ S_s(E[K, IV])
      C_j = P_j ⊕ S_s(E[K, C_(j–1)])                 P_j = C_j ⊕ S_s(E[K, C_(j–1)])
OFB   C_1 = P_1 ⊕ S_s(E[K, IV])                      P_1 = C_1 ⊕ S_s(E[K, IV])
      C_j = P_j ⊕ S_s(E(K, [C_(j–1) ⊕ P_(j–1)]))     P_j = C_j ⊕ S_s(E(K, [C_(j–1) ⊕ P_(j–1)]))
CTR   C_j = P_j ⊕ E[K, Counter + j – 1]              P_j = C_j ⊕ E[K, Counter + j – 1]
6.7 After decryption, the last byte of the last block is used to determine the amount of padding that must be stripped off. Therefore there must be at least one byte of padding.
6.8 a. Assume that the last block of plaintext is only L bytes long, where L < 2w/8. The encryption sequence is as follows (The description in RFC 2040 has an error; the description here is correct.):
1. Encrypt the first (N – 2) blocks using the traditional CBC technique.
2. XOR P_(N–1) with the previous ciphertext block C_(N–2) to create Y_(N–1).
3. Encrypt Y_(N–1) to create E_(N–1).
4. Select the first L bytes of E_(N–1) to create C_N.
5. Pad P_N with zeros at the end and exclusive-OR with E_(N–1) to create Y_N.
6. Encrypt Y_N to create C_(N–1).
The last two blocks of the ciphertext are C_(N–1) and C_N.
b. P_(N–1) = C_(N–2) ⊕ D(K, [C_N || X])
P_N || X = (C_N || 00…0) ⊕ D(K, [C_(N–1)])
P_N = left-hand portion of (P_N || X)
where || is the concatenation function
6.9 a. Assume that the last block (P_N) has j bits. After encrypting the last full block (P_(N–1)), encrypt the ciphertext (C_(N–1)) again, select the leftmost j bits of the encrypted ciphertext, and XOR that with the short block to generate the output ciphertext.
b. While an attacker cannot recover the last plaintext block, he can change it systematically by changing individual bits in the ciphertext. If the last few bits of the plaintext contain essential information, this is a weakness.
6.10 Use a key of length 255 bytes. The first two bytes are zero; that is K[0] = K[1] = 0. Thereafter, we have: K[2] = 255; K[3] = 254; … K[255] = 2.
6.11 a. Simply store i, j, and S, which requires 8 + 8 + (256 × 8) = 2064 bits
b. The number of states is [256! × 256^2] ≈ 2^1700. Therefore, 1700 bits are required.
6.12 a. By taking the first 80 bits of v || c, we obtain the initialization vector, v. Since v, c, k are known, the message can be recovered (i.e., decrypted) by computing RC4(v || k) ⊕ c.
b. If the adversary observes that v_i = v_j for distinct i, j then he/she knows that the same key stream was used to encrypt both m_i and m_j. In this case, the messages m_i and m_j may be vulnerable to the type of cryptanalysis carried out in part (a).
c. Since the key is fixed, the key stream varies with the choice of the 80-bit v, which is selected randomly. Thus, after approximately
$$\sqrt{2^{80}} = 2^{40}$$
messages are sent, we expect the same v, and hence the same key stream, to be used more than once.
d. The key k should be changed sometime before 2^40 messages are sent.
CHAPTER 7
CONFIDENTIALITY USING SYMMETRIC ENCRYPTION
ANSWERS TO QUESTIONS
7.1 LAN, dial-in communications server, Internet, wiring closet.
7.2 With link encryption, each vulnerable communications link is equipped on both ends with an encryption device. With end-to-end encryption, the encryption process is carried out at the two end systems. The source host or terminal encrypts the data; the data in encrypted form are then transmitted unaltered across the network to the destination terminal or host.
7.3 Identities of partners. How frequently the partners are communicating. Message pattern, message length, or quantity of messages that suggest important information is being exchanged. The events that correlate with special conversations between particular partners.
7.4 Traffic padding produces ciphertext output continuously, even in the absence of plaintext. A continuous random data stream is generated. When plaintext is available, it is encrypted and transmitted. When input plaintext is not present, random data are encrypted and transmitted. This makes it impossible for an attacker to distinguish between true data flow and padding and therefore impossible to deduce the amount of traffic.
7.5 For two parties A and B, key distribution can be achieved in a number of ways, as follows:
1. A can select a key and physically deliver it to B.
2. A third party can select the key and physically deliver it to A and B.
3. If A and B have previously and recently used a key, one party can transmit the new key to the other, encrypted using the old key.
4. If A and B each has an encrypted connection to a third party C, C can deliver a key on the encrypted links to A and B.
7.6 A session key is a temporary encryption key used between two principals. A master key is a long-lasting key that is used between a key distribution center and a principal for the purpose of encoding the transmission of session keys. Typically, the master keys are distributed by noncryptographic means.
7.7 A nonce is a value that is used only once, such as a timestamp, a counter, or a random number; the minimum requirement is that it differs with each transaction.
7.8 A key distribution center is a system that is authorized to transmit temporary session keys to principals. Each session key is transmitted in encrypted form, using a master key that the key distribution center shares with the target principal.
7.9 Statistical randomness refers to a property of a sequence of numbers or letters, such that the sequence appears random and passes certain statistical tests that indicate that the sequence has the properties of randomness. If a statistically random sequence is generated by an algorithm, then the sequence is predictable by anyone knowing the algorithm and the starting point of the sequence. An unpredictable sequence is one in which knowledge of the sequence generation method is insufficient to determine the sequence.
A ANSWERS NSWERS TO TO P PROBLEMS ROBLEMS
6.. a. (ail-.a,,in, econo)i<es on data trans)ission ti)e and costs. It also reduces
the a)ount o* te)porary stora,e that each inter)ediate syste) )ust ha%e
a%aila.le to .u**er )essa,es in its possession. These *actors can .e %ery
si,ni*icant in electronic )ail syste)s that process a lar,e nu).er o* )essa,es.
2outin, decisions )ay eep )ail-.a,,in, in )ind. I)ple)entin, )ail-
.a,,in, adds sli,htly to the co)ple;ity o* the *or8ardin, protocol.
-41-
b. I* a standardi<ed sche)e such as 0H0 or ":(I(E is used9 then the )essa,e is
encrypted and .oth syste)s should .e equally secure.
6.2 .. The ti)in, o* )essa,e trans)issions )ay .e %aried9 8ith the a)ount o* ti)e
.et8een )essa,es ser%in, as the co%ert channel.
2. $ )essa,e could include a na)e o* a *ile4 the len,th o* the *ilena)e could
*unction as a co%ert channel.
0. $ )essa,e could report on the a)ount o* a%aila.le stora,e space4 the %alue
could *unction as a co%ert channel.
6.0 a. $ sends a connection request to B9 8ith an e%ent )arer or nonce =-a>
encrypted 8ith the ey that $ shares 8ith the 1!C. I* B is prepared to accept
the connection9 it sends a request to the 1!C *or a session ey9 includin, $Fs
encrypted nonce plus a nonce ,enerated .y B =-.> and encrypted 8ith the ey
that B shares 8ith the 1!C. The 1!C returns t8o encrypted .locs to B. 5ne
.loc is intended *or B and includes the session ey9 $Fs identi*ier9 and BFs
nonce. $ si)ilar .loc is prepared *or $ and passed *ro) the 1!C to B and
then to $. $ and B ha%e no8 securely o.tained the session ey and9 .ecause o*
the nonces9 are assured that the other is authentic.
b. The proposed sche)e appears to pro%ide the sa)e de,ree o* security as that o*
#i,ure 7./. 5ne ad%anta,e o* the proposed sche)e is that the9 in the e%ent that
B reVects a connection9 the o%erhead o* an interaction 8ith the 1!C is a%oided.
6.2 i> "endin, to the ser%er the source na)e $9 the destination na)e P =his o8n>9
and E=K
a
9 ->9 as i* $ 8anted to send hi) the sa)e )essa,e encrypted under
the sa)e ey 2 as $ did it 8ith B
ii> The ser%er 8ill respond .y sendin, E=K
.
9 -> to $ and P 8ill intercept that
iii> .ecause P no8s his ey K
.
9 he can decrypt E=K
.
9 ->9 thus ,ettin, his hands on
2 that can .e used to decrypt E=-9 #> and o.tain #.
6.3 7e ,i%e the result *or a ? 3:
19 39 /9 279 1/9 2'9 1'9 179 239 2/9 259 139 &9 249 139 339 2&9 229 49 129 59 159 149 119 29 '9 1&9
239 79 219 1
6.6 a. (a;i)u) period is 2
4B2
? 4
b. a )ust .e 5 or 11
c. The seed )ust .e odd
6.6 7hen m ? 2
k
9 the ri,ht- hand di,its o* /
n
are )uch less rando) than the le*t-hand
di,its. "ee R1-+T/&S9 pa,e 13 *or a discussion.
6.7 Iet us start 8ith an initial seed o* 1. The *irst ,enerator yields the sequence:
19 '9 139 &9 /9 29 129 79 39 59 49 119 19 . . .
-42-
The second ,enerator yields the sequence:
19 79 139 59 /9 119 129 '9 39 &9 49 29 19 . . .
Because o* the patterns e%ident in the second hal* o* the latter sequence9 )ost
people 8ould consider it to .e less rando) than the *irst sequence.
6.8 (any paca,es )ae use o* a linear con,ruential ,enerator 8ith m ? 2
k
. $s
discussed in the ans8er to 0ro.le) 5.'9 this leads to results in 8hich the ri,ht-hand
di,its are )uch less rando) than the le*t-hand di,its. -o89 i* 8e use a linear
con,ruential ,enerator o* the *ollo8in, *or):
/
nD1
? =a/
n
D c> )od m
then it is easy to see that the sche)e 8ill ,enerate all e%en inte,ers9 all odd inte,ers9
or 8ill alternate .et8een e%en and odd inte,ers9 dependin, on the choice *or a and
c. 5*ten9 a and c are chosen to create a sequence o* alternatin, e%en and odd
inte,ers. This has a tre)endous i)pact on the si)ulation used *or calculatin, W.
The si)ulation depends on countin, the nu).er o* pairs o* inte,ers 8hose ,reatest
co))on di%isor is 1. 7ith truly rando) inte,ers9 one-*ourth o* the pairs should
consist o* t8o e%en inte,ers9 8hich o* course ha%e a ,cd ,reater than 1. This ne%er
occurs 8ith sequences that alternate .et8een e%en and odd inte,ers. To ,et the
correct %alue o* W usin, CesaroFs )ethod9 the nu).er o* pairs 8ith a ,cd o* 1
should .e appro;i)ately '3.&Y. 7hen pairs are used 8here one nu).er is odd and
the other e%en9 this percenta,e co)es out too hi,h9 around &3Y9 thus leadin, to the
too s)all %alue o* W. #or a *urther discussion9 see !anilo8ic<9 2. Q!e)onstratin,
the !an,ers o* 0seudo- 2ando) -u).ers9Q S0G'S) Bulletin9 Oune 1/&/.
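The parity effect described in 7.9, and its influence on the Cesaro estimate of π, as an added Python example (not part of the manual): an LCG with m = 2^32, a parity classifier, and the fraction of coprime consecutive pairs, which should be about 60.8% for independent integers and comes out near 81% for alternating odd/even pairs. The multiplier, increment, seeds and sample sizes are constructed for the demonstration.

```python
import math
import random


def lcg(a, c, m, seed, count):
    """Linear congruential generator X_{n+1} = (a*X_n + c) mod m; returns count outputs."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out


def parity_pattern(seq):
    """Classify the low-order bit of the output: with m = 2^k and a odd, the parity
    is constant when c is even and strictly alternating when c is odd."""
    bits = [x & 1 for x in seq]
    if all(b == 0 for b in bits):
        return "all even"
    if all(b == 1 for b in bits):
        return "all odd"
    if all(bits[i] != bits[i + 1] for i in range(len(bits) - 1)):
        return "alternating"
    return "mixed"


def coprime_fraction(seq):
    """Fraction of non-overlapping consecutive pairs (x_2i, x_2i+1) with gcd 1."""
    pairs = list(zip(seq[0::2], seq[1::2]))
    return sum(1 for x, y in pairs if math.gcd(x, y) == 1) / len(pairs)


def cesaro_pi(fraction):
    """Cesaro: Pr[gcd(a, b) = 1] = 6/pi^2, so pi is estimated as sqrt(6 / fraction)."""
    return math.sqrt(6.0 / fraction)


def compare_sources(count=40000, seed=12345):
    """Constructed comparison: an alternating-parity LCG (a and c odd) against a
    non-LCG reference source with the same seed."""
    alternating = lcg(69069, 1, 2 ** 32, seed, count)
    rng = random.Random(seed)
    reference = [rng.randrange(1, 2 ** 32) for _ in range(count)]
    lcg_fraction = coprime_fraction(alternating)
    ref_fraction = coprime_fraction(reference)
    return {
        "lcg_parity": parity_pattern(alternating),
        "lcg_fraction": lcg_fraction,      # too high: one element of each pair is odd
        "lcg_pi": cesaro_pi(lcg_fraction),  # hence too small an estimate of pi
        "ref_fraction": ref_fraction,      # close to 0.608
        "ref_pi": cesaro_pi(ref_fraction),
    }


if __name__ == "__main__":
    for name, value in compare_sources().items():
        print(name, value)
```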
7.10 a.
Pair    Probability
00      (0.5 – a)^2 = 0.25 – a + a^2
01      (0.5 – a)(0.5 + a) = 0.25 – a^2
10      (0.5 + a)(0.5 – a) = 0.25 – a^2
11      (0.5 + a)^2 = 0.25 + a + a^2
b. Because 01 and 10 have equal probability in the initial sequence, in the modified sequence, the probability of a 0 is 0.5 and the probability of a 1 is 0.5.
c. The probability of any particular pair being discarded is equal to the probability that the pair is either 00 or 11, which is 0.5 + 2a^2, so the expected number of input bits to produce x output bits is x/(0.25 – a^2).
d. The algorithm produces a totally predictable sequence of exactly alternating 1's and 0's.
7.11 a. For the sequence of input bits a_1, a_2, …, a_n, the output bit b is defined as:
b = a_1 ⊕ a_2 ⊕ … ⊕ a_n
b. 0.5 – 2a^2
c. 0.5 – 8a^4
d. The limit as n goes to infinity is 0.5.
7.12 Yes. The eavesdropper is left with two strings, one sent in each direction, and their XOR is the secret key.
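The von Neumann unbiasing of 7.10 and the XOR combination of 7.11, as an added Python example (not part of the manual): the exact formulas from the answers beside a simulation on a constructed source with Pr[1] = 0.5 + a. The bias a = 0.2, the seed and the sample size are assumptions.

```python
import random


def von_neumann(bits):
    """Von Neumann unbiasing (Problem 7.10): read bits in pairs, output 0 for the
    pair 01 and 1 for the pair 10, discard 00 and 11."""
    return [x for x, y in zip(bits[0::2], bits[1::2]) if x != y]


def discard_probability(a):
    """Pr[pair is 00 or 11] = (0.25 - a + a^2) + (0.25 + a + a^2) = 0.5 + 2a^2 (7.10c)."""
    return 0.5 + 2 * a * a


def expected_input_bits(a, x):
    """Input bits needed for x output bits: a pair survives with probability
    0.5 - 2a^2 and costs two input bits, giving x / (0.25 - a^2) (7.10c)."""
    return x / (0.25 - a * a)


def xor_bias(a, n):
    """Exact Pr[output = 1] for the XOR of n independent bits with Pr[1] = 0.5 + a
    (Problem 7.11): (1 - (1 - 2p)^n) / 2 with p = 0.5 + a, i.e. (1 - (-2a)^n) / 2.
    n = 2 gives 0.5 - 2a^2 and n = 4 gives 0.5 - 8a^4, as in the answers."""
    return (1 - (-2 * a) ** n) / 2


def xor_combine(bits, n):
    """Combine each non-overlapping group of n input bits into one output bit by XOR."""
    return [sum(bits[i:i + n]) % 2 for i in range(0, len(bits) - n + 1, n)]


def biased_bits(a, count, seed=1):
    """Constructed source for the demonstration: independent bits, Pr[1] = 0.5 + a."""
    rng = random.Random(seed)
    return [1 if rng.random() < 0.5 + a else 0 for _ in range(count)]


def fraction_ones(bits):
    return sum(bits) / len(bits)


def demo(a=0.2, count=200000):
    """Measured bias of the source and of each post-processing method."""
    src = biased_bits(a, count)
    vn = von_neumann(src)
    return {
        "source": fraction_ones(src),            # about 0.7
        "von_neumann": fraction_ones(vn),        # about 0.5
        "von_neumann_yield": len(vn) / count,    # about (0.5 - 2a^2) / 2 = 0.21
        "xor2": fraction_ones(xor_combine(src, 2)),  # about 0.5 - 2a^2 = 0.42
        "xor4": fraction_ones(xor_combine(src, 4)),  # about 0.5 - 8a^4 = 0.4872
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, round(value, 4))
```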
CHAPTER 8
INTRODUCTION TO NUMBER THEORY
ANSWERS TO QUESTIONS
8.1 An integer p > 1 is a prime number if and only if its only divisors are ±1 and ±p.
8.2 We say that a nonzero b divides a if a = mb for some m, where a, b, and m are integers.
8.3 Euler's totient function, written φ(n), is the number of positive integers less than n and relatively prime to n.
8.4 The algorithm takes a candidate integer n as input and returns the result "composite" if n is definitely not a prime, and the result "inconclusive" if n may or may not be a prime. If the algorithm is repeatedly applied to a number and repeatedly returns inconclusive, then the probability that the number is actually prime increases with each inconclusive test. The probability required to accept a number as prime can be set as close to 1.0 as desired by increasing the number of tests made.
8.5 If r and n are relatively prime integers with n > 0 and if φ(n) is the least positive exponent m such that r^m ≡ 1 mod n, then r is called a primitive root modulo n.
8.6 The two terms are synonymous.
ANSWERS TO PROBLEMS
8.1 a. We are assuming that p_n is the largest of all primes. Because X > p_n, X is not prime. Therefore, we can find a prime number p_m that divides X.
b. The prime number p_m cannot be any of p_1, p_2, …, p_n; otherwise p_m would divide the difference X – p_1 p_2 … p_n = 1, which is impossible. Thus, m > n.
c. This construction provides a prime number outside any finite set of prime numbers, so the complete set of prime numbers is not finite.
d. We have shown that there is a prime number > p_n that divides X = 1 + p_1 p_2 … p_n, so p_(n+1) is equal to or less than this prime. Therefore, since this prime divides X, it is ≤ X and therefore p_(n+1) ≤ X.
8.2 a. gcd(a, b) = d if and only if a is a multiple of d and b is a multiple of d and gcd(a/d, b/d) = 1. The probability that an integer chosen at random is a multiple of d is just 1/d. Thus the probability that gcd(a, b) = d is equal to 1/d times 1/d times P, namely, P/d^2.
b. We have
Σ_(d≥1) Pr[gcd(a, b) = d] = Σ_(d≥1) P/d^2 = P Σ_(d≥1) 1/d^2 = P π^2/6 = 1
To satisfy this equation, we must have P = 6/π^2 = 0.6079.
8.3 If p were any prime dividing n and n + 1 it would also have to divide (n + 1) – n = 1.
8.4 Fermat's Theorem states that if p is prime and a is a positive integer not divisible by p, then a^(p–1) ≡ 1 (mod p). Therefore 3^10 ≡ 1 (mod 11). Therefore 3^201 = (3^10)^20 × 3 ≡ 3 (mod 11).
8.5 12
8.6 6
8.7 1
8.8 6
8.9 If a is one of the integers counted in φ(n), that is, one of the integers not larger than n and prime to n, then n – a is another such integer, because gcd(a, n) = gcd(n – a, n). The two integers, a and n – a, are distinct, because a = n – a gives n = 2a, which is inconsistent with the assumption that gcd(a, n) = 1. Therefore, for n > 2, the integers counted in φ(n) can be paired off, and so the number of them must be even.
8.10 Only multiples of p have a factor in common with p^n, when p is prime. There are just p^(n–1) of these ≤ p^n, so φ(p^n) = p^n – p^(n–1).
8.11 a. φ(41) = 40, because 41 is prime
b. φ(27) = φ(3^3) = 3^3 – 3^2 = 27 – 9 = 18
c. φ(231) = φ(3) × φ(7) × φ(11) = 2 × 6 × 10 = 120
d. φ(440) = φ(2^3) × φ(5) × φ(11) = (2^3 – 2^2) × 4 × 10 = 160
8.12 It follows immediately from the result stated in Problem 8.10.
8.13 totient
8.14 a. For n = 5, 2^n – 2 = 30, which is divisible by 5.
b. We can rewrite the Chinese test as (2^n – 2) ≡ 0 mod n, or equivalently, 2^n ≡ 2 (mod n). By Fermat's Theorem, this relationship is true if n is prime (Equation 8.2).
c. For n = 15, 2^n – 2 = 32,766, which is not divisible by 15.
d. 2^10 = 1024 ≡ 1 (mod 341)
2^340 = (2^10)^34 ≡ 1 (mod 341)
2^341 ≡ 2 (mod 341)
8.15 First consider a = 1. In step 3 of TEST(n), the test is if 1^q mod n = 1 then return("inconclusive"). This clearly returns "inconclusive." Now consider a = n – 1. In step 5 of TEST(n), for j = 0, the test is if (n – 1)^q mod n = n – 1 then return("inconclusive"). This condition is met by inspection.
8.16 In Step 1 of TEST(2047), we set k = 1 and q = 1023, because (2047 – 1) = (2^1)(1023). In Step 2 we select a = 2 as the base. In Step 3, we have a^q mod n = 2^1023 mod 2047 = (2^11)^93 mod 2047 = (2048)^93 mod 2047 = 1 and so the test is passed.
8.17 There are many forms to this proof, and virtually every book on number theory has a proof. Here we present one of the more concise proofs. Define M_i = M/m_i. Because all of the factors of M are pairwise relatively prime, we have gcd(M_i, m_i) = 1. Thus, there are solutions N_i of
N_i M_i ≡ 1 (mod m_i)
With these N_i, the solution x to the set of congruences is:
x ≡ a_1 N_1 M_1 + … + a_k N_k M_k (mod M)
To see this, we introduce the notation ⟨x⟩_m, by which we mean the least positive residue of x modulo m. With this notation, we have
⟨x⟩_(m_i) ≡ a_i N_i M_i ≡ a_i (mod m_i)
because all other terms in the summation above that make up x contain the factor m_i and therefore do not contribute to the residue modulo m_i. Because N_i M_i ≡ 1 (mod m_i), the solution is also unique modulo M, which proves this form of the Chinese Remainder Theorem.
8.18 We have M = 3 × 5 × 7 = 105; M/3 = 35; M/5 = 21; M/7 = 15.
The set of linear congruences
35b_1 ≡ 1 (mod 3); 21b_2 ≡ 1 (mod 5); 15b_3 ≡ 1 (mod 7)
has the solutions b_1 = 2; b_2 = 1; b_3 = 1. Then,
x ≡ 2 × 2 × 35 + 3 × 1 × 21 + 2 × 1 × 15 ≡ 233 (mod 105) = 23
8.19 If the day in question is the xth (counting from and including the first Monday), then
x = 1 + 2k_1 = 2 + 3k_2 = 3 + 4k_3 = 4 + k_4 = 5 + 6k_5 = 6 + 5k_6 = 7k_7
where the k_i are integers; i.e.,
(1) x ≡ 1 mod 2; (2) x ≡ 2 mod 3; (3) x ≡ 3 mod 4; (4) x ≡ 4 mod 1; (5) x ≡ 5 mod 6; (6) x ≡ 6 mod 5; (7) x ≡ 0 mod 7
Of these congruences, (4) is no restriction, and (1) and (2) are included in (3) and (5). Of the two latter, (3) shows that x is congruent to 3, 7, or 11 (mod 12), and (5) shows that x is congruent to 5 or 11, so that (3) and (5) together are equivalent to x ≡ 11 (mod 12). Hence, the problem is that of solving:
x ≡ 11 (mod 12); x ≡ 6 mod 5; x ≡ 0 mod 7
or x ≡ –1 (mod 12); x ≡ 1 mod 5; x ≡ 0 mod 7
Then m_1 = 12; m_2 = 5; m_3 = 7; M = 420
M_1 = 35; M_2 = 84; M_3 = 60
Then,
x ≡ (–1)(–1)35 + (–1)1 × 84 + 2 × 0 × 60 = –49 ≡ 371 (mod 420)
The first x satisfying the condition is 371.
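The construction of 8.17 applied to 8.18 and 8.19, as an added Python example (not the manual's code): `crt` follows the proof (M_i = M/m_i, N_i the inverse of M_i modulo m_i, x = Σ a_i N_i M_i mod M), and `crt_general` goes beyond it by merging congruences whose moduli are not coprime, so the seven congruences of 8.19 can be fed in directly instead of reducing them to mod 12 by hand.

```python
import math


def ext_gcd(a, b):
    """Extended Euclid: returns (g, s, t) with s*a + t*b = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, s, t = ext_gcd(b, a % b)
    return g, t, s - (a // b) * t


def inverse_mod(a, m):
    """Multiplicative inverse of a modulo m; raises if gcd(a, m) != 1."""
    g, s, _ = ext_gcd(a % m, m)
    if g != 1:
        raise ValueError("%d has no inverse modulo %d" % (a, m))
    return s % m


def crt(residues, moduli):
    """Proof-form CRT of Problem 8.17 for pairwise relatively prime moduli:
    x = sum a_i * N_i * M_i (mod M) with M_i = M / m_i and N_i * M_i = 1 (mod m_i).
    Returns (x, M)."""
    M = 1
    for m in moduli:
        M *= m
    x = 0
    for a_i, m_i in zip(residues, moduli):
        M_i = M // m_i
        N_i = inverse_mod(M_i, m_i)
        x += a_i * N_i * M_i
    return x % M, M


def crt_general(residues, moduli):
    """Generalization beyond the manual's step: moduli need not be coprime.
    Congruences are merged one at a time; the result is unique modulo the lcm,
    and an inconsistent system raises ValueError."""
    x, m = 0, 1
    for a, n in zip(residues, moduli):
        g = math.gcd(m, n)
        if (a - x) % g:
            raise ValueError("inconsistent congruences")
        # x + m*t = a (mod n)  <=>  (m/g) * t = (a - x)/g  (mod n/g)
        t = ((a - x) // g) * inverse_mod(m // g, n // g) % (n // g)
        x += m * t
        m = m * n // g
        x %= m
    return x, m


if __name__ == "__main__":
    print(crt([2, 3, 2], [3, 5, 7]))                                 # Problem 8.18
    print(crt([11, 1, 0], [12, 5, 7]))                               # Problem 8.19, reduced form
    print(crt_general([1, 2, 3, 4, 5, 6, 0], [2, 3, 4, 1, 6, 5, 7]))  # Problem 8.19, all seven
```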
8.20 2, 3, 8, 12, 13, 17, 22, 23
8.21 a. x = 2, 27 (mod 29)
b. x = 9, 24 (mod 29)
c. x = 8, 10, 12, 15, 18, 26, 27 (mod 29)
CHAPTER 9
PUBLIC-KEY CRYPTOGRAPHY AND RSA
ANSWERS TO QUESTIONS
9.1 Plaintext: This is the readable message or data that is fed into the algorithm as input. Encryption algorithm: The encryption algorithm performs various transformations on the plaintext. Public and private keys: This is a pair of keys that have been selected so that if one is used for encryption, the other is used for decryption. The exact transformations performed by the encryption algorithm depend on the public or private key that is provided as input. Ciphertext: This is the scrambled message produced as output. It depends on the plaintext and the key. For a given message, two different keys will produce two different ciphertexts. Decryption algorithm: This algorithm accepts the ciphertext and the matching key and produces the original plaintext.
9.2 A user's private key is kept private and known only to the user. The user's public key is made available to others to use. The private key can be used to encrypt a signature that can be verified by anyone with the public key. Or the public key can be used to encrypt information that can only be decrypted by the possessor of the private key.
9.3 Encryption/decryption: The sender encrypts a message with the recipient's public key. Digital signature: The sender "signs" a message with its private key. Signing is achieved by a cryptographic algorithm applied to the message or to a small block of data that is a function of the message. Key exchange: Two sides cooperate to exchange a session key. Several different approaches are possible, involving the private key(s) of one or both parties.
9.4 1. It is computationally easy for a party B to generate a pair (public key PU_b, private key PR_b).
2. It is computationally easy for a sender A, knowing the public key and the message to be encrypted, M, to generate the corresponding ciphertext: C = E(PU_b, M)
3. It is computationally easy for the receiver B to decrypt the resulting ciphertext using the private key to recover the original message: M = D(PR_b, C) = D(PR_b, E(PU_b, M))
4. It is computationally infeasible for an opponent, knowing the public key, PU_b, to determine the private key, PR_b.
5. It is computationally infeasible for an opponent, knowing the public key, PU_b, and a ciphertext, C, to recover the original message, M.
9.5 A one-way function is one that maps a domain into a range such that every function value has a unique inverse, with the condition that the calculation of the function is easy whereas the calculation of the inverse is infeasible.
9.6 A trap-door one-way function is easy to calculate in one direction and infeasible to calculate in the other direction unless certain additional information is known. With the additional information the inverse can be calculated in polynomial time.
9.7 1. Pick an odd integer n at random (e.g., using a pseudorandom number generator).
2. Pick an integer a < n at random.
3. Perform the probabilistic primality test, such as Miller-Rabin. If n fails the test, reject the value n and go to step 1.
4. If n has passed a sufficient number of tests, accept n; otherwise, go to step 2.
ANSWERS TO PROBLEMS
9.1 This proof is discussed in the CESG report mentioned in Chapter 9 [ELLI99].
a. M3:
5 2 1 4 5
1 4 3 2 2
3 1 2 5 3
4 3 4 1 4
2 5 5 3 1
b. Assume a plaintext message p is to be encrypted by Alice and sent to Bob. Bob makes use of M1 and M3, and Alice makes use of M2. Bob chooses a random number, k, as his private key, and maps k by M1 to get x, which he sends as his public key to Alice. Alice uses x to encrypt p with M2 to get z, the ciphertext, which she sends to Bob. Bob uses k to decrypt z by means of M3, yielding the plaintext message p.
c. If the numbers are large enough, and M1 and M2 are sufficiently random to make it impractical to work backwards, p cannot be found without knowing k.
9.2 a. n = 33; φ(n) = 20; d = 3; C = 26.
b. n = 55; φ(n) = 40; d = 27; C = 14.
c. n = 77; φ(n) = 60; d = 53; C = 57.
d. n = 143; φ(n) = 120; d = 11; C = 106.
e. n = 527; φ(n) = 480; d = 343; C = 128. For decryption, we have
128^343 mod 527 = 128^256 × 128^64 × 128^16 × 128^4 × 128^2 × 128^1 mod 527
= 35 × 256 × 35 × 101 × 47 × 128 = 2 mod 527
9.3 5
9.4 By trial and error, we determine that p = 59 and q = 61. Hence φ(n) = 58 × 60 = 3480. Then, using the extended Euclidean algorithm, we find that the multiplicative inverse of 31 modulo φ(n) is 3031.
9.5 Suppose the public key is n = pq, e. Probably the order of e relative to (p – 1)(q – 1) is small so that a small power of e gives us something congruent to 1 mod (p – 1)(q – 1). In the worst case where the order is 2 then e and d (the private key) are the same. Example: if p = 7 and q = 5 then (p – 1)(q – 1) = 24. If e = 5 then e squared is congruent to 1 mod (p – 1)(q – 1); that is, 25 is congruent to 1 mod 24.
9.6 Yes. If a plaintext block has a common factor with n modulo n then the encoded block will also have a common factor with n modulo n. Because we encode blocks, which are smaller than pq, the factor must be p or q and the plaintext block must be a multiple of p or q. We can test each block for primality. If prime, it is p or q. In this case we divide into n to find the other factor. If not prime, we factor it and try the factors as divisors of n.
9.7 No, it is not safe. Once Bob leaks his private key, Alice can use this to factor his modulus, N. Then Alice can crack any message that Bob sends.
Here is one way to factor the modulus:
Let k = ed – 1. Then k is congruent to 0 mod φ(N) (where 'φ' is the Euler totient function). Select a random x in the multiplicative group Z(N). Then x^k ≡ 1 mod N, which implies that x^(k/2) is a square root of 1 mod N. With 50% probability, this is a nontrivial square root of N, so that gcd(x^(k/2) – 1, N) will yield a prime factor of N.
If x^(k/2) = 1 mod N, then try x^(k/4), x^(k/8), etc.
This will fail if and only if x^(k/2^i) ≡ –1 for some i. If it fails, then choose a new x.
This will factor N in expected polynomial time.
9.8 Consider a set of alphabetic characters {A, B, …, Z}. The corresponding integers, representing the position of each alphabetic character in the alphabet, form a set of message block values SM = {0, 1, 2, …, 25}. The set of corresponding ciphertext block values SC = {0^e mod N, 1^e mod N, …, 25^e mod N}, and can be computed by everybody with the knowledge of the public key of Bob.
Thus, the most efficient attack against the scheme described in the problem is to compute M^e mod N for all possible values of M, then create a look-up table with a ciphertext as an index, and the corresponding plaintext as a value of the appropriate location in the table.
9.9 a. We consider n = 233, 235, 237, 239, and 241, and the base a = 2:
n = 233
233 – 1 = 2^3 × 29, thus k = 3, q = 29
a^q mod n = 2^29 mod 233 = 1
test returns "inconclusive" ("probably prime")
n = 235
235 – 1 = 2^1 × 117, thus k = 1, q = 117
a^q mod n = 2^117 mod 235 = 192
192 ≠ 1 and 192 ≠ 235 – 1
test returns "composite"
n = 237
237 – 1 = 2^2 × 59, thus k = 2, q = 59
a^q mod n = 2^59 mod 237 = 167 ≠ 1
167 ≠ 237 – 1
167^2 mod 237 = 160 ≠ 237 – 1
test returns "composite"
n = 239
239 – 1 = 2^1 × 119, thus k = 1, q = 119
2^119 mod 239 = 1
test returns "inconclusive" ("probably prime")
n = 241
241 – 1 = 2^4 × 15, thus k = 4, q = 15
a^q mod n = 2^15 mod 241 = 233
233 ≠ 1 and 233 ≠ 241 – 1
233^2 mod 241 = 64 ≠ 241 – 1
64^2 mod 241 = 240 = 241 – 1
test returns "inconclusive" ("probably prime")
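TEST(n) as walked through in 8.15, 8.16 and 9.9a, as an added Python example (not the manual's code): `single_test` returns the verdict together with the trace of values that were compared against 1 and n – 1, and `miller_rabin` repeats it with random bases, which is what separates 2047 (a base-2 strong pseudoprime, Problem 8.16) from a prime. The seed and round count are assumptions.

```python
import random


def single_test(n, a):
    """TEST(n) from Chapter 8 with one fixed base a. Returns (verdict, trace) where
    trace holds k, q (n - 1 = 2^k * q, q odd) and the values a^q, a^(2q), ... mod n
    that were examined, in order."""
    if n < 3 or n % 2 == 0:
        return "composite", {}
    k, q = 0, n - 1
    while q % 2 == 0:
        k += 1
        q //= 2
    x = pow(a, q, n)
    trace = {"k": k, "q": q, "values": [x]}
    if x == 1:                       # step 3 of TEST(n)
        return "inconclusive", trace
    for j in range(k):               # step 4: a^(2^j q) = n - 1 for some 0 <= j < k
        if x == n - 1:
            return "inconclusive", trace
        if j < k - 1:
            x = pow(x, 2, n)
            trace["values"].append(x)
    return "composite", trace


def miller_rabin(n, rounds=20, seed=0):
    """Repeat TEST(n) with independent random bases (Question 8.4, Problem 9.7):
    a single 'composite' verdict is conclusive; 'inconclusive' in every round
    means n is probably prime. The seed makes the demonstration reproducible."""
    if n in (2, 3):
        return "probably prime"
    rng = random.Random(seed)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        if single_test(n, a)[0] == "composite":
            return "composite"
    return "probably prime"


def run_problem_9_9a():
    """Base-2 trace for the five candidates of Problem 9.9a."""
    return {n: single_test(n, 2) for n in (233, 235, 237, 239, 241)}


if __name__ == "__main__":
    for n, (verdict, trace) in run_problem_9_9a().items():
        print(n, trace, verdict)
    print(2047, single_test(2047, 2)[0], "with base 2;", miller_rabin(2047), "with random bases")
```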
b. M = 2, e = 23, n = 233 × 241 = 56,153 therefore p = 233 and q = 241
e = 23 = (10111)_2
i      4    3    2     1      0
e_i    1    0    1     1      1
d      2    4    32    2048   21811
c. Compute private key (d, p, q) given public key (e = 23, n = 233 × 241 = 56,153).
Since n = 233 × 241 = 56,153, p = 233 and q = 241
φ(n) = (p – 1)(q – 1) = 55,680
Using the Extended Euclidean algorithm, we obtain
d = 23^(–1) mod 55680 = 19,367
d. Without CRT: M = 21,811^19,367 mod 56,153 = 2
With CRT:
d_p = d mod (p – 1)          d_q = d mod (q – 1)
d_p = 19367 mod 232 = 111    d_q = 19367 mod 240 = 167
C_p = C mod p
M_p = C_p^(d_p) mod p = 142^111 mod 233 = 2
C_q = C mod q
M_q = C_q^(d_q) mod q = 121^167 mod 241 = 2
M = 2.
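The computations of 9.2 and 9.9 in code, as an added Python example (not the manual's): key generation, textbook encryption, decryption with and without the CRT (returning d_p, d_q, C_p, C_q, M_p and M_q as in 9.9d), and the small-modulus factoring of 9.4. `pow(e, -1, phi)` requires Python 3.8 or later.

```python
def rsa_keypair(p, q, e):
    """Textbook RSA key generation (Problem 9.2): n = pq, phi = (p-1)(q-1),
    d = e^-1 mod phi. Returns every component so the CRT variant can use p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    return {"p": p, "q": q, "n": n, "phi": phi, "e": e, "d": pow(e, -1, phi)}


def rsa_encrypt(M, key):
    return pow(M, key["e"], key["n"])


def rsa_decrypt(C, key):
    """Plain decryption: one exponentiation modulo n."""
    return pow(C, key["d"], key["n"])


def rsa_decrypt_crt(C, key):
    """Decryption with the CRT as in Problem 9.9d: exponentiate modulo p and q
    with the reduced exponents d_p and d_q, then recombine (Garner's form).
    Returns (M, trace) with the intermediate values the manual tabulates."""
    p, q, d = key["p"], key["q"], key["d"]
    dp, dq = d % (p - 1), d % (q - 1)
    Cp, Cq = C % p, C % q
    Mp, Mq = pow(Cp, dp, p), pow(Cq, dq, q)
    h = ((Mq - Mp) * pow(p, -1, q)) % q      # M = Mp + p*h satisfies M = Mq (mod q)
    M = Mp + p * h
    return M, {"dp": dp, "dq": dq, "Cp": Cp, "Cq": Cq, "Mp": Mp, "Mq": Mq}


def factor_by_trial_division(n):
    """The 'trial and error' step of Problem 9.4; only viable for toy moduli."""
    f = 2
    while f * f <= n:
        if n % f == 0:
            return f, n // f
        f += 1
    raise ValueError("no nontrivial factor found")


def recover_d(n, e):
    """Given a toy public key (n, e), factor n and compute d (Problems 9.4 and 9.9c)."""
    p, q = factor_by_trial_division(n)
    return pow(e, -1, (p - 1) * (q - 1))


if __name__ == "__main__":
    key = rsa_keypair(233, 241, 23)
    C = rsa_encrypt(2, key)
    print("n =", key["n"], "d =", key["d"], "C =", C)
    print("plain:", rsa_decrypt(C, key), "crt:", rsa_decrypt_crt(C, key))
    print("9.4: d =", recover_d(3599, 31))
```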
9.10 C = (M^(d_S) mod N_S)^(e_R) mod N_R = S^(e_R) mod N_R
where S = M^(d_S) mod N_S.
M' = (C^(d_R) mod N_R)^(e_S) mod N_S = S'^(e_S) mod N_S
where S' = C^(d_R) mod N_R.
The scheme does not work correctly if S ≠ S'. This situation may happen for a significant subset of messages M if N_S > N_R. In this case, it might happen that N_R ≤ S < N_S, and since by definition S' < N_R, then S ≠ S', and therefore also M' ≠ M. For all other relations between N_S and N_R, the scheme works correctly (although N_S = N_R is discouraged for security reasons).
In order to resolve the problem both sides can use two pairs of keys, one for encryption and the other for signing, with all signing keys N_SIGN smaller than the encryption keys N_ENC.
9.11 3rd element, because it equals the 1st squared,
5th element, because it equals the product of the 1st and 2nd,
7th element, because it equals the cube of the 1st,
etc.
9.12 Refer to Figure 9.5. The private key k is the pair {d, n}; the public key x is the pair {e, n}; the plaintext p is M; and the ciphertext z is C. M1 is formed by calculating d = e^(–1) mod φ(n). M2 consists of raising M to the power e (mod n). M3 consists of raising C to the power d (mod n).
9.13 Yes.
9.14 This algorithm is discussed in the CESG report mentioned in Chapter 6 [ELLI99], and is known as Cocks' algorithm.
a. Cocks makes use of the Chinese remainder theorem (see Section 8.4 and Problem 8.10), which says it is possible to reconstruct integers in a certain range from their residues modulo a set of pairwise relatively prime moduli. In particular, for relatively prime P and Q, any integer M in the range 0 ≤ M < N can be represented by the pair of numbers M mod P and M mod Q, and it is possible to recover M given M mod P and M mod Q. The security lies in the difficulty of finding the prime factors of N.
b. In RSA, a user forms a pair of integers, d and e, such that de ≡ 1 mod ((P – 1)(Q – 1)), and then publishes e and N as the public key. Cocks is a special case in which e = N.
c. The RSA algorithm has the merit that it is symmetrical; the same process is used both for encryption and decryption, which simplifies the software needed. Also, e can be chosen arbitrarily so that a particularly simple version can be used for encryption with the public key. In this way, the complex process would be needed only for the recipient.
d. The private key k is the pair P and Q; the public key x is N; the plaintext p is M; and the ciphertext z is C. M1 is formed by multiplying the two parts of k, P and Q, together. M2 consists of raising M to the power N (mod N). M3 is the process described in the problem statement.
9.15 1) Adversary X intercepts message sent by A to B, i.e. [A, E(PU_b, M), B]
2) X sends B [X, E(PU_b, M), B]
3) B acknowledges receipt by sending X [B, E(PU_x, M), X]
4) X decrypts E(PU_x, M) using his secret decryption key, thus getting M
9.16
i      9    8    7     6     5     4     3     2     1     0
b_i    1    0    0     1     0     1     0     1     0     0
c      1    2    4     9     18    37    74    149   298   596
f      5    25   625   937   595   569   453   591   59    1013
9.17 First, let us consider the algorithm in Figure 9.7. The binary representation of b is read from left to right (most significant to least significant) to control which operations are performed. In essence, if c is the current value of the exponent after some of the bits have been processed, then if the next bit is 0, the exponent is doubled (simply a left shift of 1 bit); if the next bit is 1, it is doubled and incremented by 1. Each iteration of the loop uses one of the identities:
a^(2c) mod n = (a^c)^2 mod n            if b_i = 0
a^(2c+1) mod n = a × (a^c)^2 mod n      if b_i = 1
The algorithm preserves the invariant that d = a^c mod n as it increases c by doublings and incrementations until c = b.
Now let us consider the algorithm in the problem, which is adapted from one in [KNUT98, page 462]. This algorithm processes the binary representation of b from right to left (least significant to most significant). In this case, the algorithm preserves the invariant that a^n = d × T^E. At the end, E = 0, leaving a^n = d.
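Both exponentiation algorithms discussed in 9.16 and 9.17, as an added Python example (not the manual's code): the left-to-right algorithm of Figure 9.7 recording the (c, f) table of 9.16, and the right-to-left algorithm with a check of the invariant a^b = d × T^E (mod n) at every step.

```python
def modexp_left_to_right(a, b, n):
    """Figure 9.7: scan the bits of b from the most significant down, keeping
    f = a^c mod n where c is the exponent formed from the bits seen so far.
    Returns (result, rows); each row is (i, b_i, c, f) as in the table of 9.16."""
    bits = bin(b)[2:]
    c, f, rows = 0, 1, []
    for i, bit in enumerate(bits):
        c, f = 2 * c, (f * f) % n            # a^(2c) = (a^c)^2           (b_i = 0)
        if bit == "1":
            c, f = c + 1, (f * a) % n        # a^(2c+1) = a * (a^c)^2     (b_i = 1)
        rows.append((len(bits) - 1 - i, int(bit), c, f))
    return f, rows


def modexp_right_to_left(a, b, n):
    """The algorithm of Problem 9.17 ([KNUT98]): consume bits of the exponent from
    the least significant up, with the invariant a^b = d * T^E (mod n).
    Returns (result, states); each state is (d, T, E), the first being the start."""
    d, T, E = 1, a % n, b
    states = [(d, T, E)]
    while E > 0:
        if E % 2 == 1:                       # odd E: fold one factor of T into d
            d = (d * T) % n
        E //= 2
        T = (T * T) % n
        states.append((d, T, E))
    return d, states                         # E == 0 here, so a^b = d


def invariant_holds(a, b, n, states):
    """True iff a^b = d * T^E (mod n) for every recorded state."""
    target = pow(a, b, n)
    return all((d * pow(T, E, n)) % n == target for d, T, E in states)


if __name__ == "__main__":
    result, rows = modexp_left_to_right(5, 596, 1234)
    print("i b_i c f")
    for row in rows:
        print(*row)
    print("5^596 mod 1234 =", result)
    result, states = modexp_right_to_left(5, 596, 1234)
    print("right-to-left:", result, "invariant:", invariant_holds(5, 596, 1234, states))
```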
9.18 Note that because R = r^e mod n, then r = R^d mod n. Bob computes:
t_0 mod n = r^(–1) X^d mod n = r^(–1) R^d C^d mod n = C^d mod n = M
9.19 [Figure: OAEP encoding diagram; blocks labelled P, H(P), padding, M, DB, seed, MGF, maskedDB, maskedseed and EM.]
9.20 a. By noticing that x^(i+1) = x^i × x, we can avoid a large amount of recomputation for the S terms.
algorithm P2;
  n, i: integer; x, polyval: real;
  a, S, power: array [0..100] of real;
begin
  read(x, n);
  power[0] := 1; read(a[0]); S[0] := a[0];
  for i := 1 to n do
  begin
    read(a[i]); power[i] := x * power[i - 1];   { x^i from x^(i-1) }
    S[i] := a[i] * power[i]                      { the term a_i x^i }
  end;
  polyval := 0;
  for i := 0 to n do polyval := polyval + S[i];
  write('value at', x, 'is', polyval)
end.
b. The hint, known as Horner's rule, can be written in expanded form for P(x):
P(x) = (( . . . (a_n x + a_(n–1))x + a_(n–2))x + . . . + a_1)x + a_0
We use this to produce the revised algorithm:
algorithm P3;
  n, i: integer; x, polyval: real;
  a: array [0..100] of real;
begin
  read(x, n);
  polyval := 0;
  for i := 0 to n do
  begin
    read(a[n - i]); polyval := polyval * x + a[n - i]   { coefficients from a_n down to a_0 }
  end;
  write('value at', x, 'is', polyval)
end.
P3 is a substantial improvement over P2 not only in terms of time but also in terms of storage requirements.
9.21 90 + 455 + 341 + 132 + 56 + 82 = 1.156 × 10^3
9.22 a. w^(–1) ≡ 3 (mod 20); a = (7, 1, 15, 10); ciphertext = 18.
b. w^(–1) ≡ 387 (mod 491); a = (203, 118, 33, 269, 250, 9, 112, 361); ciphertext = 357.
c. w^(–1) ≡ 15 (mod 53); a = (39, 32, 11, 22, 37); ciphertext = 119.
d. w^(–1) ≡ 1025 (mod 9291); a = (8022, 6463, 7587, 7986, 65, 8005, 6592, 7274); ciphertext = 30869.
9.23 To see this requirement, let us redo the derivation of Appendix F, expanding the vectors to show the actual arithmetic.
The sender develops a simple knapsack vector a' and a corresponding hard knapsack a = wa' mod m. To send a message x, the sender computes and sends:
S = a · x = Σ a_i x_i
Now, the receiver can easily compute S' and solve for x:
S' = w^(–1) S mod m
   = w^(–1) Σ a_i x_i mod m
   = w^(–1) Σ (wa'_i mod m) x_i mod m
   = Σ w^(–1) (wa'_i mod m) x_i
   = Σ a'_i x_i mod m
Each of the x_i has a value of zero or one, so that the maximum value of the summation is Σ a'_i. If m > Σ a'_i, then the mod m term has no effect and we have
S' = Σ a'_i x_i
This can easily be solved for the x_i.
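The knapsack computations of 9.22 and the condition m > Σ a'_i of 9.23, as an added Python example (not the manual's code): building a = wa' mod m, recovering a' from w^(–1), decrypting through S' = w^(–1) S mod m with the greedy solution of the easy knapsack, and a round trip that fails when m does not exceed Σ a'_i. The simple knapsacks (1, 3, 5, 10) with w = 7, m = 20 and (2, 3, 6, 12, 25) with w = 46, m = 53 are computed from the a and w^(–1) values of parts a and c of 9.22.

```python
import math


def is_superincreasing(a_prime):
    """Each element must exceed the sum of all elements before it."""
    return all(a_prime[i] > sum(a_prime[:i]) for i in range(len(a_prime)))


def public_knapsack(a_prime, w, m, check=True):
    """Hard knapsack a = w a' mod m (Appendix F). With check=True the parameters
    must satisfy the conditions of 9.23: a' superincreasing, m > sum(a'), gcd(w, m) = 1."""
    if check:
        if not is_superincreasing(a_prime):
            raise ValueError("a' is not superincreasing")
        if m <= sum(a_prime) or math.gcd(w, m) != 1:
            raise ValueError("need m > sum(a') and gcd(w, m) = 1")
    return [(w * x) % m for x in a_prime]


def knapsack_encrypt(a, bits):
    """S = a . x = sum a_i x_i over the message bits x_i."""
    return sum(a_i * x_i for a_i, x_i in zip(a, bits))


def simple_knapsack_from(a, w_inv, m):
    """The receiver's view in 9.22: a' = w^-1 a mod m."""
    return [(w_inv * a_i) % m for a_i in a]


def knapsack_decrypt(S, a_prime, w, m):
    """S' = w^-1 S mod m = sum a'_i x_i, then solve the easy knapsack greedily
    from the largest element down (pow(w, -1, m) needs Python 3.8 or later)."""
    s = (pow(w, -1, m) * S) % m
    bits = [0] * len(a_prime)
    for i in reversed(range(len(a_prime))):
        if a_prime[i] <= s:
            bits[i] = 1
            s -= a_prime[i]
    if s != 0:
        raise ValueError("S' is not a subset sum of a'")
    return bits


def roundtrip_ok(a_prime, w, m, bits, check=True):
    """True iff encrypting with a = w a' mod m and decrypting via w^-1 recovers bits.
    With m <= sum(a') the mod m in S' wraps and the round trip fails (9.23)."""
    a = public_knapsack(a_prime, w, m, check)
    try:
        return knapsack_decrypt(knapsack_encrypt(a, bits), a_prime, w, m) == bits
    except ValueError:
        return False


if __name__ == "__main__":
    a = public_knapsack([1, 3, 5, 10], 7, 20)
    print("a =", a, "a' recovered =", simple_knapsack_from(a, 3, 20))
    print("18 decrypts to", knapsack_decrypt(18, [1, 3, 5, 10], 7, 20))
    print("round trip with m = 15 <= 19:", roundtrip_ok([1, 3, 5, 10], 7, 15, [1, 1, 1, 1], check=False))
```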
CHAPTER 10
KEY MANAGEMENT; OTHER PUBLIC-KEY CRYPTOSYSTEMS
ANSWERS TO QUESTIONS
10.1 1. The distribution of public keys. 2. The use of public-key encryption to distribute secret keys
10.2 Public announcement. Publicly available directory. Public-key authority. Public-key certificates
10.3 1. The authority maintains a directory with a {name, public key} entry for each participant. 2. Each participant registers a public key with the directory authority. Registration would have to be in person or by some form of secure authenticated communication. 3. A participant may replace the existing key with a new one at any time, either because of the desire to replace a public key that has already been used for a large amount of data, or because the corresponding private key has been compromised in some way. 4. Periodically, the authority publishes the entire directory or updates to the directory. For example, a hard-copy version much like a telephone book could be published, or updates could be listed in a widely circulated newspaper. 5. Participants could also access the directory electronically. For this purpose, secure, authenticated communication from the authority to the participant is mandatory.
10.4 A public-key certificate contains a public key and other information, is created by a certificate authority, and is given to the participant with the matching private key. A participant conveys its key information to another by transmitting its certificate. Other participants can verify that the certificate was created by the authority.
10.5 1. Any participant can read a certificate to determine the name and public key of the certificate's owner. 2. Any participant can verify that the certificate originated from the certificate authority and is not counterfeit. 3. Only the certificate authority can create and update certificates. 4. Any participant can verify the currency of the certificate.
10.6 Two parties each create a public-key, private-key pair and communicate the public key to the other party. The keys are designed in such a way that both sides can calculate the same unique secret key based on each side's private key and the other side's public key.
10.7 An elliptic curve is one that is described by cubic equations, similar to those used for calculating the circumference of an ellipse. In general, cubic equations for elliptic curves take the form
y^2 + axy + by = x^3 + cx^2 + dx + e
where a, b, c, d, and e are real numbers and x and y take on values in the real numbers.
10.8 Also called the point at infinity and designated by O. This value serves as the additive identity in elliptic-curve arithmetic.
10.9 If three points on an elliptic curve lie on a straight line, their sum is O.
ANSWERS TO PROBLEMS
10.1 a. Y_A = 7^5 mod 71 = 51
b. Y_B = 7^12 mod 71 = 4
c. K = 4^5 mod 71 = 30
10.2 a. φ(11) = 10
2^10 = 1024 = 1 mod 11
If you check 2^n for n < 10, you will find that none of the values is 1 mod 11.
b. 6, because 2^6 mod 11 = 9
c. K = 3^6 mod 11 = 3
10.3 For example, the key could be g^(x_A) g^(x_B) = g^(x_A + x_B). Of course, Eve can find that trivially just by multiplying the public information. In fact, no such system could be secure anyway, because Eve can find the secret numbers x_A and x_B by using Fermat's Little Theorem to take g-th roots.
10.4 x_B = 3, x_A = 5, the secret combined key is (3^3)^5 = 3^15 = 14348907.
10.5 1. Darth prepares for the attack by generating a random private key X_D and then computing the corresponding public key Y_D.
2. Alice transmits Y_A to Bob.
3. Darth intercepts Y_A and transmits Y_D to Bob. Darth also calculates K2 = (Y_A)^(X_D) mod q.
4. Bob receives Y_D and calculates K1 = (Y_D)^(X_B) mod q.
5. Bob transmits Y_B to Alice.
6. Darth intercepts Y_B and transmits Y_D to Alice. Darth calculates K1 = (Y_B)^(X_D) mod q.
7. Alice receives Y_D and calculates K2 = (Y_D)^(X_A) mod q.
10.6 From Figure 10.7, we have, for private key X_B, B's public key is Y_B = α^(X_B) mod q.
1. User B computes (C_1)^(X_B) mod q = (α^k)^(X_B) mod q = α^(kX_B) mod q. But
K = (Y_B)^k mod q = (α^(X_B) mod q)^k mod q = α^(kX_B) mod q
So step 1 enables user B to recover K.
2. Next, user B computes (C_2 K^(–1)) mod q = (K M K^(–1)) mod q = M, which is the desired plaintext.
.0.6 a. =4/9 57>
b. C
2
? 2/
.0.7 a. #or a %ertical tan,ent line9 the point o* intersection is in*inity. There*ore 24 ? ".
b. 34 ? 24 D 4 ? " D 4 ? 4.
.0.8 7e use Equation =13.1>9 8hich de*ines the *or) o* the elliptic cur%e as y
2
? $
3
D a$
D b9 and Equation =13.2>9 8hich says that an elliptic cur%e o%er the real nu).ers
de*ines a ,roup i* 4a
3
D 27b
2
E 3.
a. #or y
2
? $
3
B $9 8e ha%e 4=B1>
3
D 27=3> ? B4 E 3.
b. #or y
2
? $
3
D $ D 19 8e ha%e 4=1>
3
D 27=1> ? 21 E 3.
.0..0 Kes9 since the equation holds true *or $ ? 4 and y ? 7:
7
2
? 4
3
B 5=4> D 5
-5/-
4/ ? '4 B 23 D 5 ? 4/
10.11 a. First we calculate R = P + Q, using Equations (10.3).
$\Delta = (8.5 - 9.5)/(-2.5 + 3.5) = -1$
$x_R = \Delta^2 - x_P - x_Q = 1 + 3.5 + 2.5 = 7$
$y_R = \Delta(x_P - x_R) - y_P = (-1)(-3.5 - 7) - 9.5 = 1$
R = (7, 1)
b. For R = 2P, we use Equations (10.4), with a = -36 and $\Delta = (3x_P^2 + a)/(2y_P) = (36.75 - 36)/19$:
$x_R = [(36.75 - 36)/19]^2 + 7 \approx 7$
$y_R = [(36.75 - 36)/19](-3.5 - 7) - 9.5 \approx -9.9$
10.12 $(4a^3 + 27b^2) \bmod p = (4(10)^3 + 27(5)^2) \bmod 17 = 4675 \bmod 17 = 0$
This elliptic curve does not satisfy the condition of Equation (10.6) and therefore does not define a group over $Z_{17}$.
10.13
 x   (x^3 + x + 6) mod 11   square roots mod p?   y
 0            6                    no
 1            8                    no
 2            5                    yes            4, 7
 3            3                    yes            5, 6
 4            8                    no
 5            4                    yes            2, 9
 6            8                    no
 7            4                    yes            2, 9
 8            9                    yes            3, 8
 9            7                    no
10            4                    yes            2, 9
10.14 The negative of a point $P = (x_P, y_P)$ is the point $-P = (x_P, -y_P \bmod p)$. Thus
$-P = (5, 9)$; $-Q = (3, 0)$; $-R = (0, 11)$
10.15 We follow the rules of addition described in Section 10.4. To compute 2G = (2, 7) + (2, 7), we first compute
$\lambda = (3 \cdot 2^2 + 1)/(2 \cdot 7) \bmod 11 = 13/14 \bmod 11 = 2/3 \bmod 11 = 8$
Then we have
$x_3 = (8^2 - 2 - 2) \bmod 11 = 5$
$y_3 = (8(2 - 5) - 7) \bmod 11 = 2$
2G = (5, 2)
Similarly, 3G = 2G + G, and so on. The result:
2G = (5, 2)    3G = (8, 3)    4G = (10, 2)    5G = (3, 6)
6G = (7, 9)    7G = (7, 2)    8G = (3, 5)     9G = (10, 9)
10G = (8, 8)   11G = (5, 9)   12G = (2, 4)    13G = O
Since 12G = (2, 4) = -G, adding G once more gives the point at infinity: G has order 13, which is also the number of points on the curve (the 12 points found in Problem 10.13 plus O).
10.16 a. $P_B = n_B G = 7(2, 7) = (7, 2)$. This answer is seen in the preceding table.
b. $C_m = \{kG, P_m + kP_B\} = \{3(2, 7), (10, 9) + 3(7, 2)\} = \{(8, 3), (10, 9) + (3, 5)\} = \{(8, 3), (10, 2)\}$
c. $P_m = (10, 2) - 7(8, 3) = (10, 2) - (3, 5) = (10, 2) + (3, 6) = (10, 9)$
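The point arithmetic behind Problems 10.13 through 10.16, as an added example that is not code from the solutions manual. It implements the addition and doubling rules of Section 10.4 for a general prime curve and then specialises to E11(1, 6) with G = (2, 7), n_B = 7, k = 3 and P_m = (10, 9) from the problems above; the point at infinity is represented by None. Nothing here is taken from the textbook's own software.

```python
# Added example: elliptic-curve arithmetic over Z_p for the curve
# E11(1, 6): y^2 = x^3 + x + 6 mod 11 used in Problems 10.13 to 10.16.
# This is illustration code, not from the solutions manual.
P, A, B = 11, 1, 6           # curve parameters from the problems


def inv(x, p=P):
    """Modular inverse for prime p (Fermat): x^(p-2) mod p."""
    return pow(x % p, p - 2, p)


def on_curve(pt, a=A, b=B, p=P):
    if pt is None:                        # point at infinity O
        return True
    x, y = pt
    return (y * y - (x ** 3 + a * x + b)) % p == 0


def neg(pt, p=P):
    """Problem 10.14: -(x, y) = (x, -y mod p)."""
    if pt is None:
        return None
    x, y = pt
    return (x, (-y) % p)


def add(p1, p2, a=A, p=P):
    """Chord-and-tangent addition with the rules of Section 10.4."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % p == 0:
        return None                       # P + (-P) = O
    if p1 == p2:
        lam = (3 * x1 * x1 + a) * inv(2 * y1, p) % p     # tangent slope
    else:
        lam = (y2 - y1) * inv(x2 - x1, p) % p            # chord slope
    x3 = (lam * lam - x1 - x2) % p
    y3 = (lam * (x1 - x3) - y1) % p
    return (x3, y3)


def mul(k, pt, a=A, p=P):
    """Scalar multiplication kP by double-and-add."""
    result, addend = None, pt
    while k > 0:
        if k & 1:
            result = add(result, addend, a, p)
        addend = add(addend, addend, a, p)
        k >>= 1
    return result


def all_points(a=A, b=B, p=P):
    """Problem 10.13: every x with a square root of x^3 + ax + b mod p."""
    return [(x, y) for x in range(p) for y in range(p)
            if (y * y - (x ** 3 + a * x + b)) % p == 0]


def multiples(g, a=A, p=P):
    """Problem 10.15: kG for k = 1, 2, ... until kG = O (order of G)."""
    out, k, pt = {}, 1, g
    while pt is not None:
        out[k] = pt
        k += 1
        pt = add(pt, g, a, p)
    return out


def ecc_elgamal_encrypt(pm, pub, g, k, a=A, p=P):
    """Problem 10.16b: C_m = {kG, P_m + k P_B}."""
    return mul(k, g, a, p), add(pm, mul(k, pub, a, p), a, p)


def ecc_elgamal_decrypt(cm, n_b, a=A, p=P):
    """Problem 10.16c: P_m = C2 - n_B C1."""
    c1, c2 = cm
    return add(c2, neg(mul(n_b, c1, a, p), p), a, p)


if __name__ == "__main__":
    G = (2, 7)
    print("points:", all_points())
    print("multiples of G:", multiples(G))
    cm = ecc_elgamal_encrypt((10, 9), mul(7, G), G, 3)
    print("C_m =", cm, " recovered P_m =", ecc_elgamal_decrypt(cm, 7))
```

The multiples table reproduces Problem 10.15 and stops after 12G = (2, 4), confirming that G has order 13; on a curve this small the discrete logarithm is a twelve-entry lookup, which is the whole point of using 160-bit and larger curves in practice.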
10.17 a. $S + kY_A = M - kx_A G + kx_A G = M$.
b. The imposter gets Alice's public verifying key $Y_A$ and sends Bob M, k, and $S = M - kY_A$ for any k.
10.18 a. $S + kY_A = M - x_A C_1 + kY_A = M - x_A kG + kx_A G = M$.
b. Suppose an imposter has an algorithm that takes as input the public G, $Y_A = x_A G$, Bob's $C_1 = kG$, and the message M and returns a valid signature which Bob can verify as $S = M - kY_A$ and Alice can reproduce as $M - x_A C_1$. The imposter intercepts an encoded message $C_m = \{k'G', P_m + k'P_A\}$ from Bob to Alice where $P_A = n_A G'$ is Alice's public key. The imposter gives the algorithm the input $G = G'$, $Y_A = P_A$, $C_1 = k'G'$, $M = P_m + k'P_A$ and the algorithm computes an S which Alice could "verify" as $S = P_m + k'P_A - n_A k'G' = P_m$.
c. Speed, likelihood of unintentional error, opportunity for denial of service or traffic analysis.
CHAPTER 11
MESSAGE AUTHENTICATION AND HASH
FUNCTIONS

ANSWERS TO QUESTIONS

11.1 Masquerade: Insertion of messages into the network from a fraudulent source. This includes the creation of messages by an opponent that are purported to come from an authorized entity. Also included are fraudulent acknowledgments of message receipt or nonreceipt by someone other than the message recipient. Content modification: Changes to the contents of a message, including insertion, deletion, transposition, and modification. Sequence modification: Any modification to a sequence of messages between parties, including insertion, deletion, and reordering. Timing modification: Delay or replay of messages. In a connection-oriented application, an entire session or sequence of messages could be a replay of some previous valid session, or individual messages in the sequence could be delayed or replayed. In a connectionless application, an individual message (e.g., datagram) could be delayed or replayed.
11.2 At the lower level, there must be some sort of function that produces an authenticator: a value to be used to authenticate a message. This lower-level function is then used as a primitive in a higher-level authentication protocol that enables a receiver to verify the authenticity of a message.
11.3 Message encryption, message authentication code, hash function.
11.4 Error control code, then encryption.
11.5 An authenticator that is a cryptographic function of both the data to be authenticated and a secret key.
11.6 A hash function, by itself, does not provide message authentication. A secret key must be used in some fashion with the hash function to produce authentication. A MAC, by definition, uses a secret key to calculate a code used for authentication.
11.7 Figure 11.5 illustrates a variety of ways in which a hash code can be used to provide message authentication, as follows: a. The message plus concatenated hash code is encrypted using symmetric encryption. b. Only the hash code is encrypted, using symmetric encryption. c. Only the hash code is encrypted, using public-key encryption and using the sender's private key. d. If confidentiality as well as a digital signature is desired, then the message plus the public-key-encrypted hash code can be encrypted using a symmetric secret key. e. This technique uses a hash function but no encryption for message authentication. The technique assumes that the two communicating parties share a common secret value S. A computes the hash value over the concatenation of M and S and appends the resulting hash value to M. Because B possesses S, it can recompute the hash value to verify. f. Confidentiality can be added to the approach of (e) by encrypting the entire message plus the hash code.
11.8 No. Section 11.3 outlines such attacks.
11.9 1. H can be applied to a block of data of any size.
2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).
11.10 Property 5 in Question 11.9 defines weak collision resistance. Property 6 defines strong collision resistance.
11.11 A typical hash function uses a compression function as a basic building block, and involves repeated application of the compression function.
ANSWERS TO PROBLEMS

11.1 No. If internal error control is used, error propagation in the deciphering operation introduces too many errors for the error control code to correct.
11.2 The CBC mode with an IV of 0 and plaintext blocks $D_1, D_2, \ldots, D_n$ and 64-bit CFB mode with $IV = D_1$ and plaintext blocks $D_2, D_3, \ldots, D_n$ yield the same result.
11.3 a. Yes. The XOR function is simply a vertical parity check. If there is an odd number of errors, then there must be at least one column that contains an odd number of errors, and the parity bit for that column will detect the error. Note that the RXOR function also catches all errors caused by an odd number of error bits. Each RXOR bit is a function of a unique "spiral" of bits in the block of data. If there is an odd number of errors, then there must be at least one spiral that contains an odd number of errors, and the parity bit for that spiral will detect the error.
b. No. The checksum will fail to detect an even number of errors when both the XOR and RXOR functions fail. In order for both to fail, the pattern of error bits must be at intersection points between parity spirals and parity columns such that there is an even number of error bits in each parity column and an even number of error bits in each spiral.
c. It is too simple to be used as a secure hash function; finding multiple messages with the same hash value would be too easy.
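An added example (illustration code, not from the solutions manual) of the XOR and rotated-XOR checksums of Section 11.3 over 8-bit words, checking the claims of parts (a) and (b): any odd-weight error pattern is caught, and an even-weight pattern placed at the intersections of parity columns and parity spirals evades both checks. The six-word data block is a constructed sample, and the two undetectable patterns go slightly beyond the text by stating exactly which intersections work for an n-bit word.

```python
# Added example: XOR / RXOR checksums (Problem 11.3). Not from the manual.
N = 8                       # word size in bits
MASK = (1 << N) - 1


def rotl(x, n=N):
    """Circular left shift by one bit."""
    return ((x << 1) | (x >> (n - 1))) & MASK


def xor_checksum(words):
    """Vertical parity: bit j of the result is the parity of column j."""
    c = 0
    for w in words:
        c ^= w
    return c


def rxor_checksum(words):
    """Rotate the running value one bit, then XOR in the next word, so
    each result bit is the parity of one 'spiral' through the block."""
    c = 0
    for w in words:
        c = rotl(c) ^ w
    return c


def flip(words, positions):
    """Copy of words with bit j of word i flipped for every (i, j)."""
    out = list(words)
    for i, j in positions:
        out[i] ^= 1 << j
    return out


def detected(words, positions):
    """(XOR caught it?, RXOR caught it?) for the given error pattern."""
    bad = flip(words, positions)
    return (xor_checksum(bad) != xor_checksum(words),
            rxor_checksum(bad) != rxor_checksum(words))


def undetected_rectangle(i, j, n=N):
    """Part (b): rows i and i+n/2, columns j and j+n/2 (mod n).

    Each column receives two flips, so XOR cancels. Word i is rotated n/2
    more times than word i+n/2 before the end, so the flips at (i, j) and
    (i+n/2, j+n/2) land on the same spiral, as do the other two: RXOR
    cancels as well. Requires an even n and at least i+n/2+1 words."""
    h = n // 2
    return [(i, j), (i + h, j), (i, (j + h) % n), (i + h, (j + h) % n)]


def undetected_two_flips(i, j, n=N):
    """Two flips in one column, n words apart: same column for XOR and,
    after n rotations, the same spiral for RXOR. Needs more than n words."""
    return [(i, j), (i + n, j)]


SAMPLE = [0x3C, 0xA5, 0x0F, 0xF0, 0x96, 0x69]            # constructed block
LONG_SAMPLE = SAMPLE + [0x11, 0x22, 0x33]                # constructed, 9 words

if __name__ == "__main__":
    print("1 flip   :", detected(SAMPLE, [(2, 5)]))
    print("3 flips  :", detected(SAMPLE, [(0, 1), (3, 6), (5, 2)]))
    print("2 in col :", detected(SAMPLE, [(0, 3), (4, 3)]))
    print("rectangle:", detected(SAMPLE, undetected_rectangle(0, 3)))
    print("n apart  :", detected(LONG_SAMPLE, undetected_two_flips(0, 2)))
```

The rectangle pattern is the "intersection" case the answer to (b) describes, and the two-flip pattern shows that once a block is longer than the word size a single column can be attacked directly; both are trivial to find, which is part (c).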
11.4 a. For clarity, we use overbars for complementation. We have:
$E(\overline{M_i}, \overline{H_{i-1}}) \oplus \overline{H_{i-1}} = \overline{E(M_i, H_{i-1})} \oplus \overline{H_{i-1}} = E(M_i, H_{i-1}) \oplus H_{i-1}$
Therefore, the hash function of message M with initial value I is the same as the hash function for message N with initial value $\bar{I}$ for any given I, where
$M = M_1 \| M_2 \| \ldots \| M_n$; $N = \overline{M_1} \| \overline{M_2} \| \ldots \| \overline{M_n}$
b. The same line of reasoning applies with the Ms and Hs reversed in the derivation.
11.5 a. It satisfies properties 1 through 3 but not the remaining properties. For example, for property 4, a message consisting of the value h satisfies H(h) = h. For property 5, take any message M and add the decimal digit 0 to the sequence; it will have the same hash value.
b. It satisfies properties 1 through 3. Property 4 is also satisfied if n is a large composite number, because taking square roots modulo such an integer n is considered to be infeasible. Properties 5 and 6 are not satisfied because -M will have the same value as M.
c. 955
11.6 If you examine the structure of a single round of DES, you see that the round includes a one-way function, f, and an XOR:
$R_i = L_{i-1} \oplus f(R_{i-1}, K_i)$
For DES, the function f is depicted in Figure 3.5. It maps a 32-bit R and a 48-bit K into a 32-bit output. That is, it maps an 80-bit input into a 32-bit output. This is clearly a one-way function. Any hash function that produces a 32-bit output could be used for f. The demonstration in the text that decryption works is still valid for any one-way function f.
11.7 The opponent has the two-block message B1, B2 and its hash RSAH(B1, B2). The following attack will work. Choose an arbitrary C1 and choose C2 such that:
$C2 = RSA(C1) \oplus RSA(B1) \oplus B2$
then
$RSA(C1) \oplus C2 = RSA(C1) \oplus RSA(C1) \oplus RSA(B1) \oplus B2 = RSA(B1) \oplus B2$
so
$RSAH(C1, C2) = RSA[RSA(C1) \oplus C2] = RSA[RSA(B1) \oplus B2] = RSAH(B1, B2)$
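The attack carried out numerically, as an added example that is not part of the solutions manual. It uses a constructed toy RSA key (p = 61, q = 53, e = 17, so n = 3233) purely so the numbers can be checked by hand, and generalises the two-block construction to k blocks: an attacker may choose all but the last block freely and then solve for the last one.

```python
# Added example: second-preimage attack on RSAH (Problem 11.7).
# Not from the solutions manual; key is a constructed toy key.
P_TOY, Q_TOY = 61, 53
N_TOY = P_TOY * Q_TOY       # 3233
E_TOY = 17                  # public exponent


def rsa(x, n=N_TOY, e=E_TOY):
    """The public RSA operation RSA(x) = x^e mod n."""
    return pow(x, e, n)


def chain_state(blocks, n=N_TOY, e=E_TOY):
    """The value XORed with the last block before the final RSA operation.
    For two blocks this is RSA(B1); for one block it is 0."""
    h = 0
    for b in blocks[:-1]:
        h = rsa(h ^ b, n, e)
    return h


def rsah(blocks, n=N_TOY, e=E_TOY):
    """RSAH(B1, ..., Bk) = RSA(... RSA(RSA(B1) xor B2) ... xor Bk)."""
    return rsa(chain_state(blocks, n, e) ^ blocks[-1], n, e)


def second_preimage(blocks, prefix, n=N_TOY, e=E_TOY):
    """Given the victim's blocks (B1..Bk) and any attacker-chosen prefix
    (C1..C_{k-1}), return (C1..Ck) with RSAH(C) == RSAH(B).

    For k = 2 this is exactly C2 = RSA(C1) xor RSA(B1) xor B2."""
    target = chain_state(blocks, n, e)
    forged = chain_state(list(prefix) + [0], n, e)   # state before last block
    last = forged ^ target ^ blocks[-1]
    return list(prefix) + [last]


if __name__ == "__main__":
    victim = [1234, 567]
    forgery = second_preimage(victim, [99])
    print(victim, "->", rsah(victim))
    print(forgery, "->", rsah(forgery))
```

The attack needs only the public key: the weakness is that the chaining value enters the next step through an XOR the attacker can cancel, so a one-way primitive on its own does not make an iterated hash second-preimage resistant.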
11.8 The statement is false. Such a function cannot be one-to-one because the number of inputs to the function is arbitrary, but the number of unique outputs is $2^n$. Thus, there are multiple inputs that map into the same output.
CHAPTER 12
HASH AND MAC ALGORITHMS

ANSWERS TO QUESTIONS
12.1 In little-endian format, the least significant byte of a word is in the low-address byte position. In big-endian format, the most significant byte of a word is in the low-address byte position.
12.2 Addition modulo $2^{64}$ or $2^{32}$, circular shift, primitive Boolean functions based on AND, OR, NOT, and XOR.
12.3 XOR, addition over a finite field, and circular shifts.
12.4 1. Cryptographic hash functions such as MD5 and SHA generally execute faster in software than symmetric block ciphers such as DES. 2. Library code for cryptographic hash functions is widely available.
12.5 To replace a given hash function in an HMAC implementation, all that is required is to remove the existing hash function module and drop in the new module.
ANSWERS TO PROBLEMS

12.1 Assume an array of sixteen 64-bit words W[0], ..., W[15], which will be treated as a circular queue. Define MASK = 0000000F in hex. Then for round t:
s = t ∧ MASK;
if (t ≥ 16) then
W[s] = W[s] + σ0(W[(s + 1) ∧ MASK]) + W[(s + 9) ∧ MASK] + σ1(W[(s + 14) ∧ MASK])
12.2 $W_{16} = W_0 + \sigma_0(W_1) + W_9 + \sigma_1(W_{14})$
$W_{17} = W_1 + \sigma_0(W_2) + W_{10} + \sigma_1(W_{15})$
$W_{18} = W_2 + \sigma_0(W_3) + W_{11} + \sigma_1(W_{16})$
$W_{19} = W_3 + \sigma_0(W_4) + W_{12} + \sigma_1(W_{17})$
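An added example (illustration code, not from the solutions manual) that computes the SHA-512 message schedule both as the usual 80-word expansion and with the 16-word circular queue of Problem 12.1, and checks that the two agree, so W16 through W19 of Problem 12.2 fall out of the circular version. The σ0 and σ1 functions are the SHA-512 ones (ROTR1 ⊕ ROTR8 ⊕ SHR7 and ROTR19 ⊕ ROTR61 ⊕ SHR6); the 16-word input block is a constructed sample.

```python
# Added example: SHA-512 message schedule, full expansion versus the
# circular-queue formulation of Problem 12.1. Not from the manual.
MASK64 = (1 << 64) - 1
QMASK = 0x0F                        # the 0000000F MASK of Problem 12.1


def rotr(x, n):
    return ((x >> n) | (x << (64 - n))) & MASK64


def sigma0(x):                      # SHA-512 lower-case sigma 0
    return rotr(x, 1) ^ rotr(x, 8) ^ (x >> 7)


def sigma1(x):                      # SHA-512 lower-case sigma 1
    return rotr(x, 19) ^ rotr(x, 61) ^ (x >> 6)


def schedule_full(block16):
    """W_t = sigma1(W_{t-2}) + W_{t-7} + sigma0(W_{t-15}) + W_{t-16}, t = 16..79."""
    w = list(block16)
    for t in range(16, 80):
        w.append((sigma1(w[t - 2]) + w[t - 7] + sigma0(w[t - 15]) + w[t - 16])
                 & MASK64)
    return w


def schedule_circular(block16):
    """Same values using only sixteen words of storage (Problem 12.1).

    At round t, slot s = t & 0xF still holds W_{t-16}; slots s+1, s+9 and
    s+14 (mod 16) hold W_{t-15}, W_{t-7} and W_{t-2}, none of which has
    been overwritten yet. Returns the 80 words each round consumes."""
    w = list(block16)               # circular queue W[0..15]
    consumed = list(block16)
    for t in range(16, 80):
        s = t & QMASK
        w[s] = (w[s] + sigma0(w[(s + 1) & QMASK]) + w[(s + 9) & QMASK]
                + sigma1(w[(s + 14) & QMASK])) & MASK64
        consumed.append(w[s])
    return consumed


# Constructed sample block: sixteen 64-bit words.
SAMPLE_BLOCK = [(0x0123456789ABCDEF * (i + 1)) & MASK64 for i in range(16)]

if __name__ == "__main__":
    full, circ = schedule_full(SAMPLE_BLOCK), schedule_circular(SAMPLE_BLOCK)
    print("schedules agree:", full == circ)
    for t in range(16, 20):
        print(f"W{t} = {circ[t]:016x}")
```

The circular form is what a constrained implementation (a smart card or a hardware core) actually uses: 128 bytes of schedule state instead of 640, at the cost of computing each word just before it is needed.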
12.3 a. 1. Interchange $x_1$ and $x_4$; $x_2$ and $x_3$; $y_1$ and $y_4$; and $y_2$ and $y_3$.
2. Compute $Z = X + Y \bmod 2^{32}$.
3. Interchange $z_1$ and $z_4$; and $z_2$ and $z_3$.
b. You must use the same sort of interchange.
12.4 a. Overall structure (figure): the padded message is divided into 16-letter blocks $M_1, M_2, \ldots, M_N$; starting from the initial value IV, the compression function F is applied once per block, $H_i = F(H_{i-1}, M_i)$, and $H_N$ is the 16-letter hash code.
Compression function F (figure): column-wise mod 26 addition of $H_{i-1}$ and $M_i$, followed by row-wise rotations, producing $H_i$.
b. BFQG
c. Simple algebra is all you need to generate a result:
AYHGDAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAA
12.5 Generator for $GF(2^8)$ using $x^8 + x^4 + x^3 + x^2 + 1$. Partial results:

Power          Polynomial                     Binary          Decimal (Hex)
Representation Representation                 Representation  Representation
0              0                              00000000        00
g^0 (= g^255)  1                              00000001        01
g^1            g                              00000010        02
g^2            g^2                            00000100        04
g^3            g^3                            00001000        08
g^4            g^4                            00010000        10
g^5            g^5                            00100000        20
g^6            g^6                            01000000        40
g^7            g^7                            10000000        80
g^8            g^4 + g^3 + g^2 + 1            00011101        1D
g^9            g^5 + g^4 + g^3 + g            00111010        3A
g^10           g^6 + g^5 + g^4 + g^2          01110100        74
g^11           g^7 + g^6 + g^5 + g^3          11101000        E8
g^12           g^7 + g^6 + g^3 + g^2 + 1      11001101        CD
g^13           g^7 + g^2 + g + 1              10000111        87
g^14           g^4 + g + 1                    00010011        13
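The table above generated programmatically, as an added example that is not code from the solutions manual. Multiplying by g is a one-bit left shift followed by a reduction with the polynomial (0x11D) whenever bit 8 is set; repeating that from 1 produces every row, and continuing until the value returns to 1 shows that g has order 255, which is why g is a generator of the multiplicative group.

```python
# Added example: powers of g = x in GF(2^8) modulo x^8 + x^4 + x^3 + x^2 + 1
# (Problem 12.5). Not from the solutions manual.
POLY = 0x11D                 # 1 0001 1101 = x^8 + x^4 + x^3 + x^2 + 1


def xtime(a, poly=POLY):
    """Multiply a field element by x: shift left, reduce if bit 8 appears."""
    a <<= 1
    if a & 0x100:
        a ^= poly
    return a


def gf_mul(a, b, poly=POLY):
    """General multiplication by shift-and-add (a times b)."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = xtime(a, poly)
        b >>= 1
    return r


def poly_str(v):
    """Polynomial representation of a byte, highest degree first."""
    terms = [("1" if k == 0 else "g" if k == 1 else f"g^{k}")
             for k in range(7, -1, -1) if (v >> k) & 1]
    return " + ".join(terms) if terms else "0"


def power_table(poly=POLY, count=15):
    """Rows (i, g^i as int, binary, polynomial) for i = 0 .. count-1."""
    rows, v = [], 1
    for i in range(count):
        rows.append((i, v, f"{v:08b}", poly_str(v)))
        v = xtime(v, poly)
    return rows


def order_of_g(poly=POLY):
    """Smallest i > 0 with g^i = 1. 255 means g generates GF(2^8)*."""
    v, i = xtime(1, poly), 1
    while v != 1:
        v = xtime(v, poly)
        i += 1
    return i


if __name__ == "__main__":
    for i, v, binary, poly in power_table():
        print(f"g^{i:<3} {poly:<28} {binary}  {v:02X}")
    print("order of g:", order_of_g())
```

The same `xtime` step, with the polynomial swapped for 0x11B, is the AES field multiplication, and with the block-size polynomials of Section 12.4 it is the subkey doubling used by CMAC; the reduction constant is the only thing that changes.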
12.6
        00 01 10 11               00 01 10 11
  00     1  B  9  C         00     F  0  D  7
  01     D  6  F  3         01     B  E  5  A
  10     E  8  7  4         10     9  2  C  1
  11     A  2  5  0         11     3  4  8  6
          E box                  E^{-1} box
12.7 a. For input 00: The output of the first E box is 0001. The output of the first E^{-1} box is 1111. The input to R is 1110 and the output of R is 0001. The input to the second E box is 0000 and the output is 0001. The input to the second E^{-1} box is 1110 and the output is 1000. So the final output is 00011000 in binary, which is 18 in hex. This agrees with Table 12.3a.
b. For input 55: The output of the first E box is 0110. The output of the first E^{-1} box is 1110. The input to R is 1000 and the output of R is 0110. The input to the second E box is 0000 and the output is 0001. The input to the second E^{-1} box is 1000 and the output is 1001. So the final output is 00011001 in binary, which is 19 in hex. This agrees with Table 12.3a.
c. For input 1E: The output of the first E box is 1011. The output of the first E^{-1} box is 1000. The input to R is 0011 and the output of R is 1101. The input to the second E box is 0110 and the output is 1111. The input to the second E^{-1} box is 0101 and the output is 1110. So the final output is 11111110 in binary, which in hex is FE. This agrees with Table 12.3a.
12.8 Treat the input to the S-box as two 4-bit variables u and v and the output as the 4-bit variables u' and v'. The S-box can be expressed as (u', v') = S(u, v). Using Figure 12.9, we can express this as:
$u' = E[E(u) \oplus r]$, $v' = E^{-1}[E^{-1}(v) \oplus r]$
where $r = R[E(u) \oplus E^{-1}(v)]$
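The formula of Problem 12.8 turned into a generator for the whole Whirlpool S-box, as an added example that is not code from the solutions manual. The E box is the one tabulated in Problem 12.6 and E^{-1} is derived from it by inversion; the R mini-box values are the Whirlpool ones (7, C, B, D, E, 4, 9, F, 6, 3, 8, A, 2, 5, 1, 0), which the three hand-worked entries of Problem 12.7 confirm. The `trace` helper returns the intermediate values in the order Problem 12.7 lists them.

```python
# Added example: Whirlpool S-box from the E, E^-1 and R mini-boxes
# (Problems 12.6 to 12.8). Not from the solutions manual.
E_BOX = [0x1, 0xB, 0x9, 0xC, 0xD, 0x6, 0xF, 0x3,
         0xE, 0x8, 0x7, 0x4, 0xA, 0x2, 0x5, 0x0]          # Problem 12.6
E_INV = [0] * 16
for _in, _out in enumerate(E_BOX):                           # invert E
    E_INV[_out] = _in
R_BOX = [0x7, 0xC, 0xB, 0xD, 0xE, 0x4, 0x9, 0xF,
         0x6, 0x3, 0x8, 0xA, 0x2, 0x5, 0x1, 0x0]           # Whirlpool R


def trace(byte):
    """Intermediate nibbles: (E(u), E^-1(v), R input, r, second E input,
    u', second E^-1 input, v')."""
    u, v = byte >> 4, byte & 0xF
    eu, ev = E_BOX[u], E_INV[v]           # first E and E^-1 boxes
    r_in = eu ^ ev
    r = R_BOX[r_in]                       # r = R[E(u) xor E^-1(v)]
    u2 = E_BOX[eu ^ r]                    # u' = E[E(u) xor r]
    v2 = E_INV[ev ^ r]                    # v' = E^-1[E^-1(v) xor r]
    return eu, ev, r_in, r, eu ^ r, u2, ev ^ r, v2


def sbox(byte):
    """S(u, v) = (u', v') packed back into one byte."""
    t = trace(byte)
    return (t[5] << 4) | t[7]


def full_sbox():
    return [sbox(b) for b in range(256)]


def is_permutation(table):
    """Every byte value appears exactly once (S is invertible)."""
    return sorted(table) == list(range(256))


if __name__ == "__main__":
    for x in (0x00, 0x55, 0x1E):
        print(f"S({x:02X}) = {sbox(x):02X}  trace = "
              + " ".join(f"{n:04b}" for n in trace(x)))
    print("bijective:", is_permutation(full_sbox()))
```

Checking `is_permutation` matters for any S-box built this way: the middle layer XORs the same r into both halves, and that is invertible only because r is a function of E(u) ⊕ E^{-1}(v), a quantity the XOR leaves unchanged.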
12.9 Consider the encryption $E(H_{i-1}, M_i)$. We could write the last round key as $K^{10} = E(c, H_{i-1})$, where the round constants c play the role of the key in the key schedule; this quantity is XORed onto the cipher state as the last encryption step. Now take a look at the recursion: $H_i = E(H_{i-1}, M_i) \oplus M_i$. Formally applying this construction to the "key encryption line" we get $K'^{10} = E(c, H_{i-1}) \oplus H_{i-1}$. Using this value as the effective last round key formally creates two interacting lines (as compared to the interacting encryption lines), and results in the Whirlpool scheme, which therefore shows up as the natural choice for the compression function. This explanation is taken from the Whirlpool document.
12.10 We use the definition from Section 11.3. For a one-block message, the MAC using CBC-MAC is $T = E(K, X)$, where K is the key and X is the message block. Now consider the two-block message in which the first block is X and the second block is $X \oplus T$. Then the MAC is $E(K, [T \oplus (X \oplus T)]) = E(K, X) = T$.
12.11 We use Figure 12.12a but put the XOR with $K_1$ after the final encryption. For this problem, there are two blocks to process. The output of the encryption of the first message block is $E(K, 0) = CBC(K, 0) = T_0 \oplus K_1$. This is XORed with the second message block $(T_0 \oplus T_1)$, so that the input to the second encryption is $(T_1 \oplus K_1) = CBC(K, 1) = E(K, 1)$. So the output of the second encryption is $E(K, [E(K, 1)]) = CBC(K, [CBC(K, 1)]) = T_2 \oplus K_1$. After the final XOR with $K_1$, we get
$VMAC(K, [0 \| (T_0 \oplus T_1)]) = T_2$.
12.12 a. In each case (64 bits, 128 bits) the constant is the binary representation of the irreducible polynomial defined in Section 12.4. The two constants are
$R_{128} = 0^{120}10000111$ and $R_{64} = 0^{59}11011$
b. Here is the algorithm from the NIST document:
1. Let $L = E(K, 0^b)$.
2. If $MSB_1(L) = 0$, then $K_1 = L \ll 1$;
Else $K_1 = (L \ll 1) \oplus R_b$;
3. If $MSB_1(K_1) = 0$, then $K_2 = K_1 \ll 1$;
Else $K_2 = (K_1 \ll 1) \oplus R_b$.
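The two forgeries of Problems 12.10 and 12.11 and the subkey derivation of Problem 12.12, as one added example that is not code from the solutions manual. The block cipher is replaced by a stand-in keyed function built from SHA-256 and truncated to 128 bits (labelled as such in the code); it is not invertible and not a real cipher, but both forgeries rely only on E being a deterministic function of (key, block), so they go through unchanged. The subkey routine is checked against the RFC 4493 test vector, using the published value of L = AES-128(K, 0^128) from that RFC rather than computing it, since no AES is available here.

```python
# Added example: CBC-MAC forgery (12.10), the flawed "XOR K1 after the last
# encryption" variant (12.11) and CMAC subkey generation (12.12).
# Not from the solutions manual.
import hashlib

BLOCK = 16                      # 128-bit blocks
R128 = 0x87                     # x^128 + x^7 + x^2 + x + 1
R64 = 0x1B                      # x^64 + x^4 + x^3 + x + 1


def E(key, block):
    """STAND-IN for a block cipher: keyed PRF from SHA-256, truncated to
    one block. Deterministic in (key, block), which is all the forgeries
    below need; it is not invertible and must not be used as a cipher."""
    return hashlib.sha256(key + block).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(key, blocks):
    """Basic CBC-MAC with a zero IV and no final transformation."""
    state = bytes(BLOCK)
    for b in blocks:
        state = E(key, xor(state, b))
    return state


def forge_cbc_mac(x, t):
    """Problem 12.10: with T = MAC(X), the message X || (X xor T) has MAC T."""
    return [x, xor(x, t)]


def vmac(key, k1, blocks):
    """Flawed variant of Problem 12.11: XOR K1 after the final encryption."""
    return xor(cbc_mac(key, blocks), k1)


def forge_vmac(key, k1):
    """Three chosen-message queries (0, 1, 1||0) give the MAC of the
    unqueried message 0 || (T0 xor T1) without knowing K or K1."""
    zero, one = bytes(BLOCK), bytes([0xFF]) * BLOCK
    t0 = vmac(key, k1, [zero])
    t1 = vmac(key, k1, [one])
    t2 = vmac(key, k1, [one, zero])
    return [zero, xor(t0, t1)], t2          # (forged message, its valid tag)


def cmac_subkeys(L, rb=R128, width=128):
    """Problem 12.12b: K1 = L << 1 (xor R_b if the MSB was set), K2 likewise."""
    mask = (1 << width) - 1

    def dbl(v):
        n = int.from_bytes(v, "big")
        n = ((n << 1) & mask) ^ rb if n >> (width - 1) else n << 1
        return n.to_bytes(width // 8, "big")

    k1 = dbl(L)
    return k1, dbl(k1)


if __name__ == "__main__":
    key, x = b"constructed-key!", b"sixteen byte blk"      # constructed
    t = cbc_mac(key, [x])
    print("CBC-MAC forgery ok:", cbc_mac(key, forge_cbc_mac(x, t)) == t)
    msg, tag = forge_vmac(key, b"\x01" * BLOCK)
    print("VMAC forgery ok:", vmac(key, b"\x01" * BLOCK, msg) == tag)
    # L = AES-128(2b7e151628aed2a6abf7158809cf4f3c, 0^128) per RFC 4493
    k1, k2 = cmac_subkeys(bytes.fromhex("7df76b0c1ab899b33e42f047b91b546f"))
    print("K1", k1.hex(), "K2", k2.hex())
```

Real CMAC avoids both forgeries by XORing K1 (or K2, for a padded final block) into the last block before the final encryption, so the adversary never sees a value from which the inner chaining state can be recovered.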
CHAPTER 13
DIGITAL SIGNATURES AND AUTHENTICATION
PROTOCOLS

ANSWERS TO QUESTIONS

13.1 Suppose that John sends an authenticated message to Mary. The following disputes could arise: 1. Mary may forge a different message and claim that it came from John. Mary would simply have to create a message and append an authentication code using the key that John and Mary share. 2. John can deny sending the message. Because it is possible for Mary to forge a message, there is no way to prove that John did in fact send the message.
13.2 1. It must be able to verify the author and the date and time of the signature. 2. It must be able to authenticate the contents at the time of the signature. 3. The signature must be verifiable by third parties, to resolve disputes.
13.3 1. The signature must be a bit pattern that depends on the message being signed. 2. The signature must use some information unique to the sender, to prevent both forgery and denial. 3. It must be relatively easy to produce the digital signature. 4. It must be relatively easy to recognize and verify the digital signature. 5. It must be computationally infeasible to forge a digital signature, either by constructing a new message for an existing digital signature or by constructing a fraudulent digital signature for a given message. 6. It must be practical to retain a copy of the digital signature in storage.
13.4 A direct digital signature involves only the communicating parties (source, destination). It is assumed that the destination knows the public key of the source. A digital signature may be formed by encrypting the entire message with the sender's private key or by encrypting a hash code of the message with the sender's private key. An arbitrated digital signature operates as follows. Every signed message from a sender X to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a number of tests to check its origin and content. The message is then dated and sent to Y with an indication that it has been verified to the satisfaction of the arbiter.
13.5 It is important to perform the signature function first and then an outer confidentiality function. In case of dispute, some third party must view the message and its signature. If the signature is calculated on an encrypted message, then the third party also needs access to the decryption key to read the original message. However, if the signature is the inner operation, then the recipient can store the plaintext message and its signature for later use in dispute resolution.
13.6 1. The validity of the scheme depends on the security of the sender's private key. If a sender later wishes to deny sending a particular message, the sender can claim that the private key was lost or stolen and that someone else forged his or her signature. 2. Another threat is that some private key might actually be stolen from X at time T. The opponent can then send a message signed with X's signature and stamped with a time before or equal to T.
13.7 Simple replay: The opponent simply copies a message and replays it later. Repetition that can be logged: An opponent can replay a timestamped message within the valid time window. Repetition that cannot be detected: This situation could arise because the original message could have been suppressed and thus did not arrive at its destination; only the replay message arrives. Backward replay without modification: This is a replay back to the message sender. This attack is possible if symmetric encryption is used and the sender cannot easily recognize the difference between messages sent and messages received on the basis of content.
13.8 1. Attach a sequence number to each message used in an authentication exchange. A new message is accepted only if its sequence number is in the proper order. 2. Party A accepts a message as fresh only if the message contains a timestamp that, in A's judgment, is close enough to A's knowledge of current time. This approach requires that clocks among the various participants be synchronized. 3. Party A, expecting a fresh message from B, first sends B a nonce (challenge) and requires that the subsequent message (response) received from B contain the correct nonce value.
13.9 When a sender's clock is ahead of the intended recipient's clock, an opponent can intercept a message from the sender and replay it later when the timestamp in the message becomes current at the recipient's site. This replay could cause unexpected results.
ANSWERS TO PROBLEMS

13.1 There are several possible ways to respond to this problem. If public-key encryption is allowed, then of course an arbiter is not needed; A can send message plus signature directly to B. If we constrain the answer to conventional encryption, then the following scenario is possible:
(1) X → A: M || E($K_{xa}$, [$ID_X$ || H(M)])
(2) A → Y: M || E($K_{ay}$, [$ID_X$ || H(M)])
A checks the first message with $K_{xa}$; Y can decrypt M || E($K_{ay}$, [$ID_X$ || H(M)]) to determine if M was sent by X.
13.2 The use of a hash function avoids the need for triple encryption.
13.3 X and A, wanting to commit fraud, could disclose $PR_x$ and $PR_a$, respectively, and claim that these were lost or stolen. The possibility of both private keys becoming public through accident or theft is so unlikely, however, that the sender and arbitrator's claims would have very little credibility.
13.4 It is not so much a protection against an attack as a protection against error. Since $N_a$ is not unique across the network, it is possible for B to mistakenly send message 6 to some other party that would accept $N_a$.
13.5
(1) A → B: $ID_A$ || $N_a$
(2) B → KDC: $ID_A$ || $ID_B$ || $N_a$ || $N_b$
(3) KDC → B: E($PR_{auth}$, [$ID_A$ || $PU_a$]) || E($PU_b$, E($PR_{auth}$, [$N_a$ || $N_b$ || $K_s$ || $ID_A$ || $ID_B$]))
(4) B → A: E($PU_a$, E($PR_{auth}$, [$N_a$ || $N_b$ || $K_s$ || $ID_A$ || $ID_B$]))
(5) A → B: E($K_s$, $N_b$)
13.6 a. An unintentionally postdated message (message with a clock time that is in the future with respect to the recipient's clock) that requests a key is sent by a client. An adversary blocks this request message from reaching the KDC. The client gets no response and thinks that an omission or performance failure has occurred. Later, when the client is off-line, the adversary replays the suppressed message from the same workstation (with the same network address) and establishes a secure connection in the client's name.
b. An unintentionally postdated message that requests a stock purchase could be suppressed and replayed later, resulting in a stock purchase when the stock price had already changed significantly.
13.7 All three really serve the same purpose. The difference is in the vulnerability. In Usage 1, an attacker could breach security by inflating $N_a$ and withholding an answer from B for a future replay attack, a form of suppress-replay attack. The attacker could attempt to predict a plausible reply in Usage 2, but this will not succeed if the nonces are random. In both Usage 1 and 2, the messages work in either direction. That is, if N is sent in either direction, the response is E[K, N]. In Usage 3, the message is encrypted in both directions; the purpose of function f is to assure that messages 1 and 2 are not identical. Thus, Usage 3 is more secure.
13.8 Instead of two keys e and d we will have THREE keys u, v, and w. They must be selected in such a way that $uvw \equiv 1 \bmod \varphi(N)$. (This can be done e.g. by selecting u and v randomly (but they have to be relatively prime to $\varphi(N)$) and then choosing w such that the equation holds.) The key w is made public, while u and v become the first and the second signatory's key respectively. Now the first signatory signs document M by computing $S_1 = M^u \bmod N$. The second signatory can verify the signature with the help of his key v and publicly known w, because $S_1^{vw} \bmod N$ has to be M. He then 'adds' his signature by computing $S_2 = S_1^v \bmod N$ (that is $S_2 = M^{uv} \bmod N$). Anyone can now verify that $S_2$ is really the double signature of M (i.e. that M was signed by both signatories) because $S_2^w \bmod N$ is equal to M only if $S_2 = M^{uv} \bmod N$.
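The three-key scheme executed on a constructed toy modulus (p = 61, q = 53, u = 7, v = 11), as an added example that is not code from the solutions manual. It runs both signing steps, the second signatory's intermediate check, the public double-signature check, and shows that a document carrying only the first signature does not pass the public check.

```python
# Added example: two-signatory RSA with u*v*w = 1 mod phi(N) (Problem 13.8).
# Not from the solutions manual; the modulus is a toy, not a real key.
from math import gcd


def modinv(a, m):
    """Inverse of a modulo m by the extended Euclidean algorithm."""
    r0, r1, t0, t1 = m, a % m, 0, 1
    while r1:
        q = r0 // r1
        r0, r1, t0, t1 = r1, r0 - q * r1, t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("not invertible")
    return t0 % m


def keygen(p, q, u, v):
    """Given the two signatories' keys u and v, derive the public w."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(u, phi) != 1 or gcd(v, phi) != 1:
        raise ValueError("u and v must be relatively prime to phi(N)")
    w = modinv(u * v, phi)                # now u*v*w = 1 mod phi(N)
    return n, w


def sign_first(m, u, n):
    """S1 = M^u mod N."""
    return pow(m, u, n)


def check_by_second(s1, m, v, w, n):
    """Second signatory verifies S1 with v and w: S1^(vw) = M^(uvw) = M."""
    return pow(s1, v * w, n) == m


def sign_second(s1, v, n):
    """S2 = S1^v = M^(uv) mod N."""
    return pow(s1, v, n)


def verify_double(s2, m, w, n):
    """Anyone: S2^w = M^(uvw) = M iff both signatures are present."""
    return pow(s2, w, n) == m


if __name__ == "__main__":
    N, W = keygen(61, 53, 7, 11)
    M = 1234
    S1 = sign_first(M, 7, N)
    print("second signatory accepts S1:", check_by_second(S1, M, 11, W, N))
    S2 = sign_second(S1, 11, N)
    print("public check of S2:", verify_double(S2, M, W, N))
    print("public check of S1 alone:", verify_double(S1, M, W, N))
```

Note that the order of signing is fixed by the keys: w undoes uv, so a document signed with v alone, or with u alone, is rejected by the public check, which is what distinguishes a joint signature from two independent ones.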
13.9 A user who produces a signature with s = 0 is inadvertently revealing his or her private key x via the relationship:
$s = 0 = k^{-1}[H(m) + xr] \bmod q \;\Rightarrow\; x = \frac{-H(m)}{r} \bmod q$
13.10 A user's private key is compromised if k is discovered.
13.11 a. Note that at the start of step 4, $z \equiv b^{2^j m} \pmod w$. The idea underlying this algorithm is that if $(b^m \bmod w) \neq 1$ and $w = 1 + 2^a m$ is prime, the sequence of values
$b^m \bmod w,\; b^{2m} \bmod w,\; b^{4m} \bmod w,\; \ldots$
will end with 1, and the value just preceding the first appearance of 1 will be w - 1. Why? Because, if w is prime, then if we have $z^2 \bmod w = 1$, then we have $z^2 \equiv 1 \pmod w$. And if that is true, then $z \equiv \pm 1 \pmod w$, i.e., z = 1 or z = (w - 1). z was not 1 on the preceding step, because we are looking at the first appearance of 1, so we must have z = (w - 1). On the other hand, if we reach a point where z = 1, and z was not equal to (w - 1) on the preceding step, then we know that w is not prime.
b. This algorithm is a simplified version of the Miller-Rabin algorithm. In both cases, a test variable is repeatedly squared and computed modulo the possible prime, and the possible prime fails if a value of 1 is encountered that was not preceded by w - 1.
13.12 The signer must be careful to generate the values of k in an unpredictable manner, so that the scheme is not compromised.
13.13 a. If Algorithm 1 returns the value g, then we see that $g^q \equiv 1 \pmod p$. Thus, ord(g) divides q. Because q is prime, this implies that ord(g) ∈ {1, q}. However, because g ≠ 1, we have that ord(g) ≠ 1, and so it must be that ord(g) = q.
b. If Algorithm 2 returns the value g, then we see that
$g^q \equiv \left(h^{(p-1)/q}\right)^q \equiv h^{p-1} \equiv 1 \pmod p$. Thus, ord(g) divides q. Because q is prime, this implies that ord(g) ∈ {1, q}. However, because g ≠ 1, we have that ord(g) ≠ 1, and so it must be that ord(g) = q.
c. Algorithm 1 works by choosing elements of $Z_p^*$ until it finds one of order q. Since q divides p - 1, $Z_p^*$ contains exactly $\varphi(q) = q - 1$ elements of order q. Thus, the probability that $g \in Z_p^*$ has order q is (q - 1)/(p - 1). When p = 40193 and q = 157 this probability is 156/40192. So, we expect Algorithm 1 to make 40192/156 ≈ 258 loop iterations.
d. No. If p is 1024 bits and q is 160 bits, then we expect Algorithm 1 to require $(p - 1)/(q - 1) \approx 2^{1024}/2^{160} = 2^{864}$ loop iterations.
e. Algorithm 2 will fail to find a generator in its first loop iteration only if $1 \equiv h^{(p-1)/q} \pmod p$. This implies that ord(h) divides (p - 1)/q. Thus, the number of bad choices for h is the number of elements of $Z_p^*$ with order dividing (p - 1)/q:
$\sum_{d \mid (p-1)/q} \varphi(d)$
This sum is equal to (p - 1)/q. Thus, the desired probability is:
$1 - \frac{(p-1)/q}{p-1} = 1 - \frac{1}{q} = \frac{q-1}{q} = \frac{156}{157} \approx 0.994$
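The two generator-finding algorithms of Problem 13.13 with p = 40193 and q = 157, plus a toy DSA over the resulting group that exhibits the private-key leaks of Problems 13.9, 13.10 and 13.12, as an added example that is not code from the solutions manual. The private key x = 42 and the "hash" values are constructed small integers standing in for H(m), and the recovery from a reused k goes one step beyond the manual's answer to 13.12 by working out exactly how k, and then x, fall out of two signatures.

```python
# Added example: Algorithms 1 and 2 of Problem 13.13 and DSA key leaks
# (Problems 13.9, 13.10, 13.12). Not from the solutions manual.
import random

P, Q = 40193, 157                 # q | p-1: 40192 = 157 * 256


def inv(a, m):
    """Modular inverse for prime m."""
    return pow(a % m, m - 2, m)


def algorithm1(rng):
    """Draw g from Z_p^* until g != 1 and g^q = 1 mod p. Returns (g, tries)."""
    tries = 0
    while True:
        tries += 1
        g = rng.randrange(2, P)
        if pow(g, Q, P) == 1:
            return g, tries


def algorithm2(rng):
    """Draw h, set g = h^((p-1)/q); keep it unless g = 1. Returns (g, tries)."""
    tries = 0
    while True:
        tries += 1
        h = rng.randrange(2, P)
        g = pow(h, (P - 1) // Q, P)
        if g != 1:
            return g, tries


def order(g):
    """Multiplicative order of g in Z_p^* (fine for p this small)."""
    k, v = 1, g
    while v != 1:
        v = v * g % P
        k += 1
    return k


def sign(x, hm, k, g):
    """DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    r = pow(g, k, P) % Q
    s = inv(k, Q) * (hm + x * r) % Q
    return r, s


def verify(y, hm, sig, g):
    r, s = sig
    w = inv(s, Q)
    u1, u2 = hm * w % Q, r * w % Q
    return (pow(g, u1, P) * pow(y, u2, P) % P) % Q == r


def x_from_zero_s(hm, r):
    """Problem 13.9: s = 0 means H(m) + x r = 0 mod q, so x = -H(m)/r."""
    return (-hm) * inv(r, Q) % Q


def x_from_known_k(hm, sig, k):
    """Problem 13.10: x = (s k - H(m)) / r mod q."""
    r, s = sig
    return (s * k - hm) * inv(r, Q) % Q


def x_from_reused_k(hm1, sig1, hm2, sig2):
    """Problem 13.12: same k twice gives the same r, and
    s1 - s2 = k^-1 (H1 - H2), so k = (H1 - H2)/(s1 - s2) mod q."""
    (r, s1), (_, s2) = sig1, sig2
    k = (hm1 - hm2) * inv((s1 - s2) % Q, Q) % Q
    return x_from_known_k(hm1, sig1, k)


if __name__ == "__main__":
    rng = random.Random(2024)                       # seeded for repeatability
    g, tries = algorithm1(rng)
    print(f"Algorithm 1: g = {g}, order {order(g)}, after {tries} tries")
    g2, tries2 = algorithm2(rng)
    print(f"Algorithm 2: g = {g2}, order {order(g2)}, after {tries2} tries")
    x, k = 42, 17
    sig_a, sig_b = sign(x, 100, k, g), sign(x, 55, k, g)
    print("x recovered from reused k:", x_from_reused_k(100, sig_a, 55, sig_b))
```

Over many seeds Algorithm 1 averages about 258 draws while Algorithm 2 almost always succeeds on the first, matching parts (c) and (e); the nonce attacks are the reason deployed implementations derive k deterministically from the key and message (RFC 6979) or reject any signature with r = 0 or s = 0.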
13.14 a. To verify the signature, the user verifies that $(g^Z)^h = g^M \bmod p$.
b. To forge the signature of a message, I find its hash h. Then I calculate Y to satisfy $Yh \equiv 1 \bmod (p - 1)$. Now $g^{Yh} = g$, so $g^{MYh} = g^M \bmod p$. Hence $(h, g^{MY})$ is a valid signature and the opponent can calculate $g^{MY}$ as $(g^M)^Y$.
13.15 a. The receiver validates the digital signature by ensuring that the first 56-bit key in the signature will encipher validation parameter $u_1$ into $E(k_1, u_1)$ if the first bit of M is 0, or that it will encipher $v_1$ into $E(K_1, v_1)$ if the first bit of M is 1; the second 56-bit key in the signature will encipher validation parameter $u_2$ into $E(k_2, u_2)$ if the second bit of M is 0, or it will encipher $v_2$ into $E(K_2, v_2)$ if the second bit of M is 1; and so on.
b. Only the sender, who knows the private values of $k_i$ and $K_i$ and who originally creates $g_i$ and $j_i$ from $u_i$ and $v_i$, can disclose a key to the receiver. An opponent would have to discover the value of the secret keys from the plaintext-ciphertext pairs of the public key, which was computationally infeasible at the time that 56-bit keys were considered secure.
c. This is a one-time system, because half of the keys are revealed the first time.
d. A separate key must be included in the signature for each bit of the message, resulting in a huge digital signature.
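The one-time signature of Problem 13.15 in its modern hash-based form, as an added example that is not code from the solutions manual: where the problem reveals one of two 56-bit DES keys per message bit, this version reveals one of two random 256-bit secrets whose SHA-256 images are the public key (a stand-in for the (u_i, E(k_i, u_i)) pairs). The `forge` function makes part (c) concrete by collecting the secrets exposed across several signatures under one key.

```python
# Added example: Lamport-style one-time signature (Problem 13.15).
# Not from the solutions manual; SHA-256 replaces the 56-bit DES keys.
import hashlib
import secrets


def H(data):
    return hashlib.sha256(data).digest()


def keygen(nbits, rng=secrets.token_bytes):
    """Private key: one secret per (bit position, bit value).
    Public key: the hash of each secret (the 'validation parameters')."""
    sk = [(rng(32), rng(32)) for _ in range(nbits)]      # (for 0, for 1)
    pk = [(H(s0), H(s1)) for s0, s1 in sk]
    return sk, pk


def bits(m, nbits):
    return [(m >> i) & 1 for i in range(nbits)]


def sign(sk, m):
    """Reveal, for every bit of m, the secret matching that bit (part d:
    one 32-byte value per message bit, so the signature is huge)."""
    return [sk[i][b] for i, b in enumerate(bits(m, len(sk)))]


def verify(pk, m, sig):
    """Part (a): each revealed secret must hash to the published value
    chosen by the corresponding message bit."""
    if len(sig) != len(pk):
        return False
    return all(H(s) == pk[i][b]
               for i, (b, s) in enumerate(zip(bits(m, len(pk)), sig)))


def forge(pk, seen, target):
    """Part (c): given (message, signature) pairs already published under
    pk, assemble a signature on target if every needed secret was exposed;
    otherwise return None."""
    revealed = {}
    for m, sig in seen:
        for i, (b, s) in enumerate(zip(bits(m, len(pk)), sig)):
            revealed[(i, b)] = s
    try:
        return [revealed[(i, b)] for i, b in enumerate(bits(target, len(pk)))]
    except KeyError:
        return None


if __name__ == "__main__":
    sk, pk = keygen(8)
    s1 = sign(sk, 0xA5)
    print("valid:", verify(pk, 0xA5, s1), " tampered:", verify(pk, 0xA4, s1))
    print("forge after one use:", forge(pk, [(0xA5, s1)], 0xFF) is not None)
    s2 = sign(sk, 0x5A)
    f = forge(pk, [(0xA5, s1), (0x5A, s2)], 0xFF)
    print("forge after two uses:", f is not None and verify(pk, 0xFF, f))
```

Signing 0xA5 and then its complement 0x5A exposes both secrets of every position, after which any 8-bit message can be signed by the attacker; a single signature already exposes half of the key, which is exactly the statement in part (c).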
CHAPTER 14
AUTHENTICATION APPLICATIONS

ANSWERS TO QUESTIONS

14.1 The problem that Kerberos addresses is this: Assume an open distributed environment in which users at workstations wish to access services on servers distributed throughout the network. We would like for servers to be able to restrict access to authorized users and to be able to authenticate requests for service. In this environment, a workstation cannot be trusted to identify its users correctly to network services.
14.2 1. A user may gain access to a particular workstation and pretend to be another user operating from that workstation. 2. A user may alter the network address of a workstation so that the requests sent from the altered workstation appear to come from the impersonated workstation. 3. A user may eavesdrop on exchanges and use a replay attack to gain entrance to a server or to disrupt operations.
14.3 1. Rely on each individual client workstation to assure the identity of its user or users and rely on each server to enforce a security policy based on user identification (ID). 2. Require that client systems authenticate themselves to servers, but trust the client system concerning the identity of its user. 3. Require the user to prove identity for each service invoked. Also require that servers prove their identity to clients.
14.4 Secure: A network eavesdropper should not be able to obtain the necessary information to impersonate a user. More generally, Kerberos should be strong enough that a potential opponent does not find it to be the weak link. Reliable: For all services that rely on Kerberos for access control, lack of availability of the Kerberos service means lack of availability of the supported services. Hence, Kerberos should be highly reliable and should employ a distributed server architecture, with one system able to back up another. Transparent: Ideally, the user should not be aware that authentication is taking place, beyond the requirement to enter a password. Scalable: The system should be capable of supporting large numbers of clients and servers. This suggests a modular, distributed architecture.
14.5 A full-service Kerberos environment consists of a Kerberos server, a number of clients, and a number of application servers.
14.6 A realm is an environment in which: 1. The Kerberos server must have the user ID (UID) and hashed password of all participating users in its database. All users are registered with the Kerberos server. 2. The Kerberos server must share a secret key with each server. All servers are registered with the Kerberos server.
14.7 Version 5 overcomes some environmental shortcomings and some technical deficiencies in Version 4.
14.8 X.509 defines a framework for the provision of authentication services by the X.500 directory to its users. The directory may serve as a repository of public-key certificates. Each certificate contains the public key of a user and is signed with the private key of a trusted certification authority. In addition, X.509 defines alternative authentication protocols based on the use of public-key certificates.
14.9 A chain of certificates consists of a sequence of certificates created by different certification authorities (CAs) in which each successive certificate is a certificate by one CA that certifies the public key of the next CA in the chain.
14.10 The CA that issued a certificate can revoke it before its scheduled expiration by listing it in a certificate revocation list (CRL), which the CA signs and posts in the directory; a CRL may revoke one or more certificates.
ANSWERS TO PROBLEMS

14.1 An error in $C_1$ affects $P_1$ because the decryption of $C_1$ is XORed with IV to produce $P_1$. Both $C_1$ and $P_1$ affect $P_2$, which is the XOR of the decryption of $C_2$ with the XOR of $C_1$ and $P_1$. Beyond that, $P_{N-1}$ is one of the XORed inputs to forming $P_N$.
14.2 Let us consider the case of the interchange of $C_1$ and $C_2$. The argument will be the same for any other adjacent pair of ciphertext blocks. First, if $C_1$ and $C_2$ arrive in the proper order:
$P_1 = D[K, C_1] \oplus IV$
$P_2 = D[K, C_2] \oplus C_1 \oplus P_1 = D[K, C_2] \oplus C_1 \oplus D[K, C_1] \oplus IV$
$P_3 = D[K, C_3] \oplus C_2 \oplus P_2 = D[K, C_3] \oplus C_2 \oplus D[K, C_2] \oplus C_1 \oplus D[K, C_1] \oplus IV$
Now suppose that $C_1$ and $C_2$ arrive in the reverse order. Let us refer to the decrypted blocks as $Q_i$.
$Q_1 = D[K, C_2] \oplus IV$
$Q_2 = D[K, C_1] \oplus C_2 \oplus Q_1 = D[K, C_1] \oplus C_2 \oplus D[K, C_2] \oplus IV$
$Q_3 = D[K, C_3] \oplus C_1 \oplus Q_2 = D[K, C_3] \oplus C_1 \oplus D[K, C_1] \oplus C_2 \oplus D[K, C_2] \oplus IV$
The result is that $Q_1 \neq P_1$; $Q_2 \neq P_2$; but $Q_3 = P_3$. Subsequent blocks are clearly unaffected.
14.3 The problem has a simple fix, namely the inclusion of the name of B in the signed information for the third message, so that the third message now reads:
A → B: A{$r_B$, B}
14.4 Taking the eth root mod n of a ciphertext block will always reveal the plaintext, no matter what the values of e and n are. In general this is a very difficult problem, and indeed is the reason why RSA is secure. The point is that, if e is too small, then taking the normal integer eth root will be the same as taking the eth root mod n, and taking integer eth roots is relatively easy.
CHAPTER 15
ELECTRONIC MAIL SECURITY

ANSWERS TO QUESTIONS
15.1 Authentication, confidentiality, compression, e-mail compatibility, and segmentation
15.2 A detached signature is useful in several contexts. A user may wish to maintain a separate signature log of all messages sent or received. A detached signature of an executable program can detect subsequent virus infection. Finally, detached signatures can be used when more than one party must sign a document, such as a legal contract. Each person's signature is independent and therefore is applied only to the document. Otherwise, signatures would have to be nested, with the second signer signing both the document and the first signature, and so on.
15.3 a. It is preferable to sign an uncompressed message so that one can store only the uncompressed message together with the signature for future verification. If one signed a compressed document, then it would be necessary either to store a compressed version of the message for later verification or to recompress the message when verification is required. b. Even if one were willing to generate dynamically a recompressed message for verification, PGP's compression algorithm presents a difficulty. The algorithm is not deterministic; various implementations of the algorithm achieve different tradeoffs in running speed versus compression ratio and, as a result, produce different compressed forms. However, these different compression algorithms are interoperable because any version of the algorithm can correctly decompress the output of any other version. Applying the hash function and signature after compression would constrain all PGP implementations to the same version of the compression algorithm.
15.4 R64 converts a raw 8-bit binary stream to a stream of printable ASCII characters. Each group of three octets of binary data is mapped into four ASCII characters.
15.5 When PGP is used, at least part of the block to be transmitted is encrypted. If only the signature service is used, then the message digest is encrypted (with the sender's private key). If the confidentiality service is used, the message plus signature (if present) are encrypted (with a one-time symmetric key). Thus, part or all of the resulting block consists of a stream of arbitrary 8-bit octets. However, many electronic mail systems only permit the use of blocks consisting of ASCII text.
15.6 E-mail facilities often are restricted to a maximum message length.
15.7 PGP includes a facility for assigning a level of trust to individual signers and to keys.
15.8 RFC 822 defines a format for text messages that are sent using electronic mail.
15.9 MIME is an extension to the RFC 822 framework that is intended to address some of the problems and limitations of the use of SMTP (Simple Mail Transfer Protocol) or some other mail transfer protocol and RFC 822 for electronic mail.
15.10 S/MIME (Secure/Multipurpose Internet Mail Extension) is a security enhancement to the MIME Internet e-mail format standard, based on technology from RSA Data Security.
ANSWERS TO PROBLEMS
15.1 CFB avoids the need to add and strip padding.
15.2 This is just another form of the birthday paradox discussed in Appendix 11A. Let us state the problem as one of determining what number of session keys must be generated so that the probability of a duplicate is greater than 0.5. From Equation (11.6) in Appendix 11A, we have the approximation:

For a 128-bit key, there are $2^{128}$ possible keys. Therefore

15.3 Again, we are dealing with a birthday-paradox phenomenon. We need to calculate the value for:
P(n, k) = Pr[at least one duplicate in k items, with each item able to take on one of n equally likely values between 1 and n]
In this case, k = N and n = $2^{64}$. Using equation (11.5) of Appendix 11A:

$P(2^{64}, N) = 1 - \frac{(2^{64})!}{(2^{64} - N)!\,(2^{64})^{N}} > 1 - e^{-N(N-1)/2^{65}}$
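Both 15.2 and 15.3 end at a formula rather than a number. The Python below is an added example, not part of the solutions manual: it takes the exponential lower bound from 15.3, $P(n, k) > 1 - e^{-k(k-1)/2n}$, and solves it for the smallest $k$ at which the bound passes a chosen probability, which is $k(k-1) > -2n\ln(1-p)$. The two wrapper functions apply it to the page's own cases, $n = 2^{128}$ session keys (15.2) and $n = 2^{64}$ key IDs (15.3). The function and variable names are this example's, and the arithmetic is kept in integers so that it stays exact for $n = 2^{128}$, where floating-point steps of one key are far below the precision of a double.

```python
import math


def duplicate_prob_bound(n: int, k: int) -> float:
    """Lower bound 1 - e^{-k(k-1)/2n} on P(n, k), the form used in 15.3."""
    return 1.0 - math.exp(-k * (k - 1) / (2.0 * n))


def birthday_threshold(n: int, p: float = 0.5) -> int:
    """Smallest k for which the bound exceeds p, i.e. k(k-1) > -2n ln(1-p).

    math.isqrt gives an exact integer starting point; the two loops correct it
    by at most a step or two, comparing big integers against the float target
    (Python compares int and float exactly, so no precision is lost for huge n).
    """
    target = -2.0 * n * math.log(1.0 - p)
    k = math.isqrt(int(target)) + 1
    while k > 1 and (k - 1) * (k - 2) > target:
        k -= 1
    while k * (k - 1) <= target:
        k += 1
    return k


def pgp_session_keys() -> int:
    """15.2: how many 128-bit session keys until P(duplicate) > 0.5."""
    return birthday_threshold(2 ** 128)


def pgp_key_ids() -> int:
    """15.3: how many keys N until two 64-bit key IDs collide with P > 0.5."""
    return birthday_threshold(2 ** 64)
```

For n = 365 the function returns 23, the classic birthday figure, which confirms that the bound is tight enough to use. For 64-bit key IDs the threshold is roughly $5 \times 10^{9}$ keys, and for 128-bit session keys roughly $2.2 \times 10^{19}$; both are about $1.18\sqrt{n}$, since $\sqrt{2 \ln 2} \approx 1.177$.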
15.4 a. Not at all. The message digest is encrypted with the sender's private key. Therefore, anyone in possession of the public key can decrypt it and recover the entire message digest.
b. The probability that a message digest decrypted with the wrong key would have an exact match in the first 16 bits with the original message digest is $2^{-16}$.
15.5 We trust this owner, but that does not necessarily mean that we can trust that we are in possession of that owner's public key.
15.6 It certainly provides more security than a monoalphabetic substitution. Because we are treating the plaintext as a string of bits and encrypting 6 bits at a time, we are not encrypting individual characters. Therefore, the frequency information is lost, or at least significantly obscured.
15.7 DES is unsuitable because of its short key size. Two-key triple DES, which has a key length of 112 bits, is suitable. AES is also suitable.
CHAPTER 16
IP SECURITY

ANSWERS TO QUESTIONS
16.1 Secure branch office connectivity over the Internet: A company can build a secure virtual private network over the Internet or over a public WAN. This enables a business to rely heavily on the Internet and reduce its need for private networks, saving costs and network management overhead. Secure remote access over the Internet: An end user whose system is equipped with IP security protocols can make a local call to an Internet service provider (ISP) and gain secure access to a company network. This reduces the cost of toll charges for traveling employees and telecommuters. Establishing extranet and intranet connectivity with partners: IPSec can be used to secure communication with other organizations, ensuring authentication and confidentiality and providing a key exchange mechanism. Enhancing electronic commerce security: Even though some Web and electronic commerce applications have built-in security protocols, the use of IPSec enhances that security.
16.2 Access control; connectionless integrity; data origin authentication; rejection of replayed packets (a form of partial sequence integrity); confidentiality (encryption); and limited traffic flow confidentiality
16.3 A security association is uniquely identified by three parameters: Security Parameters Index (SPI): A bit string assigned to this SA and having local significance only. The SPI is carried in AH and ESP headers to enable the receiving system to select the SA under which a received packet will be processed. IP Destination Address: Currently, only unicast addresses are allowed; this is the address of the destination endpoint of the SA, which may be an end user system or a network system such as a firewall or router. Security Protocol Identifier: This indicates whether the association is an AH or ESP security association.
A security association is normally defined by the following parameters: Sequence Number Counter: A 32-bit value used to generate the Sequence Number field in AH or ESP headers, described in Section 16.3 (required for all implementations). Sequence Counter Overflow: A flag indicating whether overflow of the Sequence Number Counter should generate an auditable event and prevent further transmission of packets on this SA (required for all implementations). Anti-Replay Window: Used to determine whether an inbound AH or ESP packet is a replay, described in Section 16.3 (required for all implementations). AH Information: Authentication algorithm, keys, key lifetimes, and related parameters being used with AH (required for AH implementations). ESP Information: Encryption and authentication algorithm, keys, initialization values, key lifetimes, and related parameters being used with ESP (required for ESP implementations). Lifetime of this Security Association: A time interval or byte count after which an SA must be replaced with a new SA (and new SPI) or terminated, plus an indication of which of these actions should occur (required for all implementations). IPSec Protocol Mode: Tunnel, transport, or wildcard (required for all implementations). These modes are discussed later in this section. Path MTU: Any observed path maximum transmission unit (maximum size of a packet that can be transmitted without fragmentation) and aging variables (required for all implementations).
16.4 Transport mode provides protection primarily for upper-layer protocols. That is, transport mode protection extends to the payload of an IP packet. Tunnel mode provides protection to the entire IP packet.
16.5 A replay attack is one in which an attacker obtains a copy of an authenticated packet and later transmits it to the intended destination. The receipt of duplicate, authenticated IP packets may disrupt service in some way or may have some other undesired consequence.
16.6 1. If an encryption algorithm requires the plaintext to be a multiple of some number of bytes (e.g., the multiple of a single block for a block cipher), the Padding field is used to expand the plaintext (consisting of the Payload Data, Padding, Pad Length, and Next Header fields) to the required length. 2. The ESP format requires that the Pad Length and Next Header fields be right aligned within a 32-bit word. Equivalently, the ciphertext must be an integer multiple of 32 bits. The Padding field is used to assure this alignment. 3. Additional padding may be added to provide partial traffic flow confidentiality by concealing the actual length of the payload.
16.7 Transport adjacency: Refers to applying more than one security protocol to the same IP packet, without invoking tunneling. This approach to combining AH and ESP allows for only one level of combination; further nesting yields no added benefit since the processing is performed at one IPSec instance: the (ultimate) destination. Iterated tunneling: Refers to the application of multiple layers of security protocols effected through IP tunneling. This approach allows for multiple levels of nesting, since each tunnel can originate or terminate at a different IPSec site along the path.
16.8 ISAKMP by itself does not dictate a specific key exchange algorithm; rather, ISAKMP consists of a set of message types that enable the use of a variety of key exchange algorithms. Oakley is the specific key exchange algorithm mandated for use with the initial version of ISAKMP.
ANSWERS TO PROBLEMS
16.1 a. Immutable: Version, Internet Header Length, Total Length, Identification, Protocol (This should be the value for AH.), Source Address, Destination Address (without loose or strict source routing). None of these are changed by routers in transit.
Mutable but predictable: Destination Address (with loose or strict source routing). At each intermediate router designated in the source routing list, the Destination Address field is changed to indicate the next designated address. However, the source routing field contains the information needed for doing the MAC calculation.
Mutable (zeroed prior to ICV calculation): Type of Service (TOS), Flags, Fragment Offset, Time to Live (TTL), Header Checksum. TOS may be altered by a router to reflect a reduced service. Flags and Fragment Offset are altered if a router performs fragmentation. TTL is decreased at each router. The Header Checksum changes if any of these other fields change.
b. Immutable: Version, Payload Length, Next Header (This should be the value for AH.), Source Address, Destination Address (without Routing Extension Header)
Mutable but predictable: Destination Address (with Routing Extension Header)
Mutable (zeroed prior to ICV calculation): Class, Flow Label, Hop Limit
c. IPv6 options in the Hop-by-Hop and Destination Extension Headers contain a bit that indicates whether the option might change (unpredictably) during transit.
Mutable but predictable: Routing
Not Applicable: Fragmentation occurs after outbound IPSec processing and reassembly occurs before inbound IPSec processing, so the Fragmentation Extension Header, if it exists, is not seen by IPSec.
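The IPv4 classification in 16.1(a) determines what the AH sender and receiver actually feed into the ICV. The Python below is an added example, not the manual's or any IPsec stack's code: it builds a base 20-byte IPv4 header, zeroes exactly the fields listed as mutable (TOS, Flags, Fragment Offset, TTL, Header Checksum) and computes an HMAC-SHA-1 truncated to 96 bits over the result, the way AH's HMAC-SHA-1-96 does. It then shows that a header as sent and the same header after a router has decremented TTL, rewritten TOS and recomputed the checksum produce the same ICV, while a changed destination address does not. It assumes no IP options and no source routing (so the Destination Address is immutable), and it omits the AH header's own fields from the ICV input; the key, addresses and payload are constructed values.

```python
import hashlib
import hmac
import struct


def ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement checksum over a header whose checksum field is zero."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl, tos=0, ident=0x1234, flags_frag=0x4000,
                      proto=51, total_len=64) -> bytes:
    """Constructed 20-byte IPv4 header without options; protocol 51 is AH."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, ident, flags_frag,
                      ttl, proto, 0, bytes(src), bytes(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def zero_mutable_fields(hdr: bytes) -> bytes:
    """Apply the 16.1(a) classification before ICV calculation.

    Assumes a base header (no options, no source routing), so only the five
    mutable fields are zeroed and the Destination Address is left as is.
    """
    assert len(hdr) == 20 and hdr[0] >> 4 == 4, "base IPv4 header only"
    h = bytearray(hdr)
    h[1] = 0                  # Type of Service
    h[6:8] = b"\x00\x00"      # Flags + Fragment Offset
    h[8] = 0                  # Time to Live
    h[10:12] = b"\x00\x00"    # Header Checksum
    return bytes(h)


def ah_icv(key: bytes, hdr: bytes, payload: bytes) -> bytes:
    """HMAC-SHA-1-96 over the immutable view of the IP header plus the payload.
    (AH header fields other than the ICV would also be covered; omitted here.)"""
    return hmac.new(key,
                    zero_mutable_fields(hdr) + payload,
                    hashlib.sha1).digest()[:12]


# constructed sample values
KEY = b"constructed-ah-key"
PAYLOAD = b"constructed payload bytes"
SRC, DST = (10, 0, 0, 1), (10, 0, 0, 2)


def icv_survives_hop() -> bool:
    """Header as sent (TTL 64) versus after one router: TTL 63, TOS rewritten,
    checksum recomputed. All three are mutable, so the ICVs must agree."""
    sent = build_ipv4_header(SRC, DST, ttl=64)
    after_hop = build_ipv4_header(SRC, DST, ttl=63, tos=0x10)
    return ah_icv(KEY, sent, PAYLOAD) == ah_icv(KEY, after_hop, PAYLOAD)


def icv_detects_address_change() -> bool:
    """Destination Address is immutable: altering it must change the ICV."""
    sent = build_ipv4_header(SRC, DST, ttl=64)
    redirected = build_ipv4_header(SRC, (10, 0, 0, 9), ttl=64)
    return ah_icv(KEY, sent, PAYLOAD) != ah_icv(KEY, redirected, PAYLOAD)
```

The receiver performs the same zeroing on the header it actually received, which is why the fields have to be predictable or zeroed rather than merely "usually unchanged": any field a router may legitimately rewrite that is not in this list would cause every packet to fail integrity checking.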
16.2 From RFC 2401:

IPv4 Header Fields      Outer Header at Encapsulator      Inner Header at Decapsulator
version                 4 (1)                             no change
header length           constructed                       no change
TOS                     copied from inner header (5)      no change
total length            constructed                       no change
ID                      constructed                       no change
Flags                   constructed, DF (4)               no change
Fragment offset         constructed                       no change
TTL                     constructed                       decrement (2)
protocol                AH, ESP, routing header           no change
checksum                constructed                       no change
source address          constructed (3)                   no change
destination address     constructed (3)                   no change
options                 never copied                      no change

IPv6 Header Fields      Outer Header at Encapsulator      Inner Header at Decapsulator
version                 6 (1)                             no change
class                   copied or configured (6)          no change
flow id                 copied or configured              no change
length                  constructed                       no change
next header             AH, ESP, routing header           no change
hop count               constructed (2)                   decrement (2)
source address          constructed (3)                   no change
dest address            constructed (3)                   no change
extension headers       never copied                      no change

1. The IP version in the encapsulating header can be different from the value in the inner header.
2. The TTL in the inner header is decremented by the encapsulator prior to forwarding and by the decapsulator if it forwards the packet.
3. src and dest addresses depend on the SA, which is used to determine the dest address, which in turn determines which src address (net interface) is used to forward the packet.
4. configuration determines whether to copy from the inner header (IPv4 only), clear or set the DF.
5. If Inner Hdr is IPv4, copy the TOS. If Inner Hdr is IPv6, map the Class to TOS.
6. If Inner Hdr is IPv6, copy the Class. If Inner Hdr is IPv4, map the TOS to Class.
16.3 We show the results for IPv4; IPv6 is similar.
16.4 This order of processing facilitates rapid detection and rejection of replayed or bogus packets by the receiver, prior to decrypting the packet, hence potentially reducing the impact of denial of service attacks. It also allows for the possibility of parallel processing of packets at the receiver, i.e., decryption can take place in parallel with authentication.
16.5 a. The Aggressive Exchange type.
b. The Oakley fields map onto ISAKMP payloads as follows:

Oakley field(s)           ISAKMP payload
(CKY_I, CKY_R)            HDR
(OK_KEYX)                 HDR
(GRP)                     P
(g^x, g^y)                KE
(EHAO, EHAS)              T
(NIDP)                    HDR
(ID_I, ID_R)              ID
(N_I, N_R)                NONCE
(S_KI[X], S_KR[X])        SIG
CHAPTER 17
WEB SECURITY

ANSWERS TO QUESTIONS
17.1 The advantage of using IPSec (Figure 17.1a) is that it is transparent to end users and applications and provides a general-purpose solution. Further, IPSec includes a filtering capability so that only selected traffic need incur the overhead of IPSec processing. The advantage of using SSL is that it makes use of the reliability and flow control mechanisms of TCP. The advantage of application-specific security services (Figure 17.1c) is that the service can be tailored to the specific needs of a given application.
17.2 SSL handshake protocol; SSL change cipher spec protocol; SSL alert protocol; SSL record protocol.
17.3 Connection: A connection is a transport (in the OSI layering model definition) that provides a suitable type of service. For SSL, such connections are peer-to-peer relationships. The connections are transient. Every connection is associated with one session. Session: An SSL session is an association between a client and a server. Sessions are created by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which can be shared among multiple connections. Sessions are used to avoid the expensive negotiation of new security parameters for each connection.
17.4 Session identifier: An arbitrary byte sequence chosen by the server to identify an active or resumable session state. Peer certificate: An X509.v3 certificate of the peer. Compression method: The algorithm used to compress data prior to encryption. Cipher spec: Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a hash algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic attributes such as the hash_size. Master secret: 48-byte secret shared between the client and server. Is resumable: A flag indicating whether the session can be used to initiate new connections.
17.5 Server and client random: Byte sequences that are chosen by the server and client for each connection. Server write MAC secret: The secret key used in MAC operations on data sent by the server. Client write MAC secret: The secret key used in MAC operations on data sent by the client. Server write key: The conventional encryption key for data encrypted by the server and decrypted by the client. Client write key: The conventional encryption key for data encrypted by the client and decrypted by the server. Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV) is maintained for each key. This field is first initialized by the SSL Handshake Protocol. Thereafter the final ciphertext block from each record is preserved for use as the IV with the following record. Sequence numbers: Each party maintains separate sequence numbers for transmitted and received messages for each connection. When a party sends or receives a change cipher spec message, the appropriate sequence number is set to zero. Sequence numbers may not exceed $2^{64} - 1$.
17.6 Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads. Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC).
17.7 Fragmentation; compression; add MAC; encrypt; append SSL record header.
17.8 Cardholder: In the electronic environment, consumers and corporate purchasers interact with merchants from personal computers over the Internet. A cardholder is an authorized holder of a payment card (e.g., MasterCard, Visa) that has been issued by an issuer. Merchant: A merchant is a person or organization that has goods or services to sell to the cardholder. Typically, these goods and services are offered via a Web site or by electronic mail. A merchant that accepts payment cards must have a relationship with an acquirer. Issuer: This is a financial institution, such as a bank, that provides the cardholder with the payment card. Typically, accounts are applied for and opened by mail or in person. Ultimately, it is the issuer that is responsible for the payment of the debt of the cardholder. Acquirer: This is a financial institution that establishes an account with a merchant and processes payment card authorizations and payments. Merchants will usually accept more than one credit card brand but do not want to deal with multiple bankcard associations or with multiple individual issuers. The acquirer provides authorization to the merchant that a given card account is active and that the proposed purchase does not exceed the credit limit. The acquirer also provides electronic transfer of payments to the merchant's account. Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for electronic funds transfer. Payment gateway: This is a function operated by the acquirer or a designated third party that processes merchant payment messages. The payment gateway interfaces between SET and the existing bankcard payment networks for authorization and payment functions. The merchant exchanges SET messages with the payment gateway over the Internet, while the payment gateway has some direct or network connection to the acquirer's financial processing system. Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key certificates for cardholders, merchants, and payment gateways. The success of SET will depend on the existence of a CA infrastructure available for this purpose. As was discussed in previous chapters, a hierarchy of CAs is used, so that participants need not be directly certified by a root authority.
17.9 A dual signature is used to sign two concatenated documents each with its own hash code. The purpose of the dual signature is to link two messages that are intended for two different recipients. In this case, the customer wants to send the order information (OI) to the merchant and the payment information (PI) to the bank. The merchant does not need to know the customer's credit card number, and the bank does not need to know the details of the customer's order.
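The linkage property described in 17.9 is easiest to see with the two verification paths side by side. The Python below is an added example, not the manual's or SET's code: the customer computes PIMD = H(PI), OIMD = H(OI) and signs H(PIMD || OIMD); the merchant receives OI together with PIMD and the signature, the bank receives PI together with OIMD and the signature, and each can verify the dual signature without ever seeing the other party's document. The signing primitive is textbook RSA over a bare digest with a constructed key (two Mersenne primes, no padding), used only so that the example runs with the standard library; it is not a secure signature scheme. The order and payment strings are constructed sample data, and `pow(e, -1, m)` requires Python 3.8 or later.

```python
import hashlib

# Constructed signing key for the customer: textbook RSA, no padding.
# Illustration only; never sign bare digests with unpadded RSA in practice.
P, Q = 2 ** 31 - 1, 2 ** 61 - 1       # both are Mersenne primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # modular inverse, Python 3.8+


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def sign(digest: bytes) -> int:
    """E(PR_c, digest) in the text's notation: (digest mod N)^D mod N."""
    return pow(int.from_bytes(digest, "big") % N, D, N)


def verify(digest: bytes, sig: int) -> bool:
    return pow(sig, E, N) == int.from_bytes(digest, "big") % N


def dual_signature(oi: bytes, pi: bytes):
    """Customer side. Returns the message for the merchant and the one for the bank."""
    pimd, oimd = h(pi), h(oi)
    ds = sign(h(pimd + oimd))             # DS = E(PR_c, H(PIMD || OIMD))
    to_merchant = {"OI": oi, "PIMD": pimd, "DS": ds}   # merchant never sees PI
    to_bank = {"PI": pi, "OIMD": oimd, "DS": ds}       # bank never sees OI
    return to_merchant, to_bank


def merchant_verifies(msg) -> bool:
    """Merchant recomputes OIMD from the OI it holds and uses the PIMD it was sent."""
    return verify(h(msg["PIMD"] + h(msg["OI"])), msg["DS"])


def bank_verifies(msg) -> bool:
    """Bank recomputes PIMD from the PI it holds and uses the OIMD it was sent."""
    return verify(h(h(msg["PI"]) + msg["OIMD"]), msg["DS"])


# constructed sample documents
OI = b"order: 2 x widget, ship to Alice"
PI = b"card=<constructed-PAN> exp=12/29 amount=42.00"


def demo():
    """Returns (merchant ok, bank ok, merchant ok on a tampered order)."""
    to_merchant, to_bank = dual_signature(OI, PI)
    tampered = dict(to_merchant, OI=b"order: 200 x widget, ship to Mallory")
    return (merchant_verifies(to_merchant),
            bank_verifies(to_bank),
            merchant_verifies(tampered))
```

Because the signature covers H(PIMD || OIMD), the bank can later confirm from the merchant's copy of OIMD that the payment it authorized belongs to that specific order, and neither party can substitute a different document without invalidating the one signature both of them hold.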
ANSWERS TO PROBLEMS
17.1 The change cipher spec protocol exists to signal transitions in ciphering strategies, and can be sent independent of the complete handshake protocol exchange.
17.2 a. Brute Force Cryptanalytic Attack: The conventional encryption algorithms use key lengths ranging from 40 to 168 bits.
b. Known Plaintext Dictionary Attack: SSL protects against this attack by not really using a 40-bit key, but an effective key of 128 bits. The rest of the key is constructed from data that is disclosed in the Hello messages. As a result the dictionary must be long enough to accommodate $2^{128}$ entries.
c. Replay Attack: This is prevented by the use of nonces.
d. Man-in-the-Middle Attack: This is prevented by the use of public-key certificates to authenticate the correspondents.
e. Password Sniffing: User data is encrypted.
f. IP Spoofing: The spoofer must be in possession of the secret key as well as the forged IP address.
g. IP Hijacking: Again, encryption protects against this attack.
h. SYN Flooding: SSL provides no protection against this attack.
17.3 SSL relies on an underlying reliable protocol to assure that bytes are not lost or inserted. There was some discussion of reengineering the future TLS protocol to work over datagram protocols such as UDP; however, most people at a recent TLS meeting felt that this was inappropriate layering (from the SSL FAQ).
CHAPTER 18
INTRUDERS

ANSWERS TO QUESTIONS
18.1 Masquerader: An individual who is not authorized to use the computer and who penetrates a system's access controls to exploit a legitimate user's account. Misfeasor: A legitimate user who accesses data, programs, or resources for which such access is not authorized, or who is authorized for such access but misuses his or her privileges. Clandestine user: An individual who seizes supervisory control of the system and uses this control to evade auditing and access controls or to suppress audit collection.
18.2 One-way encryption: The system stores only an encrypted form of the user's password. When the user presents a password, the system encrypts that password and compares it with the stored value. In practice, the system usually performs a one-way transformation (not reversible) in which the password is used to generate a key for the encryption function and in which a fixed-length output is produced. Access control: Access to the password file is limited to one or a very few accounts.
18.3 1. If an intrusion is detected quickly enough, the intruder can be identified and ejected from the system before any damage is done or any data are compromised. Even if the detection is not sufficiently timely to preempt the intruder, the sooner that the intrusion is detected, the less the amount of damage and the more quickly that recovery can be achieved. 2. An effective intrusion detection system can serve as a deterrent, so acting to prevent intrusions. 3. Intrusion detection enables the collection of information about intrusion techniques that can be used to strengthen the intrusion prevention facility.
18.4 Statistical anomaly detection involves the collection of data relating to the behavior of legitimate users over a period of time. Then statistical tests are applied to observed behavior to determine with a high level of confidence whether that behavior is not legitimate user behavior. Rule-Based Detection involves an attempt to define a set of rules that can be used to decide that a given behavior is that of an intruder.
18.5 Counter: A nonnegative integer that may be incremented but not decremented until it is reset by management action. Typically, a count of certain event types is kept over a particular period of time. Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is used to measure the current value of some entity. Interval timer: The length of time between two related events. Resource utilization: Quantity of resources consumed during a specified period.
18.6 With rule-based anomaly detection, historical audit records are analyzed to identify usage patterns and to generate automatically rules that describe those patterns. Rules may represent past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current behavior is then observed, and each transaction is matched against the set of rules to determine if it conforms to any historically observed pattern of behavior. Rule-based penetration identification uses rules for identifying known penetrations or penetrations that would exploit known weaknesses. Rules can also be defined that identify suspicious behavior, even when the behavior is within the bounds of established patterns of usage. Typically, the rules used in these systems are specific to the machine and operating system. Also, such rules are generated by "experts" rather than by means of an automated analysis of audit records.
18.7 Honeypots are decoy systems that are designed to lure a potential attacker away from critical systems.
18.8 The salt is combined with the password at the input to the one-way encryption routine.
18.9 User education: Users can be told the importance of using hard-to-guess passwords and can be provided with guidelines for selecting strong passwords. Computer-generated passwords: Users are provided passwords generated by a computer algorithm. Reactive password checking: the system periodically runs its own password cracker to find guessable passwords. The system cancels any passwords that are guessed and notifies the user. Proactive password checking: a user is allowed to select his or her own password. However, at the time of selection, the system checks to see if the password is allowable and, if not, rejects it.
ANSWERS TO PROBLEMS
18.1 Let WB equal the event {witness reports Blue cab}. Then:

$\Pr[\text{Blue} \mid WB] = \frac{\Pr[WB \mid \text{Blue}]\,\Pr[\text{Blue}]}{\Pr[WB \mid \text{Blue}]\,\Pr[\text{Blue}] + \Pr[WB \mid \text{Green}]\,\Pr[\text{Green}]} = \frac{(0.8)(0.15)}{(0.8)(0.15) + (0.2)(0.85)} \approx 0.41$

This example, or something similar, is referred to as "the juror's fallacy."
18.2 a. $T = \frac{26^{4}}{2}$ seconds = 63.5 hours
b. Expect 13 tries for each digit. $T = 13 \times 4 = 52$ seconds.
18.3 a. $p = r^{-k}$
b. $p = \frac{r^{k} - r^{p}}{r^{k+p}}$
c. $p = r^{-p}$
18.4 a. $T = (21 \times 5 \times 21)^{2} = 4{,}862{,}025$
b. $p = 1/T \approx 2 \times 10^{-7}$
18.5 There are $95^{10} \approx 6 \times 10^{19}$ possible passwords. The time required is:

$\frac{6 \times 10^{19}\ \text{passwords}}{6.4 \times 10^{6}\ \text{passwords/second}} = 9.4 \times 10^{12}\ \text{seconds} \approx 300{,}000\ \text{years}$
18.6 a. Since $PU_a$ and $PR_a$ are inverses, the value $PR_a$ can be checked to validate that $P_a$ was correctly supplied: Simply take some arbitrary block $X$ and verify that $X = D(PR_a, E[PU_a, X])$.
b. Since the file /etc/publickey is publicly readable, an attacker can guess $P$ (say $P'$) and compute $PR_a' = D(P', E[P, PR_a])$. Now he can choose an arbitrary block $Y$ and check to see if $Y = D(PR_a, E[PU_a, Y])$. If so, it is highly probable that $P' = P$. Additional blocks can be used to verify the equality.
18.7 Yes.
18.8 Without the salt, the attacker can guess a password and encrypt it. If ANY of the users on a system use that password, then there will be a match. With the salt, the attacker must guess a password and then encrypt it once for each user, using the particular salt for each user.
18.9 It depends on the size of the user population, not the size of the salt, since the attacker presumably has access to the salt for each user. The benefit of larger salts is that the larger the salt, the less likely it is that two users will have the same salt. If multiple users have the same salt, then the attacker can do one encryption per password guess to test all of those users.
18.10 a. If there is only one hash function (k = 1), which produces one of N possible hash values, and there is only one word in the dictionary, then the probability that an arbitrary bit $b_i$ is set to 1 is just $1/N$. If there are k hash functions, let us assume for simplicity that they produce k distinct hash values for a given word. This assumption only introduces a small margin of error. Then, the probability that an arbitrary bit $b_i$ is set to 1 is $k/N$. Therefore, the probability that $b_i$ is equal to 0 is $1 - k/N$. The probability that a bit is left unset after D dictionary words are processed is just the probability that each of the D transformations set other bits:

$\Pr[b_i = 0] = \left(1 - \frac{k}{N}\right)^{D}$

This can also be interpreted as the expected fraction of bits that are equal to 0.
b. A word not in the dictionary will be falsely accepted if all k bits tested are equal to 1. Now, from part (a), we can say that the expected fraction of bits in the hash table that are equal to one is $1 - \Pr[b_i = 0]$. The probability that a random word will be mapped by a single hash function onto a bit that is already set is the probability that the bit generated by the hash function is in the set of bits equal to one, which is just $1 - \Pr[b_i = 0]$. Therefore, the probability that the k hash functions applied to the word will produce k bits all of which are in the set of bits equal to one is $(1 - \Pr[b_i = 0])^{k}$.
c. We use the approximation $(1 - x) \approx e^{-x}$.
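The three parts of 18.10 can be checked against an actual filter. The Python below is an added example, not the manual's code: it builds the password-dictionary Bloom filter the problem describes with N bits and k hash functions, loads a constructed dictionary of D words, and compares the observed fraction of zero bits with part (a)'s $(1 - k/N)^D$ and the observed false-positive rate on words outside the dictionary with part (c)'s $(1 - e^{-kD/N})^k$. The text leaves the k hash functions abstract; this example constructs them as SHA-256 over an index prefix followed by the word, which is an assumption of the example. The word lists and the parameters k = 4, D = 1000, N = 10000 are constructed sample values.

```python
import hashlib
import math


class PasswordBloomFilter:
    """Bloom filter for a dictionary of D bad passwords: N bits, k hash functions."""

    def __init__(self, n_bits: int, k: int):
        self.N, self.k = n_bits, k
        self.bits = bytearray(n_bits)   # one byte per bit, for clarity
        self.D = 0

    def _indices(self, word: str):
        # Assumed construction of the k hash functions: SHA-256(index || word).
        for i in range(self.k):
            dig = hashlib.sha256(i.to_bytes(2, "big") + word.encode()).digest()
            yield int.from_bytes(dig[:8], "big") % self.N

    def add(self, word: str) -> None:
        for i in self._indices(word):
            self.bits[i] = 1
        self.D += 1

    def may_contain(self, word: str) -> bool:
        """True means 'reject this password': it is, or looks like, a dictionary word."""
        return all(self.bits[i] for i in self._indices(word))

    def zero_fraction(self) -> float:
        return self.bits.count(0) / self.N


def expected_zero_fraction(k: int, D: int, N: int) -> float:
    """Part (a): Pr[b_i = 0] = (1 - k/N)^D."""
    return (1 - k / N) ** D


def false_positive_rate(k: int, D: int, N: int) -> float:
    """Part (c): (1 - e^{-kD/N})^k, i.e. part (b) with (1 - x) ~ e^{-x}."""
    return (1 - math.exp(-k * D / N)) ** k


def run_experiment(k: int = 4, D: int = 1000, N: int = 10000) -> dict:
    bf = PasswordBloomFilter(N, k)
    dictionary = [f"badpass{i:04d}" for i in range(D)]          # constructed
    for w in dictionary:
        bf.add(w)
    probes = [f"unrelated{i:05d}" for i in range(20000)]       # not in dictionary
    observed_fp = sum(bf.may_contain(p) for p in probes) / len(probes)
    return {
        "all_dictionary_words_rejected": all(bf.may_contain(w) for w in dictionary),
        "zero_fraction_observed": bf.zero_fraction(),
        "zero_fraction_expected": expected_zero_fraction(k, D, N),
        "false_positive_observed": observed_fp,
        "false_positive_expected": false_positive_rate(k, D, N),
    }
```

With k = 4, D = 1000 and N = 10000 the expected zero fraction is $e^{-0.4} \approx 0.67$ and the predicted false-positive rate is about 1.2%; the observed values from the filter land within sampling noise of both. A Bloom filter never produces a false negative, which is the property a password checker needs: every dictionary word is rejected, and the only cost of the approximation is that some acceptable passwords are refused.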
18.11 The system enciphers files with a master system key KM, which is stored in some secure fashion. When User i attempts to read file F, the header of F is decrypted using KM and User i's read privilege is checked. If the user has read access, the file is decrypted using KM and then reencrypted using User i's key for transmission to User i. Write is handled in a similar fashion.
CHAPTER 19
MALICIOUS SOFTWARE

ANSWERS TO QUESTIONS
19.1 A virus may use compression so that the infected program is exactly the same length as an uninfected version.
19.2 A portion of the virus, generally called a mutation engine, creates a random encryption key to encrypt the remainder of the virus. The key is stored with the virus, and the mutation engine itself is altered. When an infected program is invoked, the virus uses the stored random key to decrypt the virus. When the virus replicates, a different random key is selected.
19.3 A dormant phase, a propagation phase, a triggering phase, and an execution phase
19.4 1. Search for other systems to infect by examining host tables or similar repositories of remote system addresses. 2. Establish a connection with a remote system. 3. Copy itself to the remote system and cause the copy to be run.
19.5 This system provides a general-purpose emulation and virus-detection system. The objective is to provide rapid response time so that viruses can be stamped out almost as soon as they are introduced. When a new virus enters an organization, the immune system automatically captures it, analyzes it, adds detection and shielding for it, removes it, and passes information about that virus to systems running a general antivirus program so that it can be detected before it is allowed to run elsewhere.
19.6 Behavior-blocking software integrates with the operating system of a host computer and monitors program behavior in real time for malicious actions. The behavior blocking software then blocks potentially malicious actions before they have a chance to affect the system.
19.7 A denial of service (DoS) attack is an attempt to prevent legitimate users of a service from using that service. When this attack comes from a single host or network node, then it is simply referred to as a DoS attack. A more serious threat is posed by a DDoS attack. In a DDoS attack, an attacker is able to recruit a number of hosts throughout the Internet to simultaneously or in a coordinated fashion launch an attack upon the target.
ANSWERS TO PROBLEMS
19.1 The program will loop indefinitely once all of the executable files in the system are infected.
19.2 D is supposed to examine a program P and return TRUE if P is a computer virus and FALSE if it is not. But CV calls D. If D says that CV is a virus, then CV will not infect an executable. But if D says that CV is not a virus, it infects an executable. D always returns the wrong answer.
CHAPTER 20
FIREWALLS
ANSWERS TO QUESTIONS
20.1 1. All traffic from inside to outside, and vice versa, must pass through the firewall. This is achieved by physically blocking all access to the local network except via the firewall. Various configurations are possible, as explained later in this section. 2. Only authorized traffic, as defined by the local security policy, will be allowed to pass. Various types of firewalls are used, which implement various types of security policies, as explained later in this section. 3. The firewall itself is immune to penetration. This implies the use of a trusted system with a secure operating system.
20.2 Service control: Determines the types of Internet services that can be accessed, inbound or outbound. The firewall may filter traffic on the basis of IP address and TCP port number; may provide proxy software that receives and interprets each service request before passing it on; or may host the server software itself, such as a Web or mail service. Direction control: Determines the direction in which particular service requests may be initiated and allowed to flow through the firewall. User control: Controls access to a service according to which user is attempting to access it. This feature is typically applied to users inside the firewall perimeter (local users). It may also be applied to incoming traffic from external users; the latter requires some form of secure authentication technology, such as is provided in IPSec. Behavior control: Controls how particular services are used. For example, the firewall may filter e-mail to eliminate spam, or it may enable external access to only a portion of the information on a local Web server.
20.3 Source IP address: The IP address of the system that originated the IP packet. Destination IP address: The IP address of the system the IP packet is trying to reach. Source and destination transport-level address: The transport-level (e.g., TCP or UDP) port number, which defines applications such as SMTP or TELNET. IP protocol field: Defines the transport protocol. Interface: For a router with three or more ports, which interface of the router the packet came from or which interface of the router the packet is destined for.
20.4 1. Because packet filter firewalls do not examine upper-layer data, they cannot prevent attacks that employ application-specific vulnerabilities or functions. For example, a packet filter firewall cannot block specific application commands; if a packet filter firewall allows a given application, all functions available within that application will be permitted. 2. Because of the limited information available to the firewall, the logging functionality present in packet filter firewalls is limited. Packet filter logs normally contain the same information used to make access control decisions (source address, destination address, and traffic type). 3. Most packet filter firewalls do not support advanced user authentication schemes. Once again, this limitation is mostly due to the lack of upper-layer functionality by the firewall. 4. They are generally vulnerable to attacks and exploits that take advantage of problems within the TCP/IP specification and protocol stack, such as network layer address spoofing. Many packet filter firewalls cannot detect a network packet in which the OSI Layer 3 addressing information has been altered. Spoofing attacks are generally employed by intruders to bypass the security controls implemented in a firewall platform. 5. Finally, due to the small number of variables used in access control decisions, packet filter firewalls are susceptible to security breaches caused by improper configurations. In other words, it is easy to accidentally configure a packet filter firewall to allow traffic types, sources, and destinations that should be denied based on an organization's information security policy.
20.5 A traditional packet filter makes filtering decisions on an individual packet basis and does not take into consideration any higher-layer context. A stateful inspection packet filter tightens up the rules for TCP traffic by creating a directory of outbound TCP connections, as shown in Table 20.2. There is an entry for each currently established connection. The packet filter will now allow incoming traffic to high-numbered ports only for those packets that fit the profile of one of the entries in this directory.
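Questions 20.3 and 20.5 together describe what a stateful inspection filter works from: the packet header fields and a directory of outbound TCP connections. The following is an added example, not code from the book or its solutions, that contrasts a stateless "ACK to a high-numbered port" rule with the stateful check; the field names, the stateless rule, the inside prefix 10.0.0. and the sample packets are all constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    """Header fields a packet-filtering router inspects (question 20.3);
    iface is the router interface the packet arrived on: "inside" or "outside"."""
    src_ip: str
    dst_ip: str
    proto: str        # "tcp" or "udp"
    src_port: int
    dst_port: int
    iface: str
    syn: bool = False
    ack: bool = False

def stateless_allow(pkt: Packet) -> bool:
    """Traditional packet filter: per-packet decision, no connection context.
    Constructed rule: admit inbound TCP with ACK set to high-numbered ports."""
    if pkt.iface == "inside":
        return True                       # outbound traffic is allowed
    return pkt.proto == "tcp" and pkt.ack and pkt.dst_port > 1023

class StatefulFilter:
    """Stateful inspection (question 20.5): a directory of outbound TCP
    connections; inbound packets are admitted only if they match an entry."""
    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix    # constructed: "10.0.0."
        self.connections = set()              # (in_ip, in_port, out_ip, out_port)

    def allow(self, pkt: Packet) -> bool:
        # Anti-spoofing (question 20.4, item 4): an inside source address on the
        # outside interface means the layer-3 address was forged.
        if pkt.iface == "outside" and pkt.src_ip.startswith(self.inside_prefix):
            return False
        if pkt.proto != "tcp":
            return False                      # this example tracks TCP only
        if pkt.iface == "inside":
            if pkt.syn and not pkt.ack:       # new outbound connection: record it
                self.connections.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.connections

def demo():
    """Verdicts (stateless, stateful) for four constructed packets, in order."""
    fw = StatefulFilter("10.0.0.")
    pkts = [Packet("10.0.0.5", "198.51.100.7", "tcp", 40123, 80, "inside", syn=True),
            Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40123, "outside", syn=True, ack=True),
            Packet("198.51.100.7", "10.0.0.5", "tcp", 80, 40999, "outside", ack=True),
            Packet("10.0.0.9", "10.0.0.5", "tcp", 80, 40123, "outside", ack=True)]
    return [stateless_allow(p) for p in pkts], [fw.allow(p) for p in pkts]
```

The stateless rule passes the stray ACK to port 40999 and the spoofed packet; the stateful directory admits only the reply that matches the recorded outbound connection.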
20.6 An application-level gateway, also called a proxy server, acts as a relay of application-level traffic.
20.7 A circuit-level gateway does not permit an end-to-end TCP connection; rather, the gateway sets up two TCP connections, one between itself and a TCP user on an inner host and one between itself and a TCP user on an outside host. Once the two connections are established, the gateway typically relays TCP segments from one connection to the other without examining the contents. The security function consists of determining which connections will be allowed.
20.8 In the screened host firewall, single-homed bastion configuration (Figure 20.2a), the firewall consists of two systems: a packet-filtering router and a bastion host; the latter performs authentication and proxy functions. In the single-homed configuration just described, if the packet-filtering router is completely compromised, traffic could flow directly through the router between the Internet and other hosts on the private network. The screened host firewall, dual-homed bastion configuration physically prevents such a security breach. In the screened subnet firewall configuration, two packet-filtering routers are used, one between the bastion host and the Internet and one between the bastion host and the internal network. This configuration creates an isolated subnetwork, which may consist of simply the bastion host but may also include one or more information servers and modems for dial-in capability.
20.9 A subject is an entity capable of accessing objects. Generally, the concept of subject equates with that of process. Any user or application actually gains access to an object by means of a process that represents that user or application. An object is anything to which access is controlled. Examples include files, portions of files, programs, and segments of memory.
20.10 For each object, an access control list lists users and their permitted access rights. A capability ticket specifies authorized objects and operations for a user.
20.11 No read up: A subject can only read an object of less or equal security level. No write down: A subject can only write into an object of greater or equal security level.
20.12 Complete mediation: The security rules are enforced on every access, not just, for example, when a file is opened. Isolation: The reference monitor and database are protected from unauthorized modification. Verifiability: The reference monitor's correctness must be provable. That is, it must be possible to demonstrate mathematically that the reference monitor enforces the security rules and provides complete mediation and isolation.
20.13 The Common Criteria (CC) for Information Technology and Security Evaluation is an international initiative by standards bodies in a number of countries to develop international standards for specifying security requirements and defining evaluation criteria.
ANSWERS TO PROBLEMS
20.1 It will be impossible for the destination host to complete reassembly of the packet if the first fragment is missing, and therefore the entire packet will be discarded by the destination after a time-out.
20.2 When a TCP packet is fragmented so as to force interesting header fields out of the zero-offset fragment, there must exist a fragment with FO equal to 1. If a packet with FO = 1 is seen, conversely, it could indicate the presence, in the fragment set, of a zero-offset fragment with a transport header length of eight octets. Discarding this one-offset fragment will block reassembly at the receiving host and be as effective as the direct method described above.
20.3 If the router's filtering module enforces a minimum fragment offset for fragments that have non-zero offsets, it can prevent overlaps in filter parameter regions of the transport headers.
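Problems 20.1 to 20.3 describe three fragment checks a filtering module can apply: the direct test on the zero-offset fragment, the indirect test on FO = 1, and a minimum offset for later fragments. The following is an added example, not code from the book or its solutions, that builds IPv4 fragments and applies all three; the addresses, the 16-byte TMIN and the sample fragments are constructed.

```python
import struct
from socket import inet_aton

IPPROTO_TCP, IPPROTO_UDP = 6, 17
TMIN = 16   # assumed: TCP header bytes that must sit in the zero-offset fragment
            # (the ports and flag bits end at TCP header byte 14)

def make_fragment(proto, offset, more, payload):
    """Constructed IPv4 packet (20-byte header, checksum left zero) used as test input;
    offset is in 8-octet units, as carried in the header."""
    flags_frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x4242, flags_frag,
                      64, proto, 0, inet_aton("198.51.100.7"), inet_aton("10.0.0.5"))
    return hdr + payload

def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {"proto": pkt[9], "fo": flags_frag & 0x1FFF,
            "mf": bool(flags_frag & 0x2000), "tlen": total_len - ihl}

def drop_fragment(pkt) -> bool:
    """Filtering-module check against the tiny-fragment attack (problems 20.1 to 20.3);
    returns True when the fragment should be discarded."""
    h = parse_ipv4(pkt)
    if h["proto"] != IPPROTO_TCP:
        return False
    # Direct method: the zero-offset fragment must carry the whole filterable header
    # region; a shorter one has had interesting fields pushed into a later fragment.
    if h["fo"] == 0 and h["tlen"] < TMIN:
        return True
    # Indirect method (problem 20.2): FO = 1 can only follow an 8-octet first fragment;
    # dropping it leaves the datagram incomplete, so the destination discards it (20.1).
    if h["fo"] == 1:
        return True
    # Minimum offset (problem 20.3): any non-zero offset that lands inside the header
    # region could overlap the fields the filter already checked in the first fragment.
    return 0 < h["fo"] * 8 < TMIN

def demo():
    """Verdicts for five constructed fragments, in order."""
    frags = [make_fragment(IPPROTO_TCP, 0, True, bytes(24)),   # first fragment, full TCP header
             make_fragment(IPPROTO_TCP, 0, True, bytes(8)),    # tiny first fragment: ports only
             make_fragment(IPPROTO_TCP, 1, True, bytes(16)),   # one-offset fragment
             make_fragment(IPPROTO_UDP, 1, False, bytes(16)),  # UDP: rule is TCP-specific
             make_fragment(IPPROTO_TCP, 3, False, bytes(16))]  # offset 24 octets: past the region
    return [drop_fragment(f) for f in frags]
```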
20.4 The purpose of the "no write down" rule, or *-property, is to address the problem of Trojan horse software. With the *-property, information cannot be compromised through the use of a Trojan horse. Under this property, a program operating on behalf of one user cannot be used to pass information to any user having a lower or disjoint access class.
20.5 Drake is not authorized to read the string directly, so the no-read-up rule will prevent this. Similarly, Drake is not authorized to assign a security level of sensitive to the back-pocket file, so that is prevented as well.
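The following is an added example, not code from the book or its solutions, of a reference monitor enforcing the no-read-up and no-write-down rules of question 20.11 with the complete mediation of question 20.12, run against the Trojan horse case of problem 20.4 and a Drake-style case for problem 20.5. The level names and ordering, the clearances, the file contents, the category field and the relabel rule are constructed.

```python
from dataclasses import dataclass
RANK = {"unclassified": 0, "sensitive": 1, "secret": 2}   # constructed level ordering

@dataclass(frozen=True)
class Label:
    level: str
    categories: frozenset = frozenset()   # compartments; disjoint sets give incomparable classes
    def dominates(self, other):
        return RANK[self.level] >= RANK[other.level] and self.categories >= other.categories

@dataclass
class Obj:
    name: str
    label: Label
    data: str = ""

class ReferenceMonitor:
    """Every read, write and relabel passes through here (complete mediation);
    the clearance table is private to the monitor (isolation)."""
    def __init__(self, clearances):
        self._clearance = dict(clearances)   # subject (a process acting for a user) -> Label
    def read(self, subject, obj):            # simple security property: no read up
        if not self._clearance[subject].dominates(obj.label):
            raise PermissionError(f"{subject} may not read {obj.name}")
        return obj.data
    def write(self, subject, obj, data):     # *-property: no write down
        if not obj.label.dominates(self._clearance[subject]):
            raise PermissionError(f"{subject} may not write {obj.name}")
        obj.data = data
    def relabel(self, subject, obj, new_label):   # constructed rule for problem 20.5
        if not self._clearance[subject].dominates(new_label):
            raise PermissionError(f"{subject} may not assign {new_label.level}")
        obj.label = new_label

def demo():
    """A program running for Alice (secret) tries to pass her data to Drake (unclassified);
    Drake then tries to read up and to relabel. Returns (denied operations, what Drake sees)."""
    secret = Obj("payroll", Label("secret"), "SECRET STRING")        # constructed objects
    drop = Obj("back-pocket", Label("unclassified"))
    rm = ReferenceMonitor({"alice": Label("secret"), "drake": Label("unclassified")})
    leaked = rm.read("alice", secret)                                 # allowed: read at own level
    denied = []
    for name, attempt in [("write down", lambda: rm.write("alice", drop, leaked)),
                          ("read up", lambda: rm.read("drake", secret)),
                          ("relabel", lambda: rm.relabel("drake", drop, Label("sensitive")))]:
        try:
            attempt()
        except PermissionError:
            denied.append(name)
    return denied, rm.read("drake", drop)
```

The Trojan horse can read at Alice's level but cannot write the result down, so the back-pocket file Drake is allowed to read stays empty.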