
2021 sem. 1 — IFN652 Assessment 1 Module 2


Symmetric-key Cryptography and Analysis

This assignment is worth 30 marks, plus 6 marks of extra credit (or “bonus marks”). The due date for
submission will be no earlier than 14 full days following release, as specified on the Blackboard submission site.

Submission. All answers sought in this assignment are specific solutions to individually randomised challenges.
Submit all your answers as a single ASCII text file to be uploaded via the Blackboard assignment
item named “Assignment 2”.

Your solution file must start, on the first line, with your 8-digit QUT ID number followed by a space then your
full name, as specified below.

On each subsequent line provide your answer to each question (or part thereof), making sure to follow the
exact specifications given in each question.

Your answer file must be encoded as plain text (ASCII) without extra formatting of any kind, visible or
hidden. Do not break up long lines.

I recommend you use a programmer’s editor for this assignment, e.g., something you’d use to edit the source
code of a C programme or LaTeX document; or use a general-purpose plain text editor such as nano or emacs.
Only use a rich-text editor or word processor at your own risk, if you can make absolutely certain that you
can control exactly what will be written in the file, and in particular prevent your editor from embedding
extraneous characters that you cannot see or edit.

Challenges. You must have obtained the assignment paper since you are reading it, but you also need to
download the accompanying ZIP file — challenges.zip — available on Blackboard alongside this document.
The ZIP file contains 1000 directories with names from 000 to 999. Yours is the one whose name is the last
three digits of your QUT student ID number (e.g., if your ID is 01234567, your challenge folder is 567). Be
sure to use your own folder, and include your student ID and full name in your answer file as instructed below.

0 General information about the challenges and your answer file

All the individualised practical problem solving tasks you will need to solve in this assignment are given in a
single file, named XYZ.txt within the archive, where XYZ are the last three digits of your QUT ID.

You will provide all answers for your individual challenges in a single file to be uploaded on Blackboard. Your
answer file must begin with the following line, indicating your 8-digit numeric QUT ID (include any leading 0
but exclude any letters), followed by a space then your full name as shown on your ID, in the following way:

01234567 Ms. Gwendolyn Hippolyta STUDENT

In the above and the rest of this assignment, a box surrounding one line of monospace-font text is meant to be
an example of a line of text you should include (suitably tailored to your case, of course) in your answer file.
1 Stream ciphers: linear feedback shift registers

Your challenge file contains the specification of an LFSR, given in the same format as in the following example:

Question 1 (id:XYZ)
L= 7
T= 1010011
S= 1101000

This specification designates the unique LFSR of length L= 7, with taps at positions denoted by the bit vector
T= 1100101, and initial state denoted by the bit vector S= 0001011, as per the following drawing,

out ←− | 1 | 1 | 0 | 1 | 0 | 0 | 0 | ←−
[Figure: the tapped cells are XORed together (⊕) and the result is fed back into the register on the right.]

which would then output the sequence,

out= 1 1 0 1 0 0 0 1 1 0 ...

Using your assigned LFSR (not the one above!), answer the following questions:

a. Find the first 75 bits of the sequence produced by your LFSR. Write out your answer as a single line in
your answer file, exactly in the following format (note the lowercase a and the single space in ‘1a ’):

1a 110100011000100111001010011010010111101011101110001111001100100100010101011
Marking criteria: 3 marks for an exactly correct answer; 2 marks for an answer with one single mistake;
1 mark for two mistakes; 0 mark for more mistakes or a missing answer.

b. Determine the period of the sequence produced by your LFSR from your starting state. Write out your
answer in decimal on a single line in your answer file, prefixed with ‘1b ’, as in this (fake) example:

1b 12

Marking criteria: 3 marks for a correct answer; 0 mark for an incorrect or missing answer.
c. Is the period you got the largest possible for an LFSR of that size? Do not answer that; instead, figure out
the largest possible period for an LFSR with a register of L bits, for your value of L, and write out your
answer in decimal prefixed with ‘1c ’, on a separate line in your answer file, as in this (fake) example:

1c 789
Marking criteria: 1 mark for a correct answer; 0 mark for an incorrect or missing answer.
Note that all the example answers given above are factually incorrect, but correctly formatted.
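
The following Python sketch is an added illustration, not part of the original assignment paper: it steps the example LFSR specification above and measures its period. It assumes T is read left to right against the register as drawn, with the leftmost cell as the output bit, which reproduces the sample output shown above; all function names are illustrative.

```python
def parse_lfsr(text):
    """Read the L=, T=, S= fields of a challenge block into (taps, state)."""
    fields = {}
    for line in text.splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            fields[name.strip()] = value.strip()
    length = int(fields["L"])
    taps = [int(b) for b in fields["T"]]
    state = [int(b) for b in fields["S"]]
    if len(taps) != length or len(state) != length:
        raise ValueError("T and S must both be L bits long")
    return taps, state


def step(taps, state):
    """Shift once: emit the leftmost cell, append the XOR of the tapped cells."""
    feedback = 0
    for tap, bit in zip(taps, state):
        feedback ^= tap & bit
    return state[0], state[1:] + [feedback]


def keystream(taps, state, n):
    """First n output bits as a string of 0/1 characters."""
    out = []
    for _ in range(n):
        bit, state = step(taps, state)
        out.append(str(bit))
    return "".join(out)


def period(taps, state):
    """Length of the cycle the register falls into when started from `state`."""
    seen = {}
    steps = 0
    while tuple(state) not in seen:
        seen[tuple(state)] = steps
        _, state = step(taps, state)
        steps += 1
    return steps - seen[tuple(state)]


def max_period(length):
    """An L-bit LFSR has 2^L - 1 non-zero states, which bounds any period."""
    return 2 ** length - 1


# The example specification printed above (not an individual challenge).
EXAMPLE = """Question 1 (id:XYZ)
L= 7
T= 1010011
S= 1101000"""

if __name__ == "__main__":
    taps, state = parse_lfsr(EXAMPLE)
    print("first bits:", keystream(taps, state, 10))
    print("period:", period(taps, state), "of at most", max_period(len(taps)))
```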

2 Stream ciphers: cryptanalysis

Your challenge file for this question contains two binary ciphertexts, denoted C’ and C, created using the same
stream cipher using the same key (and no IV). The ciphertexts are 48 characters long, each. You are also given
the first 32 characters of the plaintext, denoted P’, corresponding to the first of the two ciphertexts, i.e., C’.
All of this should appear as follows (albeit with different strings):

Question 2 (id:XYZ)
P’= 00110011001100110011001100110011
C’= 000000001111111100000000111111110000000011111111
C = 000011110000111100001111000011110000111100001111

a. Recover the first 32 characters of plaintext corresponding to C. Write out your answer in your answer file,
as a single line starting with ‘2a ’ followed by the 32 digits 0/1 of your answer, as such (fake values):

2a 01010011000011110000000011111111
Marking criteria: 1 mark for an exactly correct answer; 0 mark in all other cases.
b. Knowing furthermore that the keystream generator for this cipher was a single LFSR with a register of
between 5 and 10 bits (inclusive), determine the remaining 16 bits of the plaintext corresponding to C.
To be clear: your 32-bit answer to the previous question, concatenated with your 16-bit answer to this
question, should make the whole plaintext corresponding to the 48-bit ciphertext C. Although you will
most certainly need to work out the previous question in order to solve this one, the two answers will
be marked independently. Provide your answer for this one as a single line in your answer file, in the
following format (fake values):

2b 0001001100001111
Hint: this is a substantially more difficult question, and you are not required nor expected to solve it to
get full marks on the assignment; this is for extra credit. The Berlekamp-Massey algorithm is your friend.
Marking criteria: 4 bonus marks for an exactly correct answer; 0 mark otherwise; no partial credit here.
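
An added illustration (not part of the original paper) of why a stream-cipher key must never be reused and why a single LFSR is a weak keystream generator: known plaintext exposes the keystream, and the Berlekamp-Massey algorithm rebuilds the register from it. The bit strings are constructed demo data generated from the example LFSR of Question 1, and the function names are illustrative.

```python
def bits(s):
    return [int(ch) for ch in s]

def text(b):
    return "".join(str(x) for x in b)

def xor(a, b):
    return [x ^ y for x, y in zip(a, b)]  # zip stops at the shorter input

def berlekamp_massey(s):
    """Shortest LFSR for s: returns (L, c), s[n] = XOR of c[i] & s[n-i], i = 1..L."""
    n = len(s)
    c, b = [1] + [0] * n, [1] + [0] * n
    L, m = 0, -1
    for i in range(n):
        d = s[i]                         # discrepancy between prediction and s[i]
        for j in range(1, L + 1):
            d ^= c[j] & s[i - j]
        if d:
            prev, shift = c[:], i - m
            for j in range(n + 1 - shift):
                c[j + shift] ^= b[j]
            if 2 * L <= i:               # register too short: lengthen it
                L, m, b = i + 1 - L, i, prev
    return L, c[:L + 1]

def extend(s, L, c, total):
    """Run the recurrence forward until `total` bits are available."""
    s = list(s)
    while len(s) < total:
        nxt = 0
        for i in range(1, L + 1):
            nxt ^= c[i] & s[-i]
        s.append(nxt)
    return s

def recover(p_known, c_known, c_target):
    """Plaintext of c_target as (head, tail, L): head needs only XOR, tail the LFSR."""
    n = len(p_known)
    ks = xor(bits(p_known), bits(c_known))       # keystream = P' xor C'
    head = xor(bits(c_target), ks)               # the same keystream decrypts C
    L, c = berlekamp_massey(ks)
    if 2 * L > n:
        raise ValueError("known keystream too short to determine the LFSR")
    full = extend(ks, L, c, len(c_target))
    tail = xor(bits(c_target)[n:], full[n:])
    return text(head), text(tail), L

# Constructed demo data: keystream from the Question 1 example LFSR, made-up plaintexts.
KS = extend([1, 1, 0, 1, 0, 0, 0], 7, [1, 1, 1, 0, 0, 1, 0, 1], 48)
P_FIRST, P_SECOND = "0011" * 12, "000111" * 8
C_FIRST = text(xor(bits(P_FIRST), KS))
C_SECOND = text(xor(bits(P_SECOND), KS))

if __name__ == "__main__":
    print(recover(P_FIRST[:32], C_FIRST, C_SECOND))
```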

3 Block ciphers: basic usage and analysis

This question involves the use of the DES and AES128 ciphers in the most basic mode (i.e., in ECB mode).
Your individual data in your challenge file will contain a number of fields, presented similarly as the following:

Question 3 (id:XYZ)
DESkey= 0123456789abcdef
AESkey= 0123456789abcdef0123456789abcdef
P0= QQQQQQQQUUUUUUUUTTTTTTTTqqqqqqqquuuuuuuuttttttttQUTQUTQUTQUTQUTQ
P1= qqqqqqqquuuuuuuuttttttttQQQQQQQQUUUUUUUUTTTTTTTTqutqutqutqutqutq
P2= QQQQQQQQqqqqqqqqUUUUUUUUuuuuuuuuTTTTTTTTttttttttQuTqUtQuTqUtQuTq
C3= 77dc6d23de5ec6ddb109fd803eb2d05e43d7a757c7ca1e5759310b280c36c878220badc2e1722177e41ec4b812fcbe6377dc6d23de5ec6ddb109fd803eb2d05e
C4= 44cf29aab5b6541fc719fd593524cc8d03a7d825366dc49e077cce1b6d26e76905ada3b2c556c6a7b9d6c16af2ef21e744cf29aab5b6541fc719fd593524cc8d

The first two items (after the question and ID numbers), denoted DESkey and AESkey, are respectively a 64-bit
DES key¹ and a 128-bit AES key, both encoded in hexadecimal as 16- and 32-hex-digit strings respectively.
Following those, are three 64-byte (or 512-bit) plaintexts denoted P0, P1, P2 and written out as plain text strings
of 64 characters with no newlines at the end. Finally, there are two 64-byte ciphertexts C3 and C4, encoded as
128 hex digits each, and described further down in parts c–f.

a. Encrypt the first plaintext P0 using your assigned DES key, and present the result in hexadecimal in your
answer file, giving all 128 hex digits prefixed with ‘3a ’ all on the same line, as in the following example
(which here is correct for the plaintext P0 and DES key given as examples).
3a 31e6eacfccdb6102d7165de8760b03688d64caa14c51990dceef47990c89983b0c6ee85b8051c29a0b95d429cb28af3a0f1b9d1637f72a46cb9784ebc9469c61

b. Encrypt the same plaintext P0 using your assigned AES key, and give the result in hexadecimal in your
answer file, on a single line prefixed with ‘3b ’, as in the following example (which here is also correct for
the example plaintext P0 and AES key given in the example question data).
3b d654a05a67eacb2ed6ccc90140c5e2eee08adbf66ce513157a3af451772907681c0905be6157cb271f241ca331ba0e83fc7542e5c831cd5b4edfe78104c38059

c. Knowing that the (hex-encoded) ciphertext C3 is also a DES-ECB encryption of P0, but with a different
unknown key, can you transform C3 into a DES-ECB ciphertext that would decrypt, under the same
unknown key, into the plaintext P1? If so, write out ‘3c ’ followed by your (hex-encoded) transformed
ciphertext on a single line in your answer file. If not, write out ‘3c infeasible’ as your answer.
d. Same question, but now seeking to transform C3 into a valid DES-ECB encryption of P2 (instead of P1)
under the unknown key. Prefix your answer with ‘3d ’.
e. Similar question, where you are told that the (hex-encoded) ciphertext C4 is an AES128-ECB encryption
of P0 under an unknown key, and you are to either transform C4 into a valid AES128-ECB encryption of
P1 under that unknown key, or indicate ‘infeasible’ if you cannot do it. Prefix your answer with ‘3e ’.
f. Same question, but seeking to transform C4 into a valid AES128-ECB encryption of P2 (instead of P1)
under the unknown key. Prefix your answer with ‘3f ’.

Your answers to subparts c–f above should each consist of a single line in your answer file, of either one of the
following two forms (with fake values for illustration) — making sure to use the correct prefix for each subpart:

either 3c infeasible or

3c 77dc6d23de5ec6ddb109fd803eb2d05e43d7a757c7ca1e5759310b280c36c878220badc2e1722177e41ec4b812fcbe6377dc6d23de5ec6ddb109fd803eb2d05e

Marking criteria: 10 marks for the whole question, to be earned as follows. Subparts a–b: 1 mark for an
exactly correct answer; 0 mark for an incorrect or missing answer. Subparts c–f: 2 marks for an exactly correct
answer; 0 mark for an incorrect or missing answer.

Note: if the correct answer is ‘infeasible’ in any subpart(s) c–f, such will be the only answer that earns the 2
marks for that subpart, even if you manage to solve the question by brute-forcing the key or cracking the cipher
itself... but if you manage that, be sure to let me know! :)

Hint: the answers given in a and b above are correct for the example given. Use them to verify that your DES
and AES encryption software works as expected, and that you are using it correctly (e.g., if using openssl, set
it to use the right mode, to take an actual hex key as input rather than a password, and to disable padding).
Ensure you are using your software correctly, before proceeding with this question.

¹ Recall that the effective key strength of DES is 56 bits, but the standard and most encryption software including CrypTool
and OpenSSL use a redundant DES key encoding of 64 bits, which is what is given in your file. You can verify against the values
given as answers to subparts a–b, which are correct for the example data, that your software works in the same way.

4 Block-cipher modes of operation for confidentiality

Your challenge data for this question consists of a 128-bit AES key and 128-bit IV, both given in hex, and a
64-byte very repetitive ASCII plaintext string (note: no newline at the end of it), as in the following example:

Question 4 (id:XYZ)
K4= 0123456789abcdef0123456789abcdef
IV= fedcba9876543210fedcba9876543210
P4= ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZ

a. Using your individual key and IV, encrypt the above plaintext using AES128 in CBC mode. Record the
ciphertext (removing the IV from the ciphertext if present) as a 128-hex-digit string prefixed with ‘4a ’.
b. Using your individual key and IV, encrypt the above plaintext using AES128 in CFB mode. Record the
ciphertext (removing the IV from the ciphertext if present) as a 128-hex-digit string prefixed with ‘4b ’.
c. Using your individual key and IV, encrypt the above plaintext using AES128 in OFB mode. Record the
ciphertext (removing the IV from the ciphertext if present) as a 128-hex-digit string prefixed with ‘4c ’.
Your answer to each subpart a–c should look like the following (which is correct for 4a in this example)²:
4a 5cea599e265078a54f17d41921613bb21b5d2054f5bc3597c1e967880110ad23e71c624d47fe9e67d809f8f20e020723b9b1f3d5587e893f9582e20192e9dd4e

d. Now take the AES-CBC ciphertext you obtained in (a) above, and set the first 2 bytes of the first ciphertext
(not IV) block to two zero-valued bytes (0000 in hex). Then decrypt with your key and IV. Compare
the resulting plaintext with the plaintext you started with. In your answer file, record the number of
plaintext bytes that would be corrupted from this 2-byte ciphertext alteration. Use prefix ‘4d ’ to answer.
e. Do as in (d) above, but with the AES-CFB ciphertext you obtained in (b). Use prefix ‘4e ’ to answer.
f. Do as in (d) above, but with the AES-OFB ciphertext you obtained in (b). Use prefix ‘4f ’ to answer.
g. Now take the AES-CBC ciphertext you obtained in (a) above, and remove (i.e., strip, not replace) its first
full block of ciphertext. Decrypt the result with your key and IV. Compare the resulting plaintext with
the plaintext you started with. In your answer file, record the number of plaintext blocks that have been
lost or altered in any way by this corruption. Use prefix ‘4g ’ to answer.
h. Do as in (g) above, but with the AES-CFB ciphertext you obtained in (b). Use prefix ‘4h ’ to answer.
i. Do as in (g) above, but with the AES-OFB ciphertext you obtained in (b). Use prefix ‘4i ’ to answer.
Your answer to each subpart d–i should be of the following form (here shown for 4g, with a fake value):
4g 5
j. Based on your results, which of the above three modes of operation would you not use for encrypting live
entertainment broadcasts? Indicate your answer as one of ‘CBC’, ‘CFB’, ‘OFB’, with prefix ‘4g ’.
k. Based on your results, which of these modes of operation would you not use for encrypting payment
orders (assuming no further authentication)? Answer with one of ‘CBC’, ‘CFB’, ‘OFB’, with prefix ‘4h ’.
Your answer to each subpart j–k should be of the following form (here shown for 4j, with a fake entry):
4j ECB

Marking criteria: 10 marks for this question, attributed as: 1 mark per correct answer in each subpart a–i;
0.5 mark per correct answer in each subpart j–k; 0 mark for each incorrect or missing answer.

² This was created using OpenSSL. If your software does not also omit the IV from the ciphertext, you’ll have to do it manually.

5 Block-cipher mode of operation for message authentication

Your challenge data for this question consists of: K5, a 128-bit AES key given in hex; M5, a 16-byte ASCII
message (with no newline at the end of it, as usual); M6, another 16-byte ASCII message; and finally T’, some
AES128-CBC-MAC tag, all presented as in the following example (with values for illustration only):

Question 5 (id:XYZ)
K5= 0123456789abcdef0123456789abcdef
M5= ABCDEFGHIJKLMNOP
M6= ABCDEFGHQRSTUVWX
T’= 61d78258eb1abd6fff479d1dabb6103b

a. Calculate the AES128-CBC-MAC message authentication tag for the message M5 using the key K5.
For this, assume that the IV is fixed to the constant 16-byte string of all zero-valued bytes (in hex:
00000000000000000000000000000000). Give your answer as a 32-hex-digit string with prefix ‘5a ’ as in:

5a 07dc4f3769b8c90a852bbe5682352c6a
Now, let’s figure out how an incorrect use of CBC-MAC with a non-fixed IV can lead to a forgery attack.
b. First, figure out which IV one would need to use to obtain the same tag as you found in (a) above, if
the message was a string of 16 zero bytes (in hex: 00000000000000000000000000000000) instead of M5.
Write your answer as a 32-hex-digit string with prefix ‘5b ’ as in (here shown with a fake value):

5b 365e00237d91c5e9b391b92cdeb0b8af
c. Next, expand your attack to obtain an IV, which, when used in AES128-CBC-MAC on the message M6,
will produce yet again the same tag as you got in (a). Write your answer as a 32-hex-digit string with
prefix ‘5c ’ as in (again, using a fake value):

5c 80e9b76b9b6b11e613cbcb6815183333

d. Finally, generalise your attack so that it works without needing the key. To demonstrate you were
successful, assume that the tag T’ (given in hex in your challenge data) was obtained through AES128-
CBC-MAC on message M5 using the all-zero IV and an unknown key, and figure out what IV should be
used to obtain the same tag T’ on message M6. Write your answer as a 32-hex-digit string with prefix ‘5d ’
as in (fake value):

5d bda70149919ba30064f0c82b606be318

Marking criteria: 2 marks, as one each for each exactly correct answer in subparts a–b; plus 2 bonus marks,
as one each for each exactly correct answer in subparts c–d.
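
An added illustration (not part of the original paper) of why CBC-MAC must use a fixed IV: if the verifier accepts an IV supplied with the message, a tag issued for one message also validates another, and no key is needed to find the IV. Python's standard library has no AES, so `prf` is a stand-in keyed block function built from HMAC-SHA256 (an assumption of this sketch); its tags differ from real AES128-CBC-MAC tags, but the IV relation does not depend on the cipher. Key and messages are the example values from the question, and the function names are illustrative.

```python
import hashlib
import hmac

BLOCK = 16
ZERO_IV = bytes(BLOCK)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key, block):
    """Stand-in for AES-128 encryption of one block (assumption: stdlib has no AES)."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]

def cbc_mac(key, iv, msg):
    """CBC-MAC over whole blocks: chain E_K(state xor block), return the last state."""
    if len(iv) != BLOCK or len(msg) == 0 or len(msg) % BLOCK:
        raise ValueError("IV must be one block, message a whole number of blocks")
    state = iv
    for i in range(0, len(msg), BLOCK):
        state = prf(key, xor(state, msg[i:i + BLOCK]))
    return state

def colliding_iv(iv, msg, other):
    """IV under which `other` gets the tag `msg` has under `iv`. No key involved:
    only iv xor first_block enters the cipher, so that value is kept unchanged."""
    if len(msg) != len(other) or msg[BLOCK:] != other[BLOCK:]:
        raise ValueError("messages may differ in their first block only")
    return xor(iv, xor(msg[:BLOCK], other[:BLOCK]))

def verify_sender_iv(key, iv, msg, tag):
    """Flawed verifier: trusts an IV that travels with the message."""
    return hmac.compare_digest(cbc_mac(key, iv, msg), tag)

def verify_fixed_iv(key, msg, tag):
    """Sound for fixed-length messages: the IV is a constant, never an input."""
    return hmac.compare_digest(cbc_mac(key, ZERO_IV, msg), tag)

# Example values from the question above.
K5 = bytes.fromhex("0123456789abcdef0123456789abcdef")
M5 = b"ABCDEFGHIJKLMNOP"
M6 = b"ABCDEFGHQRSTUVWX"

if __name__ == "__main__":
    tag = cbc_mac(K5, ZERO_IV, M5)
    iv = colliding_iv(ZERO_IV, M5, M6)
    print("IV for M6:", iv.hex())
    print("sender-IV verifier accepts M6:", verify_sender_iv(K5, iv, M6, tag))
    print("fixed-IV verifier accepts M6: ", verify_fixed_iv(K5, M6, tag))
```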

End of paper. Good luck!

In the appendix on the next page is an example of a correctly formatted answer file (but with fictitious data for
illustration only).

A ASCII answer file template (with example data)
01234567 Ms. Gwendolyn Hippolyta STUDENT

1a 110100011000100111001010011010010111101011101110001111001100100100010101011
1b 12
1c 789

2a 01010011000011110000000011111111
2b 0001001100001111

3a 31e6eacfccdb6102d7165de8760b03688d64caa14c51990dceef47990c89983b0c6ee85b8051c29a0b95d429cb28af3a0f1b9d1637f72a46cb9784ebc9469c61
3b d654a05a67eacb2ed6ccc90140c5e2eee08adbf66ce513157a3af451772907681c0905be6157cb271f241ca331ba0e83fc7542e5c831cd5b4edfe78104c38059
3c 77dc6d23de5ec6ddb109fd803eb2d05e43d7a757c7ca1e5759310b280c36c878220badc2e1722177e41ec4b812fcbe6377dc6d23de5ec6ddb109fd803eb2d05e
3d infeasible
3e 77dc6d23de5ec6ddb109fd803eb2d05e43d7a757c7ca1e5759310b280c36c878220badc2e1722177e41ec4b812fcbe6377dc6d23de5ec6ddb109fd803eb2d05e
3f infeasible

4a 5cea599e265078a54f17d41921613bb21b5d2054f5bc3597c1e967880110ad23e71c624d47fe9e67d809f8f20e020723b9b1f3d5587e893f9582e20192e9dd4e
4b 5cea599e265078a54f17d41921613bb21b5d2054f5bc3597c1e967880110ad23e71c624d47fe9e67d809f8f20e020723b9b1f3d5587e893f9582e20192e9dd4e
4c 5cea599e265078a54f17d41921613bb21b5d2054f5bc3597c1e967880110ad23e71c624d47fe9e67d809f8f20e020723b9b1f3d5587e893f9582e20192e9dd4e
4d 55
4e 55
4f 55
4g 5
4h 5
4i 5
4j ECB
4k ECB

5a 07dc4f3769b8c90a852bbe5682352c6a
5b 365e00237d91c5e9b391b92cdeb0b8af
5c 80e9b76b9b6b11e613cbcb6815183333
5d bda70149919ba30064f0c82b606be318
