92 SecRer Key Crverocnarity 36 ess 3.6 RCA A tong random (or pseso cor) string used to encrypt a message with a simple @ operations owas come-ne pad. A stream cipher generates aone-tie pad and apis i 0 team of Piointext th. TRA a ues cipher designed hy Ron Rives. RCS was a trade secret, st was “ted” in tong As a eal thas been extensnelyataleet! ais considered secure as fong. a8 you discard te rst ew Gy 256) octets of te goversted pad “Fhe alr ic an exttemely simple (and fox) generator of puendo-rindom steams of “ctets The ey cate fom 10.256 ces Even wth mini Key (single nll ote) the gn trated prcwloratidom steam passes al he usual randoranes tests and so makes a fine pseudo ‘anos amber geertor—Iy've used it for tat purpose an numerous oeasins). RCS Keeps 258 Stes of atte information, 256 octets of hich ae a pecrasation oF. 1.295 ta sina com pe rm the key and thon alered each pa tts generat The hoon page 93 pves a complete C implementation of RCH onetime pa peneration, 3.7 HOMEWORK 1. Come up wthas efficient an encoding ax you cunt specitya completely general onetvone rapping been 64: pt Sales and 64-bit out alae. “Token cards display @ amber that changes peril, pehsps every minute. Fach such sevice hs 8 unique socet hy. A human can prove possession of priculr such device by tering the displayed number into computer system. The computer sytem knows the secret ys ofeach authorized dovice Hom would you design sucha doves? A. to ans OES Reson the erage enceegt a qaiewlarqaintent Mock to garewar ciphenent och? 4. Make an argument aso hy the nial permutation ofthe bits ofthe DES Key cau any secity vale. 5. Suppose the DES mang function mapped every 32-bit value to 2eo, earls ft ‘of te apt, What Sanction would DES then compute? 6 ‘heal the $6 is of he DES hey wed an equal number of times inthe? Speci. i of he Kj, which bits ate ao sed114 Moves oF Opersniow 45 SSS ith CBC done onthe inside, ny change cpt bck» completly and eprediably ‘bls all plaigex blocks fom othe end ofthe message This makes CBC dane onthe oe mow seer, and pers would thetfore have ben a beter choice. However, smn poole wool fri aig of sphere ck ci ct gute ts ere eto he message Teed ‘cfr dat he enryption scheme be seltsynchroniing which math aster some rll ee ‘sof gabled blocks, the pit! wil tu decrypting propery ean. Thee ae sso sie vec "iy flaws with CBC onthe inside if he atacer can spy chen pastes and IV nd eee he ouput “Anather advange of CBC on he insides prfomance.Wih CC onthe inside spo De ae he me as muck ardwateandppctine the enotions so hat at ne [encryption With CRC on the oti, ths is ot posible ‘One reason tat people choose CBC on te utside despite its disadvantages is hat EDE nero can be consiered a iow sett hey bck encyption scheme that ae 112 hey, This can hen be used wit ay ofthe cing method (OF, ECR, CFB, CTR a wells CDC, 4.5 HOMEWORK 1. What pseodosandom block steam i generate y fit OFB with woak DES key? ‘Te pseudo steno locks peer hy 64-bit OFB must xctuly repeat since ‘# most 2 urn blocks canbe general). Will K{IV] noensaiy be the fat beck be repeated? Lets sume you do DS dole encryption by enering with Kan ding DES in decry. mode wih. Does the same tack work swith debe encryption wih and? He how cout be made wart? 4) Wha pace! method or inding ite of keys tht maps a sen planet toa gen siohenex using EDE? Hint Ise themectinshe-mille tuck of $34.12 Encore Tice with Teo Kes 5._Les sume that someone des ple encryption y vi EEE wih CHC on te nie Sup Dose m stacker modes bit x of ciphertext Bock n. How dec ths aft he seeped inex? © Consider the following aerative med of ening messge. T encrypts menage, ‘eth scr for digs CDC deep. To yp mesg, tess | aceHomework 11558 Homework 143 wee working Igovithin yas iy reasonable nesige—has ng security of ‘Then the best tobe secure i D4 Message 1) for data x patsy ith ropes) pro- Although there fered the same ward. the hey 10 the sthe extension deal, HMAC cedsize omput ho bits eo S12 128 bits of 160 0512 bits I ey 0 | Ges’) 1 HMAC Key, message) Figure 5-10, ntsc thea s the padded key with a constant string of oetets oF value 36 eoncatenatesit with the mes padded key with different constant Sing of octets of value Seg, concatenates that with the result of the frst ‘goto be protected and computes message dl ure with RSA alone on & long message would be too slow (presumably using cipher block chaining). Suppose we could do division quickly, Would it be reasons ‘compute an RSA signature on along message by first finding what the message equals, mod nad signing tha? Message digests are reasonably fst but here's a much faster function to compute, Take yo message, divide it into [28-bit chunks, and ® all the chunks together to get a 128-bit result Do the st var message digest on the result. Is this a gol message digest function?Homework 145 neans of gen- ould Tike 10 ges, he will ay be of the ‘y before itis 5 will be of | ff psunes goo 128-pi mesg sige Ft, Assume ri pair vl do the sige dies snd you'd ike to find message that has a message digest of d. Given that thre sre many more 2000-bit messages tht map to a particular 128-bt message digest han TOD. mesages, would you theoretically have wo test fewer 2000-it messages o find one hts amessape digest of dthan if yon were to test LO00-bit messages? 8, Why do we expect that a randomly chosen 100-bit number will have about the same number of is and 0 bits? For you statistics fans, calculate the mean and standard deviation ofthe onstant was umber of I bits.) rd two mes. ing the hast of the hash, ‘ption block, ‘tions? Flint: Fur purposes ofthis exercise, we will deine random as having all elements equally likely 10 be chosen. So a function that selects a 100-bit number will be random if every 100-bit num- Feris equally likely to be chosen, Using this definition, if we look atthe function “#” and we Je two inpats, x and y, then the ourpur will be random if at least one of x and y are random. Fe instance, y can always be SI, and yet the output will be random if is random, For the following functions, find sufficient conditions for x, »; and z under whieh the output will be | number of Sa: same digest e 18) multiple of ay Lxay)vexAz) [the selection function) Inay)vexacivivac) [the majority function} 18) yeay-2) 15. Prove that the function (xay)®(xnz}@(yA2) and the function (xayvéraz)vn ‘equivalent. (Sorry—this isn't too relevant to cryptography, but we'd stumbled on two differ- ‘nt ersion of tis function in different documentation and we had to think about it for a bit to realize they were the same, We figured you should have the same fun) Do this by +I specifies evifications ‘hich speci ad test how Iput, oF test ‘ous simpli end al Ib. We mentioned in §5.2.2 Computing « MAC with a Hash that using MD4(K yale) as a MAC {snot secure. This is nota problem if MD2 is used instead of MDS, Why is that the case? each ot tha M7 In§523.1 Generating a One-Time Pad, we generate a pseudo-random stream of MD-sized blocks. This stream must eventually repeat (since only 212 gfferent blocks can be gener: ka ed), Will the first block necessarily be the first to be repeated? How does this compare to OFB (see Chapter 4 Modes of Operation Homework Problem 2)? 1. How do you decrype the encryption specified in $5.2.3.2 Mixing tn she Plaines? untion by.= MOLE > ing what would happen Ce pi 6.1 INTROD “Tis chap de apn vork fea for an ie ble