
1.

Given is a protocol in which the sender performs the following operation:


y = e[(M||H(k2||M)), k1], where M is the message, H is a hash function, e is an
encryption algorithm, ‘||’ denotes simple concatenation, and k1, k2 are secret keys
which are known only to the sender and the receiver.
Assume that the sender and the receiver know concatenation and de-concatenation
structure. Provide a step-by-step description of what the receiver does upon reception
of y.
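
The receiver's side of this construction, as an added example that is not part of the original question sheet. It assumes SHA-256 for H and, because the sheet does not name a cipher, a toy XOR keystream as a stand-in for e; the function names `send` and `receive` are hypothetical.

```python
import hashlib
import hmac

HLEN = hashlib.sha256().digest_size  # fixed 32-byte H output gives the split point

def H(data):
    return hashlib.sha256(data).digest()

def e(data, k1):
    """Stand-in cipher (assumption): XOR with a SHA-256 counter keystream.
    XOR is its own inverse, so the receiver also calls e() to decrypt.
    No nonce is used, so the keystream repeats per key: demo only."""
    stream, ctr = b"", 0
    while len(stream) < len(data):
        stream += H(k1 + ctr.to_bytes(8, "big"))
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def send(M, k1, k2):
    # Sender: y = e[(M || H(k2 || M)), k1]
    return e(M + H(k2 + M), k1)

def receive(y, k1, k2):
    """Return M if the embedded hash verifies, otherwise None."""
    if len(y) < HLEN:                      # too short to contain a hash
        return None
    plain = e(y, k1)                       # 1. decrypt y with k1
    M, tag = plain[:-HLEN], plain[-HLEN:]  # 2. de-concatenate M and the hash
    expected = H(k2 + M)                   # 3. recompute H(k2 || M)
    if not hmac.compare_digest(tag, expected):  # 4. constant-time comparison
        return None                        #    mismatch: reject the message
    return M                               # 5. accept M as authentic

if __name__ == "__main__":
    k1, k2 = b"k1-constructed", b"k2-constructed"  # constructed sample keys
    y = send(b"pay 100 to Bob", k1, k2)
    print(receive(y, k1, k2))
    print(receive(bytes([y[0] ^ 1]) + y[1:], k1, k2))  # tampered ciphertext
```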

2. Can we see which Certificate Authorities have their Trusted Root present in
browsers? We have already been validated by one Certificate Authority; do we still
have to be validated by another CA? Justify your answer.

3. The difficulty of breaking the RSA cipher comes from the difficulty of factorizing large
numbers. To what do we owe the difficulty of breaking the Diffie-Hellman cipher?

4. Find at least one intermediate certification authority’s certificate and one trusted root
certification authority’s certificate on your computer (e.g., in the browser) and explain
each in detail. Why is it desirable to revoke a certificate before it expires?

5. The AES standard allows for key lengths of 128 bits, 192 bits, and 256 bits. Most
implementations today use 128 bits but it is expected that companies will start
marketing implementations that use 192 bits or even 256 bits before the end of this
decade. Can you give a practical reason why a 192-bit or a 256-bit shared secret
would provide more security than a 128-bit shared secret?

6. Compute the SHA-1 of the string "Amrita School of Engineering".

7. You might think that one way to strengthen the use of the DES is to encrypt messages
twice (using different keys). But double encryptions are subject to a “meet in the
middle attack.”

Let’s use the notation C = E (P, K) to indicate that plaintext P is encrypted under
cipher symmetric encryption function E by key K to produce ciphertext C. We’ll also
use D as the cipher symmetric decryption function, so P = D (C, K).

Now, the idea of double encryption is to use C = E (E (P, K1), K2). But the problem
is that if we have a known-plaintext attack (where we know P and C) we can compute
a table E (P, K) for all possible values K and also a table D (C, K) for all possible
values K. We then look for a collision. This is the “meet in the middle attack.”

(a) Show that performing a meet in the middle attack takes approximately twice as
long as the worst-case exhaustive search of single encryption and four times as long
as the expected-case exhaustive search of single encryption.

8. Suppose that someone suggests the following way to securely confirm that the two of
you are both in possession of the same secret key. You create a random bit string the
length of the key, XOR it with the key, and send the result over the channel. Your
partner XORs the incoming block with the key and sends it back. You check, and if
what you receive is your original random string, you have verified that your partner
has the same secret key. Is this scheme secure?

9. An RSA public key is a pair $(n, e)$ where $n = pq$ is the product of two primes.
$RSA_{n,e}(m) = m^e \bmod n$
Alice, Bob, and Carol use RSA public keys $(n_A, 3)$, $(n_B, 3)$, and $(n_C, 3)$, respectively.
David wants to send the same message ‘m’ to the three of them.
So, David computes
$y_A = m^3 \bmod n_A$
$y_B = m^3 \bmod n_B$
$y_C = m^3 \bmod n_C$
and sends the ciphertexts $y_i$ to the respective users.

Show how an eavesdropper Eve can now compute the message ‘m’ even without
knowing any of the secret keys of Alice, Bob, and Carol.

10. You have a copy of Anthony Joseph’s certificate chain: his certificate is signed by the
EECS department; the EECS department’s certificate is signed by UC Berkeley; UC
Berkeley’s certificate is signed by Verisign. Whose public keys do you need to know
in advance in order to obtain the correct public key for Anthony?

11. In general, in a block cipher, we replace N bits from the plaintext with N bits of
ciphertext. What defines an ideal block cipher? Whereas it is true that the relationship
between the input and the output is completely random for an ideal block cipher, it
must nevertheless be invertible for decryption to work. That implies that the mapping
between the input blocks and the output blocks must be one-to-one. If we had to
express this mapping in the form of a table lookup, what will be the size of the table?

12. What aspect of the Needham-Schroeder Key Distribution Protocol gives each of the
two parties A and B (who want to communicate securely with each other) the
confidence that no third-party C is masquerading as the other? What is a nonce and
why is it used in the Needham-Schroeder protocol?

13. As you now know, in the RSA algorithm a message M is encrypted by calculating:
$C = M^e \pmod{n}$ where n is the modulus. Assume that you are using a 1024-bit RSA
algorithm (meaning that the modulus is of size 1024 bits) for encrypting your
messages. Now let’s say that your enemy knows that your business partners are in the
habit of communicating with you with very short messages — messages that involve
very small values of M compared to the size of the n = p × q modulus.
Since the enemy will know your public key, he will know that what your business
partner has sent you is $C = M^e$ where ‘e’ is the public exponent that the enemy would
know about. Assuming for the sake of convenience that e = 3, why can’t the enemy
decrypt the confidential message intended for you by just taking the cube root of C?

14. The necessary condition for the encryption key ‘e’ is that it be coprime to the totient
of the modulus. But, in practice, what is ‘e’ typically set to and why? From the public
key, we know the modulus n and the encryption integer e. If a bad guy could figure
out the totient of the modulus, would that amount to breaking the code?

15. Consider a Feistel cipher with four rounds that use the round function
$F(R_{i-1}, K_i) = R_{i-1} \oplus K_i$. The plaintext is denoted $P = (L_0, R_0)$ and the
corresponding ciphertext is $C = (L_4, R_4)$. What is the ciphertext C in terms of $L_0$, $R_0$, and the subkey?

16. Suppose that Alice encrypts the plaintext blocks P0, P1, P2, P3, P4, P5 using CBC
mode and shared symmetric key K, producing ciphertext blocks C0, C1, C2, C3, C4,
C5. She sends the ciphertext to Bob along with the initialization vector IV. Suppose
that a transmission error flips a bit in block C2, resulting in block X. Which blocks
can Bob decrypt correctly?

17. This question deals with the RSA public-key cryptosystem. Alice’s public key is (N,
e) = (33, 3). Her private key is d = 7. (You do not need to simplify your results for this
problem.)
(a) Encrypt the message M = 19 with Alice’s public key, i.e., find $\{19\}_{\text{Alice}}$.
(b) Decrypt the ciphertext C = 29 encrypted with Alice’s private key. In other words,
calculate $[29]_{\text{Alice}}$.

18. Alice and Bob wish to create a secure connection, so they use the Diffie-Hellman key
exchange. They select the public values of p = 43 and g = 9.
(a) Alice chooses a secret value of a = 3. Calculate her initial message to Bob.
(b) Bob responds with 10. Calculate the shared secret value.
(c) The Diffie-Hellman key exchange has an important vulnerability. Describe how
Trudy might intercept communication between Alice and Bob if they are not
careful. What measures can they take to defend against this attack?

19. A sequence of plaintext blocks $M_1, \dots, M_8$ is encrypted using DES into a sequence of
ciphertext blocks. Where an IV is used, it is numbered $C_0$. A transmission error occurs
and one bit in ciphertext block $C_3$ changes its value. As a consequence, the receiver
obtains after decryption a corrupted plaintext block sequence $M'_1, \dots, M'_8$. For the
discussed modes of operation (ECB, CBC, CFB, OFB, CTR), how many bits do you
expect to be wrong in each block $M'_i$?
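
The single-bit transmission error described in questions 16 and 19 can be observed directly. The following is an added example, not part of the original question sheet: it uses a toy 4-round Feistel permutation on 64-bit blocks as a stand-in for DES (an assumption), covers only ECB, CBC and CTR, and the names `crypt` and `flip_errors` are hypothetical.

```python
import hashlib

BS = 8  # 64-bit blocks, the DES block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def F(key, rnd, half):  # toy round function (assumption, not DES)
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def enc_block(key, blk):  # 4-round Feistel permutation
    l, r = blk[:4], blk[4:]
    for i in range(4):
        l, r = r, xor(l, F(key, i, r))
    return l + r

def dec_block(key, blk):  # same rounds in reverse order
    l, r = blk[:4], blk[4:]
    for i in reversed(range(4)):
        l, r = xor(r, F(key, i, l)), l
    return l + r

def crypt(mode, key, iv, blocks, decrypt=False):
    out, prev = [], iv
    for n, b in enumerate(blocks):
        if mode == "ecb":
            o = dec_block(key, b) if decrypt else enc_block(key, b)
        elif mode == "cbc":
            o = xor(dec_block(key, b), prev) if decrypt else enc_block(key, xor(b, prev))
            prev = b if decrypt else o  # chain on the ciphertext block
        else:  # "ctr": same operation both ways; counter block = IV XOR n (simplified)
            o = xor(b, enc_block(key, xor(iv, n.to_bytes(BS, "big"))))
        out.append(o)
    return out

def flip_errors(mode, n_blocks, flip_index):
    """Bits wrong in each recovered block after one ciphertext bit flips."""
    key, iv = b"constructed key", b"\x11" * BS  # constructed sample values
    plain = [bytes([i]) * BS for i in range(n_blocks)]
    ct = crypt(mode, key, iv, plain)
    ct[flip_index] = xor(ct[flip_index], b"\x01" + bytes(BS - 1))  # flip one bit
    got = crypt(mode, key, iv, ct, decrypt=True)
    return [bin(int.from_bytes(xor(p, g), "big")).count("1") for p, g in zip(plain, got)]

if __name__ == "__main__":
    for mode in ("ecb", "cbc", "ctr"):
        print(mode, flip_errors(mode, 6, 2))  # question 16: error in C2 of C0..C5
```

For question 19's numbering, where C0 is the IV, the damaged block C3 is list index 2 of 8: `flip_errors("cbc", 8, 2)`.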

20. There are three typical ways to use a nonce as a challenge. Suppose $N_a$ is a nonce
generated by A, A and B share key K, and f() is a function (such as an increment).
The three usages are:

Describe the situations for which each usage is appropriate.


21. (i) What aspect of the Needham-Schroeder Key Distribution Protocol gives each of
the two parties A and B (who want to communicate securely with each other) the
confidence that no third-party C is masquerading as the other?
(ii) What is a nonce and why is it used in the Needham-Schroeder protocol?

22. Consider the following protocol with the goal of key establishment. Here $N_A$ is a
nonce chosen by A, $T_B$ is a timestamp from the clock at S, and $K_{AB}$ is the session key
chosen by server S. $ID_A$ and $ID_B$ are identity strings for A and B respectively. $K_{AS}$ and
$K_{BS}$ are key-encrypting keys initially shared between S and A, and between S and B
respectively. The notation $\{X\}_K$ denotes authenticated encryption of X with key K.

i. A → S: $ID_A, ID_B, N_A$
ii. S → A: $\{K_s, ID_B, N_A\}_{K_{AS}}, \{K_{AB}, ID_A, T_B\}_{K_{BS}}$
iii. A → B: $\{K_{AB}, ID_A, T_B\}_{K_{BS}}$

a. What is the purpose of including the identity $ID_B$ in the first part of message 2?
What attack could happen if it was not included?
b. Suppose that an attacker can control the clock at B and set it to any chosen value.
Explain how this allows such an attacker to launch a replay attack on the
protocol.

23. When using the RSA algorithm to form a digital signature, the output is a value
$s = h(m)^d \bmod n$ for a suitable hash function h. The message m and s are sent to the
verifier.
a. Given a valid public exponent e and the modulus n, how does the verifier check the
signature?
b. Suppose now that the hash function is not used, so the signature for a message is
simply $s = m^d \bmod n$.
Explain how an attacker can construct a valid signature and message, without seeing
any other signature.

24. Each node N of a network has been assigned a unique secret key $K_n$. This key is used to
secure communications between the node and a trusted server. That is, all the keys are
stored on a server. User A, wishing to send a secret message M to user B, initiates the
following protocol:

i. A generates a random number R and sends to the server his name A, destination B,
and $E_{K_a}[R]$.
ii. The server responds by sending $E_{K_b}[R]$ to A.
iii. A sends $E_R[M]$ together with $E_{K_b}[R]$ to B.
iv. B knows $K_b$, thus decrypts $E_{K_b}[R]$ to get R and will subsequently use R to decrypt
$E_R[M]$ to get M.
Analyze this protocol. Is it safe?

25. Consider a one-way authentication technique based on asymmetric encryption:


a. Explain the protocol.
b. What type of attack is this protocol susceptible to?

26. Consider a one-way authentication technique based on asymmetric encryption:

a. Explain the protocol.


b. What type of attack is this protocol susceptible to?