CSEN 1001
Computer and
Network
Security
Amr El Mougy
Alaa Gohar
Heba Anwar
**Slides are attributed to William Stallings
Revision Lecture
Q1: Cryptography Theory
For this problem, assume that Alice wants to send a single message M to Bob. To do so, Alice and Bob can potentially use a
number of different approaches and cryptographic technologies, which we will describe using the following terminology:
M: Plaintext for a single message
sK: Symmetric cryptography key
AES_sK: Symmetric-key encryption using AES-256 in CBC mode, with the key sK
PRNG_sK: Bit-stream from a cryptographically strong pseudo-random number generator, seeded with sK
SHA256: SHA-256 hash function
AES-EMAC_sK: Keyed MAC function, using the key sK
KA: Alice's public key
KA^-1: Alice's corresponding private key
KB: Bob's public key
KB^-1: Bob's corresponding private key
E_K: Public-key encryption using RSA with the public key K
Sign_K^-1: Public-key decryption using RSA with the private half of K. For its use as a building block for a digital signature, you do not
need to worry about padding issues.
You can assume that the public keys have been securely distributed, so Alice and Bob know their correct values.
Symmetric keys have not been exchanged.
Consider the following properties that Alice and Bob might desire their communication to have: Confidentiality, Integrity,
and Non-Repudiation. For each of the following possible communication approaches, mention (and explain why) which
of these properties will securely hold (or not hold) in the presence of Mallory, a Man In The Middle (MITM) attacker.
Mention None if none of the properties hold. If an approach fails entirely (i.e. it will not result in Bob being able to read a given
message M), mention Broken. Note that "||" denotes concatenation.
(a) Alice generates a new symmetric key sK and sends to Bob: E_KA(sK), E_KB(sK), M XOR PRNG_sK
(b) Alice generates a new symmetric key sK and sends to Bob: E_KA(sK), E_KB(sK), AES_sK(M).
(c) Alice sends to Bob: E_KA(M), Sign_KA^-1(SHA256(M))
(d) Alice and Bob privately exchange a symmetric key sK in advance. Alice later uses this key to send to Bob: AES_sK(M),
AES-EMAC_sK(SHA256(M))
(e) Alice generates a new symmetric key sK and sends to Bob: E_KA(sK), E_KB(sK), Sign_KA^-1(sK), AES_sK(M)
Q1: Solution
a) This scheme only provides Confidentiality. While Bob cannot recover sK from E_KA(sK) (because Bob lacks Alice's
private key), he can do so from E_KB(sK). The encryption using M XOR PRNG_sK is the same as a stream cipher, which
will indeed provide confidentiality. However, without a separate MAC, the communication lacks integrity, and because
Alice does not sign her message, it also lacks non-repudiation. Note that confidentiality for multiple messages is
undermined by the lack of use of an Initialization Vector. However, the problem framing specifically discusses Alice
sending a single message.
b) The only difference between this scheme and the previous one is the use of AES rather than the stream cipher. By itself,
AES does not provide integrity, so this scheme likewise only provides Confidentiality.
c) Broken: to decrypt with this scheme, Bob needs to possess Alice's private key.
d) This scheme provides Confidentiality (via the use of AES) and Integrity (via use of the keyed MAC function). It does
not provide non-repudiation because the integrity/authentication component does not demonstrate possession of Alice's
private key. That said, a legitimate criticism of this approach is the reuse of the same key for encryption and the MAC
computation, which may make it easier to break the secret key.
e) The crucial insight for this problem is that Alice's signature over sK allows Mallory to recover sK simply by computing
E_KA(Sign_KA^-1(sK)), which Mallory can easily do since KA is well-known. Given possession of sK, all of the properties
fail to hold: Mallory can read the message and can alter it, so there is no confidentiality and no integrity. There is no
non-repudiation, either; all that the signature can demonstrate is that Alice signed sK, but not that she signed M.
However, Bob can still recover M. Therefore this scheme is marked None, rather than Broken.
Q2: RSA
Alice wants to send an encrypted message to Bob using RSA, but doesn't know his public
key. So, she sends Bob an email asking for the key. Bob replies with his RSA public key
(e, N). However, the active adversary intercepts the message and changes one bit in e from 0
to 1, so Alice receives an email claiming that Bob's public key is (e', N), where e' differs from
e in one bit (the adversary does this in such a way so as to keep the desired properties of the
RSA algorithm after the change). Alice encrypts m with this key and sends it to Bob. Of
course, Bob cannot decrypt, since the message was encrypted with the wrong key. So he
resends his key and asks Alice to send the encrypted message again, which she does. The
adversary eavesdrops on the whole communication without interfering further. Describe how
he can now recover m. Hint: If gcd(a, b) = 1 then you can find x, y such that ax + by = 1.
Q2: Solution
The adversary has eavesdropped and thus knows c = m^e mod N and c' = m^e' mod N.
He also knows e and e' and furthermore, gcd(e, e') = 1. So the adversary can find
integers x and y such that
ex + e'y = 1.
Hence,
c^x . c'^y = m^(ex + e'y) mod N = m.
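As an added worked example (not part of the original slides), the following Python carries out the recovery described in this solution on a constructed toy RSA key, and reuses the same key to show the Q1(e) point that a textbook RSA signature over sK lets anyone holding the public key compute sK back. The primes, exponents, message and key values are constructed for illustration and are far too small for real use.

```python
# Constructed toy RSA key (tiny primes, illustration only; real keys are 2048+ bits).
# It plays Bob's key in the Q2 part and Alice's key KA in the Q1(e) part.
P, Q = 61, 53
N = P * Q                 # modulus, 3233
PHI = (P - 1) * (Q - 1)   # 3120
E = 17                    # genuine public exponent e
D = pow(E, -1, PHI)       # matching private exponent d (2753); needs Python 3.8+

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x1, y1 = egcd(b, a % b)
    return g, y1, x1 - (a // b) * y1

def common_modulus_recover(n, e1, e2, c1, c2):
    """Q2: the same m was encrypted under (e1, n) and (e2, n) with gcd(e1, e2) = 1.
    c1^x * c2^y = m^(e1*x + e2*y) = m^1 (mod n). One of x, y is negative, so that
    factor is taken as a modular inverse raised to the absolute value."""
    g, x, y = egcd(e1, e2)
    if g != 1:
        raise ValueError("exponents must be coprime for this recovery")
    def signed_pow(c, k):
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)
    return (signed_pow(c1, x) * signed_pow(c2, y)) % n

def value_under_textbook_signature(sig, e, n):
    """Q1(e): a textbook RSA signature is s = v^d mod n, so anyone holding the public
    key (e, n) computes s^e mod n = v. Signing sK therefore publishes sK."""
    return pow(sig, e, n)

def demo():
    # Q2: the adversary flips one 0 bit of e (17 = 0b10001) to get e' = 19 = 0b10011;
    # gcd(19, PHI) = 1, so e' is still a valid RSA exponent, and gcd(17, 19) = 1.
    m = 1234
    e_prime = E | 0b10
    c, c_prime = pow(m, E, N), pow(m, e_prime, N)        # the two eavesdropped ciphertexts
    recovered_m = common_modulus_recover(N, E, e_prime, c, c_prime)

    # Q1(e): Alice signs the fresh symmetric key sK with her private key.
    sK = 2021
    sig = pow(sK, D, N)                                    # Sign_KA^-1(sK)
    leaked_sK = value_under_textbook_signature(sig, E, N)  # Mallory: E_KA(Sign_KA^-1(sK))
    return recovered_m, leaked_sK

if __name__ == "__main__":
    print(demo())   # (1234, 2021)
```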
Q3: Hash Algorithms
a) Given are two protocols in which the sender's party performs the following operation:
Protocol A:
y = e_k1(x || H(k2 || x))
where x is the message, H is a hash function such as SHA-1, e is a symmetric-key encryption algorithm, "||"
denotes simple concatenation, and k1, k2 are secret keys which are only known to the sender and the receiver.
Protocol B:
y = e_k(x || sig_kpr(H(x)))
where k is a shared secret key, and k_pr is a private key of the sender (not shared with the receiver).
Provide a step-by-step description (e.g., with an itemized list) of what the receiver does upon
reception of y and state whether each protocol achieves confidentiality and/or integrity and/or non-repudiation
Q3: Solution
a) Protocol A performs the following:
1. Decryption of y using symmetric key k1: d_k1(y) = x || H(k2 || x)
2. Concatenate k2 and x, where k2 is the 2nd secret key (shared).
3. Compute the hash of k2 || x, that is H(k2 || x).
4. Compare the computed hash value with the one obtained in 1.
Protocol B performs the following:
1. Decrypt as in 1A: d_k(y) = x || sig_kpr(H(x)) using shared symmetric key k.
2. Compute H(x).
3. Feed H(x) and sig_kpr(H(x)) into the verification algorithm and check if the signature on H(x) is valid. The verification algorithm needs the public key
of the sender.
b) For protocol A we have:
Confidentiality: YES, through encryption.
Integrity: YES, through hashing; changing y leads to an invalid pair x' and H(k2 || x').
Non-repudiation: NO, both Alice (sender) and Bob (receiver) can generate a valid message: y = e_k1(x || H(k2 || x)).
For protocol B we have:
Confidentiality: YES, through encryption.
Integrity: YES, through signing; changing y leads to an invalid pair x' and sig_kpr(H(x')).
Non-repudiation: YES, only the sender can send a message with a valid signature.
Q4: Cryptography Theory
Consider the following listings of certificates
Who is the CA?
For how long is this certificate valid?
What is the subject's public key (e, n)?
How can you tell if this certificate indeed belongs to this certificate request?
Q4: Solution
Dr. Wahab.
Oct 11 2006 – Oct 11 2007.
(65537, 00:9b:5e…)
Same public key
Q5: Key Distribution
The following authenticated key agreement protocol is given:
1: A → B: g^x mod p
2: B → A: g^y mod p || Ek(SignB(g^y mod p || g^x mod p))
3: A → B: Ek(SignA(g^x mod p || g^y mod p))
We assume that the parties have agreed on a (g; p) pair for Diffie-Hellman key exchange, that each user has RSA keys
for digital signatures and that they have agreed on a symmetric block cipher E for use in subsequent encryption.
Furthermore, k is the agreed secret key (the result of the Diffie-Hellman exchange) and SignA and SignB denote A's
and B's signature operations, respectively. Describe in detail (as a list) A's and B's actions at receipt of messages 2 and
3 and what beliefs they have at that stage (i.e. at this stage, do they believe that the other side is authentic?). Are A and
B successfully authenticated to each other after the protocol run? Note that "||" denotes a concatenation operation.
Q5: Solution
After receiving X = g^x mod p as message 1, B can choose a y and compute k = X^y mod p as the session key. He then computes Y = g^y mod
p, signs (Y || X) and encrypts it using key k. At this stage, B has no reason to believe that the received message was actually from A.
After receiving (Y || c) as message 2, A can compute k = Y^x mod p. Then k is the agreed common key, so she can use this to decrypt c,
getting s. Finally, she verifies that s is B's signature on (Y || X). A can now conclude that the sender of message 2 knows:
• k, since he could encrypt using it.
• B's signing key, since he could produce the signature s.
• X and y, the discrete log of Y (since A successfully decrypted c using k = Y^x, but anybody else could only have computed k as X^y).
• (Y || X), since he signed it; this knowledge must be recent, since it includes X, which A herself chose just before sending message 1.
From this evidence, A believes that the sender of message 2 is B and that therefore A and B share k. After receiving c' as message 3, B
decrypts it and verifies that the plaintext is A's signature on (X || Y). From similar reasoning as above, B concludes that the sender of
message 3 is A and that A and B share k.
Q6: Symmetric Encryption
AES is a block cipher that does not have any known weaknesses. In the following system, AES is used to design a high
speed encryption algorithm for WiFi. Specifically, the client and access point share a 128-bit key k, and encryption of a
128-bit packet m is done by choosing a random, 40-bit IV and sending
IV, AESk(IV) ⊕ m
(The IV is padded with trailing 0s to a length of 128 bits.) Is this a secure way to do encryption (Justify your answer).
If the IV were instead a 40-bit counter that is encrypted each time a message needs to be encrypted, would the security
improve?
Q6: Solution
No. The problem is that the IV still repeats too frequently: a repeated IV is expected to occur after only 2^20 packets are
encrypted, and this allows an attacker to figure out some information about the encrypted packets. Even worse, an
attacker may observe all IVs after a short amount of time, and (if the underlying plaintext is known for those packets)
build a table of (IV, AESk(IV)) pairs.
One could argue that it is slightly better, since repeated IVs now only occur after 2^40 packets are encrypted. (This is still
not good enough for adequate security, though.) One could argue that it is worse, because (assuming known plaintext is
encrypted) the attacker now gets all (IV, AESk(IV)) pairs after 2^40 packets are encrypted. Also, if the counter is reset upon
initialization, low IVs will repeat very frequently.
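As an added illustration (not from the original slides) of the IV-repeat argument in this answer, the Python below computes the birthday-bound collision probability for 40-bit IVs, simulates how many packets a random 40-bit IV survives before repeating, and shows what a repeat gives away: with the same IV both packets use the same keystream block, so the XOR of the ciphertexts equals the XOR of the plaintexts. A SHA-256-based keyed function stands in for AESk so the example runs without a crypto library; that substitution does not change the argument, which depends only on AESk(IV) being the same for the same IV.

```python
import hashlib
import math
import random

IV_BITS = 40
BLOCK_BYTES = 16   # 128-bit block / packet, as in the question

def keystream(key, iv):
    """Stand-in for AESk(IV): the IV is padded with trailing zero bytes to 128 bits
    (as the question states) and run through a keyed PRF. SHA-256 is used here
    only so the example needs no AES library (assumption, not the slides' cipher)."""
    iv_block = iv.to_bytes(IV_BITS // 8, "big").ljust(BLOCK_BYTES, b"\x00")
    return hashlib.sha256(key + iv_block).digest()[:BLOCK_BYTES]

def encrypt_packet(key, iv, m):
    """Sends (IV, AESk(IV) XOR m) for a 16-byte packet m."""
    ks = keystream(key, iv)
    return iv, bytes(a ^ b for a, b in zip(ks, m))

def xor_of_plaintexts_on_iv_reuse(c1, c2):
    """Two packets with the same IV share the keystream, so c1 XOR c2 = m1 XOR m2:
    the eavesdropper learns the XOR of the plaintexts without knowing the key."""
    return bytes(a ^ b for a, b in zip(c1, c2))

def collision_probability(packets, iv_bits=IV_BITS):
    """Birthday bound: probability that at least one IV repeats among `packets`
    uniformly random IVs, approximately 1 - exp(-n^2 / 2^(b+1))."""
    return 1.0 - math.exp(-(packets ** 2) / 2 ** (iv_bits + 1))

def packets_until_iv_repeat(seed):
    """Simulates random 40-bit IV choice and returns the packet number at which
    the first IV repeat occurs (seeded so that a run is reproducible)."""
    rng = random.Random(seed)
    seen = set()
    while True:
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            return len(seen) + 1
        seen.add(iv)

if __name__ == "__main__":
    key = b"\x01" * 16                                  # constructed sample key
    m1, m2 = bytes(range(16)), b"wifi-packet-0002"      # constructed sample packets
    _, c1 = encrypt_packet(key, 0x1234567890, m1)
    _, c2 = encrypt_packet(key, 0x1234567890, m2)       # same IV reused
    print(xor_of_plaintexts_on_iv_reuse(c1, c2) == bytes(a ^ b for a, b in zip(m1, m2)))
    print(collision_probability(2 ** 20), packets_until_iv_repeat(1))
```

The simulation takes a second or so, since it draws on the order of a million IVs before the first repeat.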
Q7: Key Distribution
Consider the following key exchange protocol:
1. A → S: A, {T_A, B, K_AB}_K_AS
2. S → B: {T_S, A, K_AB}_K_BS
A generates session key πΎπ΄π΅ and sends it to server S. The protocol uses timestamps T. Design a Man In The
Middle (MITM) attack against this protocol.
Q7: Solution