
IERG4130 2012 Spring Homework1 Suggested Solution

HU, Pili February 27, 2012

Abstract. This article provides the suggested solution of IERG4130 2012 Spring HW1. Any solution with a reasonable argument can be accepted. Note that some sections are marked with an asterisk (*) to indicate that they are supplementary. If you have any problems, please contact Pili.

Contents
1 Q0 Recent News [15 Marks]
  1.1 Question
  1.2 Suggested Solution 1
2 Q1 Meet-in-the-middle Attack [25 Marks]
  2.1 Question
  2.2 Review of MITMA Procedure (classical DES-56)
  2.3 Suggested Solution 1
    2.3.1 Basic Assumption
    2.3.2 (a)
    2.3.3 (b)
    2.3.4 (c)
  2.4 *Suggested Solution 2
    2.4.1 (a)
    2.4.2 (b)
    2.4.3 (c)
  2.5 *Effective Key Length Analysis of MITMA
3 Q2 Cipher Block Loss and Corruption [20 Marks]
  3.1 Question
  3.2 Generalized Analysis
  3.3 Suggested Solution 1
    3.3.1 (a)
    3.3.2 (b)
    3.3.3 (c)
    3.3.4 (d)
    3.3.5 (e)
4 Q3 CBC Collision [20 Marks]
  4.1 Question
  4.2 Suggested Solution 1
    4.2.1 (a)
    4.2.2 (b)
5 Q3 Attack XOR Protocol [20 Marks]
  5.1 Question
  5.2 Suggested Solution 1
  5.3 Suggested Solution 2
  5.4 Remarks

1 Q0 Recent News [15 Marks]

1.1 Question

Write a summary of a recent news story about a cyber security incident. Discuss:
- how it was done
- what the security issue is
- why it is important
- the lesson learnt
- how it can be prevented
- ...
Write NO MORE THAN 300 words, and please also submit a copy of the news story or the corresponding URL.

1.2 Suggested Solution 1

Pick any recent news story you like. Note that the essential parts you must provide are:
- a copy of the news story or the corresponding URL;
- a discussion of each point listed in the problem statement.

2 Q1 Meet-in-the-middle Attack [25 Marks]

2.1 Question

Consider the meet-in-the-middle attack on double DES, with 64-bit data blocks and two 56-bit keys.

(a) If a pair of keys produces the same output in the middle stage, we call it a collision (it may or may not be the right pair of keys). What is the average number of collisions if we only check the keys against one plaintext/ciphertext pair, $(P_1, C_1)$?

(b) If an additional pair of known plaintext and ciphertext, $(P_2, C_2)$, is given, what is the average number of collisions for both pair 1 and pair 2? That is, a key pair $(K_1, K_2)$ satisfies
$$E_{K_1}(P_1) = D_{K_2}(C_1), \qquad E_{K_1}(P_2) = D_{K_2}(C_2)$$
simultaneously.

(c) We have calculated the average number of collisions in the two situations above. Note that only one pair of keys out of so many collisions is right. How can we identify the true keys based on the above results? (Hint: what if more plaintext/ciphertext pairs are provided?)

2.2 Review of MITMA Procedure (classical DES-56)

Figure 1: MITMA, Sorting

Figure 2: MITMA, Matching

Given a known pair $(P_1, C_1)$, the attack proceeds as follows. First, encrypt $P_1$ under all $2^{56}$ possible key values. Store the encrypted output of the 1st-stage DES together with its corresponding key in a table, say $T_1$, and then sort $T_1$ by the values of the encrypted output. Next, decrypt $C_1$ under all $2^{56}$ possible key values and put the decrypted output together with its corresponding key in another table, $T_2$, sorted by the decrypted value. Walk down the sorted tables $T_1$ and $T_2$ (which only requires on the order of $2^{57}$ steps instead of $2^{56} \times 2^{56}$, because the tables are already sorted!). If the encrypted output value of an entry in $T_1$ matches the decrypted output value of an entry in $T_2$, record the keys of this pair of entries, say $K_a$ and $K_b$. We can consider $(K_a, K_b)$ to be a 112-bit candidate key for 2-DES.

The searching algorithm after sorting (time complexity $2N$):

1. I = 1, J = 1
2. IF T1(I) == T2(J) THEN report a collision; I++, J++;
   ELSE IF T1(I) > T2(J) THEN J++;
   ELSE I++;
   END IF
3. IF I <= N AND J <= N THEN goto 2

For a given 112-bit (56+56) candidate key, test it against a new known plaintext-ciphertext pair, say $(P_2, C_2)$, or even $(P_3, C_3)$. If the 112-bit candidate key produces a match for the 2 (or 3) known plaintext-ciphertext pairs, accept it as the correct key.

2.3 Suggested Solution 1

2.3.1 Basic Assumption

We assume that encrypted data is uniformly distributed over the data space. The number of possible encryption outputs is $2^{64}$, so the probability of each output is $\frac{1}{2^{64}}$. We also assume that the outputs for different key pairs are independent.

2.3.2 (a)

For each pair of keys, say $(K_a, K_b)$, the probability that $E_{K_a}(P) = D_{K_b}(C)$ is $\frac{1}{2^{64}}$ (uniform assumption). This is the probability of a collision for a given key pair. The number of possible key pairs $(K_a, K_b)$ is $(2^{56})^2$. Thus the expected number of collisions is
$$(2^{56})^2 \cdot \frac{1}{2^{64}} = 2^{48}.$$
This means we will almost surely observe a false key pair that still produces a match in the middle stage if we only check the keys against one (plaintext, ciphertext) pair.

2.3.3 (b)

For each pair of keys, say $(K_a, K_b)$, the probability of a collision for both $(P_1, C_1)$ and $(P_2, C_2)$ is $\frac{1}{2^{64}} \cdot \frac{1}{2^{64}}$ (key-pair independence assumption). Thus the expected number of collisions will be
$$(2^{56})^2 \cdot \frac{1}{2^{64}} \cdot \frac{1}{2^{64}} = \frac{1}{2^{16}}.$$

This means that if we check a key pair against two (plaintext, ciphertext) pairs, the probability of finding a false key pair is drastically reduced.

2.3.4 (c)

From the above calculation, we know that the more (plaintext, ciphertext) pairs you check each candidate key pair against, the less likely you are to get a false-positive pair (namely, a false key that produces the right output). Empirically speaking, after getting a pile of candidate key pairs, we check those candidates against 2-3 additional known (plaintext, ciphertext) pairs.
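The sort-and-scan procedure of Section 2.2 and the collision counting of (a)-(c), as an added Python example that is not part of the original solution: a constructed toy cipher with 8-bit keys and 12-bit blocks stands in for DES, so $2^{2k-d} = 16$ false candidates are expected from one pair and a second pair filters them out. The merge step also pairs up repeated middle values, which the simple I++, J++ sketch above would skip.

```python
# Constructed toy parameters: 8-bit keys, 12-bit blocks (2-DES has k = 56, d = 64).
KEY_BITS, BLOCK_BITS = 8, 12
KEY_SPACE, BLOCK_MASK = 1 << KEY_BITS, (1 << BLOCK_BITS) - 1
MUL = 0x2BD                              # odd, so x -> x*MUL is a bijection mod 2^12
MUL_INV = pow(MUL, -1, BLOCK_MASK + 1)

def toy_encrypt(k, x):
    # Toy keyed permutation (not DES): 4 rounds of add-key, multiply, rotate, xor-key.
    for r in range(4):
        x = (x + ((k * 0x9D + r * 0x3B) & BLOCK_MASK)) & BLOCK_MASK
        x = (x * MUL) & BLOCK_MASK
        x = ((x << 5) | (x >> 7)) & BLOCK_MASK       # rotate left by 5 within 12 bits
        x ^= (k * 0x55 + r * 0x13) & BLOCK_MASK
    return x

def toy_decrypt(k, x):
    # Exact inverse of toy_encrypt: undo each round in reverse order.
    for r in reversed(range(4)):
        x ^= (k * 0x55 + r * 0x13) & BLOCK_MASK
        x = ((x >> 5) | (x << 7)) & BLOCK_MASK       # rotate right by 5
        x = (x * MUL_INV) & BLOCK_MASK
        x = (x - ((k * 0x9D + r * 0x3B) & BLOCK_MASK)) & BLOCK_MASK
    return x

def double_encrypt(k1, k2, p):
    return toy_encrypt(k2, toy_encrypt(k1, p))

def mitm_candidates(p, c):
    """Sort-and-scan MITM on one (P, C) pair: all (Ka, Kb) with E_Ka(P) == D_Kb(C)."""
    t1 = sorted((toy_encrypt(ka, p), ka) for ka in range(KEY_SPACE))   # table T1
    t2 = sorted((toy_decrypt(kb, c), kb) for kb in range(KEY_SPACE))   # table T2
    found, i, j = [], 0, 0
    while i < len(t1) and j < len(t2):
        if t1[i][0] < t2[j][0]:
            i += 1
        elif t1[i][0] > t2[j][0]:
            j += 1
        else:
            # Equal middle values: pair every key in this run of T1 with every key in the
            # matching run of T2 (a plain I++, J++ on match skips pairs when a value repeats).
            v, i_end, j_end = t1[i][0], i, j
            while i_end < len(t1) and t1[i_end][0] == v:
                i_end += 1
            while j_end < len(t2) and t2[j_end][0] == v:
                j_end += 1
            found.extend((ka, kb) for _, ka in t1[i:i_end] for _, kb in t2[j:j_end])
            i, j = i_end, j_end
    return found

def filter_candidates(cands, pairs):
    # Keep only candidates consistent with every additional known (P, C) pair.
    return [(ka, kb) for ka, kb in cands
            if all(double_encrypt(ka, kb, p) == c for p, c in pairs)]

def run_attack(k1, k2, plaintexts=(0x123, 0x7A5, 0xC0F)):
    # Returns (candidates from pair 1, survivors after the other pairs, true key found?).
    # Expected false candidates from one pair: 2^(2k-d) = 2^4 = 16 here, 2^48 for 2-DES.
    pairs = [(p, double_encrypt(k1, k2, p)) for p in plaintexts]
    cands = mitm_candidates(*pairs[0])
    survivors = filter_candidates(cands, pairs[1:])
    return cands, survivors, (k1, k2) in survivors
```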

2.4 *Suggested Solution 2

NOTICE: this section may provide you with more insight into the problem. It is not required, so you can skip it or read it according to your interest.

2.4.1 (a)

To simplify the solution, we can consider the MITMA as a black box which provides us with a set of candidate keys. Let us denote the key length by $k$ and the data length by $d$. This black box searches a $2^{2k}$ space efficiently (in $O(2^{k+1})$ time) and gives the possible pairs $(K_a, K_b)$. Distributing $2^{2k}$ elements over a space of size $2^d$ results in an average collision rate at every point of
$$P\{\text{collision at some place}\} = \frac{\text{Number of elements}}{\text{Size of space}} \tag{1}$$
$$= \frac{2^{2k}}{2^{d}} \tag{2}$$

2.4.2 (b)

Let us extend the deduction in (a). Suppose more (plaintext, ciphertext) pairs are given, say $n$. We can concatenate these data blocks into a larger one. Then the encryption process can be thought of as:
$$\bar{P} = (P_1, P_2, \ldots, P_n) \xrightarrow{\text{Encryption}} \bar{C} = (C_1, C_2, \ldots, C_n) \tag{3}$$
Finding a collision for $n$ (plaintext, ciphertext) pairs is equivalent to finding a collision for $(\bar{P}, \bar{C})$, where the data space is of size $2^{dn}$. Plugging this into eqn (1), we get:
$$P\{\text{collision for } n \text{ pairs}\} = \frac{\text{Number of elements}}{\text{Size of space}} \tag{4}$$
$$= \frac{2^{2k}}{2^{nd}} \tag{5}$$

Eqn (5) suggests that as the number of tested (plaintext, ciphertext) pairs increases, the collision rate is sharply reduced. FYI, from the deduction above we can conclude that the collision rate is independent of how you obtain the key (meet-in-the-middle attack, or even randomly picking a key and finding that it fits the given (P, C) pair). The only thing that matters is the ratio of the key space to the effective data space.

2.4.3 (c)

Please refer to Suggested Solution 1.

2.5 *Effective Key Length Analysis of MITMA

NOTICE: this section may provide you with more insight into the problem. It is not required, so you can skip it or read it according to your interest.

The main task in computing the effective key length (EKL) for 2-DES is to work out the cracking time. For example, in order to crack DES, exhaustive enumeration over all possible keys costs $2^{56}$ units of time. If you use the same approach to crack 2-DES, the time consumption is $2^{112}$ units. That is to say, the effective key length with respect to brute-force attack is 112 bits for 2-DES. If you find more efficient ways to crack it, the effective key length is reduced accordingly.

First, consider the sorting-based MITMA. The time-consuming parts are (let $k$ be the key length and $n$ the table size):

part 1. Encrypt for all possible $K_a$ and decrypt for all possible $K_b$: $O(2^k + 2^k) = O(2^{k+1})$.
part 2. Sort the two tables: $O(n \log n)$ with $n = 2^k$, i.e. $O(k 2^k + k 2^k) = O(2k \cdot 2^k)$.
part 3. Scan through the tables to find candidates: $O(2^{k+1})$.

(This is the classical structure of MITMA, but later you will see that there are alternatives for part 2 and part 3.)

Then the question is which part is dominant. By identifying the dominant component, we can construct the following arguments:

- $\text{EKL} = k + 1 = 57$. This happens when part 1 or part 3 is dominant. For part 1, if the only tool at hand is an ordinary PC, we know that software encryption and decryption of DES is slow, so part 1 becomes dominant. Part 3 is less likely to become dominant, because the unit operations of part 2 and part 3 are both comparisons.
- $\text{EKL} = k + \log_2 2k \approx 62.81$. This happens when part 2 is dominant. For part 2, the time consumption is lower-bounded by the sorting algorithm. Classical internal sorting algorithms like quicksort and mergesort reach the lower bound of $O(n \log n)$. Note that DES encryption/decryption can be implemented much more efficiently in hardware. Here we assume the cost of an encryption/decryption and of a comparison (the unit operation of sorting) are close, which leads to part 2 being dominant.
- $\text{EKL} \in [k + 1,\ k + \log_2 2k]$. Note that the above two are just extreme cases, so any value within this range is possible.

Next, we consider non-sorting-based MITMA. If we have abundant memory, the attack can proceed like this:

part 1. Encrypt for all possible $K_a$ and decrypt for all possible $K_b$: $O(2^k + 2^k) = O(2^{k+1})$ (same as sorting-based MITMA).
part 2. For the encryption output of the $i$-th key, store it in a huge array, say $A[C_i] = K_{1,i}$, where $C_i = \text{Encrypt}_{K_{1,i}}(P)$. Time consumption is $O(2^k)$.
part 3. For each decryption output, say $X$, look up $A[X]$. If it is not NULL, then a collision (candidate key pair) is found. Time consumption is $O(2^k)$.

In this case, the effective key length for 2-DES is $k + 1$. The memory needed is $2n$ units, which is very large. BTW, if we consider the initialization stage of this non-sorting-based scheme, an additional $2n$ time is needed. In practice, which is the most effective way is still an open question. This section only walks you through the simple theoretical analysis.

3 Q2 Cipher Block Loss and Corruption [20 Marks]

3.1 Question

Alice uses AES-128 and one of the modes of operation to encrypt twenty data blocks, $P_1 P_2 P_3 \ldots P_{20}$, to get cipher blocks $C_1 C_2 C_3 \ldots C_{20}$. The IV together with the cipher blocks are then transmitted to Bob through an unreliable channel. In the following cases, what will Bob get when he decrypts the received cipher blocks with the same mode of operation as Alice uses?

Note: the block size and key size of AES-128 are both 128 bits. When we say "missing", by default the receiver does not know the block is missing. He will assume the sequence is in the same order as the sender transmitted it.

(a) CBC is used; the IV is deleted and $C_1$ is treated as the IV; $C_5$ and $C_6$ are deleted; $C_{14}$ to $C_{20}$ are truncated (the last block actually received is $C_{13}$).
(b) CFB-16 is used; the entire $C_4$ (16 bits of it) is missing and Bob treats the received $C_5$ as $C_4$, $C_6$ as $C_5$, ...
(c) OFB-64 is used; the entire $C_{10}$ (64 bits of it) is missing and Bob treats the received $C_{11}$ as $C_{10}$, $C_{12}$ as $C_{11}$, ...
(d) CTR is used; $C_9$ is corrupted.
(e) Please conclude one general rule each for CBC, CFB-s, OFB-s and CTR, when:
    Block $C_k$ is corrupted: CBC: ____ CFB-s: ____ OFB-s: ____ CTR: ____
    Block $C_k$ is missing: CBC: ____ CFB-s: ____ OFB-s: ____ CTR: ____

3.2 Generalized Analysis

Related slides: Cryptography, P47-P58.

This problem is composed of several concrete cases followed by a general one. As long as we can solve the last subproblem, the others are trivial. You may like to draw a sketch for (a)-(d) first; that will help you reach the conclusion of (e).

Let us clarify two definitions first:

Block Corruption (BC). A block is said to be corrupted if part of its bit sequence is flipped.

Block Loss (BL). If the receiver is aware of the loss of a block, the situation is the same as Block Corruption: you simply regard the lost block as an arbitrarily corrupted block at its original place. If the receiver is not aware of the loss, the received sequence is $[IV, C_1, C_2, \ldots, C_{k-1}, C_{k+1}, \ldots, C_n]$, where $C_k$ is the lost block. By default, Block Loss refers to the latter situation.

For BL of $C_k$: first, block $P_k$ is not recoverable; this is obvious from the definition. Whether it influences the decryption of other blocks depends on the mode (let $B$ denote the size of the shift register):

CBC. The unrecoverable block is $P_{k+1}$. In CBC mode, a cipher block only influences its direct successor.

CFB-s. To decrypt block $C_m$, the sequence $[C_{m-B/s}, C_{m-B/s+1}, \ldots, C_{m-1}]$ must be in the shift register. The first block after $C_k$ that can be decrypted is $C_{k+B/s+1}$. So the blocks $[P_{k+1}, P_{k+2}, \ldots, P_{k+B/s}]$ are not recoverable.

OFB-s. $[P_k, P_{k+1}, \ldots, P_n]$ are not recoverable, because the rest of the received sequence is shifted from point $k$ onwards. Those blocks will all be XORed with the wrong cipher output.

CTR. $[P_k, P_{k+1}, \ldots, P_n]$ are not recoverable. The reason is the same as for OFB-s.

For BC of $C_k$: first, block $P_k$ is not recoverable; this is obvious from the definition. Whether it influences the decryption of other blocks depends on the mode (let $B$ denote the size of the shift register):

CBC. The unrecoverable block is $P_{k+1}$. In CBC mode, a cipher block only influences its direct successor.

CFB-s. Note that there is a shift register which depends on the received cipher blocks. The corrupted block ($s$ bits) only loses its effect after $B/s$ rounds, where $B$ is the size of the shift register. The blocks $[P_{k+1}, P_{k+2}, \ldots, P_{k+B/s}]$ are not recoverable.

OFB-s. Note that OFB is a kind of stream cipher. Decryption does not depend on previously received cipher blocks. Thus no other blocks are influenced.

CTR. Note that decryption only depends on the counter and the current block. Thus no other blocks are influenced.

In this problem, the underlying cipher used in the modes of operation is AES-128, whose block length, namely the length of the shift register, is 128. We need to plug $B = 128$ into the above results.

3.3 Suggested Solution 1

3.3.1 (a)

$P_2, \ldots, P_4, P_8, \ldots, P_{13}$

3.3.2 (b)

$P_1, P_2, P_3, P_{13}, \ldots, P_{20}$

3.3.3 (c)

$P_1, \ldots, P_9$

3.3.4 (d)

$P_1, \ldots, P_8, P_{10}, \ldots, P_{20}$

If the receiver knows a block is missing, the situation is similar to corruption. The results for CFB are identical for both corruption and loss.

3.3.5 (e)

Conclusion:

Block $C_k$ is corrupted:
CBC: $P_k, P_{k+1}$ are unrecoverable.
CFB-s: $[P_k, P_{k+1}, \ldots, P_{k+B/s}]$ are not recoverable.
OFB-s: only $P_k$ is unrecoverable.
CTR: only $P_k$ is unrecoverable.

Block $C_k$ is missing:
CBC: $P_k, P_{k+1}$ are unrecoverable.
CFB-s: $[P_k, P_{k+1}, \ldots, P_{k+B/s}]$ are not recoverable.
OFB-s: $[P_k, P_{k+1}, \ldots, P_n]$ are not recoverable.
CTR: $[P_k, P_{k+1}, \ldots, P_n]$ are not recoverable.

4 Q3 CBC Collision [20 Marks]

4.1 Question

Recall the Cipher Block Chaining (CBC) mode of DES as depicted below. In particular, $C_i = E_K(P_i \oplus C_{i-1})$ for $i \geq 2$, where $E_K(\cdot)$ represents the DES encryption operation using $K$ as the key.

Figure 3: CBC Illustration

(a) [10 marks] Suppose we use the CBC mode of DES with a key $K$ to encrypt a large file $M$ blocks long, and some pair of output cipher blocks, say $C_j$ and $C_k$, turn out to be identical (and this is observed by an outside attacker, as all of the cipher output blocks are generally exposed to the attacker). From such an observation, what information regarding the plaintext blocks $P_j$ and $P_k$ is leaked to the attacker? (Hint: you may consider what the attacker can say about the expression $P_j \oplus P_k$ given the above observation.)

(b) [10 marks] In general, when a block cipher with a block size of $n$ bits is applied to encrypt a large file $M$ blocks long using the CBC mode, how many pairs of colliding output cipher blocks as described in (a) should we expect on average?

4.2 Suggested Solution 1

4.2.1 (a)

From the problem description, we have the following relationships:
$$C_j = E_K(P_j \oplus C_{j-1}) \tag{6}$$
$$C_k = E_K(P_k \oplus C_{k-1}) \tag{7}$$
If $C_j = C_k$, we can derive the following relationships:
$$E_K(P_j \oplus C_{j-1}) = E_K(P_k \oplus C_{k-1}) \tag{8}$$
$$P_j \oplus C_{j-1} = P_k \oplus C_{k-1} \tag{9}$$
$$P_j \oplus P_k = C_{j-1} \oplus C_{k-1} \tag{10}$$
where (9) follows from (8) because $E_K$ is a permutation for a fixed key $K$ (equal outputs imply equal inputs). Note that both $C_{j-1}$ and $C_{k-1}$ are known to the attacker, thus the value of $C_{j-1} \oplus C_{k-1}$ is known. Although we cannot derive exactly what $P_j$ and $P_k$ are from the single observation, a certain amount of information is leaked (eqn (10)). If we have a large number of observations, we can get more statistical information.

4.2.2 (b)

Like the way we dealt with the previous problems, we make some assumptions to simplify this problem:

1. The output of this block cipher is uniformly distributed.
2. Although CBC mode makes the sequence of cipher blocks related to each other, we assume the output of each block is independent.
3. Furthermore, we assume that whether one pair of outputs is identical is independent of the other pairs.

For an $n$-bit block cipher, there are $2^n$ different outcomes. The probability that two outputs are identical is $\frac{1}{2^n}$. Out of $M$ blocks, the number of different pairs is
$$C_M^2 = \frac{M(M-1)}{2}.$$
With the pair-independence assumption, we can compute the average number of colliding output cipher blocks in the following way:
$$\{\text{Number of Collisions}\} = \{\text{Collision Probability for One Pair}\} \times \{\text{Number of Pairs}\} = \frac{1}{2^n} \cdot \frac{M(M-1)}{2} \tag{11}$$

5 Q3 Attack XOR Protocol [20 Marks]

5.1 Question

Someone suggests the following way to confirm that you and your friend are both in possession of the same (secret) key. You create a random bit string with length equal to that of the key, XOR it with the key, and send the result over the communication channel to your friend. Your friend XORs the incoming block with the key (which should be the same as your key) and sends it back. You check, and if what you receive is your original random string, you have verified that your friend has the same secret key, yet neither of you has transmitted the key. Is there a flaw in this scheme? Explain.

5.2 Suggested Solution 1

One possible way to attack this protocol is by sniffing, from which we get the following relationship:
$$P \oplus K = C$$
where $P$ is the random sequence and $C$ is what you sent to your friend. Note that on successful authentication your friend sends $P$ back. Thus the attacker knows both $P$ and $C$, and can then reveal the key:
$$K = P \oplus C$$

5.3 Suggested Solution 2

This protocol is vulnerable even without any active communication between you and your friend. The attacker first generates a random number, say $P$, and sends this number directly to your friend. Of course, your friend cannot distinguish this forged query, since it is in the authentication stage. Your friend should follow the protocol specification to prove he owns the key, so he will send back
$$C = P \oplus K$$
The attacker is now able to reveal the key by a simple XOR.

5.4 Remarks

XOR is a powerful and simple building block in mechanism design. However, you should use it with great care.

Acknowledgements
Thanks to professor and other tutors in this class.

