Cryptography Final Exam
What is the difference between data integrity (i.e., the integrity of data in transit) and non-repudiation?
Data integrity ensures the message is the same as it was when it was sent. Non-repudiation means that the message was sent and received by the parties involved.
What is confusion? What is diffusion? Why do we need them? Do stream ciphers (such as RC4) have diffusion?
Diffusion -- statistical structure of the plaintext is dissipated into long-range statistics of the ciphertext. This is achieved by having each plaintext digit affect the value of many ciphertext digits. Confusion -- seeks to make the relationship between the statistics of the ciphertext and the value of the encryption key as complex as possible, to thwart an attempt to recover the key.
The details of ECB, CBC, CFB, CTR, and OFB: how do they (including encryption and decryption) work?
Electronic Codebook Each block of plaintext bits is encoded independently using the same key CBC the input to encryption algorithm is the XOR of the next block of plaintext and the preceding block of ciphertext. CFB Input is processed s bits at a time. Preceding ciphertext is used as input to the encryption algorithm to produce pseudo random output which is XORed with plaintext to produce next unit of ciphertext. Output Feedback: similar to CFB, except that the input to the encryption algorithm is the preceding encryption output and full blocks are used. Counter CTR each block of plaintext is XORed with an encrypted counter. The counter is incremented for each subsequent block.
Data confidentiality: How to achieve data confidentiality? How to protect the confidentiality of bulk data (say 1 Giga bytes)?
Encryption
MAC vs. symmetric-key encryption: Compare MAC with symmetric encryption like AES-128
Encryption provides confidentiality, a MAC provides integrity. Using encryption alone makes your messages vulnerable to a ciphertext only attack. An example will make it more clear. Say you send a message that says: M = "transfer 100$ to account 591064" The sender, with the symmetric key, can encrypt the message and send E(M). No one should be able to send a valid message other than the holder of the key. You have confidentiality covered. But an attacker could alter the ciphertext to make it say something else when decrypted. Obviously, the larger the message and the more structure it has, the harder it gets to carry out in practice. Now if you use a MAC along with encryption, you will be able to detect changes to the cipher text because the MAC will not compute. In our example, if you use the same key for encryption and MAC, then you can change your message to: M = "transfer 100$ to account 591064|a46c0db15acdd36b4e92a82e5dc6c14f" and encrypt it, again sending E(M). The hash is encrypted (that's your MAC), the message is encrypted (for confidentiality). That way, you make it computationally impossible to alter the cipher text and come up with a valid message, even if your message is a single, random byte. Choosing the best hash, encryption and key length is another story. In conclusion: Encryption does not provide integrity by itself MAC (integrity) does not provide confidentiality by itself You often have to combine cryptographic primitives to achieve many security properties.
What is brute-force attack? What do you need to know in order to mount brute- force attacks?
Exhaustive effort to gain access to a system, trying all possibilities. On average, half of all possible keys must be tried to be successful. Some degree of knowledge about the expected plaintext is needed, and some way of distinguishing plaintext from garble is also needed.
What does Kerckhoffs' assumption/principle tell us? Why is it important?
"a cryptosystem should be secure even if everything about the system, except the key, is public knowledge."
RSA encryption: How does RSA encryption work? RSA key generation, encryption, and decryption. How large should a RSA key be?
2048 bit key
CCA and CCA2: What are the differences between chosen-ciphertext attacks (CCA) and adaptive chosen-ciphertext attacks (also called CCA2)?
A chosen-ciphertext attack (CCA) is an attack model for cryptanalysis where the cryptanalyst can gather information by obtaining the decryptions of chosen ciphertexts. From these pieces of information the adversary can attempt to recover the hidden secret key used for decryption. Adaptive chosen-ciphertext attack
MAC vs. regular checksum: Compare MAC with regular checksum (like CRC32)
A cryptographic hash function is a completely public, deterministic hash function which everybody can compute over arbitrary inputs. It takes as input a sequence of bits (any sequence of bits; some hash functions are formally limited to inputs of, say, less 264 bits, aka "2 millions of terabytes") and outputs values in a rather small space, typically a sequence of bits with a fixed size (e.g. always 160 bits with the standard hash function SHA-1). Good cryptographic hash functions respect some conditions which boil down to, informally, that they mix input data so thoroughly that we cannot figure it out afterwards. A message authentication code is an algorithm which takes as input a message and a secret key and produces a fixed-sized output which can be later on verified to match the message; the verification also requires the same secret key. Contrary to hash functions where everything is known and attackers are fighting against mathematics, MAC make sense in models where there are entities with knowledge of a secret. What we expect from a good MAC is unforgeability: it should be infeasible to compute a pair message+MAC value which successfully verifies with a given key K without knowing K exactly and in its entirety.
How does one-time pad (OTP) work? How secure is it? How practical is it?
A random key as long as the message is created and used once to encrypt/decrypt. OTP is presumed to be unbreakable, but is not practical. Large quantities of random keys must be created. Key distribution and protection is a problem.
Why modes of operation? Since we already have AES-256, why do we need modes of operation like CBC?
A technique used for enhancing the effect of a cryptographic algorithm or adapting the algorithm for an application such as applying a block cipher to a sequence of data blocks or a data stream.
MAC vs. digital signature: What are the differences between MAC and digital signature? Since we already have digital signature schemes, why do we still need MAC?
Both protect integrity, but MAC does not offer protection for non-repudiation between the two parties.
CBC versus CTR: Compare CBC and CTR. For each of them give its advantages and disadvantages. Be concise.
CBC is appropriate for encrypting messages of length greater than b bits because of the chaining mechanism. CTR is just as secure as the others, and provides more efficiency. CTR mode requires only the implementation of the encryption algorithm and not the decryption algorithm.
Cryptographic hash function: What is a cryptographic hash function? Why do we need it?
Cryptographic hash function is an algorithm for which it is computationally infeasible to find either a data object that maps to a pre-specifies hash result or two data objects that map to the same hash result. Hash functions are used to see if data objects have changed.
Hybrid encryption: What is hybrid encryption? Why do we need it?
Hybrid encryption is a mode of encryption that merges two or more encryption systems. It incorporates a combination of asymmetric and symmetric encryption to benefit from the strengths of each form of encryption. These strengths are respectively defined as speed and security
How does Triple DES work? What is its key size? How secure is it?
In 3DES, the DES algorithm is run through three times with three keys, however it is only considered secure if three separate keys are used. Still secure if three separate keys are used.
What is information-theoretic security? What is computational security? What are their differences?
Information-theoretic security means that any algorithm (even unbounded) has a negligible probability of breaking the security property (in the security parameter). This is the same as unconditional security. computationally secure. Said of a cipher that cannot be broken with the current computer technology within a period short enough to be practicable.
If you can verify a digital certificate sent to you over the Internet by a remote entity, what does that verification tell you? Does it tell you that the remote entity is Alice (the verified digital certificate says Alice)? Why?
It tells you that the certificate has been verified by the CA, as it has been signed with the CA's private key. You can verify this with the CA's public key.
Kerberos: What is the major security drawback of the Kerberos authentication system?
Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits. The tickets have a time availability period and if the host clock is not synchronized with the Kerberos server clock, the authentication will fail.
How does DES work? The details of DES encryption, decryption, and key scheduling? What are DES's key size, data block size, and number of rounds? How secure is it?
Key size: 56 bites Plaintext size: 64 bits 16 Rounds 64 bit plaintext passes through initial permutation that rearranges the bits to produce permutated input. Then 16 rounds of the same function with permutations and substitutions. The output of the last round has 64 bits that area function of the input plaintext and the key. The left and right halves of the output are swapped to produce the pre output. Finally, the preoutput is passed through a permutation that is the inverse of the initial permutation function to produce the 64-bit ciphertext. DES is not secure due to its 56 bit key length.
STRONG data integrity: How to achieve STRONG data integrity (against active adversaries) in general? Is encryption with redundancy (like CRC and LRC) is a good solution for strong data integrity?
MAC is how to achieve strong data integrity. Using strong hash functions can provide integrity as well so the receiving party can check to see if the messages are the same.
Digital certificate: Is there any secret information stored in a digital certificate? Should we keep digital certificate secret?
No private information is found in a cert, they should not be kept secret. In fact, they can be posted on the internet for others to use if needed.
Standard Diffie-Hellman: How does the standard Diffie-Hellman protocol work? Is it secure against passive eavesdroppers? Is it secure against active attacks?
Not secure against passive eavesdroppers, not secure against active attacks alone. It offers no form of authentication.
Digital certificate, private key and smartcard: Which of them, digital certificate or private key, should be stored in a smartcard and never leave the Smartcard?
Private Key.
What security services does cryptography provide? What security services does cryptography not provide?
Provides: Confidentiality Integrity Authentication Non Repudiation Does Not Provide: 1. Access Control
Why public key encryption: Since we already have fast encryption schemes like AES, why do we need public key encryption schemes like RSA?
Public key cryptography increase security and can provide means for authentication when used appropriately. There is no need to share and risk having a symmetric key stolen.
Plain RSA: How secure is plain RSA-3072? Is it secure against probable message attacks? What is semantic security?
RSA is susceptible to: 1. Brute Force 2. Mathematical Attack (factoring) 3. timing attacks 4. Hardware fault-based attack 5. Chosen ciphertext attack. In cryptography, a semantically secure cryptosystem is one where only negligible information about the plaintext can be feasibly extracted from the ciphertext.
Public key distribution: How do we reliably distribute public keys?
Secure algorithms (such as Diffie-Hellman)
How does a stream cipher like RC4 work?
Stream ciphers encrypt plaintext one byte at a time, although it may be designed to operate on one bit at a time or on units larger than a byte.
How does AES-256 work? The details of AES encryption, decryption, and key scheduling? What are AES's key size, data block size, and the number of rounds? How secure is AES?
The cipher takes a plaintext block size of 128 bits or 16 bytes. Key length can be 128, 192, or 256. The input is a 128-bit block. 128 has 10 rounds, 192, 12 rounds, 256 14 rounds.
The security of MAC: How do we evaluate the security of MAC schemes? What are Brute-force attacks, known-message attacks, chosen-message attacks, and adaptive chosen-message attacks?
The desired security property of a MAC is Computation Resistance: given one or more MAC pairs, it is infeasible to compute any text-MAC pair.
Link-level encryption vs. end-to-end encryption: What are the differences between link encryption and end-to-end encryption?
The main difference between link encryption and end-2-end (peer-2-peer) encryption is the type of data that is encrypted, as mentioned above. In end-2-end encryption, only the data or payload is encrypted. Metadata like headers, addresses, etc. are unencrypted and remain visible for others. In link encryption, a security tunnel is established, and data is transferred via this secure tunnel so that no one can read the data traveling the client to the server and vice versa. However, once the data reaches the server side, it is decrypted and becomes readable thus unprotected.
PRNG: LCM and BBS: Our CNS textbook discusses both LCM and BBS. Neither of them is suitable for real-world applications. Why?
They are not truly "random" and thus run the risk of being found out or detected, such as the seed being discovered.
Encrypt the hash with a private key? In our textbook and a couple of other books, the wording of "encrypt the hash with a private key" is commonly used. Is the operation really encryption? If the DSA digital signature algorithm is used, does this wording make sense as DSA does not provide encryption/decryption?
This is not encryption. This is digitally signing.
How does the ideal block cipher (also called true random cipher) work? How useful is it?
This is where the ideal cipher model comes into play. In the ideal cipher model, we just pretend the block cipher is a random permutation for every key. Furthermore, we treat these permutations as independent. We assume that if an attacker wants to know what happens when a block is encrypted under a given key, he has to go to the work of computing it himself. He can't infer anything about the output by encrypting other blocks, or the same block under a different key. (Exception: Given a fixed key, no two inputs will produce the same output. So the attacker can rule out that possibility, but that's it.)
Randomness generation: How to generate a random secret like an AES-256 key and a random prime?
Use an input source that is random, (entropy source) sound/video input, disk drives, keystrokes etc.
Digital signature: What is digital signature?
Verifies the author and the date and time of the signature. It must authenticate the contents at the time of the signature. It must be verifiable by third parties to resolve disputes.