A. Decrypt y. Provide the decrypted plaintext. [20%]
(As the exercise states, this is textbook deterministic RSA, i.e., you encrypt numbers and decrypt numbers modulo n).
Explain your reasoning and method that you used to solve this question. You do not need to include your code, but you do need to explain your approach.
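As an added illustration of what "textbook deterministic RSA" means here (not part of the assignment, and using the classic small constructed parameters p = 61, q = 53, e = 17 rather than any values from the exercise), the following shows key derivation, encryption and decryption as integer arithmetic modulo n, with decryption done both directly and via the CRT:

```python
# Added worked example, not part of the assignment. Constructed small
# primes keep the arithmetic readable; real keys use primes of 1024+ bits.
from math import gcd


def keygen(p, q, e=65537):
    """Return (n, e, d) for primes p, q; d is the inverse of e modulo phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return n, e, d


def encrypt(m, n, e):
    """Textbook RSA: c = m^e mod n. No padding and no randomness, so the same
    m always maps to the same c (the 'deterministic' in the exercise)."""
    if not 0 <= m < n:
        raise ValueError("plaintext must be an integer in [0, n)")
    return pow(m, e, n)


def decrypt(c, n, d):
    """Textbook RSA: m = c^d mod n."""
    return pow(c, d, n)


def decrypt_crt(c, p, q, d):
    """Same result as decrypt(), computed modulo p and q separately and
    recombined with Garner's form of the CRT (how real implementations do it)."""
    dp, dq = d % (p - 1), d % (q - 1)
    mp, mq = pow(c, dp, p), pow(c, dq, q)
    q_inv = pow(q, -1, p)
    h = (q_inv * (mp - mq)) % p
    return mq + h * q


def demo():
    p, q = 61, 53                  # constructed primes, n = 3233
    n, e, d = keygen(p, q, e=17)   # phi = 3120, d = 2753
    m = 65
    c = encrypt(m, n, e)           # 2790
    assert decrypt(c, n, d) == m == decrypt_crt(c, p, q, d)
    assert encrypt(m, n, e) == c   # determinism: identical m, identical c
    return n, d, c


if __name__ == "__main__":
    print(demo())
```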
B. 1. Some WEP-promotion campaign says that WEP encryption provides a total of 40 + 24 = 64 bits of security strength. What do you think about this statement? Justify your answer. [3%]
2. Explain how the receiver B uses K to extract the original message M upon receipt of (IV, C). [3%]
3. In some implementations, the 24-bit IV is assigned at random to each frame. Show that this leads to a serious security problem when large amounts of data are sent/received. Propose a better solution.
4. Now we examine another security issue of WEP. Assume that an adversary sitting in-the-middle between A and B has intercepted one frame of traffic data (IV, C) from A destined for B. Show that the adversary, who does not know K and does not bother to find K, can easily compute a valid C′ (C′ ≠ C) such that he can send the modified data (IV, C′) to B without fear of detection.
How many different choices of such C′ does he have?
Which property of cryptography is violated here?
What would you say security-wise about the fact that L is linear and used as it is in WEP?
Don’t forget that the attackers know the systems (which are considered to have public specs). I.e., the attacker here knows the lengths of inputs/outputs, etc.
C. 1. Let j be the smallest index such that the jth bit of Ki is 1. In iteration i, we consider the values of X and X′ in step 3. Show that X′ = X ⊕ (1 − Xj)Ki. [4%]
[Hint: we have to compare the bits in X and X′, starting with the most significant ones. Think how X and X′ compare bit by bit. At which position is there a first difference?]
2. In iteration i, let X and X′ be the values of these variables before step 4, and Xnew be the value of X after step Show that Xnew = X ⊕ (Li ? X′)Ki. [4%]
3. Given that the procedure returns X, and X varies w.r.t. K as per point (b) above, it can be shown that EKL(X) is an affine cipher. This means that we have EKL(X) = (M × X) ⊕ c for some bit-matrix M, with × being multiplication of the bit-matrix with the bit-vector X, and c being some constant bitstring depending on KL.
Given this information, propose a way to break this symmetric encryption scheme.
Describe this way in words, i.e., no implementation is necessary. [7%]
[Hint: breaking the scheme means you should be able to decrypt some new ciphertext. I.e., this would be to recover X out of (M × X) ⊕ c for some X you do not already know.
What would you need in order to be able to do that? Can you get this thing you would need? If you can, then describe how and you are done.]
D. 1. Why do we want to secure the session with symmetric encryption instead of asymmetric encryption? [2%]
2. Assuming that all the messages in the protocol given in Figure 1 are authenticated, explain why the subsequent connections are confidential and authenticated. [6%]
3. If the first connection is not authenticated, explain what an active adversary can do to break the intended security of this system as you understand it. [6%]
4. Why does the SSH client need to warn the user (i.e., the person using this SSH client), when the public key has changed? [4%]
5. Given the points above, why would you say that SSH is useful?
E. 1. Model the protocol Π in Scyther. Explain your modelling choices. How have you modelled the private channel between T and R? Include the Scyther model (i.e. the .spdl file) as a separate file with your submission.
2. Check the following security goals in Scyther:
– agreement on message m between S, R, and T;
– synchronisation between S, R, and T.
Express these 3-party goals as best you can.
Explain your modelling and findings.
3. If you find any attack in the above, modify the protocol and check the modification does indeed stop the attack.
4. Apart from the results of the analysis you do in Scyther, do you think the protocol Π is an appropriate solution for the 3-party problem presented? Could you improve on it, from any viewpoint, security or otherwise? Explain your answer.