Cryptography And Network Security 5th Edition William Stallings - Solutions

a. Consider the following hash function. Messages are in the form of a sequence of numbers inThe hash value is calculated asfor some predefined value . Does this hash function satisfy any of the requirements for a hash function listed in Table 11.1? Explain your answer.b. Repeat part (a) for the
It is possible to use a hash function to construct a block cipher with a structure similar to DES. Because a hash function is one way and a block cipher must be reversible (to decrypt), how is it possible?
Now consider the opposite problem: using an encryption algorithm to construct a oneway hash function. Consider using RSA with a known key. Then process a message consisting of a sequence of blocks as follows: Encrypt the first block, XOR the result with the second block and encrypt again, etc. Show
Suppose H( ) is a collision-resistant hash function that maps a message of arbitrary bit length into an -bit hash value. Is it true that, for all messages x, x′ with x ≠ x′ we have H(x) Z H(x′) Explain your answer.
In Figure 11.11, it is assumed that an array of 80 64-bit words is available to store the values of Wt so that they can be precomputed at the beginning of the processing of a block. Now assume that space is at a premium. As an alternative, consider the use of a 16-word circular buffer that is
For SHA-512, show the equations for the values of W16,W17,W18 and W19.
State the value of the padding field in SHA-512 if the length of the message isa. 1919 bitsb. 1920 bitsc. 1921 bits
State the value of the length field in SHA-512 if the length of the message isa. 1919 bitsb. 1920 bitsc. 1921 bits
Suppose a1a2a3a4 are the 4 bytes in a 32-bit word. Each ai can be viewed as an integer in the range 0 to 255, represented in binary. In a big-endian architecture, this word represents the integerIn a little-endian architecture, this word represents the integera. Some hash functions, such as MD5,
This problem introduces a hash function similar in spirit to SHA that operates on letters instead of binary data. It is called the toy tetragraph hash (tth).2 Given a message consisting of a sequence of letters, tth produces a hash value consisting of four letters. First, tth divides the message
Develop a table similar to Table 4.9 for GF(28) with m(x) = x8 + x4 + x3 + x2 + 1. Table 4.9 Generator for GF(2) using x + x + 1 Power Representation Polynomial Representation 0 g(=g') "o "oo oo oo 0 1 g +99 g+1 g + g g+8+1 g + 1 Binary Representation 000 001 010 100 011 110 111 101 Decimal (Hex)
Show the E and E-1 mini-boxes in Table N.2 in the traditional S-box square matrix format, such as that of Table 5.4. Table 5.4 AES Example Start of Round 01 89 fe 76 23 ab de 54 45 cd ba 32 67 ef 98 10 0e ce f2 d9 36 72 6b 2b 34 25 17 55 ae b6 4e 88 65 74 70 75 5c 7b b4 9a of c0 4d c7 e8 do ff e8
Verify that Figure N.5 is a valid implementation of the S-box shown in Table N.2a. Do this by showing the calculations involved for three input values: 00, 55, 1E.
Provide a Boolean expression that defines the S-box functionality of Figure N.5.
Whirlpool makes use of the construction Now notice that the key schedule for Whirlpool resembles encryption of the cipher key under a pseudo-key defined by the round constants, so that the core of the hashing process could be formally viewed as two interacting encryption lines. Consider the
What types of attacks are addressed by message authentication?
What two levels of functionality comprise a message authentication or digital signature mechanism?
What are some approaches to producing message authentication?
When a combination of symmetric encryption and an error control code is used for message authentication, in what order must the two functions be performed?
What is a message authentication code?
What is the difference between a message authentication code and a one-way hash function?
In what ways can a hash value be secured so as to provide message authentication?
Is it necessary to recover the secret key in order to attack a MAC algorithm?
What changes in HMAC are required in order to replace one underlying hash function with another?
If \(\mathrm{F}\) is an error-detection function, either internal or external use (Figure 12.2) will provide error-detection capability. If any bit of the transmitted message is altered, this will be reflected in a mismatch of the received FCS and the calculated FCS, whether the FCS function is
The data authentication algorithm, can be defined as using the cipher block chaining (CBC) mode of operation of DES with an initialization vector of zero (Figure 12.7). Show that the same result can be produced using the cipher feedback mode. Time = 1 Time = 2 D D (64 bits) HI DES DES K-> encrypt
At the beginning of Section 12.6, it was noted that given the CBC MAC of a oneblock message \(X\), say \(T=\operatorname{MAC}(K, X)\), the adversary immediately knows the CBC MAC for the two-block message \(X \|(X \oplus T)\) since this is once again \(T\). Justify this statement.
In this problem, we demonstrate that for CMAC, a variant that XORs the second key after applying the final encryption doesn't work. Let us consider this for the case of the message being an integer multiple of the block size. Then, the variant can be expressed as \(\operatorname{VMAC}(K,
In the discussion of subkey generation in CMAC, it states that the block cipher is applied to the block that consists entirely of 0 bits. The first subkey is derived from the resulting string by a left shift of one bit and, conditionally, by XORing a constant that depends on the block size. The
Listed three general approaches to authenticated encryption: MtE, EtM, and E\&M.a. Which approach is used by CCM?b. Which approach is used by GCM?
Show that the GHASH function calculates\[\left(X_{1} \cdot H^{m}ight) \oplus\left(X_{2} \cdot H^{m-1}ight) \oplus \cdots \oplus\left(X_{m-1} \cdot H^{2}ight) \oplus\left(X_{m} \cdot Hight)\]
Draw a figure similar to Figure 12.11 that shows authenticated decryption. IV encode Jo A = Ass. Data KE incr OF K. Jo Plaintext GCTR C = Ciphertext GHASH GCTR MSB 0 [len(A)]64 Tag Figure 12.11 Galois Counter-Message Authentication Code (GCM) [len(C)]
Alice want to send a single bit of information (a yes or a no) to Bob by means of a word of length 2. Alice and Bob have four possible keys avialable to perform message authentication. The following matrix shows the 2-bit word sent for each message under each key:a. The preceding matrix is in a
List two disputes that can arise in the context of message authentication.
What are the properties a digital signature should have?
What requirements should a digital signature scheme satisfy?
What is the difference between direct and arbitrated digital signature?
In what order should the signature function and the confidentiality function be applied to a message, and why?
What are some threats associated with a direct digital signature scheme
Dr. Watson patiently waited until Sherlock Holmes finished. "Some interesting problem to solve, Holmes?" he asked when Holmes finally logged out."Oh, not exactly. I merely checked my e-mail and then made a couple of network experiments instead of my usual chemical ones. I have only one client now
DSA specifies that if the signature generation process results in a value of \(s=0\), a new value of \(k\) should be generated and the signature should be recalculated. Why?
What happens if a \(k\) value used in creating a DSA signature is compromised?
The DSS document includes a recommended algorithm for testing a number for primality.1. [Choose \(\boldsymbol{w}\) ] Let \(w\) be a random odd integer. Then \((w-1)\) is even and can be expressed in the form \(2^{a} m\) with \(m\) odd. That is, \(2^{a}\) is the largest power of 2 that divides
With DSS, because the value of \(k\) is generated for each signature, even if the same message is signed twice on different occasions, the signatures will differ. This is not true of RSA signatures. What is the practical implication of this difference?
Consider the problem of creating domain parameters for DSA. Suppose we have already found primes \(p\) and \(q\) such that \(q \mid(p-1)\). Now we need to find \(g \in \mathbf{Z}_{p}\) with \(g\) of order \(q \bmod p\). Consider the following two algorithms:a. Prove that the value returned by
It is tempting to try to develop a variation on Diffie-Hellman that could be used as a digital signature. Here is one that is simpler than DSA and that does not require a secret random number in addition to the private key.Public elements: \(\quad q\) prime number\[\alpha \quad \alpha
An early proposal for a digital signature scheme using symmetric encryption is based on the following. To sign an \(n\)-bit message, the sender randomly generates in advance \(2 n\) 56-bit cryptographic keys:\[k 1, K 1, k 2, K 2, \ldots, k n, K n\]which are kept private. The sender prepares in
List ways in which secret keys can be distributed to two communicating parties. (2) IDA, E(Ka, Na), IDB, E(Kb, N) B Key Distribution Center (KDC) (3) E(Kb. [KS, IDA, Nb]), E(Kas [KS, IDB, Nal) Figure 14.17 Figure for Problem 14.1 (1) A, E(Ka, Na) (4) E(Kas [Ks. IDB, Nal)- A
What is the difference between a session key and a master key?
What is a nonce?
What is a key distribution center?
What are two different uses of public-key cryptography related to key distribution?
List four general categories of schemes for the distribution of public keys.
What are the essential ingredients of a public-key directory?
What is a public-key certificate?
What are the requirements for the use of a public-key certificate scheme?
What is the purpose of the X.509 standard?
What is a chain of certificates?
How is an X.509 certificate revoked?
One local area network vendor provides a key distribution facility, as illustrated in Figure 14.17.a. Describe the scheme.b. Compare this scheme to that of Figure 14.3.What are the pros and cons? (2) IDA, E(Ka, Na), IDB, E(Kb, N) B Key Distribution Center (KDC) (3) E(Kb. [KS, IDA, Nb]), E(Kas [KS,
“We are under great pressure, Holmes.” Detective Lestrade looked nervous. “We have learned that copies of sensitive government documents are stored in computers of one foreign embassy here in London. Normally these documents exist in electronic form only on a selected few government computers
The 1988 version of X.509 lists properties that RSA keys must satisfy to be secure given current knowledge about the difficulty of factoring large numbers. The discussion concludes with a constraint on the public exponent and the modulus :It must be ensured that e > log2(n) to prevent attack by
Find at least one intermediate certification authority’s certificate and one trusted root certification authority’s certificate on your computer (e.g. in the browser). Print screenshots of both the general and details tab for each certificate.
NIST defines the term cryptoperiod as the time span during which a specific key is authorized for use or in which the keys for a given system or application may remain in effect. One document on key management uses the following time diagram for a shared secret key.Explain the overlap by giving an
Consider the following protocol, designed to let A and B decide on a fresh, shared session key K′AB. We assume that they already share a long-term key KAB.a. We first try to understand the protocol designer’s reasoning:—Why would A and B believe after the protocol ran that they share K′AB.
What are the core components of a PKI? Briefly describe each component.
Explain the problems with key management and how it affects symmetric cryptography.
What is the effect of adding the instruction EMKi EMK;: X E(KMH; X) i = 0, 1
Suppose N different systems use the IBM Cryptographic Subsystem with host master keys KMH[i](i = 1, 2, . . . N). Devise a method for communicating between systems without requiring the system to either share a common host master key or to divulge their individual host master keys.
The principal objective of the IBM Cryptographic Subsystem is to protect transmissions between a terminal and the processing system. Devise a procedure, perhaps adding instructions, which will allow the processor to generate a session key KS and distribute it to Terminal i and Terminal j without
Give examples of replay attacks.
List three general approaches to dealing with replay attacks.
What is a suppress-replay attack?
What problem was Kerberos designed to address?
What are three threats associated with user authentication over a network or Internet?
List three approaches to secure user authentication in a distributed environment.
What four requirements were defined for Kerberos?
What entities constitute a full-service Kerberos environment?
In the context of Kerberos, what is a realm?
What are the principal differences between version 4 and version 5 of Kerberos?
We outlined the public-key scheme proposed in [WOO92a] for the distribution of secret keys. The revised version includes IDA in steps 5 and 6.What attack, specifically, is countered by this revision?
The protocol referred to in Problem 15.1 can be reduced from seven steps to five, having the following sequence:1. A → B:2. A → KDC:3. KDC → B:4. B → A:5. A → B:Show the message transmitted at each step.Problem 15.1We outlined the public-key scheme proposed in [WOO92a] for the
Reference the suppress-replay attack described in Section 15.2 to answer the following.a. Give an example of an attack when a party’s clock is ahead of that of the KDC.b. Give an example of an attack when a party’s clock is ahead of that of another party.
There are three typical ways to use nonces as challenges. Suppose Na is a nonce generated by A, A and B share key K, and f() is a function (such as an increment). The three usages areDescribe situations for which each usage is appropriate. Usage 1 (1) AB: Na (2) BA: E(K, N) Usage 2 (1) AB: E(K, N)
Show that a random error in one block of ciphertext is propagated to all subsequent blocks of plaintext in PCBC mode.
Suppose that, in PCBC mode, blocks Ci and Ci+1 are interchanged during transmission. Show that this affects only the decrypted blocks Pi and Pi+1 but not subsequent blocks.
In addition to providing a standard for public-key certificate formats, X.509 specifies an authentication protocol.The original version of X.509 contains a security flaw.The essence of the protocol is as follows.where tA and are timestamps, rA and rB are nonces and the notation indicates that the
Consider a one-way authentication technique based on asymmetric encryption:a. Explain the protocol.b. What type of attack is this protocol susceptible to? A B: B A: A B: IDA R E(PR, R)
Consider a one-way authentication technique based on asymmetric encryption:a. Explain the protocol.b. What type of attack is this protocol susceptible to? A B: B A: A B: IDA E(PUa, R) R
In Kerberos, when Bob receives a Ticket from Alice, how does he know it is genuine?
In Kerberos, when Bob receives a Ticket from Alice, how does he know it came from Alice?
In Kerberos, when Alice receives a reply, how does she know it came from Bob (that it’s not a replay of an earlier message from Bob)?
In Kerberos, what does the Ticket contain that allows Alice and Bob to talk securely?
What are the advantages of each of the three approaches shown in Figure 16.1? HTTP FTP TCP IP/IPSec SMTP HTTP FTP SSL or TLS TCP IP SMTP S/MIME Kerberos SMTP HTTP UDP (a) Network level (b) Transport level Figure 16.1 Relative Location of Security Facilities in the TCP/IP Protocol Stack IP TCP (c)
What is the difference between an SSL connection and an SSL session?
List and briefly define the parameters that define an SSL session state.
List and briefly define the parameters that define an SSL session connection.
What steps are involved in the SSL Record Protocol transmission?
What is the purpose of HTTPS?
For what applications is SSH useful?

Showing 100 - 200 of 498

Cryptography And Network Security 5th Edition William Stallings - Solutions

Step by Step Answers