Digital Encryption Standard - Research Paper Example

Computer Security Answer all the questions below clearly a. Which do you think has a better resistance to cryptanalysis, CBC-3DES-EDE mode or Blowfish? Justify your answer. Answer: Blowfish offers better resistance to cryptanalysis compared to 3DES. Justification: Digital Encryption Standard (DES) is a symmetric block cipher that encrypts and decrypts data in 64-bit blocks using a 56-bit key. In DES, the main algorithm is repeated 16 times to produce the ciphertext. This increase in the number of rounds ensures high level of security against cryptanalysis. Due to its short key length (56) 3DES was developed. 3DES or triple DES is even more secure in the fact that it encrypts data three times with different key for at least one of the 3 passes giving it cumulative key size of 112-168 bits. However, fixed S boxes and slow execution makes it unsatisfactory. On the other hand, bblowfish is a symmetric block cipher and operates in 64-bit block size and a variable key length - from 32 bits to 448bits with 16-round Feistel cipher and uses large key-dependent S-boxes. Moreover it encrypts data on a 32-bit processor at the rate of 18 clock cycles/byte and can run in less than 5K of memory. It is easy to implement b. What Key value will leave S’, the permutation of S in the RC4 initialization phase, unchanged? Explain your solution clearly Answer: K = [0 256 255 254 253 252 251 ….. 2] or K = [256 256 255 254 253 252 251 ….. 2] for N=256 Justification: The algorithm used in RC4 initialization phase is a key scheduling algorithm(KSA). This algorithm takes the secret key K of length l as the input and begins with the initialization of the internal state S to set it as identity permutation and then uses the key K to generate a random permutation. Thus the algorithm can be summed up as Initialization: For i = 0 to N – 1 S[i] = i j = 0 Generate Random Permutation: For i = 0 to N – 1 j = (j + S[i] + K[i mod l]) mod N Swap(S[i], S[j]) Upon initialization, the internal state S would be [0 1 2 3 … N-1]. During the next step, the value of j is calculated as j = (j + S[i] + K[i mod l]) mod N. Upon swapping value in S[i] becomes value in S[j] and vice versa. From this, it is clear that, only way to keep the initial permutation state unchanged is to keep the value of i and j equal. In order to do that, the value of k should be chosen in such a way that, whenever j is calculated using this formula, it always needs to be equal to the value of i. Upon investing the formula, if we make the values within the bracket i.e j = (j + S[i] + K[i mod l]) mod N equal to N+ i, then upon Mod the result will be equal to i. Upon analysis, we can say(in this case): S[i] = i and hence the component inside the bracket becomes j+i+K[i], since the value of j depends on itself which in turn depends on the previous value of S[i] (=i) we can say that j will increment to a minimum value of i+(i-1) (Except for i=0) for each iteration. Hence 2i-1+K = N+i. Assuming N =256, we can say K should be equal to 257-i except for i=0, in which case it can be either 256 or 0 to achieve the desired result. Now K takes: K = [0 256 255 254 253 252 251 ….. 2] Calculation: First iteration: For i=0 , j = 0 +0 +0 = 0 , on swapping, S[0],S[0] – no change (Internal state of S remains 0 1 2 3 4 …N-1) Second iteration: For i=1, j = (0+1+256) Mod 256 =1, on swapping, S[1],S[1] – no change (Internal state of S remains 0 1 2 3 4 …N-1) Third iteration: For i =2, j = (1+2+255) Mod 256 =2, on swapping, S[2],S[2] – no change (Internal state of S remains 0 1 2 3 4 …N-1) And so on…. On the end of all iterations, the Internal state of S remains [0 1 2 3 4 …N-1]. c. Is it possible to perform encryption operations in parallel on multiple blocks of plaintext in DES CBC mode? Is it possible for decryption? Justify your answer. Answer: It is not possible to perform encryption operations in parallel on multiple blocks of plaintext in DES CBC mode because in Ciber-Block-Chaining(CBC) mode each block of plaintext is XORed with the previous ciphertext block before being encrypted and hence each ciphertext block is dependent on all plaintext blocks processed up to that point. So, encryptions can only be performed sequentially. However, during decryption, a plaintext block can be recovered or decrypted from two adjacent blocks. Hence Parallel operation is possible during decryption. d. If M’ is the bitwise complement of M and K’ is the bitwise complement of K, what can you say about the relationship between DESK’(M’) and DESK(M)? Prove your answer. Answer: DESK’(M’) =( DESK(M))’ For each round of DES with key K and message M yields sub-computations Li and Ri, where L and R are the Left and Right components of the text, then each round of DES with key K and message M yields sub-computations Li and Ri. Also, we must have L1 as a sub-computation with K and M, since this value is R0, which is simply the corresponding permutation of the bits from M as R0 is of bits in M. Now, we need to show that R1 is the correct sub-computation with K and M. To prove this, we will first show that if Z = X  Y, then Z = X  Y. To see this, simply note that we must flip every bit in Z to get Z, i.e, Z  (11...11) = Z, where (11..11) simply represents a bit string of all 1s of the same length as Z. Solving the right hand side of the second equation: X  Y = (X  (11..11)  Y) = (X  Y)  (11..11) = Z  (11..11) = Z. Now, we must use this result to prove R1 = (L0)  F( (R0) , (K1) ). Consider F( (R0) , (K1) ): This computation consists of computing E((R0))  (K1)= [E(R0)]  (K1). Now, lets simplify this calculation again: [E(R0)]  (K1) = [E(R0)  (11..11)]  [K1  (11..11)] = [E(R0)  K1]  [(11..11)  (11..11)] = [E(R0)  K1]  [(00..00)] =[E(R0)  K1], the same input to the S-boxes when using M and K. Thus, we have shown that F( (R0) , (K1) ) = F( (R0) , (K1) ). So, we have (L0)  F( (R0) , (K1) ) = (L0)  F( (R0) , (K1) ) = [(L0)  F( (R0) , (K1) )] = R1, as desired. The proof for showing that all the other Lis and Ris follow the same pattern is identical to this proof. Thus, Y = DESK(M), then Y = DESK(M). e. How does the result from (d) affect the key space in a bruteforce attack? Answer: Bruteforce attack is a type of cryptanalysis which involves systematic checking all possible keys until the correct one is found. This may sometimes transverse the entire key space. The complementation property derived above (d) can be analyzed as: If C denotes the ciphertext and P the plaintext, then we can say DESK(M))=C and DESK’(M’)=C’. This clearly means that in DES each round can operate on one half only, reducing the keyspace by 2. Thus the work for a brute force attack could also be reduced by a factor of 2 (or a single bit) under a chosen-plaintext assumption. 2) Answer the following questions briefly a. What is the difference between a message authentication code and a digital signature? Answer: Message authentication code (MAC) use symmetric encryption methods to protect the sent hash, which uses one private session key and both the sender and receiver must have a copy of the same. Though MAC makes sure that data does not change, it does not ensure whether the data has come from the actual sender. To avoid such fra udulent data, digital signature uses public/private asymmetric keys. Since the two keys of asymmetric encryption are mathematically related to each other one key can be used to verify that the encryption was done with the other key. With digital signatures the sender encrypts the hash using their private key while the receiver verifies the digital signature using the sender’s public key. Since the public key is more freely available then anyone can verify the message’s source. b. What exactly is a certificate chain? Answer: A certificate chain is a sequence of certificates, where each certificate in the chain is signed by the subsequent certificate. c. Is the KXORM function, which takes in a message M and key K gives back their XOR, a good cryptographic hash function? Why or why not? Answer: K XOR M hash function is a simple algorithm and works well on most input data. However, the internal state, the variable h, is not combined enough to achieve avalanche. Moreover, a single XOR is not effective at permuting the internal state, so the resulting distribution, even though better than the additive and multiplicative hashes, is still not very good. d. Is the following cipher legitimate? For any given plaintext letter with index p, substitute it with the ciphertext letter whose index is c = E([a, b], p) = (ap+b) mod 26, where a and b are two integers representing the key. Why or why not? Answer: Ciphertext obtained by using the given cipher c = E([a, b], p) = (ap+b) mod 26 would not be legitimate because the mod 26 clearly pictures that the ciphertext can only have 26 symbols. This results in less keyspace which inturn increases the vulnerability to various attacks. e. A and B use Diffie-Helman for key exchange. Considering q=71 and g=7. If A’s private key is 5 and B’s private key is 12, what are the public keys of A and B? What is the shared key? Answer: a = 5 A = ga mod q = 75 mod 71 = 51 b = 12 B = gb mod q = 712 mod 71 = 4 keya = B a mod q = 45 mod 71 = 30 keyb = A B mod q = 5112 mod 71 = 30 f. What is (209)? Show your work to get the answer. Answer: (209) = 205 Totient function  (n) is the number of positive integers less than n and relatively prime to n. Relatively prime means with no factors in common with n. Here, numbers relatively prime to 209 = all number except 1, 11, 19 and 209 itself. g. What is the purpose of an Authenticator in Kerberos? What is the purpose of a Ticket? Answer: An authenticator in Kerberos holds the current time, a checksum, and an optional encryption key, encrypted with the session key from the accompanying ticket. The Kerberos ticket which is a certificate issued by an authentication server, encrypted using the server key, contains the random session key that will be used for authentication of the principal to the verifier, the name of the principal to whom the session key was issued, and an expiration time after which the session key is no longer valid. h. In the S/Key challenge-response mechanism, why not share k between sender and receiver rather than kn? Answer: In order to make the system immune to dictionary attacks. kn is randomly selected and will never be visible to the attacker in plain text even if the message is correctly deciphered. i. Would you consider “key stroke dynamics” as a remote authentication mechanism (i.e. authentication across a network)? Why or why not? Answer: Keystroke dynamics is the process of analyzing the way a user types at a terminal by monitoring the keyboard inputs thousands of times per second in an attempt to identify user’s habitual typing patterns which includes inter key times (latency periods between keystrokes) and hold times (durations between the hit and release moments of key hold) to provide a unique feature/identifier/signature for authenticating an individuals identity. Keystroke patterns combined with other security schemes can provide a very powerful and effective means of authentication and verification of computer users. j. If you were the designer of a virus and you decided to make it encrypted, would you use AES (one of the strongest symmetric-key cryptosystems) or your own proprietary XOR based encryption mechanism? Justify your selection. Answer: Anti-Virus often looks for known sequences of code to identify computer viruses (known as virus signatures) that are unique to each virus. Using existing cryptosystems to encrypt would have high possibility that it can be detected. Hence it is better to self encrypt viruses using own encryption mechanism. k. In general, which do you think can provide better protection against Trojan horses: Access Control Lists or Capabilities? Justify your answer. Answer: Access control lists provide superior access review and superior revocation on a per-object basis while capabilities provides them on a per-subject basis. Since we have totally moved out from subject based systems to object based, ACL is the best choice to protect again viruses in many operating systems. However, Capabilities provide for finer grained least privilege control with respect to subjects, especially dynamic short-lived subjects created for specific tasks. Since Trojan horses allows a process to run using the privileges of the owner of the process rather than the one running it, Capabilities should be best choice when privilege control is concerned as it provides the least privilege control. l. Is a forward search attack possible in RC4? Why or why not? Answer: Forward search attack is a type of dictionary attack which uses a dictionary of plaintext/ciphertext encrypted with all possible keys for decrypting the message. This type of attack is used when the key space is relatively small and predictable. Since the key space is very less limited to 256, forward search attack is very well possible in RC4. m. In general, how would you protect against a message reordering attack when a classical cryptosystem is used to encrypt data sent between Alice and Bob? Answer: If each entry has a timestamp, then we can ensure that no message reordering has taken place. n. True or false: Non-repudiation is to ensure that Eve cannot replay messages signed by Alice and sent to Bob or messages signed by Bob and sent to Alice. Justify your answer Answer: True. Non-repudiation is a mechanism to prove that the sender really sent this message. Hence Eve cannot replay it. o. Order the following according to their use during the phases of an attack: rootkit, Cheops, NMAP, Metasploit, Nessus, Kismet? Identify which phase each will be used. Answer: Kismet - Phase 1 - Reconnaissaance Nmap/Cheops/Nessus/Metasploit-Phase 2 - Scanning Phase 3 - Gaining Access RootKit - Phase 4 - Maintaining Access Phase 5 - Covering Tracks 3) Your role is to help define the password policy for the new Blackboard system within GWU. The system should allow the user to choose a password with a length of at least 7 characters. The security policy considers that an attacker can test 500,000 passwords per second. The security policy requires passwords to expire once they have a probability of 0.05 of being guessed. Considering that it is better from the user’s perspective to have passwords that lasts longer, determine which of the scenarios below you would use (justify your selection): a. Password characters are alphanumeric characters (“A” through “Z”, “a” through “z”, and “0” through “9”). Also, 8 bits of salt are used by the system. b. Password characters are ASCII characters 1 to 127, inclusive. Answer: Option (b) would be a right decision because we have 127 combinations of characters to choose from which increases the number of possible passwords thereby decreasing the probability of guessing. Whereas allowing only alphanumeric characters will give no more than (26+26+10+1 salt byte) 63 combinations. 4) (10pts) Consider the key management protocol below. Is it susceptible to replay attacks? Justify your answer. Alice  Bob : Alice Bob  Alice : { Alice } kBob Alice  Cathy : { Alice, Bob, r1, { Alice } kBob } kAlice Cathy  Alice : { Alice, Bob, r1-1, ksession} kAlice || {Alice, ksession } kBob Alice  Bob : { Alice, ksession } kBob Answer: From the given protocol, we can interpret that: Alice  Bob : Alice Alice initiates communication with Bob. Bob  Alice : { Alice } kBob Bob sends reply which consist of message send by Alice encrypted using Bob’s key. Alice  Cathy : { Alice, Bob, r1, { Alice } kBob } kAlice Alice contacts Cathy with messages from Alice, Bob and the encrypted message sent by Bob all encrypted using Alice’s Key Cathy  Alice : { Alice, Bob, r1-1, ksession} kAlice || {Alice, ksession } kBob Alice deciphers the message from Cathy and gets the session key for communication with Bob. By analysis the factor r1, she founds r1-1 is there in the message and confirms that Cathy only has sent this message. Alice  Bob : { Alice, ksession } kBob Alice communicates with her message encrypted with the session key which is then encrypted with Bob’s key. Though the protocol used for the communication between Alice and Cathy is effective, the communication between Bob and Alice is weak and highly susceptible for replay attacks. This is because, initial contact by Alice to Bob is either encrypted using Alice’s key or used any random number. Hence there is no assurance that the reply was from Bob. If the reply was not from Bob but from Eve(some attacker replaying the message), then Alice would be getting the session key for communication with Eve and not for Bob. Later, when Alice communicates using the session key, she would actually be communicating with Eve and not Bob. On the other hand, during the communication between Alice and Cathy, Alice sends the message encrypted using Alice’s Key along with a random number. Cathy replies her message giving a session key. When Alice deciphers Cathy’s message, she can verify for the random number (here it would be r1-1) and confirms that the message was only from Cathy. If Eve would have interpreted the message, then would have not known what to reply for r1. Thus, replay would fail. Read More