(Review questions) Cryptography

Due No Due Date
Points None

Cryptography

The last output block in CBC-mode encryption depends on all the earlier blocks of the message. Changing any message block, therefore, would change the last output block. But it is told in the class that it is not sufficient for integrity. Why is it so? To provide integrity, a scheme should ensure that an attacker cannot come up with a valid message, tag pair without having access to the key. So, given a (small) list of messages $LaTeX: m_{1\:},\:m_2,\:...$ and corresponding tags $LaTeX: t_1,\:t_2,\:...$ computed using CBC mode encryption as mentioned above using a hidden key, can you create a valid message, tag pair for a new message, without knowing the key? You can assume that you can pick the messages you want the tag for.
Consider a New-AES-CBC mode encryption technique, that works almost like the normal CBC mode, except for the following change. The key size is 256 bit instead of 128 bit. And instead of picking a random initialization vector (IV), it uses half of the key as IV. The IV is then not prepended to the ciphertext, because it is already part of the key and the recipient already has it. Is this New-AES-CBC cipher mode secure? If yes, why? If not, can you give an attack on this mode?
1. Related question: What will go wrong if the IV is set to NULL? For full credit need to show an attack that recovers a plaintext (or part of it) in a chosen-plain text attack (CPA) attack.
Given a plaintext, do you think encrypting iteratively increases the security guarantees? If E denotes an encryption algorithm and m is the message, do you think E(k1, E(k1, m)) stronger than E(k1, m)? Why or why not? A slightly related question: 3DES is a technique which applies the DES algorithm 3 times to the same data block. The steps involved are encrypt-decrypt-encrypt: E(k1, D(k2, E(k1, m))). Can you think of a reason why a decrypt operation is used instead of an encrypt-encrypt-encrypt?
What are the advantages and disadvantages of counter mode over the CBC mode of encryption?
Among the different crypto operations, which ones would you like to be fast and why: encryption, MAC, hashing, digital signature? For each primitive, give scenarios where you want an operation to be fast (or slow), if applicable.
Suppose c is one block long string and a and b are strings that are a multiple of the block length. Let M(a||c) = M(b||c), where M is secure CBC-MAC. Then I claim: M(a||d) = M(b||d) for any one-block string d. Prove me wrong, or explain why this claim is true.
Authenticated Encryption (AE)
1. What are the security requirements for a secure authenticated encryption scheme? (Hint: it should be a union of the security requirements of a secure encryption scheme and a secure MAC.)
2. Why MAC-and-Encrypt way of combining encryption and MAC is not secure?
3. Refer to the authenticated encryption with associated data (AEAD), can you give two examples of the associated data that you think should not be encrypted but need to be authenticated?
How will Alice and Bob share a secret key? Here is an approach, analyze it's security. Bob has a public key pk, which Alice got from the "internet telephone directory". Alice generates a random 256-bit key k, encrypts k using textbook RSA encryption procedure, and send the ciphertext c to Bob. Bob then decrypts c using the secret key (sk) it holds and obtains the k. What are the security issues with this approach of key negotiation? Give two possible attacks on this. Hint: Can Eve pretend to be Alice to Bob? Can Eve manage to get them to pick an insecure key k'?

Rubric

Title:

Title

Title
Criteria	Ratings	Pts
Description of criterion threshold: 5 pts Edit criterion description Delete criterion row	5 to >0 pts Full Marks blank 0 to >0 pts No Marks blank_2 This area will be used by the assessor to leave comments related to this criterion.	pts / 5 pts --