
Exercises 2013-04-18

Exercises 2013-04-18. Information Security Course Eric Laermans – Tom Dhaene. Exercise 1 (1). RSA PKCS#1 v1.5 “Million Message Attack” (MMA): illustration of principle. Given C (= M^e mod n), n and e; M formatted according to PKCS#1 v1.5 (M = 00||02||PS||00||D)


Presentation Transcript


  1. Exercises 2013-04-18
     Information Security Course
     Eric Laermans – Tom Dhaene

  2. Exercise 1 (1)
     • RSA PKCS#1 v1.5
     • “Million Message Attack” (MMA): illustration of principle
     • Given
       • C (= M^e mod n), n and e
       • M formatted according to PKCS#1 v1.5 (M = 00||02||PS||00||D)
       • error message from victim if decryption of C’ fails because of erroneous formatting
     • Question
       • find a strategy to recover M
       • hint: think of the multiplicative properties of RSA
     Information Security – Vakgroep Informatietechnologie – IBCN – Eric Laermans

  3. Exercise 1 (2)
     • RSA-formatting: MMA
     • illustration using more limited formatting
     • Given
       • formatting: M = 0010xxxx
       • n = 187; e = 3; C = 81
     • Question
       • find M
       • hint: 32 ≤ M ≤ 47

  4. Exercise 2
     • ElGamal
     • Given
       • in ElGamal encryption or signature, and also in DSA, a unique and secret random value k is used
     • Question
       • what happens if an attacker knows k?
       • what are the consequences if the random value k is reused:
         • in ElGamal encryption?
         • in ElGamal signature?
         • in DSA?

  5. Exercise 3
     • ElGamal
     • Given:
       • RSA signatures exhibit the issue of “existential forgery”, i.e. given some messages with their corresponding RSA signatures, it is possible to generate new signed messages using RSA’s multiplicative properties, without requiring knowledge about the private key
     • Question:
       • is there a similar problem with ElGamal signatures?

  6. Exercise 4
     • ElGamal
     • Given:
       • in ElGamal encryption or signature, and in DSA, a unique and secret random value k is used
     • Question:
       • how could the owner of the private key used in the digital signature add hidden information without the person receiving the signature noticing?
         • such a technique is called a “subliminal channel”
       • can you find a way to use (a small part of) this subliminal channel without needing to use the private key for this purpose? (harder)

  7. Exercise 5
     • Hash functions
     • Given
       • a hash function with a hash value of n bits, e.g. 128 bits
       • a limited storage capacity (N1 hash values), e.g. 1 TB
       • you may assume N1 ≪ 2^(n/2)
     • Question:
       • how many hash computations are required to find two messages with identical hash values with a given probability P (e.g. 95%)?
       • compute this with the given values
       • suppose a modern PC can compute 10 million hash values per second, how much time would be required?

  8. Exercise 6
     • Hash functions
     • Given:
       • a competition at XKCD to generate a hash value with as many bits as possible corresponding to the bits of a given hash value (Skein-1024-1024)
       • Skein is 1 of the 5 finalists for SHA-3, used here with a 1024 bit hash value and 1024 bit internal state
       • winner was CMU, with only 384 wrong bits out of 1024 (i.e. 640 corresponding bits)
     • Question:
       • compute if this result is an indication of some weakness in the weak collision resistance for the hash algorithm used
         • i.e. compute how many hash values should typically be generated to obtain a hash value with at most 384 bits (out of 1024) differing from the bits of the original hash value, assuming that hash values are uniformly randomly distributed
       • does this seem a feasible number?

  9. Exercise 6
     • Hash functions
     • Hints:
       • ${}^{N}C_{k} = \dfrac{N!}{k!\,(N-k)!}$
         • number of combinations of k elements from a group of N
       • for k sufficiently small w.r.t. N
         • $\sum_{j=0}^{k} {}^{N}C_{j} \approx \dfrac{N-k-1}{N-2k-1}\,{}^{N}C_{k}$
       • for k more in the neighbourhood of N/2
         • $\sum_{j=0}^{k} {}^{N}C_{j} \approx \mathrm{CDF\_Norm}(N/2,\ \sqrt{N}/2)\,(k+\tfrac{1}{2})$
         • central limit theorem
         • $\mathrm{CDF\_Norm}(\mathrm{mean}, \mathrm{stdev})\,(x) = \Phi\big((x-\mathrm{mean})/\mathrm{stdev}\big)$
         • $\Phi(x) = \tfrac{1}{2} + \tfrac{1}{2}\,\mathrm{erf}(x/\sqrt{2})$
         • $\mathrm{erf}(x) \approx 1 - (a_1 t + a_2 t^2 + a_3 t^3)\,e^{-x^2}$
           • with $t = 1/(1 + p\,x)$
           • with p = 0,47047 and a1 = 0,3480242 and a2 = -0,0958798 and a3 = 0,7478556
       • best approximation is minimum of both

  10. Exercise 7
     • Hash functions
     • Given
       • 11,4 million 1024 bit RSA keys, of which the prime factors were generated randomly
     • Question
       • estimate the probability that at least two keys in this set have a common prime factor
     • Note
       • according to http://eprint.iacr.org/2012/064.pdf however 26965 keys shared a prime factor with another RSA key
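A worked illustration for Exercise 1 (2), added here and not part of the original slides: with the toy values n = 187, e = 3, C = 81, a yes/no "formatting is valid" answer leaks enough to pin down M, which is why the victim's error message must not distinguish formatting failures. The victim's factorisation and the helper names `make_oracle` and `recover` are assumptions made for the example; the candidate-elimination approach only works because there are 16 possible plaintexts.

```python
# Toy parameters from Exercise 1 (2).
N, E, C = 187, 3, 81
LOW, HIGH = 32, 47            # values of the form 0010xxxx


def in_format(m):
    return LOW <= m <= HIGH


def make_oracle():
    """Constructed stand-in for the victim: holds the private key and only
    reports whether a ciphertext decrypts to a correctly formatted value."""
    p, q = 11, 17                       # 187 = 11 * 17, known to the victim only
    d = pow(E, -1, (p - 1) * (q - 1))   # private exponent
    return lambda c: in_format(pow(c, d, N))


def recover(c, format_ok):
    """Narrow the 16 candidate plaintexts using only format_ok() answers."""
    candidates = set(range(LOW, HIGH + 1))
    queries = 0
    for s in range(2, N):
        if len(candidates) == 1:
            break
        # A multiplier is useful only if the remaining candidates disagree on it.
        if len({in_format(m * s % N) for m in candidates}) == 1:
            continue
        # RSA is multiplicative: c * s^e mod n decrypts to M * s mod n.
        answer = format_ok(c * pow(s, E, N) % N)
        queries += 1
        candidates = {m for m in candidates if in_format(m * s % N) == answer}
    return candidates, queries


if __name__ == "__main__":
    found, used = recover(C, make_oracle())
    print("remaining candidates:", found, "after", used, "oracle answers")
```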
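The computation asked for in Exercise 6, carried through with both hint formulas and checked against the exact binomial sum; this is an added example, not part of the original slides, and the function names are assumptions. Everything is kept in log2 because the probabilities are far below what a direct `½ + ½·erf` evaluation can resolve in floating point.

```python
import math

N_BITS, K_MAX = 1024, 384     # hash length and allowed wrong bits (slide 8)
P, A1, A2, A3 = 0.47047, 0.3480242, -0.0958798, 0.7478556   # erf hint constants


def log2_exact(n, k):
    """log2 of P(at most k of n bits differ) for a uniformly random hash."""
    total = sum(math.comb(n, j) for j in range(k + 1))
    return math.log2(total) - n


def log2_small_k(n, k):
    """First hint: sum ~ (N-k-1)/(N-2k-1) * C(N,k), for k small w.r.t. N."""
    return math.log2(math.comb(n, k)) + math.log2((n - k - 1) / (n - 2 * k - 1)) - n


def log2_normal(n, k):
    """Second hint: normal approximation with the erf formula, for k < n/2.
    Uses Phi(-z) = (1 - erf(z/sqrt 2)) / 2 so the tail is computed directly."""
    x = (n / 2 - (k + 0.5)) / (math.sqrt(n) / 2) / math.sqrt(2)
    t = 1 / (1 + P * x)
    tail = 0.5 * (A1 * t + A2 * t**2 + A3 * t**3) * math.exp(-x * x)
    return math.log2(tail)


def expected_hashes_log2(n=N_BITS, k=K_MAX):
    """log2 of the expected number of hashes before one lands within k bits."""
    return -log2_exact(n, k)


if __name__ == "__main__":
    print("exact        : 2^%.2f" % log2_exact(N_BITS, K_MAX))
    print("small-k hint : 2^%.2f" % log2_small_k(N_BITS, K_MAX))
    print("normal hint  : 2^%.2f" % log2_normal(N_BITS, K_MAX))
    print("expected work: about 2^%.1f hash computations" % expected_hashes_log2())
```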
