6.1 What is triple encryption? Get solution
6.2 What is a meet-in-the-middle attack? Get solution
6.3 How many keys are used in triple encryption? Get solution
6.4 Why is the middle portion of 3DES a decryption rather than an encryption? Get solution
6.5 List important design considerations for a stream cipher. Get solution
6.6 Why is it not desirable to reuse a stream cipher key? Get solution
6.7 What primitive operations are used in RC4? Get solution
6.8 Why do some block cipher modes of operation only use encryption while others use both encryption and decryption? Get solution
Problems
6.1 You want to build a hardware device to do block encryption in the cipher block chaining (CBC) mode using an algorithm stronger than DES. 3DES is a good candidate. Figure 6.10 shows two possibilities, both of which follow from the definition of CBC. Which of the two would you choose:
a. For security?
For performance?
Figure 6.10. Use of Triple DES in CBC Mode
6.2 Can you suggest a security improvement to either option in Figure 6.10, using only three DES chips and some number of XOR functions? Assume you are still limited to two keys. Get solution
6.3 The Merkle-Hellman attack on 3DES begins by assuming a value A = 0 of (Figure 6.1b). Then, for each of the 256 possible values of K1, the plaintext P that produces A = 0 is determined. Describe the rest of the algorithm. Get solution
6.4 With the ECB mode of DES, if there is an error in a block of the transmitted ciphertext, only the corresponding plaintext block is affected. However, in the CBC mode, this error propagates. For example, an error in the transmitted C1 (Figure 6.4) obviously corrupts P1 and P2.
a. Are any blocks beyond P2 affected?
b. Suppose that there is a bit error in the source version of P1. Through how many ciphertext blocks is this error propagated? What is the effect at the receiver? Get solution
6.5 If a bit error occurs in the transmission of a ciphertext character in 8-bit CFB mode, how far does the error propagate? Get solution
6.6 Fill in the remainder of this table:
CBC-Pad handles plaintext of any length. The ciphertext is longer then the plaintext by at most the size of a single block.
Padding is used to assure that the plaintext input is a multiple of the block length. It is assumed that the original plaintext is an integer number of bytes. This plaintext is padded at the end by from 1 to bb bytes, where bb equals the block size in bytes. The pad bytes are all the same and set to a byte that represents the number of bytes of padding. For example, if there are 8 bytes of padding, each byte has the bit pattern 00001000. Why not allow zero bytes of padding? That is, if the original plaintext is an integer multiple of the block size, why not refrain from padding? Get solution
6.8 Padding may not always be appropriate. For example, one might wish to store the encrypted data in the same memory buffer that originally contained the plaintext. In that case, the ciphertext must be the same length as the original plaintext. A mode for that purpose is the ciphertext stealing (CTS) mode. Figure 6.11a shows an implementation of this mode.
a. Explain how it works.
b. Describe how to decrypt Cn-1 and Cn Get solution
6.9 Figure 6.11b shows an alternative to CTS for producing ciphertext of equal length to the plaintext when the plaintext is not an integer multiple of the block size.
a. Explain the algorithm.
Explain why CTS is preferable to this approach illustrated in Figure 6.11b.
6.10 What RC4 key value will leave S unchanged during initialization? That is, after the initial permutation of S, the entries of S will be equal to the values from 0 through 255 in ascending order. Get solution
6.11 RC4 has a secret internal state which is a permutation of all the possible values of the vectoSr and the two indices i and j.
a. Using a straightforward scheme to store the internal state, how many bits are used?
Suppose we think of it from the point of view of how much information is represented by the state. In that case, we need to determine how may different states there are, than take the log to the base 2 to find out how many bits of information this represents. Using this approach, how many bits would be needed to represent the state? Get solution
6.12 Alice and Bob agree to communicate privately via email using a scheme based on RC4, but want to avoid using a new secret key for each transmission. Alice and Bob privately agree on a 128-bit key k. To encrypt a message m, consisting of a string of bits, the following procedure is used:
1. Choose a random 80-bit valuev
2. Generate the ciphertext c = RC4(v || k) m
3. Send the bit string (v || C)
a. Suppose Alice uses this procedure to send a message m to Bob. Describe how Bob can recover the message m from (v || C) using k.
b. If an adversary observes several values (v1 || C1), (v2 || C2), ... transmitted between Alice and Bob, how can he/she determine when the same key stream has been used to encrypt two messages?
c. Approximately how many messages can Alice expect to send before the same key stream will be used twice? Use the result from the birthday paradox described in Appendix 11A [Equation (11.7)].
d. What does this imply about the lifetime of the keyk (i.e., the number of messages that can be encrypted usingk )? Get solution
