SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 1 (Symmetric Cryptography)
This sentence has been encoded using a Caesar cipher. Can you find out the original message?
N pelcgbtencuvp flfgrz fubhyq or frpher rira vs rirelguvat nobhg gur flfgrz,
rkprcg gur xrl, vf choyvp xabjyrqtr.
(a) Decode the message and explain how you figured out the key.
(b) Take a look at the contents of the plain text message. What does it say and why is it important?
1.2 Substitution Cipher
The following (English) text has been encrypted using a substitution cipher where every letter of the alphabet is mapped to an arbitrary but fixed other letter. Every non-letter symbol remains the same.
hun cninxh znlnybqgnxh bw lscrbjd gnhubzd bw gbzjyshrbx djiu sd qig sxz qqg
turiu nfiusxkn asxztrzhu wbc drkxsy-hb-xbrdn cshrb usd rxhnxdrwrnz hun rxhncndh
rx s knxncsy hunbcv bw ibggjxrishrbx. s asdrd wbc djiu s hunbcv rd ibxhsrxnz
rx hun rgqbchsxh qsqncd bw xvejrdh1 sxz uschynv2 bx hurd djapnih. rx hun
qcndnxh qsqnc tn tryy nfhnxz hun hunbcv hb rxiyjzn s xjganc bw xnt wsihbcd, rx
qschrijysc hun nwwnih bw xbrdn rx hun iusxxny, sxz hun dslrxkd qbddrayn zjn hb
hun dhshrdhrisy dhcjihjcn bw hun bcrkrxsy gnddskn sxz zjn hb hun xshjcn bw hun
wrxsy zndhrxshrbx bw hun rxwbcgshrbx. hun wjxzsgnxhsy qcbayng bw ibggjxrishrbx
rd hush bw cnqcbzjirxk sh bxn qbrxh nrhunc nfsihyv bc sqqcbfrgshnyv s gnddskn
dnynihnz sh sxbhunc qbrxh. wcnejnxhyv hun gnddsknd usln gnsxrxk; hush rd hunv
cnwnc hb bc scn ibccnyshnz siibczrxk hb dbgn dvdhng trhu inchsrx quvdrisy bc
ibxinqhjsy nxhrhrnd. hundn dngsxhri sdqnihd bw ibggjxrishrbx scn rccnynlsxh hb
hun nxkrxnncrxk qcbayng. hun drkxrwrisxh sdqnih rd hush hun sihjsy gnddskn rd bxn
dnynihnz wcbg s dnh bw qbddrayn gnddsknd. hun dvdhng gjdh an zndrkxnz hb bqncshn
wbc nsiu qbddrayn dnynihrbx, xbh pjdh hun bxn turiu tryy sihjsyyv an iubdnx drxin
hurd rd jxoxbtx sh hun hrgn bw zndrkx. rw hun xjganc bw gnddsknd rx hun dnh rd
wrxrhn hunx hurd xjganc bc sxv gbxbhbxri wjxihrbx bw hurd xjganc isx an cnkscznz
sd s gnsdjcn bw hun rxwbcgshrbx qcbzjinz tunx bxn gnddskn rd iubdnx wcbg hun dnh,
syy iubrind anrxk nejsyyv yronyv. sd tsd qbrxhnz bjh av uschynv hun gbdh xshjcsy
iubrin rd hun ybkscrhugri wjxihrbx. syhubjku hurd znwrxrhrbx gjdh an knxncsyrmnz
ibxdrzncsayv tunx tn ibxdrznc hun rxwyjnxin bw hun dhshrdhrid bw hun gnddskn
sxz tunx tn usln s ibxhrxjbjd csxkn bw gnddsknd, tn tryy rx syy isdnd jdn sx
nddnxhrsyyv ybkscrhugri gnsdjcn.
(a) Why is this cipher harder to break than the one from task 1? Explain why such a cipher is still easy to break and briefly describe what an attack could look like in this scenario.
Solution to task 1 (a): The original message is: A cryptographic system should be secure even if everything about the system, except the key, is public knowledge. The key is 13 and can be derived by brute forcing all 25 (or 26 if we count 0) possible keys.
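The brute force over all shifts named in this solution, as an added Python example that is not part of the original sheet. The word list `COMMON_WORDS` and the function names are assumptions made for illustration; the ciphertext is the one from task 1.

```python
import string

# Ciphertext from task 1 of this sheet.
CIPHERTEXT = ("N pelcgbtencuvp flfgrz fubhyq or frpher rira vs rirelguvat nobhg gur flfgrz, "
              "rkprcg gur xrl, vf choyvp xabjyrqtr.")

# Assumption: a tiny list of frequent English words is enough to rank 26 candidates.
COMMON_WORDS = {"a", "the", "be", "is", "if", "of", "and", "to", "in", "it"}


def shift_text(text: str, key: int) -> str:
    """Shift every letter back by `key` positions, keeping case and non-letters."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") - key) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") - key) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def score(candidate: str) -> int:
    """Count how many tokens of the candidate are common English words."""
    words = (w.strip(string.punctuation).lower() for w in candidate.split())
    return sum(w in COMMON_WORDS for w in words)


def brute_force(ciphertext: str) -> tuple[int, str]:
    """Try all 26 shifts and return (key, plaintext) of the best-scoring one."""
    candidates = [(key, shift_text(ciphertext, key)) for key in range(26)]
    return max(candidates, key=lambda kc: score(kc[1]))


if __name__ == "__main__":
    key, plaintext = brute_force(CIPHERTEXT)
    print(key, plaintext)
```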
Solution to task 1 (b): The message states a desirable property of cryptographic systems. A public encryption algorithm allows for flaws to be detected and patched. In contrast, security by obscurity is highly discouraged because the risk of critical flaws is much higher if cryptographic systems are kept secret.
(b) Perform the attack you chose in (a) and try to decrypt the given text. Who is the author of the text?
1.3 Quick Questions (Mixed Topics)
(a) The One-Time-Pad (OTP) is a perfect cipher (if applied correctly). What does it mean for a cipher to be perfect and why is it rarely used?
(b) The BedenkenSecond GmbH suggests implementing OTP by using a 256-bit value as a seed for a pseudorandom number generator and sharing only the seed among the encrypting parties. How do you rate the security of this procedure?
Solution to 1.2 (a): Even though both ciphers only substitute single letters, the key space of this cipher is much larger than that of the Caesar cipher. The most promising approach to begin with is a letter frequency analysis. The most frequent letters in the English language are more likely to appear often in the given snippet than other letters. Once the most frequent characters have been decrypted, single words start to become more and more readable, unveiling the mapping of new letters. This step can be repeated until the entire text is decrypted.
Solution to 1.2 (b): The author of the text is Claude Shannon. The decryption can be shown in a live demo, leveraging some basic shell commands. Example:
cat ciphertext.txt | grep -o "[a-z]" | sort | uniq -c | sort -rnk 1
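The frequency count and the repeated guess-and-refine step from the solution to 1.2 (a), as an added Python example that is not part of the original sheet. `SAMPLE` is the first sentence of the task's ciphertext; the guesses in `ROUNDS` and all function names are constructed for illustration.

```python
from collections import Counter

# First sentence of the ciphertext from task 1.2 on this sheet.
SAMPLE = (
    "hun cninxh znlnybqgnxh bw lscrbjd gnhubzd bw gbzjyshrbx djiu sd qig sxz qqg "
    "turiu nfiusxkn asxztrzhu wbc drkxsy-hb-xbrdn cshrb usd rxhnxdrwrnz hun rxhncndh "
    "rx s knxncsy hunbcv bw ibggjxrishrbx."
)

# Constructed analyst guesses, one dict per refinement round (cipher -> plain).
ROUNDS = [
    {"n": "e"},                                   # most frequent letter
    {"h": "t", "u": "h"},                         # frequent word "..E" -> THE
    {"c": "r", "i": "c", "x": "n"},               # ".E.E.T" -> RECENT
    {"z": "d", "l": "v", "y": "l", "b": "o", "q": "p", "g": "m"},  # DEVELOPMENT
]


def letter_ranking(text):
    """Letters by descending count, like the grep/sort/uniq pipeline."""
    return Counter(ch for ch in text if "a" <= ch <= "z").most_common()


def apply_partial_key(text, key):
    """Show decrypted letters in upper case and still-unknown letters as '.'."""
    shown = (key[ch].upper() if ch in key else "." if ch.isalpha() else ch for ch in text)
    return "".join(shown)


def extend_key(key, guesses):
    """Merge guesses into the key; reject any that break the one-to-one mapping."""
    merged = dict(key)
    for c, p in guesses.items():
        if merged.get(c, p) != p or (c not in merged and p in merged.values()):
            raise ValueError(f"guess {c}->{p} conflicts with the current key")
        merged[c] = p
    return merged


def refine(text, rounds):
    """Apply the rounds in order and return the partial plaintext after each."""
    key, views = {}, []
    for guesses in rounds:
        key = extend_key(key, guesses)
        views.append(apply_partial_key(text, key))
    return views


if __name__ == "__main__":
    print(letter_ranking(SAMPLE)[:5], *refine(SAMPLE, ROUNDS), sep="\n")
```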
Solution to 1.3 (a): The issue is the key exchange. For OTP, the key must be random, non-repetitive and at least as long as the encrypted message. Exchanging these keys via a secure channel is impractical.
Solution to 1.3 (b): The resulting encryption is not an OTP, because the generated key is not random. The strength of the encryption heavily depends on the quality of the pseudorandom number generator used.
(c) Assume the SFL instructors have met every single student in person to exchange a personalized, random and non-repetitive key with everyone. After the exam, these keys are used to inform everyone about the outcome of the exam (passed or failed). You are able to intercept the following messages:
0010110100001000
01111101100001
00101110000001
0101011011001101
0000101110110110
11110110101101
0010110110111010
Your own exam has the ID 007 and you have passed the exam. Which information can you gain?
Solution: Even though an OTP is used, our domain-specific knowledge allows us to decode the messages. One piece of information that an OTP does leak is the length of the transmitted message. In our case, we know that only two outcomes are possible and that a passed exam is encoded in 16 bits while a failed exam is encoded in only 14 bits.
(d) The BedenkenSecond GmbH makes use of AES to provide digital vaccination certificates by encrypting the name and vaccination status of their customers and handing out certificates which contain the cipher text. The company reaches out to you and asks you whether they should keep their encryption key private or make it public in order for their system to work. What’s your answer?
(e) In the literature, you often find the distinction between key length and effective key length. Explain the difference using a block cipher with 2-bit blocks and various lengths of keys. You can assume ECB mode if this makes it easier to explain.
(f) Assume you found a security vulnerability in a software product. In which way would you handle the situation in order to comply with §202 StGB?
Solution to 1.3 (d): Symmetric encryption does not provide authenticity and is therefore not suited for this task! If the keys are public, everyone will be able to fake certificates, but if the keys are private, nobody will be able to verify the certificates.
Solution to 1.3 (e): In ECB mode, every plaintext block of 2 bits is mapped to a ciphertext block of 2 bits. There are $2^2 = 4$ possible blocks, so there must be $4! = 24$ possible mappings. Since the mapping is derived from the key and, e.g., a 4-bit key can only have $2^4 = 16$ possible values, it can generate up to 16 different mappings.
However, an 8-bit key does not allow for $2^8 = 256$ different mappings, since there are only 24 to choose from. Therefore, there must be different keys which generate the same mapping. The effective key length of this cipher can never exceed $\log_2(24) \approx 4.58$ bits.
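The counting argument above, carried out on a toy 2-bit block cipher as an added Python example that is not part of the original sheet. The key schedule `mapping_for_key` (the key simply selects one of the 24 permutations) is a hypothetical construction chosen for illustration.

```python
from itertools import permutations
from math import log2

BLOCKS = range(4)                        # all 2-bit blocks: 00, 01, 10, 11
MAPPINGS = list(permutations(BLOCKS))    # every invertible mapping: 4! = 24


def mapping_for_key(key: int) -> tuple[int, ...]:
    """Hypothetical key schedule: the key selects one of the 24 permutations."""
    return MAPPINGS[key % len(MAPPINGS)]


def encrypt_ecb(key: int, blocks) -> list[int]:
    """ECB: every block is replaced independently via the key's mapping."""
    table = mapping_for_key(key)
    return [table[b] for b in blocks]


def distinct_mappings(key_bits: int) -> int:
    """Count the different codebooks that all keys of this length produce."""
    return len({tuple(encrypt_ecb(k, BLOCKS)) for k in range(2 ** key_bits)})


def effective_key_length(key_bits: int) -> float:
    """Bits needed to name one of the codebooks that are actually reachable."""
    return log2(distinct_mappings(key_bits))


def equivalent_keys(key: int, key_bits: int) -> list[int]:
    """All keys of this length that encrypt every block exactly like `key`."""
    target = encrypt_ecb(key, BLOCKS)
    return [k for k in range(2 ** key_bits) if encrypt_ecb(k, BLOCKS) == target]


if __name__ == "__main__":
    for bits in (2, 4, 8, 16):
        print(bits, distinct_mappings(bits), round(effective_key_length(bits), 2))
    print(equivalent_keys(0, 8))
```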
Solution to 1.3 (f): Disclaimer: We are not lawyers!
The preferred way of dealing with security vulnerabilities is responsible disclosure, which includes informing the developers and giving them enough time to patch the issue before disclosing it publicly. However, depending on the exact scenario, courts can still find someone guilty of violating §202 StGB even after a responsible disclosure. Within the boundaries of current legislation, there is no guaranteed protection for reporters of security vulnerabilities.
1.4 Cipher Modes
(a) CBC uses $F_k(x)$ for encryption and $F_k^{-1}(x)$ for decryption. Could we swap the order and use $F_k^{-1}(x)$ for encryption and $F_k(x)$ for decryption?
(b) Your classmate wants to fix the weaknesses of ECB and invents a CBC-like encryption mode. He defines the encryption as follows: $c_i = enc(m_i) = F_k(m_i) \oplus F_k(m_{i-1})$. For $i = 0$, an IV is used instead of $F_k(m_{i-1})$.
Solution to 1.4 (a): Yes, that would work, as the order in which two functions that are inverse to each other are called does not matter.
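How would decryption $dec(c_i)$ look, assuming an inverse function $F_k^{-1}$?
Solution: Decryption works as follows:
$m_1 = F_k^{-1}(c_1 \oplus IV)$
$m_2 = F_k^{-1}(c_1 \oplus c_2 \oplus IV)$
$m_3 = F_k^{-1}(c_1 \oplus c_2 \oplus c_3 \oplus IV)$
$m_i = F_k^{-1}(c_1 \oplus c_2 \oplus \dots \oplus c_i \oplus IV)$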
Assume $m_1$ equals $m_3$. Can you spot this based on the ciphertexts (and IV)?
Solution: This is not immediately visible in $c_1$ and $c_3$, but interestingly $m_1 = m_3$ can be spotted if $c_2$ and $c_3$ are equal:
$\implies (c_1 \oplus IV) = (c_3 \oplus (c_2 \oplus c_1 \oplus IV))$
$\iff c_3 \oplus c_2 = 0 \iff c_3 = c_2$
Would you prefer this mode over ECB? If so, why? If not, why not?
Solution: The mode does not bring any additional security benefit over ECB. In contrast, however, it is now harder to perform decryption (or encryption) in parallel, as new dependencies were introduced. While it would be possible to run encryption or decryption for all blocks in parallel, many ⊕ operations have to be performed to decrypt late blocks.
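The classmate's mode, its decryption and the ciphertext-only check for repeated blocks from task 1.4 (b), as an added Python example that is not part of the original sheet. It assumes 1-byte blocks and a toy keyed byte permutation standing in for $F_k$ (`make_prp`, the key and the IV are constructed for illustration), and it generalizes the $m_1 = m_3$ case to any two blocks that are two positions apart.

```python
import hashlib
import random


def make_prp(key: bytes):
    """Toy stand-in for F_k and its inverse: a keyed permutation of byte values."""
    table = list(range(256))
    seed = int.from_bytes(hashlib.sha256(key).digest(), "big")
    random.Random(seed).shuffle(table)
    inverse = [0] * 256
    for x, y in enumerate(table):
        inverse[y] = x
    return table, inverse


def encrypt(key: bytes, iv: int, msg: bytes) -> bytes:
    """c_i = F_k(m_i) XOR F_k(m_{i-1}); the IV replaces F_k(m_{i-1}) for the first block."""
    f, _ = make_prp(key)
    prev, out = iv, []
    for m in msg:
        out.append(f[m] ^ prev)
        prev = f[m]
    return bytes(out)


def decrypt(key: bytes, iv: int, ct: bytes) -> bytes:
    """m_i = F_k^{-1}(c_1 XOR ... XOR c_i XOR IV), computed with a running XOR."""
    _, f_inv = make_prp(key)
    acc, out = iv, []
    for c in ct:
        acc ^= c
        out.append(f_inv[acc])
    return bytes(out)


def repeated_blocks(ct: bytes) -> list[tuple[int, int]]:
    """Without the key: equal neighbours c[i+1] == c[i+2] reveal m[i] == m[i+2]."""
    return [(i, i + 2) for i in range(len(ct) - 2) if ct[i + 1] == ct[i + 2]]


if __name__ == "__main__":
    key, iv = b"constructed demo key", 0x5A      # constructed sample values
    ct = encrypt(key, iv, b"ABAXYZ")             # first and third block are equal
    print(ct.hex(), decrypt(key, iv, ct), repeated_blocks(ct))
```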