University of Bath
DEPARTMENT OF COMPUTER SCIENCE EXAMINATION
CM30173: Cryptography
MOCK
Full marks will be given for correct answers to THREE questions. If you opt to answer more than the specified number of questions, you should clearly identify which of your answers you wish to have marked. In cases where you have failed to identify the correct number of answers the marker is only obliged to consider the answers in the order they appear up to the number of answers required.
CM30173 MOCK
CM30173 MOCK
CM30173 MOCK 2.
1. The University of Wessex is concerned about the security of exam papers and demands that they must all be encrypted. With only weeks before the first exams must be written the lecturers need a plan.
(a) Two lecturers, Ann and Bob, need to work on an exam paper together, they’ve sorted out the storage but then Bob finds out he has to spend a month in the Arctic circle on an important research project. Its pretty cold out and no one has arrived to install phones in the buildings there, in addition, Bob knows that the shared computer on site is old and slow with only a satellite link. Bob is leaving in a few hours so Ann and he meet up to arrange matters. Ann is concerned that Bob will be working on a shared computer — how can she be certain that she is speaking to him?
What options do Ann and Bob have for securing their discussion about exam questions? Explain the advantages and disadvantages of each method and which technologies you would use. [10]
(b) The exam papers are finished but they need to be checked by the external examiners. Professor White needs to send his finished exam to the external. Since the external lives in Australia Professor White can’t pass the paper to him by hand and the University refuses to pay the fee for a secure courier.
Professor White hasn’t met the external but has his phone number and work address and phones him, the external suggests sending the paper by secure e-mail but says that he needs a way to verify that the paper which arrives is from Professor White. Professor White needs to satisfy himself that he sending the paper to the right person and that no one can read the exam paper in transit. Explain precisely how you would solve their problems and what technologies you would use. [10]
CM30173 MOCK continued
CM30173 MOCK continued 3.
2.
(a) Describe the AES encryption algorithm, explaining how it is made up from S-boxes, permutations, linear transformations and boolean operations. [7]
(b) Before AES was developed it was suggested that the security of DES could be increased by using DES twice with two different keys:
eDES (eDES (x))
k2 k1
What would be the cost of finding the keys by exhaustive key search? Describe a faster known plaintext attack that would recover both the keys.
Explain how to use DES multiple times to increase security. [8]
(c) An additional mode of operation called counter mode was approved for use with AES. To encrypt a message x = x1x2 . . . of blocks of length m we choose a counter ctr which is a bitstring of length m. Construct a sequence of bitstrings of length m:
3.
Encrypt blocks:
Explain the advantages of this mode of operation.
[5]
Ti =ctr+i−1 (mod2m)
yi = xi ⊕ ek(Ti) i ≥ 1
i≥1.
(a) Define the term message authentication code (MAC). Describe how a block cipher such as DES can be used to produce CBC-MAC. [7]
(b) Describe how an unkeyed hash function can be formed by iteration of a compression function. What is Merkle-Damg ̊ard strengthening? [6]
(c) Alice needs to design a MAC, she has an unkeyed iterated hash function h and she proposes to use MACk(x) = h(k∥x). Assuming that h includes no preprocessing step, what do you think of this idea? What if h does include a preprocessing step? [7]
CM30173 MOCK continued
CM30173 MOCK continued 4.
4.
(a) Describe ElGamal including parameter generation, encryption and decryption. [7]
(b) Prove that decryption returns the input plaintext in ElGamal. [2]
(c) Alice decides that generating a new random number for each message she encrypts with ElGamal takes too long and that instead she will change the number every so often. What do you think of this idea? [4]
(d) Describe PGP. In what ways does it fail to meet the definition of a public key infrastructure? [7]
5.
(a) Describe the basic RSA signature scheme. [6]
(b) Define the terms existential forgery and selective forgery. [2]
(c) What is the multiplicative property of RSA? Using the multiplicative property show that you can produce existential forgeries of RSA signatures. What mechanisms could be used
to protect against this?
(d) Prove that, to split n it suffices to find x, y ∈ Z such that
[6]
[6]
EHC
CM30173 MOCK
x2 ≡ y2 x ̸≡ ±y
(mod n) (mod n)