SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 1 (Symmetric Cryptography)
This sentence has been encoded using a caesar cipher. Can you find out the original message?
N pelcgbtencuvp flfgrz fubhyq or frpher rira vs rirelguvat nobhg gur flfgrz,
rkprcg gur xrl, vf choyvp xabjyrqtr.
Copyright By PowCoder代写 加微信 powcoder
(a) Decode the message and explain how you figured out the key.
(b) Take a look at the contents of the plain text message. What does it say and why is it important?
1.2 Substitution Cipher
The following (english) text has been encrypted using a substitution cipher where every letter of the alphabet is mapped to an arbitrary but fixed other letter. Every non-letter symbol remains the same.
hun cninxh znlnybqgnxh bw lscrbjd gnhubzd bw gbzjyshrbx djiu sd qig sxz qqg
turiu nfiusxkn asxztrzhu wbc drkxsy-hb-xbrdn cshrb usd rxhnxdrwrnz hun rxhncndh
rx s knxncsy hunbcv bw ibggjxrishrbx. s asdrd wbc djiu s hunbcv rd ibxhsrxnz
rx hun rgqbchsxh qsqncd bw xvejrdh1 sxz uschynv2 bx hurd djapnih. rx hun
qcndnxh qsqnc tn tryy nfhnxz hun hunbcv hb rxiyjzn s xjganc bw xnt wsihbcd, rx
qschrijysc hun nwwnih bw xbrdn rx hun iusxxny, sxz hun dslrxkd qbddrayn zjn hb
hun dhshrdhrisy dhcjihjcn bw hun bcrkrxsy gnddskn sxz zjn hb hun xshjcn bw hun
wrxsy zndhrxshrbx bw hun rxwbcgshrbx. hun wjxzsgnxhsy qcbayng bw ibggjxrishrbx
rd hush bw cnqcbzjirxk sh bxn qbrxh nrhunc nfsihyv bc sqqcbfrgshnyv s gnddskn
dnynihnz sh sxbhunc qbrxh. wcnejnxhyv hun gnddsknd usln gnsxrxk; hush rd hunv
cnwnc hb bc scn ibccnyshnz siibczrxk hb dbgn dvdhng trhu inchsrx quvdrisy bc
ibxinqhjsy nxhrhrnd. hundn dngsxhri sdqnihd bw ibggjxrishrbx scn rccnynlsxh hb
hun nxkrxnncrxk qcbayng. hun drkxrwrisxh sdqnih rd hush hun sihjsy gnddskn rd bxn
dnynihnz wcbg s dnh bw qbddrayn gnddsknd. hun dvdhng gjdh an zndrkxnz hb bqncshn
wbc nsiu qbddrayn dnynihrbx, xbh pjdh hun bxn turiu tryy sihjsyyv an iubdnx drxin
hurd rd jxoxbtx sh hun hrgn bw zndrkx. rw hun xjganc bw gnddsknd rx hun dnh rd
wrxrhn hunx hurd xjganc bc sxv gbxbhbxri wjxihrbx bw hurd xjganc isx an cnkscznz
sd s gnsdjcn bw hun rxwbcgshrbx qcbzjinz tunx bxn gnddskn rd iubdnx wcbg hun dnh,
syy iubrind anrxk nejsyyv yronyv. sd tsd qbrxhnz bjh av uschynv hun gbdh xshjcsy
iubrin rd hun ybkscrhugri wjxihrbx. syhubjku hurd znwrxrhrbx gjdh an knxncsyrmnz
ibxdrzncsayv tunx tn ibxdrznc hun rxwyjnxin bw hun dhshrdhrid bw hun gnddskn
sxz tunx tn usln s ibxhrxjbjd csxkn bw gnddsknd, tn tryy rx syy isdnd jdn sx
nddnxhrsyyv ybkscrhugri gnsdjcn.
(a) Why is it harder to break this cipher compared to the one from task 1? Explain why such a cipher is still easy to break and briefly describe how an attack could possibly look like in this scenario.
Solution: The original message is: A cryptographic system should be secure even if everything about the system, except the key, is public knowledge. The key is 13 and can be derived by brute forcing all 25 (or 26 if we count 0) possible keys.
Solution: The message states a desirable property of cryptographic systems. A public encryption algorithm allows for flaws to be detected and patched. In contrast, security by obscurity is highly discouraged because the risk of critical flaws is much higher if cryptographic systems are kept secret.
SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 1 (Symmetric Cryptography)
Solution: Even though both ciphers only substitute single letters, the key space of this cipher is much larger than for the caesar cipher. The most promising approach to begin with is a letter frequency analysis. The most frequent letters in the english language are more likely to appear often in the given snippet than other letters. Once the most frequent characters have been decrypted, single words start to become more and more readable, unveiling the mapping of new letters. This step can be repeated until the entire text is decrypted.
(b) Perform the attack you chose in a and try to decrypt the given text. Who is the author of the text?
1.3 Quick Questions (Mixed Topics)
(a) One-Time-Pad is a perfect cipher (if applied correctly). What does it mean for a cipher to be perfect and why is it rarely used?
(b) The BedenkenSecond GmbH suggests to implement OTP by using a 256 bit value as a seed for a pseudo random number generator and only share the seed among the encrypting parties. How do you rate the security of this procedure?
(c) Assume the SFL instructors have met every single student in person to exchange a personalized, random and non repetitive keys with everyone. After the exam, these keys are used to inform everyone about the outcome of the exam (passed or failed). You are able to intercept the following messages:
Solution: The author of the text is . The decryption can be shown in a live demo, leveraging some basic shell commands. Example:
cat ciphertext.txt | grep -o “[a-z]” | sort | uniq -c | sort -rnk 1
Solution: The issue is the key exchange. For OTP, the key must be random, non-repetitive and at least as long as the encrypted message. Exchanging these keys via a secure channel is impractical.
Solution: The resulting encryption is not an OTP, because the generated key is not random. The strength of the encryption heavily depends on the quality of the used pseudo random number generator.
Exam ID 001
Outcome 0010110100001000 01111101100001 00101110000001 0101011011001101 0000101110110110 11110110101101 0010110110111010
Your own exam has the ID 007 and you have passed the exam. Which information can you gain?
Solution: Even though an OTP is used, our domain specific knowledge allows us to decode the messages. One information that OTP does leak is the length of the transmitted message. In our case, we know that only two outcomes are possible and that a passed exam is encoded in 16 bit while a failed exam is encoded in only 14 bit.
SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 1 (Symmetric Cryptography)
(d) The BedenkenSecond GmbH makes use of AES to provide digital vaccination certificates by encrypting the name and vaccination status of their customers and handing out certificates which contain the cipher text. The company reaches out to you and asks you whether they should keep their encryption key private or make it public in order for their system to work. What’s your answer?
(e) In literature, you often find the distinction between key length and effective key length. Explain the difference using a block cipher with 2 bit blocks and various lengths of keys. You can assume ECB mode if this makes it easier to explain.
(f) Assume you found a security vulnerability in a software product. In which way would you handle the situation in order to comply with §202 StGB?
1.4 Cipher Modes
(a) CBC uses Fk(x) for encryption and Fk(x)−1 for decryption. Could we swap the order and use Fk(x)−1 for encryption and Fk(x) for decryption?
(b) Your classmate suggests to fix weaknesses of ECB and invents a CBC-like encryption mode. He defines the encryption as follows: ci = enc(mi) = Fk(mi) ⊕ Fk(mi−1). For i = 0, an IV is used instead of Fk(mi−1).
Solution: Symmetric encryption does not provide authenticity and is therefore not suited for this task! If the keys are public, everyone will be able to fake certificates, but if the keys are private, nobody will be able to verify the certificates.
Solution: In ECB mode, every plain text block of 2 bit is mapped to a cipher text block of 2 bit. There are 22 = 4 possible blocks, so there must be 4! = 24 possible mappings. Since the mapping is derived from the key and, e.g., a 4 bit key can only have 24 = 16 possible values, it can generate up to 16 different mappings.
However, an 8 bit key does not allow for 28 = 256 different mappings, since there are only 24 to choose from. Therefore, there must be different keys which generate the same mapping. The effective key length of this cipher can never exceed log2(24) ≈ 4.58 bit.
Solution: Disclaimer: We are no lawyers!
The preferred way of dealing with security vulnerabilities is responsible disclosure, which includes informing the developers and providing them enough time to patch the issue before disclosing it publicly. However, depending on the exact scenario, courts can still find someone guilty of violating §202 StGB even after a responsible disclosure. Within the boundaries of current legislation, there is no guaranteed protection for reporters of security vulnerabilities.
Solution: Yes, that would work, as the order in which two functions that are inverse to each other are called does not matter.
SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 1 (Symmetric Cryptography)
How would decryption dec(ci) look like, assuming an inverse function F−1? k
Solution: Decryption works as follows:
m1 =F−1(c1 ⊕IV)
m2 =F−1(c1 ⊕c2 ⊕IV) k
m3 =F−1(c1 ⊕c2 ⊕c3 ⊕IV) k
mi =F−1(c1 ⊕c2 ⊕…⊕ci ⊕IV) k
Assume m1 equals m3. Can you spot this based on the ciphertexts (and IV)?
Solution: This is not immediately visible in c1 and c3, but interestingly m1 = m3 can be spotted if c2 and c3 are equal:
=⇒(c1 ⊕IV)=(c3 ⊕(c2 ⊕c1 ⊕IV))
⇔c3 ⊕ c2 = 0 ⇔c3 = c2
Would you prefer this mode over ECB? If so, why? If not, why not?
Solution: The mode does not bring any additional security benefit over ECB. In contrast, however, it is now harder to perform decryption (or encryption) in parallel, as new dependencies were introduced. While it would be possible to run encryption or decryption for all blocks in parallel, many ⊕ operations have to be performed to decrypt late blocks.