CM30173
University of Bath
DEPARTMENT OF COMPUTER SCIENCE
EXAMINATION
CM30173
May 2010
No calculators may be brought in and used.
Full marks will be given for correct answers to THREE questions.
Only the best three answers will contribute towards the assessment.
Examiners will attach importance to the number of
well-answered questions.
CM30173
CM30173 2.
1. (a) Alice uses an automated stock trading service to trade FTSE-100 shares by sending
one of a limited range of messages according to a fixed format: an account
number, followed by the word “Buy” or “Sell”, a three letter stock code, and
the size of the trade in multiples of 100. Describe a way for Alice to achieve
confidentiality and data integrity of these messages, and any potential security
weaknesses (describing the associated attacks) and how they can be avoided. Discuss
the infrastructure requirements and efficiency of your solution, bearing in mind the
nature of communication (many, short messages at unpredictable intervals). You
may assume that an attacker knows Alice’s account number, and by observing
the market closely, can associate transactions with the messages which caused
them. [10]
(b) The stock trading service also has an online transaction service, with a password
system to protect accounts. It has outsourced the processing of transactions to
another company where there is a risk of data theft by employees, and so they
cannot be trusted with the passwords. How can passwords be verified for online
transactions? What should the be done if it is discovered that data has been
compromised at the transaction-processing company? [5]
(c) A newswire service provides live financial data to the stock traders. They are
concerned that a third party may intercept and alter or forge these bulletins, in
order to profit from the resulting rise or fall in prices. Describe a way in which the
newswire and its users can establish the integrity and authenticity of their data.
How practical is it? What kind of attacks should it be secure against?
[5]
CM30173 continued
CM30173 continued 3.
2. (a) Draw a diagram of a substitution-permutation network and explain how it can be
used to encrypt a block of plaintext. [6]
(b) Suppose Alice and Bob use a SPN to encrypt 16 bit plaintext blocks in which each
S-box operates on 4 bit inputs (which may be represented as single hex digits) in
the following way:
0 1 2 3 4 5 6 7 8 9 A B C D E F
7 9 A B C D E F 0 1 2 3 4 5 6 8
Why is this a poor choice of S-box? Describe an attack to obtain the key used
by Alice and Bob which would exploit its vulnerabilities, identifying the resources
required. [8]
(c) Describe briefly three modes of operation for a block cipher (other than electronic
code book). Which is least susceptible to error propagation during encryption?
Which would you use if speed of encryption was paramount?
[6]
3. (a) Explain how a keyed hash function may be derived from an unkeyed hash
function. [6]
(b) What is a collision for an unkeyed hash function? When is an unkeyed hash function
computationally secure against collision attack, and how hard is an attack in this
case? [4]
(c) Suppose Bob encrypts a message m using CBC, and then computes a MAC using
CBC with the same key. Why is this not secure against existential forgery? [4]
(d) Show that any attacker who knows two pairs (x, hk(x)) and (y, hk(y)) of messages
and their authentication codes can perform an existential forgery of a third
pair. [6]
CM30173 continued
CM30173 continued 4.
4. (a) Using 187 as a modulus for RSA encryption, and 7 as the public key exponent,
calculate the private key exponent.
[6]
(b) Use the public key to encrypt the plaintext m = 3, and use the private key to
decrypt the ciphertext c = 2 [4]
(c) Suppose Alice, Abigail and Anna all have public keys with exponent e = 3, which
Bob uses to encrypt the same message to send to each of them. Show how an
attacker can obtain the key by intercepting these encrypted messages.
[6]
(d) Describe a further potential weakness of RSA encryption, and it how it may be
avoided. [4]
5. (a) Describe the El-Gamal digital signature scheme, including key generation, signature
generation and verification. [6]
(b) Prove that the signature generated by the signing algorithm is accepted according
to the verification procedure. [6]
(c) Why is a public unkeyed hash function used as part of the scheme? What property
is required of this function, to make it difficult to forge signatures? [4]
(d) Explain why the system is considered to be secure, if used correctly. How can
security be maintained when repeatedly signing messages using a single key? [4]
JDL/RJB CM30173