Cryptography Flashcards

Question

Key distribution for asymmetric cryptography: concept and problem

Answer 1

- the private key should never be disclosed - the public one should be distributed as widely as possible Problem: who guarantees the binding between the public key and the identity that owns it? solutions: 1. OOB 2. the public key is distributed by means of a public-key certificate

Answer 2

**KEY AGREEMENT ALGORITHM** - first public-key algorithm invented - A and B choose / agree two public integers p (prime, large) and g (generator) such that: 1 < g < p (typically g=2, 3, or 5) - length of DH key = number of bits of p - A arbitrarily chooses an integer x>0 and computes: X=g^x mod p - B arbitrarily chooses an integer y>0 and computes: Y=g^y mod p - A and B exchange (publish) X and Y - A computes K_A =Y^x mod p - B computes K_B =X^y mod p - result: K_A = K_B = g^{xy} mod p characteristics and problems: - resistant to the sniffing attack: if the attacker sniffs A and B he cannot get to know the key because he also needs x and y - if the attacker can manipulate the data then it is possible to make a man-in-the-middle attack; in this case it requires pre-authentication. One common approach is the use of digital certificates for DH keys. MQV (Menezes-Qu-Vanstone) is an extension of the Diffie-Hellman protocol that incorporates authentication directly into the exchange process, enhancing its security against MITM attacks.

Answer 3

Instead of using modular arithmetic, the operations are executed on the surface of a 2D (elliptic) curve. in this way the problem of discrete logarithm on such a curve is more complex than the problem in modular arithmetic and this leads to use shorter keys (about 1/10). - digital signature = ECDSA - key agreement = ECDH - authenticated key agreement = ECMQV - key distribution = ECIES (EC Integrated Encryption Scheme)

Answer 4

If someone intercepts an encrypted communication he cannot read it but he can modify it -> INTEGRITY IS ABOUT DETECTION

Answer 5

A message digest is a **fixed-length “summary”** of the message to be protected (of any length) It must be: * fast to compute * impossible or very difficult to invert * difficult to create “collisions” The digest is often used to avoid performing operations on the whole message, especially when the message is very large (e.g. because public-key cryptography is very slow) Digest can be calculated in many ways, but usually via a CRYPTOGRAPHIC hash function

Answer 6

- split the message M in N blocks M_1 ...M_N - iteratively apply a base function (f) V_k =f(V_{k-1}, M_k) with V_0 =IV and h=V_N THE DIGEST IS THE RESULT OF THE LAST ITERATION

Answer 7

**name block digest definition notes** **MD2** 8 bit 128 bit RFC-1319 obsolete **MD4** 512 bit 128 bit RFC-1320 obsolete **MD5** 512 bit 128 bit RFC-1321 obsolete **RIPEMD-160** 512 bit 160 bit ISO/IEC 10118-3 old + rare **SHA-1** 512 bit 160 bit FIPS 180-1 sufficient **SHA-224** 512 bit 224 bit FIPS 180-2, FIPS 180-3 good **SHA-256** 512 bit 256 bit FIPS 180-2, FIPS 180-3 good **SHA-384** 512 bit 384 bit FIPS 180-2, FIPS 180-3 good **SHA-512** 512 bit 512 bit FIPS 180-2, FIPS 180-3 good **SHA-3** 1152-576 224-512 FIPS 202, FIPS 180-4 excellent

Answer 8

- md1 = h(m1) - md2 = h(m2) if m1 ≠ m2 then we’d like to have md1 ≠ md2 to avoid aliasing If the algorithm is well designed and generates a digest of N bits, then the probability of aliasing is: P_A = 1 / (2^N_bit) Thus, digests with many bits are required (because statistical events are involved)

Answer 9

This is related to the message digest. A N-bit digest algorithm is insecure when more than 2**(N/2) digests are generated because the probability to have two messages with the same digest is P_A ~ 50%

Answer 10

A cryptosystem is “balanced” when the encryption and digest algorithms have the same resistance: - SHA-256 and SHA-512 have been designed for use respectively with AES-128 and AES-256 - note: SHA-1 (i.e. SHA-160) matched Skipjack-80

Answer 11

A cryptographic key must be random (each bit has 50% probability to be 0 or 1) but users typically insert passwords (or better passphrases) guessable and not random. To solve this problem we can use a key derivation function: - K = KDF(P, S, I) where - P = password or passphrase - S = salt (to make K difficult to guess given P) - I = number of iterations of the base function (to slow down the computation and make life complex for attackers) There are some KDF based upon cryptographic hash functions. An example is PBKDF2: it uses SHA-1, |S| > 64, I ≥ 1000 Another examples is HKDF, based on HMAC

Answer 12

PBKDF2 can be attacked because the number of iterations may be large but this requires only a lot of computation but not a lot of RAM

Answer 13

PBKDF2 can be attacked because C may be large but this requires only a lot of computation but not a lot of RAM. Hence it can be attacked by ASIC or GPU -> we need to increase the RAM needed for the attack -> public competition launched in 2013 The winner was Argon2

Answer 14

**They are codes** - to guarantee the integrity of messages, a code is added to the message: MIC (Message Integrity Code) - often integrity is not useful without authentication, thus the code (ensuring both security properties) is named: MAC (Message Authentication Code) - to avoid replay attacks, a unique identifier can be added to the message: MID (Message IDentifier)

Answer 15

Data are sent along with a digest calculated not only on data themselves but also on a shared secret key. - (sender) d = digest( K, M ) - (transmission) M || d - (receiver) d' = digest( K, M ) - (verification) if ( d == d' ) then OK else ALARM! Only who knows the key can compare the transmitted digest with the digest calculated on the received data. Advantages: - only one operation (digest) - few additional data - authentication + integrity

Answer 16

authentication + integrity

Answer 17

HMAC is a keyed digest that is BASED ON a base hash function. HMAC provides: integrity through digest and DATA authentication (but not of the sender since anyone could have sent that hash) base hash function H: - B byte block - L byte output, with B > L definitions: - ipad = 0x36 repeated B times - opad = 0x5C repeated B times - if |K|>B then K'=H(K) else K'=K - if |K'|

Answer 18

It is a MAC (keyed digest) variant which exploits a block-oriented symmetric encryption algorithm, in CBC mode with NULL IV, taking as MAC the last encrypted block - message M split in N blocks M_1 ...M_N - iterations: V0 = 0 for (k=1...N) do Vk = enc (K, M_k XOR V_{k-1} ) - cbc-mac = VN DES-based CBC-MAC was the Data Authentication Algorithm (standard FIPS 113, ANSI X9.17) It is secure **only for fixed-length messages**, for other cases use CMAC or OMAC Possible attack against variable-length messages: t = E-cbc-mac( K, M ) and t' = E-cbc-mac( K, M' ) then I can create M'' with t'' = E-cbc-mac( K, M'' )' ... without knowing K (!!!) Proof: - if I create M'' = M||(M'1 xort)||M'2 ||...||M'N then I get t'' = E-cbc-mac( K, M'' ) = t' because xor-ing the first block of M' with t will actually delete its contribution

Answer 19

hypothesis: - secrecy = symmetric encryption with K1 - integrity = keyed-digest (MAC) with K2 **authenticate-and-encrypt (A&E)** - enc(K1,p) || mac(K2 ,p) - must always decrypt before checking integrity (possible DoS attack) - may leak info about the plaintext - used by SSH - insecure unless performed in a single step **authenticate-then-encrypt (AtE)** - enc(K1 ,p||mac(K2 ,p)) - must always decrypt before checking integrity (possible DoS attack) - used by SSL and TLS - secure only with CBC or stream encryption **encrypt-then-authenticate (EtA)** - enc(K1,p)||mac(K2 ,enc(K1,p)) - can avoid decryption if MAC is wrong - used by IPsec - the most secure of the three ... but beware of implementation errors -> always include IV and algorithms in the MAC computation **The best one is Authenticated Encryption** **The normal encryption modes are subject to chosen-ciphertext attacks when used on-line**: - the attacker modifies a ciphertext - then observes if the receiver signals an error or not (e.g. padding oracle or decryption oracle attack)

Answer 20

It is a single operation for confidentiality and authentication/integrity -> same data for the two properties Advantages: * it just needs one key and one algorithm * better speed * less error likelihood in combining the two functions **Why? The normal encryption modes are subject to chosen-ciphertext attacks when used on-line**: * the attacker modifies a ciphertext * then observes if the receiver signals an error or not (e.g. padding oracle or decryption oracle attack) So we need to verify the integrity of the ciphertext before decrypting it

Answer 21

**Infinite Garble Extension** is a less common **mode of application** **that operates as** **Authenticated Encryption** and that provides **confidentiality, authN and integrity in one step.** It is similar to CBC but an error in one block influences **ALL** the following blocks. Good because we can just look at the last block to see if everything is ok. The last block is called tag. TODO

Answer 22

**AD is a way to use AE.** The header of the message is called associated data. * confidentiality: just for the payload * authN: for both the payload and the header AEAD is based on a nonce and on a key. The result is a message with the following fields: header - nonce - payload - tag

Answer 23

GCM CCM OCB 2.0 EAX

Answer 24

GCM defined for algorithms with **128-bit block** **(C, T) = algo_GCM_enc(K, IV, P, A):** * IV size [ 1 ... 264 bits ] (96 bits is most efficient) * P size [0...239 –256bits] * A (associated authenticated data) size [ 0 ... 264 bits ] * C has the same size as P * T is the authentication tag with size [ 0 ... 128 bits ] -> for encryption, GCM generates ciphertext + authentication tag **P = algo_GCM_dec(K, IV, C, A, T)** * P is the original plaintext (if authentication is OK) or a special value FAIL if the authentication check failed -> for decryption, first computes authentication tag and only if it matches the one in input then the ciphertext is decrypted Features: * on-line single-pass AEAD * parallelizable * used by TLS, present in openssl

Answer 25

CCM = Counter-mode with CBC-MAC. CCM is defined for algorithms with 128-bit block 1. first an authentication tag of (plaintext + associated data) is computed by CBC-MAC 2. then the plaintext and the tag are (separately) encrypted in CTR mode Features: - off-line double-pass, - the slowest one -> note: double-pass is 2x slower than one-pass (in software)

Answer 26

**GCM**: the most popular, on-line single-pass AEAD, parallelizable, used by TLS, present in openssl * for encryption, generates ciphertext + authentication tag * for decryption, first computes authentication tag and only if it matches the one in input then the ciphertext is decrypted * fast on Intel architecture (~4 cycle/byte) using AES-NI for encryption and PCLMULQDQ for the tag **OCB 2.0**: the fastest one, on-line single-pass AEAD, GPL patented so scarcely used, now free but for military uses **EAX**: on-line double-pass AEAD, slow but small (uses just the encryption block) so very good for constrained systems **CCM**: off-line double-pass, the slowest one *note: double-pass is 2x slower than one-pass (in software)*

Answer 27

Competition launched for AEAD lightweight algorithms. The winner was ASCON: usable for encryption, AEAD, hashing

Answer 28

NOT to replace AES or SHA3, just for lightweight env See page 87 of 02_crypto_v3

Answer 29

It means that also a digest (encrypted with the private key of the sender -> digital signature) is sent along with the data. 1. (signer S) H = enc( S.SK, hash( M ) ) 2. (transmission) M || H 3. (verifier V) X = dec( S.PK, H ) 4. (verification) if ( X == hash( M ) ) then OK else ALARM! Those who know the public key can compare the transmitted digest with the digest calculated on the received data **DIGITAL SIGNATURE !!!**

Answer 30

1. (signer S) H = enc( S.SK, hash( M ) ) 2. (transmission) M || H 3. (verifier V) X = dec( S.PK, H ) 4. (verification) if ( X == hash( M ) ) then OK else ALARM!

Answer 31

By means of a shared secret: - useful only for the receiver - cannot be used as a proof without disclosing the secret key - not useful for non repudiation By means of asymmetric encryption: - being slow it is applied to the digest only - can be used as a formal proof - can be used for non repudiation - = digital signature

Answer 32

- digital signature = authentication + integrity - handwritten signature = authentication - thus the digital signature is better, because it is tightly bound to the data - note: each user does not have a digital signature but a private key, which can be used to generate an infinite number of digital signatures (one for each different document)

Answer 33

It is a data structure used to securely bind a public key to some attributes. Typically it binds a key to an identity but other associations are possible too (e.g. IP address) It is digitally signed by the issuer: the Certification Authority (CA), has a limited lifetime and can be revoked on request both by the user and the issuer

Answer 34

X.509: - v1, v2 (ISO) - v3 (ISO + IETF) non X.509: - PGP - SPKI (IETF) PKCS#6: - RSA, partly compatible with X.509 - obsolete

Answer 35

* version * serial number * signature algorithm: used by the CA to sign the certificate * issuer: the entity that emitted the certificate * validity * subject: the identity associated to the public key specified in the certificate * subject Public Key Info: information about the public key * CA digital signature

Answer 36

It is the infrastructure, technical and administrative, put in place for the creation, distribution and revocation of public key certificates it becomes necessary to have an infrastructure (hierarchical?) for certification and distribution of public- key certificates

Answer 37

Any certificate can be revoked before its expiration date: - on request by the owner (subject) - autonomously by the creator (issuer) When a signature is verified, the receiver must check that the certificate was valid at signature time -> this kind of check is the responsibility of the receiver (relying party, RP) A certificate revocation can be checked via: CRL (Certificate Revocation List) - list of revoked certificates - signed by the CA or by a delegated party - certificate validity since it was issued OCSP (On-line Certificate Status Protocol) - response containing information about the certificate status - signed by the server - certificate validity at the current time

Answer 38

* version * signature algorithm * issuer * thisUpdate: time of the signature of this certificate. The check has to be done against this time * list of pairs (certificate - revocationDate) * CA digital signature

Answer 39

Cryptographic performance does not depend on RAM but on CPU (architecture and instruction set) and cache size It is not a problem on clients (except when not very powerful, e.g. IoT, or they are overloaded by local applications) but it can become a problem on the servers and/or on the network nodes (e.g. router): a possible solution is to use cryptographic accelerators (HSM, Hardware Security Module). There are special-purpose accelerators tied to a protocol (e.g. TLS, IPsec) or generic ones (e.g. AES, RSA)

Answer 40

Commercial National Security Algorithm Suite It includes the following algorithms: - (symmetric encryption) AES-256, (flow) mode CTR (low bandwidth) or GCM (high bandwidth) - (hash) SHA-384 - (key agreement) ECDH e ECMQV - (digital signature) ECDSA - EC on the curve P-384 For legacy systems: - (key agreement) DH-3072 - (key exchange, digital signature) RSA-3072 - new quantum-resistant algorithms expected by 2022

Answer 41

NO! You cannot separate them.

Answer 42

**HMAC** guarantees: - integrity through digest - data authentication (but** not of the sender** since anyone could have sent that hash) The **digital signature** in addition provides **authentication of the sender** because the hash is encrypted using his private key, and there is an X.509 certificate that certifies his identity

Answer 43

Integrity is defined as the **property that indicates whether a data has undergone manipulation**; some possible attacks on the integrity of a message or packet are those of the MITM type, which can modify packets in the connection

Answer 44

We have: - 20B (160 bits) for the SHA-1 digest - 1kb for plaintext - and Assuming AES-128-CTS encryption (therefore no padding): we have: 128B (1024 bit) AES symmetric key encrypted with the sender's Kpri and 128B (1024 bit) Kpub of the sender = 1300 B total

Answer 45

- DSA: is an asymmetric cryptography algorithm that does exponential on one side and logarithm on the other; it is used only for digital signature (therefore no encryption), since the function it uses if applied on plaintext would cause data loss - RC-4: stream-type symmetric encryption algorithm, which is applied to a continuous bit stream: the basic operation is that source and destination agree on a seed used to encrypt and decrypt - RIPEMD: cryptographic hash algorithm; considered excellent but hardly used - RSA: is an asymmetric block cipher algorithm that generates its KEYS using two exponents; the choice of these exponents is fundamental for the quality of the final result (in particular, the product of the two exponents must be less than the size of the block to be encrypted)

Answer 46

Block algorithms encrypt the main file by dividing it into blocks and encrypting each in a more or less separate way with the key according to the chosen algorithm; stream algorithms apply to a continuous bit stream: **the basic operation is that source and destination agree on a seed used to encrypt and decrypt**. Stream algorithms tend to be faster than block algorithms since they perform a simple XOR, but require constant synchronization between sender and receiver (this does not make them good for internet transmissions); by comparison, the block algorithms are significantly slower given the various operations that must be performed to match the data to the size of the blocks (such as padding), but yes, they are very suitable for the transmission of internet packets

Answer 47

Stream algorithms tend to be faster than block algorithms since they perform a simple XOR, but they require constant synchronization between sender and receiver (this does not make them good for internet transmissions), as well as the fact that block algorithms are significantly slower given the various operations that must be performed to match the data to the block sizes (such as padding)

Answer 48

DES has 64bit blocks (8 bytes), so 28 <32/8 = 4 8 byte blocks plus one block of the same size for the IV, in total (4 + 1) * 8 = 40byte

Answer 49

I create a key with K = pbkdf (pwd, sale, itc), and use IPsec in tunnel mode on corporate gateways to have data integrity and sender authentication; assuming that the files to be exchanged are particularly sensitive, we recommend the use of the VPN-B cyphersuite to also have confidentiality on the data

Answer 50

3DES has 64bit blocks (8 bytes), so 84 <88/8 = 11 blocks of 8 bytes plus one block of the same size for the IV, in total (11 + 1) * 8 = 96 bytes

Answer 51

3DES has 64bit blocks (8 bytes), so 1500 # 8 = 4 bytes in the last block which need 8-4 = 4 bytes of padding to fill it, so in total the file will be 1500 + 4 = 1504byte

Answer 52

parallelization!!! CBC is a block cipher algorithm that encrypts each block n after the first by XORing it with the result of step n-1 (for the first step, instead, an initialization vector IV is used, which in transmission can be sent hidden or even in clear) Advantages and disadvantages: + No swapping attacks + No known plain text attacks - Propagation of errors in case of loss and error in transmission of a block - No CPU parallelization CTR is a method for transmitting files smaller than a block size: data is divided into groups, and each group is mixed with a nonce + counter which is incremented for each group (the nonce must be identical to the destination) The main disadvantage is that clearing a block causes the counter to be desynchronized

Answer 53

n = nonce + counter k = DH digest = hmac_sha256 (k, P || n) c = P || digest || n

Answer 54

You have to encrypt with the public keys of B and C and sign with your private and distribute the public key of A, then: - C receives: AES_128 (Kpub_c, M) || HMAC-SHA256 (AES_128 (Kpub_c, M), Kpri_a) || Kpub_a - B receives: AES_128 (Kpub_b, M) || HMAC-SHA256 (AES_128 (Kpub_b, M), Kpri_a) || Kpub_a

Answer 55

In a solution of this type, a digest calculated not only on the data, but also on a secret (key) is sent and only those who know K can calculate the digest on the received data and compare it with the transmitted digest. This solution is widely used in the network environment. Security Properties: + integrity: if the plaintext data are modified, the kdR keyed-digest calculated on the received data will be different from the received kdF keyed-digest; + authentication: only those who know the secret key can have generated a keyed- digest corresponding to the data; - confidentiality: the data are sent in clear text; - non-repudiation: it is not possible to determine which peer generated the data. Advantages and disadvantages: + amount of data transmitted: the keyed-digest is very small compared to the data; + computation time: hash algorithms are quick to execute; + **implementation: a single hash algorithm is sufficient to ensure both confidentiality and authentication.** - partial integrity: collisions can occur, since it is theoretically impossible to identify all possible changes

Answer 56

**Keyed-digest**: a digest calculated not only on the data, but also on a secret (key) is sent and only those who know K can calculate the digest on the data received and compare them with the digest transmitted. This solution is widely used in the network environment. Security Properties: + integrity: if the plaintext data is modified, the kdR keyed-digest calculated on the received data will be different from the received kdF keyed-digest; + authentication: only those who know the secret key can have generated a keyed- digest corresponding to the data; - confidentiality: the data are sent in clear text; - non-repudiation: it is not possible to determine which peer generated the data. Advantages and disadvantages: + amount of data transmitted: the keyed-digest is very small compared to the data; + computation time: hash algorithms are quick to execute; + implementation: a single hash algorithm is sufficient to ensure both confidentiality and authentication. - **partial integrity**: collisions may occur, since it is theoretically impossible to identify all possible changes **Digital signature**: a digest is calculated with a cryptographic algorithm and associated with a data object so that any recipient of the data can use the signature to verify the origin and integrity of the data Security Properties: + integrity: if the plaintext data are modified, the MDR digest calculated on the received data will be different from the received and decrypted MDF digest; + authentication: only those who know the private key can have generated a digital signature corresponding to the data; - confidentiality: the data are sent in clear text; + non-repudiation: the sender cannot deny having signed the data, as long as his public key is provided by a public key certificate. Advantages and disadvantages: + **little additional data** - **inapplicable to a real time data flow**

Answer 57

SHA-1 was an overall good algorithm, but also extremely attached. In fact, a group of Chinese researchers managed to find collisions with only 2 ^ 69 calculations. SHA-2 was later popularized. As a quick fix after the SHA-1 attack, the SHA-2 family was created by lengthening the digest, similar to what happened between DES and 3DES.

Answer 58

SHA, RC4, AES_ECB, AES_CBC

Answer 59

3DES, DES, AES, RC4

Answer 60

Elliptic Curve Cryptography (ECC) **uses two-dimensional elliptic curve arithmetic**, instead of one-dimensional modular arithmetic. From a conceptual point of view, instead of using numbers (which are points on a straight line) we take the Cartesian space, and the values that are valid are only the points that satisfy the equation of an elliptic curve. The discrete logarithm problem on a curve is more complex to solve for bad guys than the discrete logarithm problem in modular arithmetic, so the keys for ECC can be shorter (about 1/10) for a comparable level of security , reducing the storage requirements on embedded devices. Some examples of use are the ECDSA (Elliptic Curve DSA) for digital signature, and the ECDH (Elliptic Curve DH) for the key agreement.

Answer 61

The **problem of the discrete logarithm on a curve** is more complex to solve for bad guys than the problem of the discrete logarithm in modular arithmetic, therefore: 1) The keys for the ECC can be shorter (about 1/10) for a comparable level of security 2) For the good ones all the algorithms require **only two elementary operations** that give as result of the points

Answer 62

The MAC consists of the last block of ciphertext **resulting from the application of a symmetric block cipher algorithm in CBC mode, with null initialization vector IV **(confidentiality is not necessary): **all** ciphertext blocks are **thrown away except the last one**, which is taken as MAC) the recipient can encrypt the received data with the same encryption algorithm and compare the last resulting ciphertext block with the received ciphertext block.

Answer 63

Because the keys to the ECC can be shorter (about 1/10) for a comparable level of security, reducing the storage requirements on embedded devices.

Answer 64

The ability to parallelize the CPU in the calculation, as any group can be encrypted without having to encrypt the previous groups (random access).

Answer 65

If you concatenate another block in the queue, the digest will be different and the coupon will not notice it, so the digest will be changed in some way without knowing the shared key.

Answer 66

A double application of encryption algorithms is generally never used, which is why it is avoided, as it would not significantly increase the level of security. Furthermore, the double application of encryption algorithms is subject to a known-plaintext attack, called meet-in-the-middle, which allows data to be decrypted with at most 2^{N + 1} attempts (for N-bit keys) . In short, it doubles the computation time but the key length increases by just one bit.

Answer 67

Keyed-digest because it is the fastest technique, hash fast and uses only one operation. Signing cannot be done on a data stream. Encryption is slow

Answer 68

We are talking about replay attacks only, so it is sufficient to guarantee Integrity with a keyed digest based on a symmetric key (agreed at the beginning of the session or better generated pseudo-randomly from a shared secret): d = kd (K || n || M || K) sending M || n || d In KD I put K at the extremes in order to avoid prefix and postfix attacks

Answer 69

k = DH, key gen-in-law d = HMAC_SHA256 (k, M), create message digest for integrity and authentication X = M || d, send message + digest

Answer 70

Through symmetric key algorithms, using the password as the key

Answer 71

AES has 128bit block, 12 ascii characters then 8bit each is 96bit plus 16bit salt is 112bit, so less than block which would lead me to use CTR

Answer 72

Since an RSA-2048 private key is used the signature size will be 2048bit

Answer 73

It depends on the size of the RSA key. Assuming it is 2048 bits, the signature will also be 2048 bits long

Answer 74

Those with an asymmetric key (such as RSA), since no secret must be sent to make them work

Answer 75

CTS is a technique that allows you to use block algorithms without padding. The bytes of the previous block are added to the last block, removing them from the penultimate block. To avoid standard padding, a part of the ciphertext already encrypted is used as padding. That is, for large files, it is not dramatic, as it only affects the last two blocks. It is useful when you cannot / want to increase the size of the data after encryption.

Answer 76

Attempting to maintain or increase the security of a system by keeping the design or construction of a security mechanism secret. Some do not consider it a good defense method because in an open system it is easier to find and announce possible vulnerabilities.

Answer 77

Authenticated encryption (AE) algorithms combine encryption and keyed-digest in a single operation: + confidentiality and authentication (and integrity) with a single algorithm and a single key; + higher speed; + lower risk of implementation errors. AE is becoming an increasingly growing need at the application level (eg. For e- mail messages). AE algorithms can be: * AEAD or not: some authenticated data can be left unencrypted; * single-pass or double-pass: a double-pass algorithm needs to store the results of the first pass for further calculations) it is at least twice slower than a one-pass algorithm if implemented in software; * on-line or off-line: the data can be taken as it arrives from the wire or all must first be saved. Normal encryption schemes are prone to chosen-ciphertext (oracle) attacks when used online: 1. the attacker modifies a ciphertext; 2. the attacker observes whether the receiver reports an error or not.

Answer 78

Diffie-Hellman (DH) was the first algorithm to use the concept of publishing something (the numbers p and g), and therefore in this sense it is often referred to as the first public key algorithm invented. DH is not a method to distribute the key, but to agree on the key: 1. sender X and receiver X choose or agree on two public integers, a generator g (typically 2, 3 or 5) and a prime number p (large), such that p> g> 1 2. X arbitrarily chooses an integer x> 0 (large), and computes A = gx mod p 3. Y arbitrarily chooses an integer y> 0 (large), and computes B = gy mod p 4. X sends (publishes) the calculated value A to Y; 5. Y sends (publishes) the calculated value B to X; 6. X receives B, and calculates KA = Bx mod p 7. Y receives A, and calculates KB = Ay mod p 8. for the property of powers, the values KA and KB, calculated independently from X and Y, are equal and constitute the secret key KAB: KA= (gy) x mod p, KB = (gx) y mod p → KA = KB = gxy mod p = KAB The main problem of this algorithm lies in the key agreement phase: however, in the event that the attacker is able to manipulate the data in transit, he can then sniff the traffic between the parties to manipulate them. This operation is completely transparent to the sender and the receiver: they have no way of knowing that beyond the protected channel there is no counterpart but there is the attacker, the keys they believe they have agreed are different, and data was manipulated. It is therefore **necessary to protect the exchanged keys through a pre-authentication process** using: * **certificates for DH keys**; * **Authenticated Variant Protocols of DH**

Answer 79

sha1 because it is a digest algorithm while the others are encryption

Answer 80

(Professor's answer) 1) symmetric: C = enc (K, P), P = dec (K, C); advantages: fast, simple key generation disadvantages: key distribution 2) asymmetrical: disadvantages: slow, key generation, key distribution