Exam Question Revision Notes Flashcards

This is from practicing questions: Keep updating with new findings! (82 cards)

1
Q

Why is RSA rarely used to encrypt data?

A
  • RSA is slow and computationally intensive
  • RSA uses large keys (2048+ bits), which becomes less efficient for large data
  • RSA is deterministic without padding, so it is weaker without safeguards
2
Q

What is an example of a pseudorandom number generator that is not suitable for cryptography?

A

The Linear Congruential Generator (LCG)

3
Q

Why is the Linear Congruential Generator not cryptographically secure?

A

If an attacker knows a few output values, then they can determine the internal state and predict all future values.

4
Q

How is second preimage resistance defined?

A

Second preimage resistance:
Given a message m, it should be computationally hard to find a different message m’ (one that is not the same as the original message) such that:
H(m) = H(m’)

5
Q

How is preimage resistance defined?

A

Preimage Resistance:
Given a hash value, it should be computationally hard to find a message such that H(message) = hash

6
Q

How is collision resistance defined?

A

Collision resistance:
It should be impossible to find any two messages m1, m2 that are not equal but have the same hash:
m1 ≠ m2 -> H(m1) should not equal H(m2)

7
Q

What cryptographic examples are there that could be weakened due to collisions in the hash function?

A
  • SHA-1
  • MD5
  • RSA
8
Q

How could hash collisions affect RSA?

A

If collisions are easy, then an attacker can create a different message that, when hashed, is exactly the same as the original message, and then pass it through the digital signature process using RSA. The message will then appear valid, and they will have a forged, yet signed, message.

9
Q

In the context of GF(x), what do the operators + and * mean?

A

+ = Bitwise XOR, e.g. 0 + 1 = 1, while 0 + 0 = 0 and 1 + 1 = 0
* = Actually multiply the values together in decimal format, then re-convert back into binary.

10
Q

Is perfect secrecy needed in practice?

A

No, so long as the algorithm remains computationally secure and is combined with good key management, then it is suitable enough for the real world.

11
Q

Why is the One Time Pad (OTP) not used in practice, despite having perfect secrecy?

A
  • Requires a unique key for every single message
  • Each key needs to be the exact same length as the message
  • Key management is incredibly tricky for the number of keys OTP would require for sustained service
12
Q

How does the padding scheme PKCS7 work?

A

PKCS7 works by taking a message and adding padding on to the end of it, either to increase its size to fit the block, or to double its size so as to fit two blocks.
It will add as many bytes as required by the encryption scheme, and the value in each byte will be set to the number of bytes the scheme has to fill in. Example: if 6 bytes needed to be added, then each byte will have its value set to 06 (hex for 6 in decimal).

13
Q

How does the receiver recognise padded bytes when using PKCS7?

A

The last byte will tell the receiver how many bytes of padding there are, and therefore how many to remove before decryption.

14
Q

What benefits does Galois Counter Mode (GCM) provide?

A
  • Authentication is built in by providing confidentiality and integrity
  • Parallelisable encryption: GCM can encrypt multiple blocks at once
  • No padding needed, as it works in Counter Mode
15
Q

What are some drawbacks of Galois Counter Mode (GCM)?

A
  • More complex implementation
  • Nonce re-use is catastrophic to security
  • May not be ideal on devices without AES hardware acceleration
16
Q

How can DES decrypt data even though its S-Boxes are not invertible?

A

DES is built on a Feistel network. This means that the round function that includes the S-Boxes doesn’t need to be invertible. The overall encryption process remains reversible because only one half of the data is transformed in each round, and the result is XORed with the other half. For decryption, you apply the same operations, but in reverse order using the sub-keys in the opposite sequence.

17
Q

Why are Elliptic Curves preferred in modern systems compared to modular arithmetic as the basis for a discrete logarithm problem?

A
  • It is more efficient and has stronger security properties
  • Uses significantly smaller key sizes
  • Stronger security per bit due to cyclic groups and maximum order generators
  • Resists attacks on the Discrete Logarithm Problem better, as the problem is harder in elliptic curve groups
18
Q

How do you evaluate an equation that includes the point at infinity in Elliptic Curves?

A

Ignore it entirely, and work out the inverse of the point. In the example POI - P, where P = (4, 2), you simply negate the y coordinate, then work out its value after the modulus has been applied. Then you have your point.

19
Q

How is Diffie-Hellman vulnerable to Man-In-The-Middle attacks?

A

Diffie-Hellman’s key exchange is unauthenticated, as there is no inherent mechanism to verify that the party you’re exchanging keys with is legitimate.

20
Q

How could you attack Diffie-Hellman with a man-in-the-middle attack?

A
  • Attacker intercepts public key of person 1
  • Sends their own E value to person 2
  • Person 2 sends back their B value, which is intercepted
  • Attacker sends their own F value to person 1
  • Attacker now lets each party calculate using their keys, whilst also holding a copy of both
21
Q

How can you defend against a man-in-the-middle attack?

A

Use authenticated key exchanges i.e. incorporate digital signatures or use public certificates/PKI to verify identities

22
Q

How can a private key be calculated from the public key in RSA?

A

Using the public key (n, e), the private key d is calculated such that:
d * e is equivalent to 1 mod Euler’s Totient(n)

23
Q

Is it practical to calculate the private key as an attacker in RSA?

A

For small keys, it is computationally feasible using methods such as the General Number Field Sieve (GNFS).
For large keys, it is computationally infeasible. In RSA, the typical key size is 2048 bits or longer, so it should be unbreakable.

24
Q

What are the main differences between probabilistic encryption schemes and deterministic schemes?

A

Deterministic - Always produces the same ciphertext for the same plaintext and key

Probabilistic - Introduce randomness into the process, ensuring the same plaintext encrypted multiple times yields different ciphertexts.

25
Q

What are some properties of probabilistic encryption schemes?

A
  • Randomised outputs: even with identical plaintext/key pairs, the output ciphertext varies
  • Semantic security: the output is indistinguishable from other outputs
  • Non-deterministic mapping: no fixed mapping from plaintext to ciphertext
26
Q

What are some properties of deterministic encryption schemes?

A
  • Repeatability: for a fixed key and message, the ciphertext is always the same
  • Predictability: if an attacker knows or guesses the plaintext, they can confirm it by comparing ciphertexts
  • Not semantically secure: due to repeated results when using the same parameters
27
Q

Why is the Extended Euclidean algorithm used in mathematical concepts?

A

It can be used to easily find the multiplicative inverse of a number under a modulus, e.g. finding the multiplicative inverse of 15 mod 52.

28
Q

What is the Euclidean algorithm used for in cryptographic systems?

A

It is used to identify whether a number has a multiplicative inverse and, if it does, the Extended Euclidean algorithm is then applied to find it and use it for further calculations.

29
Q

What is an example of an Authenticated Encryption (AEAD) scheme, and how does it implement authentication?

A

Galois Counter Mode: implements authentication by including an authentication tag that is computed using arithmetic in GF(2^128).

30
Q

How does AEAD provide benefits over a normal symmetric cipher?

A

AEAD provides message authenticity, as well as incorporating confidentiality and integrity into its scheme.

31
Q

How is AES a better alternative than Triple DES?

A
  • Significantly faster
  • Better key management
  • Higher resistance to attacks such as differential cryptanalysis
32
Q

What are some drawbacks with Triple DES?

A
  • Vulnerable to man-in-the-middle attacks, due to effective 112-bit security
  • Much slower than most alternatives, due to the three uses of DES
33
Q

What is Perfect Forward Secrecy?

A

Perfect Forward Secrecy is the term for the situation where, if an attacker compromises a future communication between two parties, the previous communications are still secure.

34
Q

How is Perfect Forward Secrecy typically implemented?

A

It is implemented through the use of session/ephemeral keys, which are generated from current session data.

35
Q

What is an example of a communication scheme that incorporates Perfect Forward Secrecy?

A

Elliptic Curve Diffie-Hellman (ECDH): uses ephemeral keys

36
Q

If an elliptic curve is not a standard curve, then what possible security issue might exist?

A
  • Small subgroup attacks: if an attacker can cause a system to operate on a point from a subgroup of small order, then they may gather partial information regarding private keys
37
Q

If a generator is used for a standard elliptic curve that is not a maximum order generator, what security issue could arise from this?

A
  • If the generator is not a maximum point order generator, then it will not span the full cyclic subgroup of the curve, causing the effective key space to be reduced
  • It also opens the door to certain types of attacks, such as Pollard's Rho or invalid curve attacks
38
Q

What does RSA's security rely on?

A

The Integer Factorisation Problem (IFP), which represents the difficulty of factoring n from RSA into its prime components p and q in order to calculate Euler(n), which in turn is used to calculate the private key.

39
Q

How could an attacker attempt to calculate the private key in RSA?

A

An attacker would have to calculate Euler(n) so as to satisfy the equation:
d * e is equivalent to 1 mod Euler(n)
As such, to calculate Euler(n), you need to find the factors of N = p * q, which invokes the Integer Factorisation Problem, which is computationally infeasible.

40
Q

What makes an LCG weak and not suitable as a PRNG for cryptographic systems?

A
  • Deterministic and thus predictable, which makes them unsuitable for cryptographic systems
  • LCGs are also linear (the clue is in the name), and therefore allow attackers to predict the next value after only a few outputs
41
Q

What makes a CSPRNG suited for cryptographic purposes?

A
  • Uses unpredictable seeds
  • Produces output that is non-linear
  • Resistant to reverse-engineering
42
Q

What are the use cases of Message Authentication Codes (MACs)?

A

Commonly used in symmetric protocols

43
Q

What do MACs not support compared to digital signatures?

A

Non-repudiation. MACs use symmetric keys, i.e. the same shared key, whereas digital signatures use asymmetric keys, which allows for non-repudiation.

44
Q

Why is key re-use discouraged in cryptographic systems?

A

If a key is used multiple times, e.g. for both encryption and authentication, then an attacker could not only decrypt messages but also forge valid messages.

45
Q

What is an example of a catastrophic problem that could arise in a system with key re-use?

A

Stream ciphers are especially vulnerable to this: if they re-use the same key, then all future communications are liable to be exposed by an attacker.

46
Q

What is a primitive polynomial?

A

A primitive polynomial is one that generates a maximum-length sequence in an LFSR.

47
Q

What is a primitive polynomial's role in security?

A

It ensures that the keystream cycles through all non-zero bit states before repeating, which is critical in achieving statistical randomness in the keystream.

48
Q

Why is a static nonce in a stream cipher a critical security issue?

A

Using a key, a nonce generates the keystream. If the nonce is exactly the same each time, then the keystream will also be exactly the same each time. This means that, if an attacker got hold of the keystream, they could XOR it with any message, past or future, and retrieve the original plaintext message.

49
Q

What is the formula surrounding the Elliptic Curve Discrete Logarithm Problem?

A

Given a curve, listed as C, a primitive root, called P, and a point aP, what is a?

50
Q

Why is the Elliptic Curve Discrete Logarithm Problem hard to solve?

A

It is difficult to figure out a, as there is no feasible-time algorithm, such as Index Calculus, that can solve the problem on general curves.

51
Q

How do you determine if a point lies on an elliptic curve?

A

Plug the point's coordinates directly into the equation, and then solve both sides. If they are equivalent, then the point lies on the curve; otherwise it does not.

52
Q

How do you calculate the inverse of a point in an elliptic curve?

A

P = (x, y), -P = (x, -y)
Therefore, just negate the y coordinate, and then apply the modulus to it until you have a positive number. Then -P becomes:
-P = (x, -y mod number)
Example: P = (5, 22) with a modulus of 29
-P = (5, -22 mod 29)
-P = (5, 7)

53
Q

What is a side-channel attack?

A

It is a type of attack that exploits information leakage from the physical implementation of a cryptographic algorithm, rather than directly attacking the cryptographic algorithm itself.

54
Q

What is an example attack on a system that is a side-channel attack?

A

Using timing information for RSA. If you can measure how long RSA decryption takes and use it to infer bits of the private key, then you can identify the private key structure.

55
Q

What is an advantage of using Elgamal in encryption, and what is a different advantage of using Elgamal in Digital Signatures?

A

Encryption: semantic security built in, due to the Discrete Logarithm Problem
Digital Signatures: unforgeability if implemented securely

56
Q

What is a disadvantage of using Elgamal in encryption, and what is a different disadvantage of using Elgamal in Digital Signatures?

A

Encryption: ciphertext expansion, as it doubles the size of the plaintext
Digital Signatures: vulnerable to re-used nonce attacks; reusing k allows full private key recovery

57
Q

What is Kerckhoffs's principle?

A

The security of the cryptosystem must lie in the choice of its keys only. Everything else should be considered public knowledge.

58
Q

What is the formal definition of Confusion?

A

Obscure the relationship between the plaintext, ciphertext and key

59
Q

What is the formal definition of Diffusion?

A

The influence of each key bit or plaintext bit should be distributed throughout the ciphertext

60
Q

How is Confusion implemented in block ciphers?

A

Confusion is implemented through the use of S-Boxes, in order to make the relationship between key and ciphertext more complex

61
Q

How is Diffusion implemented in block ciphers?

A

Diffusion is typically implemented through the use of specific operations, like ShiftRows and MixColumns in AES, which spread input bits over many output bits.

62
Q

What is an inherent advantage of stream ciphers?

A

Stream ciphers tend to be very fast and quite memory-efficient

63
Q

What is an inherent advantage of block ciphers?

A

Block ciphers use padding to set the message length to the block's desired size. As such, they have inherently increased security due to the addition of padding to the message.

64
Q

What is an inherent disadvantage of stream ciphers?

A

Stream ciphers are very vulnerable to keystream re-use, such as through poor nonce management.

65
Q

What is an inherent disadvantage of block ciphers?

A

They are more complex to implement correctly.

66
Q

What are the four stages of AES, in order of execution?

A
  • SubBytes
  • ShiftRows
  • MixColumns
  • AddRoundKey
67
Q

What does SubBytes do in AES?

A

It is a nonlinear substitution step that uses S-Boxes: a lookup table based on the multiplicative inverse in GF(2^8), followed by an affine transformation.

68
Q

What does ShiftRows do in AES?

A

ShiftRows takes each row in the state matrix and shifts it to the left by a number of positions corresponding to its row number. Example: Row 1 shifts once; Row 3 shifts three times.

69
Q

What does MixColumns do in AES?

A

MixColumns treats each column as a 4-byte vector and as a polynomial, and multiplies it by a fixed matrix based on GF(2^8).

70
Q

What does AddRoundKey do in AES?

A

AddRoundKey takes each byte of the state matrix and XORs it with the corresponding byte of the round key.

71
Q

How does ECB (Electronic Code Book) Mode work?

A

ECB works by:
  • Dividing the plaintext into fixed-size blocks
  • Encrypting each block independently using the same key
  • Concatenating the ciphertext blocks into a single ciphertext
72
Q

What are some advantages of using ECB mode?

A
  • Easy to implement and understand
  • Parallelisable
  • No padding issues if the plaintext is a multiple of the block size
73
Q

What are some disadvantages of using ECB mode?

A
  • No diffusion across blocks
  • Pattern leakage
  • Vulnerable to block replay or rearrangement attacks
74
Q

What is the security issue with using ECB Mode?

A

It is not semantically secure, as an attacker can infer relationships between plaintext blocks by analysing ciphertext repetition.

75
Q

What is an example case where the attacker can gain relationship information when something is encrypted using ECB?

A

Encrypting an image, e.g. the Uni of Nottingham logo, preserves visible patterns. As such, encrypted images retain their basic structure.

76
Q

How do digital signatures work?

A
  • An entity signs a hash of the given message with their private key
  • The receiver then verifies it using the sender's public key
77
Q

How do digital signatures establish authenticity and non-repudiation?

A

Only the sender could have created the signature, and if the message is changed, then the signature fails.

78
Q

How are Message Authentication Codes (MACs) created?

A

They are created through the use of a shared secret key, which is why they are used in symmetric encryption.

79
Q

What is an existential forgery attack?

A

An existential forgery attack assumes an attacker can create a message/signature pair that is valid, even if the message is nonsensical. There are no constraints on the message creation process in the scheme it attacks.

80
Q

What is a selective forgery attack?

A

The attacker is able to create a valid message/signature pair, where they have selected the message in advance.

81
Q

What is a universal forgery attack?

A

A type of attack where the attacker can select any message and create a valid message/signature pair.

82
Q

What is the difference between PKCS#1 v1.5 and PSSRSA?

A

PSSRSA, also known as just PSS, is a probabilistic padding scheme, which means that the digital signature, if repeated, will produce different results. Meanwhile, PKCS#1 v1.5 is a deterministic scheme, which could lead to attackers gaining information after repeated digital signatures are created.