
Cloud Computing Security Homework Assignment 1

November 26, 2010

Linear Block Cipher

A linear block cipher LC encrypts 64-bit blocks of plaintext into 64-bit blocks of ciphertext. Let LC(k, m) denote the encryption of a 64-bit message m using a key k.

$$LC(k, [m_1 \oplus m_2]) = LC(k, m_1) \oplus LC(k, m_2)$$

For N 64 chosen ciphertexts, show how an adversary can decrypt any ciphertext without knowing k.

Ans. The most straightforward way to achieve this is to choose the 64 ciphertexts, each with only one bit set to one:

chosen ciphertexts = $\{c_i,\ 1 \le i \le 64 \mid$ 64-bit block whose $i$th bit is 1, all other bits being 0$\}$, with $p_i$ as the corresponding plaintexts.

For the ciphertext whose $\{i_1, i_2, \ldots, i_m\}$-th bits are 1, its plaintext is simply:

$$p_{i_1} \oplus p_{i_2} \oplus \cdots \oplus p_{i_m}$$

And because the cipher is linear, the ciphertext with all 64 bits being zero must come from the plaintext with all bits zero. Thus all ciphertexts can be decrypted.
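The answer above, carried out in code as an added example (not part of the original assignment). The toy cipher `lc_encrypt`/`lc_decrypt` and its key schedule are constructed stand-ins built only from XOR, shifts and rotations so that the linearity property holds; the adversary functions only ever call the decryption oracle.

```python
import random

MASK = (1 << 64) - 1

def _rounds(key):
    # Constructed toy key schedule: the key picks shift/rotate amounts.
    rng = random.Random(key)
    return [tuple(rng.randrange(1, 64) for _ in range(3)) for _ in range(4)]

def _rotl(x, r):
    return ((x << r) | (x >> (64 - r))) & MASK

def lc_encrypt(key, m):
    """Toy cipher made of XOR, shifts and rotations, hence linear over GF(2)."""
    for a, r, b in _rounds(key):
        m ^= (m << a) & MASK
        m = _rotl(m, r)
        m ^= m >> b
    return m

def lc_decrypt(key, c):
    """Inverse of lc_encrypt; this is the oracle the adversary may query."""
    for a, r, b in reversed(_rounds(key)):
        y = c
        for _ in range(64):      # undo y = x ^ (x >> b) by fixed-point iteration
            c = y ^ (c >> b)
        c = _rotl(c, 64 - r)
        y = c
        for _ in range(64):      # undo y = x ^ (x << a)
            c = y ^ ((c << a) & MASK)
    return c

def learn_basis(oracle):
    """Query the oracle on the 64 one-bit ciphertexts c_1..c_64, giving p_1..p_64."""
    return [oracle(1 << i) for i in range(64)]

def decrypt_without_key(basis, c):
    """XOR together p_i for every bit i that is set in the ciphertext c."""
    p = 0
    for i, p_i in enumerate(basis):
        if (c >> i) & 1:
            p ^= p_i
    return p
```

The design lesson is the defensive one: a cipher needs a nonlinear component, because 64 oracle answers fully determine a linear map on 64-bit blocks.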

Galois Field

GF($2^4$) with $m(x) = x^4 + x + 1$

Ans. From $m(x) = x^4 + x + 1$, we can get the relation $x^4 = x + 1$ for the reduction of degrees higher than 3.

    Power Representation   Polynomial            Binary   Decimal
    0                      0                     0000     0
    g^0 (= g^15)           1                     0001     1
    g^1                    g                     0010     2
    g^2                    g^2                   0100     4
    g^3                    g^3                   1000     8
    g^4                    g + 1                 0011     3
    g^5                    g^2 + g               0110     6
    g^6                    g^3 + g^2             1100     12
    g^7                    g^3 + g + 1           1011     11
    g^8                    g^2 + 1               0101     5
    g^9                    g^3 + g               1010     10
    g^10                   g^2 + g + 1           0111     7
    g^11                   g^3 + g^2 + g         1110     14
    g^12                   g^3 + g^2 + g + 1     1111     15
    g^13                   g^3 + g^2 + 1         1101     13
    g^14                   g^3 + 1               1001     9

AES Encryption

Given plaintext {000102030405060708090A0B0C0D0E0F}, key {01010101010101010101010101010101}

(a) Original contents of State (as a 4×4 matrix)

$$\begin{bmatrix} 00 & 04 & 08 & 0C \\ 01 & 05 & 09 & 0D \\ 02 & 06 & 0A & 0E \\ 03 & 07 & 0B & 0F \end{bmatrix}$$

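(b) Value of State after initial AddRoundKey. After bitwise XOR between the initial block and the key, we can get:

$$\begin{bmatrix} 00 & 04 & 08 & 0C \\ 01 & 05 & 09 & 0D \\ 02 & 06 & 0A & 0E \\ 03 & 07 & 0B & 0F \end{bmatrix} \oplus \begin{bmatrix} 01 & 01 & 01 & 01 \\ 01 & 01 & 01 & 01 \\ 01 & 01 & 01 & 01 \\ 01 & 01 & 01 & 01 \end{bmatrix} = \begin{bmatrix} 01 & 05 & 09 & 0D \\ 00 & 04 & 08 & 0C \\ 03 & 07 & 0B & 0F \\ 02 & 06 & 0A & 0E \end{bmatrix}$$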

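(c) Value of State after SubBytes. Using the S-Box, we can substitute the value byte-by-byte (entry-by-entry from the matrix perspective).

$$\begin{bmatrix} 01 & 05 & 09 & 0D \\ 00 & 04 & 08 & 0C \\ 03 & 07 & 0B & 0F \\ 02 & 06 & 0A & 0E \end{bmatrix} \rightarrow \begin{bmatrix} 7C & 6B & 01 & D7 \\ 63 & F2 & 30 & FE \\ 7B & C5 & 2B & 76 \\ 77 & 6F & 67 & AB \end{bmatrix}$$

(d) Value of State after ShiftRows.

$$\begin{bmatrix} 7C & 6B & 01 & D7 \\ 63 & F2 & 30 & FE \\ 7B & C5 & 2B & 76 \\ 77 & 6F & 67 & AB \end{bmatrix} \rightarrow \begin{bmatrix} 7C & 6B & 01 & D7 \\ F2 & 30 & FE & 63 \\ 2B & 76 & 7B & C5 \\ AB & 77 & 6F & 67 \end{bmatrix}$$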

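(e) Value of State after MixColumns. AES uses the irreducible polynomial $m(x) = x^8 + x^4 + x^3 + x + 1$, $x^8 = x^4 + x^3 + x + 1$ under mod 2 arithmetic.

$$\begin{bmatrix} 02 & 03 & 01 & 01 \\ 01 & 02 & 03 & 01 \\ 01 & 01 & 02 & 03 \\ 03 & 01 & 01 & 02 \end{bmatrix} \begin{bmatrix} 7C & 6B & 01 & D7 \\ F2 & 30 & FE & 63 \\ 2B & 76 & 7B & C5 \\ AB & 77 & 6F & 67 \end{bmatrix} = \begin{bmatrix} 75 & 87 & 0F & B2 \\ 55 & E6 & 04 & 22 \\ 3E & 2E & B8 & 8C \\ 10 & 15 & 58 & 0A \end{bmatrix}$$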

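Take the first byte (upper-left corner) as an example ($\ll$: one-bit left shift):

$$\begin{aligned} (02 \cdot 7C) \oplus (03 \cdot F2) \oplus 2B \oplus AB &= \{(\ll 0111\,1100)\} \oplus \{(\ll 1111\,0010) \oplus 1111\,0010\} \oplus \{0010\,1011\} \oplus \{1010\,1011\} \\ &= 1111\,1000 \oplus \{1110\,0100 \oplus 0001\,1011\} \oplus 1111\,0010 \oplus 0010\,1011 \oplus 1010\,1011 \\ &= 0111\,0101 \end{aligned}$$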
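Both the Galois Field table and the MixColumns step rest on the same operation: multiply by x, then reduce with the field polynomial. The following added example (not part of the original assignment; function names are chosen here) regenerates the GF(2^4) power table and the MixColumns result from the ShiftRows state given in (d).

```python
def xtime(v, poly, bits):
    """Multiply v by x in GF(2^bits); poly is m(x) including its top bit."""
    v <<= 1
    if v >> bits:          # degree reached `bits`: subtract (XOR) m(x)
        v ^= poly
    return v

def gf_mul(a, b, poly=0x11B, bits=8):
    """Shift-and-add product of a and b; defaults are the AES field."""
    result = 0
    while b:
        if b & 1:
            result ^= a
        a = xtime(a, poly, bits)
        b >>= 1
    return result

def power_table(poly=0b10011, bits=4):
    """Values of g^0 .. g^(2^bits - 2) for g = x; default is m(x) = x^4 + x + 1."""
    table, v = [], 1
    for _ in range((1 << bits) - 1):
        table.append(v)
        v = xtime(v, poly, bits)
    return table

MIX = [[2, 3, 1, 1],
       [1, 2, 3, 1],
       [1, 1, 2, 3],
       [3, 1, 1, 2]]

def mix_columns(state):
    """state is a list of 4 rows; each output column is MIX times the input column."""
    out = [[0] * 4 for _ in range(4)]
    for col in range(4):
        for row in range(4):
            for k in range(4):
                out[row][col] ^= gf_mul(state[k][col], MIX[row][k])
    return out

# State after ShiftRows, copied from part (d) of the page.
AFTER_SHIFT_ROWS = [[0x7C, 0x6B, 0x01, 0xD7],
                    [0xF2, 0x30, 0xFE, 0x63],
                    [0x2B, 0x76, 0x7B, 0xC5],
                    [0xAB, 0x77, 0x6F, 0x67]]

if __name__ == "__main__":
    print(power_table())
    for row in mix_columns(AFTER_SHIFT_ROWS):
        print(" ".join(f"{b:02X}" for b in row))
```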

Error Propagation

For each of the modes ECB, CBC, and CTR:

(a) Which decrypted plaintext block $P_x$ will be corrupted if there's an error in block $C_4$ of the transmitted ciphertext?

Ans.
ECB: Only $P_4$ is corrupted.
CBC: $P_4$ and $P_5$ are corrupted.
CTR: Only $P_4$ is corrupted.

(b) (The ciphertext has N blocks.) If there's a bit error in the source version of $P_3$, through how many ciphertext blocks would the error propagate?

Ans.
ECB: Error is restricted to $C_3$.
CBC: The error will propagate from $C_3$ to the last block $C_N$, in total $N - 3 + 1$ blocks.
CTR: Error is restricted to $C_3$.
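The two answers can be checked mechanically. This added example (not part of the original assignment) uses a constructed 64-bit Feistel permutation as a stand-in block cipher, with constructed key, IV and six plaintext blocks, and reports which blocks change.

```python
import hashlib

BS = 8  # toy 64-bit block; the propagation pattern does not depend on block size

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block(key, blk, decrypt=False):
    """Constructed 4-round Feistel permutation standing in for a block cipher."""
    l, r = blk[:4], blk[4:]
    for i in (range(3, -1, -1) if decrypt else range(4)):
        f = lambda h: hashlib.sha256(key + bytes([i]) + h).digest()[:4]
        l, r = (xor(r, f(l)), l) if decrypt else (r, xor(l, f(r)))
    return l + r

def run(mode, key, iv, blocks, decrypt=False):
    out, prev = [], iv
    for i, b in enumerate(blocks):
        if mode == "ECB":
            o = block(key, b, decrypt)
        elif mode == "CBC" and decrypt:
            o, prev = xor(block(key, b, True), prev), b
        elif mode == "CBC":
            o = prev = block(key, xor(b, prev))
        else:  # CTR: the same keystream XOR in both directions
            ctr = (int.from_bytes(iv, "big") + i) % 2**64
            o = xor(b, block(key, ctr.to_bytes(BS, "big")))
        out.append(o)
    return out

def flip_bit(blocks, n):
    out = list(blocks)  # copy with the lowest bit of block n (1-based) flipped
    out[n - 1] = xor(out[n - 1], b"\x00" * (BS - 1) + b"\x01")
    return out

def differing(a, b):
    return [i + 1 for i, (x, y) in enumerate(zip(a, b)) if x != y]

KEY, IV = b"constructed key", b"\x00" * 7 + b"\x2a"
PLAIN = [bytes([i]) * BS for i in range(1, 7)]  # constructed P1..P6, so N = 6

def corrupted_plaintext(mode):
    """Part (a): flip a bit in C4 and list the decrypted blocks that differ."""
    c = run(mode, KEY, IV, PLAIN)
    return differing(PLAIN, run(mode, KEY, IV, flip_bit(c, 4), decrypt=True))

def affected_ciphertext(mode):
    """Part (b): flip a bit in P3 and list the ciphertext blocks that differ."""
    return differing(run(mode, KEY, IV, PLAIN), run(mode, KEY, IV, flip_bit(PLAIN, 3)))
```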

Pseudorandom Number

Test the PRNG on the computer by Ernesto Cesàro's theorem: when x and y are integers randomly chosen,

$$Prob(\gcd(x, y) = 1) = \frac{6}{\pi^2}$$

Ans. The calculated $\pi$ is close to 3.14. Code used:

    #include <cstdio>
    #include <cstdlib>
    #include <cmath>
    #include <iostream>
    #include <ctime>
    using namespace std;

    // Euclid's algorithm: greatest common divisor of a and b
    int euclid(int a, int b) {
        int temp;
        if (a < b) { temp = a; a = b; b = temp; }
        if (b == 0) return a;
        else return euclid(b, a % b);
    }

    int main() {
        double t, temp;
        double prime = 0;   // number of coprime pairs seen
        double total = 0;
        int n1, n2;
        // Seed once: reseeding with time(NULL) before every draw would
        // return the same pair for every iteration within one second.
        srand(time(NULL));
        cout << "How many samples? ";
        cin >> temp;
        for (int j = 0; j < 10; j++) {
            t = temp;
            prime = 0;
            for (int i = 0; i < t; i++) {
                n1 = rand();
                n2 = rand();
                if (euclid(n1, n2) == 1) prime = prime + 1;
            }
            t = t / prime * 6.0000;   // 6 / Prob(gcd = 1) = pi^2
            t = sqrt(t);
            total = total + t;
            cout << j + 1 << " " << t << "\n";
        }
        cout << "average = " << total / 10 << "\n";
        return 0;
    }

Result:

    Trial 1
    How many samples? 1000000
    1 3.20385
    2 3.10014
    3 3.45281
    4 3.14291
    5 3.23564
    6 3.26122
    7 2.97740
    8 3.13176
    9 3.44302
    10 2.92017
    average = 3.18689

    Trial 2
    How many samples? 1000000
    1 3.13708
    2 2.79151
    3 3.66450
    4 3.10826
    5 3.17299
    6 3.04876
    7 2.99227
    8 2.95708
    9 3.15345
    10 2.92690
    average = 3.09528

The use of $m = 2^k$ to simplify modulo arithmetic has its defect. This makes the less significant bits much less random than the more significant bits. (From $X_{n+1} = aX_n + c \bmod m$, it's obvious that there are only 3 kinds of possible outcome: all odd, all even, or alternating between even and odd.)

For truly random integers, $\frac{1}{4}$ of the pairs consist of 2 even numbers ($\gcd \neq 1$); but for the sequence alternating between even and odd, this can never happen. We can make an estimation from this fact: assume that for truly random integers, $Prob(\gcd = 1) = P$. $P$ is totally contributed by the $\frac{3}{4}$ of pairs that are not both even; for the alternating sequence, the probability rises to $\frac{4}{3}P$ because the "both are even" factor, which can make $\gcd \neq 1$, is removed. So the corresponding estimation of $\pi$ would become $\frac{\sqrt{3}}{2}\pi \approx 2.72$.
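The estimate above can be reproduced directly. In this added example (not part of the original assignment) the generator constants a = 1103515245, c = 12345, m = 2^31 are an assumption chosen so that a and c are both odd, which gives the alternating even/odd case; the page does not say which generator its C library used.

```python
import math

def lcg(seed, a=1103515245, c=12345, m=2**31):
    """X_{n+1} = (a * X_n + c) mod m with m a power of two (assumed constants)."""
    x = seed
    while True:
        x = (a * x + c) % m
        yield x

def high_bits(stream, shift=16):
    """Drop the weak low-order bits and keep only the upper ones."""
    for x in stream:
        yield x >> shift

def parity_pattern(stream, n=8):
    """Lowest bit of the first n outputs."""
    return [next(stream) & 1 for _ in range(n)]

def estimate_pi(stream, pairs):
    """Cesaro test: pi is about sqrt(6 / Prob(gcd = 1)) over consecutive pairs."""
    coprime = 0
    for _ in range(pairs):
        if math.gcd(next(stream), next(stream)) == 1:
            coprime += 1
    return math.sqrt(6 * pairs / coprime)

if __name__ == "__main__":
    print("parity of raw outputs:", parity_pattern(lcg(1)))
    print("pi from raw outputs:  ", estimate_pi(lcg(1), 100_000))
    print("pi from high bits:    ", estimate_pi(high_bits(lcg(1)), 100_000))
```

With the raw outputs every pair holds one even and one odd number, so the estimate lands near 2.72; discarding the low 16 bits brings it back toward 3.14.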

Miller-Rabin Test

Ans. Though the algorithm cannot determine whether a number n is really prime, we can safely say n is prime with a high degree of confidence after repeating the test a large enough number of times. Each time we choose a new a (between 1 and n) to test the number n, the probability that we get the inconclusive result while n is composite is at most $\frac{1}{4}$. So after t checks with t different a's (all with inconclusive results), the probability that n is actually composite would be reduced to $\frac{1}{4^t}$. When t is sufficiently large, we can determine with a high degree of confidence whether n is prime.
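The 1/4 figure can be measured on small composites. This is an added example (not part of the original assignment); it assumes odd n > 3 and counts bases over 1 <= a <= n - 1, and the function names are chosen here.

```python
import random

def inconclusive(n, a):
    """One Miller-Rabin round: True if base a does not prove odd n > 3 composite."""
    q, k = n - 1, 0
    while q % 2 == 0:          # write n - 1 = 2^k * q with q odd
        q //= 2
        k += 1
    x = pow(a, q, n)
    if x == 1 or x == n - 1:
        return True
    for _ in range(k - 1):
        x = pow(x, 2, n)
        if x == n - 1:
            return True
    return False

def liar_fraction(n):
    """Share of bases 1 <= a <= n - 1 that are inconclusive for composite n."""
    return sum(inconclusive(n, a) for a in range(1, n)) / (n - 1)

def probably_prime(n, t=20, seed=1):
    """Declare n prime only if t randomly chosen bases are all inconclusive."""
    rng = random.Random(seed)
    return all(inconclusive(n, rng.randrange(2, n - 1)) for _ in range(t))

def error_bound(t):
    """Bound from the text on a composite surviving t independent rounds."""
    return 0.25 ** t

if __name__ == "__main__":
    for n in (221, 561, 1105):  # composites; 561 and 1105 are Carmichael numbers
        print(n, f"liar fraction = {liar_fraction(n):.4f}")
    print("bound after 20 rounds:", error_bound(20))
```

Fermat's test alone would accept the Carmichael numbers for every base coprime to n; the square-root check in the inner loop is what keeps the liar fraction under one quarter.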

RSA private key leakage

Ans. Not safe. Public key (PU) = {e, n}; private key (PR) = {d, n}. The algorithm is established on the relationship $M^{ed} \bmod n = M$ for $M$ between 1 and $n$; security is based on the complexity of finding d given e and n, which is equivalent to large prime factoring. Once the private key d is known, combined with the public information {e, n}, n = pq can be factored easily by:

$$\begin{cases} n = pq \\ ed \bmod \phi(n) = 1 \Rightarrow ed - 1 = (p - 1)(q - 1) \end{cases}$$

After p and q are found, changing d without changing n is meaningless, since d can be easily recovered by $d = e^{-1} \bmod \phi(n)$; with p and q known, $\phi(n) = (p - 1)(q - 1)$.
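Why the modulus has to be replaced after a leak, as an added example (not part of the original assignment). It goes beyond the equation above by handling the general case in which ed - 1 is some multiple of φ(n), using the standard search for a non-trivial square root of 1; the sample key is constructed from two Mersenne primes and is far too small for real use.

```python
import math
import random

def factor_from_exponents(n, e, d, seed=0):
    """Factor n = p * q given a matching RSA exponent pair (e, d)."""
    k = e * d - 1                    # a multiple of phi(n), hence even
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2         # k = 2^s * t with t odd
    rng = random.Random(seed)
    while True:
        a = rng.randrange(2, n - 1)
        if math.gcd(a, n) > 1:       # a already shares a factor with n
            p = math.gcd(a, n)
            return tuple(sorted((p, n // p)))
        x = pow(a, t, n)
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1 and x not in (1, n - 1):
                p = math.gcd(x - 1, n)   # x is a non-trivial square root of 1
                return tuple(sorted((p, n // p)))
            x = y

def new_private_exponent(n, e, d, new_e):
    """Derive d' for a replacement public exponent new_e on the same modulus."""
    p, q = factor_from_exponents(n, e, d)
    return pow(new_e, -1, (p - 1) * (q - 1))   # needs Python 3.8+

# Constructed sample key.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

if __name__ == "__main__":
    print("recovered factors:", factor_from_exponents(N, E, D))
    print("d' for e' = 17:   ", new_private_exponent(N, E, D, 17))
```

Key rotation after a private-key compromise therefore means generating fresh primes, not just a fresh exponent pair.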

RSA attack

Ans. Not secure. The encryption algorithm is not secure when there are only 26 kinds of plaintext (M) and the corresponding 26 different ciphertexts, since the ciphertext of each letter can be calculated from the public key. The most efficient attack against the scheme is to compute $M^e \bmod N$ for all possible M, then create a look-up table from ciphertext to plaintext (letter by letter).
