LABORATORY EXERCISES I: SYMMETRIC AND
ASYMMETRIC CRYPTOGRAPHY
Exercise 1
In this exercise we will focus on modern ciphers, primarily on the most prominent block cipher DES. We will study a relationship between DES and its extension 3DES (triple DES). Recall, 3DES was introduced in order to compensate for a short encryption key (only 56 bits) in the original DES cipher. 3DES is still widely used for protection of data confidentiality. In October 2000, Rijndael encryption algorithm (AES) was chosen as a more robust and more flexible replacement of the DES encryption algorithm. Similar to DES, AES is also a block cipher but it supports a variable block length and a variable key length (i.e., 128, 192 and 256 bits).
We will further study two basic operation modes of block ciphers, namely, ECB and CBC. More specifically, we will show that it is possible to rearrange the ECB and CBC ciphertext blocks in such a way that all (or some) of the blocks decrypt correctly. This is a well-known cut-and-paste attack.
Task 1.1. Histogram Analysis of the Data Encryption Standard
In this task we compare a frequency histogram of a document before and after encryption with the DES cipher. We use CrypTool to accomplish this. Quoting CrypTool help: "The histogram of a document expresses the frequency distribution of the characters of a document in graphical form in a corresponding window."
Create a new document in CrypTool and fill it with a longer English text. Alternatively, open an existing English text. Save this document for later reference.
In the main menu, click on the "View" submenu and select "As HexDump". This is to convert ASCII representation of the plaintext document into the corresponding hexadecimal representation.
In the main menu, open the "Analysis" submenu and select "Tools for Analysis > Histogram" to obtain the histogram of the plaintext (unencrypted) document (Figure 4). Save the result.
FESB Computer and Data Security Course
Figure 1: CrypTool: Hexadecimal representation of an ASCII text.
Figure 2: Histogram of an unencrypted message.
Encrypt the plaintext document (English text) using the DES cipher. In CrypTool click on the window with the plaintext document in order to make it active. In the main menu, under the "Crypt
Task 1.2. Histogram Analysis of the Caesar's Cipher
Repeat all the steps from the previous task, while using Caesar's cipher with an arbitrary key instead of the DES cipher. Compare the obtained results with the results from the previous task. Describe
Task 1.3. Triple DES (3DES)
Assume that a message m is encrypted using 3DES (in the ECB mode) with the following key (hex value):
K = 11 22 33 44 55 66 77 88 AA BB CC DD EE FF FF FF
The encrypted message is to be decrypted using only regular 1DES (not 3DES). Explain how this is done.
Use CrypTool and encrypt your name with 3DES in the ECB mode under the following two encryption keys:
K1 = 11 22 33 44 55 66 77 88 AA BB CC DD EE FF FF FF
K2 = 11 22 33 44 55 66 77 88 11 22 33 44 55 66 77 88
Decrypt resulting ciphertexts using 1DES cipher. Provide any intermediate results that you obtain. One among the keys K1 and K2 enables "fast" decryption with the 1DES cipher (a single application of 1DES). Which one? Please explain your answer.
Task 1.4. "Cut-and-Paste" Attack on ECB and CBC Modes
Let us denote with M1 M2... Mk a message broken up into k 64 bit segments. Also, let us denote with K the corresponding encryption key. Then, the ECB encryption mode can be mathematically described as follows:
$$C_i = E(K, M_i), \quad i = \{1, 2, \ldots, k\}$$
$$M_i = D(K, C_i), \quad i = \{1, 2, \ldots, k\}.$$
Similarly, for the CBC mode we have:
$$C_1 = E(K, M_1 \oplus IV)$$
$$C_i = E(K, M_i \oplus C_{i-1}), \quad i = \{2, 3, \ldots, k\}$$
$$M_1 = D(K, C_1) \oplus IV$$
$$M_i = D(K, C_i) \oplus C_{i-1}, \quad i = \{2, 3, \ldots, k\}.$$
1. Consider the following message M: M=Bob's salary is $25000Tom's salary is $15000. Break the message (plaintext) up into 64 bit long plaintext segments (M1 M2... Mk). Note that each letter in the message is an 8 bit ASCII character; each "space" (blank) counts as a single ASCII character. Use ␣ sign to denote blank characters. For example, the first 64 bit plaintext segment is M1=Bob's␣sa.
2. Using CrypTool, encrypt the above message with DES in the ECB mode using key K = 11 22 33 44 55 66 77 88. Write down resulting 64 bit ciphertext blocks C1 C2... Ck. Exchange ciphertext blocks C1 and C4 in the above sequence of ciphertext blocks to obtain the following sequence of ciphertext blocks:
C4 C2 C3 C1 C5... Ck
3. Decrypt the resulting ciphertext using the key from step 2. What message do you obtain? Please explain.
4. Repeat steps 1-3 but now use DES in the CBC mode. Contrast the decrypted text with the one obtained when the ECB mode is used. Explain your observations.
Task 1.5. Controlled Plaintext Changes in the CBC Mode
Your task is to cause a controlled change in the decrypted message by modifying an appropriate CBC ciphertext block.
1. Use CrypTool and encrypt message M=Bob's salary is $25000Tom's salary is $15000. with DES in the CBC mode. Choose the encryption key at will. In the resulting ciphertext sequence modify an appropriate ciphertext block so that it causes the following change in the decrypted message: $15000 → $.5000. Provide details of your actions. (Hint: Use CrypTool to accomplish this task.)
2. Do all ciphertext blocks decrypt correctly after this modification? Explain your answer.
3. Does the CBC (and/or ECB) mode of encryption ensure data integrity? Please explain using experience gained from the present and the previous task.
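The block exchange of Task 1.4 and the controlled change of Task 1.5 can be reproduced outside CrypTool with the following added example, which is not part of the original exercise sheet. It assumes a toy 4-round Feistel cipher with 64-bit blocks in place of DES, an all-zero IV, space padding of the last block, and 9 as the replacement digit; all function names are hypothetical.

```python
import hashlib

BLOCK = 8  # 64-bit blocks, the DES block size
KEY, IV = bytes.fromhex("1122334455667788"), bytes(BLOCK)  # all-zero IV is an assumption
MSG = b"Bob's salary is $25000Tom's salary is $15000.".ljust(48)  # space padding assumed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def E(key, block, order=(0, 1, 2, 3)):  # toy 4-round Feistel cipher, not DES, not secure
    l, r = block[:4], block[4:]
    for i in order:
        l, r = r, xor(l, hashlib.sha256(key + bytes([i]) + r).digest()[:4])
    return r + l
def D(key, block):  # same network with the round order reversed
    return E(key, block, order=(3, 2, 1, 0))

def ecb_encrypt(key, msg):  # C_i = E(K, M_i)
    return [E(key, m) for m in split(msg)]
def ecb_decrypt(key, cs):  # M_i = D(K, C_i)
    return b"".join(D(key, c) for c in cs)

def cbc_encrypt(key, iv, msg):  # C_i = E(K, M_i xor C_{i-1}), with C_0 = IV
    cs = []
    for m in split(msg):
        cs.append(E(key, xor(m, cs[-1] if cs else iv)))
    return cs
def cbc_decrypt(key, iv, cs):  # M_i = D(K, C_i) xor C_{i-1}
    return b"".join(xor(D(key, c), p) for c, p in zip(cs, [iv] + cs[:-1]))

def swap_c1_c4(cs):  # cut-and-paste: C4 C2 C3 C1 C5 ... Ck
    return [cs[3], cs[1], cs[2], cs[0]] + cs[4:]

def intact_blocks(original, decrypted):  # 1-based numbers of unchanged plaintext blocks
    return [i for i, (a, b) in enumerate(zip(split(original), split(decrypted)), 1) if a == b]

def flip_byte(cs, n, offset, old, new):  # edit C_n so that M_{n+1} changes old -> new
    c = bytearray(cs[n - 1])
    c[offset] ^= old ^ new
    return cs[:n - 1] + [bytes(c)] + cs[n:]

if __name__ == "__main__":
    cbc = cbc_encrypt(KEY, IV, MSG)
    print(ecb_decrypt(KEY, swap_c1_c4(ecb_encrypt(KEY, MSG))))
    print(intact_blocks(MSG, cbc_decrypt(KEY, IV, swap_c1_c4(cbc))))
    print(cbc_decrypt(KEY, IV, flip_byte(cbc, 4, 7, ord("1"), ord("9"))))
```

Neither mode detects the manipulation: decryption always succeeds, which is why a separate integrity mechanism such as a MAC is needed alongside either mode.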
Exercise 2
In this exercise we will focus on asymmetric or public key cryptography. We will study some important properties of a (textbook) RSA public key cryptosystem. We will demonstrate certain attacks against RSA: "factoring-based" and "chosen-ciphertext" attack. Finally, we will touch upon the Diffie-Hellman key exchange protocol and its security in face of passive and active attacks.
Task 2.1. RSA Encryption
The RSA encryption algorithm works with numbers. As your task is to encrypt some textual messages, we obviously need a method for coding of a message into numbers. We next describe one such method that is used in CrypTool. The method is called b-adic (where b is the number of plaintext elements) and works as follows. Suppose that the plaintext alphabet consists of the following elements:
[space]ABCDEFGHIJKLMNOPQRSTUVWXYZ, that is, there are in total 27 different plaintext elements.
[space] 0 1 2 ... 26.
Depending on the bit length of the RSA modulus N and the selected alphabet, in CrypTool you can adjust the block length used with RSA encryption.
MA#RI#O[space]. Encoding this with the above code, we obtain:
13 01 # 18 09 # 15 00.
Finally, b-adic, that is, 27-adic coding of a numerical representation of the message is obtained according to the following formula:
[letter 1] × 27 + [letter 2].
By applying this formula to the numerical representation of our message, we finally obtain:
352 # 495 # 405.
It is this sequence of numbers that is encrypted into ciphertext (in the "block-by-block" fashion). You are asked to encrypt your name using RSA with a small modulus N (that is, N < 100000). Choose N such that the length of the resulting RSA modulus N allows you to work with blocks of length 2. Use CrypTool to accomplish this as follows:
Figure 4: CrypTool: The RSA Cryptosystem.
In the main menu, under "Crypt
Click on button "Options for alphabet and numeric system..." to open "Options for RSA Encryption" (Figure 5)(right). In the "Options..." window, in tab "Alphabet options" check "Specify alphabet:", in tab "RSA variant" check "Normal", in tab "Method for coding a block into numbers" check "b-adic", set the block length to 2, and finally choose the "Decimal" number system. Click "OK" button to save the settings.
Show that CrypTool RSA encryption works by encrypting the first block of the message "manually". You are allowed to use only multiplication and squaring operations (and of course your calculator). In order to make this process manageable, use "reduction by modulo" property, that is, (a × b) mod N = (a mod N) × (b mod N) mod N. Provide the steps of your calculation.
After decryption of a given ciphertext, we have to decode the result back to its initial plaintext representation. How would you do this? Decode 354 into a plaintext alphabet [space]ABCDEFGHIJKLMNOPQRSTUVWXYZ, assuming the block length of 2 and 27-adic coding.
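The 27-adic coding and the "manual" encryption with only squaring and multiplication can be checked with the following added example, which is not CrypTool's code or part of the original sheet. The primes 251 and 269, the exponent 3 and all function names are constructed for illustration.

```python
ALPHABET = " ABCDEFGHIJKLMNOPQRSTUVWXYZ"   # [space]=0, A=1, ..., Z=26
B = len(ALPHABET)                           # b = 27

def encode(text, block_len=2):
    """b-adic coding: every block of letters becomes one base-27 number."""
    text += " " * (-len(text) % block_len)   # pad the last block with [space]
    nums = []
    for i in range(0, len(text), block_len):
        n = 0
        for ch in text[i:i + block_len]:
            n = n * B + ALPHABET.index(ch)   # [letter 1] * 27 + [letter 2]
        nums.append(n)
    return nums

def decode(nums, block_len=2):
    """Inverse of encode: peel base-27 digits off each number."""
    text = ""
    for n in nums:
        block = ""
        for _ in range(block_len):
            n, digit = divmod(n, B)
            block = ALPHABET[digit] + block
        text += block
    return text

def modexp(base, exp, n):
    """Square-and-multiply with reduction mod n after every operation."""
    result, steps = 1, []
    for bit in bin(exp)[2:]:                 # exponent bits, most significant first
        result = result * result % n
        steps.append(("square", result))
        if bit == "1":
            result = result * base % n
            steps.append(("multiply", result))
    return result, steps

# Constructed toy key: 27**2 - 1 < N < 100000, so any 2-letter block fits
P, Q, E = 251, 269, 3
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa(nums, exp):
    return [modexp(m, exp, N)[0] for m in nums]

if __name__ == "__main__":
    blocks = encode("MARIO")
    print(blocks, rsa(blocks, E), decode(rsa(rsa(blocks, E), D)))
    for op, value in modexp(blocks[0], E, N)[1]:
        print(op, value)
```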
Task 2.2. Chosen Ciphertext Attack on RSA
This is an attack against the textbook version of the RSA algorithm. In this attack, an attacker first chooses a message and encrypts it with the victim's public key. Then, the attacker asks the victim to sign (decrypt) for him a specially crafted related message. Due to the following property of RSA
$$E(PU, M_1) \times E(PU, M_2) = E(PU, M_1 \times M_2), \qquad (1)$$
the attacker can easily recover any message encrypted with the victim's private key, without ever learning this private key.
For example, the attacker wants to decrypt the following ciphertext $C = M^e \bmod N$, without knowing the private key d. The attacker proceeds as follows. Knowing the victim's public key e, he prepares the following message
$$X = (C \times 2^e) \bmod N,$$
gives it to the victim and asks her to sign it. The victim signs message X with its private key and sends the result Y back to the attacker.
$$Y = X^d \bmod N$$
Using Y and equation (1), the attacker can retrieve the encrypted message as follows:
$$\begin{aligned}
X^d &= (C \bmod N)^d \times (2^e \bmod N)^d \\
    &= (M^e \bmod N)^d \times (2^e \bmod N)^d \\
    &= ((2 \times M)^e \bmod N)^d \\
    &= (2 \times M)^{ed} \bmod N \\
    &= 2 \times M.
\end{aligned}$$
1. Show by example that equation (1) holds for the RSA encryption algorithm. Please provide details of your solution. Use CrypTool to accomplish this task.
2. Demonstrate by example the chosen ciphertext attack against RSA. Please provide details of your solution. Use CrypTool to accomplish this task.
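Equation (1) and the recovery of M from Y can be followed numerically in this added example, which is not part of the original sheet. The toy key (251, 269, e = 3), the function names and the hash-then-sign variant shown for contrast are assumptions made for illustration.

```python
import hashlib

# Constructed toy key pair (hypothetical values, far too small for real use)
P, Q, E = 251, 269, 3
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))

def encrypt(m):
    return pow(m, E, N)                      # C = M^e mod N

def textbook_sign(x):
    return pow(x, D, N)                      # the victim's answer: Y = X^d mod N

def hashed_sign(x):
    # Hash-then-sign: the private exponent is applied to H(X), not to X itself
    h = int.from_bytes(hashlib.sha256(str(x).encode()).digest(), "big") % N
    return pow(h, D, N)

def property_holds(m1, m2):
    # Equation (1): E(PU, M1) * E(PU, M2) = E(PU, M1 * M2), all mod N
    return encrypt(m1) * encrypt(m2) % N == encrypt(m1 * m2 % N)

def recover(c, sign):
    x = c * pow(2, E, N) % N                 # X = (C * 2^e) mod N, differs from C
    y = sign(x)                              # textbook signing returns 2 * M mod N
    return y * pow(2, -1, N) % N             # divide by 2 modulo N

if __name__ == "__main__":
    m = 352                                  # the block "MA" in 27-adic coding
    c = encrypt(m)
    print(property_holds(352, 495))          # multiplicative property
    print(recover(c, textbook_sign))         # M comes back from the signing answer
    print(recover(c, hashed_sign))           # hashing first breaks the relation
```

Refusing to sign C itself does not help the victim, because X is a different number; the relation only disappears once the signed value is no longer the raw input.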
Task 2.3. Attack on RSA by Factoring Modulus N
By factoring the RSA modulus N, the attacker learns prime numbers p and q. From this, the attacker can calculate Euler's φ(N) function as follows
$$\varphi(N) = (p - 1)(q - 1).$$
$$d = e^{-1} \bmod \varphi(N).$$
Decrypt the ciphertext given below knowing that the public key e is 11 and the RSA modulus N is 40741. The plaintext alphabet is encrypted using the block length of 2 and 27-adic coding (for details on encoding please check Task 3.1).
(Hint: Use CrypTool to factor the modulus N. In the main menu, under "Analysis" submenu, select "Asymmetric Encryption > Factorization of a
01437 # 32647 # 36721 # 14238 # 2474 # 27041 # 01170 # 31888 # 0881 # 20670 # 07453 # 36364 # 38274 # 06244 # 1180 # 2815 # 1242 # 30673 # 21533 # 12400 # 1828 # 3430 # 36364
Task 2.4. Diffie-Hellman Key Exchange Protocol
The Diffie-Hellman protocol is secure against passive (eavesdropping) attacks. Explain why.
Describe a possible man-in-the-middle (MITM) attack on the Diffie-Hellman protocol and explain its consequences.
(Note: This problem originally appears in book "Information Security: Principles and Practice" by Mark Stamp.) Assume that Malice mounts the MITM attack on Diffie-Hellman key exchange protocol as illustrated in Figure 6. Let $Y_A = g^{X_A} \bmod p$, and $Y_B = g^{X_B} \bmod p$ be Diffie-Hellman public keys of Alice and Bob, respectively. Private keys $X_A$, $X_B$ and $X_M$ remain known only to the respective owners Alice, Bob and Malice. Suppose that Malice wants to establish a single Diffie-Hellman key, $K_{ABM} = g^{X_A X_B X_M} \bmod p$, that he, Alice and Bob all share. Does the attack illustrated in Figure 6 accomplish this? Explain your answer.
[Figure 6: message flow between Alice, Malice and Bob, with labels $Y_A$, $g^{X_A X_M} \bmod p$, $g^{X_B X_M} \bmod p$ and $Y_B$.]
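The two man-in-the-middle variants of Task 2.4 are compared in this added example, which is not part of the original sheet. It assumes that in the figure Malice forwards Alice's public key raised to her own exponent to Bob and Bob's raised key to Alice; the group (p = 23, g = 5), the private keys and the function names are constructed.

```python
# Constructed toy parameters (hypothetical; a 23-element group is for illustration only)
p, g = 23, 5
X_A, X_B, X_M = 6, 15, 13                    # private keys of Alice, Bob and Malice

def public(x):
    return pow(g, x, p)

def classic_mitm():
    """Malice replaces both public keys with her own Y_M = g^X_M mod p."""
    y_m = public(X_M)
    k_alice = pow(y_m, X_A, p)               # Alice believes Bob shares this key
    k_bob = pow(y_m, X_B, p)                 # Bob believes Alice shares this key
    # Malice computes both keys from the intercepted Y_A and Y_B and her X_M
    malice = {pow(public(X_A), X_M, p), pow(public(X_B), X_M, p)}
    return k_alice, k_bob, malice

def exponentiating_mitm():
    """Malice forwards Y_A^X_M to Bob and Y_B^X_M to Alice (assumed reading of the figure)."""
    to_bob = pow(public(X_A), X_M, p)        # g^(X_A X_M) mod p
    to_alice = pow(public(X_B), X_M, p)      # g^(X_B X_M) mod p
    k_alice = pow(to_alice, X_A, p)          # g^(X_A X_B X_M) mod p
    k_bob = pow(to_bob, X_B, p)              # the same value
    # Values Malice can compute directly from Y_A, Y_B and X_M; getting the
    # shared key from them would require g^(X_A X_B), the Diffie-Hellman problem
    malice = {to_bob, to_alice}
    return k_alice, k_bob, malice

if __name__ == "__main__":
    print(classic_mitm())          # two different keys, both known to Malice
    print(exponentiating_mitm())   # one key for Alice and Bob, not among Malice's values
```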