Mid Semester Examination Solutions

The document contains solutions to 12 questions about cryptography topics such as brute force attacks, block cipher modes, digital signatures, public key encryption, hash collisions, and key agreement protocols. The questions cover concepts like forward secrecy, man-in-the-middle attacks, and security of different session keys.

Uploaded by

Abhinav kumar
Mid-Semester Examination Solutions

QUESTION 1

The effectiveness of a brute-force attack depends on the size of the secrets exchanged
between the two parties. Since IKE allows the concatenation of keys to create a larger key,
brute-force attacks can be protected against by creating a larger key.

QUESTION 2

Suppose an attacker has collected $n$ frames with distinct IVs. Let $p$ be the probability that
the next frame has a repeated IV (and hence keystream). The number of possible IVs is $2^{16}$. So
$p = \frac{n}{2^{16}}$ and hence $n = p \times 2^{16}$.
(a) $n = 0.3 \times 2^{16}$.
(b) $n = 0.6 \times 2^{16}$.

QUESTION 3

(a) CRC is a linear function. This means that you can predict which bits of the CRC are changed
if a single bit of the message is changed. Furthermore, it is possible to determine which
combination of bits could be flipped in the message so that the net result is no change in
the CRC. Thus, there are a number of combinations of bit flippings of the plaintext message
that leave the CRC unchanged, so message integrity is defeated.
(b) Ciphertext is obtained by XORing (plaintext data + CRC) with the keystream, so the
linearity is not affected even after encryption. The attacker does not need to know the contents
of the message. Flipping the bits in the encrypted message still gives predictable changes
in the CRC. Hence it is still insecure.
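The property described in (a) and (b), shown next to a keyed MAC that does not have it. This is an added example, not part of the original solutions; the keystream, MAC key, message and the choice of HMAC-SHA256 as the replacement integrity check are constructed assumptions.

```python
import hashlib
import hmac
import struct
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))

def mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def seal(keystream: bytes, msg: bytes, tag: bytes) -> bytes:
    # ciphertext = (plaintext || integrity tag) XOR keystream
    return xor(msg + tag, keystream)

def open_crc(keystream: bytes, ct: bytes):
    body = xor(ct, keystream)
    msg, tag = body[:-4], body[-4:]
    return msg if crc(msg) == tag else None

def open_mac(keystream: bytes, key: bytes, ct: bytes):
    body = xor(ct, keystream)
    msg, tag = body[:-32], body[-32:]
    return msg if hmac.compare_digest(mac(key, msg), tag) else None

def crc_delta(delta: bytes) -> bytes:
    # CRC-32 is affine over XOR: crc(m ^ d) == crc(m) ^ crc(d) ^ crc(zeros)
    return xor(crc(delta), crc(bytes(len(delta))))

# Constructed sample data: a fixed pseudo-random keystream and a short message.
KEYSTREAM = hashlib.shake_256(b"constructed keystream").digest(64)
MAC_KEY = b"constructed mac key"
MSG = b"PAY 0100 TO BOB"
DELTA = bytes(4) + b"\x01" + bytes(10)  # flip one bit in byte 4 of the plaintext

def demo():
    # CRC-protected frame: the tag is adjusted without the key or the plaintext.
    ct = seal(KEYSTREAM, MSG, crc(MSG))
    changed = xor(ct, DELTA + crc_delta(DELTA))
    # HMAC-protected frame: the same plaintext flip cannot be matched in the tag.
    ct2 = seal(KEYSTREAM, MSG, mac(MAC_KEY, MSG))
    changed2 = xor(ct2, DELTA + bytes(32))
    return open_crc(KEYSTREAM, changed), open_mac(KEYSTREAM, MAC_KEY, changed2)

if __name__ == "__main__":
    print(demo())
```

The CRC receiver accepts the altered frame as valid, while the HMAC receiver returns `None` for the same bit flip.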

QUESTION 4

The VPN provides security for communication over the Internet, but not within the
organization. Therefore, when communicating with Mary regarding R&D purchases, or any other
communication which need only be secure from people outside the organization, Jim does not
need to use encryption. However, if Jim wants his communication with Mary to be secure also
with respect to people inside the organization, such as when communicating with Mary about
his salary and the raise he had been promised, then encryption should be used.

QUESTION 5

(a) $n = pq = 3 \times 11 = 33$. So the encrypted message is $c = m^e \bmod n = 13^3 \bmod 33 = 19$.
(b) $z = (p-1)(q-1) = 20$. $d$ must be chosen such that $(ed) \bmod z = 1$, i.e., $(3 \times d) \bmod 20 = 1$.
For example, $d = 7$ satisfies the above equality. The private key is $(n, d)$.

QUESTION 6

(a) No. This is because it is possible that some certificates expired in the interval (i, j), due to
which they were included in the CRL issued at time i, but not that at time j.
(b) No. If it were encrypted, then no one other than certifier.com would be able to read the
contents of the certificate; so they would not be able to obtain foo.com’s public key.

QUESTION 7

The Ephemeral Diffie-Hellman method provides forward secrecy, whereas the second method
does not. The computational overhead of the second method is lower than that of the Ephemeral
Diffie-Hellman method.

QUESTION 8

(a) Man-in-the-Middle Attack: If the attacker modifies any message of the handshake, then the
MACs received in steps 5 and 6 will fail the verification at the receivers. If the attacker
simply forwards all messages without any modification, then no harm is done.
(b) Password Sniffing: All application traffic is encrypted using the keys agreed upon during
the SSL handshake.
(c) IP Spoofing: A MAC is computed over every data packet using the authentication key that
is agreed upon during the SSL handshake. So bogus data fails the MAC verification and is
rejected by the receiver.
(d) IP Hijacking: Since all data sent by either host is encrypted, the attacker is unable to read
the contents of data packets. Also, it is unable to modify the data stream since MACs and
sequence numbers are used.

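QUESTION 9

(a)
$$P_1(n,k) = \frac{\binom{n}{k}\, k!}{n^k} = \frac{n!}{(n-k)!\, n^k}$$

(b)
$$\begin{aligned}
P_2(n,k) &= 1 - P_1(n,k) \\
&= 1 - \left[\left(1-\frac{1}{n}\right) \times \left(1-\frac{2}{n}\right) \times \cdots \times \left(1-\frac{k-1}{n}\right)\right] \\
&> 1 - \left(e^{-\frac{1}{n}} \times e^{-\frac{2}{n}} \times \cdots \times e^{-\frac{k-1}{n}}\right) \\
&= 1 - e^{-\frac{k(k-1)}{2n}}
\end{aligned}$$

To ensure that $P_2(n,k) > \frac{1}{2}$, we require:

$$\begin{aligned}
& 1 - e^{-\frac{k(k-1)}{2n}} > \frac{1}{2} \\
\implies\ & k(k-1) > 2n \ln(2) \\
\implies\ & k \approx \sqrt{2n \ln(2)} \quad \text{since, for large } k,\ k(k-1) \approx k^2
\end{aligned}$$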
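A numerical check of the derivation above, added here and not part of the original solutions: it evaluates the exact product for $P_1(n,k)$, finds the smallest $k$ with $P_2(n,k) > \frac{1}{2}$, and compares it with $\sqrt{2n\ln 2}$. The sample values of $n$ (365, and the $2^{16}$ IV space from Question 2) are chosen for illustration.

```python
import math

def p_no_collision(n: int, k: int) -> float:
    """P1(n, k) = prod_{i=1}^{k-1} (1 - i/n), summed in log space for stability."""
    if k > n:
        return 0.0
    return math.exp(sum(math.log1p(-i / n) for i in range(1, k)))

def p_collision(n: int, k: int) -> float:
    """P2(n, k) = 1 - P1(n, k)."""
    return 1.0 - p_no_collision(n, k)

def lower_bound(n: int, k: int) -> float:
    """The bound from the derivation: 1 - exp(-k(k-1) / 2n)."""
    return 1.0 - math.exp(-k * (k - 1) / (2 * n))

def smallest_k(n: int) -> int:
    """Smallest k with P2(n, k) > 1/2, using the running product for P1."""
    p1, k = 1.0, 1
    while 1.0 - p1 <= 0.5:
        p1 *= 1.0 - k / n   # extend P1(n, k) to P1(n, k + 1)
        k += 1
    return k

def approx_k(n: int) -> float:
    """The closed-form estimate k ~ sqrt(2 n ln 2)."""
    return math.sqrt(2 * n * math.log(2))

def compare(n: int) -> dict:
    k = smallest_k(n)
    return {"n": n, "exact_k": k, "approx_k": round(approx_k(n), 2),
            "P2": p_collision(n, k), "bound": lower_bound(n, k)}

if __name__ == "__main__":
    for n in (365, 2**16, 2**32):
        print(compare(n))
```

The estimate lands within one of the exact threshold for these values of $n$, and the exponential bound stays below the exact $P_2$, as the inequality in the derivation requires.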

QUESTION 10

(a) Let $X$ be the number of $A$-$B$ collisions. Then,

$$X = \sum_{m_1 \in A} \sum_{m_2 \in B} \mathbf{1}_{\{H(m_1) = H(m_2)\}}.$$

So:

$$E(X) = \sum_{m_1 \in A} \sum_{m_2 \in B} E\left(\mathbf{1}_{\{H(m_1) = H(m_2)\}}\right) = \frac{k_1 k_2}{n},$$

since $E\left(\mathbf{1}_{\{H(m_1) = H(m_2)\}}\right) = P(H(m_1) = H(m_2)) = \frac{1}{n}$ and there are $k_1 k_2$ terms in the two
summations.
(b) To have $E(X) > 6$, we must have $k_1 > 4\sqrt{n}$, since $\frac{k_1}{k_2} = \frac{3}{8}$. Thus, the minimum value of
$k_1 = 4\sqrt{n}$.

QUESTION 11

In the lecture slides "Authentication part 4", it is discussed that (i) K, (ii) {K}(R), and
(iii) {K}(R + 1) do not provide secure communication if used as the session key. In
particular, if (i) is used as the session key, then an intruder can eavesdrop on the conversation
and might crack the key K once they have a large volume of conversation. Also, the intruder can
send the previous conversation to Bob as Alice. If (ii) is used as the session key, then the intruder
can read all the conversation. If (iii) is used as the session key, then when Alice attempts to
authenticate herself to Bob, Trudy sends R + 1 as the nonce to Alice from Bob's address by
impersonating Bob's network address, and Alice responds with {K}(R + 1). Trudy is then able
to decrypt the entire conversation that took place using {K}(R + 1) as the session key. Note that any
session key {g(K)}(R) with g(x) ≠ x, or {K}(f(K, R)), or {g(K)}(f(K, R)) is secure from
the above-mentioned attack. For the above-mentioned reason, the keys in (a), (b) and (c) are secure and the key
in (d) is not secure.
(a) Secure.
(b) Secure.
(c) Not Secure.
(d) Secure.

QUESTION 12

(a) Modified protocol is not secure.
(b) Reason: an attacker, say Trudy, sniffs the reply $R, K_{\text{Alice-Bob}}\{R\}$ of Alice to the challenge $R$
sent by Bob. Later on, Trudy authenticates herself as Alice by sending the reply $R, K_{\text{Alice-Bob}}\{R\}$
in response to challenge $R_1$, since Bob does not remember the challenge.
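The flaw in (b), modelled next to a verifier that remembers its challenge. This is an added example, not part of the original solutions; the class names and shared key are hypothetical, and HMAC-SHA256 stands in for $K_{\text{Alice-Bob}}\{R\}$ as an assumption.

```python
import hashlib
import hmac
import secrets

K_ALICE_BOB = b"constructed shared key"  # constructed sample key

def keyed(key: bytes, challenge: bytes) -> bytes:
    # Stand-in for K_Alice-Bob{R}: HMAC-SHA256 over the challenge (assumption).
    return hmac.new(key, challenge, hashlib.sha256).digest()

class StatelessBob:
    """Modified protocol: accepts any (R, K{R}) pair, forgetting what it issued."""
    def challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, r: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(keyed(K_ALICE_BOB, r), proof)

class StatefulBob:
    """Remembers the outstanding challenge and accepts it at most once."""
    def __init__(self) -> None:
        self.pending = None

    def challenge(self) -> bytes:
        self.pending = secrets.token_bytes(16)
        return self.pending

    def verify(self, r: bytes, proof: bytes) -> bool:
        issued, self.pending = self.pending, None
        if issued is None or not hmac.compare_digest(issued, r):
            return False
        return hmac.compare_digest(keyed(K_ALICE_BOB, r), proof)

def run(bob):
    # Session 1: Alice answers Bob's challenge R; the reply is seen on the wire.
    r = bob.challenge()
    reply = (r, keyed(K_ALICE_BOB, r))
    ok_alice = bob.verify(*reply)
    # Session 2: Bob issues a fresh challenge R1; the recorded reply is re-sent.
    bob.challenge()
    ok_replay = bob.verify(*reply)
    return ok_alice, ok_replay

if __name__ == "__main__":
    print("stateless:", run(StatelessBob()))
    print("stateful: ", run(StatefulBob()))
```

The stateless verifier accepts the recorded reply in the second session; the stateful one rejects it because the echoed R does not match the challenge it just issued.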
