CMPSC 290G - Cryptanalysis - Winter 2012

Problem Set #4

Due: Mar 8th, 2012 at 9am



1. There is a TCP/IP service called "X7" (yes, I just made that up), running on annai.cs.colorado.edu port 31416. X7 is also running on 31417 (I'm providing two in case one crashes). If either of these servers crashes, please let me know and I'll restart it as soon as I can.

X7 implements a WEP-like scenario. If you send it three bytes, it will respond with a single byte and close the connection. The three bytes you send are taken as the IV for WEP encryption as described in class; X7 has a 40-bit WEP key embedded in it. Given an IV, X7 prepends it to its internal 40-bit key, runs RC4's KSA to seed the cipher, then runs RC4's PRGA to generate a single output byte, which is sent back to you. Note that we are not XORing with the fixed 0xAA plaintext, so you are seeing the raw keystream byte here.

Please use the FMS attack as described in class to recover the 40-bit key hidden in X7. As always, turn in your source code along with the key you discovered.
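To make the oracle concrete, here is a local stand-in for X7, added as an example for this page (it is not the course's server code and does not talk to annai.cs.colorado.edu). It is a textbook RC4 KSA and PRGA keyed with IV || key, returning the first keystream byte with nothing XORed in; SECRET_KEY is a constructed placeholder, not X7's key.

```python
# Added example: a local stand-in for the X7 oracle (not the course's server code).
# It does not connect to anything; SECRET_KEY is a constructed placeholder.

def rc4_ksa(key: bytes) -> list:
    """RC4 key-scheduling algorithm: build the initial permutation S from the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, nbytes: int) -> bytes:
    """RC4 pseudo-random generation: emit nbytes of keystream from permutation S."""
    S = S[:]  # copy, so the caller's permutation is left untouched
    i = j = 0
    out = bytearray()
    for _ in range(nbytes):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


SECRET_KEY = bytes.fromhex("0102030405")  # constructed 40-bit placeholder, not X7's key


def x7_oracle(iv: bytes, key: bytes = SECRET_KEY) -> int:
    """What X7 does per connection: prepend the 3-byte IV to the 40-bit key,
    run the KSA on the 8-byte result, and return the first PRGA output byte
    with no 0xAA plaintext XORed in."""
    if len(iv) != 3:
        raise ValueError("X7 expects exactly three IV bytes")
    return rc4_prga(rc4_ksa(iv + key), 1)[0]


if __name__ == "__main__":
    # One query, as the real service would answer it for this placeholder key.
    print(x7_oracle(bytes([3, 255, 0])))
```

The structural weakness is visible right in x7_oracle: the querier chooses the first three bytes of the RC4 key and observes the first PRGA output, which is the situation the FMS analysis reasons about and the reason later designs stopped keying RC4 with a public IV prepended to a static secret.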

2. Calculate the following without using a calculator or computer. (Feel free to use python to verify your answers, but you must show your work to get any credit.)

  1. 4^1536 - 9^4824 mod 35.
  2. 22^2012 mod 3.
  3. 5^30000 - 6^123456 mod 31.
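The three items above are exercises in reducing the exponent with Euler's theorem (Fermat's for a prime modulus). The following added example, written for this page and not part of the assignment, packages that reasoning as a function that returns φ(m), the reduced exponent and the result, so each step of the work can be checked; it runs on a constructed instance, not one of the three above.

```python
from math import gcd


def euler_phi(m: int) -> int:
    """Euler's totient of m by trial-division factoring (fine for small moduli)."""
    result, rest, p = m, m, 2
    while p * p <= rest:
        if rest % p == 0:
            while rest % p == 0:
                rest //= p
            result -= result // p
        p += 1
    if rest > 1:  # one prime factor left over
        result -= result // rest
    return result


def reduce_power(base: int, exp: int, m: int) -> tuple:
    """Show the work for base^exp mod m when gcd(base, m) == 1.
    Euler: base^phi(m) = 1 (mod m), so exp can be replaced by exp mod phi(m)
    and only a small power remains (for prime m this is Fermat, phi(m) = m-1).
    Returns (phi(m), reduced exponent, base^exp mod m)."""
    if gcd(base, m) != 1:
        raise ValueError("Euler's theorem needs gcd(base, m) == 1")
    phi = euler_phi(m)
    r = exp % phi
    return phi, r, pow(base % m, r, m)


if __name__ == "__main__":
    # constructed instance, not one of the problem's three
    print(reduce_power(3, 1001, 35))  # (24, 17, 33)
```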

3. In RSA, we know that factoring n allows you to recover φ(n). Show it works the other way as well: given φ(n), give an algorithm to efficiently recover the factors of n. As a test that your method works, provide the factors of n given below. Hand in your python source along with the factors.

n = 1565548969872265465246036414997755958596184387096896694310755704575264720478601522962278179860838506157941
φ(n) = 1565548969872265465246036414997755958596184387096896588825919091033285362770995843274094868624380615603584
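An added example of the recovery the problem asks for (written for this page, not the course's solution code), run on a constructed toy modulus rather than the n above: since φ(n) = n - (p+q) + 1, the sum p+q falls out directly and p, q are the roots of a quadratic, so the whole thing is integer arithmetic.

```python
from math import isqrt


def factor_from_phi(n: int, phi: int) -> tuple:
    """Recover p and q from n = p*q and phi = (p-1)(q-1).
    phi = n - (p+q) + 1, so s = p+q = n - phi + 1; p and q are then the roots of
    x^2 - s*x + n = 0, i.e. (s -/+ sqrt(s^2 - 4n)) / 2. Everything is integer
    arithmetic, so this is fast even for a 100-digit n."""
    s = n - phi + 1
    disc = s * s - 4 * n
    if disc < 0:
        raise ValueError("inconsistent n and phi")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("discriminant is not a perfect square; n is not p*q with this phi")
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply back to n")
    return p, q


if __name__ == "__main__":
    # constructed toy instance: p = 53, q = 61
    print(factor_from_phi(3233, 3120))  # (53, 61)
```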

4. Here is one way in which RSA can be misused: suppose you have n = pq for distinct large primes p and q, and distinct encryption exponents e1, e2 where gcd(e1, e2) = 1. You publish n along with e1, e2. Show that if an adversary has C1 = M^e1 mod n and C2 = M^e2 mod n, then she can recover M. (Note: M is the same for C1 and C2.)

Use your solution to compute M for the parameters given below; hand in any code you use to aid your computation. (You need not hand in code that was re-used above.)

n = 640434271860669796692811836922138143942513719203565769421924022297363333847089887235971007435680486193657059
e1 = 65537
e2 = 65539
M^e1 mod n = 400030256839145194441034228199292487980894977737102147552044462667917219509871638663296814615652770720888715
M^e2 mod n = 48384876797138828670281479166255073593234801358795810198774095180850824157124747742456773738763877257747936
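The common-modulus recovery, as an added example for this page (not the course's solution code) on constructed toy parameters: the extended Euclidean algorithm gives a, b with a*e1 + b*e2 = 1, and then C1^a * C2^b = M mod n. The toy modulus, exponents and message are constructed; pow(c, -1, n) for the modular inverse assumes Python 3.8 or later.

```python
def egcd(a: int, b: int) -> tuple:
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def common_modulus_recover(n: int, e1: int, e2: int, c1: int, c2: int) -> int:
    """Bezout coefficients a, b with a*e1 + b*e2 = 1 give
    c1^a * c2^b = M^(a*e1) * M^(b*e2) = M^(a*e1 + b*e2) = M (mod n).
    One of a, b is negative; that power is taken of the modular inverse of the
    ciphertext (pow(c, -1, n) needs Python 3.8+ and gcd(c, n) == 1)."""
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime for this to work")

    def mod_pow(c: int, k: int) -> int:
        return pow(c, k, n) if k >= 0 else pow(pow(c, -1, n), -k, n)

    return (mod_pow(c1, a) * mod_pow(c2, b)) % n


if __name__ == "__main__":
    # constructed toy instance: n = 53*61, message 65 sent under e1 = 17 and e2 = 7
    n, e1, e2, M = 3233, 17, 7, 65
    print(common_modulus_recover(n, e1, e2, pow(M, e1, n), pow(M, e2, n)))  # 65
```

Nothing here depends on the size of n, which is the point: two public keys that share a modulus share their private material in the only sense that matters, so a modulus is never reused across key pairs.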

5. Here is another way that RSA can be misused: suppose a vendor possesses three public keys from customers all using public exponent e = 3. The customer moduli are n1, n2, and n3. The vendor periodically broadcasts a message M to customers by encrypting under each public key, generating C1 = M^3 mod n1, C2 = M^3 mod n2, and C3 = M^3 mod n3. Show that if you possess C1, C2, and C3, you can recover M. Demonstrate that your method works by recovering M for the parameters below. Include any code that you use. (Hint: Think about the CRT here.)

n1 = 640434271860669796692811836922138143942513719203565769421924022297363333847089887235971007435680486193657059
n2 = 970610447613980908168266345601001865862432914739686622721960687979888335326226411299703360406834787532308393
n3 = 2321625335993129657405265059789425474902906067465969731457920057903793687659258018704876705247348282139683997
C1 = 574452395725156603725695688076936855601594549917411892612661500787202925737746956998142588843598927541307873
C2 = 157799431549267581575022849850021876954972454961344389727981466349950578703950787569169912210813476301757037
C3 = 1848671214004714263512366793855069416003446215915866195803968453211062458759760233785518410532828930680295567
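The broadcast recovery, as an added example for this page (not the course's solution code) on constructed toy moduli: CRT combines the three residues into M^3 mod n1*n2*n3, and because M is smaller than every n_i, M^3 is smaller than the product, so that value is M^3 over the integers and an exact integer cube root finishes the job. The moduli and message are constructed; pow(x, -1, m) assumes Python 3.8 or later.

```python
from math import gcd


def crt(residues, moduli) -> tuple:
    """Chinese remainder theorem for pairwise coprime moduli: returns (x, M) where
    M = product of the moduli and x is the unique value mod M with x = r_i (mod m_i)."""
    x, M = 0, 1
    for r, m in zip(residues, moduli):
        if gcd(M, m) != 1:
            raise ValueError("moduli must be pairwise coprime")
        # fold (r mod m) into the running solution (x mod M)
        t = ((r - x) * pow(M, -1, m)) % m
        x, M = x + M * t, M * m
    return x % M, M


def icbrt(x: int) -> int:
    """Exact integer cube root by Newton's method; raises if x is not a perfect cube."""
    if x < 0:
        raise ValueError("negative input")
    if x == 0:
        return 0
    r = 1 << ((x.bit_length() + 2) // 3)  # starts strictly above the root
    while True:
        s = (2 * r + x // (r * r)) // 3
        if s >= r:
            break
        r = s
    if r ** 3 != x:
        raise ValueError("not a perfect cube: is M^3 really below n1*n2*n3?")
    return r


def hastad_e3(cts, mods) -> int:
    """Three ciphertexts M^3 mod n_i (e = 3): CRT gives M^3 mod n1*n2*n3, which equals
    the integer M^3 because M < min(n_i) implies M^3 < n1*n2*n3."""
    m3, _ = crt(cts, mods)
    return icbrt(m3)


if __name__ == "__main__":
    # constructed toy instance: three coprime moduli, the same message 42 under e = 3
    mods = [3233, 3337, 3953]  # 53*61, 47*71, 59*67
    cts = [pow(42, 3, n) for n in mods]
    print(hastad_e3(cts, mods))  # 42
```

The fix on the sending side is randomized padding (OAEP), which makes the three plaintexts different and the CRT trick inapplicable; a small public exponent by itself is not the flaw.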

6. Demonstrate that leaking the CRT parameter d mod (p-1), stored in the OpenSSL private key file, is fatal. Given the parameters below, recover d. As usual, show your work and turn in any code you used. (Hint: Consider the usual M^(ed) = M mod n taken mod p and use Lagrange's Theorem.)

n = 488050814010779490531248530312455426465866510472770841696246699868812659229164499843636350229180933429378587
e = 65537
d mod (p-1) = 409092073320485968975293571009949630978342620137986361
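An added example for this page (not the course's solution code) of why the leak is fatal, on a constructed toy key: with dp = d mod (p-1) we have e*dp = 1 (mod p-1), so by Lagrange's theorem on the group of units mod p, a^(e*dp) = a (mod p) for any a, while the same congruence mod q almost never holds. A gcd with n then pulls out p, and d follows from φ(n). The toy parameters are constructed; pow(e, -1, phi) assumes Python 3.8 or later.

```python
from math import gcd


def recover_p_from_dp(n: int, e: int, dp: int, bases=(2, 3, 5, 7, 11)) -> int:
    """dp = d mod (p-1) means e*dp = 1 (mod p-1). The units mod p form a group of
    order p-1 (Lagrange), so a^(e*dp) = a (mod p) for every a. Mod q the exponent
    is not 1 mod (q-1), so a^(e*dp) - a is divisible by p but (in general) not by q,
    and gcd(a^(e*dp) - a, n) = p. A base for which the gcd happens to be n is skipped."""
    for a in bases:
        g = gcd(pow(a, e * dp, n) - a, n)
        if 1 < g < n:
            return g
    raise ValueError("no nontrivial factor found; try more bases")


def recover_d(n: int, e: int, dp: int) -> int:
    """Full private exponent from the leaked CRT parameter."""
    p = recover_p_from_dp(n, e, dp)
    q = n // p
    phi = (p - 1) * (q - 1)
    return pow(e, -1, phi)


if __name__ == "__main__":
    # constructed toy key: p = 53, q = 61, e = 17, d = 2753, so d mod (p-1) = 49
    print(recover_p_from_dp(3233, 17, 49), recover_d(3233, 17, 49))  # 53 2753
```

This is the reason every CRT component in a stored RSA key (dp, dq, qinv, not just d) must be protected exactly as carefully as d itself.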

7. (EXTRA CREDIT) Do this problem only if you have finished all other problems, you are caught up in your other school, work and life obligations, and you really want to tackle something hard. Also, you will need to have some familiarity with probability theory in order to do this problem. You can get an A in this class without doing this problem.

For the WEP attack, we discussed how many IVs of the proper form it would take in order to get a key byte. We said "about 60 should suffice" but I want to investigate this further.

It's a very hard problem to compute the expected number of values we should see before a majority element emerges that gives us the key value. However, it's far more tractable to develop an adaptive approach using Bayesian probability theory. Please do this.

Specifically, consider a 96-sided die where one side called "X" comes up with probability 0.05, and the other 95 sides come up with probability 0.01 each. You want to find side X. We will roll the die over and over and take the majority element. Write a conditional probability expression conditioned on X coming up, then use Bayes' rule to calculate the probability that this side will come up. Show how this can be used adaptively to determine the probability that the majority element, after k trials, is X.
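As an added illustration of the sequential update (written for this page, not part of the assignment's solution set): with hypotheses H_i = "side i is X" and a uniform prior, observing a roll s multiplies the weight of H_s by P(s | H_s) / P(s | H_i, i != s) = 0.05 / 0.01 = 5 and leaves the other weights alone, so after k rolls the posterior is 5^c_i normalized over all sides. The die is simulated with the probabilities from the problem; the seed, threshold and tie-breaking convention are constructed choices.

```python
import random
from collections import Counter

SIDES = 96
P_X, P_OTHER = 0.05, 0.01   # the die from the problem statement
RATIO = 5                   # P_X / P_OTHER, kept as an exact integer


def posterior(rolls) -> list:
    """Sequential Bayes over the hypotheses H_i = "side i is X", uniform prior.
    For a roll s, P(s | H_i) is P_X if i == s and P_OTHER otherwise, so
    P(H_i | s) is proportional to P(s | H_i) * P(H_i): only the rolled side's
    weight changes, by the factor P_X / P_OTHER = 5 (the common factor P_OTHER
    cancels in the normalization). After k rolls with counts c_i this is
    P(H_i | rolls) = 5^c_i / sum_j 5^c_j; integer weights keep it exact."""
    weights = [1] * SIDES
    for s in rolls:
        weights[s] *= RATIO
    total = sum(weights)
    return [w / total for w in weights]


def majority(rolls) -> int:
    """Current majority element; ties go to the lowest-numbered side (a convention)."""
    counts = Counter(rolls)
    return max(range(SIDES), key=lambda i: (counts[i], -i))


def prob_majority_is_x(rolls) -> float:
    """P(the majority element after these k rolls is X), read off the posterior."""
    return posterior(rolls)[majority(rolls)]


def simulate_until_confident(threshold: float = 0.99, x_side: int = 0, seed: int = 1) -> tuple:
    """Adaptive stopping rule on a simulated die: roll until the posterior of the
    current majority element reaches threshold. Returns (rolls used, majority == X)."""
    rng = random.Random(seed)
    die = [P_OTHER] * SIDES
    die[x_side] = P_X
    rolls = []
    while True:
        rolls.append(rng.choices(range(SIDES), weights=die)[0])
        if prob_majority_is_x(rolls) >= threshold:
            return len(rolls), majority(rolls) == x_side


if __name__ == "__main__":
    print(prob_majority_is_x([7, 7, 3]))      # 25/124, about 0.2016
    print(simulate_until_confident(0.99))
```

Running simulate_until_confident over many seeds gives an empirical distribution of how many rolls the adaptive rule needs for a chosen confidence, which is the quantity the "about 60" estimate was standing in for.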