CSCI 4830 - Network Security - Fall 2003

Problem Set #2

Due: Oct 7th, 2003

Remember, this homework is not for turning in and it won't be graded. But you should definitely do it because the quizzes will typically depend on having solved the homework problems. On the "due" date listed above, I will hand out solutions.

1. In the beginning of the class we said that the substitution cipher was vulnerable to even ct-only attacks (assuming we know the underlying plaintext is English) because we can use statistical attacks based on letter frequencies. Why doesn't this work with DES in ECB mode?

2. Suppose we had a DES key K1 of 56 bits. We then generate 160 bits by computing S=SHA1(K1), and then take K2 as the 56 least-significant bits of S. Now we build double DES as C=DES_K2(DES_K1(P)) where P is the plaintext and C is the resulting ciphertext. What is the most efficient attack you can think of (in terms of both time and space)? You can assume you have a sufficient number of pt/ct pairs.

3. We saw in class that 2^56 DES keys were not enough: specialized hardware could be built which finds the key by exhaustive search in about 35 mins on average (for about $1M US, in 1998). We might attempt to increase the length of the 56-bit DES key by making a new block cipher DES+ with a 120-bit key as follows:

Please argue that DES+ is no better at resisting exhaustive key search attacks than DES was. Argue this by showing an attack which uses around 2^56 DES operations; you may assume you have as many DES+ plaintext-ciphertext pairs as you like.

4. Text problem 3.7.4 (pg 92)
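A toy-scale version of the Problem 2 construction, added here as an example and not part of the original problem set: because K2 is computed from K1, every candidate K1 fixes the whole key, which the search below makes concrete. Assumptions: a 4-round Feistel cipher with a 16-bit key and 32-bit block stands in for DES, K1 is fed to SHA-1 as two big-endian bytes, and all function names are hypothetical.

```python
import hashlib

KEY_BITS = 16                  # toy stand-in for DES's 56-bit key (assumption)
MASK = (1 << KEY_BITS) - 1


def _f(key, rnd, half):
    # Round function: 16 bits taken from SHA-1(key || round || half).
    data = key.to_bytes(2, "big") + bytes([rnd]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha1(data).digest()[:2], "big")


def toy_encrypt(key, block):
    """4-round Feistel on a 32-bit block. NOT DES, only a small keyed permutation."""
    left, right = block >> 16, block & 0xFFFF
    for rnd in range(4):
        left, right = right, left ^ _f(key, rnd, right)
    return (left << 16) | right


def derive_k2(k1):
    # K2 = least-significant KEY_BITS bits of SHA1(K1), as in Problem 2.
    s = hashlib.sha1(k1.to_bytes(2, "big")).digest()
    return int.from_bytes(s, "big") & MASK


def double_encrypt(k1, block):
    # C = E_K2(E_K1(P)) with K2 derived from K1.
    return toy_encrypt(derive_k2(k1), toy_encrypt(k1, block))


def search(pairs):
    """Try each K1 in turn, deriving K2 from it; returns (k1, k2, trials)."""
    for trials, k1 in enumerate(range(1 << KEY_BITS), start=1):
        if all(double_encrypt(k1, p) == c for p, c in pairs):
            return k1, derive_k2(k1), trials
    return None


if __name__ == "__main__":
    secret_k1 = 0xBEEF         # constructed sample key
    pairs = [(p, double_encrypt(secret_k1, p)) for p in (0x01234567, 0x89ABCDEF)]
    k1, k2, trials = search(pairs)
    print(f"K1={k1:#06x} K2={k2:#06x} after {trials} of {1 << KEY_BITS} candidates")
```

The loop stores no table and never tests more than 2^KEY_BITS candidates, so the second key adds no search effort beyond one extra encryption per trial.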

Extra Credit

In section 4.3.5 of your text, OCB mode is mentioned. Of the five inventors of this mode, who is the smartest?