CSCI 4830/7000 - Cryptanalysis - Fall 2015

Problem Set #4

Due: Dec 14th, 2015



1. There is a TCP/IP service called "X7" (yes, I just made that up) running on hitchens.cs.colorado.edu port 31416. X7 is also running on port 31417 (I'm providing two in case one crashes). If either of these servers crashes, please let me know and I'll restart it as soon as I can.

X7 implements a WEP-like scenario. If you send it three bytes, it will respond with a single byte and close the connection. The three bytes you send are taken as the IV for WEP encryption as described in class; X7 has a 40-bit WEP key embedded in it. Given your IV, X7 prepends it to its internal 40-bit key, seeds RC4's KSA with the result, then runs RC4's PRGA to generate a single keystream byte, which is sent back to you. Note that this byte is XORed with the fixed plaintext byte 0xAA, so you will need to remove its effect.

Please use the FMS attack as described in class to recover the 40-bit key hidden in X7. As always, turn in your source code along with the key you discovered.

You can communicate with X7 via netcat, for example. Or you can write a custom program to do so. X7 will expect exactly 9 bytes of input: "XX XX XX\n" where each X shown is a hex digit. This is parsed as three bytes, as set forth above.

2. I define a new cryptographic hash function C as follows: C maps 256-bit inputs down to 128-bit outputs. C(m) is computed like this: let m = m1 || m2. Then C(m) = AES(m1, m2). That is, to compute the hash of a 256-bit input, you use the first 128 bits as the AES key and the second 128 bits as the plaintext. Output the result.

Is C collision resistant? Inversion resistant? Explain.

3. Look up CMAC on Wikipedia. Now modify CMAC by setting k1=k2 and show how, in this scheme, an attacker could forge messages to Bob that appear to come from Alice when they in fact do not.

The goal here is to exhibit an attack that does this: make a few queries to a black box containing the modified CMAC under a hidden key. You get the tags under this scheme. Now craft a new message, not in the set of those already queried, and show that you know the resulting tag without bothering to call the black box again. This is a forgery and this is what I want to see for the solution to this problem.

4. Calculate the following without using a calculator or computer. (Feel free to use python to verify your answers, but you must show your work to get any credit.)

  1. 4^1536 - 9^4824 mod 35.
  2. 2^22012 mod 3.
  3. 5^30000 - 6^123456 mod 31.

5. In RSA, we know that factoring n allows you to recover φ(n). Show it works the other way as well: given φ(n), give an algorithm to efficiently recover the factors of n. As a test that your method works, provide the factors of n given below. Hand in your python source along with the factors.

n = 1565548969872265465246036414997755958596184387096896694310755704575264720478601522962278179860838506157941
φ(n) = 1565548969872265465246036414997755958596184387096896588825919091033285362770995843274094868624380615603584
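A worked version of the algorithm asked for in problem 5, added here as an example (it is not part of the assignment). It runs on a constructed small modulus, p = 61 and q = 53, rather than the n above; the same function applies unchanged to the assignment's n and φ(n), since everything is exact integer arithmetic.

```python
from math import isqrt


def factor_from_phi(n, phi):
    """Recover the primes p, q of n = p*q from phi(n) = (p-1)(q-1).

    phi = n - (p+q) + 1, so s = p+q = n - phi + 1 is known, and p, q are
    the two roots of x^2 - s*x + n = 0:  (s -/+ sqrt(s^2 - 4n)) / 2.
    Returns (p, q) with p <= q.
    """
    s = n - phi + 1                 # p + q
    disc = s * s - 4 * n            # (p - q)^2
    if disc < 0:
        raise ValueError("inconsistent (n, phi): not a two-prime modulus")
    root = isqrt(disc)
    if root * root != disc:
        raise ValueError("discriminant is not a perfect square; phi is wrong")
    p, q = (s - root) // 2, (s + root) // 2
    if p * q != n:
        raise ValueError("recovered factors do not multiply to n")
    return p, q


if __name__ == "__main__":
    # Constructed example (not the assignment's n): p = 61, q = 53.
    n, phi = 61 * 53, 60 * 52
    print(factor_from_phi(n, phi))   # (53, 61)
```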

6. Here is one way in which RSA can be misused: suppose you have n = pq for distinct large primes p and q, and distinct encryption exponents e1, e2 where gcd(e1, e2) = 1. You publish n along with e1, e2. Show that if an adversary has C1 = M^e1 mod n and C2 = M^e2 mod n, then she can recover M. (Note: M is the same for C1 and C2.)

Use your solution to compute M for the parameters given below; hand in any code you use to aid your computation. (You need not hand in code that was re-used above.)

n = 640434271860669796692811836922138143942513719203565769421924022297363333847089887235971007435680486193657059
e1 = 65537
e2 = 65539
M^e1 mod n = 400030256839145194441034228199292487980894977737102147552044462667917219509871638663296814615652770720888715
M^e2 mod n = 48384876797138828670281479166255073593234801358795810198774095180850824157124747742456773738763877257747936
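The common-modulus recovery of problem 6, written out as an added example (not part of the assignment). It uses constructed parameters, n = 61 * 53 with M = 42, in the demo; the function itself takes the assignment's n, e1, e2 and ciphertexts directly.

```python
def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(c, n):
    """Inverse of c modulo n; fails if c shares a factor with n."""
    g, x, _ = egcd(c % n, n)
    if g != 1:
        raise ValueError("ciphertext shares a factor with n (n is then factored outright)")
    return x % n


def common_modulus(n, e1, e2, c1, c2):
    """Recover M from c1 = M^e1 and c2 = M^e2 (mod n) when gcd(e1, e2) = 1.

    Bezout gives a, b with a*e1 + b*e2 = 1, so
        c1^a * c2^b = M^(a*e1 + b*e2) = M   (mod n).
    Exactly one of a, b is negative; that factor is computed as a power of
    the modular inverse of the corresponding ciphertext.
    """
    g, a, b = egcd(e1, e2)
    if g != 1:
        raise ValueError("e1 and e2 must be coprime")

    def power(c, k):
        # c^k mod n for k of either sign
        if k < 0:
            c, k = modinv(c, n), -k
        return pow(c, k, n)

    return (power(c1, a) * power(c2, b)) % n


if __name__ == "__main__":
    # Constructed example: n = 61 * 53, exponents as in the assignment, M = 42.
    n, e1, e2, M = 3233, 65537, 65539, 42
    c1, c2 = pow(M, e1, n), pow(M, e2, n)
    print(common_modulus(n, e1, e2, c1, c2))   # 42
```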

7. Here is another way that RSA can be misused: suppose a vendor possesses three public keys from customers all using public exponent e = 3. The customer moduli are n1, n2, and n3. The vendor periodically broadcasts a message M to customers by encrypting under each public key, generating C1 = M^3 mod n1, C2 = M^3 mod n2, and C3 = M^3 mod n3. Show that if you possess C1, C2, and C3, you can recover M. Demonstrate that your method works by recovering M for the parameters below. Include any code that you use. (Hint: Think about the CRT here.)

n1 = 640434271860669796692811836922138143942513719203565769421924022297363333847089887235971007435680486193657059
n2 = 970610447613980908168266345601001865862432914739686622721960687979888335326226411299703360406834787532308393
n3 = 2321625335993129657405265059789425474902906067465969731457920057903793687659258018704876705247348282139683997
C1 = 574452395725156603725695688076936855601594549917411892612661500787202925737746956998142588843598927541307873
C2 = 157799431549267581575022849850021876954972454961344389727981466349950578703950787569169912210813476301757037
C3 = 1848671214004714263512366793855069416003446215915866195803968453211062458759760233785518410532828930680295567
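The CRT-based recovery that the hint in problem 7 points at, as an added example (not part of the assignment). The demo uses three constructed moduli built from small primes and M = 1234; the functions take the assignment's n1, n2, n3 and C1, C2, C3 unchanged. The CRT helper is written for any number of pairwise-coprime moduli, not just three.

```python
from functools import reduce


def crt(residues, moduli):
    """Chinese Remainder Theorem for pairwise-coprime moduli.

    Returns (x, N) with N = prod(moduli) and x the unique value in [0, N)
    satisfying x = r_i (mod m_i) for every i.
    """
    N = reduce(lambda a, b: a * b, moduli, 1)
    x = 0
    for r, m in zip(residues, moduli):
        Ni = N // m
        x += r * Ni * pow(Ni, -1, m)      # pow(.., -1, m): modular inverse
    return x % N, N


def icbrt(x):
    """Exact integer cube root of x >= 0, or None if x is not a perfect cube."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)   # hi^3 > x
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 < x:
            lo = mid + 1
        else:
            hi = mid
    return lo if lo ** 3 == x else None


def hastad_broadcast(ciphertexts, moduli):
    """Recover M from C_i = M^3 mod n_i for three pairwise-coprime moduli.

    M < n_i for every i, so M^3 < n1*n2*n3: the CRT combination of the
    residues is the integer M^3 itself, with no modular wrap-around, and
    an exact integer cube root finishes the job. No key material is used.
    """
    m_cubed, _ = crt(ciphertexts, moduli)
    m = icbrt(m_cubed)
    if m is None:
        raise ValueError("not a perfect cube: moduli share a factor, or M^3 >= n1*n2*n3")
    return m


if __name__ == "__main__":
    # Constructed example: moduli 101*103, 107*109, 113*127 and M = 1234.
    mods = [10403, 11663, 14351]
    cts = [pow(1234, 3, n) for n in mods]
    print(hastad_broadcast(cts, mods))   # 1234
```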

8. (Grad Students only; Extra Credit for Undergrads) Look up how to display the fields of an RSA private key stored in an OpenSSL private key file, and print these out as part of the answer to this problem. Learn why each of these fields is there, including the Chinese Remainder Theorem (CRT) values.

Then demonstrate that leaking the CRT parameter d mod (p-1), stored in the OpenSSL private key file, is fatal. Given the parameters below, recover d. As usual, show your work and turn in any code you used. (Hint: Consider the usual M^(ed) = M mod n taken mod p, and use Lagrange's Theorem.)

n = 488050814010779490531248530312455426465866510472770841696246699868812659229164499843636350229180933429378587
e = 65537
d mod (p-1) = 409092073320485968975293571009949630978342620137986361
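The argument in the hint for problem 8, carried through in code as an added example (not part of the assignment). The demo uses a constructed key, p = 61, q = 53, e = 17, whose d = 2753 gives d mod (p-1) = 53; the function takes the assignment's n, e and leaked value directly.

```python
from math import gcd


def recover_private_key(n, e, dp):
    """Given n, e and the leaked CRT exponent dp = d mod (p-1), recover (p, q, d).

    e*dp = 1 (mod p-1), so for any m coprime to p, Lagrange's theorem on the
    group Z_p^* (order p-1) gives m^(e*dp) = m (mod p). Hence p divides
    m^(e*dp) - m, while q almost never does, so gcd(m^(e*dp) - m, n) = p.
    The loop over m only matters in the rare case that q divides it as well.
    """
    k = e * dp
    for m in range(2, 1000):
        p = gcd(pow(m, k, n) - m, n)    # gcd() accepts a negative first argument
        if 1 < p < n:
            q = n // p
            phi = (p - 1) * (q - 1)
            d = pow(e, -1, phi)         # full private exponent
            return p, q, d
    raise ValueError("no nontrivial factor found; is dp really d mod (p-1)?")


if __name__ == "__main__":
    # Constructed example: p = 61, q = 53, e = 17 -> d = 2753, dp = 2753 mod 60 = 53.
    print(recover_private_key(61 * 53, 17, 53))   # (61, 53, 2753)
```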