1. There is a tcp/ip service called "X7" (yes, I just made that up), running on

X7 implements a WEP-like scenario. If you send it three bytes, it will respond with a single byte and close the connection. The three bytes you send will be taken as the IV for WEP encryption as described in class; X7 has a 40-bit WEP key embedded in it. If you send an IV, X7 will prepend this to its internal 40-bit key, then use RC4's KSA to seed, then use RC4's PRGA to generate a single output byte which is sent back to you. Note that we are xoring by the fixed 0xAA plaintext, so you will need to remove its effect.

Please use the FMS attack as described in class to recover the 40-bit key hidden in X7. As always, turn in your source code along with the key you discovered.

You can communicate with X7 via netcat, for example. Or you can write a custom program to do so. X7 will expect exactly 9 bytes of input: "XX XX XX\n" where each X shown is a hex digit. This is parsed as three bytes, as set forth above.

2. I define a new cryptographic hash function C as follows: C hashes from 256 bit inputs down to 128 bit outputs. C(m) is computed like this: let m = m1 || m2. Then C(m) = AES(m1, m2). That is, to compute the hash of a 256-bit input, you use the first 128 bits as the AES key, and the second 128 bits as the plaintext. Output the result.

Is C collision resistant? Inversion resistant? Explain.

3. Look up CMAC on Wikipedia. Now modify CMAC by setting k1=k2 and show how, in this scheme, an attacker could forge messages to Bob that appear to come from Alice when they in fact do not.

The goal here is to exhibit an attack that does this: make a few queries to a black box containing the modified CMAC under a hidden key. You get the tags under this scheme. Now craft a new message, not in the set of those already queried, and show that you know the resulting tag without bothering to call the black box again. This is a forgery and this is what I want to see for the solution to this problem.

4. Calculate the following without using a calculator or computer.
(Feel free to use python to *verify* your answers, but you
must show your work to get any credit.)

- 4
^{1536}- 9^{4824}mod 35. - 2
^{22012}mod 3. - 5
^{30000}-6^{123456}mod 31.

5. In RSA, we know that factoring *n* allows you to recover
φ(*n*). Show it works the other way as well: given
φ(*n*), give an algorithm to efficiently recover the
factors of *n*. As a test that your method works, provide
the factors of *n* given below. Hand in your python source
along with the factors.

*n* = 1565548969872265465246036414997755958596184387096896694310755704575264720478601522962278179860838506157941

φ(*n*) = 1565548969872265465246036414997755958596184387096896588825919091033285362770995843274094868624380615603584

6. Here is one way in which RSA can be misused: suppose you have
*n = pq* for distinct large primes *p* and *q*,
and distinct encryption exponents e_{1}, e_{2} where
gcd(e_{1}, e_{2}) = 1. You publish *n* along
with e_{1}, e_{2}. Show that if an adversary has
*C _{1} = M^{ e1} mod n* and

Use your solution to compute *M* for the parameters given below; hand in any code you use
to aid your computation. (You need not hand in code that was re-used above.)

*n* = 640434271860669796692811836922138143942513719203565769421924022297363333847089887235971007435680486193657059

*e _{1}* = 65537

7. Here is another way that RSA can be misused: suppose a vendor possesses three
public keys from customers all using public exponent *e* = 3. The customer moduli
are *n _{1}*,

*n _{1}* = 640434271860669796692811836922138143942513719203565769421924022297363333847089887235971007435680486193657059

8. (Grad Students only; Extra Credit for Undergrads) Look up how to display the private key in an RSA OpenSSL private key and print this out as part of the answer to this problem. Learn why each of these fields is here, including Chinese Remainder Theorem (CRT) values.

Then demonstrate that leaking the CRT parameter *d mod (p-1)*, stored in the OpenSSL private
key file, is fatal. Given the parameters below, recover *d*. As usual, show your work and turn
in any code you used. (Hint: Consider the usual *M ^{ed}=M mod n*
taken

*n* = 488050814010779490531248530312455426465866510472770841696246699868812659229164499843636350229180933429378587

*e* = 65537

*d mod (p-1)* = 409092073320485968975293571009949630978342620137986361