# Security and Cryptography (SaC1) --- - Answers for the questions might be wrong. I have tried my best to cover the whole syllabus(As of WiSe 2022/23) - Please refer the slides for the diagrams. Also, CBC, CFB, OFB, PCBC etc are not mentioned in this doc. --- ## Test Questions --- #### 1) Assume your task is to design a secure IT system. What are the three questions you have to ask yourself / your client (i.e. that are the main areas / things you have to think about)? <details> <summary> Answer </summary> * What we want to achieve in terms of security(Protection Goals) * Against whom are we protecting (Attacker Model) * How can we provide the security (Cryptographic algo etc) </details> #### 2) What are protection goals (other term: security goals)? Name a few of them and describe their meaning <details> <summary> Answer </summary> Specific objectives that a system needs to achieve in terms of security * Confidentiality : No unauthorized person should access the information * Integrity : Information should be correct, complete, current or this is detectably not the case * Availability : Information should be available where and when authorized person wants it * Anonymity : User can access service/resoure without disclosing his/her identity ... </details> #### 3) What is an attacker / attacker model? Why does one need to think about it? <details> <summary> Answer </summary> Attacker : Who undermines our protection goals Attacker Model : Model that generalizes individual attacker and defines role, behaviour and intelligence of attacker We can not protect our system against omnipotent attacker. Hence, we need to limit the capabilities of the attacker and explicitly define what type of attackers we consider. Pragmatic reason: More powerful attacker means more costly it becomes to design and implement. Costly means not only with money, but also other non functional properties such as latency.(Increase in energy consumption) </details> #### 4) How can we classify / describe attackers / attacker models? Name a few of them or give examples and describe them <details> <summary> Answer </summary> * Roles of the attacker : user, operator, maintainer, designer.(also combined e.g. user can also be the designer) * Area of physical control of the attacker : Access to the physical env of system. E.g. can put USB and access the information * Behaviour of the attacker : Passive/Active , Observing/Modifying </details> #### 5) What are the fundamental operations of (classical) ciphers? <details> <summary> Answer </summary> * Substitution: Substitute each character in a plaintext with another letter, symbol or ciphertext * Transposition: Plaintext will get rearranged based on fixed pattern. * Combination: Combination of both Substitution and Transposition </details> #### 6) Assume you found a ciphertext and you know, that a classical cipher was used for encryption. How could you find out, which method was (possibly) applied? How can you try to decrypt it? <details> <summary> Answer </summary> * Frequency analysis: We can check which group of ciphertext's frequency is more in the text. For example in english, generally, letter e's frequency is more. With this there's a likelyhood of Substitution cipher being used. * Pattaern analysis: If we find some recurring pattern in the ciphertext, there's a high chance of transposition cipher being used. </details> #### 7) What does perfect security (also known as: information theoretic security) mean? Can we achieve it? If yes, how? <details> <summary> Answer </summary> * You learn nothing from ciphertext except the length * Even with unlimited computational power the attacker learns nothing Yes we can achieve it. Example: One time pad. </details> #### 8) How can we classify / categorize cryptographic algorithms? Name and briefly describe the different categories / classes. <details> <summary> Answer </summary> * The purpose * Encryption System (Confidentiality) - Authentication System (Integrity e.g. digital signature) * The Key distribution (symmetric/asymmetric) * The security level(information-theoretical/cryptographic) </details> #### 9) What does “Kerckhoff’s principle” mean? <details> <summary> Answer </summary> The cipher method must not be kept secret. It must be able to fall into the hands of attacker as well. The actual security of the system must be on keeping the key as secret. </details> #### 10. How can we classify / categorize different types of attacks against cryptographic algorithms? Name and briefly describe the different categories / classes. <details> <summary> Answer </summary> * Passive: Observes all the time. No interfering with the system * Ciphertext-only attacks: Sees only cipher text * Known Plaintext attacks: Learns corresponding plaintext for some ciphertexts * Active: Attacker already interferes with the system before the actual attack For symmetric enc system: * plaintext -> ciphertext( n plaintext): Chooses the plaintext and gets the ciphertext. Analyze it to deduce some assumption about key * ciphertext -_ plaintext(choosen ciphertext): Chooses the ciphertext and tricks the user to get plaintext only choosen ciphertext is relevant to asymmetric enc system In symm authentication system * plaintext -> MAC * MAC -> plaintext For asymm signature system * plaintext -> Signature attack </details> #### 11) What does “semantically secure” mean? <details> <summary> Answer </summary> Attacker learns nothing from ciphertext except the length of it in some cases. Attacker has limited computational power(Main difference from information theoretic secure) To describe it mathematically: Let P(W) is the probability that attacker guessed the plaintext wrong Let P( C) is the probability that attacker guessed the plaintext correct Advantage = |P(W) - P(C)| Our cryprographic algo is semantgically secure iff Advantage ~ 0. </details> #### 12) Describe the main idea / basic concept of security proofs. <details> <summary> Answer </summary> * Attacker sends 2 messages to the challenger. * Challenger encrypts it and sends back to the attacker. * We can prove semantic security if the attacker can not do more than guessing the ouhtcome. I.e, the probability of guessing correct and guessing wromg is nearly equal to each other. </details> #### 13) Describe (e.g. with the help of a drawing) how symmetric encryption works in general. (Assume Alice wants to send a message to Bob). Do the same for asymmetric encryption. <details> <summary> Answer </summary> Slide number 131, 132. </details> #### 14) What are the requirements with respect to the nonce / initialisation vector then using CBC mode (and why)? <details> <summary> Answer </summary> * Unique: Must be unique for each message which is encrypted with the same key. This avoids the same ciphertext for the same plaintexts * Unpredictable: It should as random as possible. This ensures same IV is not used for multiple messages * Shared to the receiver as well. </details> #### 15) Assume you want to protect the integrity of a message sent from Alice to Bob. How does it work (in general) if you would use symmetric cryptography? And how if you would use asymmetric cryptography? <details> <summary> Answer </summary> * Symmetric: Both Sender and verifier use the same key for signing and verifying. Sender generates the MAC for message x, sends (x,MAC) to the verfier/receiver. Receiver takes the message x and uses the symmetric key to generate MAC and compares it with the received MAC. If mismatch then authentication failed * Asymmetric: Signer signs the the message x using private key and a random number. Signer send (x, Sign) to the verifier. Verifier uses public key to get plaintext x from the signature and compares it with the received x. If mismatch authentication failed </details> #### 16) Name and describe properties of a cryptographic hash function. <details> <summary> Answer </summary> * Collision resistant: It is hard to find x,y with h(x) = h(y) x!= y * Preimage resistant: Given h(x) it is hard to find x * Weak collision resistant: Given x, h(x), it is hard to find y,h(y) such that h(x) = h(y) and x!=y </details> #### 17) Describe the Birthday Paradox and explain its relevance with respect to cryptography. <details> <summary> Answer </summary> Let r1,r2,.....,rn ∈ {1,2,.... ,B} Let n = 1.2 B^(1/2). Then P[∃ ri,rj : ri=rj and i!=j] >= 1/2 Cryptographically, it means that, when number of inputs increases the likelihood of collision also increases in cryptographic hash functions. </details> #### 18) Describe the Merkle-Damgård construction for hashing a message <details> <summary> Answer </summary> Which is used to build collision resistant hash functions in cryptography. The hash function reduces the length from 2s to s. Steps: * Divide the message into fixed size blocks. Last block is padded with extra bits in case it's not of full sized block. * At first, h(IV, m0) = H1 * For all i subsequent steps, h(Hi-1, mi) = Hi </details> #### 19) How can we organise the key exchange? <details> <summary> Answer </summary> Not sure about the answer. We can use multiple key exchange exchange centers who will provde part of the keys to the sender and receiver. Sender and Receiver will combine these keys to generate the final key for encryption and decryption. Diffie Hellman can also be a potential answer ?! </details> #### 20) How does the Diffie-Hellman-Key-Agreement work? <details> <summary> Answer </summary> A generator g and a prime number p is choosen. g,p ∈ Zp* both g and p are public and sent to A and B. A selects a random x ∈ Zp* and calculates g^x mod p B selects a random y ∈ Zp* and calculates g^y mod p Calculated values are exchanged publicly. A calculates (g^x)^y mod p and B calculates (g^y)^x mod p Both are equal. Note: This final key can be used as symmetric key. EIGamal system. </details> #### 21) Explain how and why RSA works <details> <summary> Answer </summary> * How does it work Select 2 large prime numbers p and q. Calculate n = p*q Calculate Φ(n) = (p-1)*(q-1) choose c such that 3 <= c < (p-1)*(q-1) calculate d, c*d ≡ 1 mod(Φ(n)) public key c, private key d. Public key is multiplicative inverse of d with respect to Φ(n) Encryption(message m): C = m^c mod(n) Decryption: C^d mod(n) * Why it works mathematical proof slide no 177. Also point to be noted is, factoring n into p,q is hard </details> #### 22) What are problems of using the naïve / plain version of RSA? What measure should one take to enhance the security? <details> <summary> Answer </summary> * RSA encryption is deterministic. So attacker can make a lookup table and can try all possible plaintext for encryption. Assuming attacker knows the ciphertext. Solution to this is, use random number during encryption to make the encryption undeterministic * The homomoprhic property(...Enc(m1) * Enc(m2) = Enc(m1*m2)...) of RSA makes it vulnurable. The attacker can multiply the ciphertext with the choosen ciphertext and send it to the system to decrypt. After the decryption, the attacker can divide the plaintext of his choosen ciphertext to get the actual plaintext sent by the user. One good solution: Use Optimal Asymmetric Encryption Padding, this adds randomness as well as hash function. Randomness to make it undeterministic, hashfunction to remove homomorphic property </details> #### 23) What does “hybrid encryption” mean? <details> <summary> Answer </summary> Symmetric cryptography is efficient and faster, but key distribution is difficult since sender and receiver should get the key through secure channel. Asymmetric cryptography, key distribution is better than symmetric one. Because, public key does not need to be sent throuh secure channel. But it's less efficient and faster than symmetric encryption. Combination of these encryption algorithm is hybrid encryption. * Use the symmetric key to encrypt and decrypt the plaintext.(Usage of symmetric enc and dec) * Use asymmetric the symmetric key distribution. I.e, use public key to encrypt the symmetric key and receiver decrypts it using private key. With this we can overcome the disadvantages of both of the algorithm. </details> #### 24) What does “factoring problem” mean? What does “discrete logarithm assumption” mean? <details> <summary> Answer </summary> * Factoring problem: p and q are large prime numbers and n = p*q. Assumtion is, given n it is hard to find p,q * discrete logarithm assumption: Let p be a large prime number. Let g be a generator choosen randomly from cyclic group Zp*. is choosen randomly from Zp*. x = logh base g mod p. Assumption is it is very hard to find the logarithm in this equation. </details> --- ## Other Topics --- #### 1) Partial correctness vs Total Correctness <details> <summary> Answer </summary> - Partially Correct - Provides correct outputs for all valid inputs. But for invalid inputs it may not termniate / can produce wrong results - Total correct - Partially correct as well as terminates for all kind of inputs </details> #### 2) What makes confidentiality differ(fundamentally) from Integrity and Availiability <details> <summary> Answer </summary> - Confidentiality: Can not be detected, but can be prevented. (Someone received my signal. He/She can get access). If unauthorized entity got access to the data, it can not be reversed - Integrity and Availability: Can be detected, but can not be prevented. Let's say, unauthorized entity makes some modification, then we can use our backup to recover. Hence, can be reversed. </details> #### 3) Correlation among protection goals <details> <summary> Answer </summary> - Availability and Confidentiality : To increase availability we will distributed the data. Hence, it's not recommended to encrypt it. Because, there will be a high chance of losing the key. This conflicts confidentiality. - Accountability and Integrity: Accountability implies Integrity Note: There are more.... </details> #### 4) What are Trojan Horses <details> <summary> Answer </summary> Malware that acts as a legitimate software to trick user to download it and execute it in their system </details> #### 5) Trojan Horse vs Universal Trojan Horse <details> <summary> Answer </summary> Same as normal Trojan Horse which can breach Confidentiality, Integrity and availability. But on top of that Universal Trojan Horse is designed to work on multiple platforms. There will be an input channel from outside to the universal trojan horse to run malicious functions </details> #### 6) Active vs Passive attacker ? <details> <summary> Answer </summary> * Passive: Listens to the communication * Active: Interfere with the system and changing something </details> #### 7) Observing vs Modifying attacker ? <details> <summary> Answer </summary> * Observing attackers: follows the rules of the system, making itself hard to detect. Observing attackers can break the rules in their physical control area * Modifying attackers: does not follow rules, hence easy to detect </details> #### 8) How can we say an attacker is stronger than another ? <details> <summary> Answer </summary> Attacker A is stronger than Attacker B iff A is stronger than B in at least one respect and A is not weaker than B in any respect </details> #### 9) What is Multilateral security ? <details> <summary> Answer </summary> Inclusion of all participants protection interests as well as dealing with resulting conflicts. - Each party defines the goal - Each party can formulate its protection goals - Security conflicts are recognized and compromises negotiated - Each party can enforce it's protection goals within the agreed compromise. As far as limitations can not be avoided, they apply to each parties equally </details> #### 10) What is Zero Trust ? <details> <summary> Answer </summary> Never trust always verify </details> #### 11) What are tamper resistant casings ? Why we need it ? What's the problem ? <details> <summary> Answer </summary> This is used for physical security measures. This contain different layer for protection. Such as modification enroachments will be detected. Unauthorized modification are delayed, or if necessery the data will be deleted before the end of the delay period. Problems are, e.g. in Smart cards: - There are no batteries to delete data - Shielding layer can not be added since the card is thin Note: We can not verify legitamacy of systems. So we can own a trusted device and that device can verify the system(Teller machine). </details> #### 12) Properties of Hash function ? <details> <summary> Answer </summary> - One way - Collision resistant - Weak collision resistant </details> #### 13) Weak Collision resistance vs Collision resistance ? <details> <summary> Answer </summary> - Weak Collision resistance - Provides protection against the attackers who can choose one input freely but not the other - Collision resistance - Provides protection against the attackers who can choose both inpuuts freely </details> #### 14) Possible attacks for password based auth with one way hash function ? <details> <summary> Answer </summary> - Brute force: Try all possible x since h(x) is known - Dictionary attack ... </details> #### 15) What is salt ? Why it's needed ? <details> <summary> Answer </summary> If password is same, hash value stays the same. This is not secure. So use random value which is called salt. h(y) = h(salt, y) </details> #### 16) How to avoid dictionary attack ? <details> <summary> Answer </summary> - Enforce password rules - Long password - Before accepting a pwd, check it with John the Ripper </details> #### 17) What is replay attack ? What's the solution ? <details> <summary> Answer </summary> Attacker intercepts the communication and retransmits the same data packet impersonating the sender. Challenge response model - System sends a challenge to the user that only the user can solve. After confirmation it sends data. </details> #### 18) What's the problem with Challenge response ? What's the solution ? <details> <summary> Answer </summary> Vulnerable to Man in the middle attack. Dont allow parallel login. </details> #### 19) Biometric characteristics ? <details> <summary> Answer </summary> - Unique - Everyone has it - Stable over time - Hard to fake it - Measureable </details> #### 20) Pros and cons of biometrics ? <details> <summary> Answer </summary> - Pros - Can not be stolen - Can not be forgotten - Hard to copy - Cons - Privacy breach - Can not be renewed </details> #### 21) False Acceptance rate(FAR) vs False Rejection Rate(FRR) ? <details> <summary> Answer </summary> FAR - Systems authorizes for unauthorized user FRR - System unauthorizes authorized user Note: Encryption only ensures confidentiality </details> #### 22) Why we need random number input to asymmetric encryption ? <details> <summary> Answer </summary> Without randomness same input always results into same output. Hence, attacker can try all possible messages. </details> #### 23) What is the problem with single KDC ? How to overcome that problem ? <details> <summary> Answer </summary> KDC knows the key used. Hence, it can easily decrypt the message. Use multiple KDCs which will provide the symmetric keys and combine those keys to get the final key which is used for enc and dec. Note: Authentication system is to ensure integrity </details> #### 24) In Symmetric authentication system, what do you infer, if at the receiver side, local calculation of MAC does not match the MAC sent by the sender ? Does this mean that plaintext is modified ? <details> <summary> Answer </summary> Any one or both of the plaintext and MAC might be modified by the attacker. </details> #### 25) What I can achieve using asymmetric auth system which I can not achieve using symmetric one ? <details> <summary> Answer </summary> Accountability. In asymmetric private key is known to the sender only. So if the MAC says it's from A, only A knows the key. But in symmetric auth system, same key is used for signing and verifying. So there's a possibility of faking the signature. </details> #### 26) Needham-Schroeder-Protocol using Symmetric encryption. Goals ? <details> <summary> Answer </summary> Slide No. 139 (When I was studying :) ) Goal : Key freshness, key authentication </details> #### 27) Goal of the attacks ? <details> <summary> Answer </summary> - total break - attacker learns the key - procedure equivalent to key (universal break) - Individual messages - one selected message - any message </details> #### 28) Adaptive vs Non adaptive attacks ? <details> <summary> Answer </summary> * Adaptive: attacker learns from previous outputs and based on that he/she decides on how to do next attack * Non adaptive: attacker will have fixed set of inputs for the attacks and performs the attack solely based on those. No learnings from previous outputs. </details> #### 29) Security classes of cryprographic algo ? <details> <summary> Answer </summary> * Information theoretical secure - Secure against omnipotent attacker * Cryptographically Strong - Mathematically proven that breaking is as difficult as NP hard problem * Well analyzed - No math proof. But from ages experts are using, still nothing found any flaw * Somewhat analyzed: Not fully analyzed for all kind of attacks. It might be vulnurable to some attacks * Kept secret: Algo is kept secret </details> #### 30) Problem with symmetric Needham-Schroeder-Protocol ? <details> <summary> Answer </summary> Vulnurable to replay attack. Assume, session key has been compromised. Replay attacker sends Kbt(Kab, A) to B and B sends the Nonce. So communication proceeds even after compromisation </details> #### 31) Why adaptive attacks are not effective against one time pad ? <details> <summary> Answer </summary> Every time completely random key is used for encryption. </details> #### 32) Why key needs to be very long for Information Theoretic secure(for Vernam Cipher) ? <details> <summary> Answer </summary> With a fixed key all plaintexts must be encoded to distinct cipher texts. |C| >= |X| Any plaintext can be any of the cipher text |K| >= |C| Hence |K| >= |X| </details> #### 33) What does Euler's totient function say ? <details> <summary> Answer </summary> Φ(n) gives list of positive integers less than 'n' which are coprime to n. Φ(n) = |{a ∈ (0,...,n) } | gcd(a,n) = 1 | </details> #### 34) What does Chinese remainder theorem say ? <details> <summary> Answer </summary> x ≡ y mod n <=> x ≡ y mod p ^ x ≡ y mod p n = p * q and p,q are prime numbers </details> #### 35) What is Davida's attack ? <details> <summary> Answer </summary> Homomorphic property of RSA applies to signatures as well.(Not the best explaination :P) </details> #### 36) What is Diffie Hellman key agreement assumption ? <details> <summary> Answer </summary> * Given g, p, g^x mod p, g^y mod p, it is hard to calculate g^xy mod p. </details> #### 37) What is Pseudo random bit stream generator ? <details> <summary> Answer </summary> Which generates long bit stream by taking a random number as input. </details> #### 38) How does s^2 mod n pseudo random bitstream generator works ? (Blum/Blum/Shub) <details> <summary> Answer </summary> take large prime numbers p,q and calculate n = p*q take a random seed from cyclic group Zn* s0 = s^2 mod n b0 = s0 mod 2 s1 = s0^2 mod n b1 = s1 mod 2 s2 = s1^2 mod n b2 = s2 mod 2 Note: bits start repeating after some iterations. So take n as a very large value </details> #### 39) How to use s^2 mod n generator in symmetric encryption system(Pseudo One tim pad) ? <details> <summary> Answer </summary> Add a long pseudo random bits as one time pad. Slide no 194 for diagram. * Encryption: Gets both n,s from KDC. s is random seed. Generate random bits, XOR it with the message and send * Decryption: Gets both n,s from KDC. Generate random bits, XOR it with the received ciphertext. Note: * It's not information theoretic secure. Since, it's deterministic. * Everytime use different key to encrypt same message. Assumption: If the attacker is not able to distinguish pseudo random number with real random number, then pseudo random one time pad is secure. </details> #### 40) How to use s^2 mod n generator in asymmetric encryption system ? <details> <summary> Answer </summary> * Encryption: only n is given by KDC to the sender. Sender chooses the initial random value and generates pseudo random bits. After encryption the sender also sends sk+1 in the message to the receiver.(k is the length of msg) * Decryption: Receiver gets p,q which are private keys. Using the sk+1 bit the receiver will be able to decrypt the msg. How ? (say sk+1 = x) wp = x ^(p+1/4) wq = x ^(q+1/4) Use chinese remainder theorem to get w. Which is sk Note: Not secure against choosen cipher text attack </details> #### 41) RSA: Faster calculation of the secret operation ? <details> <summary> Answer </summary> Let's assume that we have a ciphertext C that was encrypted using an RSA public key (n,e) and we want to decrypt it using the private key (n,d). To speed up the decryption process, we can use CRT. Here are the steps for decrypting the ciphertext using CRT: Calculate dp = d mod (p-1) and dq = d mod (q-1), where p and q are the prime factors of n. This step can be done during the generation of the private key. Calculate the ciphertext's residue modulo p and q. Let C1 = C mod p and C2 = C mod q. Calculate the two modular exponentiations: M1 = C1^dp mod p M2 = C2^dq mod q These two steps can be done in parallel since they don't depend on each other. Combine M1 and M2 to get the value of the message modulo n using the CRT: Let M = M1qQinv + M2pPinv mod n, where Qinv and Pinv are the inverses of q mod p and p mod q respectively. These values can be precomputed during the private key generation. The value of M is the decrypted plaintext. </details> #### 42) How does DES work ? <details> <summary> Answer </summary> Block cipher. 64 bit block plaintext 64 bit block ciphertext 64 bit key.(56 bits random + 6 bits parity). Parity as to recover bit flips. 16 Rounds Steps: * Create initial permutation of the plaintext. First half is L0 and second half is R0 * For each round calculate * Li = Ri - 1 * Ri = Li-1 + f(Ki, Ri-1) * After last round interchange left and right half. That's the ciphertext Decryption is the same steops as above. Don't do the IP again. :) </details> #### 43) Why we need IP DES ? <details> <summary> Answer </summary> There's no cryptographic reason to do IP in DES. Economic reasons of IBM in 70s. Not sure. </details> #### 44) Why in DES we do feistel cipher steps(I mean splitting, interchanging left and right so on..) ? <details> <summary> Answer </summary> Because, the resulting construction is self inverse, i.e, take output use the same text and same function again, booomm, you will get plaintext. So no need to do inverse the function 'f'. </details> #### 45) Why sometimes we shift 1 bit and sometimes 2 bit while generating round key ? <details> <summary> Answer </summary> Didn't understand. May be to introduce more randomness in the round keys. </details> #### 46) What is complementation property of DES ? <details> <summary> Answer </summary> Take complement of plaintext, take complement of key. Then encrypt(C1) Encrypt with plaintext, key. Then complement the resulting ciphertext.(C2) C1 = C2 DES(p',k') = DES(p,k)' </details> \ ```Note: Because of key length DES is insecure. Not because of algorithm.``` #### 47) What is 3DES ? Why we need it ? Why 3DES.. Why not 2DES ? How does it work ? <details> <summary> Answer </summary> * What : DES with key length 56*3 = 168 bits. * Why: DES is vulnurable to brute force attack coz the key length is short. So increase key length. * Why not 2DES: Vulnurable to meet in the middle attack * How: E(k1, D(k2, E(k3, p))) - Encrypt p with k3, decrypt with k2, again encrypt with k1. </details> #### 48) Why we need E(k1, D(k2, E(k3, p))) ? Why cant we just do triple encrypt ? <details> <summary> Answer </summary> Then it'd be same as single DES encryption, if k1=k2=k3. </details> #### 49) What is meet in the middle attack ? <details> <summary> Answer </summary> Let's say attacker has a pair of plaintext and ciphertext (p,c). Encrypt p with all possible value of k2. Intermediate result I1. Decrypt c with all possible value of k1. Intermediate result I2. If there is a match in I1, I2. Attacker got the keys. </details> #### 50) What's the problem with ECB ? <details> <summary> Answer </summary> Same plaintext always result into same ciphertext. Hence, the attacker can learn the pattern of plaintext. </details> #### 51) How CBC works ? How it's self synchronizing ? <details> <summary> Answer </summary> Encryption: * iv XOR Encr(block0) => Save in memory * For all subsequent blocks i : Encr(blocki-1) XOR Encr(Blocki) Decrption: * Decr(Block0) XOR iv => Save in memory * For all subsequent blocks i : Decr(Blocki) XOR Decr(Blocki-1) Note: Somehow iv should be communicated prior to decryption A error in the line, then after 2 wrong blocks, subsequent blocks will be synhronized </details> #### 52) How can we use CBC as authentication system ? <details> <summary> Answer </summary> Use last block as MAC. </details> #### 53) Describe the Birthday Paradox and explain its relevance with respect to cryptography. <details> <summary> Answer </summary> Let r1,r2,.....,rn ∈ {1,2,.... ,B} Let n = 1.2 B^(1/2). Then P[∃ ri,rj : ri=rj and i!=j] >= 1/2 Cryptographically, it means that, when number of inputs increases the likelihood of collision also increases in cryptographic hash functions. </details> #### 54) What is length extension attack ? <details> <summary> Answer </summary> In Merkle Damgard construction we can add our own block(extend) at the end, and we can calculate fake MAC out of it. Fake_MAC = h(MAC(K,m), m[b+1]) </details>