THE HONG KONG POLYTECHNIC UNIVERSITY

DEPARTMENT OF COMPUTING

MID-TERM TEST SAMPLE SOLUTIONS

Subject : COMP3334 Computer Systems Security

Session : 2022 / 2023 Semester II

Date : 4 March 2023 Time: 14:30 - 16:00

Time Allowed: 1.5 hours Subject Lecturer: Dr Dennis LIU

This question paper has 11 pages (including this page).

Instructions to Candidates:

- This is a closed-book test.

- Write down your answers in this paper.
- Students should attempt ALL questions.
- Write down your steps if the question requires any calculation and
encryption/decryption operations.
- Full mark: 100

Do not turn this page until you are told to do so!

Name: ______________________________ Student No.: _____________________

For all questions, show your steps.

Question 1. Define the following security terms: (3 marks)

a. Disclosure
b. Masquerading
c. Threat

Disclosure
Unauthorized access to information
Masquerading
Impersonation of one entity by another
Threat
A threat is a potential violation of security

Question 2. What is the difference between security policy and security mechanism?
(4 marks)

A security policy is a statement of what is, and what is not allowed when assessing
computer assets (e.g., programs, documents, hardware and services).
A security mechanism is a method, tool, or procedure for enforcing a security policy. It
can be technical or non-technical.

Question 3. What is Principle of Effectiveness in security principles? (2 marks)

Controls must be used properly to be effective

Controls should be efficient, easy to use and appropriate

Question 4. Let S = {A, B, C, … , X, Y, Z} be the space of both plaintext and ciphertext.

Suppose the plaintext is

NORMAL

and the secret key is

RESUME

Encrypt this message using Vigenère cipher. (7 marks)

Plaintext: N | Key: R(17) | Ciphertext: N(13) + 17 mod 26 = E

Plaintext: O | Key: E(4) | Ciphertext: O(14) + 4 mod 26 = S
Plaintext: R | Key: S(18) | Ciphertext: R(17) + 18 mod 26 = J
Plaintext: M | Key: U(20) | Ciphertext: M(12) + 20 mod 26 = G

2
Plaintext: A | Key: M(12) | Ciphertext: A(0) + 12 mod 26 = M
Plaintext: L | Key: E(4) | Ciphertext: L(11) + 4 mod 26 = P
ESJGMP

Question 5. In Playfair cipher, why are ‘I’ and ‘J’ put in the same slot of the key matrix?
(4 marks)

The key matrix consists of only 25 slots and so two alphabets must be put in the same
slot.
I/J are normally be chosen to put in the same slot because I is a vowel and J is
comparatively rare in English words. It introduces less ambiguity to the reader after
decryption.

Question 6. Why is autokey cipher more resistant to statistical cryptanalysis than

monoalphabetic cipher? (4 marks)

This is because monoalphabetic cipher always maps one letter to another letter. The
frequency distribution of the letter remains unchanged after encryption. For autokey
cipher, the plaintext is used as part of the key when the master key is exhausted. One
letter has a much higher chance to map to different letters, given different letter key. It
gives a flatter frequency distribution of the ciphertext letters.

Question 7. Describe how stream cipher can approximate the property of one-time pad.
(4 marks)

Given a key as the input, the deterministic function generates a pseudorandom bit
sequence that is to be used as the key stream to encrypt the plaintext. (2 marks)
The pseudorandom bit sequence mimics the property of one-time-pad. (2 marks)

Question 8. What are the aims of confusion and diffusion in Feistel Cipher Structure?
(4 marks)

Diffusion
dissipates statistical structure of plaintext over bulk of ciphertext
Confusion
makes relationship between ciphertext and key as complex as possible

Question 9. Given an S-Box of DES, S5, below: (3 marks)

3
Write down the output bit string if the input is 0010012.

4 -> 0100

Question 10. To ensure confidentiality of information in an application, a programmer adopts

a symmetric encryption algorithm, Data Encryption Standard (DES), to encrypt
information that is transmitted to the Internet. Answer the following questions:

a. What is the size of effective key of DES? (1 mark)

8
b. Suppose a computer can perform 10 decryptions per second. Explain why DES is
not secure for the information to be kept secret for 25 years. (5 marks)
c. The programmer adopts electronic codebook (ECB) as the mode of operation.
Comment on the performance and security of his choice. (4 marks)

a. 56
b.
Time to break the cipher:

256 / (108 * 60 * 60 * 24 * 365) = 22.85 years < 25 years

c.
For performance, each block can be encrypted/decrypted separately and thus can be
performed in a parallel manner.

4
For security, the same plaintext always produces the same ciphertext. Statistical
analysis is made easier if there exists non-evenly distributed occurrence of the plaintext
information.

Question 11. Refer to the following DES variant implementation, which is called DESX.
Explain how it achieves backward compatibility to DES. (4 marks)

C = K3  DES(K2, M  K1)

Set K1 and K3 = 0. Therefore, there is no effect of K1 on M and K3 on the output DES

cipher and the plaintext is essentially encrypted by K2.

Question 12. The following is a block cipher scheme. Each block is 4-bit. For the ease of
representation, we use letter A to P to represent 0000 to 1111. The encryption table of this
block cipher is given below:

Input Block A B C D E F G H I J K L M N O P
Output Block D K H M B F O I J L E N G A C P

If we use ‘M’ as the initialization vector (IV), what is the ciphertext if we encrypt a message
“IAMANN” using cipher block chaining (CBC) mode? (8 marks)

1000 (I) XOR 1100 (M) -> 0100(E) -> (B)

0000 (A) XOR 0001 (B) -> 0001(B) -> (K)
1100 (M) XOR 1010 (K) -> 0110(G) -> (O)
0000 (A) XOR 1110 (O) -> 1110(O) -> (C)
1101 (N) XOR 0010 (C) -> 1111(P) -> (P)
1101 (N) XOR 1111 (P) -> 0010(C) -> (H)
BKOCPH
[Steps: 6 marks
Answer: 2 marks]

Question 13. In Diffie-Hellman Key exchange, why is a passive eavesdropper unable to

obtain the agreed secret key between Alice and Bob? (4 marks)

The passive eavesdropper is only able to obtain Ya = ga mod p and Yb = gb mod p. Due to

5
the difficulty of Discrete Log Problem (or Computational Diffie–Hellman assumption).
The attacker is unable to calculate efficiently gab mod p, which is the secret key.

Question 14. Calculate 1237-1 mod 2160. Express the result as a positive integer. (8 marks)

Using Extended Euclidean Algorithm,

1 0 2160 0 1 1237 1 -1 923

0 1 1237 1 -1 923 -1 2 314
1 -1 923 -1 2 314 3 -5 295
-1 2 314 3 -5 295 -4 7 19
3 -5 295 -4 7 19 63 -110 10
-4 7 19 63 -110 10 -67 117 9
63 -110 10 -67 117 9 130 -227 1
-67 117 9 130 -227 1
The inverse is -227 + 2160 = 1933

Question 15. In RSA encryption, n = 667, e = 3 and d = 411. If the same n is used, there is
another public key exponent, e’ = 17. Find out the decryption exponent d’, without
factoring n. (8 marks)

Due to the fact that ed = 1 mod phi(n),

Let k be a positive integer such that (ed – 1) / k = phi(n) < n where k < min{e, d} and
phi(n) < 667 [2 marks]

ed = 1233
ed – 1 = 1232
If k = 1, (ed – 1) / 1 = 1232 > n
If k = 2, (ed – 1) / 2 = 616
Therefore phi(n) = 616 [2 marks]

Using Extended Euclidean Algorithm,

1 0 616 0 1 17 1 -36 4
0 1 17 1 -36 4 -4 145 1
1 -36 4 -4 145 1
Therefore, d' is 145 [4 marks]

[Note: If factorization is used, 0 mark]

Question 16. The RSA key agreement protocol uses the recipient’s public key to encrypt a
session key. Under what condition is the RSA key agreement scheme susceptible to man-
in-the-middle attack? Explain. (5 marks)

6
If the session key is always generated by Alice or Bob. Trudy can intercept the
encrypted key (or the digital envelop) but cannot extract the key generated by Alice (or
Bob). However, if Trudy can fool Bob that he is Alice and Alice that she is Bob, he can
trick them into using a session key of his choice. This is possible as the basic RSA key
agreement protocol does not provide for the verification of the identities (i.e.,
authentication) of the participants.

Question 17. Assume an encryption algorithm in which the effort for the good guys (the ones
that know the key) grows linearly with the bit length of the key, and for which the only
way to break it is a brute-force attack of trying all possible keys. Then suppose advances
in computer technology make computers twice as fast. Given that both the good guys and
the bad guys get these faster computers, does this advance in computer speed work to the
advantage of the good guys, the bad guys, or does it not make any difference? Illustrate
using a concrete example. (6 marks)

The advance in computer speed works to the advantage of the good guys. If the
performance of the good guys grows linearly with the bit length of the key, then
doubling the computer speed would allow for doubling the length of the key without any
performance penalty. Doubling the length of the key would have a significant impact on
the bad guys, since the number of keys that much be checked grows exponentially with
the length of the key. (3 marks)
For example, if the key were originally 8 bits, the bad guys would need to check 256
keys (28). If both good and bad guys get computers that run twice as fast, then, for the
same amount of processing time, the good guys can use a 16-bit key and the bad guys
can check 512 keys. However, because the number of keys grows exponentially, there
will now be (216) or 65,536 keys. Checking this many keys will take the bad guys 128
times longer to than the original 8-bit key (65,536 / 512 = 128). (3 marks)

Question 18. What is the difference between strong collision resistance and weak collision
resistance for hash functions? (4 marks)

Weak collision resistant For any given block x, it is computationally infeasible

to find y≠x with H(y) = H(x).
Strong collision resistant It is computationally infeasible to find any pair
(x, y) such that H(x) = H(y).

Question 19. Consider the use of CRC (or checksum) to detect message errors in
communication protocols. Can similar mechanism be used to detect message tampering
(violation of message integrity) by an attacker? Explain. (4 marks)

It depends on the schemes being used.

Suppose a secure hash function is used to ensure message integrity. If the function is
secure against collision-companion attack, it is infeasible for the attacker to find a new
message with the same hash value as the message being attacked.

7
However, in some CRC (or checksum) algorithms, only the total number of 1s or 0s in
the message is checked. The attacker can alter the message so that the new tampered
message still passes the CRC checking. For example,
Original Message: 1010 -> Checksum = 2 (two ‘1’ bits)
Tampered Message: 0110 -> Checksum = 2 (two ‘1’ bits)
As we see from the above example, the checksum is not able to detect any tampering of
the message.

Question 20. What are the input(s) and output(s) of a digital signature algorithm? Describe
briefly. (4 marks)

Inputs:
Message – the message to be signed
A digital signature – an alleged digital signature
Public key – the signer’s public key

Output:
Valid/Invalid – Indicating the validity of the signature on the message signed by the
owner of the public key.