Chapter 2

Classical Encryption Techniques

2.1).What are the essential ingredients of a symmetric cipher?

Plaintext
Encryption algorithm
Secret key
Cipher text
Decryption algorithm

2.2).What are the two basic functions used in encryption algorithms?

Permutation
Substitution

2.3). How many keys are required for two people to communicate via a cipher?

One key for symmetric ciphers

Two keys for asymmetric ciphers.

2.4).What is the difference between a block cipher and a stream cipher?

A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A
block cipher is one in which a block of plaintext is treated as a whole and used to produce a cipher
text block of equal length.

2.5).What are the two general approaches to attacking a cipher?

Cryptana
lysis
Brute force.

2.6).List and briefly define types of cryptanalytic attacks based on what is known to the
attacker.

Cipher text only: One possible attack under these circumstances is the brute-force approach
of trying all possible keys. If the key space is very large, this becomes impractical. Thus, the
opponent must rely on an analysis of the cipher text itself
Known plaintext: The analyst may be able to capture one or more plaintext messages as well
as their encryptions. With this knowledge, the analyst may be able to deduce the key on the
basis of the way in which the known plaintext is transformed.
Chosen plaintext: If the analyst is able to choose the messages to encrypt, the analyst may
deliberately pick patterns that can be expected to reveal the structure of the key.

2.7).What is the difference between an unconditionally secure cipher and a computationally

secure cipher?

An encryption scheme is unconditionally secure if the cipher text generated by the scheme
does not contain enough information to determine uniquely the corresponding plaintext, no
matter how much cipher text is available. An encryption scheme is said to be computationally
 secure if: (1) the cost of breaking the cipher exceeds the value of the encrypted information,
and (2) the time required to break the cipher exceeds the useful lifetime of the information.

2.8).Briefly defines the Caesar cipher.

The Caesar cipher involves replacing each letter of the alphabet with the letter standing k places
further down the alphabet, for k in the range 1 through 25.

2.9).Briefly defines the monoalphabetic cipher.

A monoalphabetic substitution cipher maps a plaintext alphabet to a cipher text alphabet, so that
each letter of the plaintext alphabet maps to a single unique letter of the cipher text alphabet.

2.10).Briefly defines the Play fair cipher.

The Play fair algorithm is based on the use of a 5 * 5 matrix of letters constructed using a
keyword. Plaintext is encrypted two letters at a time using this matrix.

2.11).What is the difference between a monoalphabetic cipher and a polyalphabetic cipher?

A polyalphabetic substitution cipher uses a separate monoalphabetic substitution cipher

for each successive letter of plaintext, depending on a key.

2.12).What are two problems with the one-time pad?

1.There is the practical problem of making large quantities of random keys. Any heavily used
system might require millions of random characters on a regular basis. Supplying truly
random characters in this volume is a significant task.
2.Even more daunting is the problem of key distribution and protection. For every message to
be sent, a key of equal length is needed by both sender and receiver. Thus, a mammoth key
distribution problem exists.

2.13).What is a transposition cipher?

A transposition cipher involves a permutation of the plaintext letters.

2.14).What is steganography?

Steganography involves concealing the existence of a message.

 Chapter 3
Block Ciphers and the Data Encryption Standard
3.1). Why is it important to study the Feistel cipher?

Most symmetric block encryption algorithms in current use are based on the Feistel block cipher
structure. A study of the Feistel structure reveals the principles behind these recent ciphers.

3.2).What is the difference between a block cipher and a stream cipher?

A stream cipher is one that encrypts a digital data stream one bit or one byte at a time. A
block cipher is one in which a block of plaintext is treated as a whole and used to produce a cipher
text block of equal length.

3.3).Why is it not practical to use an arbitrary reversible substitution cipher of the kind shown
in Table 3.1?

If a small block size, such as n = 4, is used, then the system is equivalent to a classical
substitution cipher. For small n, such systems are vulnerable to a statistical analysis of the plaintext.
n
For a large block size, the size of the key, which is on the order of n * 2 , makes the system
impractical.

3.4).What is a product cipher?

In a product cipher, two or more basic ciphers are performed in sequence in such a way that
the final result or product is cryptographically stronger than any of the component ciphers.

3.5).What is the difference between diffusion and confusion?

In diffusion, the statistical structure of the plaintext is dissipated into long-range statistics of
the cipher text. This is achieved by having each plaintext digit affect the value of many cipher text
digits, which is equivalent to saying that each cipher text digit is affected by many plaintext digits.
Confusion seeks to make the relationship between the statistics of the cipher text and the
value of the encryption key as complex as possible, again to thwart attempts to discover the key.
Thus, even if the attacker can get some handle on the statistics of the cipher text, the way in which
the key was used to produce that cipher text is so complex as to make it difficult to deduce the key.
This is achieved by the use of a complex substitution algorithm.

3.6).Which parameters and design choices determine the actual algorithm of a Feistel cipher?

Block size: Larger block sizes mean greater security (all other things being equal) but
reduced encryption/decryption speed.
Key size: Larger key size means greater security but may decrease encryption/decryption
speed.
Number of rounds: The essence of the Feistel cipher is that a single round offers
inadequate security but that multiple rounds offer increasing security.
Sub key generation algorithm: Greater complexity in this algorithm should lead to greater
difficulty of cryptanalysis.
Round function: Again, greater complexity generally means greater resistance to
cryptanalysis.
 Fast software encryption/decryption: In many cases, encryption is embedded in
applications or utility functions in such a way as to preclude a hardware implementation.
Accordingly, the speed of execution of the algorithm becomes a concern.
Ease of analysis: Although we would like to make our algorithm as difficult as possible to
cryptanalyze, there is great benefit in making the algorithm easy to analyze. That is, if the algorithm
can be concisely and clearly explained, it is easier to analyze that algorithm for cryptanalytic
vulnerabilities and therefore develop a higher level of assurance as to its strength.

3.7).What is the purpose of the S-boxes in DES?

The S-box is a substitution function that introduces nonlinearity and adds to the complexity
of the transformation.

3.8).Explain the avalanche effect.

The avalanche effect is a property of any encryption algorithm such that a small change in
either the plaintext or the key produces a significant change in the cipher text.

3.9).What is the difference between differential and linear cryptanalysis?

Differential cryptanalysis is a technique in which chosen plaintexts with particular XOR

difference patterns are encrypted. The difference patterns of the resulting cipher text provide
information that can be used to determine the encryption key.
Linear cryptanalysis is based on finding linear approximations to describe the
transformations performed in a block cipher.
 Chapter 11
Message Authentication and Hash Functions
10.1).What characteristics are needed in a secure hash function?

1. H can be applied to a block of data of any size.

2. H produces a fixed-length output.
3. H(x) is relatively easy to compute for any given x, making both hardware and software
implementations practical.
4. For any given value h, it is computationally infeasible to find x such that H(x) = h. This is
sometimes referred to in the literature as the one-way property.
5. For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x).
6. It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

11.2).What is the difference between weak and strong collision resistance?

Weak collision resistance:

For any given block x, it is computationally infeasible to find y ≠ x with H(y) = H(x). Strong
collision resistance:
It is computationally infeasible to find any pair (x, y) such that H(x) = H(y).

11.3).What is the role of a compression function in a hash function?

A typical hash function uses a compression function as a basic building block, and involves
repeated application of the compression function.

11.4).What is the difference between little-endian and big-endian format?

In little-endian format, the least significant byte of a word is in the low-address byte
position.
In big-endian format, the most significant byte of a word is in the low-address byte position.

11.5).What basic arithmetical and logical functions are used in SHA?

64 32
Addition modulo 2 or 2 , circular shift, primitive Boolean functions based on AND, OR,
NOT, and XOR.
 Chapter 12
Message Authentication Code
12.1).What types of attacks are addressed by message authentication?

 Masquerade
 Content modification
 Sequence modification
 Timing modification

12.2).What two levels of functionality comprise a message authentication or digital

signature mechanism?

At the lower level, there must be some sort of function that produces an authenticator: a value
to be used to authenticate a message. This lower-level function is then used as primitive in a
higher-level authentication protocol that enables a receiver to verify the authenticity of a
message.

12.3).What are some approaches to producing message authentication?

Message encryption, message authentication code, digitally signature

12.4).When a combination of symmetric encryption and an error control code is used for
message authentication, in what order must the two functions be performed?

First, Error control code is used and then encryption is performed.

12.5).What is a message authentication code?

Message authentication code refers to the mechanism used to ensure that the integrity of the
received message has been preserved - that the message has not been altered during
transmission. It also assures the receiver that the message has originated from the intended
sender and not from any intruder. Thus, a message is said to be authentic if the message has
not been altered and has come from the actual sender.

12.6).What is the difference between a message authentication code and a one-way hash
function?

A hash function, by itself, does not provide message authentication. A secret key must be used
in some fashion with the hash function to produce authentication. A MAC, by definition, uses
a secret key to calculated a code used for authentication.

12.7).In what ways can a hash value be secured so as to provide message authentication?

The message plus concatenated hash code is encrypted using symmetric encryption.The
hash code provides the structure required for authentication.

Only the hash code is encrypted using symmetric encryption. This reduces the processing
burden.

Only the hash code is encrypted using public key encryption and the sender’s private
key.This provides digital signature.
 The message plus the public key-encrypted hash code may be encrypted using a symmetric
secret key.

A hash function may be used without encryption for message authentication.It assumes that
two communicating parties (A and B) share a common key (s). ’A’ computes the hash value
over the concatenation of M and S.B knows S and therefore can re-compute M.

The entire message plus the hash code may be encrypted.

12.8).Is it necessary to recover the secret key in order to attack a MAC algorithm?

A number of keys will produce the correct MAC and the opponent has no way of knowing
which the correct key is. On an average 2(n-k) keys produce a match. Therefore attacks do not
require the discovery of the key.

12.9).What changes in HMAC are required in order to replace one underlying hash function
with another?

To replace a given hash function in an HMAC implementation, all that is required is to remove
the existing hash function module and drop in the new module.
 Chapter 13
Digital Signatures
13.1).List two disputes that can arise in the context of message authentication.

Suppose that John sends an authenticated message to Mary. The following disputes that could
arise: 1. Mary may forge a different message and claim that it came from John. Mary would
simply have to create message and append an authentication code using the key that John and
Mary share. 2. John can deny sending the message. Because it is possible for Mary to forge a
message, there is no way to prove that John did in fact send the message.

13.2).What are the properties a digital signature should have?

1. It must be able to verify the author and the date and time of the signature.
2. It must be able to authenticate the contents at the time of the signature.
3. The signature must be verifiable by third parties, to resolve disputes.

13.3).What requirements should a digital signature scheme satisfy?

1. The signature must be a bit pattern that depends on the message being signed.
2. The signature must use some information unique to the sender, to prevent both forgery and
denial.
3. It must be relatively easy to produce the digital signature.
4. It must be relatively easy to recognize and verify the digital signature.
5. It must be computationally infeasible to forge a digital signature, either by constructing a
new message for an existing digital signature or by constructing a fraudulent digital
signature for a given message.
6. It must be practical to retain a copy of the digital signature in storage.

13.4).What is the difference between direct and arbitrated digital signature?

A direct digital signature involves only the communicating parties (source, destination). It is
assumed that the destination knows the public key of the source. A digital signature may be
formed by encrypting the entire message with the sender's private key or by encrypting a hash
code of the message with the sender's private key.
An arbitrated digital signature operates as follows. Every signed message from a sender X
to a receiver Y goes first to an arbiter A, who subjects the message and its signature to a
number of tests to check its origin and content. The message is then dated and sent to Y with
an indication that it has been verified to the satisfaction of the arbiter.

13.5).In what order should the signature function and the confidentiality function be applied
to a message, and why?

It is important to perform the signature function first and then an outer confidentiality
function. In case of dispute, some third party must view the message and its signature. If the
signature is calculated on an encrypted message, then the third party also needs access to the
decryption key to read the original message. However, if the signature is the inner operation,
then the recipient can store the plaintext message and its signature for later use in dispute
resolution.
13.6).What are some threats associated with a direct digital signature scheme?

1. The validity of the scheme depends on the security of the sender's private key. If a sender
later wishes to deny sending a particular message, the sender can claim that the private key
was lost or stolen and that someone else forged his or her signature.
2. Another threat is that some private key might actually be stolen from X at time T. The
opponent can then send a message signed with X's signature and stamped with a time before
or equal to T.
 Chapter 17
Web Security
17.1).What are the advantage of each of the three approaches shown in Figure 17.1?

The advantage of using IPSec (Figure 17.1a) is that it is transparent to end users and
applications and provides a general-purpose solution. Further, IPSec includes a filtering
capability so that only selected traffic need incur the overhead of IPSec processing. The
advantage of using SSL is that it makes use of the reliability and flow control mechanisms of
TCP. The advantage application-specific security services (Figure 17.1c) is that the service can
be tailored to the specific needs of a given application.

17.2).What protocols comprise SSL?

SSL handshake protocol

SSL change cipher
spec protocol SSL
alert protocol
SSL record protocol.

17.3).What is the difference between an SSL connection and an SSL session?

Connection: A connection is a transport (in the OSI layering model definition) that provides a
suitable type of service. For SSL, such connections are peer-to-peer relationships. The
connections are transient. Every connection is associated with one session.
Session: An SSL session is an association between a client and a server. Sessions are created
by the Handshake Protocol. Sessions define a set of cryptographic security parameters, which
can be shared among multiple connections. Sessions are used to avoid the expensive
negotiation of new security parameters for each connection.

17.4).List and briefly define the parameters that define an SSL session state.

Session identifier: An arbitrary byte sequence chosen by the server to identify an active or
resumable session state.
Peer certificate: An X509.v3 certificate of the peer.
Compression method: The algorithm used to compress data prior to encryption.
Cipher spec: Specifies the bulk data encryption algorithm (such as null, DES, etc.) and a hash
algorithm (such as MD5 or SHA-1) used for MAC calculation. It also defines cryptographic
attributes such as the hash size.
Master secret: 48-byte secret shared between the client and server.
Is resumable: A flag indicating whether the session can be used to initiate new connections.

17.5).List and briefly define the parameters that define an SSL session connection.

Server and client random: Byte sequences that are chosen by the server and client for each
connection.
Server write MAC secret: The secret key used in MAC operations on data sent by the server.
Client write MAC secret: The secret key used in MAC operations on data sent by the client.
Server write key: The conventional encryption key for data encrypted by the server and
decrypted by the client.
 Client write key: The conventional encryption key for data encrypted by the client and
decrypted by the server.
Initialization vectors: When a block cipher in CBC mode is used, an initialization vector (IV)
is maintained for each key. This field is first initialized by the SSL Handshake Protocol.
Thereafter the final cipher text block from each record is preserved for use as the IV with the
following record.
Sequence numbers: Each party maintains separate sequence numbers for transmitted and
received messages for each connection. When a party sends or receives a change cipher spec
message, the appropriate sequence number is set to zero. Sequence numbers may not exceed
64
2 – 1.

17.6).What services are provided by the SSL Record protocol?

Confidentiality: The Handshake Protocol defines a shared secret key that is used for
conventional encryption of SSL payloads.
Message Integrity: The Handshake Protocol also defines a shared secret key that is used to
form a message authentication code (MAC).

17.7).What steps are involved in the SSL record protocol transmission?

Fragmentation
Compression
Add MAC
Encrypt
Append SSL record header.

17.8).List and briefly define the principal categories of SET participants.

Cardholder: In the electronic environment, consumers and corporate purchasers interact with
merchants from personal computers over the Internet. A cardholder is an authorized holder of
a payment card (e.g., MasterCard, Visa) that has been issued by an issuer.
Merchant: A merchant is a person or organization that has goods or services to sell to the
cardholder. Typically, these goods and services are offered via a Web site or by electronic
mail. A merchant that accepts payment cards must have a relationship with an acquirer.
Issuer: This is a financial institution, such as a bank, that provides the cardholder with the
payment card. Typically, accounts are applied for and opened by mail or in person. Ultimately,
it is the issuer that is responsible for the payment of the debt of the cardholder. Acquirer:
This is a financial institution that establishes an account with a merchant and processes
payment card authorizations and payments. Merchants will usually accept more than one
credit card brand but do not want to deal with multiple bankcard associations or with multiple
individual issuers. The acquirer provides authorization to the merchant that a given card
accounts is active and that the proposed purchase does not exceed the credit limit. The
acquirer also provides electronic transfer of payments to the merchant's account.
Subsequently, the acquirer is reimbursed by the issuer over some sort of payment network for
electronic funds transfer.
Payment gateway: This is a function operated by the acquirer or a designated third party that
processes merchant payment messages. The payment gateway interfaces between SET and the
existing bankcard payment networks for authorization and payment functions. The merchant
exchanges SET messages with the payment gateway over the Internet, while the payment
gateway has some direct or network connection to the acquirer's financial processing system.
Certification authority (CA): This is an entity that is trusted to issue X.509v3 public-key
certificates for cardholders, merchants, and payment gateways. The success of SET will
 depend on the existence of a CA infrastructure available for this purpose. As was discussed in
previous chapters, a hierarchy of CAs is used, so that participants need not be directly certified
by a root authority.

17.9).What is a dual signature and what is its purpose?

A dual signature is used to sign two concatenated documents each with its own hash code. The
purpose of the dual signature is to link two messages that are intended for two different
recipients. In this case, the customer wants to send the order information (OI) to the merchant
and the payment information (PI) to the bank. The merchant does not need to know the
customer's credit card number, and the bank does not need to know the details of the
customer's order.
 Chapter 20
Intruders
20.1).List and briefly define three classes of intruders.

Masquerader: An individual who is not authorized to use the computer and who penetrates a
system's access controls to exploit a legitimate user's account.
Misfeasor: A legitimate user who accesses data, programs, or resources for which such access
is not authorized, or who is authorized for such access but misuses his or her privileges.
Clandestine user: An individual who seizes supervisory control of the system and uses this
control to evade auditing and access controls or to suppress audit collection.

20.2).What are two common techniques used to protect a password file?

One-way encryption: The system stores only an encrypted form of the user's password.
When the user presents a password, the system encrypts that password and compares it with
the stored value. In practice, the system usually performs a one-way transformation (not
reversible) in which the password is used to generate a key for the encryption function and in
which a fixed-length output is produced.
Access control: Access to the password file is limited to one or a very few accounts.

20.3).What are three benefits that can be provided by an intrusion detection system?

1.If an intrusion is detected quickly enough, the intruder can be identified and ejected from the
system before any damage is done or any data are compromised. Even if the detection is not
sufficiently timely to pre-empt the intruder, the sooner that the intrusion is detected, the less
the amount of damage and the more quickly that recovery can be achieved.
2.An effective intrusion detection system can serve as a deterrent, so acting to prevent
intrusions.
3.Intrusion detection enables the collection of information about intrusion techniques that can
be used to strengthen the intrusion prevention facility.

20.4).What is the difference between statistical anomaly detection and rule-based intrusion
detection?

Statistical anomaly detection involves the collection of data relating to the behavior of
legitimate users over a period of time. Then statistical tests are applied to observed behavior to
determine with a high level of confidence whether that behavior is not legitimate user
behavior.
Rule-Based Detection involves an attempt to define a set of rules that can be used to decide
that a given behavior is that of an intruder.

20.5).What metrics are useful for profile-based intrusion detection?

Counter: A nonnegative integer that may be incremented but not decremented until it is reset
by management action. Typically, a count of certain event types is kept over a particular
period of time.
Gauge: A nonnegative integer that may be incremented or decremented. Typically, a gauge is
used to measure the current value of some entity. Interval timer: The length of time between
two related events.
Resource utilization: Quantity of resources consumed during a specified period.
20.6).What is the difference between rule-based anomaly detection and rule-based penetration
identification?

With rule-based anomaly detection, historical audit records are analysed to identify usage
patterns and to generate automatically rules that describe those patterns. Rules may represent
past behavior patterns of users, programs, privileges, time slots, terminals, and so on. Current
behavior is then observed, and each transaction is matched against the set of rules to
determine if it conforms to any historically observed pattern of behavior. Rule-based
penetration identification uses rules for identifying known penetrations or penetrations that
would exploit known weaknesses. Rules can also be defined that identify suspicious behavior,
even when the behavior is within the bounds of established patterns of usage. Typically, the
rules used in these systems are specific to the machine and operating system. Also, such rules
are generated by "experts" rather than by means of an automated analysis of audit records.

20.7).What is a honeypot?

Honeypots are decoy systems that are designed to lure a potential attacker away from critical
systems.

20.8).What is a salt in the context of UNIX password management?

The salt is combined with the password at the input to the one-way encryption routine.

20.9).List and briefly define four techniques used to avoid guessable passwords.

User education: Users can be told the importance of using hard-to-guess passwords and can
be provided with guidelines for selecting strong passwords.
Computer-generated passwords: Users are provided passwords generated by a computer
algorithm.
Reactive password checking: the system periodically runs its own password cracker to find
guessable passwords. The system cancels any passwords that are guessed and notifies the user.
Proactive password checking: a user is allowed to select his or her own password. However,
at the time of selection, the system checks to see if the password is allowable and, if not,
rejects it.