1. Design Problems (Open book)
Network Security
Final Examination
Lecture ID: ET-IDA ( )
Design Problems (Open book)
Duration: 120 Minutes v15
Sample Solution
Name: ……………………………………………..
Matr. Nr.: ………………………….………………
Prof. W. Adi

2. Andre Zierfuß, Arther Strasser
Many thanks to :
Andre Zierfuß, Arther Strasser
For their valuable contribution to the sample solution

3. How many public keys are possible to choose for each user?
P1: A public key RSA System is used by two users A and B with the private secret primes for A: 19, 7 and for B:17, 7.
Find out the adequate open key of user A from the following list of integers [12, 21, 35] and for B [16, 33, 22]. Compute the corresponding secret keys for user A and B.
User A encrypts the message M=3 to send the cryptogram YA to B and generates from M the signature SA . Compute YA and SA .
Decrypt cryptogram YA on the receiver‘s side B and verify the signature SA of user A.
User B signs the received message M and sends back the resulting signature SB to A. Compute the signature SB
How many public keys are possible to choose for each user?
MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

4. Solution:
Find out the adequate open key of user A from the following list of integers [12, 21, 35] and for B [16, 33, 22]. Compute the corresponding secret keys for user A and B.
NA = 19 x 7 = 133 , φ (NA ) = (19-1)(7-1) = 108
gcd [ EA, φ (NA ) ] = 1 => select 35 as gcd (108,35) = 1
(12 and 21 are not relatively prime to 108)
EA = 35
DA = -37 mod 108 = = 71 (see computation below)
DA = mod 108 = - 37 = = 71 n1 n2 b1 b2 q r
108 35 1 3 -3 11 2 34
-37
Find out the adequate open key of user B from the following list of integers: [16, 33, 22].
Compute the corresponding secret key for user B.
NB = 17 x 5 = 85 , φ (NB) = (17-1)(5-1) = 64
gcd (EB, φ (NB ) ] =1 => select 33 as gcd (64,33) = 1
EB = 33
DB = -31 mod 64 = 33 (see computation below)
DB = mod 64 = - 31 = = 33 n1 n2 b1 b2 q r 64 33 1 31 -1 2 15
-31 4

5. 5. How many public keys are possible to choose for each user?
2. User A encrypts the message M=3 to send the cryptogram YA to B and generates from M the signature SA . Compute YA and SA .
3. Decrypt cryptogram YA on the receiver‘s side B and verify the signature SA of user A.
Decryption:
Verification:
4. User B signs the received message M and sends back the resulting signature SB to A. Compute the signature SB
5. How many public keys are possible to choose for each user?
# of keys for user A = φ [φ (NA )] = φ (108 ) = φ ( )= 108 (1 -1/2 ) ( 1 – 1/3 ) = 36 keys
# of keys for user B = φ [φ (NB )] = φ (64 ) = φ (26 )= 64 (1 -1/2 ) = 32 keys 5

6. What are the possible multiplicative orders of elements in GF(26)?
P2: A Diffie-Hellman (DH) Exchange-System with public key uses GF(26) with the irreducible polynomial P(x) = x6 + x as field modulus.
Calculate all exponents of the element x from 1 to 10. Compute the multiplicative order of x?
What are the possible multiplicative orders of elements in GF(26)?
Let β= (1+x3) be an element from GF(26). Calculate the order of ß. Hint: 1+x3 = x6.
Use α=(1+x) as open element for DH System. Users A and B have the private keys Xa=31 und Xb=43 respectively. Compute the DH open key for A and B and the shared key ZAB in the form αt for the smallest t and as a binary vector.
Compute is the order for the element (1+x)45 ? Compute all elements having the same order .
Compute the multiplicative inverse of β = x3 + 1 in the form β -1 = xk for the smallest possible k.
MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

7. Solution:
Calculate all exponents of the element x from 1 to 10. Compute the multiplicative order of x?
P(x) = x6 + x = => x6 = x3 + 1
x1 = x
x2 = x2
x3 = x3
x4 = x4
x5 = x5
x6 = x3 +1
x7 = x4 + x
x8 = x5 + x2
x9 = x6 + x3 = x x3 = => order of x = 9
x10 = x
2. What are the possible multiplicative orders of elements in GF(26)?
Possible orders are the divisors of = 63
Divisors of 63 are: 1, 3,7,9,21,63
3. Let β= (1+x3) be an element from GF(26). Calculate the order of ß. Hint: 1+x3 = x6.
The order can be 1, 3,7,9,21,63.
Order of β= 3 7

8. α = 1 + x, P(x) = x6 + x3 + 1 4. Computing the order of α = (1+x)
α3 = (1+x)3 =(1+x)2 (1+x)= 1 + x2 +x + x3 ≠ 1
α7 = (1+x)4 (1+x)3 = (1+x4)(1+ x2 +x + x3 ) = 1+ x2 +x + x3 + x4+ x6 +x5 + x7 ≠ 1
α7= 1+ x2 +x + x3 + x4+ x3 +1 +x5 + x4 + x = x2 +x5 ≠ 1
α 9 = α7 α2 = (x2 +x5) (1+ x2 ) = x2 + x5 + x4 + x7 = x2 + x5 + x4 + x4 + x = x2 + x5 + x ≠ 1
α14 = ((1+x)7)2 = (x2 +x5 )2 = x4 +x10 = x4 +x ≠ 1
α21 = (1+x)14 (1+x)7 = (x4 +x ) (x2 +x5 ) = x6 +x3 + x9+ x6 = x ≠ 1
=> order of α=(1+x) is => α is a primitive element.
Public Directory: GF(26)
α = 1 + x, P(x) = x6 + x3 + 1
order α = 63
Ya = α , Yb = α 43
User A:
Xa= 31 ,
Ya = α31
User B:
Xb= 43 ,
Yb = α 49
Common secret key for users A and B
Zab = (α 31) 43 = α 31x43 mod 63 = α 10
α10 = (1+x)7 (1+x)3 = (x2 +x5 ) (1+x2 +x + x3 )
= x2 +x4 + x3+ x5 + x5 +x7 + x6+ x8 = x2 +x4 + x3+ x5 + x5 +x4 + x + 1+x3+ x5 + x2
= 1 + x + x5 = 8

9. Elements having the same order as γ are γi = for gcd(7,i)=1 :
5. Compute is the order for the element (1+x)45 ? Compute all elements having the same order . Order of (1+x)45 = α45 =γ
Elements having the same order as γ are γi = for gcd(7,i)=1 :
γ1 = (1+x)45
γ2 = (1+x)45x2 = (1+x)90 mod = (1+x)27
γ3 = (1+x)45x3 = (1+x)135 mod 63 = (1+x)9
γ4 = (1+x)45x4 = (1+x)180 mod 63 = (1+x)54
γ5 = (1+x)45x5 = (1+x)225 mod 63 = (1+x)36
γ6 = (1+x)45x6 = (1+x)270 mod 63 = (1+x)18
6. Compute the multiplicative inverse of β = x3 + 1 in the form β -1 = xk for the smallest possible k.
β -1 mod 3 = β = β 2  t = 2
As the order of β is 3.
Notice. Using the modulus 63 in the exponent would work, however the solution would not deliver the required minimum!.

10. Prove that P is a prime according to Pocklington’s theorem.
P3: A PGP-based security system as shown in fig.1 is setup such that an appropriate prime number P = 2 x = 83 is generated for GF(P), where q=41 is a prime.
Prove that P is a prime according to Pocklington’s theorem.
Find a primitive element „a“ in GF(83). Compute the probability, that a randomly chosen element is primitive.
Take the private keys for Diffie-Hellmann System over GF(83) for sender and receiver shown in fig. 1 as Xa=13 and Xb=17 . Use the primitive element “a” and compute the resulting session key Ks. (Ks in the form of at for the smallest t is sufficient as a result)
Design an appropriate RSA System for fig. 1, such that the same private keys in question 3 can be used for sender and receiver. Compute the corresponding open keys.
The message M= is sent. Use the hash function H = ( M mod 100) mod 32 and state all necessary computations for all framed symbols in Fig. 1.
MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

11. PGP Message with Confidentiality & Authentication
Ks: Session Key
PRa: A’s Private key for PK scheme
PUa: A’s Public key for PK scheme
EP : Public Key Encryption RSA
DP : Public Key Decryption RSA
EC: Symmetric Encryption
DC: Symmetric Decryption
H : Hash Function
|| : Concatenation
Z : Compression (not applied)
MD: Message Digest
A: Sender
H(M)=MD
Signed
Message
Z=1
PE(PUb, Ks)
PE(PRa, MD)
B: Emfänger
PE(PUb, Ks)
Message MD is ciphered
using key PRa
PE(PRa, MD) Ks MD
Z-1=1
Fig. 1 MD

12. the probability that a randomly selected element is primitive.
Solution:
1. Prove that N is prime according to Pocklington’s Theorem.
N = R . F + 1 = 2 x = 83 , F = 41 and R = Is 83 a prime?
Proof: gcd ( a (N-1)/ pj –1 , N ) = gcd ( 2 82/ 41 –1 , 83 ) = gcd ( 3 , 83 ) = 1 is true
2. a N-1 = 1 ( mod N )  282 = 1 (mod 83) is true
F > 83 =9, that is > 9,11 is true
As all conditions 1, 2 and 3 are all true  is a prime number.
2. Find a primitive element „a“ in GF(83). Compute the probability, that a randomly chosen element is primitive.
Possible multiplicative orders are the divisors of of φ (83) = 82
that is => 1, 2, 41, 82
Checking if the element 2 is a primitive one:
2 1 ≠ 1 , 2 2 ≠ 1 , =82= -1 ≠ 1  Ord (2) =  2 is a primitive element
the probability that a randomly selected element is primitive.
# of all non-zero elements : – 1 = 82
# of primitive elements: φ ( 82 ) = φ ( ) = (2-1)(41-1) = 40
P( element=primitive ) = ( 40 / 82 ) = 48,78% 12

13. 3. DH key exchange system:
Public directory
User A.
XA = 13
YA =  Xa = = --
User B.
XB = 17
YB =  Xb = mod 83 = --
α = 2 , GF(83)
YA = 2 13 , YB = 2 17
Shared DH key Ks= ZAB= XA XB= 217x13 mod 82 = 257 mod 83 = 34
RSA system for PGP
( Notice: the selected modulo should be larger than 82 which is the maximum key size of KS))
NA = 2 x 47= 94 , φ (NA ) = (2-1)(47-1) = 46
gcd [ DA, φ (NA ) ] = 1 , DA = 13
EA = -7 mod 46 = 39 (see computation below)
EA = mod 46 = - 7= 39 n1 n2 b1 b2 q r 46 13 1 3 7 -3 6 4 -7
NB = 2 x 53 = 106 , φ (NB ) = (2-1)(53-1) = 52
gcd [ DB, φ (NB ) ] = 1 , DB = 17
EB = -3 mod 52 = 49 (see computation below)
EB = mod 52 =- 3 n1 n2 b1 b2 q r 52 17 1 3 -3

14. Ks= ZAB= 257 mod 83 = 34 5. PGP messages H(M) = M mod 100 mod 32
H(M) = mod 100 mod 32 = 21
PRa = 13
PE(PRa, MD) = H DA mod NA = mod 94 = --
PUb = 3
Ks= ZAB= 257 mod 83 = 34
PE(PUb, KS) = KS Eb mod NB = (34)3 mod 102
PRb = 17
PUa = 39

15. How secure is the system according to this procedure?
P4: A key distribution center KDC is shown in fig. 2. A one-time pad system with private keystreams KA-KDC and KB-KDC is used. A random value R1= is chosen as key by the KDC as a secret key for users A and B. User identities for A and B are given in fig. 2.
Calculate the messages M1, M2, M3 in binary format. (the Symbol || is Concatenation)
How secure is the system according to this procedure?
The key lengths used for this method is too long. Suggest an alternative effective ciphering technique instead of the used „One-Time-Pad” and discuss its security level.
MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?

16. Key Distribution Center (KDC) (Secret key)
KA-KDC =
A= 0101
KB-KDC =
B= 0011
KDC generates R1=
M1= KA-KDC(A||B)
M2= KA-KDC( R1 || KB-KDC(A||R1) )
Alice
Computes R1
Bob computes R1 to communicate with Alice
M3= KB-KDC(A||R1)
MH: Unterscheidet sich der Font auf dieser Folie absichtlich von den anderen?
Alice and Bob communicate: using R1 as
session key for shared symmetric encryption
Fig. 2

17. M2= KA-KDC( R1 || KB-KDC(A||R1) ) = 11011101 0101 11011101
1. Messages M1, M2 and M3
KA-KDC =
A= 0101
KB-KDC =
B= 0011
M1= KA-KDC(A||B) =
XOR KA-KDC
M1 = R1 A R1
KDC generates R1=
M2= KA-KDC( R1 || KB-KDC(A||R1) ) =
XOR KB-KDC
XOR KA-KDC
M2 =
A decrypts M2 to extract M3
KB-KDC(A||R1) =
XOR KA-KDC
M3 =
Check by deciphering M3= KB-KDC(A||R1) =
at Bob’s site XOR KB-KDC
M3’ = A R1

18. The system is unconditionally secure if no keys are repeatedly used.
The system is equivalent to the one-time-pad Vernam cipher.
A block cipher like DES or AES can be deployed with fixed key of length
say 128 bits. Keys are distributed once between users and key distribution center (N keys exchanged for N users). The used ciphers are not perfect compared with Vernam cipher and can be theoretically broken as their unicity distance is finite.