CIS-4930: Midterm 1. FSU (Spring 2005).

B. de Medeiros, instructor

Name: Breno pp. 1

1. (45pts) Answer TRUE or FALSE to each of the questions below?

Example: In order to communicate securely using symmetric encryption, two parties

must share a common key using a public channel. FALSE (In the example the reason
is underlined.)

A cipher is an invertible function. TRUE ****

The Caesars cipher is a poly-alphabetic substitution cipher. FALSE ***

A block cipher is a stateless function, while a stream cipher is a finite-state machine.

TRUE ****

Character frequency analysis is an example of a ciphertext-only attack. TRUE ****

A simple substitution cipher can be broken using exhaustive key search in very short
time. FALSE ****

The CFB mode of operation can use the block cipher encryption function both to encrypt
and decrypt messages. TRUE ****

The Counter mode of operation is more efficiently parallelizable than other encryption
modes. TRUE ****

The ECB mode of operation is not recommended for the transmission of long messages.
TRUE ****

The OFB mode of operation is self-synchronizing, recovering automatically from trans-

mission losses. FALSE ****

In CBC mode, the initialization vector IV is sent as the first block of the cipher-text.
TRUE ****

One-time pad encryption with a randomly generated keystream is secure even if the
adversary has infinite computational power. TRUE ****

Certain block cipher encryption modes can be used to implement stream ciphers. TRUE ****

The DES S-Box implements a permutation. FALSE ***

The OFB mode of operation has no error propagation: If a ciphertext bit is transmitted
incorrectly only the same bit of the plaintext is decrypted incorrectly. TRUE ****.

If the random pad is very long, then it can be used multiple times without risk that the
adversary will decrypt messages. FALSE ***

1
 CIS-4930: Midterm 1. FSU (Spring 2005).
B. de Medeiros, instructor

Name: Breno pp. 2

2. (30 pts) Underline the word that makes the sentence true.

Example: The { Vigenere, Hill } cipher can be broken via linear cryptanalysis (solving
linear equations relating the plaintext to the ciphertext).
The keyword length of a Vigenere cipher may be found using { the Kasiski method, the
index of coincidence method (IC), either using Kasiski or IC methods}.
{ Diffusion, Confusion } is a property of block ciphers that can be describe as follows:
Each bit of the cipher-text is a function of all bits of the plain-text.
The effective length of the DES key is { 56, 64 } bits.
The { Hill, Playfair } cipher uses a 55 square to encrypt two characters of the plaintext
at a time.
The enigma machine implements a { poly-alphabetic substitution, Vigen`ere } cipher.
The { CBC, CFB } mode of encryption uses the block cipher function to generate a
keystream that is XORed with the plaintext.

3. (40 pts) Define the following concepts precisely and completely.

Example: Confusion: is a property of block ciphers, meaning that the computed cipher-
text is not statistically related to the key in a simple way.
Chosen plaintext attack: The adversary chooses some plaintexts and obtains the
corresponding ciphertexts, hoping that the information will help him recover either the
key or the decryption of a target ciphertext.

Brute-force attack: The adversary tries to decrypt ciphertext with all available keys,
until the plaintext is recognized (either by its statistical properties or because the at-
tacker has plaintext-ciphertext pairs).

Security through obscurity: When a system is designed to make analysis difficult,

so that vulnerabilities in the system may remain undetected.

Differential of two equal-length bit strings: another bit string of the same length.
The bits of the differential with value 1 correspond to positions where the argument bit
strings have opposite values.

Error propagation rate: Given that one bit of ciphertext is transmitted incorrect,
the error propagation rate is given by how many bits of plaintext are corrupted after
decryption.

2
 CIS-4930: Midterm 1. FSU (Spring 2005).
B. de Medeiros, instructor

Name: Breno pp. 3

4. (10 pts) Recognize the following modes of encryption for block ciphers based on their mathe-
matical expressions. (Encryption mode diagrams are available at the last page of the exam.)
Notation: Pi is the i-th block of plaintext, Ci of ciphertext, Ek () is the block cipher encryption
function, and denotes the XOR function

Example: Ci = Ek (Ci1 Pi ). Answer: CBC mode.

Ci = Ek (Pi ). Answer: ECB mode.

Ci = Ek (i) Pi . Answer Counter mode.

5. (15pts) Answer the following questions about block ciphers:

(5pts) There are two modes of encryption that allow random access to the ciphertext blocks.
That is, if the attacker has the information (i, Ci ) it can find the plaintext Pi with-
out having any other ciphertext blocks. One of these modes is ECB. The other is?
Counter mode.

(10 pts) Why the PKCS5 padding scheme pads a message with a block entirely of zeroes if
the message has length an exact multiple of the block size? Because the receiver would
not know if the received message had been padded or not, and therefore could interpret
the last bit of plaintext as padding.

3
 CIS-4930: Midterm 1. FSU (Spring 2005).
B. de Medeiros, instructor

Name: Breno pp. 4

6. (20pts) Since DES has too short keys (56-bits), Alice decides to use a quick scheme to combine
DES with XOR to achieve 120-bit encryption. She picks a 56-bit key K1 for regular DES and
a 64-bit key K2 . To encrypt a block b, she first encrypts it using DES, then XORs the result
with the second key. Mathematically, Alices encryption scheme is:

Alice-Encrypt(K1 , K2 , b) = DES(K1 , b) K2 .

Show that Bob can exhaustively search for the key K1 without having to worry about the
value of K2 , and therefore the scheme is not much secure than basic DES, as far as exhaustive
key search goes.
Hint. Assume that Bob has two plaintext-ciphertext blocks:

b1 , Alice-Encrypt(K1 , K2 , b1 ) = DES(K1 , b1 ) K2 , and

b2 , Alice-Encrypt(K1 , K2 , b2 ) = DES(K1 , b2 ) K2 , and

Show that Bob can craft a value that depends only on b1 , b2 , and K1 , but not K2 .
Bob can compute Alice-Encrypt(K1 , K2 , b1 ) Alice-Encrypt(K1 , K2 , b2 ) = DES(K1 , b1 )
DES(K1 , b2 ). The last value depends only on K1 , so can be exhaustively searched using ap-
proximately 255 tries, as in regular DES. Once the value of K1 is known, DES(K1 , b1 ) can
be computed and K2 recovered as K2 = Alice-Encrypt(K1 , K2 , b1 ) DES(K1 , b1 ).