Xiangtan University Information Security Course Homework Answer 5

Teacher: Dean Li Chengqing
Compiled by the helpful and kind teaching assistant, Shen Ge.

  1. As discussed in this chapter, a cryptographic hash function must satisfy all of the following properties:
    compression
    efficiency
    one-way
    weak collision resistance
    strong collision resistance
    a. Suppose the hash function has all of the other properties except compression. Please give an application scenario in which a cryptographic hash function should be used, but in which this hash function cannot be used.
    b. The same as a, but assume that the hash function has all of the other properties except efficiency.
    c. The same as a, but assume that the hash function has all of the other properties except the one-way property.
    d. The same as a, but assume that the hash function has all of the other properties except the collision resistance properties.
    Answer:
    a. Digital signing with such a hash function is useless, because you still have to sign a large message.
    b. This will slow down the digital signature computation.
    c. The online bidding example in the book will fail.
    d. Using that hash in a digital signature will fail.
    2. Please justify the following statements about cryptographic hash functions.
    a. Strong collision resistance implies weak collision resistance.
    b. Collision resistance does not necessarily imply the one-way property.
    Answer:
    a. Suppose h is strongly collision resistant but not weakly collision resistant. Then, given x_0 and h(x_0), we can find x_1 such that h(x_0) = h(x_1). But then x_0 and x_1 violate the strong collision resistance assumption.
    b. Suppose g is a hash function that is strongly collision resistant (and therefore weakly collision resistant), and that g produces an n-bit output. Let (a,b) denote the concatenation of a and b, and define the hash function h as:
    h(x) = (1, x) if x has length n
    h(x) = (0, g(x)) otherwise
    Then h is collision resistant, but not one-way.
    3. Suppose a secure cryptographic hash function generates a hash value of n-bit binary length. Please explain how a brute force attack can be successfully implemented and what is the estimated computational cost?
    Answer:
    To attack strong collision resistance, you need to hash 2^(n/2) random inputs to find a collision.
    4. Under the following circumstances, please estimate the number of collisions you expect to find.
    a. Your hash function produces an output value that is 12 bits long and you hash 1024 randomly selected messages.
    b. Your hash function generates an n-bit output value and you hash m randomly selected messages.
    Answer:
    a. If you hash 2^10 messages, there are about 2^20 comparisons. For every 2^12 comparisons you expect to find a collision, so the expected number of collisions is 2^8.
    b. The answer is m^2/2^n.
    5. Assume that h is a secure hash function that generates an n-bit hash value.
    a. Estimate how many hash operations must be performed to find a collision.
    b. Estimate how many hash operations must be performed to find 10 collisions. That is, estimate how many hash operations are needed to find pairs (x_i, z_i) such that h(x_i) = h(z_i), where i = 0,1,2,...,9.
    c. Estimate how many hash operations must be performed to find m collisions.
    Answer:
    a. 2^(n/2) hash operations need to be performed.
    b. Approximately √10 × 2^(n/2) hash operations are required, because this number of hashes results in 10 × 2^n comparisons, and a collision is found for every 2^n comparisons.
    c. We need √10 × 2^(n/2) hash operations. Note that this means it becomes easier to find collisions as the number of hashes computed increases.
    6. A k-way collision is a set of values x_0, x_1, ..., x_(k-1) that all hash to the same value, that is, h(x_0) = h(x_1) = ... = h(x_(k-1)).
    Assume h is a secure hash function that generates an n-bit hash value.
    a. Estimate how many hash operations must be performed to find a k-way collision.
    b. Estimate how many hash operations must be performed to find two k-way collisions.
    c. Estimate how many hash operations must be performed to find m distinct k-way collisions.
    Answer:
    a. About 2^(n(k-1)/k) hash computations before a k-way collision can be found.
    b. About 2^(1/k) ∙ 2^(n(k-1)/k) hash computations before two k-way collisions can be found.
    c. For y hash values, there are about y^k k-way comparisons. Therefore, to find m k-way collisions, one needs to compute m^(1/k) ∙ 2^(n(k-1)) hashes.
    7. Recall the birthday attack on digital signatures discussed in Section 5.4. Suppose we modify the hashing step as follows: given a message M that Alice wants to sign, she first chooses a random value R, then computes the signature S = [h(M, R)]Alice and sends (M, R, S) to Bob. Does this prevent the above attack? Why?
    Answer:
    No. Trudy can simply find R' such that h(I, R) = h(E, R'), where I is the original message and E is Trudy's message. So it is actually easier for Trudy, because she does not have to make up a bunch of equivalent variants of the messages; she just changes the random value.
    8. Consider a cyclic redundancy check (CRC) code calculated with a divisor of 10011. Please find two collisions with 10101011, that is, two other data values that produce the same CRC checksum as 10101011.
    Answer:
    11100111
    11110000
    9. Consider a cyclic redundancy check (CRC) code calculated with a divisor of 10011. Suppose the data has a value of 11010110 and Trudy wants to change it to a value that begins with 111, where she doesn't care about the values of the remaining bits, and she wants the checksum of the result to be the same as the checksum of the original data. Determine how many values Trudy will have available, and which ones.
    Answer:
    2: 11100011 and 11110000
    10. For the outer round of the Tiger hash algorithm shown in Figure 5-2, please fill in the number of binary bits on each line.
    Answer: The arrows on the right (key list) all carry 512 bits. The arrows on the left carry the 192 bits of (a,b,c), while all those in the middle carry 64 bits.
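For question 9 above (the CRC with divisor 10011), the following added example, which is not part of the course material, computes the CRC by polynomial division over GF(2) and enumerates every 8-bit value beginning with 111 that has the same checksum as 11010110. The function names are chosen here for illustration.

```python
def crc_remainder(data_bits: str, divisor_bits: str) -> str:
    """Return the CRC of data_bits: the remainder of data * x^r modulo the
    divisor polynomial over GF(2), where r is the degree of the divisor."""
    r = len(divisor_bits) - 1
    divisor = int(divisor_bits, 2)
    reg = int(data_bits, 2) << r                 # append r zero bits
    for shift in range(len(data_bits) + r - 1, r - 1, -1):
        if (reg >> shift) & 1:                   # leading bit set: XOR in the divisor
            reg ^= divisor << (shift - r)
    return format(reg, f"0{r}b")


def same_crc_values(original: str, prefix: str, divisor_bits: str) -> list:
    """All values as long as `original` that start with `prefix` and have the
    same CRC as `original`; the remaining bits are "don't care"."""
    target = crc_remainder(original, divisor_bits)
    free = len(original) - len(prefix)
    matches = []
    for tail in range(2 ** free):
        tail_bits = format(tail, f"0{free}b") if free else ""
        candidate = prefix + tail_bits
        if crc_remainder(candidate, divisor_bits) == target:
            matches.append(candidate)
    return matches


def differs_by_multiple(a: str, b: str, divisor_bits: str) -> bool:
    """Two values collide exactly when their XOR is a multiple of the divisor
    (this holds because the divisor has a nonzero constant term)."""
    diff = format(int(a, 2) ^ int(b, 2), f"0{len(a)}b")
    return int(crc_remainder(diff, divisor_bits), 2) == 0


if __name__ == "__main__":
    data, divisor = "11010110", "10011"          # values from question 9
    print("CRC of", data, "is", crc_remainder(data, divisor))
    for value in same_crc_values(data, "111", divisor):
        print(value, "collides:", differs_by_multiple(data, value, divisor))
```

Because a CRC is linear, no search is needed in principle: XORing any multiple of the divisor into the data leaves the checksum unchanged, which is why a CRC offers no protection against deliberate modification.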


11. Let h be the Tiger hash function, and let F be the outer round operation of the Tiger hash algorithm shown in Figure 5-2.
a. For M = (B1, B2, B3), where each Bi is 512 bits long, please give an expression similar to formula (5.2).
b. Now suppose M = (B1, B2, ..., Bn), where each Bi is 512 bits long. Please prove that h(M) = F(h(B1, B2, ..., B(n-1)), Bn).
Answer:
a. h(M) = F(F(F(A,B1),B2),B3) = F(F(h(B1),B2),B3) = F(h(B1,B2),B3)
b. In general, proceed by simple induction.
12. On the website of this book, you can find a program that implements the Bobcat hash algorithm designed by the author. This hash algorithm is essentially a scaled-down version of Tiger: the Tiger hash algorithm produces a 192-bit output (three 64-bit words), while the Bobcat hash algorithm produces a 48-bit output (three 16-bit words).
a. Find a collision for the 12-bit version of the Bobcat hash algorithm, where the 12-bit hash is obtained by truncating the 48-bit hash. How many hash operations did you need to find the first 12-bit collision?
b. Please find a collision for the complete 48-bit version of the Bobcat hash algorithm.
13. Alice likes to use the Tiger hash algorithm, which generates a 192-bit hash value. However, for one specific application, Alice only needs a 64-bit hash. Please answer the following questions, assuming that the Tiger hash algorithm is secure.
a. Is it safe for Alice to simply truncate the output of the Tiger hash function, that is, to use only the first 64 bits of the 192-bit output? Please explain why.
b. Is selecting one bit out of every three bits of the output of the Tiger hash function a solution worth considering for Alice? Please explain why.
c. Is it safe for Alice to take the three 64-bit words output by the Tiger hash function and XOR them together to obtain the final output? Please explain why.
Answer:
a. Yes. Every bit position in the Tiger hash algorithm is secure; the algorithm uses 4 S-boxes, each of which maps 8 bits to 64 bits.
b. Worth considering. The Tiger hash algorithm consists of 24 rounds in total, which can be viewed as 3 outer rounds, each consisting of 8 inner rounds.
c. Safe, because the hash algorithm is secure in every bit position.
14. Consider equation (5.3).
a. Please prove that the equality holds if the lengths of K, M, and X are all integer multiples of the block length of the hash function (usually 64 bytes).
b. Does the equation hold for values of K, M and X of other lengths?
c. Please prove that for M, M' and K of any length, formula (5.4) holds as long as h(M) = h(M').
Answer:
a. It is clear from the definition of F that the equality holds if the lengths of K, M, and X are all multiples of the block length.
b. It works whenever (K, M) is a multiple of the block length.
c. To be determined
15. Can a message authentication code (MAC) be used as an HMAC? That is, does a MAC have all of the properties that an HMAC has?
Answer: A MAC provides the same integrity protection as an HMAC, but there are subtle differences between the two. It is easy to generate collisions for a MAC if the key is known, but this is not the case for an HMAC.
16. Suppose you know that the output of an HMAC is X and its key is K, but you do not know the message M. Can you construct a message M' such that, using the same key K, the HMAC value of the message is equal to X? If so, please give an algorithm for constructing such a message. If not, please explain why. Note that we assume that you know the key K, and that the same key K is used for both HMAC calculations (comparing this question with question 43 in Chapter 3 will be instructive).
Answer: No, because hashing is one-way.
17. Please recall the online bidding scheme discussed in Section 5.8.1.
a. In this scheme, which properties of the secure hash function h are used to prevent fraud?
b. Suppose Charlie knows that Alice and Bob will submit bids between $10,000 and $20,000. Please describe a forward search attack that Charlie can use to determine Alice's and Bob's bids from their respective hash values.
c. Does the attack described in b constitute a practical security problem?
d. How should the online bidding process be modified to prevent a forward search attack like the one described in b?
Answer:
a. It must prevent anyone from determining a bid from the related information (the hash), and it must be collision resistant (which prevents anyone from changing their bid).
b. Forward search: hash all reasonable bids, then look for a bid whose hash equals the hash of Alice's or Bob's bid.
c. It can.
d. Alice can choose a random value RA and submit h(A, RA), and similarly for the other bidders. Alice must then submit her bid A and the random padding RA.
18. Recall the spam reduction scheme discussed in Section 5.8.2.
a. In this scheme, which properties of the secure hash function h are used to reduce spam?
b. In Section 5.8.2, we said that "the message M contains the sender and the email address of the intended recipient, but does not contain any other additional address information." Suppose we relax this condition to require only that the message M contains the email address of the intended recipient. Please find an attack against this modified spam reduction system, that is, show that under the modified scheme a spammer can still send spam without doing much additional work.
Answer:
a. Collision resistance, which prevents multiple emails from having the same hash. One-way; otherwise a message could be found for a specified hash.
b. A "message" can contain multiple email addresses, in which case Trudy only needs to find one suitable R to send the message to all of the addresses.
19. Suppose you have a secure block encryption scheme, but no hash function. Also, no keys are available. For simplicity, assume that the key length and block length of this block encryption scheme are both equal to n.
a. How can you use this block encryption scheme as a cryptographic hash function if you only need to hash a single block that is exactly n bits long?
b. How can you use this block encryption scheme as a cryptographic hash function when the message consists of multiple n-bit blocks?
Answer:
a. Define h(B) = E(X, B), where X is some non-secret constant (e.g., 0); the block being hashed is used as the key.
b. If there is more than one block, divide the message into n-bit blocks, where n is the length of the block cipher key, and then iterate the encryption over the blocks.
For example, suppose the message is 3 blocks: B0, B1, B2. Then define h(B0, B1, B2) = E(E(E(X, B0), B1), B2), where X is some non-secret constant. This is secure because determining the "key" is difficult, even if the attacker knows the plaintext and ciphertext. As described in part a, any initial constant can be used. Likewise, CBC "encryption" would work, where the message is used as the key and the plaintext is a constant. In any case, the block cipher must have a block size large enough that a brute force collision attack cannot be performed.
20. Suppose Alice wants to encrypt a message for Bob that consists of three plaintext blocks, P0, P1 and P2. Alice and Bob both have access to a hash function and a shared symmetric key K, but no encryption scheme is available. How can Alice securely encrypt the message so that Bob can decrypt it?
Answer:
Encryption method: C0 = P0 ⊕ K, C1 = P1 ⊕ h(K), C2 = P2 ⊕ h(h(K)).
But this is not robust, because if Trudy knows Pi, she can easily determine Pj for all j ≥ i.
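The scheme in the answer to question 20 and the weakness it notes, as an added example that is not part of the course material. SHA-256 stands in for h, blocks are 32 bytes, and the key and plaintext blocks are constructed sample values; all of these are assumptions made for the illustration.

```python
import hashlib

BLOCK = 32  # bytes per block; equals the SHA-256 output size (assumed h)


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pads(key: bytes, count: int) -> list:
    """The pad sequence K, h(K), h(h(K)), ... used for blocks 0, 1, 2, ..."""
    out, pad = [], key
    for _ in range(count):
        out.append(pad)
        pad = h(pad)
    return out


def encrypt(key: bytes, blocks: list) -> list:
    """C_i = P_i XOR h^i(K). Decryption is the same operation."""
    if len(key) != BLOCK or any(len(b) != BLOCK for b in blocks):
        raise ValueError("key and every block must be exactly BLOCK bytes")
    return [xor(b, pad) for b, pad in zip(blocks, pads(key, len(blocks)))]


decrypt = encrypt  # XOR with the same pads undoes the encryption


def later_blocks_from_known(i: int, known_plain: bytes, cipher: list) -> list:
    """The weakness noted in the answer: knowing P_i reveals the pad h^i(K),
    and hashing it forward yields every later pad, with no key needed.
    For i = 0 the recovered pad is the key K itself."""
    pad = xor(cipher[i], known_plain)
    recovered = []
    for c in cipher[i + 1:]:
        pad = h(pad)
        recovered.append(xor(c, pad))
    return recovered


# Constructed sample data (not from the course material).
KEY = bytes(range(BLOCK))
PLAIN = [
    b"P0: public header".ljust(BLOCK, b"."),
    b"P1: amount 1500".ljust(BLOCK, b"."),
    b"P2: account 42".ljust(BLOCK, b"."),
]

if __name__ == "__main__":
    cipher = encrypt(KEY, PLAIN)
    print(decrypt(KEY, cipher) == PLAIN)
    print(later_blocks_from_known(0, PLAIN[0], cipher))
```

The pad for each block depends only on the previous pad, so a single predictable plaintext block, such as a fixed header, exposes everything after it.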
21. Alice's computer needs access to a symmetric key KA. Please consider the following two methods for generating and storing the key KA.
(i) The key is generated by setting KA = h(Alice's password). The key is not stored on Alice's computer; instead, when KA needs to be used, Alice enters her password and the key is generated in real time.
(ii) The key KA is initially generated at random, then encrypted, and the value E(KA, K) is stored, where K = h(Alice's password). When KA is needed, Alice enters her password, which is hashed to generate K, which is then used to decrypt the key KA.
Please give one significant advantage of scheme (i) over scheme (ii), and one significant advantage of scheme (ii) over scheme (i).
Answer: Method (i) does not require storing anything. Method (i) encrypts the data with a stronger key, making it more difficult to directly attack the ciphertext. Approach (i) may also be advantageous when Alice wants to change the password, since there is no need to decrypt/re-encrypt the data.
22. Suppose Sally (a server) needs access to three symmetric keys: one for Alice, another for Bob, and a third for Charlie. Sally can generate symmetric keys KA, KB and KC and store them in a database. Another option is key diversification, in which Sally first generates and stores a single key KS. Then, when needed, Sally generates the key KA by calculating KA = h(Alice, KS), and the keys KB and KC are generated in a similar way. Point out one clear advantage and one significant disadvantage of key diversification relative to storing the keys in a database.
Answer: The obvious advantage of key diversification is that it requires almost no storage. A possible advantage of a database is that there is no single point of failure. However, if someone can recover the master key, they might be able to recover the database as well. On the other hand, if the database is distributed (as it is in GSM), then it is probably better to use a database. In some cases it may be easier to change a user's key using a database.
23. We call a function T incremental if it satisfies the following property: once T has been applied to M and M then changes, the time required to update the function value is proportional to the amount of change made to M. Suppose we have an incremental hash function H.
a. Please discuss an application scenario in which using the incremental hash function H would be better than using a standard (non-incremental) hash function.
b. Suppose a message M can only be modified by appending bits, that is, the modified message M' can be expressed as M' = (M, x), where x is some value. Then, given a cryptographic hash function h, please define an incremental cryptographic hash function H based on h.
Answer: a. Incremental hashing is preferable when you have a large amount of data that changes only slightly. For example, suppose you hash all the files on your hard drive as a way of detecting errors. Suppose you later want to hash all the files again, but only one file has changed. With non-incremental hashing, recomputing the hash is as expensive as computing the original hash, while with incremental hashing it is only as expensive as computing the hash of the modified file.
b. Assuming the block size is appropriate, let H(M') = F(H(M), x), where F is the "round function" of the hash H.
24. Suppose Bob and Alice want to flip a coin over the network. Alice proposes the following protocol:
(i) Alice randomly chooses a value X ∈ {0,1}.
(ii) Alice generates a random 256-bit symmetric key K.
(iii) Alice uses the AES encryption scheme to compute Y = E(X, R, K), where R consists of 255 randomly selected bits.
(iv) Alice sends Y to Bob.
(v) Bob guesses a value Z ∈ {0,1} and tells Alice.
(vi) Alice gives the key K to Bob, and Bob computes (X, R) = D(Y, K).
(vii) If X = Z, then Bob wins; otherwise, Alice wins.
This protocol is not secure.
a. Please explain how Alice can cheat.
b. Please use a cryptographic hash function h to modify this protocol so that Alice cannot cheat.
Answer: a. Once Alice knows Bob's guess Z, she tries different keys K' until she finds one where the first bit of W = D(Y, K') is not Z. She then sends the "key" K' to Bob.
b. Alice sends h(K) together with Y, so she cannot change the key. That is, the hash of the key commits Alice to K, and since K is random, there is no forward search attack.
25. The MD5 hash algorithm is considered broken because a collision has been found; in fact, with this algorithm it takes only a few seconds on a PC to construct a collision (see Ref. [244]). Find all the bit positions in which the two messages given as hex dumps in the problem differ. Please verify that the MD5 hash results of the two messages are the same.
Answer:
1st:
16 digits lowercase: 7d4746b3c8d09fe3
2nd:
16 digits lowercase: 7d4746b3c8d09fe3
Collision successful.
26. The MD5 collision described in Question 25 is often considered moot, because the two colliding messages look like random bits, that is, they carry no meaningful information. Currently, it is not possible to generate a meaningful collision with this MD5 collision attack. For this reason, it is sometimes said that MD5 collisions are not a serious threat. The purpose of this problem is to convince you that this is not the case. Please download the file MD5_collision.zip from the website of this book. After unzipping the file, you will have two Postscript files: rec2.ps and auth2.ps.
a. Open rec2.ps in a Postscript viewer. What message do you see? Then open auth2.ps in a Postscript viewer. What message do you see?
b. What is the MD5 hash value of the file rec2.ps? What is the MD5 hash value of the file auth2.ps? Why is this a security issue? Please explain how easy it is for Trudy to launch an attack in this particular case, and describe a specific attack. Hint: Consider the case of digital signatures.
c. Modify the files rec2.ps and auth2.ps so that they display something different from what they currently display, but still hash to the same result. What is the resulting hash value?
d. Since it is not possible to generate a meaningful MD5 collision, how can two (meaningful) messages have the same MD5 hash value? Hint: the Postscript contains a conditional statement of the following form:
(X)(Y)eq{T0}{T1}ifelse
where T0 is displayed when the text X and Y are the same, and T1 is displayed otherwise.
Answers:
a. Easy.
b. Both are c321325acff48137d62844e481ab01c5. Suppose I sign the recommendation rec2.ps; Trudy (or anyone else) can then replace the recommendation with the file auth2.ps and the signature verification will still pass.
c. Depends on the selected message, but opening either file with a text editor should give you a good idea of what needs to be done.
d. The basic idea is: assume that A and B form an MD5 collision, that is, h(A) = h(B). Then we create two Postscript files in which the "good" letter is T0 and the "bad" letter is T1. In the first file we set, in the conditional statement, X = B and Y = B, so that T0 (the "OK" message) is displayed. In the second file we let X = A and Y = B, so that the "evil" message is displayed. Because h(A) = h(B), the two files hash to the same value, since the files are identical outside of "(X)(Y)".
27. Suppose you receive an email from someone who claims to be Alice. The email includes a digital certificate with the following content:
M = ("Alice", Alice's public key) and [h(M)]CA
where CA is a certificate authority.
a. How do you verify this signature? Please give as detailed a description as possible.
b. Why would you bother to verify the signature?
c. Suppose you trust the CA that signed the certificate. Then, after verifying the signature, you can assume that only Alice holds the private key corresponding to the public key contained in this certificate. Assuming that Alice's private key has not been compromised or destroyed, why is this assumption valid?
d. If you trust the CA that signed the certificate, then after verifying the signature, what do you know about the identity of the sender of the certificate?
Answer:
a. Verify the CA's digital certificate and set up verification of Alice's mail key. Check the digital certificate carried by the email through the webpage to confirm that the certificate is indeed certified by the CA.
b. If the signature is not verified, the corresponding private key could belong to anyone. For example, Trudy could simply create a public/private key pair, put the public key into a certificate in the name of "Alice", sign that certificate herself, and keep the private key. If a message is then encrypted with that public key, only Trudy can decrypt it, not Alice.
c. The job of the CA is to create the certificate and ensure that the private key belongs to Alice (and not someone else). Only a CA can sign a certificate, so if the CA has done its job and Alice's private key has not been compromised, then only Alice has the private key.
d. Nothing. The certificate is public, so anyone can have it and send it.
28. Recall that we use both a public key system and a hash function when computing a digital signature.
a. Please describe in detail how a digital signature is computed and verified.
b. Assume that the public key system used to compute and verify the signature is insecure, but the hash function is secure. Prove that, in this case, you are able to forge the signature.
c. Assume that the hash function used to compute and verify the signature is insecure, but the public key system is secure. Prove that, in this case, you are able to forge the signature.
Answer:
a. Calculation process: First, generate the electronic document to be signed, then compute a digest of the document with a hash algorithm, and then encrypt the digest asymmetrically with the signing private key; this is the digital signature. After that, the signature, the original text of the electronic document, and the public key of the signing certificate are packaged together to form the signature result, which is sent to the recipient for verification.
Verification process: The receiver first decrypts the digital signature with the sender's public key to obtain the digest, and applies the same hash algorithm to the original electronic document to obtain a new digest. The receiver then compares the two digests; if they are the same, the signature is verified, otherwise it is invalid.
b. The receiver of the message first calculates the hash value from the received original message, and then uses the sender's public key to decrypt the digital signature attached to the message. If the two hash values are the same, the receiver can confirm that the digital signature belongs to the sender. But if the public key system is insecure, there is no way to guarantee that the hash value is authentic, so the signature can be forged.
c. The recipient of the message first calculates the hash value from the received original message, and then uses the sender's public key to decrypt the digital signature attached to the message. But since the hash function is already known, the signature can be forged as long as the hash values before and after decryption are the same.
29. This question is about digital signatures.
a. Please explain in detail how a digital signature is computed and verified.
b. Please prove that a digital signature provides data integrity protection.
c. Please prove that a digital signature provides non-repudiation.
Answer:
a. Simply put, a digital signature is some data attached to a data unit, or a cryptographic transformation of the data unit. This data or transformation allows the recipient of the data unit to confirm the origin and integrity of the data unit, and protects the data against forgery, for example by the recipient. It is a method of signing messages in electronic form so that a signed message can be transmitted over a communication network. Digital signatures can be built on both public key cryptosystems and private key cryptosystems, but are mainly based on public key cryptosystems. They include ordinary digital signatures and special digital signatures. Common digital signature algorithms include RSA, ElGamal, Fiat-Shamir, Guillou-Quisquater, Schnorr, Ong-Schnorr-Shamir, Des/DSA, elliptic curve digital signature algorithms and finite automaton digital signature algorithms. Special digital signatures include blind signatures, proxy signatures, group signatures, undeniable signatures, fair blind signatures, threshold signatures, signatures with message recovery, and so on, which are closely tied to the specific application environment.
b. Suppose Alice sends M and S = [h(M)]Alice. If Bob receives M' ≠ M and S, then h(M') ≠ {S}Alice. Likewise, if Bob receives M and S' ≠ S, then h(M) ≠ {S'}Alice. If both are wrong, then it is almost certain that h(M') ≠ {S'}Alice.
c. The signer encrypts the data with his own private key; because only he has the private key and no one else does, this provides non-repudiation.
30. Suppose Alice wants to sign a message M and send it to Bob.
a. In our standard notation, what operations does Alice need to perform?
b. What information does Alice need to send to Bob? How does Bob verify the signature?
Answer:
a. Alice calculates S = [h(M)]Alice.
b. Alice sends M and S = [h(M)]Alice to Bob. Bob verifies that h(M) = {S}Alice.
31. In the last chapter, we discussed forward search attacks against public key encryption systems. In some applications, forward search attacks can also be used against hash functions.
a. What is a forward search attack against a public key encryption scheme? How can this type of attack be prevented?
b. Please describe a plausible application of a hash function in which a forward search attack is possible.
c. How can we prevent forward search attacks on hash functions?
Answer:
a. Guess possible plaintext messages, and then encrypt each one with the public key. Compare the results with the ciphertext.
b. The online bidding problem.
c. Random padding, the same solution as for public key forward search.
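The answers to questions 17 and 31 rely on the same point: a hash of a value from a small, known range can be recovered by hashing every candidate, and random padding removes that option. The following added example, which is not part of the course material, shows both sides for the $10,000 to $20,000 bid range of question 17. SHA-256 as h, whole-dollar bids, the encoding of (A, RA) and the sample bid are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

LOW, HIGH = 10_000, 20_000  # bid range from question 17, in whole dollars (assumed)


def commit_plain(bid: int) -> str:
    """h(A): the bid hashed with no padding."""
    return hashlib.sha256(str(bid).encode()).hexdigest()


def commit_padded(bid: int, pad: bytes) -> str:
    """h(A, RA): the bid hashed together with a random value RA."""
    return hashlib.sha256(str(bid).encode() + b"|" + pad).hexdigest()


def forward_search(commitment: str, low: int, high: int, guessed_pad=None):
    """Hash every plausible bid and compare with the published hash.
    Returns the matching bid, or None if no candidate matches."""
    for guess in range(low, high + 1):
        if guessed_pad is None:
            candidate = commit_plain(guess)
        else:
            candidate = commit_padded(guess, guessed_pad)
        if candidate == commitment:
            return guess
    return None


def open_commitment(commitment: str, bid: int, pad: bytes) -> bool:
    """Check a revealed (A, RA) pair against the hash published earlier."""
    return hmac.compare_digest(commit_padded(bid, pad), commitment)


if __name__ == "__main__":
    alice_bid = 14_250                       # constructed sample value
    print(forward_search(commit_plain(alice_bid), LOW, HIGH))   # bid is recovered

    ra = secrets.token_bytes(16)             # Alice's random padding RA
    padded = commit_padded(alice_bid, ra)
    print(forward_search(padded, LOW, HIGH))                    # no match
    print(open_commitment(padded, alice_bid, ra))               # valid opening
```

The padding only helps if RA is long and unpredictable; a short or reused RA just enlarges the search space by a small factor.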
32. Suppose we have a block encryption scheme and want to use it to implement a hash function. Let X be some specific constant, and let M be a message consisting of a single block whose length is exactly the key length of our block encryption scheme. Define the hash of message M as y = E(X, M). Note that when we use the block encryption scheme here, the message M is used in place of the key.
a. Assuming that the underlying block encryption scheme is secure, please prove that this hash function satisfies the collision resistance and one-way properties of a cryptographic hash function.
b. Please extend the definition of the hash function so that messages of any length can be hashed. Does the extended hash function satisfy all the properties that a cryptographic hash function must have?
c. Why must a block encryption scheme that is to be used as a cryptographic hash function be able to resist a "chosen key" attack? Hint: If it cannot, then for a given plaintext message P, we can find two keys K0 and K1 such that E(P, K0) = E(P, K1). Prove that such a block encryption scheme is insecure when used as a hash function.
Answer:
a. If the underlying block encryption scheme is secure, then this hash function should satisfy the fundamental properties of a secure cipher, and so it will have the basic properties of the encryption function, that is, collision resistance and the one-way property.
b. The extended hash function satisfies all the properties of a cryptographic hash function.
c. With such a block encryption scheme underlying the hash function, others will be able to attack us by constructing collisions.
33. Please consider a "2 out of 3" type secret sharing scheme.
a. Suppose Alice's share is (4,10/3), Bob's share is (6,2), and Charlie's share is (5,8/3). What is the shared secret S? What is the equation of the line?
b. Assume that the arithmetic is modulo 13, that is, the equation of the line has the form ax+by=c (mod 13). If Alice's share is (2,2), Bob's share is (4,9), and Charlie's share is (6,3), then what is the shared secret S? What is the equation of the line (in modulo 13 form)?
Answer:
a. The shared secret S is 6, and the equation of the line is 2x+3y=18.
b. The shared secret S is 8, and the equation of the corresponding line (in modulo 13 form) is 5x+6y=9 mod 13.
34: Please recall the definition we gave earlier: if the most effective known attack on an encryption scheme is an exhaustive key search, then the encryption scheme can be considered secure. If an encryption scheme is secure and its key space is large, then the most efficient known attack on it will be computationally infeasible, which is the ideal situation for a practical encryption scheme. However, there is always the possibility that a new and clever attack emerges that turns a previously secure encryption scheme into an insecure one. In contrast, Shamir's polynomial-based secret sharing system is secure in the sense of information theory, which means that there is no possibility of shortcut attacks. In other words, the secret sharing mechanism can ensure that it is always safe.
a. Suppose we have a "2 out of 2" type secret sharing scheme, in which Alice and Bob share a secret S. Why can't Alice determine anything about the shared secret from her own share?
b. Suppose we have an "m out of n" type secret sharing scheme. Explain why any set of m-1 participants cannot determine anything about the shared secret S.
Answer:
a. Two points are required to determine the line. Given just one point, any possible S will produce a valid line through Alice's point, and there is no additional information to decide whether the assumed S is correct.
b. Requires m points to determine the expression for the line. Given only the values of m-1 points, any possible S will produce a valid line passing through these m-1 points, and there is no additional information to decide whether the assumed S is correct.
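The computations behind the answers to problems 33 and 34, as an added example that is not part of the original homework answers: it recovers S from two shares, checks the third share against the line, and lists every value of S that remains consistent with a single share modulo 13. The function names are chosen for this illustration; the secret is taken to be the y-value of the line at x = 0, which is what the answers above use.

```python
from fractions import Fraction


def line_through(p, q, mod=None):
    """Return (slope, intercept) of y = slope*x + intercept through p and q.
    mod=None uses exact rational arithmetic; otherwise arithmetic mod a prime."""
    (x0, y0), (x1, y1) = p, q
    if mod is None:
        slope = Fraction(y1 - y0) / Fraction(x1 - x0)
        return slope, y0 - slope * x0
    inv = pow((x1 - x0) % mod, -1, mod)      # modular inverse (Python 3.8+)
    slope = ((y1 - y0) * inv) % mod
    return slope, (y0 - slope * x0) % mod


def on_line(point, slope, intercept, mod=None):
    """True if the share lies on the line."""
    x, y = point
    rhs = slope * x + intercept
    return y == rhs if mod is None else (y - rhs) % mod == 0


def recover_secret(shares, mod=None):
    """Fit the line to the first two shares, reject any share that is not
    on it, and return the secret S (the value of y at x = 0)."""
    slope, intercept = line_through(shares[0], shares[1], mod)
    if not all(on_line(s, slope, intercept, mod) for s in shares[2:]):
        raise ValueError("shares do not lie on one line")
    return intercept


def secrets_consistent_with(share, mod):
    """For one known share, map every candidate S to the slope of the line
    through (0, S) and that share. Assumes the share's x is nonzero mod p."""
    return {s: line_through((0, s), share, mod)[0] for s in range(mod)}


# Shares from problem 33, parts a and b.
RATIONAL_SHARES = [(4, Fraction(10, 3)), (6, 2), (5, Fraction(8, 3))]
MOD13_SHARES = [(2, 2), (4, 9), (6, 3)]

if __name__ == "__main__":
    print("33a: S =", recover_secret(RATIONAL_SHARES))
    print("33b: S =", recover_secret(MOD13_SHARES, 13))
    candidates = secrets_consistent_with(MOD13_SHARES[0], 13)
    print("34a: values of S consistent with Alice's share alone:",
          sorted(candidates))
```
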
35: Please download the file visual.zip from the book's website and unzip the downloaded file.
a. Please use your favorite browser to open the file visual.html, and carefully overlap the two copies. May I ask what image you can see?
b. Please use the program on a different image file to create the shared parts. Note that the selected image must be in gif file format. Please provide separate screen shot images showing the original image, the shared parts, and the result of overlaying the shared parts in turn.
Answer:
a. After overlapping the two copies, you can see Alice's image.
b. Created the various parts by modifying the html file. Since we did not find the visual.zip file on the official website, our team considered completing the content of this assignment by seeking help from other resources on the Internet.
36: Please recall the definition we gave earlier: if the most effective known attack on an encryption scheme is an exhaustive key search, then the encryption scheme can be considered secure. If an encryption scheme is secure and its key space is large, then the most efficient known attack on it will be computationally infeasible, which is the ideal situation for a practical encryption scheme. However, there is always the possibility that a new and clever attack emerges that turns a previously secure encryption scheme into an insecure one. In contrast, Naor and Shamir's visual secret sharing system is secure in the sense of information theory, which means that there is no possibility of shortcut attacks; that is, the secret sharing system is guaranteed to always be safe (according to our definition of security).
a. Consider the "2 out of 2" type visual secret sharing scheme discussed in this chapter. Why is Alice unable to determine anything about the shared secret from her own share?
b. How can a more generalized "m out of n" type visual secret sharing scheme be efficient?
c. For an "m out of n" type visual secret sharing scheme, when the value of m is large and the value of n is small, what is the contrast of the image recovered by the scheme? When the value of n is large and the value of m is small, what is the contrast of the obtained image? What happens when the values of m and n are both large?
Answer:
a. Suppose you know a share, and consider any given pixel that is shared. You have no information about whether the original pixel was black or white, since both are
b. Three out of three schemes are described in the paper "(3,3)-Vision Encryption Sharing Scheme for Hiding Three Secret Data" by Tsai and Wang.
c. At least for the 3/3 formats mentioned in the solution of part b, the resolution of the recovered image has a certain drop.
37: Suppose you have a text file, and you plan to distribute it to several different people. Please describe an easy non-digital watermarking method that you can use to place distinct, invisible digital watermarks in each version of the document. Note that "invisible" in this context does not mean that the digital watermark is truly invisible, but rather that the digital watermark is not obvious to the reader of the document.
Solution: change the line spacing, change the line break, change the perforation, etc. The difference is that each line is rewritten in a slightly different way.
38. Suppose you take a course that uses the printed version of a manuscript written by the instructor as its textbook. For simplicity, the teacher inserts a simple invisible watermark in each copy of the manuscript. The teacher wants to ensure that, given any one copy of the manuscript, he can easily determine who originally received that copy. The teacher posed the following problems to the class and hopes everyone can give corresponding solutions:
(i) Determine the watermark scheme used.
(ii) Please try to make the watermark invisible.
Please note that here, "invisible" does not mean that the watermark is really invisible to the eye, but that it is not easy for readers of the textbook to see or read the watermark.
a. Please discuss: what are several methods that the teacher could use to watermark the handout manuscripts?
b. How do you plan to solve problem (i)?
c. Assuming you have solved problem (i), how do you plan to solve problem (ii)?
d. If you cannot solve problem (i), what kind of method can you use to solve problem (ii) while problem (i) remains unsolved?
Answer:
a. The teacher may have rewritten specific sentences, or varied the line breaks. In fact, what can be varied is the spacing between lines (or words), fonts, punctuation, etc. The scheme the author uses is to create two slightly different versions of the first page of each chapter (e.g., using italics or an italic font for quotes, or slightly altering the punctuation on the page, etc.). With 13 chapters, this gives the author the ability to create 2^13 different watermarks. Because the author chose the watermarks for the 60 manuscripts to differ in as many bit positions as possible, this is in effect an error-correcting code: below a certain threshold, if a mark is corrupted, it is still possible to assign it to the correct student. There was only one pair of (excellent) students at work who solved the problem together and they needed a couple of hints. It would be interesting if such a scheme could be applied to actual textbooks. Compared with manuscripts, this scheme would be much stronger for books, since the attacks mentioned below would be more difficult. Of course, this is difficult to apply to hard copy editions of books, but not to e-books. Note that if there is a watermark on the textbook, the author can determine who is responsible for the illegal PDF versions of the book that are inevitably available through BitTorrent. . . .
b. The best way is a collusion attack, that is, carefully comparing several copies of the manuscript and looking for differences.
c. Because it is known how the scheme works, it is straightforward to swap the pages containing key watermark information between different copies of the manuscript.
d. Exchange pages randomly between manuscripts.
39. At the beginning of this chapter we quoted part of a poem by Lewis Carroll. Although no title is given for the second quotation, it is generally cited by its opening line, "A boat beneath a sunny sky".
a. Please give the full text of the poem.
b. The poem contains a hidden message. What is it?
Answer: a. The boat in July
is full of sunlight
and drifts off to dreamland

Tired and sleepless child
eyes jumped out of bed,
ears pushed open the window

Listen to the old things in the sunny day,
the love that never looks back,
look at the autumn frost on Xia Zhuang’s face

She still lingers in dreams,
passing through the light,
just a shadow not holding hands

Curious children,
uncontrollable hearts,
unconsciously sleeping peacefully

They lie in the fairyland,
sucking the sun and the moon,
reminiscing about the goodbye kiss in midsummer

This endless pursuit
is covered with golden light,
is life just a dream

Translation 3
The setting sun shines on the small rowing boat,
drifting slowly, slowly playing,
half a day late in July

The three children are leaning on the pillow,
their eyes are willing to
listen to their ears, and they want to listen to stories.

That year, the evening glow had already dissipated,
the sound was blurred and the shadows were chaotic,
the autumn wind came and the scene changed

But on another day
Alice, the little boy,
always seems to be in my heart

There are also children who also think that
if their eyes are willing to have itchy ears,
they should squeeze to listen to others

Happy in dreams, sad in dreams,
years flow in dreams

Follow along the flowing water, fall in love with
the setting sun and watch the sunset,
life is like a dream is not bad
b. The first letter of each line spells the full name of the real Alice.
40. This question examines the RGB color system.
Please show that the two RGB colors (0x7E, 0x52, 0x90) and (0x7E, 0x52, 0x10) differ in only one binary bit, but the visual effect is completely different. The other two colors, (0xAB, 0x32, 0xF1) and (0xAB, 0x33, 0xF1), also differ in only one binary bit, but are difficult to distinguish with the naked eye. Please explain why this is so.
Considering the positions of the binary bits, which positions have the least influence? In other words, at which positions can the binary value be changed without producing a perceivable change in color?
Answer:
a:

Although the first two colors differ in only one binary bit, they look very different.

The second two colors also differ in only one binary bit, but the difference in visual effect is very small. The main reason is whether the differing bit is a high-order or a low-order bit. A difference in a high-order bit, as between 0x90 and 0x10, causes a large difference in absolute value, so the amount of one color component deviates greatly. A difference in a low-order bit, as between 0x32 and 0x33, changes the absolute value by only 1, so the color difference is small.
b: From the perspective of binary arrangement, the low bit of each color channel, that is, the last bit, has the least influence on the color and can be changed without any perceivable change.
41. Please download the image file alice.bmp from the website of this book, and consider the following questions.
a. Please use a hex editor to hide some potential attack information in the file.
b. Please provide a hex editor report showing which binary bits in the image file were changed and at which locations, and also show the corresponding unchanged binary bits.
c. Please give a screenshot of the original bmp image file, and a screenshot of the bmp image file containing the hidden information.
Answer: Original bmp image:

Images containing hidden information:

The information to be written into the image is a txt file, as shown in the figure:

The hexadecimal view is:

Split the file into 6, b, 6, f, 7, 4... and write it into the lowest bit of the color value of each RGB channel in the image part of the bitmap file, as shown in the figure:

Through this method, the 1.txt file is steganographically written into alice1.bmp, and the difference from the original image cannot be detected by the naked eye.
42. Please download the file stego.zip from the book's website and consider the following questions:
a. Please use the program stegoRead to extract the hidden files contained in the image file aliceStego.bmp.
b. Using the program, insert a file into a different (uncompressed) image file and try to extract the information from it again.
c. Please give a screenshot of the image files obtained in b, including files with hidden information and files without hidden information.
Answer: a. The hidden file is a pdf file, and the decryption process is as shown in the figure:

The pdf image part is empty, but there is a table of contents, as shown in the picture:

b. Create a file that needs steganography, as shown in the figure:
write:

Re-read:

The read result is:

c. Pictures that do not contain steganographic information are:

The images containing steganographic information are:

43. Please download the file stego.zip from the website of this book, and consider the following questions:
a. Please write a program stegoDestroy.c whose function is to destroy any information hidden in the file, assuming that the information hiding method is the one used in the program stego.c. The program you write should take a bmp file as input and generate a bmp file as output. Visually, the output file of the program must be basically the same as the input file.
b. Please use the image file aliceStego.bmp to test your program. Verify that the output image file is not corrupted. What information does the program stegoRead.c extract from your output file?
Answer: a. The low-order RGB data can be randomized (or zeroed). Alternatively, the data can be replaced with other selected information.
If this data is randomized, it will be useless.
44. Please download the file stego.zip from the website of this book, and consider the following questions:
a. How does the program stego.c hide information in the image file?
b. Suppose information is hidden using the method in the program stego.c. How can you destroy the information hidden in an image file without visually damaging the image?
c. How can this information hiding technique be made more resistant to this kind of destruction attack?
Answer: a. Put the information in the low-order RGB data.
b. Randomize the bits, make the bits zero, use other message substitutions, etc.
c. Use high-order RGB to store images.
45. Please download the file stego.zip from the website of this book, and consider the following questions:
a. Why is this method of information hiding only available for uncompressed image files?
b. Please explain what kind of modification would make this method usable for compressed image formats, such as jpg image files.
Answer: a. If the image is compressed, a new encoding scheme will be generated, so it will be more difficult to modify the data.
b. The modification should follow the coding scheme of the compressed image, which will complicate the process.
46. Please write a program that hides information in an audio file and can extract the hidden information.
a. Please describe your information hiding method in detail.
b. Please compare an audio file without hidden information with the same file, but with hidden information. Can you tell the difference in sound quality between the two?
c. Please discuss, what are the possible attack methods for your information hiding system?
Answer: a. Audio files in WAV format are stored as 8 or 16-bit values in Windows. For 8-bit samples, this means that the range of values is between 0 and 255. 16-bit samples range in value between 0 and 65535. When S-Tools hides information in a WAV format audio file, it first encrypts the information with a password, then decides where to embed it according to the password, and uses the LSB (least significant bit) method to replace the least significant bits of the carrier audio file with the secret information.
For example, suppose an audio file has the following 8 bytes of information:
132 134 137 141 121 101 74 38
The binary representation is:
10000100 10000110 10001001 10001101 01111001 01100101 01001010 00100110
Simply replace the LSB (least significant bit) of each byte of the audio file to hide the information. The above sequence is then changed to:
133 135 136 141 120 101 74 39
The binary representation is:
10000101 10000111 10001000 10001101 01111000 01100101 01001010 00100111
In this way, the secret information is hidden in the carrier audio file, and the audio file is almost indistinguishable from the original file in terms of auditory effect.
b. Under normal circumstances, we cannot feel the difference between the two audios.
c. Random data can be randomly inserted into the audio data.
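The LSB replacement worked through in answer 46a, together with the sanitizing step from answers 43 and 44 (randomize or zero the low-order bits), as an added example that is not part of the original homework answers and is not the code of stego.c or S-Tools. It assumes plain LSB replacement with payload bits written most significant bit first and no password-based placement; the same routines apply to the RGB bytes of an uncompressed image.

```python
import secrets

# The 8 carrier bytes from the worked example in answer 46a.
CARRIER = [132, 134, 137, 141, 121, 101, 74, 38]


def embed(samples, payload: bytes):
    """Write the payload bits, MSB first, into the LSB of successive samples."""
    bits = [(byte >> (7 - i)) & 1 for byte in payload for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too short for payload")
    out = list(samples)
    for i, bit in enumerate(bits):
        out[i] = (out[i] & ~1) | bit
    return out


def extract(samples, nbytes: int) -> bytes:
    """Rebuild nbytes of payload from the LSBs of the first 8*nbytes samples."""
    out = bytearray()
    for b in range(nbytes):
        value = 0
        for s in samples[8 * b: 8 * b + 8]:
            value = (value << 1) | (s & 1)
        out.append(value)
    return bytes(out)


def destroy(samples, rng=secrets.randbits):
    """Overwrite every LSB with a fresh bit (random by default; pass
    rng=lambda n: 0 to zero the bits instead)."""
    return [(s & ~1) | rng(1) for s in samples]


def max_distortion(a, b):
    """Largest change to any single sample, a proxy for audible/visible damage."""
    return max(abs(x - y) for x, y in zip(a, b))


if __name__ == "__main__":
    stego = embed(CARRIER, b"\xd5")          # 0xD5 = 11010101
    print("stego samples:", stego)
    print("extracted:    ", extract(stego, 1).hex())

    # Constructed 256-sample carrier, large enough for a 32-byte payload.
    carrier = [(i * 37 + 11) % 256 for i in range(256)]
    secret = b"constructed 32-byte test payload"
    marked = embed(carrier, secret)
    cleaned = destroy(marked)
    print("payload survives cleaning:", extract(cleaned, 32) == secret)
    print("max change per sample:    ", max_distortion(marked, cleaned))
```
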
47. Please write a program to hide information in a video file and be able to extract the information you have hidden.
a. Please describe your method of information hiding in detail.
b. Please compare a video file without hidden information with the same file but with hidden information. Can you discern the difference in visual quality between the two?
c. Discuss, what are the possible attacks on your information hiding system?
Answer: a. Physimography is a new information camouflage technology developed from visual cryptography. The idea of visual cryptography is to hide the confidential information in two or more subkey pictures through an algorithm. These pictures can be stored on disk or printed onto transparencies. There are randomly distributed black and white dots on each picture. Because the dots are randomly distributed, a person holding a single picture cannot extract any useful information from it, no matter what method is used. If all the pictures are superimposed, the original confidential information can be recovered. Because the method is simple and effective, and recovery needs only the human visual system without a lot of calculation or cryptographic knowledge, it is widely used. Each image generated by this technology need not be a random noise image; it can be an image that ordinary people can understand, carrying different texts or pictures that look no different from general materials. As long as a certain number of images are superimposed, the original content on each image disappears and the hidden secret content appears. A single image, whether stolen or leaked, will not bring catastrophic damage to the security of the information. Due to the "readability" of each image, it achieves a better camouflage effect and can easily escape the cracking of interceptors and attackers. Moreover, under certain conditions, it can be proved theoretically that the technology is undecipherable, enabling optimal security.
b. You shouldn't notice any difference, exactly.
c. Scanning, monitoring, sniffing.
48. This question concerns the use of random numbers in encryption technology.
a. Where are random numbers used in symmetric key encryption technology?
b. Where are random numbers used in the RSA algorithm and the Diffie-Hellman key exchange system?
Answer: a. Symmetric keys and IVs.
b. Random selection of prime numbers (RSA) and generation of random exponents (DH).
49. According to our discussion in the text, random numbers used in cryptography must be unpredictable.
a. For encryption applications, why are statistical random numbers (the type of random number often used in the simulation field) not enough?
b. Suppose that, for a key stream generated by a stream cipher algorithm, all subsequent key stream bits can be determined once n bits of the key stream are given. In this sense, we say that the keystream is predictable. Is there an actual security problem in this situation? Please explain why.
Answer:
a. Given a sequence of these numbers, the remaining numbers in the sequence can be bounded. If such a sequence is used as the keystream, a known-plaintext attack could be devastating.
b. Yes, because the attacker might know some plaintext, in which case they would know the keystream bits.


Origin blog.csdn.net/xuanyulevel6/article/details/126086288