SOLUTIONS MANUAL

LD0RD0 = RE16LE16 = IP(C) = 1111...111 (64 bits) .... For encryption, the input
to the final IP?1 is RE16 || LE16. ... TD1(R16 || L16) = R16 || L16 ? f(R16, K16).

Part of the document

Solutions Manual
CRYPTOGRAPHY AND NETWORK SECURITY
Principles and Practice
Fourth Edition William Stallings Copyright 2006: William Stallings
© 2006 by William Stallings All rights reserved. No part of this document may be reproduced, in any
form or by any means, or posted on the Internet, without permission in
writing from the author.
Notice This manual contains solutions to all of the review questions and
homework problems in Cryptography and Network Security, Fourth
Edition. If you spot an error in a solution or in the wording of a
problem, I would greatly appreciate it if you would forward the
information via email to ws@shore.net. An errata sheet for this
manual, if needed, is available at
ftp://shell.shore.net/members/w/s/ws/S.
W.S. TABLE OF CONTENTS
Chapter 1: Introduction 5
Chapter 2: Classical Encryption Techniques 7
Chapter 3: Block Ciphers and the Date Encryption Standard 13
Chapter 4: Finite Fields 21
Chapter 5: Advanced Encryption Standard 28
Chapter 6: More on Symmetric Ciphers 33
Chapter 7: Confidentiality Using Symmetric Encryption 38
Chapter 8: Introduction to Number Theory 42
Chapter 9: Public-Key Cryptography and RSA 46
Chapter 10: Key Management; Other Public-Key Cryptosystems 55
Chapter 11: Message Authentication and Hash Functions 59
Chapter 12: Hash and MAC Algorithms 62
Chapter 13: Digital Signatures and Authentication Protocols 66
Chapter 14: Authentication Applications 71
Chapter 15: Electronic Mail Security 73
Chapter 16: IP Security 76
Chapter 17: Web Security 80
Chapter 18: Intruders 83
Chapter 19: Malicious Software 87
Chapter 20: Firewalls 89
Chapter 1
Introduction
Answers to Questions
1.1 THE OSI SECURITY ARCHITECTURE IS A FRAMEWORK THAT PROVIDES A
SYSTEMATIC WAY OF DEFINING THE REQUIREMENTS FOR SECURITY AND
CHARACTERIZING THE APPROACHES TO SATISFYING THOSE REQUIREMENTS. THE
DOCUMENT DEFINES SECURITY ATTACKS, MECHANISMS, AND SERVICES, AND THE
RELATIONSHIPS AMONG THESE CATEGORIES. 1.2 Passive attacks have to do with eavesdropping on, or monitoring,
transmissions. Electronic mail, file transfers, and client/server
exchanges are examples of transmissions that can be monitored. Active
attacks include the modification of transmitted data and attempts to
gain unauthorized access to computer systems. 1.3 Passive attacks: release of message contents and traffic analysis.
Active attacks: masquerade, replay, modification of messages, and
denial of service. 1.4 Authentication: The assurance that the communicating entity is the
one that it claims to be.
Access control: The prevention of unauthorized use of a resource
(i.e., this service controls who can have access to a resource, under
what conditions access can occur, and what those accessing the resource
are allowed to do).
Data confidentiality: The protection of data from unauthorized
disclosure.
Data integrity: The assurance that data received are exactly as sent
by an authorized entity (i.e., contain no modification, insertion,
deletion, or replay).
Nonrepudiation: Provides protection against denial by one of the
entities involved in a communication of having participated in all or
part of the communication.
Availability service: The property of a system or a system resource
being accessible and usable upon demand by an authorized system entity,
according to performance specifications for the system (i.e., a system
is available if it provides services according to the system design
whenever users request them). 1.5 See Table 1.3. Answers to Problems
|1.1 |Release |Traffic |Masquerade |Replay |Modificatio|Denial |
| |of |analysis| | |n of |of |
| |message | | | |messages |service|
| |contents| | | | | |
|Peer entity | | |Y | | | |
|authentication | | | | | | |
|Enci|Y | | | |
|pher| | | | |
|ment| | | | |
|S |T |B |C |D |
|F |H |I/J |K |M |
|N |O |P |Q |U |
|V |W |X |Y |Z | b.
|O |C |U |R |E |
|N |A |B |D |F |
|G |H |I/J |K |L |
|M |P |Q |S |T |
|V |W |X |Y |Z |
2.11 a. UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZ
b. UZTBDLGZPNNWLGTGTUEROVLDBDUHFPERHWQSRZ
c. A cyclic rotation of rows and/or columns leads to equivalent
substitutions. In this case, the matrix for part a of this problem
is obtained from the matrix of Problem 2.10a, by rotating the
columns by one step and the rows by three steps. 2.12 a. 25! ( 284
b. Given any 5x5 configuration, any of the four row rotations is
equivalent, for a total of five equivalent configurations. For each
of these five configurations, any of the four column rotations is
equivalent. So each configuration in fact represents 25 equivalent
configurations. Thus, the total number of unique keys is 25!/25 =
24! 2.13 A mixed Caesar cipher. The amount of shift is determined by the
keyword, which determines the placement of letters in the matrix. 2.14 a. Difficulties are things that show what men are.
b. Irrationally held truths may be more harmful than reasoned
errors. 2.15 a. We need an even number of letters, so append a "q" to the end
of the message. Then convert the letters into the corresponding
alphabetic positions: |M |e |e |t |m |
|0 |0 |0 |1 |1 |
|0 |1 |1 |0 |0 |
|1 |0 |1 |0 |0 |
|1 |1 |0 |1 |1 | We also need the equality A ? B = A' ? B', which is easily seen
to be true. Now, consider the two XOR operations in Figure 3.8. If
the plaintext and key for an encryption are complemented, then the
inputs to the first XOR are also complemented. The output, then, is
the same as for the uncomplemented inputs. Further down, we see that
only one of the two inputs to the second XOR is complemented,
therefore, the output is the complement of the output that would be
generated by uncomplemented inputs.
b. In a chosen plaintext attack, if for chosen plaintext X, the
analyst can obtain Y1 = E[K, X] and Y2 = E[K, X'], then an
exhaustive key search requires only 255 rather than 256 encryptions.
To see this, note that (Y2)' = E[K', X]. Now, pick a test value of
the key T and perform E[T, X]. If the result is Y1, then we know
that T is the correct key. If the result is (Y2)', then we know that
T' is the correct key. If neither result appears, then we have
eliminated two possible keys with one encryption. 3.14 The result can be demonstrated by tracing through the way in which
the bits are used. An easy, but not necessary, way to see this is to
number the 64 bits of the key as follows (read each vertical column of 2
digits as a number): 2113355-1025554-0214434-1123334-0012343-2021453-0202435-0110454-
1031975-1176107-2423401-7632789-7452553-0858846-6836043-9495226- The first bit of the key is identified as 21, the second as 10, the
third as 13, and so on. The eight bits that are not used in the
calculation are unnumbered. The numbers 01 through 28 and 30 through 57
are used. The reason for this assignment is to clarify the way in which
the subkeys are chosen. With this assignment, the subkey for the first
iteration contains 48 bits, 01 through 24 and 30 through 53, in their
natural numerical order. It is easy at this point to see that the first
24 bits of each subkey will always be from the bits designated 01
through 28, and the second 24 bits of each subkey will always be from
the bits designated 30 through 57. 3.15 For 1 ? i ? 128, take ci ( {0, 1}128 to be the string containing a 1
in position i and then zeros elsewhere. Obtain the decryption of these
128 ciphertexts. Let m1, m2, . . . , m128 be the corresponding
plaintexts. Now, given any ciphertext c which does not consist of all
zeros, there is a unique nonempty subset of the ci's which we can XOR
together to obtain c. Let I(c) ( {1, 2, . . . , 128} denote this
subset. Observe
[pic] Thus, we obtain the plaintext of c by computing [pic]. Let 0 be the
all-zero string. Note that 0 = 0 ( 0. From this we obtain E(0) = E(0 (
0) = E(0) ( E(0) = 0. Thus, the plaintext of c = 0 is m = 0. Hence we
can decrypt every c ( {0, 1}128. 3.16 a. This adds nothing to the security of the algorithm. There is a
one-to-one reversible relationship between the 10-bit key and the
output of the P10 function. If we consider the output of the P10
function as a new key, then there are still 210 different unique
keys.
b. By the same reasoning as (a), this adds nothing to the security
of the algorithm. 3.17 s = wxyz + wxy + w