Discussion: Proposed Solution Information Security FS16


1.f)

The previous answer T was changed to F because WEP is not insecure due to its use of RC4. Although RC4 has some problems, the lecture slides on Stream Ciphers [1] state on the third last slide: "RC4 is still 'rather' secure, if used in a correct way." and they hint a few slides earlier that the real problem is how RC4 is implemented, in particular the problems come from its initially small key size of 40 bits that could be brute forced (but that was raised to 104 bits) and its small set of 24-bit-long IVs that is "exhausted in half a day [...] with 5Mbps bandwidth". This also corresponds to the German Wikipedia article on WEP [2] that states "most attacks abuse the vulnerability of the very short 24 bit initialisation vector IV".

7 c)

From the slides (topic3, slide 80): the expected number of false positives is 2^2n * 2^(-2n) = 1. An additional pair (x,y) allows one to eliminate the false positive.

Note that in the slides the block length and the key length are assumed to be the same, which is not the case in this exercise.

Errors?

I believe some answers provided may be errors. Here is the list:

1 True or False

b) F => I believe it's true. Negligibility is blurry in this context, because it's relative (at least from what I know, something is negligible TO something). I assume the question is "x^-1000" negligible to x? And the limit in infinity of x^-1000/x is 0. Which shows that x^-1000 is negligible to x. (We would write x^-100 = o(x).)

Comment: The original solution is correct. Negligibility of functions is a well-defined concept and not blurry at all, see, e.g., [3]. --Aecturus (Talk) 11:53, 7. Aug. 2018 (CEST)

c) F => I believe it's true. As no information is given on the IV (it may change, or not) and because CBC is deterministic, with the same encryption key, I see no reason why it would be different. (Assuming we are talking about a block cipher in CBC mode.)

Comment: The original solution is correct here as well. Even assuming no IV is used or it is not changed, the same block may appear at different positions in different messages. This means that it is XORed with different other blocks and its encryption differs. --Aecturus (Talk) 11:53, 7. Aug. 2018 (CEST)
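
The point discussed for 1 c), as an added example that is not part of the original discussion: with a fixed key and IV, CBC is deterministic for identical messages, yet the same plaintext block at a different position encrypts differently. The 16-byte Feistel permutation built from SHA-256 is a toy stand-in for a real block cipher; all names, keys and sample messages are constructed.

```python
import hashlib

BLOCK = 16  # block size in bytes

def _round(key, i, half):
    # Round function: keyed hash truncated to half a block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]

def toy_encrypt_block(key, block):
    # 4-round Feistel network, i.e. a keyed permutation on 16-byte blocks.
    # Toy stand-in for a real block cipher; not for production use.
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(4):
        mixed = bytes(a ^ b for a, b in zip(left, _round(key, i, right)))
        left, right = right, mixed
    return left + right

def split(data):
    assert len(data) % BLOCK == 0, "sample messages are block-aligned"
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def ecb_encrypt(key, msg):
    # Each block is encrypted independently of its position.
    return [toy_encrypt_block(key, b) for b in split(msg)]

def cbc_encrypt(key, iv, msg):
    # Each block is XORed with the previous ciphertext block (or the IV).
    out, prev = [], iv
    for b in split(msg):
        prev = toy_encrypt_block(key, bytes(x ^ y for x, y in zip(b, prev)))
        out.append(prev)
    return out

KEY = b"constructed key!"          # constructed sample key
IV = bytes(BLOCK)                  # fixed all-zero IV, never changed
P = b"SAME BLOCK 16 B!"            # the repeated plaintext block
MSG1 = P + b"A" * BLOCK            # P is block 0 of message 1
MSG2 = b"B" * BLOCK + P            # P is block 1 of message 2

def demo():
    c1, c2 = cbc_encrypt(KEY, IV, MSG1), cbc_encrypt(KEY, IV, MSG2)
    e1, e2 = ecb_encrypt(KEY, MSG1), ecb_encrypt(KEY, MSG2)
    return {
        "ecb_same": e1[0] == e2[1],   # ECB: P always maps to the same block
        "cbc_same": c1[0] == c2[1],   # CBC: chaining changes the input to E
        "cbc_deterministic": cbc_encrypt(KEY, IV, MSG1) == c1,
    }

if __name__ == "__main__":
    print(demo())
```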


9 is incomplete

c: is valid (similar trace)

d: is invalid (no occurrence of K2 in A)

Comment: d is valid, because K2 can be derived as in (a) --Tierriminator (Talk) 16:41, 7. Aug. 2018 (CEST)


10 Secrecy has errors in (a)

PK(B):

i) F => I believe it's true. A is sure that B ONLY can decrypt it. B has absolutely no guarantee that A sent this message. Therefore, an adversary may have sent this message, and so m is not secret. The claim is invalid.

ii) F => Ok.

iii) T => I believe it's false. B has no guarantee that A sent this message. Therefore, there is no secrecy on m for B. (See mod3-protocol-properties.pdf slide 41)

PK(A): The protocol is not functional => Ok.

K(A,B):

i) F => Ok.

ii) F => Ok.

iii) T => Ok. As we consider the key Kab is previously shared with both parties and so is secret.