# Question 1: Hash & MAC Security (30 Marks) In a certain network protocol, each datagram consists of a 256-bit header and a 256-bit payload. An organisation decides to store hashed datagrams for analytic purposes. These hash values need to be calculated on resource-limited devices that can only process data in 256-bit chunks. Thankfully, the devices have hardware implementations of the following cryptographic algorithms: • SHACAL, a block cipher with 256-bit keys, 256-bit input blocks, and 256-bit outputs, and • H, a secure internal hash function with 256-bit inputs and 128-bit outputs. Since the internal hash function H cannot process entire datagrams, it is necessary to design a hashing method that can compute datagram hashes based on the internally implemented algorithms. The engineers come up with the following designs for hashing datagrams: Design A: Hash separately, then XOR, i.e., Hash(datagram) := H(header) ⊕ H(payload) .

Question 1: Hash & MAC Security (30 Marks)

In a certain network protocol, each datagram consists of a 256-bit header and a 256-bit payload. An organisation decides to store hashed datagrams for analytic purposes. These hash values need to be calculated on resource-limited devices that can only process data in 256-bit chunks. Thankfully, the devices have hardware implementations of the following cryptographic algorithms:
• SHACAL, a block cipher with 256-bit keys, 256-bit input blocks, and 256-bit outputs, and
• H, a secure internal hash function with 256-bit inputs and 128-bit outputs.
Since the internal hash function H cannot process entire datagrams, it is necessary to design a hashing method that can compute datagram hashes based on the internally implemented algorithms. The engineers come up with the following designs for hashing datagrams:

Design A: Hash separately, then XOR, i.e.,

Design B: Hash separately, then hash the concatenated results, i.e.,
Design C: Apply SHACAL to the payload (as input block) using the header as key, then XOR the result with the header, i.e.,
In these deigns, denotes the bit-wise exclusive-or operation and denotes string concatenation. The designed datagram-hashing method is called Hash to distinguish it from the internal hash function H.

Questions

(i) [5 Marks] The organisation needs to develop a program that looks at the stored datagram hash values and for any two hashed datagrams reliably distinguishes if the original datagrams were identical or not. Identify the security requirement on datagram hashing in this case, and justify your answer.
(ii) [12 Marks] Consider the three candidate designs A, B, and C above. For each design, discuss whether or not it satisfies the security requirement identified in part (i). In each case provide a convincing argument or an attack to support your answer.

Now assume that beside calculating datagram hash values, the devices are to transmit the datagrams to a central monitoring platform over a public network. The devices apply a message-authentication code MAC to hashed datagrams and send the following information to the monitoring platform.

datagram, MACK( Hash(datagram) )
Assume that the MAC used is secure and its key K is securely pre-shared between a device and the monitoring platform. Since datagrams are not required to remain confidential, no encryption is used, and the above information is sent in the clear over the network. Hence, the network communication might be observed, blocked, or modified by third parties. The monitoring platform performs MAC verification upon receiving any communication, and only accepts the incoming communication if MAC verification succeeds.

Questions

(iii) [5 Marks] The authenticity and integrity of the received communication are important to the monitoring platform. In other words, the platform needs to make sure any communication it accepts is indeed from the device and that the information has not been tampered with in transit. Identify the security requirement on the MAC component for the above protocol to provide authenticity and integrity guarantees. Justify your answer by discussing attacks that may arise in practice.
(iv) [8 Marks] Consider Designs B and C only. For each design, discuss if the required goals of authenticity and integrity are met when used in the protocol above. In each case, provide a convincing argument or an attack to support your answer.

Page Limit

Your answer to this question must not exceed 2 sides of A4 in total. This does not include code and any further supplementary information presented in appendices.

Question 2: Encryption at YorKrypt (30 Marks)

You were recently hired as a Cryptography Engineer at YorKrypt, a local start-up company that is specialising in building solutions to secure IoT devices. You are asked to secure the communication between two small, resource-constrained IoT devices who already share a private key.

Questions

(i) [5 Marks] Which cryptographic primitive should you implement to this end? What notion of security should the identified primitive achieve? Justify your answer by discussing attack vectors that could arise in practice.
(ii) [10 Marks] A former colleague had recommended using AES-CBC (i.e., CBC with AES as the underlying block cipher), and at each invocation incrementing the IV by a publicly known fixed value ∆. (This choice was made in order to save on the generation of random bits.) Thus, in this construction initially a random IV is chosen; subsequently at each new invocation the IV is updated via IV IV + ∆ and is then used in AES-CBC for encryption. Show that this is not a sound design by presenting an appropriate attack with an identified security model. (Note that the encryption scheme is stateful and stores the current IV in its internal state so that it can increment it by ∆ at its next invocation.)
(iii) [10 Marks] After discussions with other engineers, the company has finally agreed to use fresh random IVs at each invocation. Show that this mode of operation still fails to provide an adequate level of security. Your answer should contain an appropriate security model, an adversary within this model, and an analysis of the adversary’s advantage.
(iv) [5 Marks] The engineers at YorKrypt are reluctant to switch from AES-CBC to another mode of operation. How would you transform AES-CBC (without modifying its internals) to a scheme that provides the levels of security required in practice, and as identified in part (i)? Briefly discuss why your attack in part (iii) no longer applies.

Page Limit

Your answer to this question must not exceed 3 sides of A4 in total. This does not include code and any further supplementary information presented in appendices.

Question 3: Digital Documents (20 Marks)

Two law firms, who used to exchange signed contracts manually, are deciding to “go digital.” Their requirement is that any document sent from one firm (say, firm A) to the other (say, firm B) needs to be legally binding; that is, in case of a dispute, firm B should be able to prove to a court that a document has been sent to them from firm A in its exact form. In other words, if firm A sends a document to firm B, then firm A should not be able to later deny sending the document.
The firms are looking to adopt a cryptographic solution to satisfy their requirement. They were advised to adopt a (nationally or internationally) standardised solution. Due to the nature of the documents, the firms require that the solution they adopt is secure for up to 5 years. The firms are based in the United States and the European Union; hence they were advised to follow the NIST 2020 and ECRYPT-CSA 2018 recommendations for security levels and key sizes.

Questions

(i) [4 Marks] Identify the security property required by the firms and the cryptographic primitive that would provide this property.
(ii) [4 Marks] Propose a standardised scheme to be adopted by the firms, citing the specific standard recommending the algorithm.
(iii) [8 Marks] Considering the duration requirement of the firms, recommend a level of security for the firms that satisfies both the NIST 2020 and ECRYPT-CSA 2018 recommendations, and briefly justify your answer. Determine the recommended key sizes and hash digest lengths for the scheme proposed in part (ii).
(iv) [4 Marks] Considering the proposed solution, explain what preparations need to be made in terms of generating and sharing cryptographic information between the two firms before the proposed algorithm can be used for exchanging documents in a trustworthy manner.

Specific Guidance

NIST stands for National Institute of Standards and Technology, and ECRYPT-CSA stands for European Network of Excellence for Cryptology – Coordination & Support Action.
NIST 2020 recommendations refer to: Recommendation for Key Management, Special Publication 800-57, Part 1, Revision 5, NIST, May 2020.
ECRYPT-CSA 2018 recommendations refer to: Algorithms, Key Size and Protocols Report (2018), H2020-ICT-2014 – Project 645421, D5.4, ECRYPT-CSA, February 2018.

Page Limit

Your answer to this question must not exceed 2 sides of A4 in total. This does not include code and any further supplementary information presented in appendices.

Question 4: Weak Keys in the Wild (20 Marks)

• “Ron was wrong, Whit is right” by Lenstra et al. presented at Crypto 2012. Available at: https://eprint.iacr.org/2012/064.pdf
• “Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices” by Heninger et al. presented at USENIX Security 2012.
Available at: https://factorable.net/weakkeys12.extended.pdf

Your summary must cover at least the following topics: some of the main vulnerabilities discussed in these papers, the original cause(s) of these vulnerabilities, the security consequences of these vulnerabilities, some of the main findings of the above papers in their surveys of keys in the wild, some of the main lessons from these works for you as a future security practitioner.

Specific Guidance

Good marks will be given to well-structured summaries that provide reasonable coverage and demonstrate a good overall understanding of the vulnerabilities, their causes and consequences, and practical lessons learned. You do not need to understand all the technical details such as the mathematics of the more sophisticated attacks.

Page Limit

Your answer to this question must not exceed 2 sides of A4 in total. This does not include code and any further supplementary information presented in appendices.

End of examination paper