This repository has been archived on 2024-01-04. You can view files and clone it, but cannot push or open issues or pull requests.
ComputerSecurity/cw/cw.tex
Andre Henriques ce95a4a48a
All checks were successful
continuous-integration/drone/push Build is passing
fix spelling
2023-11-07 17:40:00 +00:00

294 lines
11 KiB
TeX

%%% Preamble
\documentclass[11pt, a4paper]{article}
\usepackage[english]{babel} % English language/hyphenation
\usepackage{url}
\usepackage{tabularx}
\usepackage{pdfpages}
\usepackage{float}
\usepackage{amsmath, amssymb}
\usepackage{systeme}
\usepackage{graphicx}
\graphicspath{ {../images for report/} }
\usepackage[margin=2cm]{geometry}
\usepackage{hyperref}
\hypersetup{
colorlinks,
citecolor=black,
filecolor=black,
linkcolor=black,
urlcolor=black
}
\usepackage{cleveref}
%%% Custom headers/footers (fancyhdr package)
\usepackage{fancyhdr}
\pagestyle{fancyplain}
\fancyhead{} % No page header
\fancyfoot[L]{} % Empty
\fancyfoot[C]{\thepage} % Pagenumbering
\fancyfoot[R]{} % Empty
\renewcommand{\headrulewidth}{0pt} % Remove header underlines
\renewcommand{\footrulewidth}{0pt} % Remove footer underlines
\setlength{\headheight}{13.6pt}
% numeric
\usepackage[style=ieee,sorting=none,backend=biber]{biblatex}
\addbibresource{../main.bib}
% Write the approved title of your dissertation
\title{Automated image classification with expandable models}
% Write your full name, as in University records
\author{Andre Henriques, 6644818}
\date{}
%%% Begin document
\begin{document}
\section*{1}
\subsection*{1.1}
key: JDQLWBSNZM
w1: MONISTICAL
w2: APHRODITES
\subsection*{1.2}
The first step was to load all the words from the word list into a tree, where each depth of the tree corresponds with an $i$th letter of the word. The branches that come off each node correspond to the next letter of the word.i.e.
\begin{itemize}
\item aa…
\item ab…
\item ba…
\end{itemize}
Would generate a tree that looks like:
$$()\to(a\to(a, b), b\to(a))$$
Since the words were encrypted with the same key, that means if we were to generate a possible key, that key would need to decrypt both ciphertexts such that when the tree is navigated we navigate to nodes that exist. If the key results in a path in the tree that does not exist, then we can disregard that answer as a possible key and continue with the possible next key.
Once you find a key that is the same length as the cipher text, we know that we found the right key.
\section*{2}
\subsection*{2.1}
Ciphertext:
6cea122f3b42975bdbbeb7f2c6efaf9fd5a54fdd62\textbf{3c}27\textbf{6f}55358f4fbcb7a9492d0451b7019c69faef5fd23103ff7ec521fbbc6516ca2cb2ca663d5dbff86bcf
T=2nd block
U=6th byte from the 2nd block
V=0x33
W=0x3c
X=8th byte from the 2nd block
Y=0x6c
Z=0x6f
To change the given cipher text we need to first find the block we want to change and go to the previous block, this only works for blocks after the first one, after that we need to find the value that comes out of the Encryption function and we can do that if we follow this formula:
$$\text{After Encrytion}\oplus\text{Previous Block Original Ciphertext}=\text{PlainText}\iff\text{After Encryption}=\text{Previous Block Original Ciphertext}\oplus\text{PlainText}$$
After we calculate the value that comes out of the encryption function and before we xor with the previous block we can now calculate the value that we need to change the previous block in the cipher text to:
$$\text{After Encrytion}\oplus\text{Previous Block Altered Ciphertext}=\text{Altered PlainText}\iff\text{Previous Block Altered Ciphertext}=\text{After Encrytion}\oplus\text{Altered PlainText}$$
\subsection*{2.2}
The block before the block where the change appens becomes altered as well.
\subsection*{2.3}
The change is similiar to the one described in 2.1 but with the iv value instead of the previous block
$$\text{After Encrytion}\oplus\text{Original IV value}=\text{PlainText}\iff\text{After Encryption}=\text{Original IV value}\oplus\text{PlainText}$$
After we calculate the value that comes out of the encryption function and before we xor with IV value we can now calculate the value that we need to change the IV value to:
$$\text{After Encrytion}\oplus\text{New IV value}=\text{Altered PlainText}\iff\text{New IV value}=\text{After Encrytion}\oplus\text{Altered PlainText}$$
\subsection*{2.4}
You can not change the location word "station'', because the word is spread between 2 blocks which means that to change the second part of the word "ion'', you need to change the previos block but by changing the previous block the rest of the word "stat'' would have become garbled.
\section*{3}
\subsection*{3.1}
The computational hard problem is factorization
\subsection*{3.2}
I used factorization to obatin the cipher text is "handlebars''
\subsection*{3.3}
I used the general number sieve to factorize\cite{cadonfs} to factorize the public modulus and obtained:
$$p=112546167358047505471958486197519319605436748416824057782825895564365669780011$$
and
$$q=65802972772386034028625679514602920156340140357656235951559577501150333990623$$
with p and q I calculated
$$d=1545653943570564246212141988589994139279645559486726912293297140150091598977726717239879077953798120855868459360771804433616650588668281034152580212290153$$
with d you can decrypt the ciphertext
I used the openssl crypto libaray with the $p,q,d,m,e$ to decrypt the cipher text
\subsection*{3.4}
While factorizing the numbers takes more time, then a dictionary attack, it allows me to decrypting any message that was encrypted with this public key. It also allows me to decrypt messages that have diferent padding including padding methods that use random values.
\subsection*{3.5}
Yes, since I know the private key I can just decrypt the message.
\section*{4}
\subsection*{4.1}
$$P||R = E(K,C)$$
then you can remove the $R$ part and the $P$ can be obtained
\subsection*{4.2}
The q pairs could look like: $${(1, k),(2,k),(3,k)\cdots(q, k)}$$
where k is a constant value for simplicity sets say $k=0$
$E_b$ is the list of encrypted values returned by the oracle
This q pairs work because when the oracle selects b=0:
There will be no colisions:
$$\nexists i,k : i \ne j \land P_{0i} \ne p E_{0i} \implies E_{0i} \ne E_{0j}$$
there if you don't find any colissions you can assume that the the oracle selected b=0
if the oracle selects b=1:
If q is big enough, there will be colissions:
$$\exists i,k : i \ne j \land P_{1i} = P_{1j} \land R_i = R_j \implies E_{1i} = E_{1j}$$
where $R$ is the list of random values generated for each pair
\subsection*{4.3}
\section*{5}
\subsection*{5.1}
The hash function is collision resistante for $n=1$, since if the block size is one the hash function is the encryption. Therefore:
if the message is only one block long:
$$H=E$$
$$m\ne m'$$
$$H(m)=E(K, IV \oplus m) = C_1$$
$$H(m')=E(K, IV \oplus m') = C_2$$
And if there the hashing function was not collision resistant that would imply
$$C_1=C_2\Rightarrow D(C_1)=D(C_2) \Rightarrow m=m'$$
and since $m\ne m'$ the hash function is collision resistant, for messages with 1 block.
For if the block size is bigger than one we can say
$$H(m)=E(m)_{\text{Last Block}}$$
$$E(m)=E(K, m)$$
$$\exists a,b,c,d : m = a||b \land m' = c||d$$
where a,b,c,d are the size of one block
$$H(m)=E(b \oplus E(a \oplus IV)) = C_1$$
$$H(m')=E(d \oplus E(c \oplus IV)) = C_2$$
since it's possible to have:
$$b \oplus E(a \oplus IV) = d \oplus E(c \oplus IV) \implies$$
$$\implies C_1=C_2$$
with:
$$a \ne b \ne c \ne d$$
therefore
$$H(m)=H(m') \land m\ne m'$$
therefore the hash function is not collision resistant.
Since this can be expanded with more than 2 blocks the hash functions is not collision resistant for any message bigger than 1 block.
\subsection*{5.2}
When the message has the size of a block, the authenticated encryption system scheme has both data confidentiality and integrity because the hash function is only collision resistant with messages of block size 1, because of that is impossible to change the ciphertext in away that when the mac is generated on the receiver side, the mac will be the same and since the mac key is not public the attacker cannot generate the new mac.
When the message has a bigger size than one block, the scheme still has data confidentiality because the message can still not be decrypted without knowing the key, but it has no longer data integrity because the attacker can change the message in such a way that it would generate a hash collision; therefore the sender could not prove that the information that was received was not sent that way by the server.
\section*{6}
\subsection*{6.1}
\subsubsection*{6.1.1}
Bob can check if the equation holds then Bob knows that Alice signed the Contract
$$h = H(g^s\times y^c \text{ mod } p || C)$$
where y is Alice's pub key.
\subsubsection*{6.1.2}
If the Alice used the the same r then this equation would only have 2 variables to solve, $a$ and $r$ which makes this equation possible to solve.
$$\begin{cases}
s = r - h \times a \text{ mod } q\\
s' = r - h' \times a \text{ mod } q
\end{cases}
$$
\section*{7}
\subsection*{7.1}
$$v1 = (137, 312), v2 = (215, -187)$$
$$u1 = (1975,438), u2 = (7548, 1627)$$
$$B = \begin{pmatrix}
137 & 312 \\
215 & -187 \\
\end{pmatrix}$$
$$U = \begin{pmatrix}
1975 & 438\\
7548 & 1627\\
\end{pmatrix}$$
A:
$$det(L)=|det(B)|=|-92699|=92699$$
$$H(B)=(\frac{det(L)}{\|v1\|\times\|v2\|})^\frac{1}{n}=(\frac{92699}{\sqrt{v1_1^2 + v1_2^2}\times\sqrt{v2_1^2 + v2_2^2}})^\frac{1}{2}=$$
$$=\frac{\sqrt{92699}}{9427678922^{\frac{1}{4}}}\approx0.977094\approx0.98$$
$$H(U)=(\frac{det(L)}{\|u1\|\times\|u2\|})^\frac{1}{n}=(\frac{92699}{\sqrt{u1_1^2 + u1_2^2}\times\sqrt{u2_1^2 + u2_2^2}})^\frac{1}{2}=$$
$$=\frac{\sqrt{92699}}{243990681350077^{\frac{1}{4}}}\approx0.0770361\approx0.077$$
B:
$$w = (30548, 6642)$$
$$\begin{cases}
30548=137t_1 + 215t_2\\
6642=312t_1 + -187t_2\\
\end{cases}= \begin{cases}
t_1 = \frac{7140506}{92699}\\
t_2 = \frac{8621022}{92699}\\
\end{cases}=\begin{cases}
t_1 \approx 77.03\\
t_2 \approx 93\\
\end{cases}=\begin{cases}
t_1 \approx 77\\
t_2 \approx 93\\
\end{cases}
$$
$$v'=77(137,312) + 93(215,-187)=(30544, 6633)$$
$$r=w-v'=(4, 9)$$
$$
w = v'\times m + r\iff
m= (30544, 6633)\times\begin{pmatrix}
1975 & 438\\
7548 & 1627\\
\end{pmatrix}^{-1}\iff
m=(4,3)
$$
The plaintext is $(4, 3)$ and the $r=(4,9)$
C:
$$\begin{cases}
30548=1975t_1 + 7548t_2\\
6642=438t_1 + 1627t_2\\
\end{cases}= \begin{cases}
t_1 = \frac{432220}{92699}\\
t_2 = \frac{262074}{92699}\\
\end{cases}=\begin{cases}
t_1 \approx 4.66\\
t_2 \approx 2.83\\
\end{cases}=\begin{cases}
t_1 \approx 5\\
t_2 \approx 3\\
\end{cases}
$$
$$v'=5(1975,438) + 3(7548, 1627)=(32519, 7071)$$
$$
w = v'\times m' + r\iff
m'= (32519, 7071)\times\begin{pmatrix}
1975 & 438\\
7548 & 1627\\
\end{pmatrix}^{-1}\iff
m'=(5,3)
$$
Using $u_1$ and $u_2$ we do not dectypt correctly $m\ne m'$
\subsection*{7.2}
No he should not.
If r is not changed then we could submit to the oracle (1,0) and (2,0) and if the oracle gives us 2 cipher texts that are the same then we know that b = 1 and if they are different then we know its b=0 therefore not changing the r is not secure.
\section*{References}
\printbibliography[heading=none]
\end{document}