Score of 6.67 out of 10.00.
Question 1
Suppose a MAC system is used to protect files in a file system
by appending a MAC tag to each file. The MAC signing algorithm
is applied to the file contents and nothing else. What tampering attacks
are not prevented by this system?
Your Answer | Score | Explanation | |
---|---|---|---|
Erasing the last byte of the file contents. | |||
Changing the first byte of the file contents. | |||
Replacing the contents of a file with the concatenation of two files on the file system. | Incorrect | 0.00 | The MAC tag will fail to verify if any file data is changed. |
Changing the last modification time of a file. | |||
Total | 0.00 / 1.00 |
Question 2
Let be a secure MAC defined over where
and (i.e. the key space is ,
message space is , and tag space is ).
Which of the following is a secure MAC: (as usual, we use to denote
string concatenation)
Your Answer | Score | Explanation | |
---|---|---|---|
and | Correct | 0.17 | This construction is insecure because an adversary can request the tag for and thereby obtain a tag for any message. This follows from the fact that . |
and
(i.e., outputs ``1'' if is a valid tag for either or ) |
Correct | 0.17 | This construction is insecure because a valid tag on is also a valid tag on . Consequently, the attacker can request the tag on and output an existential forgery for . |
and | Inorrect | 0.00 | This construction is insecure because the tags on and are the same. Consequently, the attacker can request the tag on and output an existential forgery for . |
and
(i.e., outputs ``1'' if both and are valid tags) |
Correct | 0.17 | a forger for gives a forger for . |
and . | Inorrect | 0.00 | a forger for gives a forger for . |
and . | Correct | 0.17 | a forger for gives a forger for . |
Total | 0.67 / 1.00 |
Question 3
Recall that the ECBC-MAC uses a fixed IV (in the lecture we simply set the IV to 0).
Suppose instead we
chose a random IV for every message being signed and include
the IV in the tag. In other words,
where refers to the ECBC function using as
the IV. The verification algorithm given key , message ,
and tag outputs ``1'' if and outputs
``0'' otherwise.
The resulting MAC system is insecure. An attacker can query for the tag of the 1-block message and obtain the tag . He can then generate the following existential forgery: (we assume that the underlying block cipher operates on -bit blocks)
The resulting MAC system is insecure. An attacker can query for the tag of the 1-block message and obtain the tag . He can then generate the following existential forgery: (we assume that the underlying block cipher operates on -bit blocks)
Your Answer | Score | Explanation | |
---|---|---|---|
The tag is a valid tag for the 1-block message . | |||
The tag is a valid tag for the 1-block message . | Correct | 1.00 | The CBC chain initiated with the IV and applied to the message will produce exactly the same output as the CBC chain initiated with the IV and applied to the message . Therefore, the tag is a valid existential forgery for the message . |
The tag is a valid tag for the 1-block message . | |||
The tag is a valid tag for the 1-block message . | |||
Total | 1.00 / 1.00 |
Question 4
Suppose Alice is broadcasting packets to 6 recipients
. Privacy is not important but integrity is.
In other words, each of should be assured that the
packets he is receiving were sent by Alice.
Alice decides to use a MAC. Suppose Alice and all share a secret key . Alice computes a tag for every packet she sends using key . Each user verifies the tag when receiving the packet and drops the packet if the tag is invalid. Alice notices that this scheme is insecure because user can use the key to send packets with a valid tag to users and they will all be fooled into thinking that these packets are from Alice.
Instead, Alice sets up a set of 4 secret keys . She gives each user some subset of the keys. When Alice transmits a packet she appends 4 tags to it by computing the tag with each of her 4 keys. When user receives a packet he accepts it as valid only if all tags corresponding to his keys in are valid. For example, if user is given keys he will accept an incoming packet only if the first and second tags are valid. Note that cannot validate the 3rd and 4th tags because he does not have or .
How should Alice assign keys to the 6 users so that no single user can forge packets on behalf of Alice and fool some other user?
Alice decides to use a MAC. Suppose Alice and all share a secret key . Alice computes a tag for every packet she sends using key . Each user verifies the tag when receiving the packet and drops the packet if the tag is invalid. Alice notices that this scheme is insecure because user can use the key to send packets with a valid tag to users and they will all be fooled into thinking that these packets are from Alice.
Instead, Alice sets up a set of 4 secret keys . She gives each user some subset of the keys. When Alice transmits a packet she appends 4 tags to it by computing the tag with each of her 4 keys. When user receives a packet he accepts it as valid only if all tags corresponding to his keys in are valid. For example, if user is given keys he will accept an incoming packet only if the first and second tags are valid. Note that cannot validate the 3rd and 4th tags because he does not have or .
How should Alice assign keys to the 6 users so that no single user can forge packets on behalf of Alice and fool some other user?
Your Answer | ||||||||
---|---|---|---|---|---|---|---|---|
|
Question 5
Consider the encrypted CBC MAC built from AES. Suppose we
compute the tag for a long message comprising of AES blocks.
Let be the -block message obtained from by flipping the
last bit of (i.e. if the last bit of is then the last bit
of is ). How many calls to AES would it take
to compute the tag for from the tag for
and the MAC key? (in this question please ignore message padding and
simply assume that the message length is always a multiple of the AES
block size)
Your Answer | Score | Explanation | |
---|---|---|---|
3 | |||
4 | Correct | 1.00 | You would decrypt the final CBC MAC encryption step done using , the decrypt the last CBC MAC encryption step done using , flip the last bit of the result, and re-apply the two encryptions. |
2 | |||
5 | |||
Total | 1.00 / 1.00 |
Question 6
Let be a collision resistant hash function.
Which of the following is collision resistant:
(as usual, we use to denote string concatenation)
Your Answer | Score | Explanation | |
---|---|---|---|
(i.e. hash the length of ) | Correct | 0.14 | This construction is not collision resistant because . |
Correct | 0.14 | This construction is not collision resistant because . | |
Correct | 0.14 | a collision finder for gives a collision finder for . | |
(i.e. output the first 32 bits of the hash) | Correct | 0.14 | This construction is not collision resistant because an attacker can find a collision in time using the birthday paradox. |
Correct | 0.14 | a collision finder for gives a collision finder for . | |
Correct | 0.14 | a collision finder for gives a collision finder for . | |
(where is the complement of ) | Correct | 0.14 | This construction is not collision resistant because . |
Total | 1.00 / 1.00 |
Question 7
Suppose and are collision resistant
hash functions mapping inputs in a set to .
Our goal is to show that the function is also
collision resistant. We prove the contra-positive:
suppose is not collision resistant, that is, we are
given such that .
We build a collision for either or for .
This will prove that if and are collision resistant
then so is . Which of the following must be true:
Your Answer | Score | Explanation | |
---|---|---|---|
Either are a collision for or are a collision for . | Correct | 1.00 | If then either and , thereby giving us a collision on . Or but giving us a collision on . Either way we obtain a collision on or as required. |
Either are a collision for or are a collision for . | |||
Either are a collision for or are a collision for . | |||
Either are a collision for or are a collision for . | |||
Total | 1.00 / 1.00 |
Question 8
In this question and the next, you are asked to find collisions on two compression functions:
We provide an AES function for you to play with. The function takes as input a key and an value and outputs once you press the "encrypt" button. It takes as input a key and a value and outputs once you press the "decrypt" button. All three values are assumed to be hex values (i.e. using only characters 0-9 and a-f) and the function zero-pads them as needed.
Your goal is to find four distinct pairs such that and . In other words, the first two pairs are a collision for and the last two pairs are a collision for . Once you find all four pairs, please enter them below and check your answer using the "check" button.
- , and
- ,
We provide an AES function for you to play with. The function takes as input a key and an value and outputs once you press the "encrypt" button. It takes as input a key and a value and outputs once you press the "decrypt" button. All three values are assumed to be hex values (i.e. using only characters 0-9 and a-f) and the function zero-pads them as needed.
Your goal is to find four distinct pairs such that and . In other words, the first two pairs are a collision for and the last two pairs are a collision for . Once you find all four pairs, please enter them below and check your answer using the "check" button.
Note for those using the NoScript browser extension: for the buttons to
function correctly please allow Javascript from class.coursera.org and
cloudfront.net to run in your browser. Note also that the "save
answers" button does not function for this question and the next.
You entered:
Your Answer | Score | Explanation | |
---|---|---|---|
x1 = 00000000000000000000000000000000 y1 = 00000000000000000000000000000000 x2 = 00000000000000000000000000000000 y2 = 00000000000000000000000000000000 | Incorrect | 0.00 | Don't cheat, you must enter distinct pairs ! |
Total | 0.00 / 1.00 |
Question 9
You entered:
Your Answer | Score | Explanation | |
---|---|---|---|
x3 = 25900110000000000000000000000000 y3 = 00000000000000000000000000000000 x4 = 00000000000000000000000000000000 y4 = 00000000000000000000000000000000 | Incorrect | 0.00 | Sorry, incorrect! |
Total | 0.00 / 1.00 |
Question 10
Let be a random hash function where (i.e. the size of is much larger than the size of ).
In lecture we showed
that finding a collision on can be done with
random samples of . How many random samples would it take
until we obtain a three way collision, namely distinct strings
in such that ?
Your Answer | Score | Explanation | |
---|---|---|---|
Correct | 1.00 | An informal argument for this is as follows: suppose we collect random samples. The number of triples among the samples is choose 3 which is . For a particular triple to be a 3-way collision we need and . Since each one of these two events happens with probability (assuming behaves like a random function) the probability that a particular triple is a 3-way collision is . Using the union bound, the probability that some triple is a 3-way collision is and since we want this probability to be close to 1, the bound on follows. | |
Total | 1.00 / 1.00 |