Homework 2

Luis Astudillo 00211000

# Exercise 1:

a) Suppose a password is chosen as a concatenation of seven lower-case dictionary words. Each word is selected uniformly at random from a dictionary of size 50,000. An example of such a password is "mothercathousefivenextcrossroom". How many bits of entropy does this have?

b) Consider an alternative scheme where a password is chosen as a sequence of 10 random alphanumeric characters (including both lower-case and upper-case letters). An example is "dA3mG67Rrs". How many bits of entropy does this have?

c) Which password is better, the one from 1. or 2.?

### a) Password from Dictionary Words

Number of possibilities = $50{,}000^7$

Entropy in bits:

$\text{Entropy} = \log_2(50{,}000^7) = 7 \times \log_2(50{,}000)$

Using a calculator:

$\text{Entropy} \approx 7 \times 15.61 = 109.27$

So, the password has approximately **109.27 bits** of entropy.

### b) Alphanumeric Password


Number of possibilities = $62^{10}$ (26 lowercase + 26 uppercase + 10 digits)

Entropy in bits:

$\text{Entropy} = \log_2(62^{10}) = 10 \times \log_2(62)$

Using a calculator:

$\text{Entropy} \approx 10 \times 5.95 = 59.5$

So, the password has approximately **59.5 bits** of entropy.

### c) Comparison

- Password from scheme 1: **109.27 bits** of entropy
- Password from scheme 2: **59.5 bits** of entropy

The password from scheme 1 **("mothercathousefivenextcrossroom")** is better in terms of entropy and is therefore theoretically harder to guess or crack than the password from scheme 2 **("dA3mG67Rrs")**.


# Exercise 2:
a) Design a data verification system using hash functions. Explain the steps involved in the process.

b) Discuss the advantages and disadvantages of using hash functions for data verification.

c) Provide an example of a real-world application where a data verification system using hash functions is used.

### a) Designing a Data Verification System Using Hash Functions

A data verification system involves the following steps:

1. **Selection of Hash Function**: Choose a cryptographically secure hash function like SHA-256, SHA-3, or BLAKE2. The choice depends on the specific requirements like speed, security, and compatibility.

2. **Hash Generation**: When data is created or received, pass it through the chosen hash function to generate a hash value (often called a 'digest').

3. **Hash Storage/Transmission**: Store the generated hash value alongside the original data or transmit it along with the data to a recipient.

4. **Verification**: 
    - When the data needs to be verified (like during retrieval or upon receipt by a third party), the data is passed again through the same hash function to generate a new hash value.
    - This newly generated hash value is compared with the originally stored/transmitted hash value.
    - If both hash values match, the data is verified to be unchanged. If they differ, the data may have been tampered with or corrupted.

### b) Advantages and Disadvantages of Using Hash Functions for Data Verification

**Advantages**:
1. **Integrity Assurance**: Hash functions can detect even minor changes in data, ensuring data integrity.
2. **Efficiency**: Hash functions are computationally efficient, allowing for quick verification.
3. **Fixed Size**: Regardless of the input data size, the hash value (digest) is of a fixed size.
4. **Non-reversibility**: Given a hash value, it's computationally infeasible to retrieve the original input data, ensuring data privacy.

**Disadvantages**:
1. **Collision Risks**: While rare, different data can produce the same hash value, leading to potential security risks.
2. **Not Encryption**: Hash functions only verify data integrity and not confidentiality. They don't encrypt data.
3. **Vulnerability to Attacks**: Some older hash functions (like MD5) are vulnerable to attacks and should not be used for security-critical applications.

### c) Real-world Application of Data Verification Using Hash Functions

**Software Downloads**: Many software providers offer hash values (like SHA-256 digests) alongside downloadable software packages. Users can compute the hash value of the downloaded file and compare it with the provided hash. If they match, it ensures that the software hasn't been tampered with and is genuine. This is commonly practiced by open-source projects and operating system distributions to ensure the integrity of their software.


# Exercise 3:
a) Define what a Message Authentication Code (MAC) is and how it is used in cryptography.

b) Explain the process of generating and verifying a MAC.

c) Discuss the importance of using MACs in secure communication systems.

### a) Definition of Message Authentication Code (MAC)

A **Message Authentication Code (MAC)** is a cryptographic construct used to ensure both data integrity and authenticity. It is a short piece of information generated from a secret key and a message. The MAC value is then sent along with the message. The receiver, possessing the same secret key, can generate the MAC for the received message and ensure it matches the sent MAC, verifying both the data's integrity and the authenticity of the sender.

### b) Process of Generating and Verifying a MAC

1. **Generation**:
    - The sender and receiver agree upon a secret key, which is known only to them.
    - When the sender wants to transmit a message, they input the message and the secret key into a MAC function. This produces the MAC value.
    - The sender then sends both the message and the MAC value to the receiver.
    

2. **Verification**:
    - Upon receiving the message and the MAC value, the receiver inputs the received message and their copy of the secret key into the same MAC function to generate a new MAC value.
    - The receiver then compares the newly generated MAC value with the received MAC value.
    - If they match, it indicates that the message has not been tampered with and that it came from the expected sender. If they don't match, the data might have been altered or the sender might not be genuine.

### c) Importance of Using MACs in Secure Communication Systems

1. **Data Integrity**: MACs ensure that the received message has not been altered during transmission.
  
2. **Authentication**: Unlike simple hash functions, MACs also provide sender authentication. Since the MAC value is generated using a secret key, only someone with the correct key can produce a valid MAC. This ensures that the message is from the expected sender.

3. **Replay Attack Prevention**: By incorporating elements like timestamps or sequence numbers in the message, MACs can help prevent replay attacks where an attacker resends a previously captured message.

4. **Non-repudiation**: In some systems, MACs can provide evidence that a particular party sent a message, ensuring that the sender cannot later deny having sent the message.

5. **Synergy with Encryption**: While encryption hides the content of a message, MACs ensure its integrity and authenticity. Used together, they provide a robust security mechanism for communications.
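
The generate/verify steps above, together with the sequence-number replay check and a contrast with the unkeyed hash check from Exercise 2, as an added example (not part of the original homework). The key, the messages, the 8-byte sequence-number prefix and the names `Receiver`, `make_tag` and `hash_only_ok` are assumptions made for this illustration; HMAC-SHA256 is used as the MAC function.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # shared secret, constructed for this example

def hash_only_ok(message: bytes, digest: str) -> bool:
    """Unkeyed check from Exercise 2: recompute SHA-256 and compare."""
    return hmac.compare_digest(hashlib.sha256(message).hexdigest(), digest)

def make_tag(key: bytes, seq: int, message: bytes) -> bytes:
    """Sender: HMAC-SHA256 over an 8-byte sequence number plus the message."""
    return hmac.new(key, seq.to_bytes(8, "big") + message, hashlib.sha256).digest()

class Receiver:
    """Verifies the tag first, then rejects sequence numbers already accepted."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1

    def accept(self, seq: int, message: bytes, tag: bytes) -> str:
        expected = make_tag(self.key, seq, message)
        if not hmac.compare_digest(expected, tag):  # constant-time comparison
            return "bad-mac"
        if seq <= self.last_seq:
            return "replay"
        self.last_seq = seq
        return "ok"

def demo() -> list:
    rx = Receiver(KEY)
    msg = b"transfer 10 to bob"        # constructed sample message
    altered = b"transfer 9999 to bob"  # constructed altered copy
    tag = make_tag(KEY, 0, msg)
    return [
        rx.accept(0, msg, tag),                                     # "ok"
        rx.accept(0, msg, tag),                                     # "replay"
        rx.accept(1, altered, tag),                                 # "bad-mac"
        rx.accept(1, altered, make_tag(b"wrong-key", 1, altered)),  # "bad-mac"
        # No key is involved, so whoever alters the message can also
        # replace the digest, and the unkeyed check still passes:
        hash_only_ok(altered, hashlib.sha256(altered).hexdigest()),  # True
    ]

if __name__ == "__main__":
    print(demo())
```

The sequence number is covered by the tag, so it cannot be changed in transit without the MAC check failing.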



# Exercise 4:

Given the values of p = 17 and q = 23, generate a pair of keys for RSA.

### Step-by-step RSA Key Generation:

1. **Compute $n$**:
   $n = p \times q = 17 \times 23 = 391$

2. **Compute the totient $\phi(n)$**:
   $\phi(n) = (p-1) \times (q-1)$, so $\phi(391) = 16 \times 22 = 352$

3. **Choose an integer $e$**:
   We need $e$ such that $1 < e < \phi(n)$ and $\gcd(e, \phi(n)) = 1$. A valid choice is $e = 3$.

4. **Compute $d$**:
   We need $d$ such that $d \times e \equiv 1 \pmod{\phi(n)}$. For our values, the solution is $d = 235$.

The public key is $(391, 3)$ and the private key is $(391, 235)$.


```python
import sympy

# Given values
p = 17
q = 23

# 1. Compute n
n = p * q

# 2. Compute the totient
phi_n = (p - 1) * (q - 1)

# 3. Choose e
e = 3  # We've already determined this by hand

# 4. Compute d
d = sympy.mod_inverse(e, phi_n)

print(f"n: {n}")
print(f"e: {e}")
print(f"d: {d}")

print(f"Public key: ({n}, {e})")
print(f"Private key: ({n}, {d})")
```

Output:

```
n: 391
e: 3
d: 235
Public key: (391, 3)
Private key: (391, 235)
```


# Exercise 5:

a) Design a public key infrastructure (PKI) system. Explain the components and their roles in the system.

b) Discuss the advantages and challenges of implementing a PKI system.

c) Provide an example of a real-world application where a PKI system is used.

### a) Design of a Public Key Infrastructure (PKI) System:

A Public Key Infrastructure (PKI) is a combination of hardware, software, policies, standards, and procedures that work together to provide a framework for secure communications. The main components of a PKI system and their roles are:

1. **Certificate Authority (CA):**
   - Issues digital certificates to entities.
   - Validates the identity of the certificate requester before issuing a certificate.
   - Signs certificates using its private key.

2. **Registration Authority (RA):**
   - Acts as the verifier for the CA before the digital certificate is issued to the end user.
   - Authenticates requesters and approves or denies requests for digital certificates.

3. **Digital Certificates:**
   - Serve as electronic "passports" that establish an individual's credentials when conducting business online.
   - Contain the public key and information about the key owner.

4. **Certificate Revocation List (CRL):**
   - A list of certificates that have been revoked by the CA before their expiration date.

5. **End Entities:**
   - Users/Devices that employ the digital certificates for secure communications.

6. **Key Storage:**
   - Secure storage mechanisms for private keys, ensuring they aren't lost or accessed by unauthorized entities.

### b) Advantages and Challenges of Implementing a PKI System:

**Advantages:**
1. **Enhanced Security:** PKI offers a high level of security for electronic transactions.
2. **Authentication:** Ensures that the parties involved in a transaction are who they claim to be.
3. **Data Integrity:** Ensures that data has not been altered during transmission.
4. **Non-repudiation:** Ensures that a completed transaction is valid and cannot be denied later.
5. **Encryption:** Data is encrypted and can only be decrypted by the intended recipient.

**Challenges:**
1. **Complexity:** Setting up a PKI system can be complex and requires expertise.
2. **Cost:** Initial setup and ongoing maintenance can be expensive.
3. **Certificate Management:** Managing the lifecycle of certificates can be challenging.
4. **Revocation:** Ensuring that revoked certificates are not used can be challenging, especially in real-time scenarios.
5. **Interoperability:** Ensuring different PKI systems can work together seamlessly.

### c) Real-world Application of a PKI System:

**Online Banking:**
In online banking, PKI is used to ensure secure transactions between the bank and the customer. When a customer logs into their online banking account, the bank's website presents a digital certificate to the customer's browser. The browser checks the validity of this certificate with the CA. Once validated, the session between the bank and the customer is encrypted, ensuring that personal and financial information is securely transmitted.


# Exercise 6:

Design a system for digital signatures based on public-key cryptography. Explain the steps involved in the process and the role of each component.

### Design of a Digital Signature System Based on Public-Key Cryptography:

A digital signature system based on public-key cryptography ensures the authenticity, integrity, and non-repudiation of digital messages or documents. Here's how such a system is designed and the steps involved:

1. **Key Generation:**
   - Each user generates a pair of keys: a private key, which is kept secret, and a public key, which is distributed widely.
   - The private key is used to sign documents, while the public key is used to verify signatures.

2. **Signing the Document:**
   - The original document is passed through a hash function, producing a fixed-size string of bits, known as a hash value or digest.
   - The signer then encrypts this digest with their private key, creating the digital signature.
   - The digital signature is then attached to the document, and both are sent to the recipient.

3. **Verifying the Signature:**
   - The recipient receives the document and the attached digital signature.
   - Using the sender's public key, the recipient decrypts the digital signature to retrieve the original hash value.
   - The recipient also computes a hash value of the received document.
   - If both hash values match, the signature is valid, and the document is confirmed as authentic and unchanged.

### Role of Each Component:

1. **Private Key:**
   - Used by the signer to create the digital signature.
   - Must be kept secret to ensure the security of the signature.

2. **Public Key:**
   - Used by recipients to verify the digital signature.
   - Can be distributed widely without compromising security.

3. **Hash Function:**
   - Produces a fixed-size string of bits (digest) from the input document.
   - Ensures that even a tiny change in the document will produce a completely different digest.

4. **Digital Signature:**
   - The encrypted hash value of the original document.
   - Serves as proof of the document's authenticity and integrity.

5. **Document:**
   - The original message or file that needs to be signed and verified.

By using this system, recipients can be confident that a signed document is genuine (authenticity), hasn't been tampered with (integrity), and the signer cannot deny having signed it (non-repudiation).
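
The sign and verify steps above, run with the toy key pair from Exercise 4, as an added example (not part of the original homework). Reducing the SHA-256 digest mod $n$ so it fits the 9-bit modulus, the sample document, and the function names are assumptions made for this illustration. The last function counts how many edited documents the same signature still validates, which is why real deployments use a modulus of 2048 bits or more with a padding scheme such as RSASSA-PSS.

```python
import hashlib

# Toy key pair from Exercise 4 (p = 17, q = 23); far too small for real use.
N, E, D = 391, 3, 235

def digest_mod_n(document: bytes) -> int:
    """SHA-256 digest reduced mod n so it fits the toy modulus (assumption)."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big") % N

def sign(document: bytes) -> int:
    """Signer: apply the private exponent d to the digest."""
    return pow(digest_mod_n(document), D, N)

def verify(document: bytes, signature: int) -> bool:
    """Recipient: apply the public exponent e and compare with a fresh digest."""
    return pow(signature, E, N) == digest_mod_n(document)

def colliding_variants(document: bytes, tries: int = 10000) -> int:
    """Count edited documents that the original signature still validates.

    With n = 391 the reduced digest has only 391 possible values, so
    roughly tries / 391 unrelated documents share it.
    """
    sig = sign(document)
    return sum(verify(document + b" #%d" % i, sig) for i in range(tries))

if __name__ == "__main__":
    doc = b"Pay 100 USD to Alice"  # constructed sample document
    sig = sign(doc)
    print("signature:", sig)
    print("valid:", verify(doc, sig))
    print("altered signature accepted:", verify(doc, (sig + 1) % N))
    print("variants accepted out of 10000:", colliding_variants(doc))
```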
