CS-solved Exercises

University of Parma – Department of Engineering and Architecture

Course of Cybersecurity
Luca Veltri

Cybersecurity

2023/2024

Solutions of the exercises

1) Let us consider a simple monoalphabetic shift cipher (Caesar’s Cipher), with an alphabet of N characters (with N = 26),
with a secret key K=4 (the shift). Encrypt the text “SECRET”.

SOLUTION
A shift of K=4 leads to the following encryption substitution table:
Cleartext char: abcdefghijklmnopqrstuvwxyz
Ciphertext char: EFGHIJKLMNOPQRSTUVWXYZABCD
then:
Cipher text: c = Ek(m) = SHIFT(4,"SECRET") = "WIGVIX"

2) Consider a monoalphabetic substitution cipher, that maps a plaintext character M into the cipher character C, defined as
follows:
C = Ek(M) = a M + b mod 26
where M is any character of the alphabet {‘a’,’b’, ‘c’, .. ,’z’}, and a and b are two integer parameters that form the secret
key K = <a,b>
By using such a cipher, a ciphertext has been generated starting from an English plaintext. By analyzing the ciphertext it
results that the most frequent letter of the ciphertext is ‘B’, and the second most frequent letter of the ciphertext is ‘U’.
Try to break this code, by knowing that the two most frequent letters in English are ‘e’ and ‘t’.
(Hints: x mod n = y ⇒ ∃ h : x = y +hn. The equation 15x mod 26 = 19 has the solution x = 3).

SOLUTION
M1=‘e’=4 → C1=’B’=1
M2=‘t’=19 → C2=’U’=20

(4a+b) mod 26 = 1
(19a+b) mod 26 = 20

∃ h : b = 1-4a +h*n
(19a -4a +1 +h*26) mod 26 = 20

15a mod 26 = 19, which has the solution a=3 (to find the solution, you can use Euclid’s algorithm to find 15^-1 modulo 26, that
is 7; then by multiplying both sides by 7 you obtain a = 7*19 mod 26 = 3)

Then, a = 3, and b = 1 – 4*3 +h*26 = 15

C = Ek(M) = 3 M + 15 mod 26
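
The same key recovery in code, as an added example that is not part of the original exercise sheet. It generalizes the solution to any two guessed letter pairs and rejects guesses that do not determine a valid key; the function names are hypothetical.

```python
from math import gcd

N = 26  # alphabet size used in the exercise

def idx(ch):
    """Map a letter (either case) to 0..25."""
    return ord(ch.lower()) - ord('a')

def recover_affine_key(m1, c1, m2, c2, n=N):
    """Solve c = a*m + b (mod n) for (a, b) from two plaintext/ciphertext letter pairs.

    Subtracting the two congruences gives (m2 - m1)*a = (c2 - c1) (mod n),
    which has a unique solution only if gcd(m2 - m1, n) == 1.
    """
    dm = (idx(m2) - idx(m1)) % n
    dc = (idx(c2) - idx(c1)) % n
    if gcd(dm, n) != 1:
        raise ValueError("these letter pairs do not determine a unique key")
    a = (pow(dm, -1, n) * dc) % n   # pow(x, -1, n) is the modular inverse (Python 3.8+)
    if gcd(a, n) != 1:
        raise ValueError("a is not invertible: the frequency guess is inconsistent")
    b = (idx(c1) - a * idx(m1)) % n
    return a, b

def encrypt(text, a, b, n=N):
    """C = a*M + b mod n, ciphertext in upper case as in the exercise."""
    return "".join(chr((a * idx(ch) + b) % n + ord('A')) for ch in text)

def decrypt(text, a, b, n=N):
    """M = a^-1 * (C - b) mod n, plaintext in lower case."""
    a_inv = pow(a, -1, n)
    return "".join(chr((a_inv * (idx(ch) - b)) % n + ord('a')) for ch in text)

if __name__ == "__main__":
    # Guess from the exercise: 'e' -> 'B' and 't' -> 'U'
    a, b = recover_affine_key('e', 'B', 't', 'U')
    print("recovered key: a =", a, ", b =", b)
    ct = encrypt("secret", a, b)          # constructed sample plaintext
    print(ct, "->", decrypt(ct, a, b))
```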

3) Starting from a block cipher EK(.) with block size q, please show the scheme for the CBC (Cipher Block Chaining)
encryption of a message m with length L>q (for simplicity, let’s consider L=n q).

SOLUTION
If we express m and c as:
m=M1||M2|| . . . ||Mn
c=C1||C2|| . . . ||Cn

it is:
C0=IV
Ci=EK(Mi ⊕ Ci-1)

4) Suppose you have an API implementing a block cipher E in CBC mode, with block size q. The same block cipher in CBC
mode has been used to encrypt a message m with length pq using a key K of size n bits. Evaluate the complexity of a brute-
force attack against the secret key K, assuming that both the plaintext m and the ciphertext c are known. In each attempt, the
entire message is processed. Express the complexity in terms of the number of block encryptions (using the function E), as a
function of n, p and q.

SOLUTION
Given the message m, the maximum number of keys that should be tried (worst case) in order to find the right key K such that
E-CBC(K,m) ≡ c is 2^n. Since each attempt requires the execution of p encryption operations, the complexity of this attack in
terms of number of E operations is:
p · 2^n
If TE is the time for one encryption with E(.), the total time required for the complete brute-force attack is: p · 2^n · TE
The same result could be obtained by using the decryption function D-CBC(K,c) and searching for the key K such that:
D-CBC(K,c) ≡ m.

5) Let us consider a symmetric block cipher Ek(.) with block size 4 bit.
By supposing that, given a secret key K, the encryption table of Ek(.) corresponds
to the table below, encrypt in CBC mode with IV=0000 the
following plaintext message:
m= 1100 1010 0010 1101

plaintext   ciphertext
0000        1110
0001        0100
0010        1101
0011        0001
0100        0010
0101        1111
0110        1011
0111        1000
1000        0011
1001        1010
1010        0110
1011        1100
1100        0101
1101        1001
1110        0000
1111        0111

SOLUTION

Encryption is performed in CBC mode, that is:


Ci = Ek(Mi XOR Ci-1)
with C0 = IV = 0000

then:
C1 = Ek(1100 XOR 0000) = Ek(1100) = 0101
C2 = Ek(1010 XOR 0101) = Ek(1111) = 0111
C3 = Ek(0010 XOR 0111) = Ek(0101) = 1111
C4 = Ek(1101 XOR 1111) = Ek(0010) = 1101

c= 0101 0111 1111 1101 (iv=0000)

6) Let us consider the following plaintext message:
m = 1100 0000 1100 0000
encrypted by means of the same symmetric encryption algorithm Ek(.) with block size 4 bit and secret key K of the previous
exercise (same encryption/substitution table) in OFB mode with IV=0001, resulting in the following ciphertext:
c = 1000 0010 0001 1001 (IV=0001)
Show how it is possible to modify the ciphertext c in such a way that by decrypting it you obtain the following plaintext:
m’= 1100 0000 1001 0000

SOLUTION

Encryption has been done in OFB mode, that is c = m XOR o, where o is the keystream generated from the IV and the key, independently of the message.


Hence, if you want to change a bit of the decrypted plaintext you have to change the corresponding bit of the ciphertext.
Referring to the third block:
original M3 = 1100
target M3' = 1001

so you have to simply change the second and fourth bit of C3, that is:
original C3 = 0001
modified C3' = 0100

c'= 1000 0010 0100 1001 (iv=0001)

7) Let us consider a message m=M1||M2||M3||M4, and suppose it is encrypted by means of a block cipher EK() in CBC mode
(the block size of EK() is equal to the size of the blocks Mi), with iv=IV0, obtaining the ciphertext c= C1||C2||C3||C4.
If an attacker modifies the ciphertext by rearranging the component blocks, obtaining the new ciphertext c’=
C1||C3||C2||C4, what will be the corresponding plaintext message m’=M’1||M’2||M’3||M’4 obtained by “erroneously”
decrypting the ciphertext c’? Show the blocks M’i as a function of Mj and Cj with j=1..4.

SOLUTION
With CBC encryption, it is:
Ci = EK(Mi ⊕ Ci-1)
and:
Mi = DK(Ci) ⊕ Ci-1

and also:
DK(Ci) = Mi ⊕ Ci-1

indicating with:
m’ = M’1||M’2||M’3||M’4

by setting:
c’= C1||C3||C2||C4

it results:
M’1 = DK(C’1) ⊕ IV0 = DK(C1) ⊕ IV0 = M1
M’2 = DK(C’2) ⊕ C’1 = DK(C3) ⊕ C1 = (M3 ⊕ C2) ⊕ C1
M’3 = DK(C’3) ⊕ C’2 = DK(C2) ⊕ C3 = (M2 ⊕ C1) ⊕ C3
M’4 = DK(C’4) ⊕ C’3 = DK(C4) ⊕ C2 = (M4 ⊕ C3) ⊕ C2
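
Exercises 5, 6 and 7 can be checked mechanically with the 4-bit table of exercise 5. The following is an added example, not part of the original exercise sheet; the function names are hypothetical, and the block reordering of exercise 7 is tried on the message of exercise 5. It shows why neither CBC nor OFB alone provides integrity: the modified ciphertexts decrypt without any error.

```python
# 4-bit block cipher of exercise 5 as a lookup table: E[x] = Ek(x)
E = [0b1110, 0b0100, 0b1101, 0b0001, 0b0010, 0b1111, 0b1011, 0b1000,
     0b0011, 0b1010, 0b0110, 0b1100, 0b0101, 0b1001, 0b0000, 0b0111]
D = [E.index(y) for y in range(16)]      # inverse table: D[Ek(x)] = x

def blocks(s):
    """'1100 1010' -> [12, 10]"""
    return [int(b, 2) for b in s.split()]

def fmt(bs):
    return " ".join(format(b, "04b") for b in bs)

def cbc_encrypt(m, iv):
    c, prev = [], iv
    for mi in m:
        prev = E[mi ^ prev]              # Ci = Ek(Mi XOR C(i-1))
        c.append(prev)
    return c

def cbc_decrypt(c, iv):
    m, prev = [], iv
    for ci in c:
        m.append(D[ci] ^ prev)           # Mi = Dk(Ci) XOR C(i-1)
        prev = ci
    return m

def ofb_xor(data, iv):
    """OFB: O0 = IV, Oi = Ek(O(i-1)); the same function encrypts and decrypts."""
    out, o = [], iv
    for x in data:
        o = E[o]
        out.append(x ^ o)
    return out

def ofb_modify(c, m_known, m_target):
    """Exercise 6: flip exactly the ciphertext bits where m and m' differ."""
    return [ci ^ mk ^ mt for ci, mk, mt in zip(c, m_known, m_target)]

def swap_middle_blocks(m, iv):
    """Exercise 7: decrypt C1||C3||C2||C4 and compare with the derived formulas."""
    c = cbc_encrypt(m, iv)
    got = cbc_decrypt([c[0], c[2], c[1], c[3]], iv)
    predicted = [m[0], m[2] ^ c[1] ^ c[0], m[1] ^ c[0] ^ c[2], m[3] ^ c[2] ^ c[1]]
    return got, predicted

if __name__ == "__main__":
    m5 = blocks("1100 1010 0010 1101")
    print("ex 5  c  =", fmt(cbc_encrypt(m5, 0b0000)))
    m6, c6 = blocks("1100 0000 1100 0000"), blocks("1000 0010 0001 1001")
    c6_mod = ofb_modify(c6, m6, blocks("1100 0000 1001 0000"))
    print("ex 6  c' =", fmt(c6_mod), "-> m' =", fmt(ofb_xor(c6_mod, 0b0001)))
    got, predicted = swap_middle_blocks(m5, 0b0000)
    print("ex 7  m' =", fmt(got), "formulas:", fmt(predicted))
```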

8) Realize a symmetric encryption scheme for encrypting messages m with any length, based on a block cipher EK() (e.g.
AES), without obtaining avalanche effect, in such a way that if you change one bit of the ciphertext, only one bit of the
plaintext will change when decrypting the ciphertext (hint: use the XOR operator).

SOLUTION
m=M1||M2|| . . . ||Mn
c=IV||C1||C2|| . . . ||Cn
Ci=Mi ⊕ Oi
with:
Oi= EK(Oi-1)=AES(K,Oi-1)
O0=IV

9) Consider the following three padding algorithms for extending the length of a message to a multiple of N bytes (e.g.
N=32). Which of the three algorithms are suitable for using with a block cipher with block size N bytes? Why?
Padding1: append to the message random bytes until the total length (in bytes) becomes a multiple of N.
Padding2: append to the message random bytes until the total length (in bytes) becomes one less than a multiple of N; then append
one byte encoding the number of padding bytes that have been added.
Padding3: append to the message a bit ‘1’, then append as many bits ‘0’ as needed to reach a multiple of N bytes.

SOLUTION
All three padding algorithms extend the message length to a multiple of N. However only Padding2 and Padding3 are
suitable for encryption/decryption, since they allow the receiver to detect the end of the original message and to correctly
remove the padding data after decryption.
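
The three schemes in code, as an added example that is not part of the original exercise sheet. Assumptions: N is at most 256, the count byte of Padding2 holds the number of random bytes (not counting itself), and Padding3 is applied to whole bytes, so the bit '1' followed by seven '0' bits is the byte 0x80. The function names are hypothetical.

```python
import os

N = 32  # block size in bytes, as in the exercise

def pad1(msg, n=N):
    """Padding1: random bytes only; nothing records how many were added."""
    return msg + os.urandom(-len(msg) % n)

def pad1_candidates(padded, n=N):
    """Every message that Padding1 could have turned into `padded`."""
    return [padded[:k] for k in range(max(len(padded) - n + 1, 0), len(padded) + 1)]

def pad2(msg, n=N):
    """Padding2: k random bytes up to length = -1 (mod n), then one byte holding k."""
    k = (n - 1 - len(msg)) % n
    return msg + os.urandom(k) + bytes([k])

def unpad2(padded, n=N):
    if not padded or len(padded) % n:
        raise ValueError("length is not a positive multiple of the block size")
    k = padded[-1]
    if k >= n:
        raise ValueError("invalid padding count")
    return padded[:len(padded) - 1 - k]

def pad3(msg, n=N):
    """Padding3: marker byte 0x80, then 0x00 bytes up to a multiple of n."""
    return msg + b"\x80" + b"\x00" * ((n - 1 - len(msg)) % n)

def unpad3(padded, n=N):
    if not padded or len(padded) % n:
        raise ValueError("length is not a positive multiple of the block size")
    body = padded.rstrip(b"\x00")        # drop the trailing '0' bits
    if not body.endswith(b"\x80"):
        raise ValueError("marker bit not found")
    return body[:-1]

if __name__ == "__main__":
    msg = b"pay 100 EUR"                 # constructed sample message
    print(unpad2(pad2(msg)), unpad3(pad3(msg)))
    # With Padding1 the receiver cannot tell which prefix is the message:
    print(len(pad1_candidates(pad1(msg))), "equally plausible messages")
```

Padding2 and Padding3 always add at least one byte, even when the message length is already a multiple of N; that is what makes removal unambiguous.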

10) Starting from a hash function H() and a symmetric key KAB shared between two entities A and B:
i) show a possible authentication scheme between A (supplicant) and B (authenticator);
ii) show how it is possible to send a message m from A to B providing data authentication and integrity protection;
iii) create an encryption function (and the corresponding decryption function) that can be used for sending a message m
encrypted from A to B.

SOLUTION
i) A possible authentication scheme between A (supplicant) and B (authenticator):
A → B: H(KAB||R)

ii) Authentication and integrity protection of a message m sent from A to B:


A → B: m||H(KAB||m)

iii) Encryption function (and the corresponding decryption function) that can be used for encrypting the message m from A to
B:
Let’s define
O0 = IV
Oi = H(KAB|| Oi-1)
o = O1||O2||O3|| .. ||On|| ..

c = E(KAB,IV,m) = m ⊕ o

message that is sent:
A → B : x= IV||c

decryption:
m = E(KAB,IV,c) = c ⊕ o

11) Find the multiplicative inverse of each nonzero element in Z7.

SOLUTION
Z7* = {1,2,3,4,5,6}
Corresponding multiplicative inverses: 1, 4, 5, 2, 3, 6

12) Find all nonzero elements in Z21 that are relatively prime with 21.

SOLUTION
Elements in Z21 that are co-prime with 21 are: U21 = {1, 2, 4, 5, 8, 10, 11, 13, 16, 17, 19, 20}.
Note that: Φ(21) = Φ(3x7) = (3-1)(7-1) = 12 = |U21|

13) By using the Euclid’s algorithm, find the greatest common divisor gcd( , ) of:
a) 36, 15
b) 47, 20
c) 43, 35

SOLUTION
a) gcd(36,15)=(36,15)=(15,6)=(6,3)=3
b) gcd(47,20)=(20,7)=(7,6)=(6,1)=1
c) gcd(43,35)=(35,8)=(8,3)=(3,2) =(2,1)=1

14) Prove the following: If p and q are prime, then Φ(pq) = (p-1)(q-1).
(Hint: What numbers have a factor in common with pq?)

SOLUTION
The integers that are less than pq and have a factor in common with pq are: p,2p,3p, .. (q-1)p, q,2q,3q, .. (p-1)q
In total they are (q-1) + (p-1) values.
Since the total number of values less than pq is: pq-1,
then:
Φ(pq) = pq-1 – [(q-1) + (p-1)] = pq –p –q +1 = (p-1)(q-1)

15) Create a pair of public/private RSA keys, using as p and q primes the values p=3, q=11. With such keys, encrypt the
plaintext message m=2.

SOLUTION
n=pq=33
φ(n)=(p-1)(q-1)=20
Possible values for e and d are: 1,3,7,9,11,13,17,19 (co-primes of 20)
If we choose e=7
using the extended Euclid’s algorithm:
rk   ak   bk
20    1    0
 7    0    1
 6    1   -2
 1   -1    3

that gives d= 3, with ed=1 mod φ(n)


If we define the public and private keys as: K+=<e,n> and K-=<d,n>
By encrypting m with the public key K+ we have:
c = E(m) = 2^7 mod 33 = 29

it is also possible to verify that:
m = D(c) = 29^3 mod 33 = (((29*29) mod 33)*29) mod 33 = 16x29 mod 33 = 2

16) With the following values p=7, q=11 and e=13, create a pair of public/private RSA keys KU=<e,n> and KR=<d,n> (use
Euclid’s algorithm for finding the value d). With such keys, decrypt the ciphertext message c=2.

SOLUTION
n=77, Φ(n)=60
e=13

By using the extended Euclid’s algorithm:

rk   ak   bk
60    1    0
13    0    1
 8    1   -4
 5   -1    5
 3    2   -9
 2   -3   14
 1    5  -23

that leads to:
1 = 5·60 − 23·13
that is:
(−23)·13 = 1 mod 60
d = e^-1 = −23 mod 60 = 37

Then:
m = 2^37 mod 77 = 51

Verify:
51^13 mod 77 = 2 = c

17) In a public-key system using RSA, you intercept the ciphertext C = 10 sent to a user whose public key is e = 5, n =
35. What is the plaintext M?

SOLUTION
It is easy to find that n = 35 = 5x7, then p=5, q=7, Φ(pq)=24.
Since it is: d·e = 1 mod 24,
then d=5, and M = 10^d mod n = 10^5 mod 35 = 5

18) In an RSA system, the public key of a given user is e = 31, n = 901. What is the private key of this user?
(Hint: First use trial-and-error to determine p and q; then use the extended Euclidean algorithm to find d)

SOLUTION
By trying to divide n=901 by different prime values p, we find p=17, and q= n/p = 53.
Hence, Φ(n) = 16x52 = 832, and (by using Euclid’s algorithm) d = e^-1 mod 832 = 671.
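
The computations of exercises 15 to 18 in code, as an added example that is not part of the original exercise sheet. It produces the same (rk, ak, bk) rows as the extended Euclid tables above and recovers d by trial-division factoring, which works only because the exercise moduli are tiny; the function names are hypothetical.

```python
def ext_euclid_rows(n, e):
    """Rows (r_k, a_k, b_k) with r_k = a_k*n + b_k*e; the last row holds gcd(n, e)."""
    rows = [(n, 1, 0), (e, 0, 1)]
    while rows[-1][0] != 0:
        (r0, a0, b0), (r1, a1, b1) = rows[-2], rows[-1]
        q = r0 // r1
        rows.append((r0 - q * r1, a0 - q * a1, b0 - q * b1))
    return rows[:-1]                      # drop the final row with remainder 0

def mod_inverse(e, n):
    """e^-1 mod n, read from the b_k column of the last row."""
    g, _, b = ext_euclid_rows(n, e)[-1]
    if g != 1:
        raise ValueError("e has no inverse modulo n: gcd(e, n) = %d" % g)
    return b % n

def factor_semiprime(n):
    """Trial division, as suggested by the hint of exercise 18."""
    p = 2
    while p * p <= n:
        if n % p == 0:
            return p, n // p
        p += 1
    raise ValueError("n is prime")

def private_exponent(e, n):
    """Recover d from the public key <e, n> by factoring n = p*q."""
    p, q = factor_semiprime(n)
    return mod_inverse(e, (p - 1) * (q - 1))

if __name__ == "__main__":
    for row in ext_euclid_rows(60, 13):   # table of exercise 16
        print("%3d %3d %4d" % row)
    d = private_exponent(13, 77)
    print("ex 16: d =", d, " m =", pow(2, d, 77))
    print("ex 17: M =", pow(10, private_exponent(5, 35), 35))
    print("ex 18: d =", private_exponent(31, 901))
```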

19) Show an example of shared key exchange between A and B based on Diffie-Hellman scheme, using the generator g=2 and
the prime p=11.

SOLUTION
If A chooses the secret xa=5, while B chooses the secret xb=3, we have (Diffie-Hellman exchange):
A sends to B: ya = g^xa mod p = 10
B sends to A: yb = g^xb mod p = 8
starting from ya and xb, B computes: KBA = ya^xb mod p = 10^3 = 100x10 = 1x10 = 10
starting from yb and xa, A computes: KAB = yb^xa mod p = 8^5 = (8^2)^2 x 8 = 9^2 x 8 = 4x8 = 10
with: KAB = KBA

20) Show that 2 is a primitive root of 11.

SOLUTION
By computing g^1, g^2, .. g^k mod 11, with g=2, we obtain: 2,4,8,5,10,9,7,3,6,1, that are all the nonzero elements in Z11 that are
coprime with 11 (since 11 is prime, all nonzero integers less than 11 are coprime with 11); that means that 2 is a primitive root of
11.
Alternatively:
From the previously computed values, it is possible to see that the first m such that g^m = 1 mod 11 is m=10=Φ(11).

21) Users A and B use the Diffie-Hellman key exchange technique with a common prime p=71 and a primitive root g=7.
i. If user A has private key xA=5, what is A’s public key yA?
ii. If user B has private key xB=12, what is B’s public key yB?
iii. What is the shared secret key KAB?

SOLUTION
yA = 7^5 mod 71 = 51
yB = 7^12 mod 71 = 4
KAB = 4^5 mod 71 = 51^12 mod 71 = 30
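
Exercises 19 to 21 in code, as an added example that is not part of the original exercise sheet. Besides the exchange itself, it tests whether g is a primitive root without listing all powers, by checking g^((p-1)/f) for each prime factor f of p-1. It assumes p is prime; the function names are hypothetical.

```python
from math import gcd

def prime_factors(n):
    """Set of prime factors of n (trial division, fine for small n)."""
    fs, d = set(), 2
    while d * d <= n:
        while n % d == 0:
            fs.add(d)
            n //= d
        d += 1
    if n > 1:
        fs.add(n)
    return fs

def is_primitive_root(g, p):
    """For prime p: g generates Z_p* iff g^((p-1)/f) != 1 (mod p) for every prime f | p-1."""
    if g % p == 0:
        return False
    return all(pow(g, (p - 1) // f, p) != 1 for f in prime_factors(p - 1))

def powers(g, p):
    """g^1, g^2, ... mod p, up to and including the first power equal to 1."""
    if gcd(g, p) != 1:
        raise ValueError("g must be coprime with p")
    out, x = [], 1
    while True:
        x = (x * g) % p
        out.append(x)
        if x == 1:
            return out

def dh_exchange(g, p, xa, xb):
    """Return (ya, yb, key computed by A, key computed by B)."""
    ya, yb = pow(g, xa, p), pow(g, xb, p)
    return ya, yb, pow(yb, xa, p), pow(ya, xb, p)

if __name__ == "__main__":
    print("ex 19:", dh_exchange(2, 11, 5, 3))
    print("ex 20:", powers(2, 11), is_primitive_root(2, 11))
    print("ex 21:", dh_exchange(7, 71, 5, 12), is_primitive_root(7, 71))
    # Counter-example: 3 only generates a subgroup of 5 elements modulo 11
    print(powers(3, 11), is_primitive_root(3, 11))
```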

22) Let us suppose that you want to securely send a message m from A to B, by guaranteeing ONLY the data confidentiality.
For message encryption you should use a symmetric encryption algorithm (since it is faster than asymmetric algorithm). By
supposing that A and B share only their public RSA keys KUA and KUB (KRA and KRB are the private keys), show which
functions can be executed at the sender and receiver sides. Try to depict the corresponding schemes.

SOLUTION
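Sender:
x = EKs(m) || {Ks}KUB
where E is the symmetric cipher keyed with the secret key Ks, and {Ks}KUB is Ks encrypted with RSA under the public key KUB.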

23) Let us suppose that you want to securely send a message m from A to B, by guaranteeing ONLY data
authentication/integrity. By supposing that A and B share only a secret key KAB and a hash algorithm H(), show which
functions can be executed at the sender and receiver sides. Try to depict the corresponding schemes.

SOLUTION
Sender:
x = m || mac(KAB,m)
with: mac(KAB,m) = H(m||KAB)

24) Let us suppose that you want to securely send a message m from A to B, by guaranteeing both confidentiality and data
authentication/integrity. For message encryption you should use a symmetric encryption algorithm (since it is faster than
asymmetric algorithm). By supposing that A and B share only their public RSA keys KUA and KUB (KRA and KRB are the
private keys), show which functions can be executed at the sender and receiver sides. Try to depict the corresponding
schemes. A and B share the following algorithms: RSA, AES, SHA1.

SOLUTION
Data that are sent:
x = AESKs(m) || RSAKUb(Ks) || RSAKRa(H(m))

or also:
x = AESKs(m || RSAKRa(H(m))) || RSAKUb(Ks)

25) Let us suppose that you want to securely send a message m from A to two recipients B and C, by guaranteeing both
confidentiality (through symmetric encryption with algorithm Ek()) and data authentication/integrity (through digital
signature). Let us suppose that A, B and C have their own private RSA keys, K-A, K-B and K-C, and that they share all their
public keys K+A, K+B and K+C.
Please show which functions could be executed by A (sender), and the resulting message x that is actually sent from A to B
and C.

SOLUTION
Sender A sends the same message to B and C:
x = EKs(m) || {Ks}K+B || {Ks}K+C || {H(m)}K-A

26) Show a possible secure authentication scheme between Alice (supplicant) and Bob (authenticator), by supposing that Alice
and Bob share their public RSA keys KUA and KUB (KRA and KRB are the corresponding private keys).

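SOLUTION
Alice → Bob: request
Bob → Alice: R
Alice → Bob: {R}KR_A

or:
Alice → Bob: request
Bob → Alice: {R}KU_A
Alice → Bob: R

or:
Alice → Bob: request
Bob → Alice: {R}KU_A
Alice → Bob: {R}KU_B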

27) Show a possible mutual authentication scheme between Alice and Bob, based on the use of an hash function H(.) and a
shared secret KAB.

SOLUTION
Alice → Bob: request
Bob → Alice: R1
Alice → Bob: H(R1||KAB) , R2
Bob → Alice: H(R2||KAB)

28) Show a possible key transport scheme between two entities A and B, based on asymmetric encryption (public key
cryptography), without the use of a KDC.

SOLUTION

A possible key distribution scheme between A and B is:


A → B: {Ks,signA(IDB,Ks)}KUb

This scheme guarantees implicit key authentication to A, key authentication and confirmation to B, but no key confirmation to
A. It also doesn’t guarantee key freshness to B.

In order to add key freshness guarantee (to B), a timestamp can be also included:
A → B: {Ks,t,signA(IDB,Ks,t)}KUb

29) Show an example of authenticated DH exchange that holds out against MITM attack.

SOLUTION
An example of authenticated DH that uses only digital signature is:
A → B: A, g^Xa
A ← B: B, g^Xb, SignB(g^Xa || g^Xb || A)
A → B: SignA(g^Xa || g^Xb || B)

An authenticated DH that uses both signature and encryption is (it is a variant of the STS protocol):
A → B: g^Xa
A ← B: g^Xb, EKs(B || SignB(g^Xa || g^Xb))
A → B: EKs(A || SignA(g^Xa || g^Xb))
where Ks is a key derived from the DH result g^(Xa·Xb).

30) Let us consider an entity A that holds the following digital certificates: certCA3(A), certCA2(CA3), certCA1(CA2), and
certCA1(CA1) (where certY(X) refers to the certificate of X signed by Y). Indicate what A should send to B in order to let A
and B start a secure communication, under the following different hypotheses:

SOLUTION
B owns:                     A should send to B:
certCA1(CA1)                certCA3(A), certCA2(CA3), certCA1(CA2)
certCA3(A)                  no additional certificate is required
certCA1(CA2)                certCA3(A), certCA2(CA3)
certCA1(CA1), certCA3(A)    no additional certificate is required

31) If A holds certB(A) and certC(B) (where certY(X) refers to the certificate of X signed by Y), while D holds certE(D), please
indicate:
a. what should A hold in order to authenticate D? Show a possible authentication scheme.
b. what should D hold in order to authenticate A? Show a possible authentication scheme.

SOLUTION
a) what should A hold in order to authenticate D? Show a possible authentication scheme.
The public key of D,
OR the public key of E

In the latter case (A holds the public key of E), a possible authentication scheme is:
D → A: request
A → D: R
D → A: {R}KRd , certE(D)
Note: the certE(D) can be sent either in the first or in third message.

OR:
D → A: request , certE(D)
A → D: {R}KUd
D → A: R

b) what should D hold in order to authenticate A? Show a possible authentication scheme.


The public key of A,
OR the public key of B,
OR the public key of C.

In the latter case (D holds the public key of C), a possible authentication scheme is:
A → D: request
D → A: R
A → D: {R}KRa, certB(A), certC(B)
OR:
A → D: request, certB(A), certC(B)
D → A: {R}KUa
A → D: R

32) Let us consider an anonymizing network formed by high-latency anonymizing Mix nodes. Let us consider the case in which
a node A wants to send a message m to a node B by means of three intermediate Mix nodes X, Y, and Z. Assume that K+i
and K-i are respectively the public and private keys of node i (i=x,y,z).
Indicate the format of the message CX composed by A and sent to the first node X.

SOLUTION

Data sent by A to the first node X: CX = EK+x( IDY || EK+y(IDZ || EK+z(IDB || m) ) )

where IDi is the identity or address of node i.

Note:
node X will receive such data, decrypt it with K-x and relay the following content data to Y: EK+y(IDZ, EK+z(IDB, M) )
node Y will receive such data, decrypt it with K-y and relay the following content data to Z: EK+z(IDB, M)
node Z will receive such data, decrypt it with K-z and relay the message m to B.

33) Consider the following C function for verifying a user-provided password. Which type of attack could it be vulnerable to?
What is a possible input password that could exploit such vulnerability?

#include <string.h>

int verifyPassword(char* pwd) {
    char str1[8];
    char str2[8];
    strcpy(str1,"SECRET"); // correct password is "SECRET"
    strcpy(str2,pwd);
    if (strncmp(str1,str2,8)==0) return 1; // compares the first 8 characters
    else return 0;
}

SOLUTION

It is vulnerable to a buffer overflow attack. Any input string formed by a repetition of the same 8 characters may lead to a
success.
For example, input: aaaaaaabaaaaaaab
When the input string is copied to str2, the second part ‘aaaaaaab’ will overwrite str1 (this assumes that str1 is placed in memory
immediately after str2). The result is that the comparison of the first 8 characters of str1 and str2 will match.

If the input string is much longer than 16 characters, the stack frame of the function can be damaged, resulting in a program
error (possible DoS attack).

34) Let us consider the following network scheme, where in the node 100.5.5.2 there is a HTTP web server (TCP port 80) and
a SMTP mail server (TCP port 25); you are requested to configure the filtering table of the router R1 so that:
i) from external clients it is possible to access to the internal web server (node 100.5.5.2, TCP port 80);
ii) from internal clients it is possible to access any external web server (port 80);
iii) all client/server and server/client communications between the internal SMTP mail server and possible external SMTP
servers are enabled; that is, internal SMTP Client → external SMTP Server (TCP port 25), and external SMTP Client
→ internal SMTP Server (TCP port 25).

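[Figure: the internal network 100.5.5.0/24, which includes the server 100.5.5.2, is attached to interface eth0 of the packet filter PF-R1; the Internet is reached through interface ppp0.]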

SOLUTION

FORWARD
in_interface  out_interface  s_addr        d_addr     Proto  s_port  d_port  state        action (ACCEPT/DROP)
*             *              *             *          *      *       *       ESTABLISHED  ACCEPT
ppp0          eth0           *             100.5.5.2  TCP    *       80      NEW          ACCEPT
eth0          ppp0           100.5.5.0/24  *          TCP    *       80      NEW          ACCEPT
ppp0          eth0           *             100.5.5.2  TCP    *       25      NEW          ACCEPT
eth0          ppp0           100.5.5.2     *          TCP    *       25      NEW          ACCEPT
*             *              *             *          *      *       *       *            DROP

Or by applying anti-spoofing rules separately:


FORWARD
in_interface  out_interface  s_addr        d_addr     Proto  s_port  d_port  state        action (ACCEPT/DROP)
ppp0          eth0           100.5.5.0/24  *          *      *       *       *            DROP
*             *              *             *          *      *       *       ESTABLISHED  ACCEPT
*             *              *             100.5.5.2  TCP    *       80      NEW          ACCEPT
*             *              100.5.5.0/24  *          TCP    *       80      NEW          ACCEPT
*             *              *             100.5.5.2  TCP    *       25      NEW          ACCEPT
*             *              100.5.5.2     *          TCP    *       25      NEW          ACCEPT
*             *              *             *          *      *       *       *            DROP
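
The first filtering table of exercise 34, evaluated with first-match semantics over a few packets, as an added example that is not part of the original exercise sheet. The evaluator and its names are hypothetical (it is not iptables), and the sample packets, including the external address 198.51.100.7, are constructed.

```python
import ipaddress

# Columns: in_if, out_if, s_addr, d_addr, proto, s_port, d_port, state, action
R1_TABLE = [
    ("*",    "*",    "*",            "*",         "*",   "*", "*", "ESTABLISHED", "ACCEPT"),
    ("ppp0", "eth0", "*",            "100.5.5.2", "TCP", "*", 80,  "NEW",         "ACCEPT"),
    ("eth0", "ppp0", "100.5.5.0/24", "*",         "TCP", "*", 80,  "NEW",         "ACCEPT"),
    ("ppp0", "eth0", "*",            "100.5.5.2", "TCP", "*", 25,  "NEW",         "ACCEPT"),
    ("eth0", "ppp0", "100.5.5.2",    "*",         "TCP", "*", 25,  "NEW",         "ACCEPT"),
    ("*",    "*",    "*",            "*",         "*",   "*", "*", "*",           "DROP"),
]

def field_matches(pattern, value, is_addr):
    if pattern == "*":
        return True
    if is_addr:   # a single address is treated as a /32 network
        return ipaddress.ip_address(value) in ipaddress.ip_network(pattern)
    return pattern == value

def verdict(table, pkt):
    """Return (index, action) of the first rule that matches the packet.

    pkt = (in_if, out_if, s_addr, d_addr, proto, s_port, d_port, state)
    """
    for i, rule in enumerate(table):
        if all(field_matches(p, v, k in (2, 3))
               for k, (p, v) in enumerate(zip(rule[:8], pkt))):
            return i, rule[8]
    return None, "DROP"       # nothing matched: drop by default

# Constructed sample packets
EXT = "198.51.100.7"
SAMPLES = {
    "external client -> internal web server":
        ("ppp0", "eth0", EXT, "100.5.5.2", "TCP", 40000, 80, "NEW"),
    "external client -> other internal host, port 80":
        ("ppp0", "eth0", EXT, "100.5.5.9", "TCP", 40000, 80, "NEW"),
    "internal client -> external web server":
        ("eth0", "ppp0", "100.5.5.9", EXT, "TCP", 40001, 80, "NEW"),
    "reply to that internal client":
        ("ppp0", "eth0", EXT, "100.5.5.9", "TCP", 80, 40001, "ESTABLISHED"),
    "internal mail server -> external SMTP server":
        ("eth0", "ppp0", "100.5.5.2", EXT, "TCP", 40002, 25, "NEW"),
    "internal client -> external SMTP server":
        ("eth0", "ppp0", "100.5.5.9", EXT, "TCP", 40003, 25, "NEW"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-50s rule %s: %s" % ((name,) + verdict(R1_TABLE, pkt)))
```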

35) Let us consider the following company network formed by an internal network and a DMZ separated by a screening router
R2, and connected to the external public network (Internet) through the screening router R1, as shown in figure.
You are requested to configure the filtering table of R1 so that:
a) it is possible to establish application level client→server communications (through any transport protocol) from any
DMZ node to any external node;
b) it is blocked any attempt to establish a client→server communication from the external network to the DMZ;
c) it is blocked any communication between the internal and the external networks;
d) it is possible to establish TCP connections from the external network to the node 200.0.0.5 TCP port 80 (HTTP).

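[Figure, from left to right: internal network 200.0.1.0/24; screening router PF-R2 (interfaces eth1, eth0); DMZ 200.0.0.0/24 with the node 200.0.0.5; screening router PF-R1 (interfaces eth1, eth0); Internet.]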

SOLUTION

FORWARD
in_int  out_int  s_addr        d_addr     Proto  s_port  d_port  state        action (ACCEPT/DROP)
*       *        *             *          *      *       *       ESTABLISHED  ACCEPT
eth1    eth0     200.0.0.0/24  *          *      *       *       NEW          ACCEPT
eth0    eth1     *             200.0.0.5  TCP    *       80      NEW          ACCEPT
*       *        *             *          *      *       *       *            DROP
