網(wǎng)絡(luò)安全技術(shù)英文習(xí)題集網(wǎng)絡(luò)安全技術(shù)樣本

《網(wǎng)絡(luò)安全技術(shù)》英文習(xí)題集Chapter1IntroductionANSWERSNSWERSTOQUESTIONS1.1WhatistheOSIsecurityarchitecture?TheOSISecurityArchitectureisaframeworkthatprovidesasystematicwayofdefiningtherequirementsforsecurityandcharacterizingtheapproachestosatisfyingthoserequirements.Thedocumentdefinessecurityattacks，mechanisms，andservices，andtherelationshipsamongthesecategories.1.2Whatisthedifferencebetweenpassiveandactivesecuritythreats?Passiveattackshavetodowitheavesdroppingon，ormonitoring，transmissions.Electronicmail，filetransfers，andclient/serverexchangesareexamplesoftransmissionsthatcanbemonitored.Activeattacksincludethemodificationoftransmitteddataandattemptstogainunauthorizedaccesstocomputersystems.1.3Listsandbrieflydefinecategoriesofpassiveandactivesecurityattacks?Passiveattacks：releaseofmessagecontentsandtrafficanalysis.Activeattacks：masquerade，replay，modificationofmessages，anddenialofservice.1.4Listsandbrieflydefinecategoriesofsecurityservice?Authentication：Theassurancethatthecommunicatingentityistheonethatitclaimstobe.Accesscontrol：Thepreventionofunauthorizeduseofaresource(i.e.，thisservicecontrolswhocanhaveaccesstoaresource，underwhatconditionsaccesscanoccur，andwhatthoseaccessingtheresourceareallowedtodo).Dataconfidentiality：Theprotectionofdatafromunauthorizeddisclosure.Dataintegrity：Theassurancethatdatareceivedareexactlyassentbyanauthorizedentity(i.e.，containnomodification，insertion，deletion，orreplay).Nonrepudiation：Providesprotectionagainstdenialbyoneoftheentitiesinvolvedinacommunicationofhavingparticipatedinallorpartofthecommunication.Availabilityservice：Thepropertyofasystemorasystemresourcebeingaccessibleandusableupondemandbyanauthorizedsystementity，accordingtoperformancespecificationsforthesystem(i.e.，asystemisavailableifitprovidesservicesaccordingtothesystemdesignwheneverusersrequestthem).Chapter2SymmetricEncryptionandMessageConfidentialityANSWERSNSWERSTOQUESTIONS2.1Whataretheessentialingredientsofasymmetriccipher?Plaintext，encryptionalgorithm，secretkey，ciphertext，decryptionalgorithm.2.2Whatarethetwobasicfunctionsusedinencryptionalgorithms?Permutationandsubstitution.2.3Howmanykeysarerequiredfortwopeopletocommunicateviaasymmetriccipher?Onesecretkey.2.4Whatisthedifferencebetweenablockcipherandastreamcipher?Astreamcipherisonethatencryptsadigitaldatastreamonebitoronebyteatatime.Ablockcipherisoneinwhichablockofplaintextistreatedasawholeandusedtoproduceaciphertextblockofequallength.2.5Whatarethetwogeneralapproachestoattackingacipher?Cryptanalysisandbruteforce.2.6Whydosomeblockciphermodesofoperationonlyuseencryptionwhileothersusebothencryptionanddecryption?Insomemodes，theplaintextdoesnotpassthroughtheencryptionfunction，butisXORedwiththeoutputoftheencryptionfunction.Themathworksoutthatfordecryptioninthesecases，theencryptionfunctionmustalsobeused.2.7Whatistripleencryption?Withtripleencryption，aplaintextblockisencryptedbypassingitthroughanencryptionalgorithm；theresultisthenpassedthroughthesameencryptionalgorithmagain；theresultofthesecondencryptionispassedthroughthesameencryptionalgorithmathirdtime.Typically，thesecondstageusesthedecryptionalgorithmratherthantheencryptionalgorithm.2.8Whyisthemiddleportionof3DESadecryptionratherthananencryption?Thereisnocryptographicsignificancetotheuseofdecryptionforthesecondstage.Itsonlyadvantageisthatitallowsusersof3DEStodecryptdataencryptedbyusersoftheoldersingleDESbyrepeatingthekey.2.9Whatisthedifferencebetweenlinkandend-to-endencryption?Withlinkencryption，eachvulnerablecommunicationslinkisequippedonbothendswithanencryptiondevice.Withend-to-endencryption，theencryptionprocessiscarriedoutatthetwoendsystems.Thesourcehostorterminalencryptsthedata；thedatainencryptedformarethentransmittedunalteredacrossthenetworktothedestinationterminalorhost.2.10Listwaysinwhichsecretkeyscanbedistributedtotwocommunicatingparties.FortwopartiesAandB，keydistributioncanbeachievedinanumberofways，asfollows:(1)AcanselectakeyandphysicallydeliverittoB.(2)AthirdpartycanselectthekeyandphysicallydeliverittoAandB.(3)IfAandBhavepreviouslyandrecentlyusedakey，onepartycantransmitthenewkeytotheother，encryptedusingtheoldkey.(4)IfAandBeachhasanencryptedconnectiontoathirdpartyC，CcandeliverakeyontheencryptedlinkstoAandB.2.11Whatisthedifferencebetweenasessionkeyandamasterkey?Asessionkeyisatemporaryencryptionkeyusedbetweentwoprincipals.Amasterkeyisalong-lastingkeythatisusedbetweenakeydistributioncenterandaprincipalforthepurposeofencodingthetransmissionofsessionkeys.Typically，themasterkeysaredistributedbynoncryptographicmeans.2.12Whatisakeydistributioncenter?Akeydistributioncenterisasystemthatisauthorizedtotransmittemporarysessionkeystoprincipals.Eachsessionkeyistransmittedinencryptedform，usingamasterkeythatthekeydistributioncentershareswiththetargetprincipal.ANSWERSNSWERSTOPROBLEMS2.1WhatRC4keyvaluewillleaveSunchangedduringinitialization?Thatis，aftertheinitialpermutationofS，theentriesofSwillbeequaltothevaluesfrom0through255inascendingorder.Useakeyoflength255bytes.Thefirsttwobytesarezero；thatisK[0]=K[1]=0.Thereafter，wehave：K[2]=255；K[3]=254；…K[255]=2.2.2Ifabiterroroccursinthetransmissionofaciphertextcharacterin8-bitCFBmode，howfardoestheerrorpropagate?Nineplaintextcharactersareaffected.Theplaintextcharactercorrespondingtotheciphertextcharacterisobviouslyaltered.Inaddition，thealteredciphertextcharacterenterstheshiftregisterandisnotremoveduntilthenexteightcharactersareprocessed.2.3Keydistributionschemesusinganaccesscontrolcenterand/orakeydistributioncenterhavecentralpointsvulnerabletoattack.Discussthesecurityimplicationsofsuchcentralization.Thecentralpointsshouldbehighlyfault-tolerant，shouldbephysicallysecured，andshouldusetrustedhardware/software.Chapter3Public-KeyCryptographyandMessageAuthenticationANSWERSNSWERSTOQUESTIONS3.1Listthreeapproachestomessageauthentication.Messageencryption，messageauthenticationcode，hashfunction.3.2Whatismessageauthenticationcode?Anauthenticatorthatisacryptographicfunctionofboththedatatobeauthenticatedandasecretkey.3.3BrieflydescribethethreeschemesillustratedinFigture3.2.(a)Ahashcodeiscomputedfromthesourcemessage，encryptedusingsymmetricencryptionandasecretkey，andappendedtothemessage.Atthereceiver，thesamehashcodeiscomputed.Theincomingcodeisdecryptedusingthesamekeyandcomparedwiththecomputedhashcode.(b)Thisisthesameprocedureasin(a)exceptthatpublic-keyencryptionisused；thesenderencryptsthehashcodewiththesender'sprivatekey，andthereceiverdecryptsthehashcodewiththesender'spublickey.(c)Asecretvalueisappendedtoamessageandthenahashcodeiscalculatedusingthemessageplussecretvalueasinput.Thenthemessage(withoutthesecretvalue)andthehashcodearetransmitted.Thereceiverappendsthesamesecretvaluetothemessageandcomputesthehashvalueoverthemessageplussecretvalue.Thisisthencomparedtothereceivedhashcode.3.4Whatpropertiesmustahashfunctionhavetobeusefulformessageauthentication?(1)Hcanbeappliedtoablockofdataofanysize.(2)Hproducesafixed-lengthoutput.(3)H(x)isrelativelyeasytocomputeforanygivenx，makingbothhardwareandsoftwareimplementationspractical.(4)Foranygivenvalueh，itiscomputationallyinfeasibletofindxsuchthatH(x)=h.Thisissometimesreferredtointheliteratureastheone-wayproperty.(5)Foranygivenblockx，itiscomputationallyinfeasibletofindy≠xwithH(y)=H(x).(6)Itiscomputationallyinfeasibletofindanypair(x，y)suchthatH(x)=H(y).3.5Inthecontextofahashfunction，whatisacompressionfunction?Thecompressionfunctionisthefundamentalmodule，orbasicbuildingblock，ofahashfunction.Thehashfunctionconsistsofiteratedapplicationofthecompressionfunction.3.6Whataretheprincipalingredientsofapublic-keycryptosystem?Plaintext：Thisisthereadablemessageordatathatisfedintothealgorithmasinput.Encryptionalgorithm：Theencryptionalgorithmperformsvarioustransformationsontheplaintext.Publicandprivatekeys：Thisisapairofkeysthathavebeenselectedsothatifoneisusedforencryption，theotherisusedfordecryption.Theexacttransformationsperformedbytheencryptionalgorithmdependonthepublicorprivatekeythatisprovidedasinput.Ciphertext：Thisisthescrambledmessageproducedasoutput.Itdependsontheplaintextandthekey.Foragivenmessage，twodifferentkeyswillproducetwodifferentciphertexts.Decryptionalgorithm：Thisalgorithmacceptstheciphertextandthematchingkeyandproducestheoriginalplaintext.3.7Listandbrieflydefinethreeusesofapublic-keycryptosystem.Encryption/decryption：Thesenderencryptsamessagewiththerecipient'spublickey.Digitalsignature：Thesender"signs"amessagewithitsprivatekey.Signingisachievedbyacryptographicalgorithmappliedtothemessageortoasmallblockofdatathatisafunctionofthemessage.Keyexchange：Twosidescooperatetoexchangeasessionkey.Severaldifferentapproachesarepossible，involvingtheprivatekey(s)ofoneorbothparties.3.8Whatisthedifferencebetweenaprivatekeyandasecretkey?Thekeyusedinconventionalencryptionistypicallyreferredtoasasecretkey.Thetwokeysusedforpublic-keyencryptionarereferredtoasthepublickeyandtheprivatekey.3.9Whatisdigitalsignature?Adigitalsignatureisanauthenticationmechanismthatenablesthecreatorofamessagetoattachacodethatactsasasignature.Thesignatureisformedbytakingthehashofthemessageandencryptingthemessagewiththecreator'sprivatekey.Thesignatureguaranteesthesourceandintegrityofthemessage.3.10Whatisapublic-keycertificate?Apubic-keycertificateconsistsofapublickeyplusaUserIDofthekeyowner，withthewholeblocksignedbyatrustedthirdparty.Typically，thethirdpartyisacertificateauthority(CA)thatistrustedbytheusercommunity，suchasagovernmentagencyorafinancialinstitution.3.11Howcanpublic-keyencryptionbeusedtodistributeasecretkey?Severaldifferentapproachesarepossible，involvingtheprivatekey(s)ofoneorbothparties.OneapproachisDiffie-Hellmankeyexchange.Anotherapproachisforthesendertoencryptasecretkeywiththerecipient'spublickey.ANSWERSNSWERSTOPROBLEMS3.1Considera32-bithashfunctiondefinedastheconcatenationoftwo16-bitfunctions：XORandRXOR，definedinSection3.2as“twosimplehashfunction.”a.Willthischecksumdetectallerrorscausedbyanoddnumberoferrorbits?Explain.b.Willthischecksumdetectallerrorscausedbyanevennumberoferrorbits?Ifnot，characterizetheerrorpatternsthatwillcausethechecksumtofail.c.Commentsontheeffectivenessofthisfunctionforuseahashfunctionsforauthentication.a.Yes.TheXORfunctionissimplyaverticalparitycheck.Ifthereisanoddnumberoferrors，thentheremustbeatleastonecolumnthatcontainsanoddnumberoferrors，andtheparitybitforthatcolumnwilldetecttheerror.NotethattheRXORfunctionalsocatchesallerrorscausedbyanoddnumberoferrorbits.EachRXORbitisafunctionofaunique"spiral"ofbitsintheblockofdata.Ifthereisanoddnumberoferrors，thentheremustbeatleastonespiralthatcontainsanoddnumberoferrors，andtheparitybitforthatspiralwilldetecttheerror.b.No.ThechecksumwillfailtodetectanevennumberoferrorswhenboththeXORandRXORfunctionsfail.Inorderforbothtofail，thepatternoferrorbitsmustbeatintersectionpointsbetweenparityspiralsandparitycolumnssuchthatthereisanevennumberoferrorbitsineachparitycolumnandanevennumberoferrorbitsineachspiral.c.Itistoosimpletobeusedasasecurehashfunction；findingmultiplemessageswiththesamehashfunctionwouldbetooeasy.3.2SupposeH(m)isacollisionresistanthashfunctionthatmapsamessageofarbitrarybitlengthintoann-bithashvalue.Isittruethat，forallmessagesx，x’withx≠x’,wehaveH(x)≠H(x’)?Explainyouranswer.Thestatementisfalse.Suchafunctioncannotbeone-to-onebecausethenumberofinputstothefunctionisofarbitrary，butthenumberofuniqueoutputsis2n.Thus，therearemultipleinputsthatmapintothesameoutput.3.3PerformencryptionanddecryptionusingtheRSAalgorithm，asinFigture3.9，forthefollowing:a.p=3;q=11;e=7;M=5b.p=5;q=11;e=3;M=9c.p=7;q=11;e=17;M=8d.p=11;q=13;e=11;M=7e.p=17;q=31;e=7;M=2.Hint：Decryptionisnotashardasyouthink；usesomefinesse.a.n=33；(n)=20；d=3；C=26.b.n=55；(n)=40；d=27；C=14.c.n=77；(n)=60；d=53；C=57.d.n=143；(n)=120；d=11；C=106.e.n=527；(n)=480；d=343；C=128.Fordecryption，wehave128343mod527=1282561286412816128412821281mod527=352563510147128=2mod527=2mod2573.4Inapublic-keysystemusingRSA，youintercepttheciphertextC=10senttoauserwhosepublickeyise=5，n=35.WhatistheplaintextM?M=53.5InanRSAsystem，thepublickeyofagivenuserise=31，n=3599.Whatistheprivatekeyofthisuser?d=30313.6SupposewehaveasetofblocksencodedwiththeRSAalgorithmandwedon’thavetheprivatekey，Assumen=pq，eisthepublickey.Supposealsosomeonetellsustheyknowoneoftheplaintextblockshasacommonfactorwithn.Doesthishelpusinanyway?Yes.Ifaplaintextblockhasacommonfactorwithnmodulonthentheencodedblockwillalsohaveacommonfactorwithnmodulon.Becauseweencodeblocksthataresmallerthanpq，thefactormustbeporqandtheplaintextblockmustbeamultipleofporq.Wecantesteachblockforprimality.Ifprime，itisporq.Inthiscasewedivideintontofindtheotherfactor.Ifnotprime，wefactoritandtrythefactorsasdivisorsofn.3.7ConsideraDiffie-Hellmanschemewithacommonprimeq=11andaprimitiveroota=2.a.IfuserAhaspublickeyYA=9，whatisA’sprivatekeyXA?b.IfuserBhaspublickeyYB=3，whatisthesharedsecretkeyK?a.XA=6b.K=3Chapter4AuthenticationApplicationsANSWERSNSWERSTOQUESTIONS4.1WhatproblemwasKerberosdesignedtoaddress?TheproblemthatKerberosaddressesisthis：Assumeanopendistributedenvironmentinwhichusersatworkstationswishtoaccessservicesonserversdistributedthroughoutthenetwork.Wewouldlikeforserverstobeabletorestrictaccesstoauthorizedusersandtobeabletoauthenticaterequestsforservice.Inthisenvironment，aworkstationcannotbetrustedtoidentifyitsuserscorrectlytonetworkservices.4.2WhatarethreethreatsassociatedwithuserauthenticationoveranetworkorInternet?Ausermaygainaccesstoaparticularworkstationandpretendtobeanotheruseroperatingfromthatworkstation.2.Ausermayalterthenetworkaddressofaworkstationsothattherequestssentfromthealteredworkstationappeartocomefromtheimpersonatedworkstation.3.Ausermayeavesdroponexchangesanduseareplayattacktogainentrancetoaserverortodisruptoperations.4.3Listthreeapproachestosecureuserauthenticationinadistributedenvironment.Relyoneachindividualclientworkstationtoassuretheidentityofitsuserorusersandrelyoneachservertoenforceasecuritypolicybasedonuseridentification(ID).2.Requirethatclientsystemsauthenticatethemselvestoservers，buttrusttheclientsystemconcerningtheidentityofitsuser.3.Requiretheusertoproveidentityforeachserviceinvoked.Alsorequirethatserversprovetheiridentitytoclients.4.4WhatfourrequirementsaredefinedforKerberos?Secure：Anetworkeavesdroppershouldnotbeabletoobtainthenecessaryinformationtoimpersonateauser.Moregenerally，Kerberosshouldbestrongenoughthatapotentialopponentdoesnotfindittobetheweaklink.Reliable：ForallservicesthatrelyonKerberosforaccesscontrol，lackofavailabilityoftheKerberosservicemeanslackofavailabilityofthesupportedservices.Hence，Kerberosshouldbehighlyreliableandshouldemployadistributedserverarchitecture，withonesystemabletobackupanother.Transparent：Ideally，theusershouldnotbeawarethatauthenticationistakingplace，beyondtherequirementtoenterapassword.Scalable：Thesystemshouldbecapableofsupportinglargenumbersofclientsandservers.Thissuggestsamodular，distributedarchitecture.4.5Whatentitiesconstituteafull-serviceKerberosenvironment?Afull-serviceKerberosenvironmentconsistsofaKerberosserver，anumberofclients，andanumberofapplicationservers.4.6InthecontextofKerberos，whatisarealm?Arealmisanenvironmentinwhich：1.TheKerberosservermusthavetheuserID(UID)andhashedpasswordofallparticipatingusersinitsdatabase.AllusersareregisteredwiththeKerberosserver.2.TheKerberosservermustshareasecretkeywitheachserver.AllserversareregisteredwiththeKerberosserver.4.7Whataretheprincipaldifferencebetweenversion4andversion5ofKerberos?Version5overcomessomeenvironmentalshortcomingsandsometechnicaldeficienciesinVersion4.4.8WhatisthepurposeoftheX.509standard?X.509definesaframeworkfortheprovisionofauthenticationservicesbytheX.500directorytoitsusers.Thedirectorymayserveasarepositoryofpublic-keycertificates.Eachcertificatecontainsthepublickeyofauserandissignedwiththeprivatekeyofatrustedcertificationauthority.Inaddition，X.509definesalternativeauthenticationprotocolsbasedontheuseofpublic-keycertificates.4.9Whatisachainofcertificates?Achainofcertificatesconsistsofasequenceofcertificatescreatedbydifferentcertificationauthorities(CAs)inwhicheachsuccessivecertificateisacertificatebyoneCAthatcertifiesthepublickeyofthenextCAinthechain.4.10HowisanX.509certificaterevoked?Theownerofapublic-keycanissueacertificaterevocationlistthatrevokesoneormorecertificates.ANSWERSNSWERSTOPROBLEMS4.1ShowthatarandomerrorinblockofciphertextispropagatedtoallsubsequentblocksofplaintextinPCBCmode(Figure4.9).AnerrorinC1affectsP1becausetheencryptionofC1isXORedwithIVtoproduceP1.BothC1andP1affectP2，whichistheXORoftheencryptionofC2withtheXORofC1andP1.Beyondthat，PN–1isoneoftheXORedinputstoformingPN.4.2The1988versionofX.509listspropertiesthatPSAkeysmustsatisfytobesecure，givencurrentknowledgeaboutthedifficultyoffactoringlargenumbers.Thediscussionconcludeswithaconstraintonthepublicexponentandthemodulusn：Itmustbeensuredthate>log2(n)topreventattackbytakingtheethrootmodntodisclosetheplaintext.Althoughtheconstraintiscorrect，thereasongivenforrequiringitisincorrect.Whatiswrongwiththereasongivenandwhatisthecorrectreason?Takingtheethrootmodnofaciphertextblockwillalwaysrevealtheplaintext，nomatterwhatthevaluesofeandnare.Ingeneralthisisaverydifficultproblem，andindeedisthereasonwhyRSAissecure.Thepointisthat，ifeistoosmall，thentakingthenormalintegerethrootwillbethesameastakingtheethrootmodn，andtakingintegerethrootsisrelativelyeasy.Chapter5ElectronicMailSecurityANSWERSNSWERSTOQUESTIONS5.1WhatarethefiveprincipalservicesprovidedbyPGP?Authentication，confidentiality，compression，e-mailcompatibility，andsegmentation5.2Whatistheutilityofadetachedsignature?Adetachedsignatureisusefulinseveralcontexts.Ausermaywishtomaintainaseparatesignaturelogofallmessagessentorreceived.Adetachedsignatureofanexecutableprogramcandetectsubsequentvirusinfection.Finally，detachedsignaturescanbeusedwhenmorethanonepartymustsignadocument，suchasalegalcontract.Eachperson'ssignatureisindependentandthereforeisappliedonlytothedocument.Otherwise，signatureswouldhavetobenested，withthesecondsignersigningboththedocumentandthefirstsignature，andsoon.5.3WhydoesPGPgenerateasignaturebeforeapplyingcompression?a.Itispreferabletosignanuncompressedmessagesothatonecanstoreonlytheuncompressedmessagetogetherwiththesignatureforfutureverification.Ifonesignedacompresseddocument，thenitwouldbenecessaryeithertostoreacompressedversionofthemessageforlaterverificationortorecompressthemessagewhenverificationisrequired.b.Evenifonewerewillingtogeneratedynamicallyarecompressedmessageforverification，PGP'scompressionalgorithmpresentsadifficulty.Thealgorithmisnotdeterministic；variousimplementationsofthealgorithmachievedifferenttradeoffsinrunningspeedversuscompressionratioand，asaresult，producedifferentcompressedforms.However，thesedifferentcompressionalgorithmsareinteroperablebecauseanyversionofthealgorithmcancorrectlydecompresstheoutputofanyotherversion.ApplyingthehashfunctionandsignatureaftercompressionwouldconstrainallPGPimplementationstothesameversionofthecompressionalgorithm.5.4WhatisR64conversion?R64convertsaraw8-bitbinarystreamtoastreamofprintableASCIIcharacters.EachgroupofthreeoctetsofbinarydataismappedintofourASCIIcharacters.5.5WhyisR64conversionusefulforane-mailapplication?WhenPGPisused，atleastpartoftheblocktobetransmittedisencrypted.Ifonlythesignatureserviceisused，thenthemessagedigestisencrypted(withthesender'sprivatekey).Iftheconfidentialityserviceisused，themessageplussignature(ifpresent)areencrypted(withaone-timesymmetrickey).Thus，partoralloftheresultingblockconsistsofastreamofarbitrary8-bitoctets.However，manyelectronicmailsystemsonlypermittheuseofblocksconsistingofASCIItext.5.6WhyisthesegmentationandreassemblyfunctioninPGPneeded?E-mailfacilitiesoftenarerestrictedtoamaximummessagelength.5.7HowdoesPGPusetheconceptoftrust?PGPincludesafacilityforassigningaleveloftrusttoindividualsignersandtokeys.5.8WhatisRFC822?RFC822definesaformatfortextmessagesthataresentusingelectronicmail.5.9WhatisMIME?MIMEisanextensiontotheRFC822frameworkthatisintendedtoaddresssomeoftheproblemsandlimitationsoftheuseofSMTP(SimpleMailTransferProtocol)orsomeothermailtransferprotocolandRFC822forelectronicmail.5.10WhatisS/MIME?S/MIME(Secure/MultipurposeInternetMailExtension)isasecurityenhancementtotheMIMEInternete-mailformatstandard，basedontechnologyfromRSADataSecurity.ANSWERSNSWERSTOPROBLEMS5.1InthePGPscheme，whatistheexpectednumberofsessionkeysgeneratedbeforeapreviouslycreatedkeyisproduced?ThisisjustanotherformofthebirthdayparadoxdiscussedinAppendix11A.Letusstatetheproblemasoneofdeterminingwhatnumberofsessionkeysmustbegeneratedsothattheprobabilityofaduplicateisgreaterthan0.5.FromEquation(11.6)inAppendix11A，wehavetheapproximation:k1.18nFora128-bitkey，thereare2128possiblekeys.Thereforek1.1821281.182645.2Thefirst16bitsofthemessagedigestinaPGPsignaturearetranslatedintheclear.a.Towhatextentdoesthiscompromisethesecurityofthehashalgorithm?b.Towhatextentdoesitinfactperformitsintendedfunction，namely，tohelpdetermineifthecorrectRSAkeywasusedtodecryptthedigest?a.Notatall.Themessagedigestisencryptedwiththesender'sprivatekey.Therefore，anyoneinpossessionofthepublickeycandecryptitandrecovertheentiremessagedigest.b.Theprobabilitythatamessagedigestdecryptedwiththewrongkeywouldhaveanexactmatchinthefirst16bitswiththeoriginalmessagedigestis2–16.5.3InFigure5.4，eachentryinthepublic-keyringcontainsanownertrustfieldthatindicatesthedegreeoftrustassociatedwiththispublic-keyowner.Whyisthatnotenough?Thatis，ifthisowneristrustedandthisissupposedtobetheowner’spublickey，whyisnotthattrustenoughtopermitPGPtousethispublickey?Wetrustthisowner，butthatdoesnotnecessarilymeanthatwecantrustthatweareinpossessionofthatowner'spublickey.5.4Considerradix-64conversionasaformofencryption.Inthiscase，thereisnokey.ButsupposethatanopponentknewonlythatsomeformofsubstitutionalgorithmwasbeingusedtoencryptEnglishtextanddidnotguessitwasR64.Howeffectivewouldthisalgorithmbeagainstcryptanalysis?Itcertainlyprovidesmoresecuritythanamonoalphabeticsubstitution.Becausewearetreatingtheplaintextasastringofbitsandencrypting6bitsatatime，wearenotencryptingindividualcharacters.Therefore，thefrequencyinformationislost，oratleastsignificantlyobscured.5.5PhilZimmermannchoseIDEA，three-keytripleDES，andCAST-128assymmetricencryptionalgorithmsforPGP.GivereasonswhyeachofthefollowingsymmetricencryptionalgorithmsfordescribedinthisbookissuitableorunsuitableforPGP：DES，two-keytripleDES，andAES.DESisunsuitablebecauseofitsshortkeysize.Two-keytripleDES，whichhasakeylengthof112bits，issuitable.AESisalsosuitable.Chapter6IPSecurityANSWERSNSWERSTOQUESTIONS6.1GiveexamplesofapplicationsofIPSec.SecurebranchofficeconnectivityovertheInternet：AcompanycanbuildasecurevirtualprivatenetworkovertheInternetoroverapublicWAN.ThisenablesabusinesstorelyheavilyontheInternetandreduceitsneedforprivatenetworks，savingcostsandnetworkmanagementoverhead.SecureremoteaccessovertheInternet：AnenduserwhosesystemisequippedwithIPsecurityprotocolscanmakealocalcalltoanInternetserviceprovider(ISP)andgainsecureaccesstoacompanynetwork.Thisreducesthecostoftollchargesfortravelingemployeesandtelecommuters.Establishingextranetandintranetconnectivitywithpartners：IPS