CSE 4317 Homework 3

Due: June 29, 2001 by midnight (no late submissions accepted)

Submit via email to holder@cse.uta.edu (not to Red!).

Homework 3 is to complete the worksheets on pages 154 and 155 of Bowyer's 2nd edition. For those of you who do not have the 2nd edition, I have repeated the worksheets below along with pointers to PDF of the two referenced articles.

WORKSHEET I: Read the article "Cryptography: The Importance of Not Being Different" by Bruce Schneier in IEEE Computer, Volume 32, Number 3, pages 108-109, 1999 (click here for PDF). This article is also reprinted in Bowyer, 2nd edition, on pages 159-161. Answer the following questions.

  1. Explain Schneier's opening analogy about a doctor and antibiotics. How accurate does the analogy seems to you?

  2. Schneier says, "Most cryptography products on the market are insecure. Some don't work as advertised. Some are obviously flawed. ..." What does this imply for the importance of a standard like the AES? How likely is the AES to suffer from such problems? Why?

  3. Schneier says, "Security has nothing to do with functionality." Explain what he means by this.

  4. What does Schneier say are the reasons for the flaws he sees in Microsoft's Point-To-Point Tunneling Protocol?

  5. Why does Schneier suggest that there is great confidence in the correctness of DES, RSA, and PGP?

WORKSHEET II: Read the article "Cryptography: Is Staying with the Herd Really Best?" by Terry Ritter in IEEE Computer, Volume 32, Number 8, pages 94-95, 1999 (click here for PDF). This article is also reprinted in Bowyer, 2nd edition, on pages 162-163. Answer the following questions.

  1. Ritter asserts that "... anyone concerned with real security probably should consider using something other than the same cipher as everyone else." What is his reasoning for this conclusion? What practical problems would you foresee with "using something other than the same cipher as everyone else?" Based on Schneier's article, what do you think would be Schneier's counter-argument? Who do you think is more correct, and why?

  2. Ritter asserts that "... most crypto experts probably would agree that just because 20 years of analysis of the U.S. Data Encryption Standard has not found an easy break does not mean that no easy break exists. ... In practice, even extensive review is not a rational or scientific indication of strength." Do you agree? Why or why not?

  3. Ritter asserts that "Since no one can prove that any cipher is secure, absolute confidence is simply not available. Any cipher can fail at any time." Do you agree? Why or why not? Does Ritter's assertion imply that all cipher algorithms are equally (un)reliable?

  4. Is "strength against unknown attack" the only property of interest in a cipher algorithm? Why or why not?

  5. Who would you hire as your encryption security consultant, Ritter or Schneier? Why?