Homework 2 - Cryptography and Authentication

Due: Wednesday April 16, 2008 at 5:00pm
Each question is worth 2 points, 20 points total.

  1. One-time pads are provably secure. Why are one-time pads so rarely used in practice?
  2. Why does combining substitution and transposition (permutation) result in a higher level of security than either alone?
  3. DES has been around for over three decades and is still used in many systems. Do you think AES will have this sort of staying power? Explain why or why not.
  4. Explain why encrypting a message then signing it is not secure.
  5. What would be the implication of Jane having the same RSA private key as Bob's RSA public key? Should Jane change her key pair?
  6. Passwords are typically stored as a cryptographic one-way hash instead of in plain text. Does adding a salt to the hash function make it harder for an attacker (who has access to the stored hashes) to recover the original password? Explain why or why not.
  7. When websites post large files for users to download, they want to give the user some assurance that the file is uncorrupted and has not been substituted with another file. A common method to do this is to list the MD5 hash on the website with the download link. Is this any better than just having the download link? Explain why or why not.
  8. Is using a Kerberos ticket more secure, less secure or equivalent to setting a session key in the user's browser? Justify your answer.
  9. If a password consists purely of 6 upper case letters, how long would it take to test all possible passwords if the attacker could generate and test one password per second?
  10. If a password consists of 10 tokens, where each token can be an upper case letter, a lower case letter, a number or a symbol chosen from ! @ # $ % ^ & * . = +, how long would it now take to test all possible passwords, again assuming the attacker could generate and test one password per second?