Browse papers
LevelBSc CSIT (TU)
StreamScience
SubjectCryptography (BSc CSIT, CSC316)
Year2082 BS
Exam sessionRegular (annual)
Full marks60
Time allowed180 minutes
Questions12, all with step-by-step solutions
A

Section A: Long Answer Questions

Attempt any TWO questions.

3 questions·10 marks each
1Long answer10 marks

Describe the Fiestel Cipher structure. Given the key {2B, 7E, 15, 16, 28, AE, D2, A6, AB, F7, 97, 66, 01, 02, 03, 04}, compute the first 4 byte of next key after first iteration, using the following S-Box in AES.

0 1 2 3 4 5 6 7 8 9 A B C D E F

0 63 7C 77 7B F2 6B 6F C5 30 01 67 2B FE D7 AB 76

Feistel Cipher Structure

A Feistel cipher is a symmetric structure used to build many block ciphers (e.g. DES). The plaintext block is split into two halves and processed through several rounds, in each of which one half is transformed by a round function FF keyed with a round subkey, and then XORed with the other half.

For round ii, given the halves (Li1,Ri1)(L_{i-1}, R_{i-1}):

Li=Ri1,Ri=Li1F(Ri1,Ki).L_i = R_{i-1}, \qquad R_i = L_{i-1} \oplus F(R_{i-1}, K_i).
        Plaintext (split into L0 | R0)
                 |
   +-------------+-------------+
   |                           |
  L0                          R0 ---> F(R0, K1)
   |                           |        |
   +------------ XOR <---------|--------+
   |                           |
  (swap) L1 = R0          R1 = L0 XOR F(R0,K1)
   |                           |
        ... repeat for n rounds ...
                 |
        Ciphertext (Rn | Ln)

Key features:

  • Decryption uses the same structure, applying subkeys in reverse order KnK1K_n \dots K_1 — so encryption and decryption hardware/software are identical.
  • The round function FF need not be invertible, giving great design freedom.
  • Security depends on the number of rounds, the function FF, and the key schedule (Shannon's confusion and diffusion).

AES Key Expansion: First 4 Bytes of the Next Round Key

The AES key is grouped into 4-byte words. The given 16-byte key gives:

WordBytes
W0W_02B 7E 15 16
W1W_128 AE D2 A6
W2W_2AB F7 97 66
W3W_301 02 03 04

The next round key starts with W4W_4, and the first 4 bytes of the next key are exactly W4W_4:

W4=W0g(W3)W_4 = W_0 \oplus g(W_3)

where gg = RotWord → SubWord → XOR Rcon(1).

Step 1 — RotWord(W3W_3): cyclic left shift of (01 02 03 04) → (02 03 04 01).

Step 2 — SubWord (substitute each byte using the AES S-Box):

  • 02 → 77
  • 03 → 7B
  • 04 → F2
  • 01 → 7C

Result: (77 7B F2 7C).

Step 3 — XOR with Rcon(1) = (01 00 00 00):

(7701,  7B00,  F200,  7C00)=(76,  7B,  F2,  7C).(77\oplus01,\;7B\oplus00,\;F2\oplus00,\;7C\oplus00) = (76,\;7B,\;F2,\;7C).

So g(W3)=g(W_3) = 76 7B F2 7C.

Step 4 — W4=W0g(W3)W_4 = W_0 \oplus g(W_3):

byte 0byte 1byte 2byte 3
W0W_02B7E1516
g(W3)g(W_3)767BF27C
XOR5D05E76A
W4=5D 05 E7 6A\boxed{W_4 = \text{5D 05 E7 6A}}

So the first four bytes of the next round key after the first iteration are 5D 05 E7 6A.

2Long answer10 marks

Illustrate the man in middle attack in Diffie – Hellman key exchange protocol. Assume the prime number be 19 and 10 as its primitive root. Select 5 as private key and 4 as random integer. Find the cipher text of M = 2 using Elgamal crypto system.

Man-in-the-Middle Attack on Diffie–Hellman

The Diffie–Hellman (DH) key exchange has no authentication, so an active attacker (Eve) sitting between Alice and Bob can impersonate each to the other.

  Alice                Eve (attacker)              Bob
   |  g^a  ----------->  | (intercepts)            |
   |                     |  g^e  --------------->   |
   |                     |  <---------------  g^b   |
   |  <----------  g^e   | (intercepts)            |
   |                     |                          |
  shares g^(ae) with Eve |     shares g^(be) with Eve
  1. Alice sends gag^{a}; Eve intercepts it and sends her own geg^{e} to Bob.
  2. Bob sends gbg^{b}; Eve intercepts it and sends geg^{e} to Alice.
  3. Alice computes K1=gaeK_1 = g^{ae} (thinking she shares it with Bob); Bob computes K2=gbeK_2 = g^{be}.
  4. Eve knows both K1K_1 and K2K_2. She decrypts, reads/alters, and re-encrypts every message between them. Neither party detects the attack.

Countermeasure: authenticate the public values (e.g. signed DH, STS protocol, certificates) so Eve cannot substitute her keys.

ElGamal Encryption of M = 2

Given: prime p=19p = 19, primitive root g=10g = 10, private key x=5x = 5, random integer k=4k = 4, message M=2M = 2.

Step 1 — public key y=gxmodpy = g^{x} \bmod p:

105mod19.10^{5} \bmod 19.
  • 102=1005(mod19)10^{2} = 100 \equiv 5 \pmod{19}
  • 104=52=256(mod19)10^{4} = 5^{2} = 25 \equiv 6 \pmod{19}
  • 105=10410=6×10=603(mod19)10^{5} = 10^{4}\cdot 10 = 6 \times 10 = 60 \equiv 3 \pmod{19}

So y=3y = 3. Public key: (p,g,y)=(19,10,3)(p,g,y) = (19, 10, 3).

Step 2 — C1=gkmodpC_1 = g^{k} \bmod p:

C1=104mod19=6.C_1 = 10^{4} \bmod 19 = 6.

Step 3 — C2=MykmodpC_2 = M \cdot y^{k} \bmod p:

  • y4=34=818176=5(mod19)y^{4} = 3^{4} = 81 \equiv 81 - 76 = 5 \pmod{19}
  • C2=2×5=10(mod19)C_2 = 2 \times 5 = 10 \pmod{19}

Ciphertext:

(C1,C2)=(6,10)\boxed{(C_1, C_2) = (6, 10)}

(Verification: M=C2(C1x)1mod19M = C_2\,(C_1^{x})^{-1} \bmod 19. C1x=65mod19=5C_1^{x} = 6^{5} \bmod 19 = 5; 514(mod19)5^{-1} \equiv 4 \pmod{19}; M=10×4=402(mod19)M = 10 \times 4 = 40 \equiv 2 \pmod{19}. ✓)

3Long answer10 marks

List the properties of hash function. Describe the algorithm for SHA-1.

Properties of a Cryptographic Hash Function

A hash function HH maps an arbitrary-length message to a fixed-length digest. To be cryptographically secure it must satisfy:

  1. Fixed output length: any input size produces a fixed-size digest (e.g. 160 bits for SHA-1).
  2. Efficiency: H(x)H(x) is fast to compute for any xx.
  3. Preimage resistance (one-way): given a hash hh, it is infeasible to find any xx with H(x)=hH(x)=h.
  4. Second preimage resistance (weak collision resistance): given xx, it is infeasible to find xxx' \neq x with H(x)=H(x)H(x') = H(x).
  5. Collision resistance (strong): it is infeasible to find any two distinct inputs x,xx, x' with H(x)=H(x)H(x) = H(x').
  6. Avalanche effect: a small change in input (even one bit) changes the output drastically.
  7. Deterministic: the same input always yields the same digest.

SHA-1 Algorithm

SHA-1 takes a message of length <264< 2^{64} bits and produces a 160-bit message digest. It processes the message in 512-bit blocks over 80 rounds per block.

Step 1 — Padding

The message is padded so its length 448(mod512)\equiv 448 \pmod{512}: append a single 1 bit, then 0 bits, then a 64-bit representation of the original message length. Total length becomes a multiple of 512.

Step 2 — Initialize Buffer (five 32-bit words)

H0 = 67452301   H1 = EFCDAB89   H2 = 98BADCFE
H3 = 10325476   H4 = C3D2E1F0

Step 3 — Process each 512-bit block

For each block:

  1. Expand the sixteen 32-bit words W0W15W_0 \dots W_{15} into eighty words:
Wt=ROTL1(Wt3Wt8Wt14Wt16),16t79.W_t = \text{ROTL}^{1}(W_{t-3} \oplus W_{t-8} \oplus W_{t-14} \oplus W_{t-16}), \quad 16 \le t \le 79.
  1. Set working variables a,b,c,d,e=H0,H1,H2,H3,H4a,b,c,d,e = H_0,H_1,H_2,H_3,H_4.
  2. Run 80 rounds; for t=079t = 0 \dots 79:
T=ROTL5(a)+ft(b,c,d)+e+Wt+KtT = \text{ROTL}^{5}(a) + f_t(b,c,d) + e + W_t + K_t e=d,  d=c,  c=ROTL30(b),  b=a,  a=T.e=d,\; d=c,\; c=\text{ROTL}^{30}(b),\; b=a,\; a=T.

The round function ftf_t and constant KtK_t depend on the round group:

Roundsft(b,c,d)f_t(b,c,d)KtK_t
0–19(bc)(¬bd)(b\wedge c)\vee(\lnot b\wedge d)5A827999
20–39bcdb\oplus c\oplus d6ED9EBA1
40–59(bc)(bd)(cd)(b\wedge c)\vee(b\wedge d)\vee(c\wedge d)8F1BBCDC
60–79bcdb\oplus c\oplus dCA62C1D6
  1. Add the working variables back into the buffer:
H0+=a,  H1+=b,  H2+=c,  H3+=d,  H4+=e(mod232).H_0\mathrel{+}=a,\; H_1\mathrel{+}=b,\; H_2\mathrel{+}=c,\; H_3\mathrel{+}=d,\; H_4\mathrel{+}=e \pmod{2^{32}}.

Step 4 — Output

After the last block, the digest is the concatenation:

H0H1H2H3H4(160 bits).H_0 \,\|\, H_1 \,\|\, H_2 \,\|\, H_3 \,\|\, H_4 \quad (160 \text{ bits}).

Note: SHA-1 is now considered broken for collision resistance (practical collisions found in 2017) and is replaced by SHA-2/SHA-3 in modern systems.

B

Section B: Short Answer Questions

Attempt any EIGHT questions.

9 questions·5 marks each
4Short answer5 marks

Describe any three types of malicious logic.

Types of Malicious Logic

Malicious logic is code that performs unauthorized, harmful actions. Three common types:

1. Virus A program fragment that attaches itself to a host file or program and replicates by inserting copies of itself into other programs when the infected host runs. It requires a host and usually some user action to spread, and carries a payload that may corrupt or delete data.

2. Worm A stand-alone, self-replicating program that spreads across networks on its own, without attaching to a host or needing user action. It exploits system/network vulnerabilities to copy itself to other machines, consuming bandwidth and resources (e.g. the Morris worm).

3. Trojan Horse A program that masquerades as legitimate or useful software but secretly performs malicious actions such as data theft or installing a backdoor. It does not self-replicate and relies on deceiving the user into running it.

FeatureVirusWormTrojan
Self-replicatingYesYesNo
Needs a host fileYesNoNo
Spreads over network aloneNoYesNo
Relies on deceptionSometimesNoYes

(Other examples of malicious logic include logic bombs, rootkits, spyware and ransomware.)

5Short answer5 marks

Given the key "HELLOWORLD", encrypt the plaintext "TURINGTEST" using Play fair cipher.

Playfair Cipher Encryption

Key: HELLOWORLD Plaintext: TURINGTEST

Step 1 — Build the 5×5 key matrix (I/J share a cell)

Write the key letters left-to-right (dropping repeats), then fill with the remaining alphabet. Unique key letters: H E L O W R D.

HELOW
RDABC
FGI/JKM
NPQST
UVXYZ

Step 2 — Split plaintext into digraphs

TURINGTESTTU · RI · NG · TE · ST (no repeated-letter or odd-length padding needed).

Step 3 — Apply Playfair rules

Same row → take letter to the right; same column → take letter below; rectangle → take letter in the same row but the other pair's column.

PairPositionsRuleCipher
TUT(r3,c4), U(r4,c0)rectangle → (r3,c0),(r4,c4)N Z
RIR(r1,c0), I(r2,c2)rectangle → (r1,c2),(r2,c0)A F
NGN(r3,c0), G(r2,c1)rectangle → (r3,c1),(r2,c0)P F
TET(r3,c4), E(r0,c1)rectangle → (r3,c1),(r0,c4)P W
STS(r3,c3), T(r3,c4)same row → right of eachT N

(rows/cols numbered from 0)

Result

Ciphertext=NZ AF PF PW TN=NZAFPFPWTN\boxed{\text{Ciphertext} = \text{NZ AF PF PW TN} = \text{NZAFPFPWTN}}
6Short answer5 marks

Explain any two modes of block cipher encryption.

Modes of Block Cipher Encryption

A block cipher only encrypts one fixed-size block; a mode of operation defines how to securely encrypt messages longer than one block. Two important modes:

1. Electronic Codebook (ECB)

Each plaintext block is encrypted independently with the same key:

Ci=EK(Pi),Pi=DK(Ci).C_i = E_K(P_i), \qquad P_i = D_K(C_i).
P1 ->[E_K]-> C1     P2 ->[E_K]-> C2     P3 ->[E_K]-> C3
  • Pros: simple, blocks can be processed in parallel, random access.
  • Cons: identical plaintext blocks produce identical ciphertext blocks, so data patterns leak (the classic "ECB penguin"). Insecure for structured data.

2. Cipher Block Chaining (CBC)

Each plaintext block is XORed with the previous ciphertext block before encryption, using an Initialization Vector (IV) for the first block:

Ci=EK(PiCi1),C0=IV;Pi=DK(Ci)Ci1.C_i = E_K(P_i \oplus C_{i-1}), \quad C_0 = IV; \qquad P_i = D_K(C_i) \oplus C_{i-1}.
P1 -XOR(IV)->[E_K]-> C1
P2 -XOR(C1)->[E_K]-> C2
P3 -XOR(C2)->[E_K]-> C3
  • Pros: identical plaintext blocks give different ciphertext (hides patterns); each block depends on all previous blocks.
  • Cons: encryption is sequential (cannot parallelize); a transmission error in Ci1C_{i-1} corrupts two decrypted blocks; requires a random IV.

(Other modes include CFB, OFB and CTR, which turn the block cipher into a stream cipher.)

7Short answer5 marks

State Fermat's theorem with example. What is the implication of discrete logarithm?

Fermat's Theorem (Fermat's Little Theorem)

Statement: If pp is a prime and aa is an integer with gcd(a,p)=1\gcd(a, p) = 1, then

ap11(modp).a^{p-1} \equiv 1 \pmod{p}.

Equivalently, for any integer aa: apa(modp)a^{p} \equiv a \pmod{p}.

Example: Let p=7p = 7, a=3a = 3:

36=729=104×7+11(mod7).  3^{6} = 729 = 104 \times 7 + 1 \equiv 1 \pmod 7. \;\checkmark

It is widely used for modular exponentiation, computing inverses, and primality testing (Fermat test) in cryptography.

Implication of the Discrete Logarithm

Given a prime pp, a generator gg of Zp\mathbb{Z}_p^{*}, and a value y=gxmodpy = g^{x} \bmod p, the discrete logarithm problem (DLP) is to find the exponent xx.

  • Forward direction is easy: computing y=gxmodpy = g^{x} \bmod p is fast (modular exponentiation).
  • Reverse direction is hard: recovering xx from yy is computationally infeasible for large pp — it is a presumed one-way / trapdoor function.

Implication: This asymmetry is the security foundation of several public-key schemes — Diffie–Hellman key exchange, ElGamal encryption, the Digital Signature Algorithm (DSA), and elliptic-curve cryptography (ECDLP). Their secrecy holds only as long as the discrete logarithm remains intractable; an efficient DLP solver (e.g. a large quantum computer running Shor's algorithm) would break all of them.

8Short answer5 marks

Describe the working mechanism of digital signature algorithm.

Digital Signature Algorithm (DSA)

DSA is a standard (FIPS 186) for generating and verifying digital signatures. Its security relies on the discrete logarithm problem. A signature provides authentication, integrity, and non-repudiation, but (unlike RSA signing) DSA is used only for signing, not encryption.

Parameter & Key Generation

  • Choose a large prime pp and a prime qq that divides p1p-1.
  • Choose g=h(p1)/qmodpg = h^{(p-1)/q} \bmod p (an element of order qq).
  • Private key: random xx with 0<x<q0 < x < q.
  • Public key: y=gxmodpy = g^{x} \bmod p.
  • Public parameters: (p,q,g,y)(p, q, g, y).

Signing a message MM (signer with private key xx)

  1. Pick a fresh random secret kk, 0<k<q0 < k < q.
  2. Compute r=(gkmodp)modqr = (g^{k} \bmod p) \bmod q.
  3. Compute the hash H(M)H(M) and
s=k1(H(M)+xr)modq.s = k^{-1}\,(H(M) + x\,r) \bmod q.
  1. The signature is the pair (r,s)(r, s), sent with MM.

Verification (verifier with public key yy)

  1. Compute w=s1modqw = s^{-1} \bmod q.
  2. Compute u1=H(M)wmodqu_1 = H(M)\,w \bmod q and u2=rwmodqu_2 = r\,w \bmod q.
  3. Compute v=((gu1yu2)modp)modqv = \big((g^{u_1} y^{u_2}) \bmod p\big) \bmod q.
  4. Accept the signature if and only if v=rv = r.
  Sign:    M -> H(M) -> (r,s) using x, k
  Send:    (M, r, s)
  Verify:  recompute v from H(M), r, s, y  ->  v == r ?  -> valid

Key points: the hash binds the signature to the message (integrity); only the holder of xx can produce a valid (r,s)(r,s) (authentication & non-repudiation); the random kk must be unique and secret for every signature — reusing kk leaks the private key.

9Short answer5 marks

List and explain the types of firewall.

Firewall

A firewall is a hardware or software system placed between a trusted internal network and an untrusted external network (e.g. the Internet) that filters traffic according to a security policy, allowing or blocking packets/connections.

Types of Firewalls

1. Packet-Filtering Firewall Operates at the network/transport layer. It inspects each packet's header — source/destination IP, port, and protocol — and accepts or drops it based on a rule set (ACL).

  • Pros: fast, cheap, transparent.
  • Cons: stateless; cannot see application content; vulnerable to spoofing.

2. Stateful Inspection Firewall Keeps a state table of active connections and evaluates packets in the context of the whole session (e.g. only allows reply packets that belong to an established connection).

  • Pros: more secure than simple packet filters; tracks connection state.
  • Cons: more resource-intensive.

3. Application-Level Gateway (Proxy Firewall) Works at the application layer; a proxy relays traffic for specific applications (HTTP, FTP). It inspects the actual content of requests/responses.

  • Pros: deep inspection, hides internal hosts, strong control.
  • Cons: slow; needs a separate proxy per application.

4. Circuit-Level Gateway Operates at the session layer; it validates the TCP handshake/session setup (e.g. SOCKS) and then relays data without inspecting content.

  • Pros: low overhead, hides internal network.
  • Cons: no content inspection.

(Modern "Next-Generation Firewalls" combine stateful inspection with deep-packet inspection, IPS and application awareness.)

10Short answer5 marks

Decrypt the ciphertext "HI" using Hill Cipher where the key is [5/4 3/3].

Hill Cipher Decryption

Ciphertext: HI Key matrix (columns 5,4 and 3,3):

K=[5343]K = \begin{bmatrix} 5 & 3 \\ 4 & 3 \end{bmatrix}

with letter values A=0,B=1,,Z=25A=0, B=1, \dots, Z=25, so H=7H = 7, I=8I = 8, and C=[78]C = \begin{bmatrix}7\\8\end{bmatrix}.

Decryption uses the inverse key matrix mod 26: P=K1Cmod26P = K^{-1} C \bmod 26.

Step 1 — Determinant of K (mod 26)

detK=(5)(3)(3)(4)=1512=3.\det K = (5)(3) - (3)(4) = 15 - 12 = 3.

Step 2 — Modular inverse of the determinant

Find 31mod263^{-1} \bmod 26: 3×9=271(mod26)3 \times 9 = 27 \equiv 1 \pmod{26}, so (detK)1=9(\det K)^{-1} = 9.

Step 3 — Adjugate of K

adj(K)=[3345][323225](mod26).\text{adj}(K) = \begin{bmatrix} 3 & -3 \\ -4 & 5 \end{bmatrix} \equiv \begin{bmatrix} 3 & 23 \\ 22 & 5 \end{bmatrix} \pmod{26}.

Step 4 — Inverse key matrix

K1=9[323225]=[2720719845][1251619](mod26).K^{-1} = 9 \cdot \begin{bmatrix} 3 & 23 \\ 22 & 5 \end{bmatrix} = \begin{bmatrix} 27 & 207 \\ 198 & 45 \end{bmatrix} \equiv \begin{bmatrix} 1 & 25 \\ 16 & 19 \end{bmatrix} \pmod{26}.

Step 5 — Recover plaintext

P=K1[78]mod26.P = K^{-1}\begin{bmatrix}7\\8\end{bmatrix} \bmod 26.
  • P1=(1)(7)+(25)(8)=7+200=207207182=25  (Z)P_1 = (1)(7) + (25)(8) = 7 + 200 = 207 \equiv 207 - 182 = 25 \;(\to Z)
  • P2=(16)(7)+(19)(8)=112+152=264264260=4  (E)P_2 = (16)(7) + (19)(8) = 112 + 152 = 264 \equiv 264 - 260 = 4 \;(\to E)
Plaintext=ZE\boxed{\text{Plaintext} = \text{ZE}}

(Check by re-encrypting: K[254]=[525+34425+34]=[137112][78]=HI.K\begin{bmatrix}25\\4\end{bmatrix} = \begin{bmatrix}5\cdot25+3\cdot4\\4\cdot25+3\cdot4\end{bmatrix} = \begin{bmatrix}137\\112\end{bmatrix} \equiv \begin{bmatrix}7\\8\end{bmatrix} = \text{HI}. \checkmark)

11Short answer5 marks

What is digital certificate? Discuss the certificate life cycle.

Digital Certificate

A digital certificate is an electronic document that binds a public key to the identity of its owner, and is digitally signed by a trusted third party called a Certificate Authority (CA). It lets a relying party trust that a given public key really belongs to the named subject (preventing public-key substitution / MITM).

The common standard is X.509, whose fields include: version, serial number, signature algorithm, issuer (CA) name, validity period (not-before / not-after), subject name, subject's public key, extensions, and the CA's digital signature.

Certificate Life Cycle

  1. Key generation: the subject (or CA) generates a public/private key pair.
  2. Registration / Enrollment: the applicant submits a Certificate Signing Request (CSR) with their public key and identity to a Registration Authority (RA).
  3. Verification (Identity validation): the RA/CA verifies the applicant's identity and ownership of the key.
  4. Issuance: the CA creates the certificate, signs it with the CA private key, and delivers it to the subject.
  5. Distribution / Publication: the certificate is published (directory, LDAP) and used to establish secure communication.
  6. Usage / Validation: relying parties verify the CA's signature, the validity period, and revocation status (via CRL or OCSP) before trusting it.
  7. Renewal: before expiry, the certificate is re-issued (usually with a new validity period / key).
  8. Revocation: if the private key is compromised or details change, the CA revokes the certificate early and lists it on a CRL (Certificate Revocation List) / OCSP.
  9. Expiration / Destruction: after the validity period ends, the certificate expires and associated keys are securely archived or destroyed.
Key-gen -> Enroll(CSR) -> Verify -> Issue -> Distribute -> Use
                                               |
                                  Renew <------+------> Revoke -> Expire
12Short answer5 marks

Define authentication system. Discuss about challenge response system.

Authentication System

An authentication system is a mechanism that verifies the claimed identity of an entity (user, host, or process) before granting access. It answers "are you who you say you are?" and is based on one or more factors:

  • Something you know — password, PIN, passphrase.
  • Something you have — smart card, token, OTP device.
  • Something you are — biometrics (fingerprint, iris, face).

Combining two or more factors gives multi-factor authentication (MFA), which is far stronger than a single factor. A good authentication system also resists eavesdropping and replay of credentials.

Challenge–Response System

A challenge–response authentication scheme proves identity without transmitting the secret itself, defeating eavesdropping and replay attacks.

Working mechanism:

  1. The claimant requests access to the verifier.
  2. The verifier sends a random, one-time challenge (a nonce) to the claimant.
  3. The claimant computes a response by applying a secret-keyed function to the challenge — e.g. encrypting it or hashing it together with the shared secret:
response=EK(challenge)orH(secretchallenge).\text{response} = E_K(\text{challenge}) \quad\text{or}\quad H(\text{secret}\,\|\,\text{challenge}).
  1. The verifier performs the same computation (or verifies it) and grants access only if the response matches.
  Claimant                         Verifier
     |  request access  ------------->  |
     |  <-----------  random challenge  |
     |  response = f(secret,challenge)->|
     |                          verify  | -> grant / deny

Advantages:

  • The secret is never sent over the network.
  • Because the challenge is fresh each time, an attacker who records an old response cannot replay it.
  • Used in CHAP, Kerberos, OTP/token systems and smart-card authentication.

Frequently asked questions

Where can I find the BSc CSIT (TU) Cryptography (BSc CSIT, CSC316) question paper 2082?
The full BSc CSIT (TU) Cryptography (BSc CSIT, CSC316) 2082 (Regular (annual)) question paper is available free on Kekkei. You can read every question online and attempt the paper under timed exam conditions.
Does the Cryptography (BSc CSIT, CSC316) 2082 paper come with solutions?
Yes. Every question on this Cryptography (BSc CSIT, CSC316) past paper includes a step-by-step solution, plus instant AI feedback when you attempt it on Kekkei.
How many marks is the BSc CSIT (TU) Cryptography (BSc CSIT, CSC316) 2082 paper?
The BSc CSIT (TU) Cryptography (BSc CSIT, CSC316) 2082 paper carries 60 full marks and is meant to be completed in 180 minutes, across 12 questions.
Is practising this Cryptography (BSc CSIT, CSC316) past paper free?
Yes — reading and attempting this Cryptography (BSc CSIT, CSC316) past paper on Kekkei is completely free.