《網(wǎng)絡安全技術(shù)》英文習題集Chapter1IntroductionANSWERSNSWERSTOQUESTIONSWhatistheOSIsecurityarchitecture?TheOSISecurityArchitectureisaframeworkthatprovidesasystematicwayofdefiningtherequirementsforsecurityandcharacterizingtheapproachestosatisfyingthoserequirements.Thedocumentdefinessecurityattacks,mechanisms,andservices,andtherelationshipsamongthesecategories.Whatisthediffereneebetweenpassiveandactivesecuritythreats?Passiveattackshavetodowitheavesdroppingon,ormonitoring,transmissions.Electronicmail,filetransfers,andclient/serverexchangesareexamplesoftransmissionsthatcanbemonitored.Activeattacksincludethemodificationoftransmitteddataandattemptstogainunauthorizedaccesstocomputersystems.Listsandbrieflydefinecategoriesofpassiveandactivesecurityattacks?Passiveattacks:releaseofmessagecontentsandtrafficanalysis.Activeattacks:masquerade,replay,modificationofmessages,anddenialofservice.Listsandbrieflydefinecategoriesofsecurityservice?Authentication :Theassuraneethatthecommunicatingentityistheonethatitclaimstobe.Accesscontrol:Thepreventionofunauthorizeduseofaresource(i.e.,thisservicecontrolswhocanhaveaccesstoaresource,underwhatconditionsaccesscanoccur,andwhatthoseaccessingtheresourceareallowedtodo).Dataconfidentiality:Theprotectionofdatafromunauthorizeddisclosure.Dataintegrity:Theassuraneethatdatareceivedareexactlyassentbyanauthorizedentity(i.e.,containnomodification,insertion,deletion,orreplay).Nonrepudiation:ProvidesprotectionagainstdenialbyoneoftheentitiesinvoIvedinacommunicationofhavingparticipatedinallorpartofthecommunication.2.12Whatisakeydistributioncenter?2.12Whatisakeydistributioncenter?2.7Whatistripleencryption?2.7Whatistripleencryption?Availabilityservice:Thepropertyofasystemorasystemresourcebeingaccessibleandusableupondemandbyanauthorizedsystementity,accordingtoperformaneespecificationsforthesystem(i.e.,asystemisavailableifitprovidesservicesaccordingtothesystemdesignwheneverusersrequestthem).Chapter2SymmetricEncryptionandMessageConfidentialityANSWERSNSWERSTOQUESTIONSWhataretheessentialingredientsofasymmetriccipher?Plaintext,encryptionalgorithm,secretkey,ciphertext,decryptionalgorithm.Whatarethetwobasicfunctionsusedinencryptionalgorithms?Permutationandsubstitution.Howmanykeysarerequiredfortwopeopletocommunicateviaasymmetriccipher?Onesecretkey.Whatisthediffereneebetweenablockcipherandastreamcipher?Astreamcipherisonethatencryptsadigitaldatastreamonebitoronebyteatatime.Ablockcipherisoneinwhichablockofplaintextistreatedasawholeandusedtoproduceaciphertextblockofequallength.Whatarethetwogeneralapproachestoattackingacipher?Cryptanalysisandbruteforce.Whydosomeblockciphermodesofoperationonlyuseencryptionwhileothersusebothencryptionanddecryption?Insomemodes,theplaintextdoesnotpassthroughtheencryptionfunction,butisXORedwiththeoutputoftheencryptionfunction.Themathworksoutthatfordecryptioninthesecases,theencryptionfunctionmustalsobeused.Withtripleencryption,aplaintextblockisencryptedbypassingitthroughanencryptionalgorithm;theresultisthenpassedthroughthesameencryptionalgorithmagain;theresultofthesecondencryptionispassedthroughthesameencryptionalgorithmathirdtime.Typically,thesecondstageusesthedecryptionalgorithmratherthantheencryptionalgorithm.Whyisthemiddleportionof3DESadecryptionratherthananencryption?Thereisnocryptographicsignificaneetotheuseofdecryptionforthesecondstage.Itsonlyadvantageisthatitallowsusersof3DEStodecryptdataencryptedbyusersoftheoldersingleDESbyrepeatingthekey.Whatisthediffereneebetweenlinkandend-to-endencryption?Withlinkencryption,eachvulnerablecommunicationslinkisequippedonbothendswithanencryptiondevice.Withend-to-endencryption,theencryptionprocessiscarriedoutatthetwoendsystems.Thesourcehostorterminalencryptsthedata;thedatainencryptedformarethentransmittedunalteredacrossthenetworktothedestinationterminalorhost.Listwaysinwhichsecretkeyscanbedistributedtotwocommunicatingparties.FortwopartiesAandB,keydistributioncanbeachievedinanumberofways,asfollows:AcanselectakeyandphysicallydeliverittoB.AthirdpartycanselectthekeyandphysicallydeliverittoAandB.lfAandBhavepreviouslyandrecentlyusedakey,onepartycantransmitthenewkeytotheother,encryptedusingtheoldkey.IfAandBeachhasanencryptedconnectiontoathirdpartyC,CcandeliverakeyontheencryptedlinkstoAandB.Whatisthediffereneebetweenasessionkeyandamasterkey?Asessionkeyisatemporaryencryptionkeyusedbetweentwoprincipals.AmasterkeyisaIong-lastingkeythatisusedbetweenakeydistributioncenterandaprincipalforthepurposeofencodingthetransmissionofsessionkeys.Typically,themasterkeysaredistributedbynoncryptographicmeans.3.2Whatismessageauthenticationcode?3.2Whatismessageauthenticationcode?Akeydistributioncenterisasystemthatisauthorizedtotransmittemporarysessionkeystoprincipals.Eachsessionkeyistransmittedinencryptedform,usingamasterkeythatthekeydistributioncentershareswiththetargetprincipal.ANSWERSNSWERSTOPROBLEMSWhatRC4keyvaluewillleaveSunchangedduringinitialization?Thatis,aftertheinitialpermutationofS,theentriesofSwillbeequaltothevaluesfrom0through255inascendingorder.Useakeyoflength255bytes.Thefirsttwobytesarezero;thatisK[0]=K[1]=0.Thereafter,wehave:K[2]=255;K[3]=254; …K[255]=2.Ifabiterroroccursinthetransmissionofaciphertextcharacterin8-bitCFBmode,howfardoestheerrorpropagate?Nineplaintextcharactersareaffected.Theplaintextcharactercorrespondingtotheciphertextcharacterisobviouslyaltered.Inaddition,thealteredciphertextcharacterenterstheshiftregisterandisnotremoveduntilthenexteightcharactersareprocessed.Keydistributionschemesusinganaccesscontrolcenterand/orakeydistributioncenterhavecentralpointsvulnerabletoattack.Discussthesecurityimplicationsofsuchcentralization.Thecentralpointsshouldbehighlyfault-tolerant,shouldbephysicallysecured,andshouldusetrustedhardware/software.Chapter3Public-Key CryptographyandMessageAuthenticationANSWERSNSWERSTOQUESTIONSListthreeapproachestomessageauthentication.Messageencryption,messageauthenticationcode,hashfunction.Anauthenticatorthatisacryptographicfunctionofboththedatatobeauthenticatedandasecretkey.BrieflydescribethethreeschemesillustratedinFigture3.2.(a)Ahashcodeiscomputedfromthesourcemessage,encryptedusingsymmetricencryptionandasecretkey,andappendedtothemessage.Atthereceiver,thesamehashcodeiscomputed.Theincomingcodeisdecryptedusingthesamekeyandcomparedwiththecomputedhashcode.(b)Thisisthesameprocedureasin(a)exceptthatpublic-keyencryptionisused;thesenderencryptsthehashcodewiththesender'sprivatekey,andthereceiverdecryptsthehashcodewiththesender'spublickey.(c)Asecretvalueisappendedtoamessageandthenahashcodeiscalculatedusingthemessageplussecretvalueasinput.Thenthemessage(withoutthesecretvalue)andthehashcodearetransmitted.Thereceiverappendsthesamesecretvaluetothemessageandcomputesthehashvalueoverthemessageplussecretvalue.Thisisthencomparedtothereceivedhashcode.Whatpropertiesmustahashfunctionhavetobeusefulformessageauthentication?Hcanbeappliedtoablockofdataofanysize.Hproducesafixed-lengthoutput.H(x)isrelativelyeasytocomputeforanygivenx,makingbothhardwareandsoftwareimplementationspractical.Foranygivenvalueh,itiscomputationallyinfeasibletofindxsuchthatH(x)=h.Thisissometimesreferredtointheliteratureastheone-wayproperty.Foranygivenblockx,itiscomputationallyinfeasibletofindy工xwithH(y)=H(x).Itiscomputationallyinfeasibletofindanypair(x,y)suchthatH(x)=H(y).Inthecontextofahashfunction,whatisacompressionfunction?Thecompressionfunctionisthefundamentalmodule,orbasicbuildingblock,ofahashfunction.Thehashfunctionconsistsofiteratedapplicationofthecompressionfunction.Whataretheprincipalingredientsofapublic-keycryptosystem?Plaintext:Thisisthereadablemessageordatathatisfedintothealgorithmasinput.Encryptionalgorithm:Theencryptionalgorithmperformsvarioustransformationsontheplaintext.Publicandprivatekeys:Thisisapairofkeysthathavebeenselectedsothatifoneisusedforencryption,theotherisusedfordecryption.Theexacttransformationsperformedbytheencryptionalgorithmdependonthepublicorprivatekeythatisprovidedasinput.Ciphertext:Thisisthescrambledmessageproducedasoutput.Itdependsontheplaintextandthekey.Foragivenmessage,twodifferentkeyswillproducetwodifferentciphertexts.Decryptionalgorithm:Thisalgorithmacceptstheciphertextandthematchingkeyandproducestheoriginalplaintext.Listandbrieflydefinethreeusesofapublic-keycryptosystem.Encryption/decryption:Thesenderencryptsamessagewiththerecipient'spublickey.Digitalsignature:Thesender"signs"amessagewithitsprivatekey.Signingisachievedbyacryptographicalgorithmappliedtothemessageortoasmallblockofdatathatisafunctionofthemessage.Keyexchange:Twosidescooperatetoexchangeasessionkey.Severaldifferentapproachesarepossible,involvingtheprivatekey(s)ofoneorbothparties.3.8Whatisthediffereneebetweenaprivatekeyandasecretkey?Thekeyusedinconventionalencryptionistypicallyreferredtoasasecretkey.Thetwokeysusedforpublic-keyencryptionarereferredtoasthepublickeyandtheprivatekey.3.9Whatisdigitalsignature?Adigitalsignatureisanauthenticationmechanismthatenablesthecreatorofamessagetoattachacodethatactsasasignature.Thesignatureisformedbytakingthehashofthemessageandencryptingthemessagewiththecreator'sprivatekey.Thesignatureguaranteesthesourceandintegrityofthemessage.Whatisapublic-keycertificate?Apubic-keycertificateconsistsofapublickeyplusaUserIDofthekeyowner,withthewholeblocksignedbyatrustedthirdparty.Typically,thethirdpartyisacertificateauthority(CA)thatistrustedbytheusercommunity,suchasagovernmentagencyorafinancialinstitution.Howcanpublic-keyencryptionbeusedtodistributeasecretkey?Severaldifferentapproachesarepossible,involvingtheprivatekey(s)ofoneorbothparties.OneapproachisDiffie-Hellmankeyexchange.Anotherapproachisforthesendertoencryptasecretkeywiththerecipient'spublickey.ANSWERSNSWERSTOPROBLEMSConsidera32-bithashfunctiondefinedastheconcatenationoftwo16-bitfunctions:XORandRXOR,definedinSection3.2as “twosimpiehashfunction.”Willthischecksumdetectallerrorscausedbyanoddnumberoferrorbits?Explain.Willthischecksumdetectallerrorscausedbyanevennumberoferrorbits?Ifnot,characterizetheerrorpatternsthatwillcausethechecksumtofail.Commentsontheeffectivenessofthisfunctionforuseahashfunctionsforauthentication.Yes.TheXORfunctionissimplyaverticalparitycheck.Ifthereisanoddnumberoferrors,thentheremustbeatleastonecolumnthatcontainsanoddnumberoferrors,andtheparitybitforthatcolumnwilldetecttheerror.NotethattheRXORfunctionalsocatchesallerrorscausedbyanoddnumberoferrorbits.EachRXORbitisafunctionofaunique"spiral"ofbitsintheblockofdata.Ifthereisanoddnumberoferrors,thentheremustbeatleastonespiralthatcontainsanoddnumberoferrors,andtheparitybitforthatspiralwilldetecttheerror.No.ThechecksumwillfailtodetectanevennumberoferrorswhenboththeXORandRXORfunctionsfail.Inorderforbothtofail,thepatternoferrorbitsmustbeatintersectionpointsbetweenparityspiralsandparitycolumnssuchthatthereisanevennumberoferrorbitsineachparitycolumnandanevennumberoferrorbitsineachspiral.Itistoosimpletobeusedasasecurehashfunction;findingmultiplemessageswiththesamehashfunctionwouldbetooeasy.SupposeH(m)isacollisionresistanthashfunctionthatmapsamessageofarbitrarybitlengthintoan n-bithashvalue.Isittruethat,forallmessagesx,x'withx孜',wehaveHX)工H<')?Explainyouranswer.

Thestatementisfalse.Suchafunctioncannotbeone-to-onebecausethenumberofinputstothefunctionisofarbitrary,butthenumberofuniqueoutputsis2n.Thus,therearemultipleinputsthatmapintothesameoutput.PerformencryptionanddecryptionusingtheRSAalgorithm,asinFigture3.9,forthefollowing:p=3;q=11;e=7;M=5p=5;q=11;e=3;M=9p=7;q=11;e=17;M=8p=11;q=13;e=11;M=7p=17;q=31;e=7;M=2.Hint:Decryptionisnotashardasyouthink;usesomefinesse.n=33;(n)=20;d=3;C=26.n=55;(n)=40;d=27;C=14.n=77;(n)=60;d=53;C=57.n=143;(n)=120;d=11;C=106.n=527;(n)=480;d=343;C=128.Fordecryption,wehave128343mod527=1282561286412816128412821281mod527=352563510147128=2mod527=2mod257C=10M?C=10M?InanRSAsystem,thepublickeyofagivenuserise=31,n=3599.Whatistheprivatekeyofthisuser?d=3031SupposewehaveasetofblocksencodedwiththeRSAalgorithmandwedon'thavetheprivatekey,Assumen=pq,eisthepublickey.Supposealsosomeonetellsustheyknowoneoftheplaintextblockshasacommonfactorwithn.Doesthishelpusinanyway?Yes.Ifaplaintextblockhasacommonfactorwithnmodulonthentheencodedblockwillalsohaveacommonfactorwithnmodulon.Becauseweencodeblocksthataresmallerthanpq,thefactormustbeporqandtheplaintextblockmustbeamultipleofporq.Wecantesteachblockforprimality.Ifprime,itisporq.Inthiscasewedivideintontofindtheotherfactor.Ifnotprime,wefactoritandtrythefactorsasdivisorsofn.q=11andaConsideraDiffie-Hellmanschemewithacommonprimeprimitiveroot a=2.q=11andaIfuserAhaspublickeyYA=9,whatisA 'sprivatekeyXA?IfuserBhaspublickeyYB=3,whatisthesharedsecretkeyK?XA=6K=3Chapter4AuthenticationApplicationsANSWERSNSWERSTOQUESTIONSWhatproblemwasKerberosdesignedtoaddress?TheproblemthatKerberosaddressesisthis:Assumeanopendistributedenvironmentinwhichusersatworkstationswishtoaccessservicesonserversdistributedthroughoutthenetwork.Wewouldlikeforserverstobeabletorestrictaccesstoauthorizedusersandtobeabletoauthenticaterequestsforservice.Inthisenvironment,aworkstationcannotbetrustedtoidentifyitsuserscorrectlytonetworkservices.WhatarethreethreatsassociatedwithuserauthenticationoveranetworkorInternet?Ausermaygainaccesstoaparticularworkstationandpretendtobeanotheruseroperatingfromthatworkstation.2.Ausermayalterthenetworkaddressofaworkstationsothattherequestssentfromthealteredworkstationappeartocomefromtheimpersonatedworkstation.3.Ausermayeavesdroponexchangesanduseareplayattacktogainentrancetoaserverortodisruptoperations.Listthreeapproachestosecureuserauthenticationinadistributedenvironment.4.8WhatisthepurposeoftheX.509standard?4.8WhatisthepurposeoftheX.509standard?Relyoneachindividualclientworkstationtoassuretheidentityofitsuserorusersandrelyoneachservertoenforceasecuritypolicybasedonuseridentification(ID).2.Requirethatclientsystemsauthenticatethemselvestoservers,buttrusttheclientsystemconcerningtheidentityofitsuser.3.Requiretheusertoproveidentityforeachserviceinvoked.Alsorequirethatserversprovetheiridentitytoclients.WhatfourrequirementsaredefinedforKerberos?Secure:Anetworkeavesdroppershouldnotbeabletoobtainthenecessaryinformationtoimpersonateauser.Moregenerally,Kerberosshouldbestrongenoughthatapotentialopponentdoesnotfindittobetheweaklink.Reliable:ForallservicesthatrelyonKerberosforaccesscontrol,lackofavailabilityoftheKerberosservicemeanslackofavailabilityofthesupportedservices.Hence,Kerberosshouldbehighlyreliableandshouldemployadistributedserverarchitecture,withonesystemabletobackupanother.Transparent:Ideally,theusershouldnotbeawarethatauthenticationistakingplace,beyondtherequirementtoenterapassword.Scalable:Thesystemshouldbecapableofsupportinglargenumbersofclientsandservers.Thissuggestsamodular,distributedarchitecture.Whatentitiesconstituteafull-serviceKerberosenvironment?Afull-serviceKerberosenvironmentconsistsofaKerberosserver,anumberofclients,andanumberofapplicationservers.InthecontextofKerberos,whatisarealm?Arealmisanenvironmentinwhich:1.TheKerberosservermusthavetheuserID(UID)andhashedpasswordofallparticipatingusersinitsdatabase.AllusersareregisteredwiththeKerberosserver.2.TheKerberosservermustshareasecretkeywitheachserver.AllserversareregisteredwiththeKerberosserver.Whataretheprincipaldiffereneebetweenversion4andversion5ofKerberos?Version5overcomessomeenvironmentalshortcomingsandsometechnicaldeficienciesinVersion4.X.509definesaframeworkfortheprovisionofauthenticationservicesbytheX.500directorytoitsusers.Thedirectorymayserveasarepositoryofpublic-keycertificates.Eachcertificatecontainsthepublickeyofauserandissignedwiththeprivatekeyofatrustedcertificationauthority.Inaddition,X.509definesalternativeauthenticationprotocolsbasedontheuseofpublic-keycertificates.Whatisachainofcertificates?Achainofcertificatesconsistsofasequeneeofcertificatescreatedbydifferentcertificationauthorities(CAs)inwhicheachsuccessivecertificateisacertificatebyoneCAthatcertifiesthepublickeyofthenextCAinthechain.HowisanX.509certificaterevoked?Theownerofapublic-keycanissueacertificaterevocationlistthatrevokesoneormorecertificates.ANSWERSNSWERSTOPROBLEMSShowthatarandomerrorinblockofciphertextispropagatedtoallsubsequentblocksofplaintextinPCBCmode(Figure4.9).AnerrorinCiaffectsPibecausetheencryptionofCisXORedwithIVtoproducePi.BothC1andPiaffectP2,whichistheXORoftheencryptionofC2withtheXORofCiandPi.Beyondthat,PN-isoneoftheXORedinputstoformingFN.The1988versionofX.509listspropertiesthatPSAkeysmustsatisfytobesecure,givencurrentknowledgeaboutthedifficultyoffactoringlargenumbers.Thediscussionconcludeswithaconstraintonthepublicexponentandthemodulusn:Itmustbeensuredthate>log2(n)topreventattackbytakingtheethrootmodntodisclosetheplaintext.Althoughtheconstraintiscorrect,thereasongivenforrequiringitisincorrect.Whatiswrongwiththereasongivenandwhatisthecorrectreason?Takingtheethrootmodnofaciphertextblockwillalwaysrevealtheplaintext,nomatterwhatthevaluesofeandnare.Ingeneralthisisaverydifficultproblem,andindeedisthereasonwhyRSAissecure.Thepointisthat,ifeistoosmall,thentakingthenormalintegerethrootwillbethesameastakingtheethrootmodn,andtakingintegerethrootsisrelativelyeasy.Chapter5ElectronicMailSecurityANSWERSNSWERSTOQUESTIONSWhatarethefiveprincipalservicesprovidedbyPGP?Authentication,confidentiality,compression,e-mailcompatibility,andsegmentationWhatistheutilityofadetachedsignature?Adetachedsignatureisusefulinseveralcontexts.Ausermaywishtomaintainaseparatesignaturelogofallmessagessentorreceived.Adetachedsignatureofanexecutableprogramcandetectsubsequentvirusinfection.Finally,detachedsignaturescanbeusedwhenmorethanonepartymustsignadocument,suchasalegalcontract.Eachperson'ssignatureisindependentandthereforeisappliedonlytothedocument.Otherwise,signatureswouldhavetobenested,withthesecondsignersigningboththedocumentandthefirstsignature,andsoon.WhydoesPGPgenerateasignaturebeforeapplyingcompression?Itispreferabletosignanuncompressedmessagesothatonecanstoreonlytheuncompressedmessagetogetherwiththesignatureforfutureverification.Ifonesignedacompresseddocument,thenitwouldbenecessaryeithertostoreacompressedversionofthemessageforlaterverificationortorecompressthemessagewhenverificationisrequired.b.Evenifonewerewillingtogeneratedynamicallyarecompressedmessageforverification,PGP'scompressionalgorithmpresentsadifficulty.Thealgorithmisnotdeterministic;variousimplementationsofthealgorithmachievedifferenttradeoffsinrunningspeedversuscompressionratioand,asaresult,producedifferentcompressedforms.However,thesedifferentcompressionalgorithmsareinteroperablebecauseanyversionofthealgorithmcancorrectlydecompresstheoutputofanyotherversion.ApplyingthehashfunctionandsignatureaftercompressionwouldconstrainallPGPimplementationstothesameversionofthecompressionalgorithm.WhatisR64conversion?R64convertsaraw8-bitbinarystreamtoastreamofprintableASCIIcharacters.EachgroupofthreeoctetsofbinarydataismappedintofourASCIIcharacters.WhyisR64conversionusefulforane-mailapplication?WhenPGPisused,atleastpartoftheblocktobetransmittedisencrypted.Ifonlythesignatureserviceisused,thenthemessagedigestisencrypted(withthesender'sprivatekey).Iftheconfidentialityserviceisused,themessageplussignature(ifpresent)areencrypted(withaone-timesymmetrickey).Thus,partoralloftheresultingblockconsistsofastreamofarbitrary8-bitoctets.However,manyelectronicmailsystemsonlypermittheuseofblocksconsistingofASCIItext.WhyisthesegmentationandreassemblyfunctioninPGPneeded?E-mailfacilitiesoftenarerestrictedtoamaximummessagelength.HowdoesPGPusetheconceptoftrust?PGPincludesafacilityforassigningaleveloftrusttoindividualsignersandtokeys.WhatisRFC822?RFC822definesaformatfortextmessagesthataresentusingelectronicmail.WhatisMIME?MIMEisanextensiontotheRFC822frameworkthatisintendedtoaddresssomeoftheproblemsandlimitationsoftheuseofSMTP(SimpleMailTransferProtocol)orsomeothermailtransferprotocolandRFC822forelectronicmail.WhatisS/MIME?S/MIME(Secure/MultipurposeInternetMailExtension)isasecurityenhancementtotheMIMEInternete-mailformatstandard,basedontechnologyfromRSADataSecurity.ANSWERSNSWERSTOPROBLEMSInthePGPscheme,whatistheexpectednumberofsessionkeysgeneratedbeforeapreviouslycreatedkeyisproduced?ThisisjustanotherformofthebirthdayparadoxdiscussedinAppendix11A.Letusstatetheproblemasoneofdeterminingwhatnumberofsessionkeysmustbegeneratedsothattheprobabilityofaduplicateisgreaterthan0.5.FromEquation(11.6)inAppendix11A,wehavetheapproximation:k1.18nFora128-bitkey,thereare228possiblekeys.Thereforek1.1821281.18264Thefirst16bitsofthemessagedigestinaPGPsignaturearetranslatedintheclear.Towhatextentdoesthiscompromisethesecurityofthehashalgorithm?Towhatextentdoesitinfactperformitsintendedfunction,namely,tohelpdetermineifthecorrectRSAkeywasusedtodecryptthedigest?Notatall.Themessagedigestisencryptedwiththesender'sprivatekey.Therefore,anyoneinpossessionofthepublickeycandecryptitandrecovertheentiremessagedigest.Theprobabilitythatamessagedigestdecryptedwiththewrongkeywouldhaveanexactmatchinthefirst16bitswiththeoriginalmessagedigestis2 -6.InFigure5.4,eachentryinthepublic-keyringcontainsanownertrustfieldthatindicatesthedegreeoftrustassociatedwiththispublic-keyowner.Whyisthatnotenough?Thatis,ifthisowneristrustedandthisissupposedtobetheowner'spublickey,whyisnotthattrustenoughtopermitPGPtousethispublickey?Wetrustthisowner,butthatdoesnotnecessarilymeanthatwecantrustthatweareinpossessionofthatowner'spublickey.Considerradix-64conversionasaformofencryption.Inthiscase,thereisnokey.ButsupposethatanopponentknewonlythatsomeformofsubstitutionalgorithmwasbeingusedtoencryptEnglishtextanddidnotguessitwasR64.Howeffectivewouldthisalgorithmbeagainstcryptanalysis?Itcertainlyprovidesmoresecuritythanamonoalphabeticsubstitution.Becausewearetreatingtheplaintextasastringofbitsandencrypting6bitsatatime,wearenotencryptingindividualcharacters.Therefore,thefrequencyinformationislost,oratleastsignificantlyobscured.PhilZimmermannchoseIDEA,three-keytripleDES,andCAST-128assymmetricencryptionalgorithmsforPGP.Gi