Chapter 3 Β· Tricks & Performance

Trick Questions & Performance Tasks

Common exam traps for Non-Repudiation.

⚠️ Think before you reveal. Form your answer mentally first.

🎯 Trick 1 β€” Key Direction Reversal

"Bob receives a message signed by Alice. He uses Alice's public key to verify it. Could Bob have used Alice's public key to FORGE a new signature from Alice?"

No β€” absolutely not. The public key can ONLY decrypt (verify) signatures. To create (forge) a signature, you need Alice's private key. Since only Alice has her private key, forgery is mathematically infeasible. This is the entire foundation of non-repudiation.

🎯 Trick 2 β€” Hashing vs. Integrity vs. Non-Repudiation

Question says: "Which provides non-repudiation?" Options include both "Hashing" and "Digital Signature." Students often choose Hashing since it's about data integrity. Which is correct?

Digital Signature provides non-repudiation. Hashing alone does not.

Non-repudiation requires BOTH integrity (cannot deny the data was unchanged) AND origin (cannot deny who sent it). Hashing only covers integrity. The digital signature adds origin via the private key. Always pair non-repudiation with digital signatures, not hashing alone.

🎯 Trick 3 β€” Does the Message Need to Be Encrypted?

"Alice sends Bob a digitally signed message. She does NOT encrypt the plaintext. Bob receives both the plaintext and the signature. Is the digital signature still valid and meaningful?"

Yes β€” completely valid. Digital signatures work independently of message encryption. The signature is an encrypted hash β€” it provides integrity and origin proof regardless of whether the message itself is encrypted. The two are separate concerns:

β€’ Encrypt message β†’ Confidentiality
β€’ Sign message β†’ Non-repudiation (Integrity + Origin)

You can do one, both, or neither, independently.

🎯 Trick 4 β€” Authentication vs. Non-Repudiation

Both authentication and non-repudiation involve verifying identity. What's the difference?

Authentication = proving identity at login time. Non-repudiation = proving identity for a specific action after the fact.

When you log in with a password, you authenticate. But if someone later questions whether YOU made a specific transaction, authentication alone doesn't help β€” you need non-repudiation (a digital signature that proves the specific message came from you at a specific time).

🎯 Performance Task β€” Walk the Process

Alice sends Bob "Transfer $10,000 to account 12345." Walk through every step of the digital signature process Alice and Bob perform. Identify exactly what each step proves.

Alice (Sender):
1. Writes plaintext: "Transfer $10,000 to account 12345"
2. Runs SHA-256 on the plaintext β†’ gets hash "a3f9..."
3. Encrypts "a3f9..." with Alice's private key β†’ digital signature
4. Sends: plaintext + digital signature

Bob (Receiver):
5. Receives plaintext + signature
6. Decrypts signature using Alice's public key β†’ recovers "a3f9..."
7. Runs SHA-256 on received plaintext β†’ gets hash "a3f9..."
8. Compares: "a3f9..." = "a3f9..." βœ…

What's proven: Message wasn't altered (integrity). Had to come from Alice β€” only her private key could produce a signature her public key verifies (origin). Alice cannot deny sending it (non-repudiation).

🎯 Trick 5 β€” SHA-256 Collision Risk

"An attacker could find two different messages that produce the same SHA-256 hash and use a collision to forge non-repudiation." Is this a realistic threat?

No β€” SHA-256 collisions are computationally infeasible.

SHA-256 produces a 256-bit hash. Finding a collision would require approximately 2^128 operations β€” more than the number of atoms in the observable universe. This would take longer than the age of the universe even with all computing power on Earth. Older algorithms (MD5, SHA-1) DO have known collision vulnerabilities and should not be used for non-repudiation.