• CBC mode with DES and return the last 48 bits of the last block.
• IV = 0 vector.

• Same as CBC mode, last step has extra XOR with the key as well.
• IV again 0 vector.

• Do CMAC on a nonce, metadata, and plaintext to get T.
• Do CTR encryption, and encrypt 0th counter with the same key and XOR with T.

• ipad = 0x36 repeated b/8 times.
• opad = 0x5c repeated b/8 times.
• K' = Key padded with zeros on the left.
• Step 1: H₁ = H[(K' ^ ipad) || M]
• Step 2: H₂ = H[K' ^ opad || H₁]

• S is a hash only secret key.
• LOT OF RSA encryption
• M || E[K, H(M||S)] (message in cleartext, repudiation possible)
• E[K, M || H(M||S)] (repudiation possible)
• M || RSA[PR_A, H(M||S)] (cleartext, hash is known to attacker, non-repudiable cuz private keys were used)
• E[K,M] || RSA[PR_A, H(M||S)] (cleartext, hash known to attacker, non-repudiable)
• E[K, M || RSA[PR_A, H(M||S)]] (same as above but more overhead)

Key exchange using RSA:

• RSA[PU_B, K_S] || E[K_S, M] || RSA[PR_A, H(M||S)] (all's good)
• RSA[PU_B, K_S] || E[K_S, M || RSA[PR_A, H(M||S)]] (double-enc overhead)

• Public parameters are a prime \(p\), \(q\) which is a divisor of \(p - 1\), and \(g = h^{\frac{p-1}{q}} \mod p\) where \(h\) is any integer below \(p - 1\).
• Private key, a random \(x, 0 < x < q\), public key, \(y = g^x \mod p\)
• Signing and verification are too complex for my smooth brain to wrap my head around.