Bob runs a social network web server that requires users, such as Alice, to log in. He wants to use cryptography to protect Alices account. However, he doesnt understand cryptography very well. For each of the below uses of cryptography, identify his mistake, and explain what he should do instead.

(a) [4 points] Bob obtains a public/private encryption key pair using RSA. When Alice visits his site, Alice generates a 128-bit secret key, encrypts it using Bobs 128- bit public key, and sends it to Bob. Alice and Bob can now use AES (128 bits) to communicate, so they can also use a SHA-256 HMAC to authenticate their messages.

(b) [4 points] To establish trust, Bob asks a CA to sign his private RSA key using the CAs private ECC key. The CAs public ECC key is in Alices browser, so Alice can verify Bobs key automatically when she visits his site, even though she does not explicitly know who the CA is.

(c) [4 points] For Alices login, Bob requires Alice to hash and salt her password on the client side using SHA-3, and then send it to Bob using 128-bit AES. Then, Bob will store Alices hashed password and the salt in his database. In future attempts, Alice can use the same hashed password and salt to login.

(d) [4 points] To store Alices password securely, Bob uses AES encryption with a secret key and a 64-bit IV to encrypt her password. A CRC32 checksum is used to ensure correctness against random bit flip errors.