1 intro to encryption exercise 8. 2 simple mac functions mac k (x)=int(x||k mod 2 32 ) for any...
Post on 21-Dec-2015
215 views
TRANSCRIPT
1
Intro To EncryptionExercise 8
2
Simple MAC Functions
MACk(x)=int(x||k mod 232) For any k>232 any x is a forgery K is exposed so we can calculate any x
For exposing k we need known x
MACk(x)=(x[0…15]+k) (x[16…31]+k) Any symmetrical message can be forged (result 0)
for any k Some other vulnerabilities may exist
MACk(x)=x*(32567+k) mod 32767 Simply forge: x’=x+(32767) holds for any k
3
Simple MAC Functions
MACk(x)=int(32768*fraction(x*a+k*b)) ))where 0<a,b<1 For very low values of a and b the forgery is simpler,
x’=x+1 For higher values, x’ should be larger(or smaller) with
a smaller Delta(ADV knows a and b) The problem is that int looses precision
4
Problem
Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code).
Namely, they send Encrypt(Message||Hash(Message)),and hope that in so doing, they achieve encryption and authentication together.
Show that this design is insecure (an attacker can modify a message and it would still be considered authentic).
Hint: this is easy to show, when using one-time-pad or OFB mode encryption.
5
Solution
Assuming OTP is used and ADV knows some information about the message.
ADV knows the algorithm, so knows which hash function is used.
Knowing so, he can figure out the key encrypting the message (known plain text).
Since he knows the message and hash of the message, he can figure out the key encrypting the hash.
ADV can now calculate new message and new hash for the message and replace them.
6
Solution
ADV’s playout: km=mcm (revealing the key of m)
kh(m)=h(m) ch(m)
Forge: m’km||h(m’)kh(m)
This is a poor MAC because it isn’t even immune to KMA.
7
Using MAC: Shared Key Mutual Authentication Model: Alice and Bob share secret master key k
Goals Mutual authentication: Alice knows it talked with Bob and
vice verse. Parties may also send a message; prevent replays. Allow multiple concurrent connections. Either party can initiate.
Basic problem, appears (and is) easy …but also easy to do wrong
8
Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989) SNA – IBM’s Secure Network Architecture
Predominant network protocol till late eighties Protocol: (Na, Nb - randomly chosen nonces)
9
Attack on SNA LU6.2 Authentication Idea: Eve opens two connections with Bob…
sending Nb to Bob in 2nd connection to get Ek(Nb)
10
Conclusions & Thumb-rules Prevent re-direction of message to sender
Identify party in challenge Prevent re-direction of flow i to flow ji
Ensure different flows are easily distinguished Prevent use of old challenge
Select new random challenge (nonce) or time Do not compute values chosen by Adversary
Include self-chosen nonce in the protected reply Authenticate with MAC, not encryption
11
Two Party Protocol (2PP) [BGH*93]
Fixed SNA protocol Use MAC rather than encryption to authenticate Separate 2nd and 3rd flows – 3 vs. 2 input blocks Include identities (A,B) to prevent redirections Proof of security: from MAC properties (Claim 1)
See [BR93] for definition and proof
12
Authenticating messages Optionally, authenticate messages mA, mB by
including their hash in the MAC inputs To authenticate many messages (in order):
Add sequence numbers Can use same nonces for multiple messages
13
Efficient Implementation with CBC MAC Assume: one block per parameter MACk(Na,Nb)= Ek(Nb+Ek(Na)) MACk(Na,Nb,B)=Ek(A||B+ Ek(Nb+Ek(Na))) Potential reuse: MACk(Na,Nb,B)=Ek(B+ MACk(Na,Nb))
Only three `block operations` for entire protocol Suggested in [BGH*93]
Alice Bob
Na
Nb, Ek(A||B+Ek(Nb+Ek(Na)))
Ek(Nb+Ek(Na))
14
Implementation with CBC MAC Is this secure?
Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free
But here 3rd flow is prefix of 2nd flow – not prefix free!
Seems secure… but I’m not aware of proof
Alice Bob
Na
Nb, Ek(A||B+Ek(Nb+Ek(Na)))
Ek(Nb+Ek(Na))
15
Question: can 2PP authenticate users? Is 2PP secure using a password for the key k? Problems:
Password is not uniformly distributed Limited number of common passwords – attacker can
guess (Dictionary attack)
16
Problem
A proposal is made to perform hybrid authentication, in the same manner as hybrid encryption, but authenticating the message using MAC instead of encrypting it.
Namely the sender selects key randomly and sends CipherKey=EncryptPUB(key) as in Figure 5.1, but appends to it msg, MACkey(msg) for authenticating message msg.
Criticize: Is this solution secure? Is there a better way to authenticate a long message with a single public key encryption operation?
17
Solution Mackey(msg) may provide ADV information
about msg. Why?
MAC requirements don’t require privacy.
A possible solution may be Encryptpub(msg||mackey(msg))
What may be the possible problems with the following scheme? Performance wise it may be preferred to compute
the following Mackey(Encryptpub(msg)), Encryptpub(msg) why?
18
Problem
is it secure to use the same RSA modulus N=pq for multiple users, keeping q and p secret and giving each user x just his private key d_x?
19
Solution NO!!! (fact from lecture) Fact : d must be roughly the size of n Fact: e may be small (or not)
If e is only co-prime to (n) it is easier to find (n) Fact: de=1 mod((n)) The parties know: e,d,n The parties don’t know: p,q,(n) de=(n)+1. Finding isn’t trivial but it is possible. See sketch proof in
handbook of applied cryptography
20
Explenation
How come de=(n)+1? Little Fermat: m(p-1)mod p=1 (p is prime) Euler: m((p-1)(q-1))mod n=1
(p,q are primes, n=pq) m*m((p-1)(q-1))mod n=m m1*m((p-1)(q-1))mod n=m m((p-1)(q-1)+1)mod n=m
ed=((p-1)(q-1)+1)=(n)+1
21
Problem
In RSA, given that the primes p and q are approximately same size, approximately how big is phi(n) compared to n?
22
Solution
Since for simplicity we may assume pq. This means n=p*p=p2
Since (n)=(p-1)(q-1)(p-1)2p2-2p+1 Meaning (n)n-2p O(n)
23
Problem
The following protocol is proposed for sending a secret message and acknowledging its receipt:
send message: A -> B: E_B(m) [message m encrypted with B's public key]
send acknowledgement: B -> A: E_A(m) This protocol is secure against a passive attacker,
but not against an active attacker. Why? Propose a fix. (hint: the attacker C is a valid party,
i.e. A and B may send and receive messages to C using the above protocol)
24
Solution Flaws:
Charlie may listen on the wire and transmit to Bob:C -> B : E_B(m)
Bob replies to Charlie:B -> C : m
Fix: Alice sends a random challenge with the message
A -> B: E_B(m,r) Bob replies
B -> A: r
25
Problem
Suppose that Eve discovers a polynomial-time algorithm that, given RSA encryption of m, say Ea(m) for a random message m, has a 1% probability of returning m and a 99% probability of returning "Sorry, I failed to break it for this input".
Show that Eve can, within polynomial time, decipher almost all messages.
26
Solution
Problem with RSA multiplicative properties ERSA(m1)=m1
e mod n
ERSA(m2)=m2e mod n
ERSA(m1 m2)=(m1 m2 )e mod n=
=(m1e mod n)(m2
e mod n) mod n
ERSA(m1 m2)= ERSA (m1) ERSA(m2)
Meaning Eve can start multiplying ERSA(m1) After the more she multiplies the better chance she has.
She need a polynomial times multiplication. Then what?
27
Solution
After I multiplications Eve receives mi. Eve only needs to calculate the Ith root of m.