1

Intro To EncryptionExercise 8

2

Simple MAC Functions

MACk(x)=int(x||k mod 232) For any k>232 any x is a forgery K is exposed so we can calculate any x

For exposing k we need known x

MACk(x)=(x[0…15]+k) (x[16…31]+k) Any symmetrical message can be forged (result 0)

for any k Some other vulnerabilities may exist

MACk(x)=x*(32567+k) mod 32767 Simply forge: x’=x+(32767) holds for any k

3

Simple MAC Functions

MACk(x)=int(32768*fraction(x*a+k*b)) ))where 0<a,b<1 For very low values of a and b the forgery is simpler,

x’=x+1 For higher values, x’ should be larger(or smaller) with

a smaller Delta(ADV knows a and b) The problem is that int looses precision

4

Problem

Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code).

Namely, they send Encrypt(Message||Hash(Message)),and hope that in so doing, they achieve encryption and authentication together.

Show that this design is insecure (an attacker can modify a message and it would still be considered authentic).

Hint: this is easy to show, when using one-time-pad or OFB mode encryption.

5

Solution

Assuming OTP is used and ADV knows some information about the message.

ADV knows the algorithm, so knows which hash function is used.

Knowing so, he can figure out the key encrypting the message (known plain text).

Since he knows the message and hash of the message, he can figure out the key encrypting the hash.

ADV can now calculate new message and new hash for the message and replace them.

6

Solution

ADV’s playout: km=mcm (revealing the key of m)

kh(m)=h(m) ch(m)

Forge: m’km||h(m’)kh(m)

This is a poor MAC because it isn’t even immune to KMA.

7

Using MAC: Shared Key Mutual Authentication Model: Alice and Bob share secret master key k

Goals Mutual authentication: Alice knows it talked with Bob and

vice verse. Parties may also send a message; prevent replays. Allow multiple concurrent connections. Either party can initiate.

Basic problem, appears (and is) easy …but also easy to do wrong

8

Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989) SNA – IBM’s Secure Network Architecture

Predominant network protocol till late eighties Protocol: (Na, Nb - randomly chosen nonces)

9

Attack on SNA LU6.2 Authentication Idea: Eve opens two connections with Bob…

sending Nb to Bob in 2nd connection to get Ek(Nb)

10

Conclusions & Thumb-rules Prevent re-direction of message to sender

Identify party in challenge Prevent re-direction of flow i to flow ji

Ensure different flows are easily distinguished Prevent use of old challenge

Select new random challenge (nonce) or time Do not compute values chosen by Adversary

Include self-chosen nonce in the protected reply Authenticate with MAC, not encryption

11

Two Party Protocol (2PP) [BGH*93]

Fixed SNA protocol Use MAC rather than encryption to authenticate Separate 2nd and 3rd flows – 3 vs. 2 input blocks Include identities (A,B) to prevent redirections Proof of security: from MAC properties (Claim 1)

See [BR93] for definition and proof

12

Authenticating messages Optionally, authenticate messages mA, mB by

including their hash in the MAC inputs To authenticate many messages (in order):

Add sequence numbers Can use same nonces for multiple messages

13

Efficient Implementation with CBC MAC Assume: one block per parameter MACk(Na,Nb)= Ek(Nb+Ek(Na)) MACk(Na,Nb,B)=Ek(A||B+ Ek(Nb+Ek(Na))) Potential reuse: MACk(Na,Nb,B)=Ek(B+ MACk(Na,Nb))

Only three `block operations` for entire protocol Suggested in [BGH*93]

Alice Bob

Na

Nb, Ek(A||B+Ek(Nb+Ek(Na)))

Ek(Nb+Ek(Na))

14

Implementation with CBC MAC Is this secure?

Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free

But here 3rd flow is prefix of 2nd flow – not prefix free!

Seems secure… but I’m not aware of proof

Alice Bob

Na

Nb, Ek(A||B+Ek(Nb+Ek(Na)))

Ek(Nb+Ek(Na))

15

Question: can 2PP authenticate users? Is 2PP secure using a password for the key k? Problems:

Password is not uniformly distributed Limited number of common passwords – attacker can

guess (Dictionary attack)

16

Problem

A proposal is made to perform hybrid authentication, in the same manner as hybrid encryption, but authenticating the message using MAC instead of encrypting it.

Namely the sender selects key randomly and sends CipherKey=EncryptPUB(key) as in Figure 5.1, but appends to it msg, MACkey(msg) for authenticating message msg.

Criticize: Is this solution secure? Is there a better way to authenticate a long message with a single public key encryption operation?

17

Solution Mackey(msg) may provide ADV information

about msg. Why?

MAC requirements don’t require privacy.

A possible solution may be Encryptpub(msg||mackey(msg))

What may be the possible problems with the following scheme? Performance wise it may be preferred to compute

the following Mackey(Encryptpub(msg)), Encryptpub(msg) why?

18

Problem

is it secure to use the same RSA modulus N=pq for multiple users, keeping q and p secret and giving each user x just his private key d_x?

19

Solution NO!!! (fact from lecture) Fact : d must be roughly the size of n Fact: e may be small (or not)

If e is only co-prime to (n) it is easier to find (n) Fact: de=1 mod((n)) The parties know: e,d,n The parties don’t know: p,q,(n) de=(n)+1. Finding isn’t trivial but it is possible. See sketch proof in

handbook of applied cryptography

20

Explenation

How come de=(n)+1? Little Fermat: m(p-1)mod p=1 (p is prime) Euler: m((p-1)(q-1))mod n=1

(p,q are primes, n=pq) m*m((p-1)(q-1))mod n=m m1*m((p-1)(q-1))mod n=m m((p-1)(q-1)+1)mod n=m

ed=((p-1)(q-1)+1)=(n)+1

21

Problem

In RSA, given that the primes p and q are approximately same size, approximately how big is phi(n) compared to n?

22

Solution

Since for simplicity we may assume pq. This means n=p*p=p2

Since (n)=(p-1)(q-1)(p-1)2p2-2p+1 Meaning (n)n-2p O(n)

23

Problem

The following protocol is proposed for sending a secret message and acknowledging its receipt:

send message: A -> B: E_B(m) [message m encrypted with B's public key]

send acknowledgement: B -> A: E_A(m) This protocol is secure against a passive attacker,

but not against an active attacker. Why? Propose a fix. (hint: the attacker C is a valid party,

i.e. A and B may send and receive messages to C using the above protocol)

24

Solution Flaws:

Charlie may listen on the wire and transmit to Bob:C -> B : E_B(m)

Bob replies to Charlie:B -> C : m

Fix: Alice sends a random challenge with the message

A -> B: E_B(m,r) Bob replies

B -> A: r

25

Problem

Suppose that Eve discovers a polynomial-time algorithm that, given RSA encryption of m, say Ea(m) for a random message m, has a 1% probability of returning m and a 99% probability of returning "Sorry, I failed to break it for this input".

Show that Eve can, within polynomial time, decipher almost all messages.

26

Solution

Problem with RSA multiplicative properties ERSA(m1)=m1

e mod n

ERSA(m2)=m2e mod n

ERSA(m1 m2)=(m1 m2 )e mod n=

=(m1e mod n)(m2

e mod n) mod n

ERSA(m1 m2)= ERSA (m1) ERSA(m2)

Meaning Eve can start multiplying ERSA(m1) After the more she multiplies the better chance she has.

She need a polynomial times multiplication. Then what?

27

Solution

After I multiplications Eve receives mi. Eve only needs to calculate the Ith root of m.