Problems for week 5-6, Cryptography
1. Verify that the method described in lecture 11 for verifying RSA-PSS signatures is correct.

2. Peggy and Victor use the Schnorr identification protocol. Peggy happens to use the same r in two different executions of the protocol. Can Victor learn anything about x?

3. Alice and Bob have invented the following protocol for sending a message securely from A to B. The protocol is based on the ideas of the one-time pad, but without a common, shared secret. Instead, for each message, both A and B invent a random nonce and execute the following protocol to send message M from A to B:

   1. A → B : M_1 = M ⊕ N_A
   2. B → A : M_2 = M_1 ⊕ N_B
   3. A → B : M_2 ⊕ N_A

   Here, we extend our protocol notation to give names to an entire message, M_1 = . . .. Only the message on the right-hand side is sent, but the left-hand side can be used to refer to the message content in subsequent messages.

   (a) Show that B can recover M.
   (b) Is the system secure?

4. Alice and Bob have a shared secret k and have decided to use it in the following protocol, which enables Alice to identify Bob as the party at the other end.

   1. Alice picks a random bit string r and sends it as a challenge to Bob.
   2. Bob responds with r ⊕ k.

   Alice’s and Bob’s analysis of the protocol is this: The protocol does indeed provide identification, since Alice can check that the sender of message 2 knows k. It is also secure, since only random numbers are ever sent on the communication channel.

   (a) How does Alice check that the sender of message 2 knows k?
   (b) Do you agree with Alice and Bob about the security of their protocol? Motivate your answer!

5. Your organisation is using the Fiat-Shamir identification protocol (see slides for lecture 9). Victor shows you what he claims is a transcript of a protocol run where Peggy has proved her knowledge of x. However, you do not trust Victor; why will the transcript not convince you?

6. An organization uses a public key encryption scheme E where each user has a key pair (e, d). Here e is the public encryption key and d is the private decryption key. Further, the organization has devised the following protocol, where each receiver acknowledges receipt of a message:

   1. A → B : A, B, E_eB(m).
   2. B → A : B, A, E_eA(m).
   A wants to send message m to B and therefore sends B a message containing the names of the two parties and the message encrypted for B. B acknowledges the message by first decrypting the last part to recover m and then sending back a similarly structured message to A, but with the roles of the two parties interchanged. A can now decrypt the last part, check that she gets m and conclude that B has indeed received m.

   (a) This protocol is not secure against adversaries within the organization. More precisely, consider an adversary who himself has a key pair and can send messages and get them acknowledged. Show that if he, by eavesdropping, gets access to the two messages sent in a protocol run between A and B, he can go on to recover m.
   (b) Both messages in the protocol have the structure S, R, E_eR(m), where S denotes Sender and R denotes Receiver of the message. It is proposed to modify the message structure to S, R, E_eR(m||X) for some suitable X. For each of the following three proposals for X, explain why or why not it prevents the attack from (a).
      i. X = S.
      ii. X = R.
      iii. X = message number within the run, i.e. X = 1 for the first message and X = 2 for the second.
7. We consider here the Blum-Goldwasser public-key stream cipher. A simplified version of this scheme goes as follows.

   Alice chooses p, q to be primes both congruent to 3 modulo 4 and N = p · q. N is her public key; p and q are private.

   To encrypt a message m of length n bits for Alice, Bob first generates a bitstream as follows. He chooses a random seed s and computes

      x_0 = s
      x_{n+1} = x_n^2 mod N.

   The bitstream is b_2 b_3 . . . b_{n+1}, where b_k is the least significant bit of x_k. Then Bob encrypts m by bitwise xor, c = m ⊕ b_2 b_3 . . . b_{n+1}. Note that the least significant bits of the first two x_i are not used. Finally, he sends to Alice the pair (x_n, c). The first component differs from the secret-key stream ciphers as discussed in lecture 11; the point is that s is not a shared secret between Alice and Bob. Instead, Alice (and only Alice) can use x_n to recover x_2, which is what she needs to recreate the bitstream. Let us show this:

   (a) Assume Alice receives (x, c). As a first step, she computes d such that d · 2^n mod Φ(N) = 4, where n is the length of c. Show that she can do this. (Note also that if message lengths are known she can precompute d and store it as part of her private key.)
   (b) Show that x^d = x_2.
   (c) How does Alice decrypt the message?
   (d) Why can the adversary not decrypt the message?
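As an added worked example (not part of the problem set), here is the simplified Blum-Goldwasser scheme of problem 7 in Python. The primes p = 499 and q = 547 (both ≡ 3 mod 4), the seed, the message bits and all function names are constructed for this example; real Blum integers are hundreds of digits long.

```python
# Added worked example for problem 7 (not from the problem set itself).
# Constructed toy parameters: both primes are congruent to 3 modulo 4.
# Real Blum integers have hundreds of digits; these are for illustration only.
import secrets
from math import gcd

P, Q = 499, 547           # constructed Blum primes (P % 4 == Q % 4 == 3)
N = P * Q                 # Alice's public key
PHI = (P - 1) * (Q - 1)   # Phi(N), known only to Alice


def bbs_stream(seed, n, N=N):
    """Bob's keystream: x_0 = seed, x_{k+1} = x_k^2 mod N.
    Returns (x_n, [b_2, ..., b_{n+1}]) with b_k = lsb(x_k); the low bits
    of x_0 and x_1 are deliberately not used, as the exercise states."""
    x = seed % N
    x_n, bits = None, []
    for k in range(1, n + 2):       # produces x_1 ... x_{n+1}
        x = x * x % N
        if k == n:
            x_n = x                 # the value sent alongside the ciphertext
        if k >= 2:
            bits.append(x & 1)
    return x_n, bits


def encrypt(msg_bits, seed=None, N=N):
    """Bob: choose a random seed s coprime to N, xor the keystream onto the
    message bits and send the pair (x_n, c)."""
    n = len(msg_bits)
    if seed is None:
        while True:
            seed = secrets.randbelow(N - 2) + 2
            if gcd(seed, N) == 1:   # gcd 1 is what makes s^Phi(N) = 1 (Euler)
                break
    x_n, stream = bbs_stream(seed, n, N)
    return x_n, [m ^ b for m, b in zip(msg_bits, stream)]


def trapdoor_exponent(n, phi=PHI):
    """Part (a): d with d * 2^n mod Phi(N) = 4.
    With p, q = 3 (mod 4), Phi(N) = 4*m for an odd m, so 2^(n-2) is invertible
    modulo m; d = (2^(n-2))^-1 mod m gives d * 2^n = 4 * (1 + j*m) = 4 mod 4m.
    Alice can precompute d for each message length she expects."""
    m = phi // 4
    if phi % 4 != 0 or m % 2 == 0:
        raise ValueError("Phi(N) must be 4 times an odd number")
    d = pow(pow(2, n - 2, m), -1, m)
    assert (d * pow(2, n)) % phi == 4
    return d


def decrypt(x_n, c, phi=PHI, N=N):
    """Alice: x_2 = x_n^d mod N (part (b)), because x_n = s^(2^n) and
    2^n * d = 4 + j*Phi(N) collapses to s^4 = x_2 by Euler's theorem.
    From x_2 she regenerates b_2 ... b_{n+1} and xors it off c (part (c))."""
    n = len(c)
    d = trapdoor_exponent(n, phi)
    x = pow(x_n, d, N)              # this is x_2
    stream = []
    for _ in range(n):
        stream.append(x & 1)
        x = x * x % N
    return [ci ^ b for ci, b in zip(c, stream)]


if __name__ == "__main__":
    msg = [int(b) for b in "1011001110001111"]   # constructed 16-bit message
    x_n, c = encrypt(msg)
    assert decrypt(x_n, c) == msg
    print("round trip ok; ciphertext bits:", "".join(map(str, c)))
```

The `trapdoor_exponent` step is the only place Φ(N) is used, which is the point of part (d): an eavesdropper holds N, x_n and c but not Φ(N), so it cannot form d, and going from x_n back to x_2 without d means extracting iterated square roots modulo N, which for a Blum integer is as hard as factoring N.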
8. (Requires material from lecture 12.) The bitstream generator in the previous exercise is called the Blum-Blum-Shub generator and is very well-known. It has been proved to be cryptographically secure. What is its advantage over the RSA bitstream generator?

9. We recall the CBC mode of encryption of a message M = M_1 M_2 M_3 . . . M_n, where M_i is block number i of M. Then the encrypted message is C_0 C_1 C_2 . . . C_n, where

      C_0 = IV
      C_i = E_K(M_i ⊕ C_{i−1}), i = 1, 2, . . . n.

   Now we consider the following beginning of a protocol:

   1. A → B : N_A
   2. B → A : {N_A, K}_KAB.

   We do not need to know more about the protocol (which may contain further messages) than the following:

   • A and B share a long-term AES key K_AB; the notation {. . .}_KAB denotes encryption of . . . using AES in CBC mode (block size 128 bits).
   • N_A is a 128 bit nonce chosen by A and K is a 128 bit session key chosen by B.

   In the second message, B includes N_A to ensure freshness and K as a session key for the session just started. When A receives the second message, she thus concludes that B is alive at the other end and has just chosen a fresh session key K.

   Now consider the following scenario: The adversary C eavesdrops on a run of this protocol between A and B and stores the messages sent. Because of an unspecified mistake by A or B (outside the protocol), C gets hold of K and can of course read all subsequent messages in the session. But the situation is worse than that, as we shall see.

   Let message 2 in the run described above be C_0 C_1 C_2 (three blocks; the IV and two encrypted blocks).

   The next day, A and B initiate a new session. C again eavesdrops and now intercepts the second message C′_0 C′_1 C′_2, changes it to C′_0 C′_1 C_2 and sends the changed message to A, pretending to be B. Show that A will accept the message as the reply to her first message in the new run and that C will know the session key of the new run and thus can continue the session with A, pretending to be B.
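As an added example (not part of the problem set), the CBC equations of problem 9 implemented in Python. Since the structure of CBC does not depend on the cipher, the block cipher E_K is a constructed 4-round Feistel toy built from SHA-256 (not AES and not a secure cipher) so that the example runs with the standard library only; the function names and the sample key, IV and blocks are assumptions of this example.

```python
# Added worked example for problem 9 (not from the problem set itself).
# The block cipher below is a constructed 4-round Feistel toy so that the
# example runs with the standard library only; it is NOT AES and NOT secure.
# Only the CBC layer on top of it is the point of the example.
import hashlib

BLOCK = 16   # 128-bit blocks, as in the exercise


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    """Keyed round function: 64-bit output derived with SHA-256."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def toy_block_encrypt(key, block):
    """Stand-in for E_K: 4-round Feistel network on a 16-byte block."""
    L, R = block[:8], block[8:]
    for rnd in range(4):
        L, R = R, xor(L, _round(key, R, rnd))
    return R + L          # final swap, so decryption has the same structure


def toy_block_decrypt(key, block):
    """Stand-in for D_K: undo the rounds in reverse order."""
    R, L = block[:8], block[8:]
    for rnd in reversed(range(4)):
        L, R = xor(R, _round(key, L, rnd)), L
    return L + R


def cbc_encrypt(key, iv, blocks):
    """C_0 = IV, C_i = E_K(M_i xor C_{i-1}) for i = 1 ... n.
    Returns the list [C_0, C_1, ..., C_n]."""
    if len(iv) != BLOCK or any(len(m) != BLOCK for m in blocks):
        raise ValueError("IV and message blocks must be exactly 16 bytes")
    C = [iv]
    for M_i in blocks:
        C.append(toy_block_encrypt(key, xor(M_i, C[-1])))
    return C


def decrypt_block(key, c_prev, c_i):
    """Inverting one CBC step: M_i = D_K(C_i) xor C_{i-1}.
    M_i depends on C_{i-1} and C_i only, on no other block of the message."""
    return xor(toy_block_decrypt(key, c_i), c_prev)


def cbc_decrypt(key, C):
    """Recover [M_1, ..., M_n] from [C_0, ..., C_n]."""
    return [decrypt_block(key, C[i - 1], C[i]) for i in range(1, len(C))]


if __name__ == "__main__":
    key = b"constructed-key!"                         # 16 constructed key bytes
    iv = bytes(range(16))                             # constructed IV
    msg = [b"nonce-N_A-block!", b"session-key-K!!!"]  # constructed plaintext blocks
    C = cbc_encrypt(key, iv, msg)
    assert cbc_decrypt(key, C) == msg
    print("blocks:", [c.hex() for c in C])
```

Because M_i = D_K(C_i) ⊕ C_{i−1} involves only two adjacent ciphertext blocks, CBC decryption on its own gives the receiver no evidence that all blocks of a message were produced together; a protocol message such as {N_A, K}_KAB therefore needs a MAC or an authenticated mode (for example AES-GCM) whenever its integrity matters, which is what the scenario in problem 9 turns on.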
10. We consider the following protocol intended to allow Alice to authenticate herself to Bob with the help of a trusted third party T. Alice and Bob do not know each other, but each of them shares a symmetric key, K_AT and K_BT respectively, with T.

   1. A → B : A.
   2. B → A : N_B.
   3. A → B : {N_B}_KAT.
   4. B → T : {A, {N_B}_KAT}_KBT.
   5. T → B : {A, N_B}_KBT.

   After receiving message 5, Bob decrypts it and checks that the encrypted message contains Alice’s name and the nonce he created and sent in message 2. If so, he accepts the run and Alice is authenticated.

   Now consider the following attack, where the adversary C will manage to get himself authenticated as Alice.

   1. C(A) → B : A.
   2. B → C(A) : N_B.
   3. C(A) → B : N_B.

   Note that in message 3, C deviates from the protocol. Your task is to show how the protocol run is completed by B and C; in fact, C will also intercept message 4 (masquerading as T) and himself send message 5 to B. Finally, you must explain B’s reasoning in accepting the run.

11. We consider protocols where Peggy proves her identity to Victor by giving evidence that she knows a secret x. We have seen the Fiat-Shamir protocol, which is based on the infeasibility of computing square roots modulo composite numbers, and the Schnorr protocol, based on the difficulty of the discrete log problem. Not surprisingly, one can also base such protocols on the difficulty of the RSA problem. We will now look at one such protocol, proposed by Guillou and Quisquater.

   The system involves a trusted third party T. Initially, T chooses primes p and q as in RSA and computes N = p · q and an RSA key pair (e, d). N and e are made public and can be used by a whole community of Peggies and Victors. T keeps the private key d for himself. All computations below are in Z*_N.

   Whenever (a new) Peggy wants to use the system, she chooses a public key X ∈ Z*_N (which could be based on her name, email address etc., using some public way of transforming this to a number in Z*_N). She sends X to T, who computes Peggy’s secret key x = X^{−d} and sends it to her in some secure way. Peggy then announces her public key X.

   When Peggy wants to identify herself to Victor, the following protocol is used:

   1. Commitment: Peggy chooses a random r ∈ Z*_N, computes R = r^e and sends R to Victor.
   2. Challenge: Victor chooses a random c with 1 ≤ c ≤ e and sends c to Peggy.
   3. Response: Peggy computes y = r · x^c and sends y to Victor.

   Victor now checks that y ≠ 0 and R = y^e · X^c; if this holds he believes that the other party is Peggy.

   (a) Show that a true Peggy, following the protocol, will be identified correctly by Victor. (4 p)
   (b) Why does Victor check that y ≠ 0? (1 p)
   (c) Show that a false Peggy, who does not know x, but correctly guesses c before she makes her commitment, can arrange to be identified by Victor as Peggy. (2 p)

   Remark: Thus, the security level of the system can be decided by choosing e suitably. A false Peggy who guesses c has probability 1/e of success.
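As an added example (not part of the problem set), the Guillou-Quisquater protocol of problem 11 in Python: T's key setup, derivation of Peggy's secret x = X^{−d}, and one honest commitment/challenge/response round with Victor's check. The modulus (p = 499, q = 547), the exponent e = 17, Peggy's public key X = 12345 and all function names are constructed for this example; real deployments use RSA moduli of 2048 bits or more.

```python
# Added worked example for problem 11 (not from the problem set itself).
# Constructed toy parameters for the trusted third party T; real RSA moduli
# are 2048 bits or longer, so these values are for illustration only.
import secrets
from math import gcd

P, Q = 499, 547
N = P * Q                  # public modulus
PHI = (P - 1) * (Q - 1)    # known only to T
E = 17                     # public exponent; challenges lie in 1 <= c <= E
D = pow(E, -1, PHI)        # T's private exponent


def issue_secret(X, d=D, N=N):
    """T computes Peggy's secret key x = X^(-d) mod N from her public key X."""
    if gcd(X, N) != 1:
        raise ValueError("X must lie in Z_N^*")
    return pow(pow(X, d, N), -1, N)


def commitment(N=N, e=E):
    """Step 1 (Peggy): random r in Z_N^*, send R = r^e. Returns (r, R)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r, pow(r, e, N)


def challenge(e=E):
    """Step 2 (Victor): random c with 1 <= c <= e."""
    return secrets.randbelow(e) + 1


def response(r, x, c, N=N):
    """Step 3 (Peggy): y = r * x^c mod N."""
    return r * pow(x, c, N) % N


def verify(R, c, y, X, N=N, e=E):
    """Victor's check: y != 0 and R = y^e * X^c (mod N).
    For an honest Peggy, y^e = r^e * x^(ce) = R * X^(-c), so the check holds."""
    return y != 0 and R == pow(y, e, N) * pow(X, c, N) % N


def honest_run(X, x):
    """One complete run of the protocol between an honest Peggy and Victor."""
    r, R = commitment()
    c = challenge()
    y = response(r, x, c)
    return verify(R, c, y, X)


if __name__ == "__main__":
    X = 12345                      # constructed public key for Peggy
    x = issue_secret(X)
    print("honest run accepted:", honest_run(X, x))
```

The identity behind `verify` is x^e = X^{−de} = X^{−1}, which is why the exponent d never leaves T: anyone holding d could mint the secret for any public key X. As the remark states, e bounds the challenge space, so a single round is convincing only to probability 1/e; a deployment picks e (or repeats rounds) to reach the error rate it needs.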
12. We consider yet another published, flawed protocol for authentication and session key agreement, the Neuman-Stubblebine protocol. It employs a trusted third party and runs as follows:

   1. A → B : A, N_A
   2. B → T : B, {A, N_A, T_B}_KBT, N_B
   3. T → A : {B, N_A, K_AB, T_B}_KAT, {A, K_AB, T_B}_KBT, N_B
   4. A → B : {A, K_AB, T_B}_KBT, {N_B}_KAB

   The protocol employs both timestamps and nonces. Some remarks:

   • Alice initiates the run in message 1, sending her name and a nonce N_A to Bob.
   • Bob contacts the trusted third party Trent, forwarding Alice’s information and adding a nonce N_B of his own and a timestamp T_B. Part of the message is encrypted with the key K_BT shared by Bob and Trent.
   • Trent generates a session key K_AB to be used by Alice and Bob and sends to Alice a message with two encrypted parts, one for Alice and one for Bob, and Bob’s nonce in the clear. The part encrypted for Bob, {A, K_AB, T_B}_KBT, is called the ticket.
   • Alice checks her nonce and forwards the ticket to Bob, together with Bob’s nonce encrypted with the session key. This last piece convinces Bob both that the message is fresh and that the sender is Alice.

   However, the system is flawed. Assume that keys and nonces have the same sizes in bits. Show how an adversary, eavesdropping on messages 1 and 2 of the initial protocol, may intercept and himself send a valid message 4 to Bob, claiming to be Alice, and thus complete the initial protocol and communicate with Bob using encryption with a session key that Bob believes he shares with Alice. (6 p)

   Remark: The reason for using both nonces and timestamps was that, after running the above initial protocol, Alice should be able to open many new sessions with Bob using the same session key, without communicating with Trent, until the ticket expires. Such repeated authentication uses a separate three-message protocol:

   1. A → B : {A, K_AB, T_B}_KBT, N′_A
   2. B → A : {N′_A}_KAB, N′_B
   3. A → B : {N′_B}_KAB