Problems for week 5-6, Cryptography

Problems for week 5-6, Cryptography
1. Verify that the method described in lecture 11 for verifying RSA-PSS signatures is
correct.
2. Peggy and Victor use the Schnorr identification protocol. Peggy happens to use the
same r in two different executions of the protocol. Can Victor learn anything about
x?
3. Alice and Bob have invented the following protocol for sending a message securely
from A to B. The protocol is based on the ideas of the one-time pad, but without a
common, shared secret. Instead, for each message, both A and B invent a random
nonce and execute the following protocol to send message M from A to B
1. A → B : M 1 = M ⊕ N A
2. B → A : M 2 = M 1 ⊕ N B
3. A → B : M 2 ⊕ N A
Here, we extend our protocol notation to give names to an entire message M 1 = . . ..
Only the message in the right hand side is sent, but the left hand side can be used
to refer to the message content in subsequent messages.
(a) Show that B can recover M.
(b) Is the system secure?
4. Alice and Bob have a shared secret k and have decided to use it in the following
protocol, which enables Alice to identify Bob as the party at the other end.
1. Alice picks a random bit string r and sends it as challenge to Bob.
2. Bob responds with r ⊕ k.
Alice’s and Bob’s analysis of the protocol is this: The protocol does indeed provide
identification, since Alice can check that the sender of message 2 knows k. It is also
secure, since only random numbers are ever sent on the communication channel.
(a) How does Alice check that the sender of message 2 knows k?
(b) Do you agree with Alice and Bob about the security of their protocol? Motivate
your answer!
5. Your organisation is using the Fiat-Shamir identification protocol (see slides for
lecture 9). Victor shows you what he claims is a transcript of a protocol run where
Peggy has proved her knowledge of x. However, you do not trust Victor; why will
the transcript not convince you?
6. An organization uses a public key encryption scheme E where each user has a key
pair (e, d). Here e is the public encryption key and d is the private decryption key.
Further, the organization has devised the following protocol, where each receiver
acknowledges receipt of a message:
1. A → B : A, B, E eB (m).
2. B → A : B, A, E eA (m).
1

A wants to send message m to B and therefore sends B a message containing the
names of the two parties and the message encrypted for B. B acknowledges the
message by first decrypting the last part to recover m and then sending back a
similarly structured message to A, but with the roles of the two parties interchanged.
A can now decrypt the last part, check that she gets m and conclude that B has
indeed received m.
(a) This protocol is not secure against adversaries within the organization. More
precisely, consider an adversary who himself has a key pair and can send messages
and get them acknowledged. Show that if he, by eavesdropping, gets
access to the two messages sent in a protocol run between A and B, he can go
on to recover m.
(b) Both messages in the protocol have the structure S, R, E eR (m), where S denotes
Sender and R denotes Receiver of the message. It is proposed to modify the
message structure to S, R, E eR (m||X) for some suitable X. For each of the
following three proposals for X, explain why or why not it prevents the attack
from (a).
i. X = S.
ii. X = R.
iii. X = message number within the run, i.e. X = 1 for the first message and
X = 2 for the second.
7. We consider here the Blum-Goldwasser public-key stream cipher. A simplified version
of this scheme goes as follows.
Alice chooses p, q to be primes both congruent to 3 modulo 4 and N = p · q. N is
her public key; p and q are private.
To encrypt message m of length n bits for Alice, Bob first generates a bitstream as
follows. He chooses a random seed s and computes
x 0 = s
x n+1 = x 2 n mod N.
The bitstream is b 2 b 3 . . . b n+1 where b k is the least significant bit of x k . Then Bob
encrypts m by bitwise xor c = m ⊕ b 2 b 2 . . . b n+1 . Note that the least significant bit
of the two first x i are not used. Finally, he sends to Alice the pair (x n , c). The first
component differs from the secret-key stream ciphers as discussed in lecture 11; the
point is that s is not a shared secret between Alice and Bob. Instead, Alice (and only
Alice) can use x n to recover x 2 , which is what she needs to recreate the bitstream.
Let us show this:
(a) Assume Alice receives (x, c). As a first step, she computes d such that d ·
2 n mod Φ(N) = 4, where n is the length of c. Show that she can do this. (Note
also that if message lengths are known she can precompute d and store it as
part of her private key.)
(b) Show that x d = x 2 .
(c) How does Alice decrypt the message?
(d) Why cannot the Adversary decrypt the message?
8. (Requires material from lecture 12). The bitstream generator in the previous exercise
is called the Blum-Blum-Shub generator and is very well-known. It has been
proved to be cryptographically secure. What is its advantage over the RSA bitstream
generator?
2

9. We recall the CBC mode of encryption of a message M = M 1 M 2 M 3 . . . M n , where
M i is block number i of M. Then the encrypted message is C 0 C 1 C 2 . . . C n , where
C 0 = IV
C i = E K (M i ⊕ C i−1 ), i = 1, 2, . . . n.
Now we consider the following beginning of a protocol:
1. A −→ B : N A
2. B −→ A : {N A , K} KAB .
We do not need to know more about the protocol (which may contain further messages)
than the following:
• A and B share a long-term AES key K AB ; the notation {. . .} KAB
encryption of . . . using AES in CBC mode (block size 128 bits).
denotes
• N A is a 128 bit nonce chosen by A and K is a 128 bit session key chosen by B.
In the second message, B includes N A to ensure freshness and K as a session key for
the session just started. When A receives the second message, she thus concludes
that B is alive at the other end and has just chosen a fresh session key K.
Now consider the following scenario: The adversary C eavesdrops on a run of this
protocol between A and B and stores messages sent. Because of an unspecified
mistake by A or B (outside the protocol), C gets hold of K and can of course read
all subsequent messages in the session. But, the situation is worse than that, as we
shall see.
Let message 2 in the run described above be C 0 C 1 C 2 (three blocks; the IV and two
encrypted blocks).
The next day, A and B initiate a new session. C again eavesdrops and now intercepts
the second message C ′ 0 C′ 1 C′ 2 , changes it to C′ 0 C′ 1 C 2 and sends the changed message
to A, pretending to be B. Show that A will accept the message as the reply to her
first message in the new run and that C will know the session key of the new run
and thus can continue the session with A, pretending to be B.
10. We consider the following protocol intended to allow Alice to authenticate herself
to Bob with the help of a trusted third party T . Alice and Bob do not know each
other, but each of them shares a symmetric key, K AT and K BT , respectively, with
T .
1. A −→ B : A.
2. B −→ A : N B .
3. A −→ B : {N B } KAT .
4. B −→ T : {A, {N B } KAT } KBT .
5. T −→ B : {A, N B } KBT .
After receiving message 5, Bob decrypts it and checks that the encrypted message
contains Alice’s name and the nonce he created and sent in message 2. If so, he
accepts the run and Alice is authenticated.
Now consider the following attack, where the adversary C will manage to get himself
authenticated as Alice.
1. C(A) −→ B : A.
2. B −→ C(A) : N B .
3. C(A) −→ B : N B .
3

Note that in message 3, C deviates from the protocol. Your task is to show how
the protocol run is completed by B and C – in fact, C will intercept also message
4 (masquerading as T ) and himself send message 5 to B. Finally, you must explain
B:s reasoning in accepting the run.
11. We consider protocols where Peggy proves her identity to Victor by giving evidence
that she knows a secret x. We have seen the Fiat-Shamir protocol, which is based on
the infeasibility of computing square-roots of composite numbers, and the Schnorr
protocol, based on the difficulty of the discrete log problem. Not surprisingly, one
can also base such protocols on the difficulty of the RSA problem. We will now look
at one such protocol, proposed by Guillou and Quisquater.
The system involves a trusted third party T. Initially, T chooses primes p and q as
in RSA and computes N = p · q and a RSA key pair (e, d). N and e are made public
and can be used by a whole community of Peggies and Victors. T keeps the private
key d for himself. All computations below are in Z ∗ N .
Whenever (a new) Peggy wants to use the system, she chooses a public key X ∈ Z ∗ N
(which could be based on her name, email address etc, using some public way of
transforming this to a number in Z ∗ N
). She sends X to T, who computes Peggy’s
secret key x = X −d and sends it to her in some secure way. Peggy then announces
her public key X.
When Peggy wants to identify herself to Victor, the following protocol is used:
1. Commitment: Peggy chooses a random r ∈ Z ∗ N , computes R = re and sends R
to Victor.
2. Challenge: Victor chooses a random c with 1 ≤ c ≤ e and sends c to Peggy.
3. Response: Peggy computes y = r · x c and sends y to Victor.
Victor now checks that y ≠ 0 and R = y e ·X c ; if this holds he believes that the other
party is Peggy.
(a) Show that a true Peggy, following the protocol, will be identified correctly by
Victor. (4 p)
(b) Why does Victor check that y ≠ 0? (1 p)
(c) Show that a false Peggy, who does not know x, but correctly guesses c before
she makes her commitment, can arrange to be identified by Victor as Peggy. (2
p)
Remark: Thus, the security level of the system can be decided by choosing e
suitably. A false Peggy who guesses c has probability 1/e of success.
12. We consider yet another published, flawed protocol for authentication and session
key agreement, the Neuman-Stubblebine protocol. It employs a trusted third party
and runs as follows:
1. A → B : A, N A
2. B → T : B, {A, N A , T B } KBT , N B
3. T → A : {B, N A , K AB , T B } KAT , {A, K AB , T B } KBT , N B
4. A → B : {A, K AB , T B } KBT , {N B } KAB
The protocol employs both timestamps and nonces. Some remarks:
• Alice initiates the run in message 1, sending her name and a nonce N A to Bob.
4

• Bob contacts the trusted third party Trent, forwarding Alice’s information and
adding a nonce N B of his own and a timestamp T B . Part of the message is
encrypted with the key K BT shared by Bob and Trent.
• Trent generates a session key K AB to be used by Alice and Bob and sends to
Alice a message with two encrypted parts, one for Alice and one for Bob, and
Bob’s nonce in the clear. The part encrypted for Bob, {A, K AB , T B } KBT , is
called the ticket.
• Alice checks her nonce and forwards the ticket to Bob, together with Bob’s
nonce encrypted with the session key. This last piece convinces Bob both that
the message is fresh and that the sender is Alice.
However, the system is flawed. Assume that keys and nonces have the same sizes
in bits. Show how an adversary, eavesdropping on messages 1 and 2 of the initial
protocol, may intercept and himself send a valid message 4 to Bob, claiming to
be Alice, and thus complete the initial protocol and communicate with Bob using
encryption with a session key that Bob believes he shares with Alice. (6 p)
Remark: The reason for using both nonces and timestamps was that, after running
the above initial protocol, Alice should be able to open many new sessions with
Bob using the same session key, without communicating with Trent, until the ticket
expires. Such repeated authentication uses a separate three-message protocol:
1. A → B : {A, K AB , T B } KBT , N
A
′
2. B → A : {N
A ′ } K AB
, N
B
′
3. A → B : {N
B ′ } K AB
5