Problems for week 5-6, Cryptography

More documents

Recommendations

Info

A wants to send message m to B and therefore sends B a message containing the names of the two parties and the message encrypted for B. B acknowledges the message by first decrypting the last part to recover m and then sending back a similarly structured message to A, but with the roles of the two parties interchanged. A can now decrypt the last part, check that she gets m and conclude that B has indeed received m. (a) This protocol is not secure against adversaries within the organization. More precisely, consider an adversary who himself has a key pair and can send messages and get them acknowledged. Show that if he, by eavesdropping, gets access to the two messages sent in a protocol run between A and B, he can go on to recover m. (b) Both messages in the protocol have the structure S, R, E eR (m), where S denotes Sender and R denotes Receiver of the message. It is proposed to modify the message structure to S, R, E eR (m||X) for some suitable X. For each of the following three proposals for X, explain why or why not it prevents the attack from (a). i. X = S. ii. X = R. iii. X = message number within the run, i.e. X = 1 for the first message and X = 2 for the second. 7. We consider here the Blum-Goldwasser public-key stream cipher. A simplified version of this scheme goes as follows. Alice chooses p, q to be primes both congruent to 3 modulo 4 and N = p · q. N is her public key; p and q are private. To encrypt message m of length n bits for Alice, Bob first generates a bitstream as follows. He chooses a random seed s and computes x 0 = s x n+1 = x 2 n mod N. The bitstream is b 2 b 3 . . . b n+1 where b k is the least significant bit of x k . Then Bob encrypts m by bitwise xor c = m ⊕ b 2 b 2 . . . b n+1 . Note that the least significant bit of the two first x i are not used. Finally, he sends to Alice the pair (x n , c). The first component differs from the secret-key stream ciphers as discussed in lecture 11; the point is that s is not a shared secret between Alice and Bob. Instead, Alice (and only Alice) can use x n to recover x 2 , which is what she needs to recreate the bitstream. Let us show this: (a) Assume Alice receives (x, c). As a first step, she computes d such that d · 2 n mod Φ(N) = 4, where n is the length of c. Show that she can do this. (Note also that if message lengths are known she can precompute d and store it as part of her private key.) (b) Show that x d = x 2 . (c) How does Alice decrypt the message? (d) Why cannot the Adversary decrypt the message? 8. (Requires material from lecture 12). The bitstream generator in the previous exercise is called the Blum-Blum-Shub generator and is very well-known. It has been proved to be cryptographically secure. What is its advantage over the RSA bitstream generator? 2
9. We recall the CBC mode of encryption of a message M = M 1 M 2 M 3 . . . M n , where M i is block number i of M. Then the encrypted message is C 0 C 1 C 2 . . . C n , where C 0 = IV C i = E K (M i ⊕ C i−1 ), i = 1, 2, . . . n. Now we consider the following beginning of a protocol: 1. A −→ B : N A 2. B −→ A : {N A , K} KAB . We do not need to know more about the protocol (which may contain further messages) than the following: • A and B share a long-term AES key K AB ; the notation {. . .} KAB encryption of . . . using AES in CBC mode (block size 128 bits). denotes • N A is a 128 bit nonce chosen by A and K is a 128 bit session key chosen by B. In the second message, B includes N A to ensure freshness and K as a session key for the session just started. When A receives the second message, she thus concludes that B is alive at the other end and has just chosen a fresh session key K. Now consider the following scenario: The adversary C eavesdrops on a run of this protocol between A and B and stores messages sent. Because of an unspecified mistake by A or B (outside the protocol), C gets hold of K and can of course read all subsequent messages in the session. But, the situation is worse than that, as we shall see. Let message 2 in the run described above be C 0 C 1 C 2 (three blocks; the IV and two encrypted blocks). The next day, A and B initiate a new session. C again eavesdrops and now intercepts the second message C ′ 0 C′ 1 C′ 2 , changes it to C′ 0 C′ 1 C 2 and sends the changed message to A, pretending to be B. Show that A will accept the message as the reply to her first message in the new run and that C will know the session key of the new run and thus can continue the session with A, pretending to be B. 10. We consider the following protocol intended to allow Alice to authenticate herself to Bob with the help of a trusted third party T . Alice and Bob do not know each other, but each of them shares a symmetric key, K AT and K BT , respectively, with T . 1. A −→ B : A. 2. B −→ A : N B . 3. A −→ B : {N B } KAT . 4. B −→ T : {A, {N B } KAT } KBT . 5. T −→ B : {A, N B } KBT . After receiving message 5, Bob decrypts it and checks that the encrypted message contains Alice’s name and the nonce he created and sent in message 2. If so, he accepts the run and Alice is authenticated. Now consider the following attack, where the adversary C will manage to get himself authenticated as Alice. 1. C(A) −→ B : A. 2. B −→ C(A) : N B . 3. C(A) −→ B : N B . 3
Page 1: Problems for week 5-6, Cryptography
Page 5: • Bob contacts the trusted third

Problems for week 5-6, Cryptography

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?