Week 2
Cryptography
1
Cryptography
Concepts
2
Cryptography
Latin: Cryptography = Crypt (secret) + Graphia (writing)
• Concerned with developing algorithms:
- Conceal the context of some message from all
except the sender and recipient (privacy or secrecy),
and/or
[Figure: a readable message (song lyrics beginning "Every night in my dream I see you") shown next to a concealed version with its words rearranged ("in night Every dream I you see my")]
3
Cryptography
• Concerned with developing algorithms:
- Verify the correctness of a message to the recipient
(authentication)
- Form the basis of many technological solutions to computer
and communications security problems
cryptography - study of encryption principles/methods
4
Goals & Setting
• To ensure security of communication across
an insecure channel.
• The ideal channel:
Dedicated, untappable, impenetrable
Pipe/tube
Sender
Receiver
5
Secure Channel
[Slides 6-15: animation frames labelled "ISP/Office", "Authenticated", "Connected" and "Connection Established"]
15
Goal & Setting
Adversary (Attacker)
The source of all
possible threats
Sender
Receiver
Not all aspects of an ideal
channel can be emulated
16
Basic Terminology
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
17
Simple Process
Sender: Plaintext → Encryption → ciphertext → Decryption → Plaintext: Receiver
Plaintext (at both sender and receiver):
The secret message is: You can get A-/A+ in SKR5200; (however depend on you)
ciphertext:
hjfjghkf@#@#$%^&jklll 098GHJFD!@#$#$#$%
18
Categories of cryptography
19
Comparison between two categories of cryptography
20
Encryption Method
Cryptography
Symmetric Encryption
•conventional / private-key / single-key
•sender and recipient share a common key
•all classical encryption algorithms are
private-key
Asymmetric Encryption
•uses two keys – a public & a private key
•asymmetric since parties are not equal
•uses clever application of number
theoretic concepts to function
•complements rather than replaces
private key crypto
21
Symmetric Encryption
22
Symmetric Encryption Technique
Symmetric Encryption
Classical
Stream cipher
Modern
Block cipher
23
Symmetric Encryption
• conventional / private-key / single-key
• sender and recipient share a common key
• 2 Techniques: Classical & Modern
Classical Techniques:
• Substitution:
- Caesar Cipher
- Monoalphabetic Cipher
- Playfair Cipher
- Hill Cipher
- Polyalphabetic Cipher
- One-Time Pad
• Transposition
• Rotor Machines
• Steganography
Modern Techniques:
•DES, 3DES, AES
24
Basic of Symmetric
Cryptography
Classical Substitution
Cipher
Classical Transpositions
Cipher
Summary
25
Symmetric Encryption
or conventional / private-key / single-key
sender and recipient share a common key
all classical encryption algorithms are private-key
was only type prior to invention of public-key in 1970’s
26
Basic Terminology
plaintext - the original message
ciphertext - the coded message
cipher - algorithm for transforming plaintext to ciphertext
key - info used in cipher known only to sender/receiver
encipher (encrypt) - converting plaintext to ciphertext
decipher (decrypt) - recovering plaintext from ciphertext
cryptography - study of encryption principles/methods
cryptanalysis (codebreaking) - the study of principles/ methods of
deciphering ciphertext without knowing key
cryptology - the field of both cryptography and cryptanalysis
27
Symmetric Cipher Model
28
Requirements
two requirements for secure use of symmetric encryption:
- a strong encryption algorithm
- a secret key known only to sender / receiver
have:
plaintext X
ciphertext Y
key K
encryption algorithm E_K
decryption algorithm D_K
Ciphertext: Y = E_K(X)
Plaintext: X = D_K(Y)
assume encryption algorithm is known
implies a secure channel to distribute key
29
Cryptography
can characterize by:
type of encryption operations used
substitution / transposition / product
number of keys used
single-key or private / two-key or public
way in which plaintext is processed
block / stream
30
Types of Cryptanalytic Attacks
ciphertext only
only know algorithm / ciphertext, statistical, can identify
plaintext
known plaintext
know/suspect plaintext & ciphertext to attack cipher
chosen plaintext
select plaintext and obtain ciphertext to attack cipher
chosen ciphertext
select ciphertext and obtain plaintext to attack cipher
chosen text
select either plaintext or ciphertext to en/decrypt to attack cipher
31
Simple Question
What are the essential ingredients of a symmetric
cipher?
How many keys are required for two people to communicate via a
cipher?
32
Simple Question
What are the essential ingredients of a symmetric cipher?
Plaintext, encryption algorithm, secret key, ciphertext, decryption
algorithm.
How many keys are required for two people to communicate via a
cipher?
One secret key.
33
Classical Substitution Ciphers
where letters of plaintext are replaced by other letters or by
numbers or symbols
or if plaintext is viewed as a sequence of bits, then substitution
involves replacing plaintext bit patterns with ciphertext bit patterns
35
Caesar Cipher
earliest known substitution cipher
by Julius Caesar
first attested use in military affairs
replaces each letter by 3rd letter on
example:
meet me after the toga party
PHHW PH DIWHU WKH WRJD SDUWB
36
Caesar Cipher
can define transformation as:
Plain:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Cipher: D E F G H I J K L M N O P Q R S T U V W X Y Z A B C
mathematically give each letter a number
a b c d e f g h i j k  l  m  n  o  p  q  r  s  t  u  v  w  x  y  z
0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25
then have Caesar cipher as:
C = E(p) = (p + k) mod (26)
p = D(C) = (C – k) mod (26)
37
Example 1
Caesar used a shift of 3
Using this encryption, the message:
• treaty impossible
Would be encoded as :
treaty → WUHDWB
impossible → LPSRVVLEOH
38
Example 2
Caesar used a shift of 5
Using this encryption, the message:
• treaty impossible
Would be encoded as :
treaty
impossible
39
To test your understanding
Caesar wants to arrange a secret meeting with Marc
Anthony, either at the Tiber (the river) or at the Coliseum
(the arena). He sends the ciphertext EVIRE. However,
Anthony does not know the key, so he tries all possibilities.
Where will he meet Caesar?
40
To test your understanding
Caesar wants to arrange a secret meeting with Marc
Anthony, either at the Tiber (the river) or at the Coliseum
(the arena). He sends the ciphertext EVIRE. However,
Anthony does not know the key, so he tries all possibilities.
Where will he meet Caesar?
Among the shifts of EVIRE, there are two words: arena and
river. Therefore, Anthony cannot determine where to meet
Caesar.
41
Cryptanalysis of Caesar Cipher
only have 26 possible ciphers
A maps to A,B,..Z
could simply try each in turn
a brute force search
given ciphertext, just try all shifts of letters
do need to recognize when have plaintext
eg. break ciphertext "GCUA VQ DTGCM"
42
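The Caesar formulas and the brute-force search from the slides, as an added example that is not part of the original deck. The small word list standing in for "recognising plaintext" is constructed for this illustration.

```python
import string

ALPHABET = string.ascii_lowercase


def _shift(text, k):
    """Shift every letter by k positions (mod 26); leave other characters alone."""
    out = []
    for ch in text.lower():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_encrypt(plaintext, k):
    """C = E(p) = (p + k) mod 26. Ciphertext is upper case, as on the slides."""
    return _shift(plaintext, k).upper()


def caesar_decrypt(ciphertext, k):
    """p = D(C) = (C - k) mod 26."""
    return _shift(ciphertext, -k)


# Constructed word list: the attacker's way of recognising plaintext.
WORDS = {"arena", "river", "easy", "to", "break",
         "meet", "me", "after", "the", "toga", "party"}


def brute_force(ciphertext, words=WORDS):
    """Try all 26 keys; keep the candidates in which every word is recognised."""
    hits = []
    for k in range(26):
        candidate = caesar_decrypt(ciphertext, k)
        if all(word in words for word in candidate.split()):
            hits.append((k, candidate))
    return hits


if __name__ == "__main__":
    print(caesar_encrypt("meet me after the toga party", 3))
    # One recognisable candidate: the key is recovered.
    print(brute_force("GCUA VQ DTGCM"))
    # Two recognisable candidates: brute force alone cannot decide.
    print(brute_force("EVIRE"))
```

A short ciphertext such as EVIRE can decrypt to more than one meaningful word, so the search returns every plausible key rather than stopping at the first.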
Summary of Substitutions
Substitutions are effective cryptographic devices. In fact, they were
the basis of many cryptographic algorithms used for diplomatic
communication through the first half of the century.
But substitution is not the only kind of encryption technique. The
goal of substitution is confusion; the encryption method is an
attempt to make it difficult for a cryptanalyst or intruder to determine
how a message and key were transformed into ciphertext.
43
Transpositions (permutations)
A transposition is an encryption in which the letters of the message
are rearranged. With transposition, the
cryptography aims for diffusion, widely spreading the information
from the message or key across the ciphertext. Transpositions try
to break established patterns. Because a transposition is a rearrangement
of the symbols of a message, it is also known as a permutation.
45
Transposition Ciphers
now consider classical transposition or permutation ciphers
these hide the message by rearranging the letter order
without altering the actual letters used
can recognise these since have the same frequency distribution as
the original text
46
Rail Fence cipher
write message letters out diagonally over a number of rows
then read off cipher row by row
eg. write the message “meet me after the toga party” out as:
m e m a t r h t g p r y
 e t e f e t e o a a t
giving ciphertext
MEMATRHTGPRYETEFETEOAAT
47
Row Transposition Ciphers
a more complex scheme is to write the message in a rectangle, row by row, and read the message off, column by
column, but permute the order of the columns. The order of the columns then becomes the key of the algorithm.
write letters of message out in rows over a specified number of columns
then reorder the columns according to some key before reading off the rows
Key:        4 3 1 2 5 6 7
Plaintext:  a t t a c k p
            o s t p o n e
            d u n t i l t
            w o a m x y z
Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ
48
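The rail fence and row transposition ciphers above, with their inverses, as an added example that is not part of the original deck. It generalises the rail fence to any number of rows. The plaintext sentence and the "xyz" padding are read off the grid on the slide, and the helper names are chosen for this illustration.

```python
from collections import Counter


def _rail_pattern(n, rails):
    """Row index of each of n letters when written diagonally (zigzag)."""
    if rails < 2:
        return [0] * n
    cycle = list(range(rails)) + list(range(rails - 2, 0, -1))
    return [cycle[i % len(cycle)] for i in range(n)]


def _letters(text):
    return [c for c in text.lower() if c.isalpha()]


def rail_fence_encrypt(message, rails=2):
    """Write letters diagonally over `rails` rows, then read off row by row."""
    letters = _letters(message)
    pattern = _rail_pattern(len(letters), rails)
    return "".join(c for r in range(rails)
                   for c, p in zip(letters, pattern) if p == r).upper()


def rail_fence_decrypt(ciphertext, rails=2):
    pattern = _rail_pattern(len(ciphertext), rails)
    # Stable sort by row gives the plaintext positions in read-off order.
    order = sorted(range(len(ciphertext)), key=lambda i: pattern[i])
    plain = [""] * len(ciphertext)
    for c, i in zip(ciphertext.lower(), order):
        plain[i] = c
    return "".join(plain)


def row_transposition_encrypt(message, key, pad="xyz"):
    """key[i] is the read-off rank of column i, e.g. (4, 3, 1, 2, 5, 6, 7)."""
    cols = len(key)
    letters = _letters(message)
    i = 0
    while len(letters) % cols:          # fill the last row with padding
        letters.append(pad[i % len(pad)])
        i += 1
    rows = [letters[r:r + cols] for r in range(0, len(letters), cols)]
    read_order = sorted(range(cols), key=lambda c: key[c])
    return "".join(row[c] for c in read_order for row in rows).upper()


def row_transposition_decrypt(ciphertext, key):
    cols = len(key)
    nrows = len(ciphertext) // cols
    read_order = sorted(range(cols), key=lambda c: key[c])
    grid = [[""] * cols for _ in range(nrows)]
    stream = iter(ciphertext.lower())
    for c in read_order:                # refill the columns in key order
        for r in range(nrows):
            grid[r][c] = next(stream)
    return "".join("".join(row) for row in grid)


def letter_counts(text):
    """Frequency distribution; a transposition leaves it unchanged."""
    return Counter(_letters(text))


if __name__ == "__main__":
    print(rail_fence_encrypt("meet me after the toga party"))
    print(row_transposition_encrypt("attack postponed until two am",
                                    (4, 3, 1, 2, 5, 6, 7)))
```

Comparing `letter_counts` of plaintext and ciphertext shows why these ciphers are recognisable: the frequency distribution is identical.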
Product Ciphers
ciphers using substitutions or transpositions are not secure because
of language characteristics
hence consider using several ciphers in succession to make harder,
but:
two substitutions make a more complex substitution
two transpositions make more complex transposition
but a substitution followed by a transposition makes a new
much harder cipher
this is bridge from classical to modern ciphers
49
Summary
Stream cipher: the ciphers presented so far are stream ciphers; that is, they convert one symbol of plaintext
immediately into a symbol of ciphertext. (The exception is the
columnar transposition cipher). The transformation depends only
on the symbol, the key, and the control information of the
encipherment algorithm. A model of stream enciphering is shown:
[Figure: model of stream enciphering. Plaintext "ISSOPMI" and an optional key enter the Encryption box, which outputs ciphertext "wdhuw"]
51
Summary
Some kinds of errors, such as skipping a character in the key during encryption,
affect the encryption of all future characters. However, such errors can
sometimes be recognized during encryption because the plaintext will be
properly recovered up to a point, and then all following characters will be wrong.
[Figure: the message "Errors can sometimes be recognized" shown as plaintext, as ciphertext, as an incorrectly recovered message, and as the message recovered after the receiver recalibrates]
If that is the case, the receiver may be able to recover from the error by dropping
a character of the key on the receiving end. Once the receiver has successfully
recalibrated the key with the ciphertext, there will be no further effects from
this error.
To address this problem and make it harder for a cryptanalyst to break the
code, the block cipher has been introduced.
52
Summary – easy to break
The Caesar Cipher allows simple straightforward encoding and decoding.
Therefore, it allows unauthorized message recipients to crack such encoded
messages easily. If an eavesdropper manages to obtain the encoded message,
he only has to test the 26 possible shifts in order to find the original message.
This message-cracking attack is called “brute force” and is best performed with
the aid of computers. In our example, however, the pen and pencil approach is
sufficient.
53
Summary – easy to break
eulqj
fvmrk
gwnsl
hxotm
iypun
jzqvo
karwp
lbsxq
mctyr
nduzs
oevat
pfwbu
ogxcv
rhydw
sizex
tjafy
ukbgz
vlcha
wmdib
xnejc
yofkd
zpgle
aqhmf
arena
csjoh
dtkpi
54
Classical Techniques
Substitution Technique
•where letters of plaintext are replaced by other letters or by numbers or symbols
•or if plaintext is viewed as a sequence of bits, then substitution involves replacing
plaintext bit patterns with ciphertext bit patterns.
Transposition Technique
• transposition or permutation ciphers
• these hide the message by rearranging the letter order
• without altering the actual letters used
• can recognise these since have the same frequency distribution as the original text
55
Stream Cipher Structure
• A typical stream cipher encrypts plaintext one byte at a time.
• Use a key as input to a pseudorandom bit generator that
produces a stream of 8-bit numbers that are apparently random.
• Pseudorandom stream is one that is unpredictable without knowledge of the
input key.
[Figure: on each side, the key K feeds a pseudorandom byte generator (key stream generator) that outputs the key stream k. Encryption: plaintext byte stream M is XORed (+) with k to give the ciphertext byte stream C. Decryption: C is XORed (+) with k to give the plaintext byte stream M.]
56
Stream Cipher Structure
• The output of the generator, called a keystream, is combined one byte at a time
with the plaintext stream using the bitwise exclusive-OR (XOR) operation.
    11001100  Plaintext
⊕   01101100  key stream
    10100000  Ciphertext
Decryption requires the use of the same pseudorandom sequence:
    10100000  Ciphertext
⊕   01101100  key stream
    11001100  Plaintext
57
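The stream cipher structure above, together with the key-skipping error and receiver recalibration described on the earlier Summary slide, as an added example that is not part of the original deck. The keystream generator (SHA-256 over key and counter) is a stand-in chosen for this illustration, not a vetted stream cipher, and the key is a constructed value.

```python
import hashlib

DEMO_KEY = b"constructed demo key"  # constructed value for the example


def keystream(key):
    """Toy pseudorandom byte generator: SHA-256(key || counter), byte by byte.

    Assumption for illustration only; the slides leave the generator abstract.
    """
    counter = 0
    while True:
        yield from hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1


def xor_stream(data, ks):
    """Combine data with the keystream one byte at a time using XOR."""
    return bytes(b ^ next(ks) for b in data)


def encrypt(key, plaintext):
    return xor_stream(plaintext, keystream(key))


def decrypt(key, ciphertext):
    # Decryption is the same operation with the same pseudorandom sequence.
    return xor_stream(ciphertext, keystream(key))


def xor_with_skip(key, data, skip_at):
    """XOR with the keystream, but discard one keystream byte at `skip_at`.

    Used by the sender it models the error "skipping a character in the key";
    used by the receiver it models recalibrating the key with the ciphertext.
    """
    ks = keystream(key)
    out = bytearray()
    for i, b in enumerate(data):
        if i == skip_at:
            next(ks)  # this keystream byte is never used
        out.append(b ^ next(ks))
    return bytes(out)


if __name__ == "__main__":
    message = b"Errors can sometimes be recognized"
    faulty = xor_with_skip(DEMO_KEY, message, skip_at=10)  # sender slips
    naive = decrypt(DEMO_KEY, faulty)
    print(naive[:10], "| garbled tail:", naive[10:] != message[10:])
    # Receiver drops one keystream byte at the same point and recovers.
    print(xor_with_skip(DEMO_KEY, faulty, skip_at=10))
```

The receiver sees correct plaintext up to the slip and garbage after it, which is the signal to realign the keystream.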
Symmetric Encryption Technique
Symmetric Encryption
Classical
Modern
Focus
Stream cipher
Block cipher
58
Block Ciphers /
Feistel Cipher
59
Block Ciphers
• A block cipher is one in which a block of plaintext is treated as a
whole and used to produce a ciphertext block of equal length.
• Typically, a block size of 64 or 128 bits is used.
• Block cipher algorithms can operate in many modes:
- Electronic Codebook Mode
- Cipher Block Chaining Mode
- Cipher Feedback Mode
- Output Feedback Mode
- Counter Mode
• provide secrecy and/or authentication services
60
Feistel Cipher Design Principles
block size
increasing size improves security, but slows cipher
key size
increasing size improves security, makes exhaustive key
searching harder, but may slow cipher
number of rounds
increasing number improves security, but slows cipher
subkey generation
greater complexity can make analysis harder, but slows cipher
round function
greater complexity can make analysis harder, but slows cipher
fast software en/decryption & ease of analysis
are more recent concerns for practical use and testing
61
Block Cipher Design
• Divide input bit stream into n-bit sections,
encrypt only that section,
no dependency/history between sections
• In a good block cipher, each output bit
is a function of all n input bits and all k key bits
62
Feistel Cipher Encryption
[Figure: one Feistel round. Labels: Plaintext, Ln, Rn, Kn+1, F, XOR (+), Substitution, Permutation, Ln+1, Rn+1]
Encryption Process:
L_{n+1} = R_n
R_{n+1} = L_n ⊕ F(R_n, K_{n+1})
63
Feistel Cipher Encryption
[Figure: the plaintext halves Ln and Rn pass through Round 1 (K1), Round i (Ki) and Round n (Kn), each applying F and XOR (+) to produce Ln+1 and Rn+1, ending in the ciphertext]
64
Feistel Cipher Decryption
Decryption Process:
L_n = R_{n+1} ⊕ F(L_{n+1}, K_{n+1})
R_n = L_{n+1}
[Figure: one Feistel decryption round, using F and XOR (+) to recover Ln and Rn from Ln+1 and Rn+1]
65
Feistel Cipher Decryption
[Figure: the multi-round structure for decryption, with Round 1 (K1), Round i (Ki) and Round n (Kn), each applying F and XOR (+), drawn between Plaintext and Ciphertext]
66
Feistel Cipher Decryption
[Figure: the encryption and decryption structures side by side, each running Round 1 (K1), Round i (Ki) and Round n (Kn) with F and XOR (+) between Plaintext and Ciphertext]
67
Feistel Cipher Algorithm
Input:
T: 2t bits of clear text
k1, k2, ..., kr: r round keys
f: a block cipher with block size of t
Output:
C: 2t bits of cipher text
Algorithm:
(L0, R0) = T, dividing T in two t-bit parts
(L1, R1) = (R0, L0 ^ f(R0, k1))
(L2, R2) = (R1, L1 ^ f(R1, k2)) ......
C = (Rr, Lr), swapping the two parts
^ is the XOR operation.
68
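The Feistel algorithm above in runnable form, as an added example that is not part of the original deck. The round function (first t bits of SHA-256 over round key and right half) is a stand-in chosen for this illustration, and the round keys and test block are constructed values.

```python
import hashlib


def f(right, round_key, t):
    """Toy round function: first t bits of SHA-256(round_key || right).

    Assumption for illustration; it is not invertible, which shows that a
    Feistel network does not need an invertible round function.
    """
    nbytes = (t + 7) // 8
    digest = hashlib.sha256(round_key + right.to_bytes(nbytes, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - t)


def round_forward(left, right, key, t):
    """One encryption round: (L, R) -> (R, L xor f(R, k))."""
    return right, left ^ f(right, key, t)


def round_inverse(left_next, right_next, key, t):
    """Undo one round: L = R_next xor f(L_next, k), R = L_next."""
    return right_next ^ f(left_next, key, t), left_next


def feistel(block, round_keys, t):
    """Run the network over a 2t-bit block, then swap the two halves."""
    if not 0 < t <= 256:
        raise ValueError("t must be between 1 and 256 bits")
    if not 0 <= block < 1 << (2 * t):
        raise ValueError("block does not fit in 2t bits")
    mask = (1 << t) - 1
    left, right = block >> t, block & mask      # (L0, R0) = T
    for key in round_keys:
        left, right = round_forward(left, right, key, t)
    return (right << t) | left                  # C = (Rr, Lr)


def encrypt(block, round_keys, t=32):
    return feistel(block, round_keys, t)


def decrypt(block, round_keys, t=32):
    # Same structure, round keys applied in reverse order.
    return feistel(block, list(reversed(round_keys)), t)


if __name__ == "__main__":
    keys = [b"k1", b"k2", b"k3", b"k4"]         # constructed round keys
    clear = 0x0123456789ABCDEF                  # constructed 64-bit block
    cipher = encrypt(clear, keys)
    print(hex(cipher), hex(decrypt(cipher, keys)))
```

Because of the final swap, decryption is the encryption routine itself with the key schedule reversed; no inverse of f is ever computed.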
One of Security Implementations
ATM PIN SECURITY
69
ATM Introduction
Automated Teller Machines (ATM) have become ubiquitous and let you withdraw money from
your bank account 24 hrs a day and 7 days a week with your ATM card. The ATM card
consists of two things:
- the Card number and
- the Personal Identification Number or PIN.
Each bank issues a card number that is unique to each customer. If it is a debit card, the card
number will also be unique worldwide.
• The PIN is like a password to verify a customer’s authenticity.
• Cash dispensers in the ATM verify both the card number and the PIN.
70
Working Principle of ATM
• The ATM systems have three main components:
Cash dispenser, ATM Server and PIN machine.
• The Cash dispenser reads the Card number and the PIN entered by a customer and sends
them to a central ATM Server.
• The ATM Server has a database which stores ATM card no. and PIN details.
• The third component, the PIN machine is used to authenticate the customer ‘s ATM PIN.
It is directly connected to the ATM Server and is a tamper proof device that stores a single
secret key.
[Figure: Cash Dispenser, Leased Line, ATM Server, PIN Machine and Customer Account Holding Server (BANK)]
71
Working Principle of ATM
• After the customer enters an ATM counter, he inserts his ATM card into the machine and
types his PIN on a numeric keypad.
• The Cash dispenser reads the card number from the magnetic strip and the PIN that he has
typed and sends them to the ATM Server.
• The ATM Server verifies the PIN against the card number with the help of the PIN machine
and sends a positive or negative acknowledgement to the Cash dispenser.
• At this point, the customer is authenticated and can use his account.
73
ATM PIN Security
• The security of the ATM PIN is a critical element in the entire process.
• There are two ways that an attacker could try to get the ATM PIN:
- He could either sniff the network when the Cash dispenser is transmitting the PIN to the
ATM Server, or
- he could compromise the ATM Server and PIN machine to extract the PIN of a user.
• How have these threats been addressed in today’s ATM systems?
74
ATM PIN Security
• To prevent the sniffing of the PIN during transmission, the PIN is encrypted using the DES
or 3DES encryption algorithm and then transmitted from the Cash dispenser to the ATM Server.
• The shared secret key is stored in the Cash dispenser as well as in the ATM Server. This
application stores the shared DES key in encrypted form using the vendor’s proprietary
algorithm (e.g. ACI ATM software).
• The solution for the second problem is interesting. The system splits each customer’s PIN
into two parts and stores them in two different machines. So even if one of the machines is
compromised, the PIN is still secure. Now the problem is of course how to split the PIN
securely into two parts. Here we also have to keep in mind that the customer can always
change his PIN.
75
ATM PIN Security
• An algorithm has been designed that allows the customer’s PIN to be split and
also allows the customer to change his PIN.
• Let the customer PIN be a, and let’s say it is split into two parts b and c:
a = b + c
- b is the variable part of the PIN and is called the PIN Offset.
The PIN Offset is stored in the ATM Server.
- c is the constant part of the PIN and is called the Natural PIN.
The Natural PIN is generated in the PIN machine each time.
How does the PIN Machine generate the constant c for each customer and yet keep it a secret?
Remember that the ATM card number of a customer is unique. So, the constant part c can be
a cryptographic function of the card number.
c = f(card#)
76
ATM PIN Security
There are different methods to derive a constant number from a card number and a popular
method is to derive it using the DES algorithm. The PIN machine* stores a DES key in its
Electrically Erasable Programmable Read Only Memory (EEPROM). This key is used to
encrypt the card number and generate a DES encrypted value.
* The DES key is stored in the EEPROM of the machine. The EEPROM is a chip which is fixed on the
machine’s circuit board. To retrieve the key, one has to open the box case, remove the circuit
board from the box, and connect the EEPROM to an EEPROM reader to get the key. So physical
security is very important for the ATM Server room.
77
ATM PIN Security
Card # + DES key = DES encrypted value
This DES encrypted value is then converted into decimalized form and the first four digits of
the value are taken. That is the Natural PIN, c . Once again, to summarize, the path is:
DES encrypted value → Decimalized value → First 4 digits of the value = c
The Natural PIN, the constant part, c is not stored anywhere in the entire process. Nobody
can get the PIN by compromising the PIN machine*. The PIN Offset or b is the variable part.
When a customer changes his/her PIN only this part is changed. So even if the ATM Server is
compromised only b will be revealed and it is useless without c to get actual Customer PIN a .
* The DES key is stored in the EEPROM of the machine. The EEPROM is a chip which is fixed on the
machine’s circuit board. To retrieve the key, one has to open the box case, remove the circuit
board from the box, and connect the EEPROM to an EEPROM reader to get the key. So physical
security is very important for the ATM Server room.
78
ATM PIN Authentication Process
• The mechanism for authenticating the ATM PIN is quite simple. When a customer inserts his
ATM card and types the PIN, the card number and PIN are sent to the ATM Server encrypted.
• The ATM Server decrypts the card number and the PIN; it first validates the card number
against its database.
• The valid card number, the PIN Offset b of that card and the PIN typed by the customer are
sent to the PIN machine.
• Now the PIN machine generates the Natural PIN c from the card no., adds it to the PIN Offset b
and generates the true Customer PIN a .
• Then it compares the actual Customer PIN a with the customer supplied PIN. If the two
match, it sends a positive acknowledgement to the ATM Server indicating that the
customer is authenticated.
• Note that in this process, the Natural PIN never leaves the tamper proof PIN Machine, and
the PIN machine does not have to store individual PINs of all the users. Instead, it securely
stores the DES key for generating the Natural PIN from each user’s card number.
79
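The split-PIN scheme and authentication flow above as a small model, added here as an example that is not part of the original deck. Assumptions made for the illustration: HMAC-SHA256 stands in for the DES encryption of the card number, the decimalisation maps hex digits a-f to 0-5, a = b + c is taken modulo 10000 so the PIN stays four digits, and the card number and key are constructed values.

```python
import hashlib
import hmac

PIN_LEN = 4
MOD = 10 ** PIN_LEN


class PinMachine:
    """Tamper-proof device: stores one secret key, never stores any PIN."""

    def __init__(self, secret_key):
        self._key = secret_key

    def _natural_pin(self, card_number):
        """c = f(card#): encrypt, decimalise, take the first four digits."""
        # Stand-in for the DES step (assumption): keyed HMAC-SHA256.
        digest = hmac.new(self._key, card_number.encode(),
                          hashlib.sha256).hexdigest()
        # Assumed decimalisation: 0-9 unchanged, a-f become 0-5.
        decimal = "".join(str(int(h, 16) % 10) for h in digest)
        return int(decimal[:PIN_LEN])

    def offset_for(self, card_number, chosen_pin):
        """PIN issue or change: return b such that b + c = a (mod 10000)."""
        return (int(chosen_pin) - self._natural_pin(card_number)) % MOD

    def verify(self, card_number, pin_offset, entered_pin):
        """Rebuild a = b + c inside the device and compare with the entry."""
        true_pin = (pin_offset + self._natural_pin(card_number)) % MOD
        return hmac.compare_digest(f"{true_pin:0{PIN_LEN}d}", entered_pin)


class AtmServer:
    """Stores only card numbers and PIN Offsets (b), never the PIN itself."""

    def __init__(self, pin_machine):
        self._pin_machine = pin_machine
        self.offsets = {}

    def set_pin(self, card_number, chosen_pin):
        self.offsets[card_number] = self._pin_machine.offset_for(
            card_number, chosen_pin)

    def authenticate(self, card_number, entered_pin):
        if card_number not in self.offsets:      # validate the card first
            return False
        return self._pin_machine.verify(
            card_number, self.offsets[card_number], entered_pin)


if __name__ == "__main__":
    server = AtmServer(PinMachine(b"constructed demo key"))
    card = "4000001234567890"                    # constructed card number
    server.set_pin(card, "1234")
    print(server.authenticate(card, "1234"), server.authenticate(card, "4321"))
    server.set_pin(card, "9876")                 # PIN change: only b changes
    print(server.offsets[card], server.authenticate(card, "9876"))
```

A copy of `server.offsets` is useless to a PIN machine holding a different key, which is the property the slides rely on when the ATM Server is compromised.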
Generation & Distribution of ATM PIN
• The ATM system deals with critical customer information and is more secure by design.
• But there can still be security risks during the generation and distribution of a new card and PIN .
• The Card number is generated by the ATM Server and the PIN is generated by the PIN
machine from the card number as mentioned above.
• But for the first time, the PIN Offset of the new PIN is randomly generated by the PIN machine.
• There are two ways to print the PIN mailer.
- In the first method, the operator will generate a new PIN using the PIN machine,
get the PIN and generate the printout of the PIN mailer.
- In the second method, the operator requests the PIN machine to generate a new PIN.
The PIN machine generates the PIN and directly prints it to a connected printer and seals
the print mailer before giving it to the operator.
• The second method is clearly more secure than first one as the operator never comes to know
the secret PIN.
80
Modern Techniques (Block Ciphers)
&
Asymmetric Cipher
81
Using Key in Cryptography
82
Definition of Key
A sequence of symbols that controls the operation of a cryptographic
transformation (e.g. encipherment, decipherment).
In practice a key is normally a string of bits used by a cryptographic
algorithm to transform plain text into cipher text or vice versa. The key
should be the only part of the algorithm that it is necessary to keep
secret.
83
Key Length
The key length is usually expressed in bits, 8 bits to one byte. Bytes are
a more convenient form for storing and representing keys because
most computer systems use a byte as the smallest unit of storage (the
strict term for an 8-bit byte is octet).
Just remember that most encryption algorithms work with bit strings.
It's up to the user to pass them in the required format to the encryption
function they are using. That format is generally as an array of bytes,
but could be in hexadecimal or base64 format.
In theory, the longer the key, the harder it is to crack encrypted data.
The longer the key, however, the longer it takes to carry out encryption
and decryption operations.
84
Analogy - Strength
85
Analogy - Breaking
86
Key Length
Block cipher encryption algorithms like AES and Blowfish work by
taking a fixed-length block of plaintext bits and transforming it into the
same length of ciphertext bits using a key.
Most other block cipher encryption methods have a fixed length key.
For example, DES has a 64-bit key (but only uses 56 of them) and
Triple DES has a 192-bit key (but only uses 168 of them).
IDEA uses a 128-bit key.
The Advanced Encryption Algorithm (AES) has a choice of three key
lengths: 128, 192 or 256 bits.
Public key encryption algorithms like RSA typically have key lengths
in the order of 1000-2000 bits. Be careful with the difference in key
lengths for block cipher algorithms and public key algorithms.
192-bit Triple DES key is equivalent in security terms to a 2048-bit RSA
key, and an AES-128 key is equivalent to a 3072-bit RSA key
87
Relevance of Key Length
To crack some ciphertext encrypted with a 64-bit key by the brute-force
method of trying every combination of keys possible means you have
2^64 possible combinations or 1.8 x 10^19 (that's 18 followed by 18
naughts).
We can expect, on the average, to find a correct answer in half this
number of tries. If we have a computer that can carry out one
encryption operation every millisecond, it will take about 292 million
years to find the correct value. Speed up your computer by a million
times and it will still take about 3 centuries to solve.
The equivalent brute force technique for a 128-bit key will, in theory,
take a "long time", probably past the expected life of the universe. But,
in practice, a set of supercomputers operating in parallel can crack a
64-bit key in a relatively short time.
If an attacker has access to a large selection of messages all encrypted
with the same key, there are other techniques that can be used to
reduce the time to derive the key.
88
How do encryption schemes fail?
Most encryption schemes are cracked not by brute force trying of all
possible combinations of key bits, but by using other knowledge about
how the sender derived the key.
This could be a faulty random number generator known to be used by
the system, or knowledge that the user derived the key solely from
a password of only the letters a to z, or just used simple English
words. Or perhaps by finding out the keystrokes typed on the
keyboard by the user with a keystroke logger, or by bribing (or
torturing) someone to give them the key, or by reading the post-it
note the user has conveniently left on the side of the computer with
the password written on it. The traps are many and subtle and even
the experts get it wrong.
Why spend hours trying to pick the expensive security lock when
the owner of the house has left a window open?
89
How do encryption schemes fail?
Strictly, it's not the length of the key, but the "entropy" in the method
used to derive the key. There is approximately one bit of entropy in a
normal ASCII character.
If you derive a 128-bit key from a password or pass phrase, you
will need a very long pass phrase to get enough theoretical entropy
in the key to match the security of the underlying key length: Bruce
Schneier estimates that you need a 98-character English pass phrase
for a 128-bit key. Most people can't be bothered with such a
cumbersome pass phrase.
90
How do encryption schemes fail?
Using AES with a 128-bit key should provide adequate security for
most purposes. The longer you intend to keep the encrypted data
secret, the longer the key you should use, on the principle that cracking
techniques will continue to improve over time. Bruce Schneier
recommends a 256-bit key for data you intend to keep for 20-30 years.
No one is going to criticise you for using a key that is too long
provided your software still performs adequately. However, the
biggest danger in using a key that is too large is the false sense of
security it provides to the implementers and users. "Oh, we have n-million-bit security in our system" may sound impressive in a
marketing blurb, but the fact that your private key is not adequately
protected or your random number generator is not random or you
have used an insecure algorithm may mean that the total security is
next to useless.
Remember it is the security of the total system that counts, including
procedures followed by users.
91
Choice of Algorithm
Whatever you use, use an accepted algorithm:
DES, Triple DES, RSA, AES, Blowfish, IDEA, etc.
Don't try making up your own algorithm; we (learners) aren't that
good. The only secret should be in the value of the key.
92
Password, Pass Phrase & Key
People often get confused between "password" and "key".
A password is typically a series of ASCII characters typed
at a keyboard, e.g. "hello123" or "my secret pass phrase".
This makes it easier for users to remember. They are, of
course, much easier to crack because there are significantly
fewer combinations to choose from.
A pass phrase is simply a password that consists of several
words in a string, e.g. "she sells sea shells", so the terms
"password" and "pass phrase" are equivalent for our
purposes. In principle, a pass phrase makes it easier for a
user to remember a long combination of characters. In
practice, this adds to security only if the pass phrase is
something known only to the user. Don't use quotes from
famous literature - hackers read them, too.
93
Password, Pass Phrase & Key
A password is typically a series of ASCII characters typed at a keyboard, e.g.
"hello123" or "my secret pass phrase". This makes it easier for users to
remember. They are, of course, much easier to crack because there are
significantly fewer combinations to choose from.
A pass phrase is simply a password that consists of several words in a
string, e.g. "she sells sea shells", so the terms "password" and "pass phrase"
are equivalent for our purposes. In principle, a pass phrase makes it easier
for a user to remember a long combination of characters. In practice, this
adds to security only if the pass phrase is something known only to the user.
A key used by an encryption algorithm is a bit string. A 128-bit key will
have exactly 128 bits in it, i.e. 16 bytes. You will often see keys written in
hexadecimal format where each character represents 4 bits, e.g.
"FEDCBA98765432100123456789ABCDEF" represents 16 bytes or 128 bits.
The actual bits in this example are :
1111 1110 1101 1100 1011 1010 1001 1000 0111 0110 0101 0100 0011 0010
0001 0000 0000 0001 0010 0011 0100 0101 0110 0111 1000 1001 1010 1011
1100 1101 1110 1111
94
Just to test 1
In a university, a student needs to encrypt her password (with a
unique symmetric key) before sending it when she logs in. Does
encryption protect the university or the student? Explain your
answer.
95
Answer for the “Just to test 1”
In a university, a student needs to encrypt her password (with a
unique symmetric key) before sending it when she logs in. Does
encryption protect the university or the student? Explain your
answer.
The encryption protects the student and the university for the first
time. However, the intruder can intercept the encrypted password
and replay the process some other times. The intruder does not
have to know the password in plaintext; the encrypted password
suffices for replaying. The university system cannot determine if
the student has encrypted the message again or the intruder is
replaying it.
96
How should I derive the key?
97
Just to test 2
a. What are two basic functions used in encryption algorithm?
Explain how each of these methods works and please include the
example.
98
Answer for the “Just to test 2”
a. What are two basic functions used in encryption algorithm? Explain how
each of these methods works and please include the example.
Substitution and Transposition/Permutation
Substitution
where letters of plaintext are replaced by other letters or by numbers
or symbols. Or if plaintext is viewed as a sequence of bits, then
substitution involves replacing plaintext bit patterns with ciphertext
bit patterns.
Transposition/Permutation
A transposition is an encryption in which the letters of the message
are rearranged. With transposition, the cryptography aims for
diffusion, widely spreading the information from the message or key
across the ciphertext. Transpositions try to break established
patterns. Because a transposition is a rearrangement of the symbols
of a message, it is also known as a permutation.
99
Block Cipher
A block cipher is a function E: {0,1}^k × {0,1}^n → {0,1}^n. This notation
means that E takes two inputs, one being a k-bit string and the other an
n-bit string, and returns an n-bit string. The first input is the key. The
second might be called the plaintext, and the output might be called a
ciphertext. The key-length k and the block-length n are parameters
associated to the block cipher. They vary from block cipher to block
cipher.
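[Figure: one round of a Feistel cipher. The plaintext block is split into halves Ln and Rn; F (substitution + permutation) takes Rn and the subkey Kn+1, and its output is XORed with Ln to produce Ln+1 and Rn+1.]
Encryption Process:
Ln+1 = Rn
Rn+1 = Ln ⊕ F(Rn, Kn+1)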
100
Block Cipher
For each key K ∈ {0,1}^k we let E_K: {0,1}^n → {0,1}^n be the function defined
by E_K(M) = E(K,M). For any block cipher, and any key K, it is required
that the function E_K be a permutation on {0,1}^n. This means that it is a
bijection (i.e., a one-to-one and onto function) of {0,1}^n to {0,1}^n. (For
every C ∈ {0,1}^n there is exactly one M ∈ {0,1}^n such that E_K(M) = C.)
Accordingly E_K has an inverse, and we denote it (E_K)^-1.
101
Block Cipher
This function also maps {0,1}^n → {0,1}^n, and of course we have
(E_K)^-1(E_K(M)) = M and
E_K((E_K)^-1(C)) = C
for all M, C ∈ {0,1}^n.
We let E^-1: {0,1}^k × {0,1}^n → {0,1}^n be defined by E^-1(K,C) = (E_K)^-1(C).
This is the inverse block cipher to E.
Note:
→ implies; ∈ set membership
A → B means if A is true then B is also true; if A is false then nothing is said about B.
a ∈ S means a is an element of the set S
[Figure: Feistel network. The plaintext is split into halves Ln and Rn; Round 1 (K1), Round i (Ki) and Round n (Kn) each apply F and an XOR (+) to produce Ln+1 and Rn+1; the final output is the ciphertext.]
102
Block Cipher
The block cipher E is a public and fully specified algorithm. Both the
cipher E and its inverse E^-1 should be easily computable, meaning
given K,M we can readily compute E(K,M), and given K,C we can
readily compute E^-1(K,C). By "readily compute" we mean that there are
public and relatively efficient programs available for these tasks.
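The Feistel round equations and the permutation requirement from the Block Cipher slides, as an added example that is not part of the original slides. The 16-bit block, 32-bit key, SHA-256-based round function F and one-byte-per-round key schedule are assumptions chosen so that every block can be checked exhaustively; this is a teaching toy, not DES.

```python
import hashlib

HALF_BITS = 8                       # toy block length n = 16 bits (two 8-bit halves)
HALF_MASK = (1 << HALF_BITS) - 1
ROUNDS = 4                          # toy key length k = 32 bits, one byte per round


def round_function(right, subkey):
    """F(R, K). It need not be invertible; the Feistel structure supplies the inverse."""
    return hashlib.sha256(bytes([right, subkey])).digest()[0]


def subkeys(key):
    """Toy key schedule (assumption): subkey i is byte i of the 32-bit key."""
    return [(key >> (8 * i)) & 0xFF for i in range(ROUNDS)]


def feistel_encrypt(key, block):
    """E(K, M): each round computes L_next = R and R_next = L xor F(R, K_next)."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in subkeys(key):
        left, right = right, left ^ round_function(right, k)
    return (left << HALF_BITS) | right


def feistel_decrypt(key, block):
    """E^-1(K, C): undo the rounds in reverse order with the same F."""
    left, right = block >> HALF_BITS, block & HALF_MASK
    for k in reversed(subkeys(key)):
        # Previous R is the current L; previous L is current R xor F(previous R, k).
        left, right = right ^ round_function(left, k), left
    return (left << HALF_BITS) | right


def is_permutation(key):
    """True if E_K maps the 2^16 possible blocks onto 2^16 distinct ciphertexts."""
    size = 1 << (2 * HALF_BITS)
    return len({feistel_encrypt(key, m) for m in range(size)}) == size


if __name__ == "__main__":
    K = 0x0123ABCD                  # constructed sample key
    M = 0xBEEF                      # constructed sample block
    C = feistel_encrypt(K, M)
    print(f"M={M:04x} C={C:04x} recovered={feistel_decrypt(K, C):04x}")
    print("E_K is a permutation:", is_permutation(K))
```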
103
Before Start, Just Review Back
Block Ciphers /
Feistel Cipher
DES
DES Modes of Operation
104
DES – Data Encryption Standard
A Block cipher
Data encrypted in 64-bit blocks using a 56-bit key
(effective key); ciphertext is 64 bits long
Encrypts by series of substitution and transpositions (or
permutations)
105
DES - Basics
DES uses the two basic techniques of cryptography - confusion and
diffusion.
At the simplest level, diffusion is achieved through numerous
permutations and confusion is achieved through the XOR
operation and the S-Boxes.
This is also called an S-P network.
106
DES - Basics
Fundamentally DES performs only two operations on its
input, bit shifting (permutation), and bit substitution.
The key controls exactly how this process works.
By doing these operations repeatedly and in a non-linear
manner you end up with a result which cannot be used to
retrieve the original without the key.
107
Input of DES
Data: needs to be broken into 64-bit blocks; add padding at the end of the
message if necessary.
e.g. X=(3 5 0 7 7 F 1 0 A B 1 2 F C 6 5)HEX
Secret key:
Any string 64 bits long, including 8 parity bits.
1 parity bit in each 8-bit byte of the key may be utilized for error
detection in key generation, distribution, and storage;
K=(k1…k7k8… k15k16k17…k24…k32… k40… k48… k56… k64)
The parity bits k8,k16,k24,k32,k40,k48,k56,k64 help ensure that each
byte is of odd parity
108
DES Block cipher
109
DES Encryption
110
DES Encryption Diagram
[Figure: 64-bit plaintext → initial permutation → iteration 1 (K1) → iteration 2 (K2) → … → iteration 16 (K16) → 32-bit swap → inverse permutation → 64-bit ciphertext; 16 subkeys of 48 bits each.]
111
How to use DES?
Four modes of operations were defined for DES in ANSI standard
ANSI X3.106-1983 Modes of Use
subsequently now have 5 for DES and AES
have block and stream modes
112
Handle long messages
Block ciphers encrypt fixed size blocks
eg. DES encrypts 64-bit blocks, with 56-bit key
How to encrypt arbitrary amount of information ?
Message is broken into blocks of 64 bits
At end of message, handle possible last short block
by padding either with known non-data value (eg nulls)
or pad last block with count of pad size
– eg. [ b1 b2 b3 0 0 0 0 5] <- 3 data bytes, then 5 bytes
pad+count
Then they are encrypted and decrypted in various combinations
of keys and texts.
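The two padding options from the "Handle long messages" slide, as an added example that is not part of the original slides. The function names are hypothetical; the 8-byte block matches DES, and the sample inputs are constructed. It shows why the count form can be removed unambiguously while null-only padding cannot.

```python
BLOCK = 8   # DES block size in bytes (64 bits)


def pad_with_count(data):
    """Zero bytes followed by a final byte holding the pad size (1..8)."""
    pad_len = BLOCK - (len(data) % BLOCK)      # a whole extra block if already aligned
    return data + b"\x00" * (pad_len - 1) + bytes([pad_len])


def unpad_with_count(padded):
    """Strip the padding, rejecting inputs that cannot have come from pad_with_count."""
    if not padded or len(padded) % BLOCK:
        raise ValueError("length is not a positive multiple of the block size")
    pad_len = padded[-1]
    if not 1 <= pad_len <= BLOCK:
        raise ValueError("pad count out of range")
    if any(padded[-pad_len:-1]):
        raise ValueError("pad bytes before the count are not zero")
    return padded[:-pad_len]


def pad_with_nulls(data):
    """Known non-data value (nulls) only, no count."""
    return data + b"\x00" * (-len(data) % BLOCK)


def unpad_nulls(padded):
    """Best effort: cannot tell trailing null data bytes from padding."""
    return padded.rstrip(b"\x00")


def split_blocks(padded):
    """The 64-bit blocks that would each be handed to the block cipher."""
    return [padded[i:i + BLOCK] for i in range(0, len(padded), BLOCK)]


if __name__ == "__main__":
    print(pad_with_count(b"abc"))                 # 3 data bytes, 5 bytes pad+count
    print(split_blocks(pad_with_count(b"0123456789")))
    tricky = b"ab\x00"                            # constructed: data ending in a null
    print(unpad_with_count(pad_with_count(tricky)) == tricky)
    print(unpad_nulls(pad_with_nulls(tricky)) == tricky)
```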
113
Details for DES, Please refer and read:
Stallings, W. (2006). Cryptography and Network Security. New
Jersey: Prentice-Hall. Page 63 - 90
114
Chapter 3
Public-Key Cryptography
115
Overview
Symmetric Cryptography
Summary
Public-Key Cryptography
Example: RSA
Discussion
116
Categories of cryptography
117
ASYMMETRIC-KEY CRYPTOGRAPHY
An asymmetric-key (or public-key) cipher uses two
keys: one private and one public. We discuss one
algorithm: RSA
Topics discussed in this section:
RSA
118
Asymmetric Cryptography
119
Comparison between two categories of cryptography
120
Symmetric Cryptography
Summary
Public-Key Cryptography
Example: RSA
Discussion
121
Symmetric Concept
[Figure: the plaintext message is encrypted (E) under the shared key EAB into ciphertext, which is decrypted (D) under the same key EAB to recover the plaintext.]
Confidentiality – Alice and Bob share the key
Authentication – only from Alice, therefore it cannot be altered in transit
No signature - Bob could forge the message
- Sender could deny the message
122
Symmetric Cryptography
Summary
Public-Key Cryptography
Example: RSA
Discussion
123
Private-Key Cryptography Definition
public-key/two-key/asymmetric cryptography involves the use of
two keys:
a public-key, which may be known by anybody, and can be
used to encrypt messages, and verify signatures
a private-key, known only to the recipient, used to decrypt
messages, and sign (create) signatures
is asymmetric because
those who encrypt messages or verify signatures cannot decrypt
messages or create signatures
124
Private-Key Cryptography - Concept
allows users to communicate securely without having prior access
to a shared secret key,
by using a pair of cryptographic keys, designated
as public key and
private key, which are related mathematically.
the private key is generally kept secret, while the public key may
be widely distributed.
In a sense, one key "locks" a lock; while the other is required to
unlock it. It should not be possible to deduce the private key of a
pair given the public key.
125
Public-Key Basic Concept
[Figure: Alice encrypts the plaintext message (M) with Bob's public key (EB); Bob decrypts the ciphertext with his private key (DB).]
126
Public-Key Basic Concept
[Figure: Alice encrypts the plaintext message (M) with EB; Bob decrypts the ciphertext with DB.]
Confidentiality
• This model provides no authentication because any party
could also use Bob’s “public key” to encrypt Message (M)
127
Private-Key Cryptography
128
Public-Key Cryptography Options
There are many forms of public-key cryptography, including:
public key encryption — keeping a message secret from anyone that does
not possess a specific private key.
public key digital signature — allowing anyone to verify that a message was
created with a specific private key.
key agreement — generally, allowing two parties that may not initially share
a secret key to agree on one.
129
Private-Key Cryptography
The most obvious application of a public key encryption system is confidentiality;
a message which a sender encrypts using the recipient's public key can only be
decrypted by the recipient's paired private key.
Public-key digital signature algorithms can be used for sender authentication.
For instance, a user can encrypt a message with his own private key and send it.
If another user can successfully decrypt it using the corresponding public key, this
provides assurance that the first user (and no other) sent it.
130
To Provide Authentication & Signature
[Figure: Alice encrypts (E) the plaintext message (M) into ciphertext; Bob decrypts (D) it to recover the plaintext. Key labels: EA, DA.]
Alice uses her private key
Bob uses Alice’s public key
Alice has “signed” the message
• This model does provide authentication and digital signature
• But this scheme does not provide confidentiality, because anyone
who has Alice’s public key can decrypt the ciphertext.
131
To Provide Confidentiality, Authentication and Signature
[Figure: Alice encrypts the plaintext message (M) twice and Bob decrypts twice. Alice uses her private key (digital signature and authentication), then Bob’s public key (confidentiality); Bob uses his private key, then Alice’s public key. Key labels: EA, EB, DB, DA.]
• Bottleneck: The public-key algorithm is complex and must be exercised
four times rather than two in each communication
132
Why Public-Key Cryptography?
developed to address two key issues:
key distribution – how to have secure communications in
general without having to trust a KDC with your key
digital signatures – how to verify a message comes intact from
the claimed sender
Need to read page:
133
Public-Key Applications
can classify uses into 3 categories:
encryption/decryption (provide secrecy)
digital signatures (provide authentication)
key exchange (of session keys)
some algorithms are suitable for all uses, others are specific to one
134
Security of Public Key Schemes
like private key schemes brute force exhaustive search attack is always theoretically
possible
but keys used are too large (>512bits)
security relies on a large enough difference in difficulty between easy (en/decrypt)
and hard (cryptanalyse) problems
more generally the hard problem is known, it's just made too hard to do in practice
requires the use of very large numbers
hence is slow compared to private key schemes
135
Example of Public-Key Cryptographic Techniques
1) Well-regarded public-key techniques include:
• Diffie-Hellman
• RSA encryption algorithm
• ElGamal
• DSS (Digital Signature Standard), which incorporates the
Digital Signature Algorithm.
• Various Elliptic Curve techniques
• Various Password-authenticated key agreement techniques
• Paillier cryptosystem
2) Protocols using asymmetric key algorithms include:
• PGP – Pretty Good Privacy
• GNU Privacy Guard (GPG) an implementation of OpenPGP
• Secure Shell (SSH)
• SSL, now implemented as an IETF standard:
Transport Layer Security (TLS)
136
Course Work: Presentation
Symmetric Cryptography
Summary
Public-Key Cryptography
Example: RSA
Discussion
137
Cryptographers
As previously mentioned, this algorithm was created by Ron Rivest,
Adi Shamir, and Len Adleman of MIT.
Dr. Ron Rivest received his Bachelors Degree in Mathematics
from Yale University in 1969, while obtaining his Doctorate
Degree in Computer Science from Stanford University in 1974.
He is most famously known for his work in the RSA algorithm,
along with his creation of the symmetric key encryption
algorithms (RC2, RC4, RC5, and RC6).
Dr. Rivest is currently working as a senior Professor of
Computer Science in the Department of Electrical
Engineering and Computer Science at MIT.
138
Cryptographers
Dr. Adi Shamir received his Bachelors Degree in Mathematics
from Tel-Aviv University in 1973, and received his MSc and PhD
Degrees in Computer Science from the Weizmann Institute of
Israel in 1975 and 1977, respectively. During the latter half of the
1970’s Dr. Shamir participated in research at the facilities of MIT,
where he took part in inventing the RSA algorithm. Apart from
the RSA algorithm, Dr. Shamir is well known for breaking the
Merkle-Hellman cryptosystem and for his creation of the Shamir
secret sharing scheme (cryptography).
Presently, Dr. Shamir is a faculty member of the Weizmann
Institute in the Department of Mathematics and Computer
Science.
139
Cryptographers
Dr. Len Adleman received his Bachelors Degree in Mathematics
in 1968 and his Doctorate Degree in Computer Science in 1976
from the University of California, Berkeley. In addition to his
involvement in designing the RSA algorithm, Dr. Adleman is
widely known for creating the initial field of DNA Computing at
the University of Southern California (USC).
At the present time Dr. Adleman is working as a Professor of
Computer Science and Molecular Biology at USC.
In 2002 Dr. Rivest, Dr. Shamir, and Dr. Adleman received the ACM
Turing Award, awarded on behalf of the Association of Computing
Machinery in recognition of their discovery of the RSA encryption
algorithm. (This award is commonly referred to as the Nobel Prize
of Computer Science.)
140
RSA
141
Selecting Keys
Bob uses the following steps to select the private and public keys:
1. Bob chooses two very large prime numbers p and q. Remember that a prime
number is one that can be divided evenly only by 1 and itself.
2. Bob multiplies the above two primes to find n, the modulus for encryption and
decryption. In other words, n = p × q.
3. Bob calculates another number φ = (p − 1) × (q − 1).
4. Bob chooses a random integer e. He then calculates d so that d × e = 1 mod φ.
5. Bob announces e and n to the public; he keeps φ and d secret.
142
Need To Know
Note
In RSA, e and n are announced to the
public; d and φ are kept secret.
143
Encryption
Anyone who needs to send a message to Bob can use n and e. For example, if
Alice needs to send a message to Bob, she can change the message, usually a
short one, to an integer. This is the plaintext. She then calculates the ciphertext,
using e and n.
C = P^e (mod n)
Alice sends C, the ciphertext, to Bob.
144
Decryption
Bob keeps φ and d private. When he receives the ciphertext, he uses his private key d to
decrypt the message.
P = C^d (mod n)
145
Example 2 - Question
Bob chooses 7 and 11 as p and q and calculates n = 7 · 11 = 77. The value
of φ = (7 − 1)(11 − 1) or 60. Now he chooses two keys, e and d. If he chooses e to be
13, then d is 37. Now Alice sends the plaintext 5 to Bob. She uses the
public key 13 to encrypt 5.
146
Example 2 - Answer
Bob chooses 7 and 11 as p and q and calculates n = 7 · 11 = 77. The value of φ = (7 − 1)(11 − 1) or 60.
Now he chooses two keys, e and d. If he chooses e to be 13, then d is 37. Now Alice sends
the plaintext 5 to Bob. She uses the public key 13 to encrypt 5.
Plaintext: 5
C = 5^13 = 26 mod 77
Ciphertext: 26
Bob receives the ciphertext 26 and uses the private key 37 to decipher the ciphertext:
Ciphertext: 26
P = 26^37 = 5 mod 77
Plaintext: 5
Intended message sent by Alice
The plaintext 5 sent by Alice is received as plaintext 5 by Bob.
147
Example 3
Let me give a realistic example. We choose a 512-bit p and q. We calculate n and φ.
We then choose e and test for relative primeness with φ(n). We calculate d. Finally,
we show the results of encryption and decryption. This requires a program written in
Java/C/C++; this type of calculation cannot be done by a calculator.
The integer q is a 160-digit number.
148
Example 3
We calculate n. It has 309 digits:
We calculate φ. It has 309 digits:
149
Example 3
We choose e = 35,535. We then find d.
Alice wants to send the message “THIS IS A TEST”
which can be changed to a numeric value by using the
00–26 encoding scheme (26 is the space character).
150
Example 3
The ciphertext calculated by Alice is C = P^e, which is.
Bob can recover the plaintext from the ciphertext by
using P = C^d, which is
The recovered plaintext is THIS IS A TEST after
decoding.
151
Example 4
Bob chooses 7 and 11 as p and q and calculates
n = 7 · 11 = 77. The value of φ = (7 − 1) (11 − 1) or 60.
Now he chooses two keys, e and d. If he chooses e to be
13, then d is 37. Now imagine Alice sends the plaintext 5
to Bob. She uses the public key 13 to encrypt 5.
152
Example 4
Bob receives the ciphertext 26 and uses the private key 37
to decipher the ciphertext:
The plaintext 5 sent by Alice is received as plaintext 5 by
Bob.
153
Example 5
Jennifer creates a pair of keys for herself. She chooses
p = 397 and q = 401. She calculates n = 159,197 and
φ = 396 · 400 = 158,400. She then chooses e = 343 and
d = 12,007. Show how Ted can send a message to Jennifer
if he knows e and n.
154
Example 5
Solution
Suppose Ted wants to send the message “NO” to Jennifer.
He changes each character to a number (from 00 to 25)
with each character coded as two digits. He then
concatenates the two coded characters and gets a four-digit number. The plaintext is 1314. Ted then uses e and n
to encrypt the message. The ciphertext is 1314^343 = 33,677
mod 159,197. Jennifer receives the message 33,677 and
uses the decryption key d to decipher it as 33,677^12,007 =
1314 mod 159,197. Jennifer then decodes 1314 as the
message “NO”. Figure 30.25 shows the process.
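The key selection, encryption and decryption steps from the RSA slides, run on the parameters of Examples 2 and 5, as an added example that is not part of the original slides. The function names are hypothetical; the two-digit letter coding (A = 00 … Z = 25, space = 26) follows the slides, and the primes are the slides' small teaching values.

```python
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ "   # A=00 ... Z=25, space=26 (slides' coding)


def make_keys(p, q, e):
    """Steps 2-5 of 'Selecting Keys': returns (public, private) = ((e, n), (d, n))."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi or gcd(e, phi) != 1:
        raise ValueError("e must be relatively prime to phi")
    d = pow(e, -1, phi)            # modular inverse: d * e = 1 mod phi (Python 3.8+)
    return (e, n), (d, n)


def rsa_encrypt(plaintext, public_key):
    """C = P^e mod n. Textbook RSA as on the slides (no padding scheme)."""
    e, n = public_key
    if not 0 <= plaintext < n:
        raise ValueError("plaintext integer must be smaller than n")
    return pow(plaintext, e, n)


def rsa_decrypt(ciphertext, private_key):
    """P = C^d mod n."""
    d, n = private_key
    return pow(ciphertext, d, n)


def encode(text):
    """Two decimal digits per character, concatenated into one integer."""
    return int("".join(f"{ALPHABET.index(ch):02d}" for ch in text))


def decode(number, length):
    """Inverse of encode; length restores leading zeros (e.g. 'AB' encodes to 1)."""
    digits = f"{number:0{2 * length}d}"
    return "".join(ALPHABET[int(digits[i:i + 2])] for i in range(0, len(digits), 2))


if __name__ == "__main__":
    public, private = make_keys(7, 11, 13)             # Example 2
    c = rsa_encrypt(5, public)
    print("Example 2:", private, c, rsa_decrypt(c, private))

    public, private = make_keys(397, 401, 343)         # Example 5
    c = rsa_encrypt(encode("NO"), public)
    print("Example 5:", private, c, decode(rsa_decrypt(c, private), 2))
```

With n = 159,197 the 28-digit encoding of "THIS IS A TEST" is rejected by `rsa_encrypt`, which is why Example 3 needs a far larger modulus.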
155
Example 5
156
Example 6 - Question
1. Alice wants to send a cellphone text message to Bob securely, over an insecure
communication network. Alice's cellphone has an RSA public key KA and matching private
key VA; likewise, Bob's cellphone has KB and VB. Let's design a cryptographic protocol for
doing this, assuming both know each other's public keys. Here is what Alice's cellphone
will do to send the text message m:
(i) Alice's phone randomly picks a new AES session key k and computes c = RSA-Encrypt(KB, k), c’ = AES-CBC-Encrypt(k, m), and t = RSA-Sign(VA, (c, c’)).
(ii) Alice's phone sends (c, c’, t) to Bob's phone.
And here is what Bob's cellphone will do, upon receiving (c, c’, t):
(i) Bob's phone checks that t is a valid RSA signature on (c, c’) under public key KA. If not,
abort.
(ii) Bob's phone computes k’ = RSA-Decrypt(VB, c) and m’ = AES-CBC-Decrypt(k’, c’).
(iii) Bob's phone informs Bob that Alice sent message m’.
157
Example 6 - Question
Does this protocol ensure the confidentiality of Alice's messages? Why
or why not?
Does this protocol ensure authentication and data integrity for every
text message Bob receives? Why or why not?
Suppose that Bob is Alice's stockbroker. Bob hooks up the output of this
protocol to an automatic stock trading service, so if Alice sends a text
message “Sell 100 shares MSFT” using the above protocol, then this
trade will be immediately and automatically executed from Alice's
account. Suggest one reason why this might be a bad idea from a
security point of view.
158
Example 6 - Answer
Does this protocol ensure the confidentiality of Alice's messages? Why
or why not?
Yes. Since AES-CBC-Encrypt is secure, no one can recover m from
c’ without knowledge of k. Also, since RSA-Encrypt is secure,
only someone who knows KB—namely, Bob—can recover k.
Does this protocol ensure authentication and data integrity for every
text message Bob receives? Why or why not?
Yes. Since RSA-Sign is secure, if (c, c’) passes step 1, then only
someone who knew VA—namely, Alice—could have sent (c, c’).
Now (c, c’) uniquely determines m, the message that Alice wanted
to send.
Conclusion: If Bob accepts m in step 3, then Alice sent m.
159
Example 6 - Answer
Suppose that Bob is Alice's stockbroker. Bob hooks up the output of this
protocol to an automatic stock trading service, so if Alice sends a text
message “Sell 100 shares MSFT” using the above protocol, then this
trade will be immediately and automatically executed from Alice's
account. Suggest one reason why this might be a bad idea from a
security point of view.
No protection against replays.
An active attacker could replay a valid ciphertext from Alice 10
times, causing 1000 shares to be sold—even though Alice only
wanted 100 sold.
Denial-of-service.
An active attacker could prevent Alice’s ciphertext from reaching
Bob. Since Alice doesn’t receive any acknowledgement, she will
think her trade was executed, when it actually wasn’t.
If Alice’s cellphone is lost or stolen, then its new owner can cause
trades to be executed from Alice’s account without Alice’s
160
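The replay weakness named in the Example 6 answer (and in the answer to "Just to test 1"), as an added example that is not part of the original slides. HMAC-SHA256 stands in for RSA-Sign and the fields c and c’ are opaque stand-ins for the RSA and AES-CBC ciphertexts (all assumptions); the duplicate-signature check is an added receiver-side check, not something the slides prescribe.

```python
import hashlib
import hmac
import os

ALICE_SIGNING_KEY = os.urandom(32)     # stand-in for Alice's signing key VA


def sign(c, c2):
    """Stand-in for t = RSA-Sign(VA, (c, c'))."""
    framed = len(c).to_bytes(4, "big") + c + c2     # unambiguous encoding of the pair
    return hmac.new(ALICE_SIGNING_KEY, framed, hashlib.sha256).digest()


def verify(c, c2, t):
    """Stand-in for Bob's step (i): is t a valid signature on (c, c')?"""
    return hmac.compare_digest(sign(c, c2), t)


def alice_send(order):
    """Build (c, c', t). Encryption is not modelled: only the signed envelope matters."""
    c = os.urandom(16)                 # stand-in for RSA-Encrypt(KB, k), fresh per message
    c2 = order.encode()                # stand-in for AES-CBC-Encrypt(k, m)
    return c, c2, sign(c, c2)


class Broker:
    """Bob's automatic trading service fed by the protocol output."""

    def __init__(self, reject_replays):
        self.reject_replays = reject_replays
        self.seen_signatures = set()
        self.shares_sold = 0

    def receive(self, c, c2, t):
        if not verify(c, c2, t):
            return False               # forged or modified message
        if self.reject_replays:
            if t in self.seen_signatures:
                return False           # valid signature, but already processed
            self.seen_signatures.add(t)
        self.shares_sold += int(c2.decode().split()[1])
        return True


def shares_sold_after_replay(reject_replays, copies=10):
    """Deliver one captured, genuinely signed order `copies` times."""
    broker = Broker(reject_replays)
    captured = alice_send("Sell 100 shares MSFT")   # constructed sample order
    for _ in range(copies):
        broker.receive(*captured)
    return broker.shares_sold


if __name__ == "__main__":
    print("protocol as specified:", shares_sold_after_replay(False))
    print("with duplicate check: ", shares_sold_after_replay(True))
```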
How Do You Want to Protect Your Network System
Thank You
See You Next Week
Have A Nice Weekend
161