Intro To Encryption Exercise 8

Simple MAC Functions

MAC_k(x) = int(x || k mod 2^32)
  For any k > 2^32, any x is a forgery.
  k is exposed, so we can compute the MAC of any x.

MAC_k(x) = (x[0…15] + k) ⊕ (x[16…31] + k)
  To expose k we need a known x.
  Any symmetrical message (x[0…15] = x[16…31]) can be forged: the result is 0 for any k.
  Other vulnerabilities may exist.

MAC_k(x) = x * (32567 + k) mod 32767
  Simple forgery: x' = x + 32767 gives the same MAC for any k.
Simple MAC Functions

MAC_k(x) = int(32768 * fraction(x*a + k*b)), where 0 < a, b < 1
  For very low values of a and b the forgery is simpler: x' = x + 1.
  For higher values, x' should be larger (or smaller) by a smaller delta (ADV knows a and b).
  The problem is that int loses precision.
Problem

Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code). Namely, they send Encrypt(Message || Hash(Message)), and hope that in so doing they achieve encryption and authentication together.
Show that this design is insecure (an attacker can modify a message and it would still be considered authentic).
Hint: this is easy to show when using one-time-pad or OFB mode encryption.
Solution

Assume OTP is used and ADV knows some information about the message.
ADV knows the algorithm, so he knows which hash function is used.
Knowing so, he can figure out the key encrypting the message (known plaintext).
Since he knows the message and the hash of the message, he can figure out the key encrypting the hash.
ADV can now calculate a new message and the new hash for it, and replace them.
Solution

ADV's playout:
  k_m = m ⊕ c_m (revealing the key of m)
  k_h(m) = h(m) ⊕ c_h(m)
  Forge: m' ⊕ k_m || h(m') ⊕ k_h(m)
This is a poor MAC because it isn't even immune to KMA.
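The playout above, carried through in code. This is an added example, not part of the exercise sheet: it builds the criticised Encrypt(m || Hash(m)) construction over a one-time pad with SHA-256 as the hash, shows that a known message lets ADV recover k_m and k_h(m) from the ciphertext and substitute m' with a valid hash, and puts the encrypt-then-MAC form (HMAC under a separate key, computed over the ciphertext) beside it as the receiver behaviour that rejects the change. The pad, MAC key and messages are constructed sample values.

```python
import hashlib
import hmac
import os

HASH_LEN = 32   # SHA-256 digest length


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_m_and_hash(pad, m):
    """The criticised design: OTP-encrypt m || Hash(m) under a single pad."""
    plain = m + hashlib.sha256(m).digest()
    assert len(pad) >= len(plain)
    return xor_bytes(plain, pad)


def decrypt_and_verify(pad, c):
    """Receiver side of that design: decrypt, then accept iff the hash matches.
    Returns the message if accepted, else None."""
    plain = xor_bytes(c, pad)
    m, h = plain[:-HASH_LEN], plain[-HASH_LEN:]
    return m if hmac.compare_digest(hashlib.sha256(m).digest(), h) else None


def forge(c, known_m, new_m):
    """ADV's playout, without the pad: a known m (and a public hash function)
    give k_m = m XOR c_m and k_h(m) = h(m) XOR c_h(m); the same pad bits then
    carry m' XOR k_m || h(m') XOR k_h(m), which the receiver accepts."""
    assert len(new_m) == len(known_m)          # same length so the pad lines up
    known_plain = known_m + hashlib.sha256(known_m).digest()
    recovered_pad = xor_bytes(c, known_plain)  # k_m || k_h(m)
    new_plain = new_m + hashlib.sha256(new_m).digest()
    return xor_bytes(new_plain, recovered_pad)


def encrypt_then_mac(pad, mac_key, m):
    """Hardened form: encrypt, then MAC the ciphertext under a separate key."""
    c = xor_bytes(m, pad)
    return c, hmac.new(mac_key, c, hashlib.sha256).digest()


def verify_then_decrypt(pad, mac_key, c, tag):
    """Receiver side: reject on a bad tag before touching the plaintext."""
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return xor_bytes(c, pad)


def demo():
    """Constructed run: the forgery is accepted by the Encrypt(m||h(m))
    receiver, while a one-bit change to an encrypt-then-MAC ciphertext is
    rejected. Separate pads are used so that no pad is ever reused."""
    pad1, pad2, mac_key = os.urandom(64), os.urandom(64), os.urandom(32)
    m, m_forged = b"PAY ALICE 0100 USD", b"PAY EVE   9999 USD"
    accepted = decrypt_and_verify(pad1, forge(encrypt_m_and_hash(pad1, m), m, m_forged))
    c, tag = encrypt_then_mac(pad2, mac_key, m)
    tampered = bytes([c[0] ^ 0x01]) + c[1:]
    rejected = verify_then_decrypt(pad2, mac_key, tampered, tag)
    return accepted, rejected   # (b"PAY EVE   9999 USD", None)
```

The receiver in `decrypt_and_verify` does everything the design asks of it and still accepts the forged message, because nothing in the construction depends on a secret the attacker lacks once the pad bits are known; the hash is only an integrity check against noise, not a MAC.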
Using MAC: Shared Key Mutual Authentication

Model: Alice and Bob share a secret master key k
Goals:
  Mutual authentication: Alice knows she talked with Bob, and vice versa.
  Parties may also send a message; prevent replays.
  Allow multiple concurrent connections.
  Either party can initiate.
Basic problem, appears (and is) easy… but also easy to do wrong.
Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989)

SNA – IBM's Secure Network Architecture
  Predominant network protocol till the late eighties
Protocol (Na, Nb: randomly chosen nonces):
  Alice -> Bob: Na
  Bob -> Alice: Nb, E_k(Na)
  Alice -> Bob: E_k(Nb)
Attack on SNA LU6.2 Authentication

Idea: Eve opens two connections with Bob, sending Nb to Bob in the 2nd connection to get E_k(Nb).
  Eve (as Alice) -> Bob: Na              [connection 1]
  Bob -> Eve: Nb, E_k(Na)                [connection 1]
  Eve -> Bob: Nb                         [connection 2: Bob's Nb used as Eve's "nonce"]
  Bob -> Eve: Nb', E_k(Nb)               [connection 2]
  Eve -> Bob: E_k(Nb)                    [connection 1: completes the authentication]
Conclusions & Thumb-rules

  Prevent re-direction of a message to its sender
  Prevent re-direction of flow i to flow j ≠ i
  Select a new random challenge (nonce) or time
  Do not compute values chosen by the adversary
  Ensure different flows are easily distinguished
  Prevent use of an old challenge
  Identify the party in the challenge
  Include a self-chosen nonce in the protected reply
  Authenticate with MAC, not encryption
Two Party Protocol (2PP) [BGH*93]

Fixed SNA protocol:
  Use MAC rather than encryption to authenticate
  Separate 2nd and 3rd flows: 3 vs. 2 input blocks
  Include identities (A, B) to prevent redirections
Proof of security: from MAC properties (Claim 1); see [BR93] for definition and proof
  Alice -> Bob: Na
  Bob -> Alice: Nb, MAC_k(Na, Nb, A||B)
  Alice -> Bob: MAC_k(Na, Nb)
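A simulation of the SNA LU6.2 flows, the two-connection attack, and the 2PP fix, added here and not part of the exercise sheet. Both E_k(.) of SNA and MAC_k(.) of 2PP are stood in for by one keyed PRF (HMAC-SHA256 over length-prefixed inputs; this is a constructed stand-in, not the ciphers of the original protocols), which is enough to show the structural point: Bob's second-flow reply in SNA is exactly the value his third flow later accepts, so a second connection turns Bob into an oracle for it, while in 2PP the second flow has three inputs and carries A||B, so nothing Bob says on another connection equals MAC_k(Na, Nb). The classes and key are assumptions of the example.

```python
import hashlib
import hmac
import os


def prf(k, *parts):
    """Keyed PRF standing in for E_k in SNA and MAC_k in 2PP: HMAC-SHA256 over
    the length-prefixed parts, so a 2-input and a 3-input call never collide."""
    h = hmac.new(k, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


class SnaBob:
    """SNA LU6.2 responder: on Na reply (Nb, E_k(Na)); accept E_k(Nb) to finish."""

    def __init__(self, k):
        self.k, self.sessions = k, {}

    def flow2(self, na):
        sid, nb = len(self.sessions), os.urandom(16)   # one session per connection
        self.sessions[sid] = (na, nb)
        return sid, nb, prf(self.k, na)

    def flow3(self, sid, proof):
        na, nb = self.sessions[sid]
        return hmac.compare_digest(proof, prf(self.k, nb))


class TppBob:
    """2PP responder: on Na reply (Nb, MAC_k(Na, Nb, A||B)); accept MAC_k(Na, Nb)."""

    def __init__(self, k, a=b"Alice", b=b"Bob"):
        self.k, self.ab, self.sessions = k, a + b"||" + b, {}

    def flow2(self, na):
        sid, nb = len(self.sessions), os.urandom(16)
        self.sessions[sid] = (na, nb)
        return sid, nb, prf(self.k, na, nb, self.ab)

    def flow3(self, sid, proof):
        na, nb = self.sessions[sid]
        return hmac.compare_digest(proof, prf(self.k, na, nb))


def honest_alice(bob, k):
    """Alice, holding k, completes the third flow herself."""
    na = os.urandom(16)
    sid, nb, _ = bob.flow2(na)
    proof = prf(k, nb) if isinstance(bob, SnaBob) else prf(k, na, nb)
    return bob.flow3(sid, proof)


def reflection(bob):
    """Eve, without k, runs the two-connection trick from the slide: she feeds
    Bob's own Nb back to him as the 'nonce' of a second connection and reuses
    his second-flow reply as her third-flow proof on the first connection."""
    na = os.urandom(16)
    sid1, nb, _ = bob.flow2(na)      # connection 1: Bob sends Nb, E_k(Na)
    _, _, reply = bob.flow2(nb)      # connection 2: Bob computes on Eve's chosen Nb
    return bob.flow3(sid1, reply)    # SNA: reply == E_k(Nb); 2PP: a 3-input MAC, rejected
```

`reflection(SnaBob(k))` returns True and `reflection(TppBob(k))` returns False; `honest_alice` returns True for both, so the fix costs nothing for legitimate parties. The two thumb-rules it exercises are the ones on the previous slide: flows are distinguishable (2 vs. 3 inputs) and the party is identified in the protected reply.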
Authenticating messages

Optionally, authenticate messages mA, mB by including their hashes in the MAC inputs.
To authenticate many messages (in order):
  Add sequence numbers
  Can use the same nonces for multiple messages
  Alice -> Bob: Na
  Bob -> Alice: Nb, MAC_k(Na, Nb, h(mB), A||B)
  Alice -> Bob: MAC_k(Na, Nb, h(mA))
Efficient Implementation with CBC MAC

Assume: one block per parameter
  MAC_k(Na, Nb) = E_k(Nb + E_k(Na))
  MAC_k(Na, Nb, B) = E_k(A||B + E_k(Nb + E_k(Na)))
  Potential reuse: MAC_k(Na, Nb, B) = E_k(B + MAC_k(Na, Nb))
Only three "block operations" for the entire protocol
Suggested in [BGH*93]
  Alice -> Bob: Na
  Bob -> Alice: Nb, E_k(A||B + E_k(Nb + E_k(Na)))
  Alice -> Bob: E_k(Nb + E_k(Na))
Implementation with CBC MAC

Is this secure?
  Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free
  But here the 3rd flow is a prefix of the 2nd flow: not prefix free!
  Seems secure… but I'm not aware of a proof
  Alice -> Bob: Na
  Bob -> Alice: Nb, E_k(A||B + E_k(Nb + E_k(Na)))
  Alice -> Bob: E_k(Nb + E_k(Na))
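The CBC-MAC construction of the two slides above, as an added example (not code from the exercise or from [BGH*93]). The block cipher E_k is stood in for by a keyed PRF on 16-byte blocks built from SHA-256 (a constructed stand-in, not a real cipher; CBC-MAC needs only the keyed-PRF behaviour). `protocol_tags` shows the reuse: the third-flow value MAC_k(Na, Nb) is the chaining value of the second flow, so both tags cost three block operations. `extension_message` shows, in general rather than for 2PP specifically, what the prefix-free condition of the claim rules out for raw CBC-MAC: from known tags of a message m1 and a one-block message m2, anyone can build m1 || (m2 + tag(m1)) whose tag equals tag(m2), without the key. That cancellation is why practical CBC-MAC variants (CMAC, or a length block in front) make the input set prefix-free. The function names, key and block values are assumptions of the example.

```python
import hashlib

BLOCK = 16


def block_op(k, x):
    """Stand-in for one block-cipher call E_k(x) on a 16-byte block: a keyed PRF
    built from SHA-256 (constructed for this example; not a real block cipher)."""
    assert len(x) == BLOCK
    return hashlib.sha256(k + x).digest()[:BLOCK]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cbc_mac(k, blocks, ops=None):
    """Raw CBC-MAC with zero IV: t = E_k(b_n + E_k(... E_k(b_2 + E_k(b_1)))).
    'ops' is an optional list that collects one entry per block operation."""
    t = bytes(BLOCK)
    for b in blocks:
        t = block_op(k, xor(b, t))
        if ops is not None:
            ops.append(1)
    return t


def protocol_tags(k, na, nb, ab):
    """Both 2PP tags with the reuse from the slide: MAC_k(Na, Nb) (third flow)
    is the chaining value of the second-flow tag, so three block operations
    cover the whole protocol. Returns (flow-2 tag, flow-3 tag, op count)."""
    ops = []
    t3 = cbc_mac(k, [na, nb], ops)      # E_k(Nb + E_k(Na))
    t2 = block_op(k, xor(ab, t3))       # E_k(A||B + MAC_k(Na, Nb))
    ops.append(1)
    return t2, t3, len(ops)


def extension_message(m1_blocks, tag_m1, m2_block):
    """Why the claim needs prefix-free inputs: with raw CBC-MAC, given tag(m1)
    and a one-block m2 with known tag, the message m1 || (m2 + tag(m1)) has the
    same tag as m2, because the chaining value cancels. No key is needed."""
    return list(m1_blocks) + [xor(m2_block, tag_m1)]
```

The 2PP case is narrower than the general extension, since here the "prefix" tag E_k(Nb + E_k(Na)) is revealed only after Bob has already committed to Nb on the same connection, which is why the slide can say it seems secure while noting that the claim's hypothesis does not apply as stated.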
Question: can 2PP authenticate users?

Is 2PP secure using a password for the key k?
Problems:
  Password is not uniformly distributed
  Limited number of common passwords: attacker can guess (dictionary attack)
  Alice -> Bob: Na
  Bob -> Alice: Nb, MAC_k(Na, Nb, A||B)
  Alice -> Bob: MAC_k(Na, Nb)
Problem

A proposal is made to perform hybrid authentication, in the same manner as hybrid encryption, but authenticating the message using a MAC instead of encrypting it. Namely, the sender selects a key randomly and sends CipherKey = Encrypt_PUB(key) as in Figure 5.1, but appends to it msg, MAC_key(msg) for authenticating message msg.
Criticize: Is this solution secure? Is there a better way to authenticate a long message with a single public key encryption operation?
Solution

MAC_key(msg) may provide ADV information about msg. Why?
  MAC requirements don't require privacy.
A possible solution may be:
  Encrypt_pub(msg || MAC_key(msg))
What may be the possible problems with the following scheme?
  Performance-wise it may be preferred to compute the following:
  MAC_key(Encrypt_pub(msg)), Encrypt_pub(msg). Why?
Problem

Is it secure to use the same RSA modulus N = pq for multiple users, keeping p and q secret and giving each user x just his private key d_x?
Solution

NO!!! (fact from lecture)
  Fact: d must be roughly the size of n
  Fact: e may be small (or not)
  If e is only co-prime to φ(n) it is easier to find φ(n)
  Fact: de = 1 mod φ(n)
  The parties know: e, d, n
  The parties don't know: p, q, φ(n)
  de = φ(n) + 1.
Finding φ isn't trivial but it is possible. See the sketch proof in the Handbook of Applied Cryptography.
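The argument the solution points to, carried out on a toy modulus. This is an added example, not part of the exercise sheet or of the Handbook's text: since e*d - 1 is a multiple of φ(n), writing e*d - 1 = 2^s * t with t odd and computing g^t, g^(2t), g^(4t), ... mod n for a base g reaches 1, and whenever it gets there through a square root of 1 other than ±1, gcd(x - 1, n) is a proper factor. With the factors, user x computes φ(n) and hence the private exponent of any other user on the shared modulus from that user's public exponent. The parameters (p = 61, q = 53, n = 3233, e_x = 17, d_x = 2753, e_y = 7) are constructed; the deterministic sweep over bases is only for the tiny n, a real implementation picks random bases, each of which works with probability at least 1/2.

```python
from math import gcd


def modinv(a, m):
    """Modular inverse of a mod m by the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    assert old_r == 1, "not invertible"
    return old_s % m


def factor_from_private_exponent(n, e, d):
    """Recover (p, q) from one user's (e, d) on the shared modulus n.
    e*d - 1 = 2^s * t is a multiple of phi(n); for a base g coprime to n,
    squaring g^t repeatedly reaches 1, and a nontrivial square root of 1 on
    the way splits n via gcd. Returns (p, q) with p < q, or None."""
    k = e * d - 1
    s, t = 0, k
    while t % 2 == 0:
        s, t = s + 1, t // 2
    for g in range(2, n - 1):          # sweep bases; a real version picks random g
        x = pow(g, t, n)
        if x in (1, n - 1):
            continue
        for _ in range(s):
            y = pow(x, 2, n)
            if y == 1:                 # x^2 = 1 with x != +-1: nontrivial root
                p = gcd(x - 1, n)
                return min(p, n // p), max(p, n // p)
            if y == n - 1:             # reached -1: only trivial roots from this g
                break
            x = y
    return None


def recover_other_users_key(n, e_x, d_x, e_y):
    """User x, holding only (e_x, d_x), derives user y's private exponent d_y."""
    p, q = factor_from_private_exponent(n, e_x, d_x)
    phi = (p - 1) * (q - 1)
    return modinv(e_y, phi)


def demo():
    """Constructed toy instance: p = 61, q = 53, n = 3233, phi(n) = 3120.
    Returns the recovered factors, d_y, and whether d_y decrypts for user y."""
    n, e_x, d_x = 3233, 17, 2753       # user x: 17 * 2753 = 1 mod 3120
    e_y = 7                            # user y's public exponent on the same n
    d_y = recover_other_users_key(n, e_x, d_x, e_y)
    m = 1234
    works = pow(pow(m, e_y, n), d_y, n) == m
    return factor_from_private_exponent(n, e_x, d_x), d_y, works
```

This is the precise sense in which knowing one (e, d) pair is equivalent to knowing the factorization of n, which is what makes a shared modulus equivalent to a shared private key.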
Explanation

How come de = φ(n) + 1?
  Little Fermat: m^(p-1) mod p = 1 (p is prime)
  Euler: m^((p-1)(q-1)) mod n = 1 (p, q are primes, n = pq)
  m * m^((p-1)(q-1)) mod n = m
  m^1 * m^((p-1)(q-1)) mod n = m
  m^((p-1)(q-1)+1) mod n = m
  ed = (p-1)(q-1) + 1 = φ(n) + 1
Problem

In RSA, given that the primes p and q are approximately the same size, approximately how big is φ(n) compared to n?

Solution

For simplicity we may assume p ≈ q.
This means n = p*p = p^2.
Then φ(n) = (p-1)(q-1) ≈ (p-1)^2 = p^2 - 2p + 1.
Meaning φ(n) ≈ n - 2p, which is O(n).
Problem

The following protocol is proposed for sending a secret message and acknowledging its receipt:
  send message: A -> B: E_B(m)   [message m encrypted with B's public key]
  send acknowledgement: B -> A: E_A(m)
This protocol is secure against a passive attacker, but not against an active attacker. Why?
Propose a fix. (Hint: the attacker C is a valid party, i.e. A and B may send and receive messages to C using the above protocol.)
Solution

Flaws:
  Charlie may listen on the wire and retransmit to Bob:
    C -> B : E_B(m)
  Bob replies to Charlie (with the acknowledgement E_C(m), which Charlie decrypts):
    B -> C : m
Fix:
  Alice sends a random challenge with the message
    A -> B: E_B(m, r)
  Bob replies
    B -> A: r
Problem

Suppose that Eve discovers a polynomial-time algorithm that, given an RSA encryption of m, say E_a(m) for a random message m, has a 1% probability of returning m and a 99% probability of returning "Sorry, I failed to break it for this input".
Show that Eve can, within polynomial time, decipher almost all messages.

Solution

Problem with RSA multiplicative properties:
  E_RSA(m1) = m1^e mod n
  E_RSA(m2) = m2^e mod n
  E_RSA(m1 m2) = (m1 m2)^e mod n = (m1^e mod n)(m2^e mod n) mod n
  E_RSA(m1 m2) = E_RSA(m1) E_RSA(m2)
Meaning Eve can start multiplying E_RSA(m1).
The more she multiplies, the better chance she has.
She needs a polynomial number of multiplications.
Then what?

Solution

After I multiplications Eve receives m^I.
Eve only needs to calculate the I-th root (to recover m).
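The multiplicative property put to work, as an added example (not the exercise's own text). It uses the standard blinding form of the argument rather than the repeated self-multiplication the slide sketches: multiplying the target ciphertext c by r^e for a random r yields E(m*r), a fresh uniformly random message on which the weak algorithm has its 1% chance regardless of m, and a success reveals m*r, from which m = (m*r) * r^-1 mod n; about 100 tries are expected and each is a single modular multiplication. The RSA instance (p = 61, q = 53, n = 3233, e = 17) is constructed, and the "1% algorithm" is a constructed stand-in that succeeds exactly on ciphertexts divisible by 100 (about 1% of them), using the private exponent only to simulate its successes.

```python
import random
from math import gcd

# Constructed toy RSA instance: p = 61, q = 53, n = 3233, e = 17, d = 2753.
N, E, D = 3233, 17, 2753


def encrypt(m):
    return pow(m, E, N)


def weak_oracle(c):
    """Constructed stand-in for Eve's partial algorithm: succeeds on ciphertexts
    whose value is 0 mod 100 (about 1% of them), fails on the rest. D is used
    only to simulate the success case; the caller never sees it."""
    return pow(c, D, N) if c % 100 == 0 else None


def modinv(a, m):
    """Modular inverse by the extended Euclidean algorithm."""
    old_r, r, old_s, s = a, m, 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    assert old_r == 1
    return old_s % m


def decrypt_with_oracle(c, oracle, seed=0, max_tries=10000):
    """Random self-reducibility from E(m1 m2) = E(m1) E(m2):
    c * r^e mod n = E(m*r) for random r, so an oracle success on the blinded
    value gives m*r and then m = (m*r) * r^-1 mod n. Each try is an independent
    1% chance, whatever m is. Returns (m, tries) or (None, max_tries)."""
    rng = random.Random(seed)
    for i in range(1, max_tries + 1):
        r = rng.randrange(2, N)
        if gcd(r, N) != 1:          # r must be invertible mod n
            continue
        mr = oracle((c * pow(r, E, N)) % N)
        if mr is not None:
            return (mr * modinv(r, N)) % N, i
    return None, max_tries


def recover(m, seed=0):
    """Encrypt m, then recover it through the weak oracle alone."""
    return decrypt_with_oracle(encrypt(m), weak_oracle, seed)[0]
```

The defensive reading is the usual one: textbook RSA is malleable, so any decryption routine that leaks even occasionally on attacker-chosen ciphertexts is a full break; randomized padding (OAEP) is what removes the multiplicative structure from what the decryptor accepts.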