Intro To Encryption Exercise 8

Presentation transcript:

1 Intro To Encryption Exercise 8

2 Simple MAC Functions
$MAC_k(x) = \mathrm{int}(x \| k \bmod 2^{32})$
- For any $k > 2^{32}$ any x is a forgery
- k is exposed so we can calculate any x
- For exposing k we need known x
$MAC_k(x) = (x[0 \ldots 15] + k) \oplus (x[16 \ldots 31] + k)$
- Any symmetrical message can be forged (result 0) for any k
- Some other vulnerabilities may exist
$MAC_k(x) = x \cdot (32567 + k)$ mod
- Simply forge: $x' = x + (32767)$ holds for any k

3 Simple MAC Functions
$MAC_k(x) = \mathrm{int}(32768 \cdot \mathrm{fraction}(x \cdot a + k \cdot b))$ where $0 < a, b < 1$
- For very low values of a and b the forgery is simpler, $x' = x + 1$
- For higher values, x' should be larger (or smaller) with a smaller delta (ADV knows a and b)
- The problem is that int loses precision

4 Problem Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code). Namely, they send Encrypt(Message||Hash(Message)), and hope that in so doing, they achieve encryption and authentication together. Show that this design is insecure (an attacker can modify a message and it would still be considered authentic). Hint: this is easy to show, when using one-time-pad or OFB mode encryption.

5 Solution Assume OTP is used and ADV knows some information about the message. ADV knows the algorithm, and so knows which hash function is used. With that, he can figure out the key encrypting the message (known plaintext). Since he knows the message and the hash of the message, he can figure out the key encrypting the hash. ADV can now calculate a new message and a new hash for that message and replace them.

6 Solution
ADV's playout:
- $k_m = m \oplus c_m$ (revealing the key of m)
- $k_{h(m)} = h(m) \oplus c_{h(m)}$
- Forge: $m' \oplus k_m \,\|\, h(m') \oplus k_{h(m)}$
This is a poor MAC because it isn't even immune to KMA.
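The playout above as an added Python example (not part of the original slides), next to an encrypt-then-MAC variant that rejects the same change. SHA-256 as the hash, HMAC-SHA256 as the MAC, the function names and the sample messages are assumptions made for this illustration.

```python
import hashlib
import hmac
import os

def xor(data: bytes, pad: bytes) -> bytes:
    """One-time-pad step: XOR data with the first len(data) pad bytes."""
    return bytes(a ^ b for a, b in zip(data, pad))

def weak_seal(msg, pad):
    """The design from the problem: Encrypt(m || Hash(m)) under an OTP."""
    return xor(msg + hashlib.sha256(msg).digest(), pad)

def weak_open(ct, pad):
    pt = xor(ct, pad)
    msg, digest = pt[:-32], pt[-32:]
    return msg if hashlib.sha256(msg).digest() == digest else None

def substitute(ct, known_msg, new_msg):
    """Needs no key: XOR out the known m || h(m), XOR in m' || h(m')."""
    old = known_msg + hashlib.sha256(known_msg).digest()
    new = new_msg + hashlib.sha256(new_msg).digest()
    return xor(ct, xor(old, new))

def etm_seal(msg, pad, mac_key):
    """Hardened form: encrypt, then HMAC the ciphertext with a separate key."""
    ct = xor(msg, pad)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def etm_open(blob, pad, mac_key):
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return xor(ct, pad) if hmac.compare_digest(tag, expected) else None

def demo():
    msg, new = b"PAY 0100 TO BOB", b"PAY 9900 TO EVE"   # constructed samples
    pad, mac_key = os.urandom(len(msg) + 32), os.urandom(32)
    weak_result = weak_open(substitute(weak_seal(msg, pad), msg, new), pad)
    blob = etm_seal(msg, pad, mac_key)
    tampered = xor(blob[:-32], xor(msg, new)) + blob[-32:]  # same bit flips
    return weak_result, etm_open(tampered, pad, mac_key), etm_open(blob, pad, mac_key)
```

`demo()` returns the substituted message for the weak design, `None` for the tampered encrypt-then-MAC blob, and the original message for the untouched blob.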

7 Using MAC: Shared Key Mutual Authentication
Model: Alice and Bob share secret master key k
Goals:
- Mutual authentication: Alice knows it talked with Bob and vice versa.
- Parties may also send a message; prevent replays.
- Allow multiple concurrent connections.
- Either party can initiate.
Basic problem, appears (and is) easy… but also easy to do wrong

8 Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989)
SNA – IBM's Secure Network Architecture
- Predominant network protocol till late eighties
Protocol: ($N_a$, $N_b$ - randomly chosen nonces)

9 Attack on SNA LU6.2 Authentication
Idea: Eve opens two connections with Bob… sending $N_b$ to Bob in 2nd connection to get $E_k(N_b)$

10 Conclusions & Thumb-rules
Prevent re-direction of message to sender
- Identify party in challenge
Prevent re-direction of flow i to flow $j \neq i$
- Ensure different flows are easily distinguished
Prevent use of old challenge
- Select new random challenge (nonce) or time
Do not compute values chosen by Adversary
- Include self-chosen nonce in the protected reply
Authenticate with MAC, not encryption

11 Two Party Protocol (2PP) [BGH*93]
Fixed SNA protocol
- Use MAC rather than encryption to authenticate
- Separate 2nd and 3rd flows – 3 vs. 2 input blocks
- Include identities (A,B) to prevent redirections
Proof of security: from MAC properties (Claim 1)
- See [BR93] for definition and proof
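An added sketch of these 2PP rules in Python (not code from the slides or from [BGH*93]), using the flow layout given with the CBC-MAC slide: flow 2 is a MAC over $N_a$, $N_b$ and the identities, flow 3 a MAC over $N_a$, $N_b$ only. HMAC-SHA256 over length-prefixed fields stands in for the MAC, and the class, function and identity names are assumptions.

```python
import hashlib
import hmac
import os

IDS = b"A|B"  # identities bound into flow 2 (constructed labels)

def mac(key, *fields):
    """HMAC over length-prefixed fields, so 2- and 3-field inputs never collide."""
    data = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, data, hashlib.sha256).digest()

class Bob:
    """Responder; keeps one pending (N_a, N_b) pair per concurrent session."""
    def __init__(self, key):
        self.key, self.pending = key, {}

    def flow2(self, n_a):
        n_b = os.urandom(16)                  # fresh self-chosen nonce
        self.pending[n_b] = n_a
        return n_b, mac(self.key, n_a, n_b, IDS)

    def flow3_ok(self, n_b, tag):
        n_a = self.pending.get(n_b)
        return n_a is not None and hmac.compare_digest(tag, mac(self.key, n_a, n_b))

def alice_flow3(key, n_a, n_b, tag2):
    """Initiator: verify Bob's flow 2, then answer with the 2-field MAC."""
    if not hmac.compare_digest(tag2, mac(key, n_a, n_b, IDS)):
        return None
    return mac(key, n_a, n_b)

def honest_run(key):
    bob, n_a = Bob(key), os.urandom(16)
    n_b, tag2 = bob.flow2(n_a)
    return bob.flow3_ok(n_b, alice_flow3(key, n_a, n_b, tag2))

def two_connection_attempt(key):
    """A keyless party opens two sessions and replays Bob's own tags as flow 3."""
    bob = Bob(key)
    n_b1, tag_1 = bob.flow2(os.urandom(16))
    _, tag_2 = bob.flow2(n_b1)                # second connection, N_b as challenge
    return any(bob.flow3_ok(n_b1, tag) for tag in (tag_1, tag_2))
```

The two-connection replay is rejected because Bob only ever produces the 3-field MAC containing his own fresh nonce, which never verifies as a flow-3 value.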

12 Authenticating messages
Optionally, authenticate messages $m_A$, $m_B$ by including their hash in the MAC inputs
To authenticate many messages (in order):
- Add sequence numbers
- Can use same nonces for multiple messages

13 Efficient Implementation with CBC MAC
Assume: one block per parameter
$MAC_k(N_a, N_b) = E_k(N_b + E_k(N_a))$
$MAC_k(N_a, N_b, B) = E_k(A \| B + E_k(N_b + E_k(N_a)))$
Potential reuse: $MAC_k(N_a, N_b, B) = E_k(B + MAC_k(N_a, N_b))$
- Only three `block operations` for entire protocol
Suggested in [BGH*93]
Figure (flows between Alice and Bob, in order):
1. $N_a$
2. $N_b$, $E_k(A \| B + E_k(N_b + E_k(N_a)))$
3. $E_k(N_b + E_k(N_a))$

14 Implementation with CBC MAC
Is this secure?
- Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free
- But here 3rd flow is prefix of 2nd flow – not prefix free!
- Seems secure… but I'm not aware of proof
Figure (flows between Alice and Bob, in order):
1. $N_a$
2. $N_b$, $E_k(A \| B + E_k(N_b + E_k(N_a)))$
3. $E_k(N_b + E_k(N_a))$

15 Question: can 2PP authenticate users?
Is 2PP secure using a password for the key k?
Problems:
- Password is not uniformly distributed
- Limited number of common passwords – attacker can guess (dictionary attack)

16 Problem A proposal is made to perform hybrid authentication, in the same manner as hybrid encryption, but authenticating the message using MAC instead of encrypting it. Namely, the sender selects key randomly and sends $CipherKey = Encrypt_{PUB}(key)$ as in Figure 5.1, but appends to it msg, $MAC_{key}(msg)$ for authenticating message msg. Criticize: Is this solution secure? Is there a better way to authenticate a long message with a single public key encryption operation?

17 Solution
$MAC_{key}(msg)$ may provide ADV information about msg.
- Why? MAC requirements don't require privacy.
A possible solution may be
- $Encrypt_{pub}(msg \| MAC_{key}(msg))$
What may be the possible problems with the following scheme?
- Performance-wise it may be preferred to compute the following: $MAC_{key}(Encrypt_{pub}(msg))$, $Encrypt_{pub}(msg)$. Why?

18 Problem Is it secure to use the same RSA modulus N=pq for multiple users, keeping q and p secret and giving each user x just his private key d_x?

19 Solution
NO!!! (fact from lecture)
Fact: d must be roughly the size of n
Fact: e may be small (or not)
- If e is only co-prime to $\varphi(n)$ it is easier to find $\varphi(n)$
Fact: $de = 1 \bmod \varphi(n)$
The parties know: e, d, n
The parties don't know: p, q, $\varphi(n)$
$de = \varphi(n) + 1$. Finding $\varphi$ isn't trivial but it is possible. See sketch proof in Handbook of Applied Cryptography

20 Explanation
How come $de = \varphi(n) + 1$?
Little Fermat: $m^{(p-1)} \bmod p = 1$ (p is prime)
Euler: $m^{(p-1)(q-1)} \bmod n = 1$ (p, q are primes, n = pq)
- $m \cdot m^{(p-1)(q-1)} \bmod n = m$
- $\Rightarrow m^1 \cdot m^{(p-1)(q-1)} \bmod n = m$
- $\Rightarrow m^{(p-1)(q-1)+1} \bmod n = m$
$ed = (p-1)(q-1) + 1 = \varphi(n) + 1$
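Why handing out key pairs under one shared modulus exposes every user, as an added Python example (not from the slides): the standard square-root-of-1 method recovers p and q from a single valid (e, d), and it works whenever $de - 1$ is a multiple of the group order, which includes the slide's $de = \varphi(n) + 1$. The toy primes, exponents and function names are constructed for illustration.

```python
from math import gcd

def factor_from_keypair(n, e, d):
    """Factor n from one valid (e, d): g^(e*d - 1) = 1 mod n for every unit g."""
    t = e * d - 1
    while t % 2 == 0:                  # write e*d - 1 = 2^s * t with t odd
        t //= 2
    for g in range(2, n):
        if gcd(g, n) != 1:             # g already shares a factor with n
            p = gcd(g, n)
            return tuple(sorted((p, n // p)))
        x = pow(g, t, n)
        while x != 1:                  # repeated squaring must reach 1
            y = x * x % n
            if y == 1 and x != n - 1:  # x is a non-trivial square root of 1
                p = gcd(x - 1, n)
                return tuple(sorted((p, n // p)))
            x = y
    raise ValueError("no factor found")

# Constructed toy setup: one modulus shared by two users.
# Both primes are Mersenne primes; real moduli are far larger.
P, Q = 2**31 - 1, 2**61 - 1
N, PHI = P * Q, (P - 1) * (Q - 1)
E_ALICE, E_BOB = 65537, 17
D_ALICE, D_BOB = pow(E_ALICE, -1, PHI), pow(E_BOB, -1, PHI)

def shared_modulus_exposure():
    """User Bob combines N, his own (e, d) and Alice's public exponent."""
    p, q = factor_from_keypair(N, E_BOB, D_BOB)
    return (p, q), pow(E_ALICE, -1, (p - 1) * (q - 1))
```

`shared_modulus_exposure()` returns the factors of N and a working private exponent for Alice, which is why each user needs a modulus of their own.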

21 Problem In RSA, given that the primes p and q are approximately the same size, approximately how big is phi(n) compared to n?

22 Solution
For simplicity we may assume $p \approx q$. This means $n = p \cdot p = p^2$.
Since $\varphi(n) = (p-1)(q-1) \approx (p-1)^2 = p^2 - 2p + 1$
Meaning $\varphi(n) \approx n - 2p = O(n)$

23 Problem The following protocol is proposed for sending a secret message and acknowledging its receipt:
- send message: A -> B: E_B(m) [message m encrypted with B's public key]
- send acknowledgement: B -> A: E_A(m)
This protocol is secure against a passive attacker, but not against an active attacker. Why? Propose a fix. (Hint: the attacker C is a valid party, i.e. A and B may send and receive messages to C using the above protocol.)

24 Solution
Flaws:
- Charlie may listen on the wire and transmit to Bob: C -> B : E_B(m)
- Bob replies to Charlie: B -> C : m
Fix:
- Alice sends a random challenge with the message A -> B: E_B(m,r)
- Bob replies B -> A: r

25 Problem Suppose that Eve discovers a polynomial-time algorithm that, given RSA encryption of m, say $E_a(m)$ for a random message m, has a 1% probability of returning m and a 99% probability of returning "Sorry, I failed to break it for this input". Show that Eve can, within polynomial time, decipher almost all messages.

26 Solution
Problem with RSA multiplicative properties
- $E_{RSA}(m_1) = m_1^e \bmod n$
- $E_{RSA}(m_2) = m_2^e \bmod n$
- $E_{RSA}(m_1 m_2) = (m_1 m_2)^e \bmod n = (m_1^e \bmod n)(m_2^e \bmod n) \bmod n$
- $E_{RSA}(m_1 m_2) = E_{RSA}(m_1) E_{RSA}(m_2)$
Meaning Eve can start multiplying $E_{RSA}(m_1)$. The more she multiplies, the better chance she has. She needs a polynomial number of multiplications. Then what?

27 Solution After $i$ multiplications Eve receives $m^i$. Eve only needs to calculate the $i$-th root of m.
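The multiplicative property carried through in an added Python example (not from the slides): it uses the standard re-randomization with a random factor r rather than the repeated-multiplication sketch above, multiplying the ciphertext by $E_{RSA}(r)$ until the 1% algorithm answers and then dividing r out. The toy key, the simulated 1% algorithm `partial_break` and all names are assumptions; this is textbook RSA without padding, as in the problem.

```python
import hashlib
import random
from math import gcd

# Constructed toy key (both primes are Mersenne primes).
# _D exists only so the example can simulate Eve's algorithm.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
_D = pow(E, -1, (P - 1) * (Q - 1))

def partial_break(c):
    """Stand-in for Eve's algorithm: answers for about 1% of ciphertexts."""
    h = int.from_bytes(hashlib.sha256(str(c).encode()).digest()[:4], "big")
    return pow(c, _D, N) if h % 100 == 0 else None

def decipher(c, rng, max_tries=20000):
    """Re-randomize c until partial_break answers, then strip the factor r."""
    for tries in range(1, max_tries + 1):
        r = rng.randrange(2, N)
        if gcd(r, N) != 1:
            continue
        blinded = c * pow(r, E, N) % N      # E(m) * E(r) = E(m * r mod n)
        answer = partial_break(blinded)     # m * r mod n, on a lucky input
        if answer is not None:
            return answer * pow(r, -1, N) % N, tries
    return None, max_tries
```

Each attempt succeeds with probability about 1%, so the expected number of calls is about 100, which is polynomial.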