Download presentation
Presentation is loading. Please wait.
1
1 Intro To Encryption Exercise 10
2
2 Analyze the following scenario: Sender: Cipher1= Encrypt message with symmetric key algorithm RSA_Encrypt (SHA1(message) + symmetric key) with sender's RSA private key Cipher2 = Encrypt cipher1 with symmetric key algorithm RSA_Encrypt (symmetric key2) with receiver's RSA public key Send super-encrypted message Receiver: RSA_Decrypt (symmetric key2) with receiver's RSA private key Decrypt(cipher2) RSA_Decrypt (symmetric key1), parse out digest, i.e., SHA1(message) Decrypt(cipher1) compare digest with SHA1(Decrypt(cipher1))
3
3 Scenario Cont’ SymmetricKey1 = 3DES_IV1, 3DES_Key1 Cipher1 = 3DES_Encrypt(message) Digest = SHA1(message) RSA_Key1 = RSA_Private_Encrypt(Digest || 3DES_Key1) SymmetricKey2 = 3DES_IV2, 3DES_Key2 Cipher2 = 3DES_Encrypt(Cipher1) RSA_Key2 = RSA_Public_Encrypt(3DES_Key2) Leading question: What does the author want to do here?
4
4 Do we really need Cipher1??? Encryption with sender’s private key??? Don’t you mean sign? RSA_Encrypt RSA_Sign(SHA1(message) + symmetric key) Why sign symmetric key??? The attacker will know it. May fix by signing only SHA1(message) Why encrypt CIpher2??? Isn’t it already encrypted? Or do you wish to cascade? This isn’t an efficient cascade. Why encrypt using AES? Don’t you mean CBC-AES for CPA-IND and VIL messages? Some point to think about
5
5 Some more points to think about The following May be written in a single notation as they are classical Hybrid Encryption Instead of: Cipher2 = Encrypt cipher1 with symmetric key algorithm RSA_Encrypt (symmetric key2) with receiver's RSA public key Write: Encrypt_RSA_AES_receiverPK(cipher1)
6
6 Some even more points to think about Regarding SIGN sk (SHA1(message)) It is a good idea NOT to let the attacker see SHA1(message). SHA1 does not require to reserve COMPLETE confidentiality of the message, i.e. bits may fall into ADV hands message (m) may be of a small set of messages (i.e. S={ “buy”, “sell”, “wait”, “bid” …}). So attacker may be able to calculate: For each message in S do :SHA1(S[message]) Fix: instead of sending Encryption and Authentication in parallel, Send Encrypt (Message, SHA1(message))
7
7 Last (but not least) point You wish to achieve verification of: 1. The sender who originated the message 2. The receiver is the intended receiver 3. The message was not altered during transport However, point 2 is not correct from the following scheme. Basically you sign-then-encrypt. Meaning Eve may decrypt the messages sent to her and re-encrypt them and send them forward implicating the original sender.
8
8 Existential Forgery CMA on Signature Given algorithm A with oracle to D key, i.e. CMA-EF A,,k,q : (pk, sk) KG (1 k ); /* k is security parameter */ s A Sign[sk] (“forge”, pk, 1 k ); /* M is the set of messages chosen by A */ Return “win” if: Ver pub (s)=Ok, and Msg pub (s) was not an input to the Sign oracle, and There were at most q queries to the Sign oracle. Exercise: Define {selective, random, universal} forgery CMA, KMA
9
9 Problem Define CMA selective forgery Given algorithm A with oracle to D key, i.e. CMA-EF A,,k,q : m A Choose (M) /* M is the set of messages chosen by A */ (pk, sk) KG (1 k ); /* k is security parameter */ s A Sign[sk] (“forge”, pk, 1 k ); Return “win” if: Ver pub (s)=Ok, and Msg pub (s) was not an input to the Sign oracle, and There were at most q queries to the Sign oracle.
10
10 Problem Design a simple protocol for sending certified e-mail using a post-office trusted by sender and recipient. The recipient should receive proof of the sender's identity and time of transmission, which he can later present to the post office. Similarly, the sender should receive proof of the recipient's identify and time of transmission. You may involve the post-office in the protocol do not use public key cryptography and do not require the post-office to maintain long-term records.
11
11 Solution Let there be 3 parties: Alice, Bob and PostOffice. The following are keys for the parties: kp: shared among Alice, Bob and Post kpr: secret key of Post When Post send Message to sender, it delivers MAC kp (message,date,receiver,sender) – for receiver to verify delivery MAC kpr (message,date,receiver,sender) – for proof of delivery (receipt) Verification: The receipt is sent to the post office along with the message and ids of sender and receiver. Verification is done on MAC kpr
12
12 Problem Describe the full solution for the protocol, i.e. the safe transport of messages from Alice, using Post to send message to Bob. This without Eve being able to know Message or forge message.
13
13 Problem Consider RSA signatures where messages are hashed and then raised by the private key Sign d (m)=(h(m)) d mod n. Show a weakness with these signatures, when h() is not Multiplicative-resistant hash function Multiplicative(a,b,c)=True if and only if ab=c.
14
14 Solution Using RSA multiplicative weakness In case a non multiplicative resistant hash is used ADV can multiply the messages again and again and forge as many as he/she wants. This may be the case for any message signed by the signer.
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.