Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Intro To Encryption Exercise 8. 2 Simple MAC Functions MAC k (x)=int(x||k mod 2 32 )  For any k>2 32 any x is a forgery  K is exposed so we can calculate.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Intro To Encryption Exercise 8. 2 Simple MAC Functions MAC k (x)=int(x||k mod 2 32 )  For any k>2 32 any x is a forgery  K is exposed so we can calculate."— Presentation transcript:

1 1 Intro To Encryption Exercise 8

2 2 Simple MAC Functions MAC k (x)=int(x||k mod 2 32 )  For any k>2 32 any x is a forgery  K is exposed so we can calculate any x For exposing k we need known x MAC k (x)=(x[0…15]+k)  (x[16…31]+k)  Any symmetrical message can be forged (result 0) for any k  Some other vulnerabilities may exist MAC k (x)=x*(32567+k) mod 32767  Simply forge: x’=x+(32767) holds for any k

3 3 Simple MAC Functions MAC k (x)=int(32768*fraction(x*a+k*b)) )) where 0<a,b<1  For very low values of a and b the forgery is simpler, x’=x+1  For higher values, x’ should be larger(or smaller) with a smaller Delta(ADV knows a and b)  The problem is that int looses precision

4 4 Problem Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code). Namely, they send Encrypt(Message||Hash(Message)), and hope that in so doing, they achieve encryption and authentication together. Show that this design is insecure (an attacker can modify a message and it would still be considered authentic). Hint: this is easy to show, when using one-time-pad or OFB mode encryption.

5 5 Solution Assuming OTP is used and ADV knows some information about the message. ADV knows the algorithm, so knows which hash function is used. Knowing so, he can figure out the key encrypting the message (known plain text). Since he knows the message and hash of the message, he can figure out the key encrypting the hash. ADV can now calculate new message and new hash for the message and replace them.

6 6 Solution ADV’s playout:  k m =m  c m (revealing the key of m)  k h(m) =h(m)  c h(m)  Forge: m’  k m ||h(m’)  k h(m) This is a poor MAC because it isn’t even immune to KMA.

7 7 Using MAC: Shared Key Mutual Authentication Model: Alice and Bob share secret master key k Goals  Mutual authentication: Alice knows it talked with Bob and vice verse.  Parties may also send a message; prevent replays.  Allow multiple concurrent connections.  Either party can initiate. Basic problem, appears (and is) easy …but also easy to do wrong

8 8 Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989) SNA – IBM’s Secure Network Architecture  Predominant network protocol till late eighties Protocol: ( N a, N b - randomly chosen nonces)

9 9 Attack on SNA LU6.2 Authentication Idea: Eve opens two connections with Bob… sending N b to Bob in 2 nd connection to get E k (N b )

10 10 Conclusions & Thumb-rules Prevent re-direction of message to sender  Identify party in challenge Prevent re-direction of flow i to flow j  i  Ensure different flows are easily distinguished Prevent use of old challenge  Select new random challenge (nonce) or time Do not compute values chosen by Adversary  Include self-chosen nonce in the protected reply Authenticate with MAC, not encryption

11 11 Two Party Protocol (2PP) [BGH*93] Fixed SNA protocol Use MAC rather than encryption to authenticate Separate 2 nd and 3 rd flows – 3 vs. 2 input blocks Include identities (A,B) to prevent redirections Proof of security: from MAC properties (Claim 1)  See [BR93] for definition and proof

12 12 Authenticating messages Optionally, authenticate messages m A, m B by including their hash in the MAC inputs To authenticate many messages (in order):  Add sequence numbers  Can use same nonces for multiple messages

13 13 Efficient Implementation with CBC MAC Assume: one block per parameter MAC k (N a,N b )= E k (N b +E k (N a )) MAC k (N a,N b,B)=E k (A||B+ E k (N b +E k (N a ))) Potential reuse: MAC k (N a,N b,B)=E k (B+ MAC k (N a,N b ))  Only three `block operations` for entire protocol Suggested in [BGH*93] AliceBob NaNa N b, E k (A||B+E k (N b +E k (N a ))) E k (N b +E k (N a ))

14 14 Implementation with CBC MAC Is this secure?  Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free  But here 3 rd flow is prefix of 2 nd flow – not prefix free!  Seems secure… but I’m not aware of proof AliceBob NaNa N b, E k (A||B+E k (N b +E k (N a ))) E k (N b +E k (N a ))

15 15 Question: can 2PP authenticate users? Is 2PP secure using a password for the key k? Problems:  Password is not uniformly distributed  Limited number of common passwords – attacker can guess (Dictionary attack)

16 16 Problem A proposal is made to perform hybrid authentication, in the same manner as hybrid encryption, but authenticating the message using MAC instead of encrypting it. Namely the sender selects key randomly and sends CipherKey=Encrypt PUB (key) as in Figure ‎5.1, but appends to it msg, MAC key (msg) for authenticating message msg. Criticize: Is this solution secure? Is there a better way to authenticate a long message with a single public key encryption operation?

17 17 Solution Mac key (msg) may provide ADV information about msg.  Why? MAC requirements don’t require privacy. A possible solution may be  Encrypt pub (msg||mac key (msg)) What may be the possible problems with the following scheme?  Performance wise it may be preferred to compute the following Mac key (Encrypt pub (msg)), Encrypt pub (msg) why?

18 18 Problem is it secure to use the same RSA modulus N=pq for multiple users, keeping q and p secret and giving each user x just his private key d_x?

19 19 Solution NO!!! (fact from lecture) Fact : d must be roughly the size of n Fact: e may be small (or not)  If e is only co-prime to  (n) it is easier to find  (n) Fact: de=1 mod(  (n)) The parties know: e,d,n The parties don’t know: p,q,  (n) de=  (n)+1. Finding  isn’t trivial but it is possible. See sketch proof in handbook of applied cryptography

20 20 Explenation How come de=  (n)+1? Little Fermat: m (p-1) mod p=1 (p is prime) Euler: m ((p-1)(q-1)) mod n=1 (p,q are primes, n=pq)  m*m ((p-1)(q-1)) mod n=m   m 1 *m ((p-1)(q-1)) mod n=m   m ((p-1)(q-1)+1) mod n=m ed=((p-1)(q-1)+1)=  (n)+1

21 21 Problem In RSA, given that the primes p and q are approximately same size, approximately how big is phi(n) compared to n?

22 22 Solution Since for simplicity we may assume p  q. This means n=p*p=p 2 Since  (n)=(p-1)(q-1)  (p-1) 2  p 2 -2p+1 Meaning  (n)  n-2p  O(n)

23 23 Problem The following protocol is proposed for sending a secret message and acknowledging its receipt:  send message: A -> B: E_B(m) [message m encrypted with B's public key]  send acknowledgement: B -> A: E_A(m) This protocol is secure against a passive attacker, but not against an active attacker. Why? Propose a fix. (hint: the attacker C is a valid party, i.e. A and B may send and receive messages to C using the above protocol)

24 24 Solution Flaws:  Charlie may listen on the wire and transmit to Bob: C -> B : E_B(m)  Bob replies to Charlie: B -> C : m Fix:  Alice sends a random challenge with the message A -> B: E_B(m,r)  Bob replies B -> A: r

25 25 Problem Suppose that Eve discovers a polynomial- time algorithm that, given RSA encryption of m, say E a (m) for a random message m, has a 1% probability of returning m and a 99% probability of returning "Sorry, I failed to break it for this input". Show that Eve can, within polynomial time, decipher almost all messages.

26 26 Solution Problem with RSA multiplicative properties  E RSA (m 1 )=m 1 e mod n  E RSA (m 2 )=m 2 e mod n  E RSA (m 1 m 2 )=(m 1 m 2 ) e mod n= =(m 1 e mod n)(m 2 e mod n) mod n  E RSA (m 1 m 2 )= E RSA (m 1 ) E RSA (m 2 ) Meaning Eve can start multiplying E RSA (m 1 ) After the more she multiplies the better chance she has. She need a polynomial times multiplication. Then what?

27 27 Solution After I multiplications Eve receives m i. Eve only needs to calculate the I th root of m.

Download ppt "1 Intro To Encryption Exercise 8. 2 Simple MAC Functions MAC k (x)=int(x||k mod 2 32 )  For any k>2 32 any x is a forgery  K is exposed so we can calculate."

Similar presentations

The Diffie-Hellman Algorithm

The Diffie-Hellman Algorithm
Last Class: The Problem BobAlice Eve Private Message Eavesdropping.

Last Class: The Problem BobAlice Eve Private Message Eavesdropping.
Intro To Secure Comm. Exercise 3. Problem The following scenario is suggested for establishing session keys  Alice and Bob share a secret (key phrase/password)

Intro To Secure Comm. Exercise 3. Problem The following scenario is suggested for establishing session keys  Alice and Bob share a secret (key phrase/password)
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.

1 Digital Signatures & Authentication Protocols. 2 Digital Signatures have looked at message authentication –but does not address issues of lack of trust.
1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,

1 Chapter 13 – Digital Signatures & Authentication Protocols Fourth Edition by William Stallings Lecture slides by Lawrie Brown (modified by Prof. M. Singhal,
15-251 Great Theoretical Ideas in Computer Science.

Great Theoretical Ideas in Computer Science.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
Homework #4 Solutions Brian A. LaMacchia Portions © 2002-2006, Brian A. LaMacchia. This material is provided without.

Homework #4 Solutions Brian A. LaMacchia Portions © , Brian A. LaMacchia. This material is provided without.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.

CNS2010handout 10 :: digital signatures1 computer and network security matt barrie.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Similar presentations

Ads by Google