Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Intro To Encryption Exercise 7. 2 Problem Show a OWHF and distribution of passwords s.t. both unix and S/Key fail.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Intro To Encryption Exercise 7. 2 Problem Show a OWHF and distribution of passwords s.t. both unix and S/Key fail."— Presentation transcript:

1 1 Intro To Encryption Exercise 7

2 2 Problem Show a OWHF and distribution of passwords s.t. both unix and S/Key fail

3 3 Solution Let h(x) be a OWHF. Let h’(x) return:  0 if 3 final chars of x end with AAA  h(x) otherwise What kinds of an attack should ADV use?  For Unix Password Scheme  For S/Key password scheme

4 4 Problem Lets assume a SALT mechanism is proposed for the previous problem. How should you implement it using the proposed h’ without changing its internal design?

5 5 Solution h’’(x)=h’(x||salt) with salt being != AAA.

6 6 Problem Assuming UNIX password scheme is secure enough when used properly (i.e. users refresh passwords once in a while). Suggest a scenario to justify the S/KEY password scheme. Hint: A naïve authentication scenario.

7 7 Solution

8 8

9 9 Using UNIX scheme may lead to replay attacks by adversary. When transmitting h(password) an adversary intercepts the hash and uses it as its own. Using S/KEY prevents the adversary from attacking using a stolen hash.

10 10 Problem (If we have the time) Design a safe login mechanism without using the S/Key mechanism, only the Unix like mechanism.  i.e. no limitation on number of logins as a function of password hashing.

11 11 Problem Why does brute-force attack on Target Collision Resistant takes O(2 n ) guesses (not O(2 n/2 )-from bithday paradox)

12 12 Solution Since ADV picks x, x’ he may be able to find a collision with O(2 n/2 ). BUT!!! ADV does not know key k prior to his choice. The key is chosen AFTER his original choise. So? So ADV can’t efficiently calculate hashes for x, x’ because he does not know which hash function The user may choose. In other words for some key k f(x)=f(x’) but for other key k’ f(x)!=f(x’)

13 13 Problem Computer viruses modify executable program files to `infect` them. One common protection against viruses is to maintain, in read-only storage, a list containing a short `fingerprint` of each executable file, allowing the antivirus program to validate that an executable was not modified. Which of the hash function properties are necessary for computing the fingerprint?

14 14 Solution We need collision resistance features. Do we need Weakly, Strong or target collision resistance requirements?

15 15 Problem We wish to build hash functions from block ciphers. We wish Same function as OWF that is constructed as: h(x)=E x (0) where E is a PRP. Prove or supply a counter example.

16 16 Solution E is a PRP. This means that for some key k it is infeasible to distinguish between its output (E k (x) for some input x) to a random output without knowing k. Since PRP is immune to known plaintext attacks, the fact that ADV knows x=0 does not help him. In fact if ADV can find key k when knowing x=0 implies that E is not a PRP. This is a contradiction to our assumption.

17 17 Solution Since E is a PRP and ADV can’t find efficiently k from E k (0) implies that E x (0) IS a OWF.

18 18 Problem We wish to build hash functions from block ciphers. We wish Same functionality as WCRHF that is constructed like so: h(x)=E x (0) [if we use a block cipher which allows arbitrary long keys] Does this construction provides WCRHF?

19 19 Solution No!!! Proof by counter example: Assume E k (x) is a block cipher. Assume E’ k1,k2 (x)=k1  E k2 (X).  Is this still a block cipher??? Prove!!! Let our input X=X 1 ||X 2 (without the limitation of generality) Let h(x 1 ||x 2 )=E’ x1,x2 (0)=x1  E x2 (0)

20 20 Solution For example assume X=10011100 X 1 =1001, X 2 =1100 For example assume E 1100 (0)=1101 (may be any permutation) Let h(x)=1001  E 1100 (0)= 1001  1101=0101 Let ADV A find a collision to X=10011100 with h(x)=0101

21 21 Solution ADV generates arbitrary Y. for example Y=10001110 -> Y 1= 1000,Y 2= 1110. Y may be any other value. ADV calculates: Y 2 ‘=E y2 (0)=0011. ADV calculates: Y 1 ‘=h(x)  E y2’ (0) =0101  0011=0110

22 22 Solution For our construction: Let h(Y 1 ’||Y 2 )=Y 1 ’  E y2 (0). i.e. h(01101110). Y 1 ’  E y2 (0)=(h(x)  E y2’ (0))  E y2 (0)=h(x). i.e.: 0110  0011 = 0101.

23 23 Problem Alice and Bob use the phone line to send information. Eve may eavesdrop on their communication. Alice wishes to establish a secret key using Charlie as a courier. Since Charlie does not use the common phone lines, Eve can’t eavesdrop to his transmissions. Bob does not know Charlie. How can Alice use only a OWF so that the secret may be passed to Bob from Charlie and that Eve can’t impersonate Charlie?

24 24 Solution Alice sends h(x) to Bob and gives Charlie X. Since h(x) is OWF Eve can’t find out x from h(x). Bob verifies x from Charlie by computing h(x).

25 25 Simple MAC Functions MAC k (x)=int(x||k mod 2 32 )  For any k>2 32 any x is a forgery  K is exposed so we can calculate any x For exposing k we need known x MAC k (x)=(x[0…15]+k)  (x[16…31]+k)  Any symmetrical message can be forged (result 0) for any k  Some other vulnerabilities may exist MAC k (x)=x*(32567+k) mod 32767  Simply forge: x’=x+(32767) holds for any k

26 26 Simple MAC Functions MAC k (x)=int(32768*fraction(x*a+k*b)) )) where 0<a,b<1  For very low values of a and b the forgery is simpler, x’=x+1  For higher values, x’ should be larger(or smaller) with a smaller Delta(ADV knows a and b)  The problem is that int looses precision

27 27 Problem Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code). Namely, they send Encrypt(Message||Hash(Message)), and hope that in so doing, they achieve encryption and authentication together. Show that this design is insecure (an attacker can modify a message and it would still be considered authentic). Hint: this is easy to show, when using one-time-pad or OFB mode encryption.

28 28 Solution Assuming OTP is used and ADV knows some information about the message. ADV knows the algorithm, so knows which hash function is used. Knowing so, he can figure out the key encrypting the message (known plain text). Since he knows the message and hash of the message, he can figure out the key encrypting the hash. ADV can now calculate new message and new hash for the message and replace them.

29 29 Solution ADV’s playout:  k m =m  c m (revealing the key of m)  k h(m) =h(m)  c h(m)  Forge: m’  k m ||h(m’)  k h(m) This is a poor MAC because it isn’t even immune to KMA.

30 30 Using MAC: Shared Key Mutual Authentication Model: Alice and Bob share secret master key k Goals  Mutual authentication: Alice knows it talked with Bob and vice verse.  Parties may also send a message; prevent replays.  Allow multiple concurrent connections.  Either party can initiate. Basic problem, appears (and is) easy …but also easy to do wrong

31 31 Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989) SNA – IBM’s Secure Network Architecture  Predominant network protocol till late eighties Protocol: ( N a, N b - randomly chosen nonces)

32 32 Attack on SNA LU6.2 Authentication Idea: Eve opens two connections with Bob… sending N b to Bob in 2 nd connection to get E k (N b )

33 33 Conclusions & Thumb-rules Prevent re-direction of message to sender  Identify party in challenge Prevent re-direction of flow i to flow j  i  Ensure different flows are easily distinguished Prevent use of old challenge  Select new random challenge (nonce) or time Do not compute values chosen by Adversary  Include self-chosen nonce in the protected reply Authenticate with MAC, not encryption

34 34 Two Party Protocol (2PP) [BGH*93] Fixed SNA protocol Use MAC rather than encryption to authenticate Separate 2 nd and 3 rd flows – 3 vs. 2 input blocks Include identities (A,B) to prevent redirections Proof of security: from MAC properties (Claim 1)  See [BR93] for definition and proof

35 35 Authenticating messages Optionally, authenticate messages m A, m B by including their hash in the MAC inputs To authenticate many messages (in order):  Add sequence numbers  Can use same nonces for multiple messages

36 36 Efficient Implementation with CBC MAC Assume: one block per parameter MAC k (N a,N b )= E k (N b +E k (N a )) MAC k (N a,N b,B)=E k (A||B+ E k (N b +E k (N a ))) Potential reuse: MAC k (N a,N b,B)=E k (B+ MAC k (N a,N b ))  Only three `block operations` for entire protocol Suggested in [BGH*93] AliceBob NaNa N b, E k (A||B+E k (N b +E k (N a ))) E k (N b +E k (N a ))

37 37 Implementation with CBC MAC Is this secure?  Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free  But here 3 rd flow is prefix of 2 nd flow – not prefix free!  Seems secure… but I’m not aware of proof AliceBob NaNa N b, E k (A||B+E k (N b +E k (N a ))) E k (N b +E k (N a ))

38 38 Question: can 2PP authenticate users? Is 2PP secure using a password for the key k? Problems:  Password is not uniformly distributed  Limited number of common passwords – attacker can guess (Dictionary attack)

Download ppt "1 Intro To Encryption Exercise 7. 2 Problem Show a OWHF and distribution of passwords s.t. both unix and S/Key fail."

Similar presentations

Lecture 5: Cryptographic Hashes

Lecture 5: Cryptographic Hashes
ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.

ECE454/CS594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2011.
CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.

CS470, A.SelcukCryptographic Authentication1 Cryptographic Authentication Protocols CS 470 Introduction to Applied Cryptography Instructor: Ali Aydin Selcuk.
Intro To Secure Comm. Exercise 3. Problem The following scenario is suggested for establishing session keys  Alice and Bob share a secret (key phrase/password)

Intro To Secure Comm. Exercise 3. Problem The following scenario is suggested for establishing session keys  Alice and Bob share a secret (key phrase/password)
1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.

1 Security Handshake Pitfalls. 2 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: –Authenticate.
1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.

1 Cryptanalysis-tolerant CPA crypt. ● Suppose E, E’ are two encryption schemes which on of them is CPA - secure  E.g., a standard and a proprietary, a.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.

CS426Fall 2010/Lecture 81 Computer Security CS 426 Lecture 8 User Authentication.
Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.

Implementation of a Two-way Authentication Protocol Using Shared Key with Hash CS265 Sec. 2 David Wang.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.

Intro To Secure Comm. Exercise 2. Problem  You wish for your users to access a remote server via user and password.  All of the users have modems and.
CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.

CSE331: Introduction to Networks and Security Lecture 21 Fall 2002.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from

Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.

Chap 3: Key exchange protocols In most systems, we distinguish the short term keys from the long term ones: –A short term key (session key) is used to.
CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 16 Jonathan Katz.
Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.

Cryptography (continued). Enabling Alice and Bob to Communicate Securely m m m Alice Eve Bob m.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
1 Intro To Encryption Exercise 10. 2 Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)

1 Intro To Encryption Exercise Analyze the following scenario: Sender:  Cipher1= Encrypt message with symmetric key algorithm  RSA_Encrypt (SHA1(message)
1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

1 Intro To Encryption Exercise 4. 2 Defining Pseudo-Random Permutation Let A be alg. with oracle to a function from {0,1} k to {0,1} k Notation: let A.

Similar presentations

Ads by Google