Loading in 5 sec....

Putting it all together: using multiple primitives togetherPowerPoint Presentation

Putting it all together: using multiple primitives together

Download Presentation

Putting it all together: using multiple primitives together

Loading in 2 Seconds...

- 42 Views
- Uploaded on
- Presentation posted in: General

Putting it all together: using multiple primitives together

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Putting it all together: using multiple primitives together

- Say you have a signature scheme

SScheme = (KGen, Sign, Vf)

- Say this scheme is unforgeable against CMA

- Modify the signature algorithm:

iff. &

= 1

- Is this still unforgeable against CMA?

- We have an arbitrary unforgeable signature scheme:

SScheme = (KGen, Sign, Vf)

- And we also have any IND-CCA encryption scheme

EScheme = (KGen, Enc, Dec)

- Say we want to ensure that a confidentialmessage comes from a given party. Can we send:

- ?

- ?

- ?

- What would we use in order to:

- Send a confidential message

- Encrypt a large document

- Send a confidential AND authenticated message

- Authenticate a message with non-repudiation

- Authenticate a message without non-repudiation

- Find correspondences

- Confidentiality

- Hash function

- Collision-resistance

- MAC code

- Authenticity

- Symmetric encryption

- Non-repudiation

- PK Encryption

- Integrity

- Digital Signatures

- The Hash paradigm for signatures :

- Improves the security of signature schemes

- Improves efficiency for signatures, making their size the same, irrespective of the message length

- Can we do the same for encryption schemes, i.e. use instead of

- Can we send just instead of

- Symmetric encryption is faster than PK encryption

- Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message for Baptiste withthis key.

- Baptiste does not know the secret key.

- By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt.

- A public key encryption scheme

- A symmetric encryption scheme

- A signature scheme

- A MAC scheme

- A hash scheme

- Amélie and Baptiste share a secret key for a MAC scheme

………

Amélie

Baptiste

- They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: {<Name> || || || || … || }

- How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?

- Consider the DSA signature scheme

- Say Amélie signs two different messages with the sameephemeral value (and obviously the sameprivate key )

- How would an attacker know from the signatures that the same ephemeral value was used for both signatures?

- Show how to retrieve given the two signatures for and

- Amélie wants to do online shopping, say on Ebay

- She needs to establish a secure channel with an Ebay server, i.e. be able to exchange message confidentially and integrally/authentically with its server

- This is actually done by sharing one MAC key and one symmetric encryption key between them

- The server has a certified RSA public encryption key, but Amélie does not

- How can Amélie make sure they share the two secret keys?

- How can they check that they are sharing the same keys?

- List the properties of a hash function. Think of: input size, output size, who can compute it etc.

- Imagine we have a public key encryption scheme. We generate and , but throw away and publish

- We implement a hash scheme by using the PKE scheme, by using

- Should the PKE scheme be deterministic or probabilistic?

- Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed?

- Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?

- A pseudo-random generator is a deterministic function thattakes as input a fixed-length string (a seed) and which outputs a much longer string , suchthat looks random to anyadversary

- Assume Amélie and Baptiste share a seed

- Consider symmetric encryption with key , whereencryptionisdone as , for messages of lengthequal to that of (and paddedotherwise)

- Is this scheme deterministic or probabilistic?

- Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext.

- How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?

Thanks!