1 / 38

Intro To Encryption Exercise 7

Intro To Encryption Exercise 7. Problem. Show a OWHF and distribution of passwords s.t. both unix and S/Key fail. Solution. Let h(x) be a OWHF. Let h’(x) return: 0 if 3 final chars of x end with AAA h(x) otherwise What kinds of an attack should ADV use? For Unix Password Scheme

orly
Download Presentation

Intro To Encryption Exercise 7

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Intro To EncryptionExercise 7

  2. Problem • Show a OWHF and distribution of passwords s.t. both unix and S/Key fail

  3. Solution • Let h(x) be a OWHF. • Let h’(x) return: • 0 if 3 final chars of x end with AAA • h(x) otherwise • What kinds of an attack should ADV use? • For Unix Password Scheme • For S/Key password scheme

  4. Problem • Lets assume a SALT mechanism is proposed for the previous problem. • How should you implement it using the proposed h’ without changing its internal design?

  5. Solution • h’’(x)=h’(x||salt) with salt being != AAA.

  6. Problem • Assuming UNIX password scheme is secure enough when used properly (i.e. users refresh passwords once in a while). • Suggest a scenario to justify the S/KEY password scheme. • Hint: A naïve authentication scenario.

  7. Solution

  8. Solution

  9. Solution • Using UNIX scheme may lead to replay attacks by adversary. • When transmitting h(password) an adversary intercepts the hash and uses it as its own. • Using S/KEY prevents the adversary from attacking using a stolen hash.

  10. Problem (If we have the time) • Design a safe login mechanism without using the S/Key mechanism, only the Unix like mechanism. • i.e. no limitation on number of logins as a function of password hashing.

  11. Problem • Why does brute-force attack on Target Collision Resistant takesO(2n) guesses (not O(2n/2)-from bithday paradox)

  12. Solution • Since ADV picks x, x’ he may be able to find a collision with O(2n/2). • BUT!!! ADV does not know key k prior to his choice. The key is chosen AFTER his original choise. • So? • So ADV can’t efficiently calculate hashes for x, x’ because he does not know which hash function The user may choose. • In other words for some key kf(x)=f(x’) but for other key k’f(x)!=f(x’)

  13. Problem • Computer viruses modify executable program files to `infect` them. • One common protection against viruses is to maintain, in read-only storage, a list containing a short `fingerprint` of each executable file, allowing the antivirus program to validate that an executable was not modified. • Which of the hash function properties are necessary for computing the fingerprint?

  14. Solution • We need collision resistance features. • Do we need Weakly, Strong or target collision resistance requirements?

  15. Problem • We wish to build hash functions from block ciphers. • We wish Same function as OWF that is constructed as:h(x)=Ex(0) where E is a PRP. • Prove or supply a counter example.

  16. Solution • E is a PRP. This means that for some key k it is infeasible to distinguish between its output (Ek(x) for some input x) to a random output without knowing k. • Since PRP is immune to known plaintext attacks, the fact that ADV knows x=0 does not help him. • In fact if ADV can find key k when knowing x=0 implies that E is not a PRP.This is a contradiction to our assumption.

  17. Solution • Since E is a PRP and ADV can’t find efficiently k from Ek(0) implies that Ex(0) IS a OWF.

  18. Problem • We wish to build hash functions from block ciphers. • We wish Same functionality as WCRHF that is constructed like so:h(x)=Ex(0) [if we use a block cipher which allows arbitrary long keys] • Does this construction provides WCRHF?

  19. Solution • No!!! Proof by counter example: • Assume Ek(x) is a block cipher. • Assume E’k1,k2(x)=k1Ek2(X). • Is this still a block cipher??? Prove!!! • Let our input X=X1||X2(without the limitation of generality) • Let h(x1||x2)=E’x1,x2(0)=x1Ex2(0)

  20. Solution • For example assume X=10011100 X1=1001, X2=1100 • For example assume E1100(0)=1101 (may be any permutation) • Let h(x)=1001 E1100(0)=10011101=0101 • Let ADV A find a collision to X=10011100 with h(x)=0101

  21. Solution • ADV generates arbitrary Y.for example Y=10001110 -> Y1=1000,Y2=1110. Y may be any other value. • ADV calculates: Y2 ‘=Ey2(0)=0011. • ADV calculates: Y1 ‘=h(x)  Ey2’(0)=0101  0011=0110

  22. Solution • For our construction: • Let h(Y1’||Y2)=Y1’Ey2(0).i.e. h(01101110). • Y1’Ey2(0)=(h(x)  Ey2’(0))  Ey2(0)=h(x).i.e.: 0110  0011 = 0101.

  23. Problem • Alice and Bob use the phone line to send information. • Eve may eavesdrop on their communication. • Alice wishes to establish a secret key using Charlie as a courier. • Since Charlie does not use the common phone lines, Eve can’t eavesdrop to his transmissions. • Bob does not know Charlie. • How can Alice use only a OWF so that the secret may be passed to Bob from Charlie and that Eve can’t impersonate Charlie?

  24. Solution • Alice sends h(x) to Bob and gives Charlie X. • Since h(x) is OWF Eve can’t find out x from h(x). • Bob verifies x from Charlie by computing h(x).

  25. Simple MAC Functions • MACk(x)=int(x||k mod 232) • For any k>232 any x is a forgery • K is exposed so we can calculate any x • For exposing k we need known x • MACk(x)=(x[0…15]+k) (x[16…31]+k) • Any symmetrical message can be forged (result 0) for any k • Some other vulnerabilities may exist • MACk(x)=x*(32567+k) mod 32767 • Simply forge: x’=x+(32767) holds for any k

  26. Simple MAC Functions • MACk(x)=int(32768*fraction(x*a+k*b)) ))where 0<a,b<1 • For very low values of a and b the forgery is simpler, x’=x+1 • For higher values, x’ should be larger(or smaller) with a smaller Delta(ADV knows a and b) • The problem is that int looses precision

  27. Problem • Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code). • Namely, they send Encrypt(Message||Hash(Message)),and hope that in so doing, they achieve encryption and authentication together. • Show that this design is insecure (an attacker can modify a message and it would still be considered authentic). • Hint: this is easy to show, when using one-time-pad or OFB mode encryption.

  28. Solution • Assuming OTP is used and ADV knows some information about the message. • ADV knows the algorithm, so knows which hash function is used. • Knowing so, he can figure out the key encrypting the message (known plain text). • Since he knows the message and hash of the message, he can figure out the key encrypting the hash. • ADV can now calculate new message and new hash for the message and replace them.

  29. Solution • ADV’s playout: • km=mcm (revealing the key of m) • kh(m)=h(m) ch(m) • Forge: m’km||h(m’)kh(m) • This is a poor MAC because it isn’t even immune to KMA.

  30. Using MAC: Shared Key Mutual Authentication • Model: Alice and Bob share secret master keyk • Goals • Mutual authentication: Alice knows it talked with Bob and vice verse. • Parties may also send a message; prevent replays. • Allow multiple concurrent connections. • Either party can initiate. • Basic problem, appears (and is) easy • …but also easy to do wrong

  31. Two Party Mutual Authentication –The SNA LU6.2 Protocol (till 1989) • SNA – IBM’s Secure Network Architecture • Predominant network protocol till late eighties • Protocol: (Na, Nb- randomly chosen nonces)

  32. Attack on SNA LU6.2 Authentication • Idea: Eve opens two connections with Bob… sending Nb to Bob in 2nd connection to get Ek(Nb)

  33. Conclusions & Thumb-rules • Prevent re-direction of message to sender • Identify party in challenge • Prevent re-direction of flow i to flow ji • Ensure different flows are easily distinguished • Prevent use of old challenge • Select new random challenge (nonce) or time • Do not compute values chosen by Adversary • Include self-chosen nonce in the protected reply • Authenticate with MAC, not encryption

  34. Two Party Protocol (2PP) [BGH*93] • Fixed SNA protocol • Use MAC rather than encryption to authenticate • Separate 2nd and 3rd flows – 3 vs. 2 input blocks • Include identities (A,B) to prevent redirections • Proof of security: from MAC properties (Claim 1) • See [BR93] for definition and proof

  35. Authenticating messages • Optionally, authenticate messages mA, mBby including their hash in the MAC inputs • To authenticate many messages (in order): • Add sequence numbers • Can use same nonces for multiple messages

  36. Efficient Implementation with CBC MAC • Assume: one block per parameter • MACk(Na,Nb)= Ek(Nb+Ek(Na)) • MACk(Na,Nb,B)=Ek(A||B+ Ek(Nb+Ek(Na))) • Potential reuse: MACk(Na,Nb,B)=Ek(B+ MACk(Na,Nb)) • Only three `block operations` for entire protocol • Suggested in [BGH*93] Alice Bob Na Nb, Ek(A||B+Ek(Nb+Ek(Na))) Ek(Nb+Ek(Na))

  37. Implementation with CBC MAC • Is this secure? • Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free • But here 3rd flow is prefix of 2nd flow – not prefix free! • Seems secure… but I’m not aware of proof Alice Bob Na Nb, Ek(A||B+Ek(Nb+Ek(Na))) Ek(Nb+Ek(Na))

  38. Question: can 2PP authenticate users? • Is 2PP secure using a password for the key k? • Problems: • Password is not uniformly distributed • Limited number of common passwords – attacker can guess (Dictionary attack)

More Related