intro to encryption exercise 7
DESCRIPTION
Intro To Encryption Exercise 7. Problem. Show a OWHF and distribution of passwords s.t. both unix and S/Key fail. Solution. Let h(x) be a OWHF. Let h’(x) return: 0 if 3 final chars of x end with AAA h(x) otherwise What kinds of an attack should ADV use? For Unix Password Scheme - PowerPoint PPT PresentationTRANSCRIPT
1
Intro To EncryptionExercise 7
2
Problem
Show a OWHF and distribution of passwords s.t. both unix and S/Key fail
3
Solution
Let h(x) be a OWHF. Let h’(x) return:
0 if 3 final chars of x end with AAA h(x) otherwise
What kinds of an attack should ADV use? For Unix Password Scheme For S/Key password scheme
4
Problem
Lets assume a SALT mechanism is proposed for the previous problem.
How should you implement it using the proposed h’ without changing its internal design?
5
Solution
h’’(x)=h’(x||salt) with salt being != AAA.
6
Problem
Assuming UNIX password scheme is secure enough when used properly (i.e. users refresh passwords once in a while).
Suggest a scenario to justify the S/KEY password scheme.
Hint: A naïve authentication scenario.
7
Solution
Client Eve Server
User,h(password)
Ack()
User,h(password)
Ack
8
Solution
Client Eve Server
User,h^(n-1)(password)
Ack
User,h^(n-1)(password)
Reject
9
Solution
Using UNIX scheme may lead to replay attacks by adversary.
When transmitting h(password) an adversary intercepts the hash and uses it as its own.
Using S/KEY prevents the adversary from attacking using a stolen hash.
10
Problem (If we have the time) Design a safe login mechanism without using
the S/Key mechanism, only the Unix like mechanism. i.e. no limitation on number of logins as a function
of password hashing.
11
Problem
Why does brute-force attack on Target Collision Resistant takesO(2n) guesses (not O(2n/2)-from bithday paradox)
12
Solution
Since ADV picks x, x’ he may be able to find a collision with O(2n/2).
BUT!!! ADV does not know key k prior to his choice. The key is chosen AFTER his original choise.
So? So ADV can’t efficiently calculate hashes for x, x’
because he does not know which hash function The user may choose.
In other words for some key k f(x)=f(x’) but for other key k’ f(x)!=f(x’)
13
Problem
Computer viruses modify executable program files to `infect` them.
One common protection against viruses is to maintain, in read-only storage, a list containing a short `fingerprint` of each executable file, allowing the antivirus program to validate that an executable was not modified.
Which of the hash function properties are necessary for computing the fingerprint?
14
Solution
We need collision resistance features. Do we need Weakly, Strong or target collision
resistance requirements?
15
Problem
We wish to build hash functions from block ciphers.
We wish Same function as OWF that is constructed as:h(x)=Ex(0) where E is a PRP.
Prove or supply a counter example.
16
Solution
E is a PRP. This means that for some key k it is infeasible to distinguish between its output (Ek(x) for some input x) to a random output without knowing k.
Since PRP is immune to known plaintext attacks, the fact that ADV knows x=0 does not help him.
In fact if ADV can find key k when knowing x=0 implies that E is not a PRP.This is a contradiction to our assumption.
17
Solution
Since E is a PRP and ADV can’t find efficiently k from Ek(0) implies that Ex(0) IS a OWF.
18
Problem
We wish to build hash functions from block ciphers.
We wish Same functionality as WCRHF that is constructed like so:h(x)=Ex(0) [if we use a block cipher which allows arbitrary long keys]
Does this construction provides WCRHF?
19
Solution
No!!! Proof by counter example: Assume Ek(x) is a block cipher.
Assume E’k1,k2(x)=k1Ek2(X). Is this still a block cipher??? Prove!!!
Let our input X=X1||X2 (without the limitation of generality)
Let h(x1||x2)=E’x1,x2(0)=x1Ex2(0)
20
Solution
For example assume X=10011100 X1=1001, X2=1100
For example assume E1100(0)=1101 (may be any permutation)
Let h(x)=1001 E1100(0)= 10011101=0101 Let ADV A find a collision to X=10011100
with h(x)=0101
21
Solution
ADV generates arbitrary Y.for example Y=10001110 -> Y1=1000,Y2=1110. Y may be any other value.
ADV calculates: Y2 ‘=Ey2(0)=0011.
ADV calculates: Y1 ‘=h(x) Ey2’(0)=0101 0011=0110
22
Solution
For our construction: Let h(Y1’||Y2)=Y1’Ey2(0).
i.e. h(01101110). Y1’Ey2(0)=(h(x) Ey2’(0)) Ey2(0)=h(x).
i.e.: 0110 0011 = 0101.
23
Problem
Alice and Bob use the phone line to send information.
Eve may eavesdrop on their communication. Alice wishes to establish a secret key using Charlie
as a courier. Since Charlie does not use the common phone
lines, Eve can’t eavesdrop to his transmissions. Bob does not know Charlie. How can Alice use only a OWF so that the secret
may be passed to Bob from Charlie and that Eve can’t impersonate Charlie?
24
Solution
Alice sends h(x) to Bob and gives Charlie X. Since h(x) is OWF Eve can’t find out x from
h(x). Bob verifies x from Charlie by computing h(x).
25
Simple MAC Functions
MACk(x)=int(x||k mod 232) For any k>232 any x is a forgery K is exposed so we can calculate any x
For exposing k we need known x
MACk(x)=(x[0…15]+k) (x[16…31]+k) Any symmetrical message can be forged (result 0)
for any k Some other vulnerabilities may exist
MACk(x)=x*(32567+k) mod 32767 Simply forge: x’=x+(32767) holds for any k
26
Simple MAC Functions
MACk(x)=int(32768*fraction(x*a+k*b)) ))where 0<a,b<1 For very low values of a and b the forgery is simpler,
x’=x+1 For higher values, x’ should be larger(or smaller) with
a smaller Delta(ADV knows a and b) The problem is that int looses precision
27
Problem
Some designs attempt to provide message authentication by sending the encryption of the message concatenated with its hash (or simply with an error detection code).
Namely, they send Encrypt(Message||Hash(Message)),and hope that in so doing, they achieve encryption and authentication together.
Show that this design is insecure (an attacker can modify a message and it would still be considered authentic).
Hint: this is easy to show, when using one-time-pad or OFB mode encryption.
28
Solution
Assuming OTP is used and ADV knows some information about the message.
ADV knows the algorithm, so knows which hash function is used.
Knowing so, he can figure out the key encrypting the message (known plain text).
Since he knows the message and hash of the message, he can figure out the key encrypting the hash.
ADV can now calculate new message and new hash for the message and replace them.
29
Solution
ADV’s playout: km=mcm (revealing the key of m)
kh(m)=h(m) ch(m)
Forge: m’km||h(m’)kh(m)
This is a poor MAC because it isn’t even immune to KMA.
30
Using MAC: Shared Key Mutual Authentication Model: Alice and Bob share secret master key k
Goals Mutual authentication: Alice knows it talked with Bob and
vice verse. Parties may also send a message; prevent replays. Allow multiple concurrent connections. Either party can initiate.
Basic problem, appears (and is) easy …but also easy to do wrong
31
Two Party Mutual Authentication – The SNA LU6.2 Protocol (till 1989) SNA – IBM’s Secure Network Architecture
Predominant network protocol till late eighties Protocol: (Na, Nb - randomly chosen nonces)
32
Attack on SNA LU6.2 Authentication Idea: Eve opens two connections with Bob…
sending Nb to Bob in 2nd connection to get Ek(Nb)
33
Conclusions & Thumb-rules Prevent re-direction of message to sender
Identify party in challenge Prevent re-direction of flow i to flow ji
Ensure different flows are easily distinguished Prevent use of old challenge
Select new random challenge (nonce) or time Do not compute values chosen by Adversary
Include self-chosen nonce in the protected reply Authenticate with MAC, not encryption
34
Two Party Protocol (2PP) [BGH*93]
Fixed SNA protocol Use MAC rather than encryption to authenticate Separate 2nd and 3rd flows – 3 vs. 2 input blocks Include identities (A,B) to prevent redirections Proof of security: from MAC properties (Claim 1)
See [BR93] for definition and proof
35
Authenticating messages Optionally, authenticate messages mA, mB by
including their hash in the MAC inputs To authenticate many messages (in order):
Add sequence numbers Can use same nonces for multiple messages
36
Efficient Implementation with CBC MAC Assume: one block per parameter MACk(Na,Nb)= Ek(Nb+Ek(Na)) MACk(Na,Nb,B)=Ek(A||B+ Ek(Nb+Ek(Na))) Potential reuse: MACk(Na,Nb,B)=Ek(B+ MACk(Na,Nb))
Only three `block operations` for entire protocol Suggested in [BGH*93]
Alice Bob
Na
Nb, Ek(A||B+Ek(Nb+Ek(Na)))
Ek(Nb+Ek(Na))
37
Implementation with CBC MAC Is this secure?
Claim 3 (foil 26) [BKR94] shows CBC is a MAC if inputs are prefix-free
But here 3rd flow is prefix of 2nd flow – not prefix free!
Seems secure… but I’m not aware of proof
Alice Bob
Na
Nb, Ek(A||B+Ek(Nb+Ek(Na)))
Ek(Nb+Ek(Na))
38
Question: can 2PP authenticate users? Is 2PP secure using a password for the key k? Problems:
Password is not uniformly distributed Limited number of common passwords – attacker can
guess (Dictionary attack)