Protocols%20Chapter%202

1
Protocols Chapter 2

• Protocol
• A series of steps, involving two or more parties,
  designed to accomplish a task.
• All parties involved must know the protocol
• All parties must agree to follow it
• Must be unambiguous
• Must be complete

2
The Playersdramatis personae

• Alice First participant
• Bob Second
• Carol Third
• Eve Eavesdropper
• Mallory Malicious attacker
• Trent Trusted arbitrator
• Peggy Prover
• Victor Verifier

3
Types of Protocols

• Arbitrated Protocols
• Intermediary trusted by all parties
• Lawyer is involved
• Adjudicated Protocols
• In case of a dispute a third party becomes
  involved
• Judge is involved
• Self-Enforcing Protocols
• The protocol itself guarantees fairness
• No third party is involved

4
Attacks against Protocols

• Passive attack
• Passive eavesdropper e.g. network sniffing
• Difficult to detect
• Active attack
• Alter protocol
• Pretend to be someone else
• Cheaters
• Not following the protocol
• Liars

5
Protocol Building Blocks

• Symmetric key cryptography
• One-Way Hash functions
• Public-key cryptography
• Digital signatures
• Random sequence generators

6
Symmetric Key Cryptography

• Secure communications
• Secure storage
• Computationally efficient
• Depends on a shared secret

7
Symmetric Key Cryptography

• Alice and Bob want to communicate securely.
• Alice Bob agree on a crypto algorithm
• Alice Bob agree on a key
• Alice encrypts message with the key
• Alice sends ciphertext to Bob
• Bob decrypts with the key and reads the message

8
Symmetric Key Cryptography
C
Alice
Bob
Key K Message M Ciphertext C EK(M)
Key K Ciphertext C Message M DK(C)
DK(EK(M))
9
Symmetric Key CryptographyAttacks

• Passive attack
• Eve can only try a ciphertext only attack
• Eve can attempt to determine the key during the
  key exchange
• Active attack
• Intercept Alice's message and substitute his own
• Break communication channel
• Cheaters
• Alice can give the key to Eve, so Eve can read
  Bob's message

10
One-Way Hash functions

• One-way functions
• No inverse (known to exist)
• Hash function
• No known collisions
• Variable length inputs
• Fixed length outputs

11
Message Authentication Code

• Uses a secret key
• One-way hash of both the pre-image and the secret
  key
• K symmetric key
• M Message
• MAC H(EncK(M))
• Only those who have the key K can calculate
  H(EncK(M).

12
Public-Key Cryptography

• Public key and private key
• Each player has their own key pair
• Computationally intensive
• Vulnerable to chosen-plaintext attacks
• Very difficult to deduce the private key from the
  public key

13
Public-Key Cryptography

• Let
• Pr Alice's private key
• Pu Alice's public key
• (Pr, Pu) is the key pair, and must go together.
• M Plaintext from Bob
• Ciphertext C EPu (M) is calculated by Bob with
  Alice's public key.
• Only Alice has access to her private key. Thus
  only she can calculate
• the plaintext M DPr (EPu (M)).

14
Public-Key Cryptography
BPu
Alice
Bob
C
Message M Ciphertext C EBPu(M)
Key pair BPu, BPr Ciphertext C Message M
DBPr(C) DBPr(EBPu(M))
15
Digital Signatures

• Authentic
• Not forgeable
• Not reusable
• Unalterable
• Cannot be repudiated

16
Digital Signatures with Symmetric Crypto

• Alice wants to sign a digital message and send it
  to Bob with Trent's help.
• Alice/Trent key, KA. Bob/Trent key, KB.
• Alice encrypts her message to Bob with KA and
  sends it to Trent.
• Trent decrypts the message with KA.
• Trent encrypts Alice's message to Bob along with
  a message that it is from Alice.
• Trent sends the encrypted bundle to Bob.
• Bob decrypts the bundle with KB. Bob can read
  Alice's message along with Trent's certification.

17
Digital SignaturesPublic-Key Crypto

• Alice wants to sign a digital message and send it
  to Bob without Trent's help
• Alice's public key, KA-pu, private key, KA-pr..
• Alice encrypts her document with her private key,
  KA-pr.
• Alice sends the signed document to Bob.
• Bob decrypts the document with KA-pu, thereby
  verifying the signature.

18
Digital Signatures Public-Key Crypto Hash
Functions

• Alice wants to sign a large digital message and
  send it to Bob without the public-key's compute
  hit.
• Alice's public key, KA-pu, private key, KA-pr..
• Alice produces a one-way hash of her document.
• Alice encrypts the hash with her private key,
  KA-pr.
• Alice sends the document and the encrypted hash
  to Bob.
• Bob decrypts the hash with KA-pu, calculates the
  hash of the document himself and compares them,
  thereby verifying the signature.

19
Digital SignaturesVulnerabilities

• Alice can cheat.
• She can sign a document.
• She can claim that her private key was
  compromised.
• Time stamps help.
• Escrow agents are expensive.
• Tamper resistant modules.

20
Random Sequence Generators
Pseudo-random generator Looks random Passes
all of the statistical tests. Cryptographically
Secure
21
Cryptographically SecureRandom Sequence
Generators
It is unpredictable. Computationally infeasible
to predict what the next random bit will be given
complete knowledge of the algorithm and all
previous bits. It cannot be reliably reproduced.
22
Basic Protocols Chapter 3

• Protocols
• Key Exchange
• Authentication and key exchange
• Secret splitting
• Secret sharing

23
Key Exchange with Symmetric Crypto

• Alice/Trent key, KA. Bob/Trent key, KB.
• Alice calls Trent and requests a session key to
  communicate with Bob.
• Trent generates a random session key.
• Trent encrypts the session key with KA and
  encrypts another copy with KB.
• Trent sends both copies to Alice.
• Alice decrypts her copy with KA and sends Bob his
  copy.
• Bob decrypts his copy with KB.
• Alice and Bob can communicate securely with the
  shared session key.

24
Key Exchangewith Public-Key Crypto

• Bob sends Alice his public key, Pu.
• Alice generates a random session key, K.
• Alice encrypts K using Bob's public key, EPu(K).
• Alice sends EPu(K) to Bob.
• Bob decrypts Alice's message using his private
  key,
• DPr(EPu(K)) K.
• Alice and Bob encrypt their communications using
  the same session key, K.

25
Authentication

• Passwords and pass phrases
• Dictionary attacks
• Hashed passwords subject to dictionary attacks
• Salted passwords
• Public key encryption
• Requires key pairs
• Key management

26
AuthenticationPublic Key Encryption

• 1. Host sends Alice a random string.
• 2. Alice encrypts with her private key and sends
  it back to the host along with her name.
• 3. Host looks up Alice's public key and decrypts
  the messsage.
• 4. If the message matches the string the host
  sent Alice then the host permits access to Alice.

27
Key Exchange with Authentication

• All involve a trust intermediary Trent
• All subject to man in the middle attack
• Want to be sure you know who you are talking to.

28
Kerberos
Guarding the Gates of Hell. No one leaves.
29
Authentication Key ExchangeKerberos

• Maintained by MIT
• Up to version 5-1.10.3 - Release 1.9.4
• Strong authentication
• Uses symmetric key encryption
• Uses a trusted intermediary

30
Authentication Key ExchangeKerberos
Trent
A Alice's ID B Bob's ID KAT Alice/Trent
symmetric key KBT Bob/Trent symmetric key
KAT
KBT
Alice
Bob
31
Alice sends message to Trent
Trent
A Alice's ID B Bob's ID
A, B
Alice
Bob
32
Trent responds to Alicewith info for Alice and
Bob
Trent generates TS Time stamp L Lifetime
for the key KAB Session key M1 (TS, L,
KAB, A) M2 (TS, L, KAB, B)
Trent
A Alice's ID B Bob's ID
EKAT (M2) EKBT (M1)
Alice
Bob
33
Alice gets message from Trent
Trent generates TS Time stamp L Lifetime
for the key KAB Session key M1 (TS, L,
KAB, A) M2 (TS, L, KAB, B)
Trent
A Alice's ID B Bob's ID
EKAT (M2) EKBT (M1)
Alice
Bob
Alice calc's DKAT (EKAT (M2)). She now
knows TS, L, KAB , B and EKBT (M1) which she
cannot decrypt. Alice also calc's EKAB(A, TS).
34
Alice sends message to Bob
Trent generates TS Time stamp L Lifetime
for the key KAB Session key M1 (TS, L,
KAB, A) M2 (TS, L, KAB, B)
Trent
A Alice's ID B Bob's ID
EKAT (M2) EKBT (M1)
EKAB(A, TS), EKBT (M1)
Alice
Bob
Alice calc's DKAT (EKAT (M2)). She now
knows TS, L, KAB , B and EKBT (M1) which she
cannot decrypt. Alice also calc's EKAB(A, TS).
Bob calc's DKBT (EKBT (M1)). He now knows TS,
L, KAB , A. He can also calc DKAB (EKAB(A, TS)).
35
Bob gets message from Alice and replies to Alice
Trent generates TS Time stamp L Lifetime
for the key KAB Session key M1 (TS, L,
KAB, A) M2 (TS, L, KAB, B)
Trent
A Alice's ID B Bob's ID
EKAT (M2) EKBT (M1)
EKAB(A, TS), EKBT (M1)
Alice
Bob
EKAB(A, TS 1)
Alice calc's DKAT (EKAT (M2)). She now
knows TS, L, KAB , B and EKBT (M1) which she
cannot decrypt. Alice also calc's EKAB(A, TS).
Bob calc's DKBT (EKBT (M1)). He now knows TS,
L, KAB , A. He can also calc DKAB (EKAB(A, TS)).
36
Secret Splitting Protocol

• Secret splitting
• Split a message up into n-pieces
• Give each to a person
• The message can be read only if all n-people put
  their pieces together

37
Secret Splitting Protocol

• Trent wants send a message to Alice and Bob that
  they can only read together.
• Trent generates a random bit string R, the same
  length as the message, M.
• Trent XOR's M with R to generate S.
• M Å R S
• Trent gives R to Alice and S to Bob.
• Alice and Bob XOR their pieces together to
  reconstruct the message
• R Å S R Å M Å R M

38
Secret Splitting Protocol n parties

• 1. Trent generates random bit strings R1, ...
  Rn-1 the same length as the message, M.
• 2. Trent XOR's M with R1, ... Rn-1 to generate
  Rn.
• M R1 ... Rn-1 Rn
• 3. Trent gives Ri to Alicei.
• 4. The Alicei's XOR their pieces together to
  reconstruct the message
• R1 ... Rn M

39
Secret Sharing Protocol n parties

• Goal To share a message among 5 people so that
  any 3 can reconstruct the message.
• Threshold Scheme (m, n) threshold scheme.
• A message is divided into n pieces called shadows
  or shares so that any m of them can be used to
  reconstruct the original message.

40
Intermedate Protocols Chapter 4

• Time Stamping
• Subliminal Channels
• Bit Commitment

41
Time Stamping

• Goals
• The document itself must be time stamped.
• Impossible to change any part of the document
  without it being apparent.
• Impossible to timestamp the document with a
  date/time different from the present one.

42
Time Stamping

• Arbitrated Solution
• Alice transmits a copy of the document to Trent
• Trent records the date/time he received the
  document and retains a copy of the document for
  safekeeping.
• Storage problems
• Privacy problems

43
Time Stamping

• Improved Arbitrated Solution
• Alice produces a one-way hash of the document.
• Alice transmits the hash to Trent
• Trent appends the date/time he received the hash
  onto the hash. H(M) dtg
• Trent signs the rersult. ETpri (H(M) dtg)
• Trent sends the result back to Alice.

44
Subliminal Channels

• Secret messages sent within other messages
• Often within the digital signature of an
  innocuous message
• Useful enough for a lot of work to be done in
  this area

45
Computing with Encrypted Data

• Alice wants to calculate f(x) on Bob's machine.
• Alice does not want Bob to know x.
• You want to know the value of your portfolio
  without the news service knowing what your
  portfolio is.

46
Bit Commitment

• Alice picks a winner for tomorrow's race.
• Alice doesn't want Bob to know.
• Bob doesn't want Alice to be able to change her
  choice tomorrow.

47
Bit Commitment

1. Bob generates a random-bit string, R, and sends
   it to Alice.
2. Alice creates a message of her commitment, b and
   R.
3. Alice generates a random key, K, and encrypts Rb
   with it and sends the result to Bob. Result is
   EK(R,b)
4. Later Alice sends Bob the key, K.
5. Bob decrypts the message and checks his random
   string.

48
Zero-Based KnowledgeProblem

• Zero-Knowledge Protocol
• Alice knows a secret
• Alice wants to prove to Bob she knows the secret
• Alice does not want to reveal the secret to Bob.

49
Zero-Knowledge Protocol

• Alice claims she knows the secret combination to
  the door in the back of the cave. She wants to
  prove so to Bob.
• Bob stands at point A.
• Alice goes to point C or D.
• Bob goes to B and asks Alice come out of the cave
  either on the left or the right.
• Alice complies using her secret combination if
  she has to.
• Repeat n times until Bob is convinced.

50
Zero-Knowledge Protocol
A
B
C
D