Putting it all together: using multiple primitives together
Cristina Onete
maria-cristina.onete@irisa.fr
Rennes, 23/10/2014
- Exercise 1
- Say you have a signature scheme SScheme = (KGen, Sign, Vf)
- Say this scheme is unforgeable against CMA (chosen-message attacks)
- Modify the signature algorithm:
  $\mathit{Sign}'_{sk}(m) = [\mathit{Sign}_{sk}(m),\; m]$
  $\mathit{Vf}'_{pk}(\sigma, m^*, m) = 1$ iff $m = m^*$ and $\mathit{Vf}_{pk}(\sigma, m) = 1$
- Is this still unforgeable against CMA?
Cristina Onete || 23/10/2014 || 2
- Exercise 2
- We have an arbitrary unforgeable signature scheme: SScheme = (KGen, Sign, Vf)
- And we also have any IND-CCA encryption scheme: EScheme = (KGen, Enc, Dec)
- Say we want to ensure that a confidential message comes from a given party. Can we send:
  • $\mathit{Sign}_{sk}(\mathit{Enc}_{pk_{enc}}(m))$ ?
  • $\mathit{Enc}_{pk_{enc}}(m)\;;\;\mathit{Sign}_{sk}(m)$ ?
  • $\mathit{Enc}_{pk_{enc}}(m \,\|\, \mathit{Sign}_{sk}(m))$ ?
- Interlude
- What would we use in order to:
  • Send a confidential message
  • Encrypt a large document
  • Send a confidential AND authenticated message
  • Authenticate a message with non-repudiation
  • Authenticate a message without non-repudiation
- Find correspondences (match each property with the primitive that provides it):
  • Properties: Confidentiality; Collision-resistance; Authenticity; Non-repudiation; Integrity
  • Primitives: ✓ Hash function; ✓ MAC code; ✓ Symmetric encryption; ✓ PK Encryption; ✓ Digital Signatures
- Exercise 3
- The Hash paradigm for signatures, $\mathit{Sign}_{sk}(H(m))$:
  • Improves the security of signature schemes
  • Improves efficiency for signatures, making their size the same irrespective of the message length
- Can we do the same for encryption schemes, i.e. use $\mathit{Enc}_{pk}(H(m))$ instead of $\mathit{Enc}_{pk}(m)$?
- Can we send just $H(\mathit{Enc}_{pk}(m))$ instead of $\mathit{Enc}_{pk}(m)$?
- Exercise 4
- Symmetric encryption is faster than PK encryption
- Suppose Amélie generates a symmetric encryption key (e.g. for AES-128) and encrypts a message $m$ for Baptiste with this key.
- Baptiste does not know the secret key.
- By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt.
  • A public key encryption scheme
  • A symmetric encryption scheme
  • A signature scheme
  • A MAC scheme
  • A hash scheme
- Exercise 5
- Amélie and Baptiste share a secret key for a MAC scheme
  [Diagram: Amélie and Baptiste exchange the messages $b_1, a_1, b_2, a_2, \ldots$ in turn]
- They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: $\{\langle\mathrm{Name}\rangle \,\|\, b_1 \,\|\, a_1 \,\|\, b_2 \,\|\, a_2 \ldots b_n \,\|\, a_n\}$
- How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?
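An added example (not from the slides) of the end-of-conversation transcript MAC above, using HMAC-SHA256 as the MAC scheme; the key, names and messages are constructed placeholders. The one practical point it makes is that the `||` concatenation must be encoded unambiguously (length prefixes here), otherwise different message splits yield the same MAC input.

```python
import hmac
import hashlib
import struct

# Constructed sample conversation (not from the slides): (sender, message) pairs
# in the order they were sent. The MAC key is a constructed placeholder.
KEY = b"shared-mac-key-placeholder"
TRANSCRIPT = [
    ("Baptiste", b"b1: hi"),
    ("Amelie", b"a1: hello"),
    ("Baptiste", b"b2: price?"),
    ("Amelie", b"a2: 10 EUR"),
]

def encode_transcript(name: str, messages) -> bytes:
    """Serialise <Name> || b_1 || a_1 || ... unambiguously.

    Raw byte concatenation is ambiguous ("ab"+"c" == "a"+"bc"), so every field
    is prefixed with its 4-byte big-endian length. The sender is bound to each
    message so that swapping who said what also changes the MAC input.
    """
    out = struct.pack(">I", len(name)) + name.encode()
    for sender, msg in messages:
        field = sender.encode() + b":" + msg
        out += struct.pack(">I", len(field)) + field
    return out

def transcript_mac(key: bytes, name: str, messages) -> bytes:
    """MAC each party sends at the end (HMAC-SHA256 as the MAC scheme)."""
    return hmac.new(key, encode_transcript(name, messages), hashlib.sha256).digest()

def verify_transcript_mac(key: bytes, name: str, messages, tag: bytes) -> bool:
    """Receiver recomputes the MAC over its own view of the conversation."""
    return hmac.compare_digest(transcript_mac(key, name, messages), tag)

def demo():
    tag = transcript_mac(KEY, "Amelie", TRANSCRIPT)
    ok = verify_transcript_mac(KEY, "Amelie", TRANSCRIPT, tag)
    # A reordered (or dropped) message changes what Baptiste recomputes.
    reordered = [TRANSCRIPT[0], TRANSCRIPT[2], TRANSCRIPT[1], TRANSCRIPT[3]]
    tampered_ok = verify_transcript_mac(KEY, "Amelie", reordered, tag)
    return ok, tampered_ok

if __name__ == "__main__":
    print(demo())  # (True, False)
```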
- Exercise 6
- Consider the DSA signature scheme
- Say Amélie signs two different messages $m_1 \neq m_2$ with the same ephemeral value $k$ (and obviously the same private key $sk$)
- How would an attacker know from the signatures that the same ephemeral value was used for both signatures?
- Show how to retrieve $sk$ given the two signatures for $m_1$ and $m_2$
- Exercise 7
- Amélie wants to do online shopping, say on Ebay
- She needs to establish a secure channel with an Ebay server, i.e. be able to exchange messages confidentially and with integrity/authenticity with that server
- This is actually done by sharing one MAC key and one symmetric encryption key between them
- The server has a certified RSA public encryption key, but Amélie does not
- How can Amélie make sure they share the two secret keys?
- How can they check that they are sharing the same keys?
- Exercise 8
- List the properties of a hash function. Think of: input size, output size, who can compute it, etc.
- Imagine we have a public key encryption scheme. We generate $sk$ and $pk$, but throw away $sk$ and publish $pk$
- We implement a hash scheme by using the PKE scheme, by setting $H(m) := \mathit{Enc}_{pk}(m)$
  • Should the PKE scheme be deterministic or probabilistic?
  • Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed?
  • Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?
- Exercise 9
- A pseudo-random generator is a deterministic function $G$ that takes as input a fixed-length string (a seed) $k$ and which outputs a much longer string $n$, such that $n$ looks random to any adversary
- Assume Amélie and Baptiste share a seed $k$
- Consider symmetric encryption with key $k$, where encryption is done as $\mathit{Enc}(m) := G(k)\ \mathrm{XOR}\ m$, for messages $m$ of length equal to that of $G(k)$ (and padded otherwise)
  • Is this scheme deterministic or probabilistic?
  • Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext.
  • How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?
Thanks!
CIDRE