Putting it all together: using multiple primitives together

Cristina Onete
maria-cristina.onete@irisa.fr
Rennes, 23/10/2014

Exercise 1

- Say you have a signature scheme SScheme = (KGen, Sign, Vf)
- Say this scheme is unforgeable against CMA
- Modify the signature algorithm:
    $\mathrm{Sign}'_{sk}(m) = [\mathrm{Sign}_{sk}(m) \mid m]$
    $\mathrm{Vf}'_{pk}(m, m^*, \sigma) = 1$ iff $m = m^*$ and $\mathrm{Vf}_{pk}(m, \sigma) = 1$
- Is this still unforgeable against CMA?

Exercise 2

- We have an arbitrary unforgeable signature scheme: SScheme = (KGen, Sign, Vf)
- And we also have any IND-CCA encryption scheme EScheme = (KGen, Enc, Dec)
- Say we want to ensure that a confidential message comes from a given party. Can we send:
  • $\mathrm{Sign}_{sk}(\mathrm{Enc}_{pk}(m))$ ?
  • $\mathrm{Enc}_{pk}(m)$ ; $\mathrm{Sign}_{sk}(m)$ ?
  • $\mathrm{Enc}_{pk}(m \mid \mathrm{Sign}_{sk}(m))$ ?

Interlude

- What would we use in order to:
  • Send a confidential message
  • Encrypt a large document
  • Send a confidential AND authenticated message
  • Authenticate a message with non-repudiation
  • Authenticate a message without non-repudiation
- Find correspondences (the two columns are to be matched; they are not listed in matching order):
  • Confidentiality          • Hash function
  • Collision-resistance     • MAC code
  • Authenticity             • Symmetric encryption
  • Non-repudiation          • PK Encryption
  • Integrity                • Digital Signatures

Exercise 3

- The Hash paradigm for signatures $\mathrm{Sign}_{sk}(H(m))$:
  • Improves the security of signature schemes
  • Improves efficiency for signatures, making their size the same, irrespective of the message length
- Can we do the same for encryption schemes, i.e. use $\mathrm{Enc}_{pk}(H(m))$ instead of $\mathrm{Enc}_{pk}(m)$?
- Can we send just $H(\mathrm{Enc}_{pk}(m))$ instead of $\mathrm{Enc}_{pk}(m)$?

Exercise 4

- Symmetric encryption is faster than PK encryption
- Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message $m$ for Baptiste with this key.
- Baptiste does not know the secret key.
- By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt.
  • A public key encryption scheme
  • A symmetric encryption scheme
  • A signature scheme
  • A MAC scheme
  • A hash scheme

Exercise 5

- Amélie and Baptiste share a secret key for a MAC scheme
  [Diagram: Amélie and Baptiste exchange the messages $a_1$, $b_1$, $a_2$, $b_2$, ...]
- They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message:
    {<Name> || $a_1$ || $b_1$ || $a_2$ || $b_2$ … $a_n$ || $b_n$}
- How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations?

Exercise 6

- Consider the DSA signature scheme
- Say Amélie signs two different messages $m_1 \neq m_2$ with the same ephemeral value $k$ (and obviously the same private key $sk$)
- How would an attacker know from the signatures that the same ephemeral value was used for both signatures?
- Show how to retrieve $sk$ given the two signatures for $m_1$ and $m_2$

Exercise 7

- Amélie wants to do online shopping, say on Ebay
- She needs to establish a secure channel with an Ebay server, i.e. be able to exchange messages with its server confidentially and with integrity/authenticity
- This is actually done by sharing one MAC key and one symmetric encryption key between them
- The server has a certified RSA public encryption key, but Amélie does not
- How can Amélie make sure they share the two secret keys?
- How can they check that they are sharing the same keys?

Exercise 8

- List the properties of a hash function. Think of: input size, output size, who can compute it etc.
- Imagine we have a public key encryption scheme. We generate $sk$ and $pk$, but throw away $sk$ and publish $pk$
- We implement a hash scheme by using the PKE scheme, by using $H(m) := \mathrm{Enc}_{pk}(m)$
  • Should the PKE scheme be deterministic or probabilistic?
  • Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed?
  • Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee?

Exercise 9

- A pseudo-random generator is a deterministic function $G$ that takes as input a fixed-length string (a seed) $k$ and which outputs a much longer string $r$, such that $r$ looks random to any adversary
- Assume Amélie and Baptiste share a seed $k$
- Consider symmetric encryption with key $k$, where encryption is done as $\mathrm{Enc}_k(m) := G(k) \ \mathrm{XOR}\ m$, for messages $m$ of length equal to that of $G(k)$ (and padded otherwise)
  • Is this scheme deterministic or probabilistic?
  • Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext.
  • How can we make it secure even if the adversary can decrypt arbitrary ciphertexts?

Thanks!

CIDRE
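
Added example, not part of the original slides: the scheme of Exercise 9 written out in Python, showing that it is deterministic, that one decryption query on a modified ciphertext reveals the message, and one way to harden it. Assumptions of this example: SHAKE-256 stands in for G, the hardened variant keys G with (key, nonce) and treats it as a PRF, and all function names, the 16-byte nonce and HMAC-SHA256 are choices made here.

```python
import hashlib
import hmac
import os

def G(seed: bytes, n: int) -> bytes:
    """Stand-in PRG (assumption): SHAKE-256 stretches the seed to n bytes."""
    return hashlib.shake_256(seed).digest(n)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def enc(k: bytes, m: bytes) -> bytes:
    """Scheme from the exercise: Enc_k(m) = G(k) XOR m (no randomness, no tag)."""
    return xor(G(k, len(m)), m)

def dec(k: bytes, c: bytes) -> bytes:
    return xor(G(k, len(c)), c)

def recover_with_one_query(challenge: bytes, dec_oracle) -> bytes:
    """The oracle refuses only the challenge itself. Flipping known bits gives a
    different ciphertext whose plaintext is the target with the same bits flipped."""
    delta = b"\x01" * len(challenge)
    return xor(dec_oracle(xor(challenge, delta)), delta)

def enc_auth(k_enc: bytes, k_mac: bytes, m: bytes) -> bytes:
    """Hardened variant: fresh nonce per message, then encrypt-then-MAC."""
    nonce = os.urandom(16)
    c = xor(G(k_enc + nonce, len(m)), m)
    tag = hmac.new(k_mac, nonce + c, hashlib.sha256).digest()
    return nonce + c + tag

def dec_auth(k_enc: bytes, k_mac: bytes, blob: bytes):
    """Verify the tag first; any modified ciphertext is rejected (returns None)."""
    if len(blob) < 48:
        return None
    nonce, c, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(k_mac, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return xor(G(k_enc + nonce, len(c)), c)

if __name__ == "__main__":
    k, m = os.urandom(16), b"constructed sample message"
    c = enc(k, m)
    print("deterministic:", enc(k, m) == c)
    print("one query recovers m:", recover_with_one_query(c, lambda x: dec(k, x)) == m)
    ke, km = os.urandom(16), os.urandom(32)
    blob = enc_auth(ke, km, m)
    forged = blob[:16] + xor(blob[16:-32], b"\x01" * len(m)) + blob[-32:]
    print("tampered accepted:", dec_auth(ke, km, forged) is not None)
```

In deployed systems the same goal is met with a standard authenticated encryption mode such as AES-GCM or ChaCha20-Poly1305 rather than a hand-built construction.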