CS 1653 - Applied Cryptography - Midterm
Merkle-Damgård construction
A "template" for constructing cryptographic hash functions
Specification
A collection of statements describing the desired functionality of a system
Shamir's scheme
A threshold (k-of-n) secret sharing scheme. Choose a random polynomial f of degree k-1 over a finite field with f(0) = D, the secret, and give each user one point (x, f(x)) with x ≠ 0. Any k points determine the polynomial by interpolation and so recover D (where the curve crosses the y axis); k-1 or fewer points reveal nothing about D.
Scytale
A tool used to perform a transposition cipher, consisting of a cylinder with a strip of parchment wound around it on which is written a message
An implementation...
Creates a functional system based on the design
Complete Mediation (principle c, Saltzer and Schroeder)
Every access to every object must be checked for authority.
Vigenere cipher
Uses a repeated key phrase to apply a different Caesar shift to each plaintext letter: plaintext letter i is shifted by key letter i mod (key length). Equivalently, set up a 26×26 tabula recta and look up the plaintext letter's column in the key letter's row. Because the key repeats, each column of the ciphertext (every k-th letter) is a plain Caesar cipher and falls to frequency analysis once the period is known.
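The Vigenère shift as code, with the Caesar cipher falling out as the one-letter-key case. This is an added worked example, not part of the original deck; it works on upper-case letters only, as the classical ciphers assume, and the sample plaintext and key are the usual textbook ones.

```python
import string

ALPHABET = string.ascii_uppercase


def _letters(text):
    """Classical ciphers work on letters only: drop spaces/punctuation, upper-case."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text, key, decrypt=False):
    """Shift plaintext letter i by key letter (i mod len(key)).

    Looking up row = key letter, column = plaintext letter in the 26x26
    tabula recta is the same as computing (p + k) mod 26.
    """
    text, key = _letters(text), _letters(key)
    if not key:
        raise ValueError("key must contain at least one letter")
    out = []
    for i, c in enumerate(text):
        shift = ALPHABET.index(key[i % len(key)])
        if decrypt:
            shift = -shift
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % 26])
    return "".join(out)


def caesar(text, shift, decrypt=False):
    """Caesar is Vigenère with a one-letter key: every letter gets the same shift."""
    return vigenere(text, ALPHABET[shift % 26], decrypt)


def column_frequencies(ciphertext, period):
    """Split the ciphertext into `period` columns. Each column is a single Caesar
    cipher, which is why a repeating key is breakable by frequency analysis
    once the period has been guessed (e.g. by Kasiski examination)."""
    cols = [ciphertext[i::period] for i in range(period)]
    return [{ch: col.count(ch) for ch in sorted(set(col))} for col in cols]


if __name__ == "__main__":
    ct = vigenere("ATTACK AT DAWN", "LEMON")
    print(ct, vigenere(ct, "LEMON", decrypt=True))
```
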
Security is based on _____ and _____
assumptions, trust
How can you use two challenges for mutual authentication?
(Bob ↔︎ Server) → I am Bob ← R1 → f(Kbs, R1) . . . server has authenticated Bob → R2 → f(Kbs, R2) . . . Bob has authenticated server
Vulnerability
A situation or condition that allows a threat to be realized (e.g., bad assumptions, bugs, backdoors)
In error prone environments, use the _____ block cipher mode of operation.
OFB
Zero knowledge (ZK) protocol
Prove knowledge of a secret without revealing anything about it beyond the fact that you know it. The course example (RSA: prove you hold the private key by decrypting something encrypted under the public key) is really a challenge-response proof of possession; answering arbitrary decryption challenges can leak information about the key or other ciphertexts, so it is not zero knowledge in the strict sense.
Steps in creating mechanisms
Specification, design, and implementation
Two types of stream ciphers
Synchronous and self-synchronizing
Availability
The ability to use information or resources
What are FAR and FRR in biometric authentication?
False Acceptance Rate (unauthorized entry) and False Rejection Rate (denial of service)
Steganography
Hiding secret messages within other nonsecret data
Assurance
How much a system can be trusted
Economy of Mechanism (principle a, Saltzer and Schroeder)
Keep the design as simple and as small as possible.
Atbash cipher
Maps A to Z, B to Y, C to X, etc.
SHA
Secure Hash Algorithm
A cryptosystem can be represented as a 5-tuple...
Tuple (E, D, M, C, K): - M is a message space - C is a ciphertext space - K is a key space - E: M × K → C is an encryption function - D: C × K → M is a decryption function
Using CBC for confidentiality as well as integrity
You need two keys. - Encrypt the message M in CBC mode using k1 to get ciphertext C1 = {c11, ..., c1n} - Encrypt M in CBC mode using k2 to get C2 = {c21, ..., c2n} - Transmit 〈C1, c2n〉: the last block c2n is the CBC residue under k2 and acts as a MAC (the receiver decrypts C1 with k1, recomputes the residue of M under k2, and compares). Caveat: a raw CBC residue is only a secure MAC for fixed-length messages, and the MAC key must differ from the encryption key.
The word cryptography means (linguistically)...
hidden, secret (kryptos) and writing (graphein)
Detecting malicious availability violations is _____
non-trivial
Saltzer and Schroeder's eight principles for building secure and functional systems
(a) Economy of Mechanism; (b) Fail-Safe Defaults; (c) Complete Mediation; (d) Open Design; (e) Separation of Privilege; (f) Least Privilege; (g) Least Common Mechanism; (h) Psychological Acceptability
One time pad
- Choose a uniformly random key that is as long as the plaintext, and use it for exactly one message - E(p) = p ⊕ k - D(c) = c ⊕ k
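The pad as code, together with the failure this deck lists later under "problems with one time pads": reusing the key. Added example, not from the course; the two sample messages are constructed, and the crib-dragging helper is the standard way an attacker exploits m1 ⊕ m2.

```python
import os


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def new_pad(length):
    """A fresh pad: uniformly random bytes, as long as the message. Use it once."""
    return os.urandom(length)


def otp_encrypt(plaintext, key):
    """E(p) = p XOR k. Refuses a pad shorter than the message (no wrapping, no reuse)."""
    if len(key) < len(plaintext):
        raise ValueError("pad must be at least as long as the plaintext")
    return xor_bytes(plaintext, key)


otp_decrypt = otp_encrypt  # D(c) = c XOR k: XOR is its own inverse


def two_time_pad_leak(c1, c2):
    """Two ciphertexts under the same pad: c1 XOR c2 = (m1 XOR k) XOR (m2 XOR k) = m1 XOR m2.
    The key cancels and the attacker holds the XOR of the two plaintexts."""
    return xor_bytes(c1, c2)


def crib_drag(xored_plaintexts, crib):
    """Slide a guessed fragment of one message (a 'crib') along m1 XOR m2; wherever the
    guess is right, the aligned bytes of the other message appear in the clear."""
    n = len(crib)
    return [(i, xor_bytes(xored_plaintexts[i:i + n], crib))
            for i in range(len(xored_plaintexts) - n + 1)]


if __name__ == "__main__":
    m1, m2 = b"ATTACK AT DAWN", b"DEFEND AT DUSK"        # constructed sample messages
    pad = new_pad(len(m1))
    c1, c2 = otp_encrypt(m1, pad), otp_encrypt(m2, pad)    # same pad twice: the mistake
    leak = two_time_pad_leak(c1, c2)
    print(crib_drag(leak, b"ATTACK")[0])                   # (0, b'DEFEND')
```
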
Three properties of cryptographic hash functions
- Preimage resistance (given a hash output value z, it should be infeasible to calculate a message x such that H(x) = z) - Second preimage resistance (given a message x, it is infeasible to calculate a second message y such that H(x) = H(y)) - Collision resistance (it is infeasible to find two messages x and y such that H(x) = H(y))
Hash function (definition, also called)
A function that maps a variable-length input to a fixed-length code. Also called message digest functions.
Threat
A potential violation of security (something you want to prevent from happening). Note: a violation need not occur for a threat to exist.
Block cipher
A symmetric key cipher that encrypts fixed-length blocks of plaintext at a time
How does salting passwords work (for storing them)? Why do this?
- Choose a random salt value for each user. - Hash the password together with the salt (classic Unix crypt "encrypted" with the password as key; today use a slow, iterated password hash such as PBKDF2, bcrypt or scrypt). - Store the username, salt, and salted hash. Pro: the same password hashes differently for every user, so an attacker cannot use a precomputed codebook (dictionary or rainbow table) against the whole database and must attack each record separately.
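Salted storage and verification as code (added example, not from the course), using PBKDF2-HMAC-SHA256 from the standard library. The iteration count is an assumption kept low so the demo runs quickly; production deployments use several times more and store the count alongside the hash, as done here.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumption: 100_000 keeps this demo quick;
# real deployments use a higher count and record it with each hash.
ITERATIONS = 100_000
SALT_BYTES = 16


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return (salt, iterations, digest). A fresh random salt per user means the same
    password produces a different digest in every record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def create_user(db, username, password):
    """Store username, salt, work factor and salted hash; never the password itself."""
    salt, iterations, digest = hash_password(password)
    db[username] = {"salt": salt, "iterations": iterations, "hash": digest}


def check_login(db, username, password):
    """Recompute with the stored salt and compare in constant time."""
    record = db.get(username)
    if record is None:
        # Do the same work as a real check so timing does not reveal valid usernames.
        hash_password(password, bytes(SALT_BYTES))
        return False
    _, _, digest = hash_password(password, record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def codebook_attack(db, precomputed):
    """Codebook lookup: `precomputed` maps digest -> password for common passwords hashed
    with one fixed salt. Against per-user random salts every lookup misses."""
    return {user: precomputed.get(rec["hash"]) for user, rec in db.items()}


if __name__ == "__main__":
    db = {}
    create_user(db, "alice", "hunter2")
    create_user(db, "bob", "hunter2")      # same password, different salt, different hash
    print(db["alice"]["hash"] != db["bob"]["hash"], check_login(db, "alice", "hunter2"))
```
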
What do you need to do to break RSA (four things)?
- Factor n to find p and q - Determine ɸ(n) without factoring n - Determine d without factoring n or learning ɸ(n) - Learn to take eth roots modulo n
How does a hybrid cryptosystem with RSA work?
- Generate a symmetric key kˢ - Encrypt m with kˢ - Use RSA to encrypt kˢ using public key k - Transmit Eᵏˢ(m), Eᵏ(kˢ)
RSA (threshold variant)
- Split the RSA decryption exponent d into shares using Shamir's secret sharing approach. - Given a message m, each signer computes a partial signature of m using his or her share of the decryption exponent (m raised to the share, mod n) - Any k partial signatures are combined by multiplying them together, each first raised to its Lagrange coefficient so that the exponents sum to d - Result: the ordinary RSA signature on m (m^d mod n), without any single party ever holding d
Digital signatures with public key cryptography
- To sign a message, compute D(m, k⁻¹) (i.e., apply the private-key operation to m; in practice to a hash of m) - Transmit m and D(m, k⁻¹) to the recipient - The recipient uses the sender's public key k to verify that E(D(m, k⁻¹), k) = m
Proactive secret sharing (threshold cryptography)
- Update secret shares at the start of each epoch - New shares should invalidate old shares! - Secret should not change (despite new shares) - Shares from new epoch cannot be used in conjunction with old shares
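Shamir's scheme and the proactive refresh described on these two cards as one runnable example (added here, not the course's code): polynomial sharing over a prime field, Lagrange reconstruction at x = 0, and a refresh that adds shares of a random polynomial with constant term 0, so that new shares still give D but old and new shares no longer combine. For brevity a single dealer produces the zero-sharing; in a real proactive protocol every party contributes one.

```python
import secrets

# Field for the shares: 2^127 - 1 is prime, so any secret below it fits.
P = 2**127 - 1


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... mod P."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_secret(secret, k, n):
    """Random polynomial of degree k-1 with f(0) = secret; share i is (i, f(i)), i = 1..n."""
    if not 0 <= secret < P:
        raise ValueError("secret must lie in the field")
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0. Any k distinct points fix the degree-(k-1)
    polynomial; fewer than k leave f(0) completely undetermined."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret


def refresh_shares(shares, k):
    """Proactive refresh for a new epoch: add to each share a share of a fresh random
    polynomial g with g(0) = 0. (f + g)(0) is still the secret (robustness), but a
    mixture of old and new shares interpolates to garbage (old shares are invalidated)."""
    zero_shares = dict(split_secret(0, k, max(x for x, _ in shares)))
    return [(x, (y + zero_shares[x]) % P) for x, y in shares]


if __name__ == "__main__":
    D = 0x5EC2E7                       # constructed sample secret
    old = split_secret(D, 3, 5)        # 3-of-5
    new = refresh_shares(old, 3)
    print(recover_secret(old[:3]) == D, recover_secret(new[2:]) == D,
          recover_secret([old[0], new[1], new[2]]) == D)   # True True False
```
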
Steps in creating security
1. Identify threats 2. Define policies to protect against threats 3. Develop mechanisms to enforce policies 4. Operate and maintain 5. Repeat
Basic login-only protocol
1. Server asks for password. 2. User sends password to server (in cleartext, so an eavesdropper can capture and replay it). 3. Server responds OK.
Stream cipher
A symmetric key cipher where plaintext bytes are combined with a pseudorandom cipher byte stream (keystream). Each plaintext byte is encrypted one at a time with the corresponding byte of the keystream, to give a byte of the ciphertext stream.
Semantic security
A system is semantically secure if no efficient adversary can win the following game with probability noticeably better than 1/2. Test: the adversary chooses two equal-length messages m0 and m1 and sends them to the challenger. The challenger picks a random bit b, encrypts mb, and returns the ciphertext. The adversary must guess b. If he has a non-negligible advantage over random guessing, the system is not semantically secure. (A deterministic scheme such as ECB fails as soon as the adversary can also obtain encryptions of messages of his choice.)
Three properties of computer security
Confidentiality, Integrity, and Availability
CTR mode (definition, pros, con)
Counter Mode. Generates a key stream independently of the data: for block i, encrypt (nonce ∥ counter i) and XOR the result with the plaintext block; decryption is the same operation. Pros: the expensive block-cipher operations can be done offline; encryption/decryption is just an XOR; blocks are independent, so you can encrypt/decrypt starting anywhere in the message (and in parallel). Con: a (key, nonce) pair must never be reused; two messages under the same pair share a keystream and their XOR leaks the XOR of the plaintexts. Like any stream mode it provides no integrity on its own.
Reference monitor
Design requirements which enforce access control over users' ability to perform operations on objects in a system
ECB mode (definition, pros, cons)
Electronic CodeBook mode (block cipher mode). The most obvious mode: split the message into blocks of the cipher's block size and encrypt each block independently with the key. Pro: errors in ciphertext do not propagate past a single block. Cons: identical plaintext blocks produce identical ciphertext blocks, so an attacker can build a codebook and see patterns in the data; blocks can be replayed, reordered or deleted without detection.
MD5
Message Digest algorithm (version 5); 128-bit digest. Collisions can now be produced in seconds, so it is no longer acceptable for signatures or anything else that needs collision resistance.
Least Common Mechanism (principle g, Saltzer and Schroeder)
Minimize the amount of mechanism common to more than one user and depended on by all users (e.g., virtual memory, virtual machines).
Pros and cons of integrity mechanisms that DETECT violations
Pro: often easier to design than prevention mechanisms; Con: causes of violations often remain unknown
Pros and cons of the following one-message protocol: Bob → I am Bob, { timestamp }Kbs → Server
Pros: Better than protocols that send cleartext passwords. Only requires one message. Server doesn't have to maintain history of challenges. Cons: Bob and the server need synchronized clocks. Attackers can reuse Bob's encrypted timestamp to log into other servers within the time window. If attacker can rollback server clock, they can reuse old timestamps.
Transposition cipher
Reorders (i.e., transposes) the characters in the plaintext message
Separation of Privilege (principle e, Saltzer and Schroeder)
Requiring two keys is more robust than requiring a single key.
Two security properties of proactive secret sharing
Robustness (new shares still correspond to the secret D) and Secrecy (an adversary that at any time period knows no more than 𝑘 − 1 shares learns nothing about the secret)
How can Bob send Alice a secret message using encryption, HMAC, an encryption key (ke), and an authentication key (ka)?
Send: E[ke](m), HMAC(ka, E[ke](m))
Caesar cipher
Shift the letters in the plaintext by an index, wrapping around the alphabet at the ends
Digraph ciphers
Substitute pairs of letters—rather than single letters—for one another
Open Design (principle d, Saltzer and Schroeder)
The design of a system should not be secret; its security should rest on the secrecy of keys or passwords, not on attackers' ignorance of the mechanism.
Attack
The exploitation of a vulnerability to realize a threat
Confidentiality
The need to conceal information or resources
Authentication
The process through which an identity is bound to a subject
Problem with the reference monitor approach
We have to trust the OS kernel to uphold the access control requirements
Security is not a(n) _____ _____, it is a(n) _____
absolute property, process
Example types of confidentiality
Data (know bank balance), existence (know I shop at XYZ.com), and configuration (know what software I run)
Two types of integrity
Data integrity (Is my bank balance correct?) and origin integrity (Was this software written by Microsoft?)
Psychological Acceptability (principle h, Saltzer and Schroeder)
Design the human interface for ease of use, so that users automatically apply the protection mechanisms correctly.
Four categories of threats
Disclosure (information leakage), Deception (acceptance of false information), Disruption (interruption or prevention of correct operation), and Usurpation (unauthorized control of some part of the system)
Least Privilege (principle f, Saltzer and Schroeder)
Every program and every user of the system should operate using the least set of privileges necessary.
Encryption guarantees integrity/authenticity (T/F)
False. Encryption hides content, but most modes are malleable: in a stream cipher, CTR or OFB, flipping a ciphertext bit flips the same plaintext bit. A CRC detects random errors (bit flips), but it is a linear function, so an attacker can adjust even an encrypted CRC to match his modification, and can simply recompute it if it is not encrypted. Integrity and authenticity require a keyed MAC.
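To make the T/F concrete, and to tie it to the encrypt-then-MAC recipe given earlier in this deck (send E[ke](m), HMAC(ka, E[ke](m))): an added example, not the course's code, using a SHA-256 counter keystream as a stand-in stream cipher. The keys, nonce and the "PAY $0100" message are constructed for the demo.

```python
import hashlib
import hmac
import zlib

TAG_BYTES = 32    # HMAC-SHA256 output
NONCE_BYTES = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(key, nonce, length):
    """Toy synchronous keystream: SHA-256(key || nonce || counter) blocks (stand-in for CTR)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:length]


def stream_crypt(key, nonce, data):
    """XOR with the keystream; the same call encrypts and decrypts."""
    return _xor(data, keystream(key, nonce, len(data)))


# --- Weak design: "integrity" from a CRC32 appended to the message before encryption ---

def encrypt_with_crc(key, nonce, m):
    return stream_crypt(key, nonce, m + zlib.crc32(m).to_bytes(4, "big"))


def decrypt_check_crc(key, nonce, c):
    p = stream_crypt(key, nonce, c)
    m, tag = p[:-4], p[-4:]
    return m, zlib.crc32(m).to_bytes(4, "big") == tag


def crc_forge(c, offset, old, new):
    """Attacker with no key changes `old` to `new` at `offset` in the plaintext.
    Flipping ciphertext bits flips plaintext bits (stream-cipher malleability), and
    CRC32 is affine: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(0...0) for equal lengths, so
    the encrypted CRC is patched by XORing crc(d) ^ crc(zeros) into it."""
    m_len = len(c) - 4
    delta = bytes(offset) + _xor(old, new) + bytes(m_len - offset - len(old))
    fix = (zlib.crc32(delta) ^ zlib.crc32(bytes(m_len))).to_bytes(4, "big")
    return _xor(c[:m_len], delta) + _xor(c[m_len:], fix)


# --- Sound design: encrypt-then-MAC with separate keys ke and ka ---

def encrypt_then_mac(ke, ka, nonce, m):
    c = stream_crypt(ke, nonce, m)
    tag = hmac.new(ka, nonce + c, hashlib.sha256).digest()   # MAC covers nonce and ciphertext
    return nonce + c + tag


def decrypt_verify(ke, ka, packet):
    """Check the tag first, in constant time; decrypt only if it matches."""
    nonce, c, tag = packet[:NONCE_BYTES], packet[NONCE_BYTES:-TAG_BYTES], packet[-TAG_BYTES:]
    expected = hmac.new(ka, nonce + c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return stream_crypt(ke, nonce, c)


if __name__ == "__main__":
    ke, ka, nonce = b"e" * 32, b"a" * 32, bytes(NONCE_BYTES)   # constructed demo keys
    m = b"PAY $0100 TO ALICE"
    forged = crc_forge(encrypt_with_crc(ke, nonce, m), 5, b"0100", b"9999")
    print(decrypt_check_crc(ke, nonce, forged))      # (b'PAY $9999 TO ALICE', True)
    pkt = bytearray(encrypt_then_mac(ke, ka, nonce, m))
    pkt[NONCE_BYTES + 5] ^= 0x01                     # same kind of tampering
    print(decrypt_verify(ke, ka, bytes(pkt)))        # None: rejected
```
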
Playfair cipher
First build a 5x5 table using a secret keyphrase - Write the keyphrase left to right, top to bottom - Skip any repeated letters - Fill in the remaining cells with the rest of the alphabet (26 letters are reduced to 25, usually by combining I/J or dropping Q) To encrypt a message: - Break the message into pairs of letters, inserting an X between the two letters of a repeated pair and padding an odd final letter with X - Encrypt each digraph using the table (if both letters are in the same row, take the letters to their right; if in the same column, the letters below; otherwise they are two corners of a rectangle and each is replaced by the letter in its own row at the other corner) To decrypt, reverse the shifts (left / above); the rectangle rule is its own inverse.
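The procedure above in code (added example, not from the course), using the classic PLAYFAIR EXAMPLE key square with J folded into I. The digraph splitter implements the repeated-letter and odd-length rules, and decryption reuses the same shift routine with the direction reversed.

```python
LETTERS25 = "ABCDEFGHIKLMNOPQRSTUVWXYZ"   # J is folded into I


def _norm(text):
    return [("I" if c == "J" else c) for c in text.upper() if c.isalpha()]


def playfair_table(keyphrase):
    """5x5 key square as a 25-letter list: keyphrase letters (duplicates skipped) left to
    right, top to bottom, then the rest of the alphabet. Position p -> (p // 5, p % 5)."""
    table = []
    for c in _norm(keyphrase) + list(LETTERS25):
        if c not in table:
            table.append(c)
    return table


def playfair_digraphs(plaintext):
    """Pair the letters, inserting a filler (X, or Q when the letter itself is X) between
    the two letters of a repeated pair and after an odd final letter."""
    letters = _norm(plaintext)
    pairs, i = [], 0
    while i < len(letters):
        a = letters[i]
        filler = "Q" if a == "X" else "X"
        b = letters[i + 1] if i + 1 < len(letters) else filler
        if a == b:
            pairs.append(a + filler)
            i += 1                  # the second letter starts the next pair
        else:
            pairs.append(a + b)
            i += 2
    return pairs


def _shift(table, a, b, d):
    """Apply the Playfair rule to one digraph; d = +1 encrypts, d = -1 decrypts."""
    ra, ca = divmod(table.index(a), 5)
    rb, cb = divmod(table.index(b), 5)
    if ra == rb:    # same row: letter to the right (left when decrypting), wrapping
        return table[ra * 5 + (ca + d) % 5] + table[rb * 5 + (cb + d) % 5]
    if ca == cb:    # same column: letter below (above when decrypting), wrapping
        return table[((ra + d) % 5) * 5 + ca] + table[((rb + d) % 5) * 5 + cb]
    # rectangle: each letter is replaced by the one in its own row at the other corner
    return table[ra * 5 + cb] + table[rb * 5 + ca]


def playfair_encrypt(plaintext, keyphrase):
    table = playfair_table(keyphrase)
    return "".join(_shift(table, p[0], p[1], +1) for p in playfair_digraphs(plaintext))


def playfair_decrypt(ciphertext, keyphrase):
    table = playfair_table(keyphrase)
    c = _norm(ciphertext)
    return "".join(_shift(table, c[i], c[i + 1], -1) for i in range(0, len(c) - 1, 2))


if __name__ == "__main__":
    ct = playfair_encrypt("Hide the gold in the tree stump", "PLAYFAIR EXAMPLE")
    print(ct, playfair_decrypt(ct, "PLAYFAIR EXAMPLE"))
```
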
How does AES work (high and mid levels)?
High level: a substitution-permutation network applying confusion and diffusion to 128-bit blocks over 10 rounds (AES-128; 12 and 14 rounds for 192- and 256-bit keys). Mid level: - Key expansion derives 11 round keys from the 128-bit key - XOR the state with round key 0 - Each round: SubBytes (a fixed nonlinear S-box applied to every byte; confusion) - ShiftRows (rotates the rows of the 4×4 byte state; diffusion) - MixColumns (mixes the bytes within each column; more diffusion) - AddRoundKey (XOR with that round's key), and repeat; the final round omits MixColumns.
RSA key generation and usage
Key generation: - Choose two large prime numbers p and q, compute n = pq - Compute φ(n) = (p-1)(q-1) - Choose an integer e such that gcd(e, φ(n)) = 1 - Calculate d such that ed ≡ 1 (mod φ(n)) - Public key: (n, e) - Private key: (p, q, d) Usage: - Encryption: C = Mᵉ (mod n) - Decryption: Cᵈ (mod n) = Mᵉᵈ (mod n) = M^(kφ(n) + 1) (mod n) = M (mod n), by Euler's theorem. Textbook RSA as written is deterministic and malleable; real systems pad M (OAEP for encryption, PSS for signatures).
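Key generation and use as code, plus two of the facts from earlier cards (knowing φ(n) gives d; textbook RSA is multiplicatively malleable, and signing is the private-key operation on a hash). This is an added example, not the course's code: toy 512-bit keys, no padding, and a seeded generator purely so the demo is reproducible; real key generation must use a CSPRNG.

```python
import hashlib
import math
import random


def is_probable_prime(n, rounds=32):
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(candidate):
            return candidate


def rsa_keygen(bits=512, seed=None, e=65537):
    """Returns (public, private) = ((n, e), (n, d, p, q)). `seed` exists only so the demo is
    reproducible; production code uses the secrets module, never a seeded PRNG."""
    rng = random.Random(seed)
    while True:
        p, q = random_prime(bits // 2, rng), random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    d = pow(e, -1, phi)                    # e*d = 1 (mod phi(n))
    return (p * q, e), (p * q, d, p, q)


def rsa_encrypt(pub, m):
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)


def rsa_decrypt(priv, c):
    n, d, _, _ = priv
    return pow(c, d, n)                    # c^d = m^(ed) = m^(k*phi(n)+1) = m (mod n)


def _digest_int(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big")


def rsa_sign(priv, message):
    """Signature = private-key operation on the message hash, D(H(m), k^-1)."""
    n, d, _, _ = priv
    return pow(_digest_int(message), d, n)


def rsa_verify(pub, message, signature):
    n, e = pub
    return pow(signature, e, n) == _digest_int(message)


def d_from_phi(e, phi):
    """Anyone who learns phi(n), e.g. by factoring n, recovers the private exponent."""
    return pow(e, -1, phi)


def is_malleable(pub, m, factor):
    """Textbook RSA: E(m) * E(factor) = E(m * factor) mod n, so a ciphertext can be turned
    into the encryption of a related message without the key."""
    n, _ = pub
    return (rsa_encrypt(pub, m) * rsa_encrypt(pub, factor)) % n == rsa_encrypt(pub, (m * factor) % n)


if __name__ == "__main__":
    pub, priv = rsa_keygen(512, seed=2024)
    print(rsa_decrypt(priv, rsa_encrypt(pub, 42)), rsa_verify(pub, b"hello", rsa_sign(priv, b"hello")))
```
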
HMAC
Keyed-Hash Message Authentication Code. A cryptographically strong MAC built from any hash function H (e.g., HMAC-SHA-1, HMAC-SHA-256): HMAC(K, m) = H((K ⊕ opad) ∥ H((K ⊕ ipad) ∥ m)). The nested construction avoids the length-extension weakness of the naive H(K ∥ m) for Merkle-Damgård hashes.
MAC
Message Authentication Code. An algorithm which takes as input a message and a secret key and produces a fixed-sized output which can be later on verified to match the message; the verification also requires the same secret key.
OFB mode (definition, pro, con)
Output Feedback Mode. Can be used to construct a synchronous stream cipher from a block cipher: repeatedly encrypt the IV (each output block is the input to the next encryption) and XOR each output block with the plaintext. Pros: key stream generation can occur offline, and a flipped ciphertext bit flips only the corresponding plaintext bit. Cons: loss of synchronization (a dropped or inserted bit) garbles everything that follows, and a (key, IV) pair must never be reused.
The secrecy of a stream cipher depends entirely on __________
the unpredictability of the keystream generator (PRNG): a predictable or reused keystream breaks it, exactly as for a one-time pad
Problems with one time pads
Predictable keys, key reuse, and key distribution
"Something you know" authentication pro and con
Pro: easy to implement; Con: many times, the assumption of secrecy is questionable
Pros and cons of integrity mechanisms that PREVENT violations
Pro: keeps system consistent; Con: difficult to design ("easy to keep bad guys out," but how to identify malicious insiders?)
Three general types of authentication
Something you know, have, or are
Substitution cipher
Substitute one or more characters in the plaintext alphabet with one or more characters in the ciphertext alphabet
Chosen plaintext attack
The adversary has access to the cryptographic algorithm and may encrypt anything that he chooses. The resulting (plaintext, ciphertext) pairs are then used to guide attempts at breaking the cipher.
Ciphertext only attack
The adversary has ciphertext that can be analyzed offline to attempt to break the cipher
Known plaintext attack
The adversary has some number of (plaintext, ciphertext) pairs that can be used to guide his attempt at breaking the cipher
Cryptography provides _____ confidentiality, but not always _____ confidentiality.
data, existence (i.e., you can still tell that information is being sent from a source to a certain destination)
There are two defining features (spectrums) of biometric authentication. Is the biometric login _____ or _____? Will it provide _____ or _____ authentication?
monitored or unmonitored; primary or secondary
Using CBC residue as a MAC
- Use a block cipher in CBC mode (zero IV) to encrypt m using the shared key k - Save the CBC residue r (the last ciphertext block) and discard the rest - Transmit m and r to the remote party - The remote party recomputes the CBC residue of m under k and compares it with r Cons: this gives integrity, but not confidentiality (m is sent in the clear); the raw CBC residue is only a secure MAC for fixed-length messages, and k must not be the same key used to encrypt m in CBC mode.
Malleable cryptosystem
Allows meaningful modifications to be made to ciphertexts without revealing the underlying plaintext (e.g., textbook RSA: E(m1)·E(m2) = E(m1·m2) mod n; stream ciphers: flipping a ciphertext bit flips the corresponding plaintext bit).
Diffie-Hellman protocol
Allows two parties to agree on a shared secret over an entirely public channel (key exchange): Alice sends gᵃ mod p, Bob sends gᵇ mod p, and both compute gᵃᵇ mod p. Unauthenticated Diffie-Hellman is vulnerable to a man-in-the-middle who runs a separate exchange with each side.
Initialization Vector
An IV is data used as the starting input of a block cipher mode (the block XORed into the first plaintext block in CBC, the first cipher input in OFB/CFB, the initial counter in CTR). It need not be secret (the receiver must know it to decrypt), but it must never be reused with the same key; for CBC it must also be unpredictable to an attacker who can choose plaintexts, otherwise chosen-plaintext attacks become possible.
Fail-Safe Defaults (principle b, Saltzer and Schroeder)
Base decisions on permissions rather than exclusions.
Why does the following protocol (merging the two-challenge mutual authentication protocol into three lines) allow for a reflection attack? (Bob ↔︎ Server) → I am Bob, R2 ← R1, f(Kbs, R2) → f(Kbs, R1)
Because the same symmetric key is used in both directions, the server will compute f(Kbs, ·) on any challenge it is handed, so an attacker can open a second session and use the server as an oracle to answer the server's own challenge: (Malicious User ↔︎ Server) → I am Bob, R2 ← R1, f(Kbs, R2) [NEW SESSION] → I am Bob, R1 ← R3, f(Kbs, R1) [BACK IN THE OLD SESSION] → f(Kbs, R1). Fixes: use different keys (or domain-separated inputs) for the two directions, or require the initiator to answer first.
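The merged three-message protocol, an honest Bob, and the reflection attack against it as runnable code (added example, not from the course). f(K, R) is instantiated as HMAC-SHA256; the optional direction tags are one standard fix, assumed here rather than taken from the deck, and they show why the attack then fails.

```python
import hashlib
import hmac
import os


def f(key, challenge):
    """The keyed response function f(K, R); HMAC-SHA256 stands in for the course's f."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    """Merged three-message protocol:
         1. Client -> Server: "I am Bob", R2
         2. Server -> Client: R1, f(Kbs, R2)      # server answers Bob, issues its own challenge
         3. Client -> Server: f(Kbs, R1)          # client answers the server
    With direction_tags=True the two directions are domain-separated (the usual fix)."""

    def __init__(self, keys, direction_tags=False):
        self.keys = keys
        self.sessions = {}
        self.tags = (b"S:", b"C:") if direction_tags else (b"", b"")

    def hello(self, name, r2):
        r1 = os.urandom(16)
        sid = os.urandom(8)
        self.sessions[sid] = (name, r1)
        return sid, r1, f(self.keys[name], self.tags[0] + r2)

    def finish(self, sid, response):
        name, r1 = self.sessions.pop(sid)
        return hmac.compare_digest(response, f(self.keys[name], self.tags[1] + r1))


def honest_bob(server, kbs):
    """Bob checks the server's answer to his challenge, then answers the server's."""
    r2 = os.urandom(16)
    sid, r1, proof = server.hello("Bob", r2)
    if not hmac.compare_digest(proof, f(kbs, server.tags[0] + r2)):
        return False                          # server failed to authenticate to Bob
    return server.finish(sid, f(kbs, server.tags[1] + r1))


def reflection_attack(server):
    """Mallory holds no key. Session A: send any R2, receive the server's challenge R1.
    Session B: present R1 as *her* challenge; the server answers with f(Kbs, R1).
    Replay that answer to finish session A as Bob."""
    sid_a, r1, _ = server.hello("Bob", os.urandom(16))
    _sid_b, _, answer = server.hello("Bob", r1)
    return server.finish(sid_a, answer)


if __name__ == "__main__":
    kbs = os.urandom(32)
    weak = Server({"Bob": kbs})
    fixed = Server({"Bob": kbs}, direction_tags=True)
    print(honest_bob(weak, kbs), reflection_attack(weak))     # True True  (attack succeeds)
    print(honest_bob(fixed, kbs), reflection_attack(fixed))   # True False (attack fails)
```
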
What are some problems with the following authentication protocol? (Bob ↔︎ Server) → I am Bob ← R → f(Kbs, R)
Bob does not authenticate the server, so anyone could pose as the server. Because the protocol ends as soon as Bob is authenticated and the following messages are neither encrypted nor integrity-protected, an attacker in the middle can let the exchange complete and then hijack the conversation after f(Kbs, R) is sent. The challenge R must also be fresh and unpredictable, or a recorded response can be replayed.
For encrypting streams of characters entered at, e.g., a text terminal, use the _____ block cipher mode of operation.
CFB (usually 8-bit CFB)
CBC mode (definition, pro)
Cipher Block Chaining (block cipher mode). Each plaintext block is XORed with the previous ciphertext block prior to encryption; the first block uses an Initialization Vector (IV). Pro: identical plaintext blocks no longer produce identical ciphertext blocks, since each ciphertext block depends on all preceding plaintext, so the codebook and block replay attacks against ECB no longer work. A ciphertext error garbles the affected block and flips the corresponding bit of the next block only.
CFB mode (definition, pro)
Cipher Feedback Mode (block cipher mode). Encrypt the IV, then XOR it with plaintext 1 to generate ciphertext 1. Then encrypt ciphertext 1 and XOR it with plaintext 2, etc. Pro: can be used to develop an m-bit cipher based upon an n-bit block cipher, where m ≤ n by using a shift-register approach.
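The five modes on these cards (ECB, CBC, CTR, OFB, CFB) side by side on one toy block cipher, plus the CBC residue used as a MAC earlier in the deck. This is an added example, not the course's code: the 8-byte Feistel cipher is a stand-in for AES/DES and is not secure, the keys and messages are constructed, and the helpers at the end exist to observe the codebook and error-propagation behaviour the cards describe.

```python
import hashlib

BLOCK = 8       # toy 64-bit block size
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, half, i):
    """Feistel round function: keyed hash of one half, truncated to half a block."""
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key, block):
    """Toy Feistel block cipher (stand-in for AES/DES): (L, R) -> (R, L ^ F(R)) per round."""
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):
        l, r = r, _xor(l, _round_fn(key, r, i))
    return l + r


def block_decrypt(key, block):
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, l, i)), l
    return l + r


def _blocks(data, exact=False):
    if exact and len(data) % BLOCK:
        raise ValueError("ECB/CBC need a whole number of blocks (pad first)")
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, pt):
    return b"".join(block_encrypt(key, b) for b in _blocks(pt, exact=True))


def ecb_decrypt(key, ct):
    return b"".join(block_decrypt(key, b) for b in _blocks(ct, exact=True))


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for b in _blocks(pt, exact=True):
        prev = block_encrypt(key, _xor(b, prev))        # C_i = E(P_i ^ C_{i-1}), C_0 = IV
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct, exact=True):
        out.append(_xor(block_decrypt(key, c), prev))   # P_i = D(C_i) ^ C_{i-1}
        prev = c
    return b"".join(out)


def cbc_residue(key, msg):
    """CBC residue / CBC-MAC: last block of CBC with a zero IV. Fixed-length messages only."""
    return cbc_encrypt(key, bytes(BLOCK), msg)[-BLOCK:]


def ctr_crypt(key, nonce, data):
    """CTR: keystream block i = E(nonce || i); encryption and decryption are the same call."""
    out = []
    for i, b in enumerate(_blocks(data)):
        counter_block = nonce[:BLOCK // 2] + i.to_bytes(BLOCK // 2, "big")
        out.append(_xor(b, block_encrypt(key, counter_block)))
    return b"".join(out)


def ofb_crypt(key, iv, data):
    """OFB: keystream S_i = E(S_{i-1}), S_0 = IV; a synchronous stream cipher."""
    out, s = [], iv
    for b in _blocks(data):
        s = block_encrypt(key, s)
        out.append(_xor(b, s))
    return b"".join(out)


def cfb_encrypt(key, iv, pt):
    """CFB: C_i = P_i ^ E(C_{i-1}); self-synchronizing because the keystream depends on ciphertext."""
    out, prev = [], iv
    for b in _blocks(pt):
        prev = _xor(b, block_encrypt(key, prev))
        out.append(prev)
    return b"".join(out)


def cfb_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(c, block_encrypt(key, prev)))
        prev = c
    return b"".join(out)


def flip_bit(data, byte_index):
    """Simulate a one-bit transmission error in the given byte."""
    b = bytearray(data)
    b[byte_index] ^= 0x01
    return bytes(b)


def damaged_blocks(original, decrypted):
    """Indices of plaintext blocks that changed: how far a ciphertext error propagates."""
    return [i for i, (a, b) in enumerate(zip(_blocks(original), _blocks(decrypted))) if a != b]
```

With a plaintext whose first two blocks are identical, `ecb_encrypt` returns two identical ciphertext blocks while `cbc_encrypt` does not; flipping one ciphertext bit in block 1 damages blocks 1 and 2 under CBC and CFB, block 1 only under ECB and CTR, and exactly one plaintext bit under OFB.
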
CRC (definition)
Cyclic Redundancy Check. An error-detecting code for detecting accidental changes to data.
Self-synchronizing stream cipher (definition, pros, and cons)
The key stream is a function of some number of ciphertext bits (i.e., uses several of the previous N ciphertext digits to compute the keystream). Advantages: decryption key stream automatically synchronized with encryption key stream after receiving n ciphertext bits; and less frequent key changes, since key stream is a function of key and ciphertext. Disadvantage: vulnerable to replay attack.
Synchronous stream cipher (definition, pros, and cons)
The key stream is generated independently of the ciphertext. Advantages: does not propagate transmission errors, prevents insertion attacks, and the keystream can be pre-generated. Disadvantage: may need to change keys often if periodicity of PRNG is low.
Integrity
The trustworthiness of information or resources
Rail fence cipher
To encrypt, write the message across a number of "fence posts," then read down each post for the ciphertext. To decrypt, set up fence posts and write message down posts.
A system design...
Translates a specification into components that will actually be implemented