Cryptographic Protocols Flashcards
What is a cryptographic protocol?
A cryptographic protocol is defined as a series of steps and message exchanges between multiple entities in order to achieve a specific security objective.
Which additional characteristic a cryptographic protocol has that the others protocols doesn’t?
It should not be possible to do or learn more than what is specified in the protocol.
What is data origin authentication?
Data origin authentication is the security service that enables entities to verify that a message has been originated by a particular entity and that it has not been altered afterwards
data integrity is a synonym for which security service?
Data origin authentication
What is entity authentication?
Entity authentication is the security service, that enables
communication partners to verify the identity of their peer entities
why entity authentication is more than
an exchange of (data-origin-) authentic messages?
Because timeliness is also important to be sure that old messages are not being used to reply and that the person answering is really present on that moment.
What are the two principle means to ensure timeliness in cryptographic protocols?
Timestamps (require more or less synchronized clocks) and Random numbers (challenge-response exchanges)
which are the two main categories of protocols for entity authentication?
Arbitrated authentication and Direct authentication.
How does the arbitrated authentication protocol work?
an arbiter, also called trusted third party
(TTP) is directly involved in every authentication exchange
What are the main advantages of the arbitrated authentication protocol ?
- This allows two parties A and B to authenticate to each other without knowing any pre-established secret
- Even if A and B do not know each other, symmetric cryptography can be used
What are the drawbacksof the arbitrated authentication protocol ?
- The TTP can become a bottleneck, availability of TTP is critical
- The TTP can monitor all authentication activity
How does the Direct authentication protocol work?
A and B directly authenticate to each other
What is the main advantage of direct authentication protocol?
no online participation of a third party is required and no
possible performance bottleneck is introduced
What is the main drawback of direct authentication protocol?
requires asymmetric cryptography or pre-established secret keys
How does the Needham-Schroeder Protocol work?
It uses a trusted third party (TTP). first A sends a message asking the TTP for a key to send message to B. The message contains:
- A - > TTP: (A, B, r A )
The ttp then generates a key KA,B and send to A
- TTP → A: {r A , B, K A,B , {K A,B , A} K B,TTP } K A,TTP
A decrypts the message and by the random number rA A knows that it is a fresh message from TTP. After A sends a message to B:
- A → B: {K A,B , A} K B,TTP
B decrypts the message and obtains KB,TTP and send a random number to A:
- B → A: {r B } K A,B
A decrypts and answer with rB -1 and send it back to B.
- A → B: {r B -1} K A,B
B checks if the result is valid.
There are any mean to impersonate someone using the Needham-Schroeder Protocol?
Yes, since old messages continue to be valid, if someone knows K A,B, it can use latter to impersonate A party during a communication.
Which protocol solve the impersonate problem of the Needham-Schroeder one?
Otway-Rees Protocol, by adding a index to the exchange messages.
how the Otway-Rees Protocol solve the problem of replying old messages?
Instead of only send message to TTP, A send the random number either to TTP and to B. B sends a random number by its own and then share with TTP attaching the index and the random number from A. TTP send the message with both encrypted random number to B. B verifies its random number and then send the A part to A. A check i A and r A to see if they are unchanged. If yes, then A is sure about the authenticity of the key.
What is X.509?
X.509 is an international recommendation of ITU-T and defines a framework for provision of authentication
services, comprising Certification of public keys and certificate handling (format, hierarchy, revocation list) and Three different dialogues for direct authentication (one way and two way [requiring synchronized clocks] authentication and three way mutual authentication [entirely based on random numbers].
What happened when the private key of a
certification authority is compromised?
This implies, that all certificates signed with this key have to be revoked.
How Certificate revocation is realized?
by maintaining certificate revocation lists (CRL):
- CRLs are stored in the X.500 directory
- When checking a certificate, it has also to be checked that the certificate has not yet been revoked
- Certificate revocation is a relatively slow and expensive operation
What is Perfect Forward Secrecy?
It is a characteristic in which is guaranteed that a compromise of a key in the future will not allow to compromise any data that has been protected with this key exchanged before that compromise.
How can we guarantee the property of perfect forward secrecy (PFS)?
By doing the separation of key exchange and authentication of the exchange is possible to guarantee the property of perfect forward.
Which cryptographic protocol for key exchange does not realize any authentication?
The Diffie-Hellman protocol
What happens if it is used the diffie-hellman protocol to key exchange without authentication?
It cannot guarantee privacy of a communication following the exchange, it has to be combined with authentication.
How does secret splitting work?
The Trend generate n-1 random strings (where n is the number of people to share the secret) and XOR with the original message. Distribute the random strings and the result of the XOR to each one of the participants. To recover it, just XOR the result and the random strings to recover the message.
Secret splitting scheme is also known as…
all-or-nothing scheemes.
What is a Secret Sharing?
It is a Scheme to distribute a secret among a group of participants.
How does the (m,n)-threshold scheme work?
A secret is divided into n pieces, called shadows.
Any m of the shadows can be used to reconstruct the message M.
Example
Trent can divide his secret burger recipe among Alice, Bob, Carol, and Dave, such that any three of them can put their shadows together and reconstruct the burger recipe.
it is called a (3,4)-threshold scheme
how does Shamir‘s Secret Sharing Scheme work?
It is an (m,n)-threshold scheme and uses a polynomial to “solve” and keep the secret.
- Choose a public prime p, which is larger than the number of possible shadows and larger than the largest possible secret.
- Generate an arbitrary polynomial of degree m – 1.
e. g., for a (3,n)-threshold scheme, generate a quadratic polynomial (ax 2 + bx + M) mod p. - The coefficients are chosen randomly, they are kept secret and discarded after the shadows are handed out.
- The shadows are obtained by evaluating the polynomial at n different
points: k i = F(x i ), i=1,…,n.
How can a secret be shared by two hostile delegations?
To share the secret such that 2 out of 7 from Delegation A and 3 out of 12 from delegation B are required to reconstruct the secret.
To solve this problem, make a polynomial of degree 3 which is the product of a linear and a quadratic expression.
Then give all members of delegation A a shadow that is the result of an evaluation of the linear equation
And give all members of delegation B a shadow that is the result of an evaluation of the quadratic equation
This way, the delegations have to cooperate in order to reconstruct the secret, because none of them has enough knowledge on its own.
What is the Bit Commitment?
A protocol that allows a user to commit to a value while keeping it hidden and preserving the user’s ability to reveal the committed value later.
How does the protocol of Bit Commitment Using Symmetric Encryption work?
- Bob generates a random number R and sends it to Alice.
- Alice generates a random symmetric key k, sends back:
E k (R, committed bit) - Bob does not know k, so he cannot recover the committed bit.
- Later, Alice reveals the key k, so Bob can verify the
committed bit.
How does the Bit Commitment Using One-Way Functions work?
Alice generates two random-bit strings, R 1 and R 2 .
1. Alice creates a message consisting of her random strings and the bit she wishes to commit to: (R 1 , R 2 , b).
2. Alice computes a one-way function on the message and sends the result, as well as one of the random strings, to Bob: H(R 1 , R 2 , b) R 1 .
3. Later, when Alice reveals her bit, she sends Bob the
original message: (R 1 , R 2 , b).
4. Bob computes the hash value and compares it and R 1 ,
with the hash value and the random string he received in 3.
What is the goal of Fair Coin Tossing?
Create a random bit in a distributed setting between two parties without any party dictating.
How does the Fair Coin Tossing work?
Alice has a secret: the factorization of a number n=pq with p,q being large primes and
p congruent q congruent 3 mod n
- A sends n to B
- B picks a random x in sqr(n) < x < n with gcd(x,n)=1.
B computes a = x² mod n and sends it to A. - Knowing p and q, A computes the four solutions for the modular square root of a (using the Chinese Remainder Theorem). Call these x, n-x, y, and
n-y. A cannot distinguish between x or n-x and y or n-y. She choses one of the four at random and sends it to B. - If B receives x or n-x, he learns nothing. But, if he receives y or n-y, he can factor n by by computing gcd(x+y,n)=p or q. B tells A whether he got the
secret and if so wins, otherwise loses.
