Cryptography III Flashcards

1
Q

What is the role of a Digital Signature?

A
  • it proves that a message is from a certain someone
2
Q

What are the goals for a Digital Signature?

A
  1. Authenticity
    - binds identity to a message
    - provides assurance of the signer
  2. Unforgeability
    - attacker cannot forge a signature for a different identity
  3. Nonrepudiation
    - signer cannot deny signing a message
  4. Integrity
    - attacker cannot take A’s signature for a message and use it to sign another message
3
Q

How does Digital Signing work with public-key encryption?

A
  • since the order of encryption and decryption can be reversed:
  • to get a digital signature S on M => decrypt the plaintext message M with the secret key
  • knowing A’s PK, B can verify the validity of S on M
  • B encrypts S with PK, checks if the result is M
4
Q

How does Digital Signature work with Hashes?

A

Sign: S = D_SK(h(M))
Verify: h(M) == E_PK(S)

  • combines the security of digital signatures with the collision resistance property of hash functions
5
Q

What is the issue with Encrypt then Sign? How to fix?

A
  • adversary can unsign and sign with own signature => receiver thinks the message comes from the attacker

FIX: Sign then Encrypt

6
Q

What is a MAC? What does it guarantee?

A

= Message Authentication Codes
- similar to a digital signature but SYMMETRIC
=> does not provide nonrepudiation (since whoever can verify can also sign)

- provides a guarantee that the message came from a certain sender and has not been changed

7
Q

Properties of MACs

A
  1. Unforgeability
    - even after seeing many MAC-message pairs, attacker cannot produce a valid MAC for a new M
  2. Integrity
    - if the MAC or message is altered, recipient can detect it
8
Q

What are the ways to implement MACs?

A
  1. CBC-MAC
    - using a block cipher in CBC mode, encrypt message and use last cipher block as MAC
    - tweaks: fix IV to 0; prepend each message with its length
  2. HMAC
    - use a hash function and a shared secret
9
Q

What is a possible attack on CBC-MAC?

A

an attacker knows two messages and their MAC tags:
Message 1: m=P[0],P[1] → MAC tag is t
Message 2: m′=P[0]′,P[1]′ → MAC tag is t′

create a fake message: m′′=P[0],P[1],P[0]′⊕t,P[1]′

=> the last cipher block equals t′, so t′ is a valid tag for m′′
=> this is a valid message (even if it might be basically garbage, the attacker still shouldn't be able to impersonate someone)

10
Q

What is MAC-then-Encrypt (MtE)?

A

A cryptographic approach where a MAC is computed on the plaintext, then the message and MAC are encrypted together.

11
Q

What are the steps of MAC-then-Encrypt (MtE)?

A

  1. Compute MAC(Message).
  2. Append MAC to the message: Message || MAC.
  3. Encrypt everything: E(Message || MAC).
  4. Send the ciphertext.

12
Q

Why was MAC-then-Encrypt (MtE) used in TLS?

A

It was used to provide confidentiality and integrity in older versions of TLS, but it required special padding schemes to reduce vulnerabilities.

13
Q

What is a major weakness of MAC-then-Encrypt (MtE)?

A

It does not protect the integrity of the ciphertext, making it vulnerable to modification attacks and padding oracle attacks.

14
Q

What is MAC-and-Encrypt (M&E)?

A

A cryptographic approach where the message is encrypted and MACed separately, then both the ciphertext and MAC are sent.

15
Q

What are the steps of MAC-and-Encrypt (M&E)?

A
  1. Encrypt the message: C = E(Message).
  2. Compute MAC on the plaintext: MAC = MAC(Message).
  3. Send (Ciphertext, MAC).
16
Q

Why is MAC-and-Encrypt (M&E) insecure?

A

The MAC is computed on the plaintext, so an attacker can compare MAC values to check if two messages are the same, even if encryption hides this information.

17
Q

What is a major weakness of MAC-and-Encrypt (M&E)?

A

It can leak message equality because identical plaintexts will have the same MAC, even if encryption prevents direct comparison.

18
Q

What is Encrypt-then-MAC (EtM)?

A

A cryptographic approach where a message is first encrypted, then a MAC is computed on the ciphertext.

19
Q

What are the steps of Encrypt-then-MAC (EtM)?

A
  1. Encrypt the message: C = E(Message).
  2. Compute MAC(Ciphertext): MAC = MAC(C).
  3. Send (Ciphertext, MAC).
20
Q

What security guarantees does Encrypt-then-MAC (EtM) provide?

A

Integrity and authenticity for both ciphertext and plaintext, preventing tampering and forgery.

21
Q

Why is Encrypt-then-MAC (EtM) recommended over MtE and M&E?

A

It ensures that any modification of the ciphertext is detected, protecting against tampering attacks.

22
Q

What is the purpose of the Diffie-Hellman key exchange?

A

Allow two parties to establish a shared secret key

23
Q

What are the main steps of the Diffie-Hellman key exchange?

A

A picks a secret x and computes X = f(x), then sends X.
B picks a secret y and computes Y = f(y), then sends Y.

Both compute the shared secret:
A : K = g(x, Y)
B : K = g(y, X)
Both now have the same key K without transmitting it directly.

24
Q

What information does an attacker see in a Diffie-Hellman exchange?

A

The attacker can capture X and Y, but cannot reconstruct the shared key K without knowing x or y.

25
Q

Why is Diffie-Hellman secure?

A

The security relies on the Discrete Logarithm Problem (DLP), which is computationally hard to reverse (i.e., deriving x from X = f(x) is very difficult).

26
Q

Can an attacker compute K from just X and Y?

A

No, because they would need to solve the Discrete Logarithm Problem, which is infeasible for large numbers.

27
Q

What is a common attack against Diffie-Hellman?

A

Man-in-the-middle (MITM) attack, where an attacker intercepts X and Y, replacing them with their own values X′ and Y′, to establish separate keys with each party.

28
Q

How can Diffie-Hellman be protected against MITM attacks?

A

By using authentication mechanisms like digital signatures or public key certificates to verify identities.

29
Q

What is a Merkle Tree?

A

Each node is a hash of its children, ensuring data integrity and efficient verification.

30
Q

How does a Merkle Tree ensure integrity?

A

It uses collision-resistant hash functions => a small change in data will produce a different Merkle Root.

31
Q

How can one prove that a piece of data exists in a Merkle Tree?

A
  • Merkle Proof = authentication path (sibling hashes needed to compute the Merkle Root).
32
Q

Why is a Merkle Proof efficient?

A

Instead of sending the entire tree, you only need to send log(n) hashes, where n is the number of elements in the tree.

33
Q

How are Merkle Trees used in secure cloud storage?

A
  1. The Merkle Root is stored locally by the user.
  2. When retrieving a file, the cloud provider gives the file along with a Merkle Proof.
  3. The user verifies that the proof leads to the correct Merkle Root.
34
Q

How do Merkle Trees improve Certificate Transparency?

A
  • Web certificates are stored in a public Merkle Tree log.
  • Anyone can check if a certificate is valid by verifying its inclusion in the log.