L6 - Introduction to Cryptographic Protocols Flashcards

1
Q

What is a protocol?

A

A series of steps, involving two or more parties, designed to accomplish a task

2
Q

What is an arbitrator?

A

A disinterested third party, trusted to complete the protocol.

3
Q

What is the purpose of an arbitrator?

A

Arbitrators can help complete protocols between parties that don’t trust each other

4
Q

Name three examples of real-world arbitrators.

A

Banks
Public Notaries
Lawyers

5
Q

What are problems with arbitrators in the virtual world?

A
  • It’s more difficult for people to trust a faceless entity
  • An arbitrator can become a bottleneck, as he has to deal with every transaction (-> delays)
  • Lots of damage can be caused if the arbitrator is subverted
  • Someone has to pay for running an arbitration service
6
Q

What is an adjudicator?

A

An arbitrator that only gets activated in case of disputes.

7
Q

What is the reason for using adjudicated protocols?

A

Arbitrators have high costs, so arbitrated protocols can be split into two sub-protocols:

  • A non-arbitrated part
  • An arbitrated part that is executed only if there is a dispute = adjudicated protocol
8
Q

What is a real-world example of an adjudicator?

A

Judges:

Example: Alice and Bob can enter a contract without a judge; a judge only sees the contract if it is brought before a court

9
Q

How do adjudicated protocols in the virtual world deter someone from cheating?

A
  • If someone SUSPECTS cheating, the protocol provides enough evidence to be able to detect this
  • In a good adjudicated protocol, this EVIDENCE also identifies the cheating party
  • Instead of PREVENTING cheating, adjudicated protocols DETECT cheating
  • The inevitability of detection acts as a deterrent
10
Q

What is a self-enforcing protocol?

A
  • a self-enforcing protocol does not need an arbitrator or adjudicator
  • the protocol itself guarantees fairness
11
Q

How do self-enforcing protocols work?

A
  • If one party tries to cheat, the other party is able to detect this immediately
  • the protocol then stops and/or punishes the cheating party
12
Q

What is an example of a self-enforcing protocol?

A

Dividing up things, e.g. a cake:
1) Alice divides up the piece of cake
2) Bob chooses which piece to take

13
Q

Name three applications of protocols involving cryptography.

A
  • secure communication
  • user authentication
  • key exchange
14
Q

What could a SYMMETRIC cryptographic protocol look like?

A

1) Alice and Bob agree on a cryptosystem
2) Alice and Bob agree on a key
3) Alice encrypts her plaintext message using the cryptosystem and key
4) Alice sends ciphertext to Bob
5) Bob decrypts ciphertext using the cryptosystem and key

15
Q

Name two potential problems (for world-spanning communication) in a SYMMETRIC cryptographic protocol which arise from the fact that Alice and Bob’s agreement on a key has to take place in secret.

A

Key management

Compromised Secrecy

16
Q

How does one generally calculate the number of keys required in a SYMMETRIC cryptographic protocol?

A

(n/2)(n − 1)

17
Q

Explain how COMPROMISED SECRECY would be problematic in a SYMMETRIC cryptographic protocol used for world-spanning communication.

A

If the key is compromised, then
– Eve can decrypt all messages encrypted with that key
– Mallory could intercept messages and send his own, pretending to be Alice or Bob
– This protocol assumes that Alice and Bob trust each other: either one could claim that the key has been compromised and publish the communication anonymously

18
Q

Explain how KEY MANAGEMENT would be problematic in a SYMMETRIC cryptographic protocol used for world-spanning communication.

A

– If each pair of users in a network has its own key, then the total number of keys increases rapidly with the number of users
– Sharing keys among users is not a solution: if someone leaves the network or is not trusted anymore, all users sharing keys with that person have to change their keys

19
Q

Conventionally, which are the Dramatis Personae in cryptographic protocols?

A
Alice: 1st participant
Bob: 2nd participant
Carol, Dave: more participants for multi-party protocols
Eve: Eavesdropper
Mallory: malicious active attacker
Trent: trusted arbitrator
20
Q

What could communication with an ASYMMETRIC cryptographic protocol (public-key cryptosystem) look like?

A

1) Alice and Bob agree on a public-key cryptosystem
2) Bob sends Alice his public key
3) Alice encrypts her plaintext message using Bob’s public key
4) Alice sends ciphertext to Bob
5) Bob decrypts ciphertext using his private key

21
Q

What are the advantages of ASYMMETRIC crypto communication?

A

The key exchange does not have to take place in secret anymore!

Compromised Secrecy:
Even if Eve listens in on steps 2 and 4, she only has the public key and the ciphertext; this will not help her in recovering the private key or the plaintext.

Key Management:
Everyone who wants to communicate with Bob uses Bob’s public key. There’s no need to have a separate key for each pair of users.

22
Q

How can an ASYMMETRIC crypto communication protocol be attacked (other than chosen plaintext)?

A

a man-in-the-middle attack!
- In step 2, Mallory intercepts Bob’s public key and sends his own to Alice
- Alice encrypts her message using Mallory’s public key (thinking it’s Bob’s) and sends it to Bob
- On the way back Mallory intercepts Alice’s ciphertext, decrypts it, encrypts it with Bob’s public key, then sends it to Bob
- Mallory could even change the message
- Alice and Bob think they have a secure connection

23
Q

Why are public-key algorithms not used all the time instead of symmetric algorithms?

A

Public-key algorithms are much slower than most symmetric algorithms
Public-key algorithms are vulnerable to chosen-plaintext attacks

24
Q

What is a chosen-plaintext attack?

A
  • If there are only a few possible messages, then it’s possible to recover the plaintext (although not the private key)
  • Encrypt all possible messages with the public key
  • If one of the generated ciphertexts matches the message ciphertext, then you know what was sent
25
Q

What could communication with a HYBRID CRYPTOSYSTEM look like?

A
  • protocol combining symmetric algorithm with a public-key algorithm
    1) Alice and Bob agree on a public-key cryptosystem and a symmetric cryptosystem
    2) Bob sends Alice his public key
    3) Alice generates a random session key for the symmetric algorithm
    4) She encrypts the session key using Bob’s public key
    5) Alice sends ciphertext to Bob
    6) Bob decrypts ciphertext using his private key to recover the session key
    7) Alice and Bob can now continue with the symmetric algorithm
26
Q

Summarise the advantages of a HYBRID CRYPTOSYSTEM.

A
  • Using public-key cryptography for distributing a key improves key management
  • The key exchange can take place in public, even though a symmetric algorithm is used for the bulk of communication
  • The session key is only used for a limited time and then destroyed
  • The longer a key sits around, the higher the chances that it is vulnerable to compromise
  • The public-key cryptosystem is only used very sporadically, generating a very small number of ciphertexts
  • The less data, the harder it is to break a code
27
Q

What are some different names for a one-way hash function?

A
  • message digest
  • fingerprint
  • (cryptographic) checksum
  • message integrity check
  • manipulation detection code
28
Q

What is a hash function?

A

A hash function is a function that takes a variable-length input string (called pre-image) and converts it to a fixed-length (generally smaller) output string (called hash value)

29
Q

What is an example use case of a hash function?

A

Can be used as a quick check if two pre-images are the same: same pre-images have the same hash value

30
Q

What could be a simple example hash function?

A

A simple example is a function that takes the pre-image and returns a byte consisting of the XOR (exclusive-or) of all input bytes

31
Q

What is a ONE-WAY hash function?

A

A one-way hash function is a hash function that works in one direction.
It’s easy to compute a hash value from a pre-image, but it is hard to generate a pre-image that hashes to a particular value.

32
Q

What does it mean that a good one-way hash function is collision-free?

A

it’s hard to generate two pre-images with the same hash value

33
Q

How do one-way functions achieve security?

A

The hash function is public; the security lies in its one-wayness: it is computationally infeasible to find a pre-image hashing to a particular hash value

34
Q

How is authentication performed using hashed values?

A

Instead of storing passwords, a host stores one-way hash values of the passwords
1) Alice sends the host her password
2) The host performs a one-way hash function on the password
3) The host compares the result to the stored value

35
Q

What is the benefit of storing one-way hashed passwords rather than cleartext passwords?

A

If someone breaks into the host, they cannot steal the passwords. The one-way hash function cannot be reversed to obtain the passwords.

36
Q

Why is a file of passwords encrypted with a one-way hash function still vulnerable?

A

Dictionary Attacks!

37
Q

How can a Dictionary Attack be performed on a list of one-way hashed passwords?

A

Mallory can take a list of the most popular passwords and a dictionary and run it through the one-way hash function.
After stealing the password file, he can then compare the password list with the generated hash values to find matches.

38
Q

What can be done to combat Dictionary Attacks when storing one-way hashed passwords?

A

Salting the passwords!

39
Q

What is Salt?

A

A salt is a string that is combined with the password

40
Q

How does Salting work?

A

For example, assume the password selected by the user is ‘hello’; the computer will automatically create a salt, say ‘e6f20fd420’.
Another user selects the same password, and the computer generates another salt, ‘a30e26e83b2’.
Simply appending the salt to the password generates different representations for the same password in the password file:
SHA-256(“helloe6f20fd420”) = 50815056236f8b36a0c182de286f2786c87d8ec684ec85dd6ea0bce062b950b7
SHA-256(“helloa30e26e83b2”) = c058814af38cee43c7deb31cd686a895d20b77cb7636a15c7b507a34a7e613aa
Note that we need to record the salt with each account.

41
Q

What is considered best practice when salting passwords?

A

Don’t use the same salt; it should be unique per-user per-password.
Don’t make the salt too short, otherwise it is vulnerable to a brute force attack (going through every possible combination of salt).
Salts should be selected as randomly as possible, so they are not predictable given prior knowledge of salts already used.

42
Q

What is Key Stretching?

A

Using a hash function that deliberately takes a long time to evaluate is called key stretching; the hash function is applied repeatedly.

43
Q

What is the purpose of Key Stretching?

A

The rationale is to reduce the rate at which hashes can be generated during brute force attacks.

44
Q

What is Password Eavesdropping?

A

Eve can intercept the password anywhere on the network or on the host before it is hashed.
For example, early electronic locks sent the serial number in the clear.

45
Q

What can we do to combat password eavesdropping?

A

Authentication with Public-Keys

46
Q

How could a sample protocol for Authentication with Public-Keys (rather than passwords) work?

A

The host keeps a file of every user’s public key; all users keep their private key
1) The host sends Alice a random string
2) Alice encrypts the string with her private key and sends it back (along with her name)
3) The host looks up Alice’s public key and decrypts the message with it
4) If the decrypted string matches what the host originally sent, then access is granted

47
Q

What are two potential weaknesses of public-key authentication (challenge-response-protocol)?

A

Cipher and plaintext are transmitted

Random numbers issued by host may not be truly random

48
Q

Explain how the transmission of cipher and plaintext within a challenge-response protocol may present a security weakness.

A

Having access to (a large number of) plaintexts and corresponding ciphertexts makes the job of a cryptanalyst easier.
Eve could listen in on Alice’s authentication attempts to obtain information to deduce the private key.

49
Q

Explain how a lack of true randomness among the numbers (challenges) issued by the host within a challenge-response protocol may present a security weakness.

A
  • Mallory (knowing the sequence of future random numbers) could intercept the host’s challenge
  • Mallory forwards one of the future random numbers, gets it encrypted by Alice; Alice’s login will fail
  • However, Mallory now has a correct response to a future challenge
50
Q

How can a simple challenge-response public-key authentication protocol be improved in terms of the lack of truly random numbers?

A

The random number generator has to be implemented very carefully

51
Q

How can a simple challenge-response public-key authentication protocol be improved in terms of the transmission of cipher and plaintext?

A

Use the following protocol (derived from SSHv2):
1) Alice sends her public key with a request for authentication to the host.
2) The host sends Alice a random number encrypted using Alice’s public key.
3) Alice decrypts the message with her private key. She then uses a hashing algorithm to create a hashed version of the number and sends it to the host.
4) The host computes its own hashed version of the data in Step 2.
5) If the two outcomes match, access is granted.

Alice proves to the host that she knows her private key without giving away any information on her private key and without actually encrypting plaintext with her private key.