Lecture 7-Basic Key Exchange

Question 1

What is TLS and why shouldn’t we use it?

Answer 1

It is a form of authenticated encryption but don’t use it because it uses unidirectional keys (so lot of overhead) and also using MAC-then-Encrypt

Question 2

How does TLS decryption work?

Answer 2

Essentially it will send back the unique symbol with bad_record_mac error if tag or pad format is invalid (this provides AE)

Question 3

What is the padding oracle attack on TLS?

Answer 3

Attacker can submit ciphertext and learn if last bytes of plaintext are a valid pad (because attacker can tell the difference between errors “pad error” and “MAC error”)

You can observe the timing, bad pad timing returns faster

Question 4

Why are padding oracle attacks even an issue?

Answer 4

Because we pad after mac so pad is not authenticated (MAC then encrypt or MAC then CBC ) (So eve can learn the pad by XOR-ing bytes)

Question 5

Why would Encrypt then MAC avoid padding oracle?

Answer 5

Because MAC is checked first and ciphertext gets discarded if it is invalid

Question 6

Why shouldn’t you use SSH protocol?

Answer 6

Uses Encrypt-and-MAC where MAC is computed over plaintext. Also the protocol checks and uses the packet length before verifying the MAC tag which means Eve can send an encrypted block byte by byte to learn the length before MAC tag error gets out

Question 7

How to avoid SSH attack?

Answer 7

Authenticate length with MAC first!

Question 8

How does TTP work?

Answer 8

TTP sends Alice shared key + encrypted key that only Bob can decrypt. Alice sends Bob to decrypt the shared key on his end

Question 9

Merkle Puzzle (Quadratic gap)

Answer 9

A way to share messages without TTP: Alice prepared a bunch of puzzles and sends it. Bob picks a puzzle at random to solve it, he gets decrypted key and he successfully decrypts a puzzle. Sends puzzle id so Alice knows which puzzle key to use. (THIS IS A WAY OF SYMMETRIC KEY EXCHANGE WITHOUT TTP)

Question 10

Diffie-Hellman

Answer 10

Fix a large prime # + generator and compute the keys. Even cannot compute g^ab (mod P) ..considered discrete log problem (Hard)

Question 11

When is diffie-hellman insecure?

Answer 11

Man in the middle attacks: Eve can generate her own a’ and send to bob and generate her own b’ to send to Alice

Question 12

What is the diffie-hellman non-interactive property?

Answer 12

Each person has their own public key that can be used by someone else to raise it to their secret key: Kac = g^ac where a is secret key for Alice and g^c is already public information for Charlie

Question 13

Can you do non-interactive DH for more than two people?

Answer 13

Super complicated as you add more people

Question 14

Public Key Encryption

Answer 14

• another way for key exchange apart from merkle puzzles and DH
• public key used to encrypt, secret key to decrypt

Question 15

What are some public key applications?

Answer 15

HTTPS exchange: encrypt using Alice’s public key and send an encrypted email to her that she can decrypt.

Also key escrow: same encryption encrypted with an escrow’s public key so that if a fight happens, the message can still be decrypted

Question 16

Public Key semantic security

Answer 16

Challenger generates key pair and sends public key to eve (no CPA attack needed!)

Even will send two messages for challenger to encrype and Eve needs to figure out which message (secure because Eve doesn’t have secret key to decrypt and encryption itself is random)

Question 17

When is Public Key Encryption insecure?

Answer 17

Man-in-the-middle: Eve impersonates Alice and sends a diff public key to Bob one of which she has the secret key of