Module 10 Flashcards

1
Q

What is authenticated encryption?

A

An encryption scheme (E, D) whose decryption algorithm outputs either the message or an error (⊥) when the ciphertext has been tampered with, so the receiver never acts on a modified ciphertext.

two guarantees:

  1. semantic security (IND-CPA)
  2. ciphertext integrity (INT-CTXT)
2
Q

Describe the integrity security game

A

A cipher (E, D) has ciphertext integrity (INT-CTXT) if for all PPT adversaries A the following probability is negligible:

A is given the encryptions c_1, ..., c_q of messages m_1, ..., m_q of its choice under the challenger's key k, and then outputs a ciphertext c. A wins (has constructed a forgery) if c is not one of c_1, ..., c_q and D(k, c) is not an error. The cipher is INT-CTXT secure if the probability that A wins is negligible.

3
Q

What are the options for combining MAC and encryption?

A
Option 1 (SSH): Encrypt and MAC
Option 2 (SSL): MAC then encrypt
Option 3 (IPSec): Encrypt then MAC
4
Q

What are pros and cons of each option?

A

SSH: Encrypt AND MAC
-the MAC is computed over the plaintext and sent next to the ciphertext. A MAC does not guarantee confidentiality, so the tag may reveal one or more bits about the message, and the combination is then no longer semantically secure. SSH itself is not known to be broken by this, but the construction is problematic and should not be used.

SSL: MAC then encrypt
-does not have the SSH issue because the ciphertext hides both the message and the tag; but there are examples where the MAC and the encryption are each secure and the combination is still not (with CBC-mode encryption the receiver strips padding before it can check the MAC, which is what padding oracle attacks exploit; see card 21). This method is also discouraged.

IPSec: Encrypt then MAC

  • always secure: if the encryption is IND-CPA secure and the MAC is secure, the result is authenticated encryption (IND-CPA plus INT-CTXT).
  • WHY: after encryption the ciphertext is semantically secure, so computing a MAC tag over the ciphertext cannot reveal anything about the message. If it could, an adversary could use the MAC as part of a statistical test to break the underlying cipher, which contradicts its semantic security. Anything done on top of a semantically secure ciphertext, with an independent key, cannot extract information about the message. Integrity comes from the MAC: a ciphertext the attacker did not receive from the sender fails the tag check, so the receiver rejects it before decrypting anything.
  • in practice: use independent keys for the cipher and the MAC, let the tag cover everything the receiver uses (IV/nonce, headers, ciphertext), and compare tags in constant time.
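As an added example (not code from the original flashcards), the Encrypt-then-MAC construction of this card together with the integrity game of card 2, in Python with only the standard library. The cipher is counter mode with HMAC-SHA256 used as the PRF and the tag is HMAC-SHA256 over nonce || ciphertext; the key sizes, names and sample messages are assumptions for the demo. Production code should use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 rather than this toy.

```python
import hashlib
import hmac
import secrets

# Added example (not from the original flashcards): a toy Encrypt-then-MAC
# authenticated encryption scheme. The "cipher" is counter mode with
# HMAC-SHA256 as the PRF; the tag is HMAC-SHA256 over nonce || ciphertext.
# Names and sizes are assumptions for the demo; use a vetted AEAD in practice.

NONCE_LEN = 16
TAG_LEN = 32


def keygen():
    # Independent keys for the cipher and the MAC (never reuse one key for both).
    return secrets.token_bytes(32), secrets.token_bytes(32)


def _keystream(k_enc, nonce, length):
    """Counter mode: block i of the keystream is HMAC(k_enc, nonce || i)."""
    out = bytearray()
    i = 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return bytes(out[:length])


def encrypt(keys, msg):
    k_enc, k_mac = keys
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(a ^ b for a, b in zip(msg, _keystream(k_enc, nonce, len(msg))))
    # Encrypt-then-MAC: the tag covers the nonce and the ciphertext, not the
    # plaintext, so the tag cannot leak message bits (the Encrypt-and-MAC problem).
    tag = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt(keys, ct):
    """Return the message, or None (the 'error' output of card 1) on any tampering."""
    k_enc, k_mac = keys
    if len(ct) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = ct[:NONCE_LEN], ct[NONCE_LEN:-TAG_LEN], ct[-TAG_LEN:]
    expected = hmac.new(k_mac, nonce + body, hashlib.sha256).digest()
    # Verify the tag before touching the ciphertext, with a constant-time compare.
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _keystream(k_enc, nonce, len(body))))


def int_ctxt_game(keys):
    """The integrity game of card 2: the adversary is given ciphertexts of messages
    of its choice and wins if a *new* ciphertext (not one it was given) decrypts
    to something other than an error. Two natural forgery attempts are tried."""
    seen = [encrypt(keys, m) for m in (b"attack at dawn", b"retreat at dusk")]
    c = seen[0]
    # Attempt 1: flip one ciphertext bit (in unauthenticated counter mode this
    # would silently flip the corresponding plaintext bit).
    flipped = c[:NONCE_LEN] + bytes([c[NONCE_LEN] ^ 0x01]) + c[NONCE_LEN + 1:]
    # Attempt 2: a random string of the right length.
    random_ct = secrets.token_bytes(len(c))
    return {
        "bitflip_is_new": flipped not in seen,
        "bitflip_rejected": decrypt(keys, flipped) is None,
        "random_rejected": decrypt(keys, random_ct) is None,
    }
```

`decrypt` returns None for every ciphertext that was not produced by `encrypt` under the same keys, which is the INT-CTXT property; the fresh nonce in `encrypt` is what gives IND-CPA (two encryptions of the same message differ).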
5
Q

describe the goal and threat model of the key exchange protocol.

A

goal: for Alice and Bob to agree on a shared secret over a public channel even though they have never interacted before

threat model:

  • adversary can only eavesdrop on the communication
  • no tampering with any messages
6
Q

Describe the Diffie-Hellman Key exchanage

A

public parameters: a large prime p and a generator g of a large prime-order subgroup mod p

  1. Alice picks a random secret a and sends A = g^a mod p
  2. Bob picks a random secret b and sends B = g^b mod p
  3. Alice computes B^a = g^(ab) mod p; Bob computes A^b = g^(ab) mod p

both compute the same thing (g^(ab)) with different components: Alice uses (B, a), Bob uses (A, b)

7
Q

Why is Diffie-Hellman Key exchange secure?

A

An eavesdropper sees p, g, A = g^a and B = g^b but not a or b. Computing g^(ab) from A and B is the computational Diffie-Hellman (CDH) problem, believed hard in well-chosen groups; the best known attack is to recover a or b, i.e. solve the discrete logarithm problem. (Under the stronger decisional DH assumption the shared value is indistinguishable from random, which is what makes it usable as a key.)
8
Q

true/false: DHKE protocol can be non-interactive

A

true.

Alice's message A = g^a does not depend on Bob's message B and vice versa, so each party can publish its value ahead of time (e.g. in a public directory) and derive the shared key from the other party's published value without a live exchange.

9
Q

What is the drawback of Diffie-Hellman?

A

It is not secure against active attacks (man in the middle).
The attacker can replace the messages in transit with messages of her choosing: she delivers g^(a') to Bob instead of A and g^(b') to Alice instead of B, so she shares one key with Alice and another key with Bob while each of them believes the key is shared with the other.
She can then intercept each message, decrypt and read it, re-encrypt it under the other key and forward it to Bob (or Alice) unnoticed.
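As an added example (not code from the original flashcards), the exchange of card 6 and the active attack of this card, in Python. It works in the prime-order subgroup of Z_p^* for a safe prime p = 2q + 1 generated at runtime at a toy size of 128 bits; that size and the use of g = 4 are assumptions for the demo, and real systems use a standardised group (RFC 3526 / RFC 7919) or X25519 rather than a home-grown modulus. It also shows the public-value validation a receiver should perform, which the flashcards do not mention.

```python
import hashlib
import secrets

# Added example (not from the original flashcards): Diffie-Hellman in the
# order-q subgroup of Z_p^*, p = 2q + 1 a safe prime, plus the man-in-the-middle
# attack of card 9. The toy prime size is an assumption for the demo.

G = 4  # 4 = 2^2 is a quadratic residue, so it generates the order-q subgroup


def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases, after trial division by small primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_safe_prime(bits=128):
    """Return (p, q) with p = 2q + 1, both prime, p of the requested bit length."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _is_probable_prime(q) and _is_probable_prime(2 * q + 1):
            return 2 * q + 1, q


def is_valid_public(p, q, val):
    """Accept only elements of the order-q subgroup: rejects 0, 1, p-1 and other
    small-order values an active attacker could send to force a predictable key."""
    return 1 < val < p - 1 and pow(val, q, p) == 1


def keygen(p, q):
    a = secrets.randbelow(q - 1) + 1   # private exponent in [1, q-1]
    return a, pow(G, a, p)             # (a, A = g^a mod p); only A goes on the wire


def shared_key(p, q, peer_pub, priv):
    if not is_valid_public(p, q, peer_pub):
        raise ValueError("invalid public value")
    secret = pow(peer_pub, priv, p)    # g^(ab) mod p, identical on both sides
    return hashlib.sha256(secret.to_bytes((p.bit_length() + 7) // 8, "big")).digest()


def honest_exchange(p, q):
    """Card 6: Alice sends A, Bob sends B; an eavesdropper sees only (p, g, A, B)."""
    a, A = keygen(p, q)
    b, B = keygen(p, q)
    return shared_key(p, q, B, a), shared_key(p, q, A, b)


def mitm_exchange(p, q):
    """Card 9: Mallory replaces A and B with her own values M1, M2. Afterwards she
    holds one key with Alice and another with Bob and can read and re-encrypt."""
    a, A = keygen(p, q)
    b, B = keygen(p, q)
    m1, M1 = keygen(p, q)              # delivered to Bob instead of A
    m2, M2 = keygen(p, q)              # delivered to Alice instead of B
    k_alice = shared_key(p, q, M2, a)  # Alice believes this is shared with Bob
    k_bob = shared_key(p, q, M1, b)    # Bob believes this is shared with Alice
    k_mal_alice = shared_key(p, q, A, m2)
    k_mal_bob = shared_key(p, q, B, m1)
    return k_alice, k_bob, k_mal_alice, k_mal_bob
```

Nothing in `mitm_exchange` is detectable by Alice or Bob from the protocol messages alone, which is the point of the card: without authentication of A and B (signatures, certificates, or a pre-shared secret) the exchange only resists eavesdroppers.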

10
Q

Describe the public key encryption scheme?

A

Three algorithms:

  1. Gen() → (pk, sk): a public key for encrypting and a secret key for decrypting
  2. Enc(pk, m) → c
  3. Dec(sk, c) → m (or an error)

As a key exchange: Alice generates (pk, sk) and sends pk; Bob picks a random key k and sends c = Enc(pk, k); Alice recovers k = Dec(sk, c). Only the holder of sk can decrypt, so an eavesdropper learns nothing about k.
11
Q

What’s a key difference between the public key encryption scheme described here and the DHKE?

A

it is interactive: Bob's message c = Enc(pk, k) depends on Alice's message pk, so the two messages cannot be published independently ahead of time the way A and B can in DHKE.

12
Q

what is a trapdoor function?

A

A function F(pk, ·) with a public description pk and a secret trapdoor sk such that

  1. F(pk, x) is easy to compute for anyone who knows pk
  2. inverting F (finding x from y = F(pk, x) for a random x) is hard without sk
  3. inverting F is easy with the trapdoor sk

RSA is the standard example: F(pk, x) = x^e mod N with pk = (N, e); the trapdoor is d with e·d ≡ 1 mod φ(N), and inverting is y^d mod N.
13
Q

Why is this a BAD way to use trapdoor functions?

A

Not semantically secure, because encrypting directly with the trapdoor function, c = F(pk, m), is deterministic. The adversary has pk, so in the IND-CPA game it picks m0 and m1, receives the challenge c, computes F(pk, m0) itself and compares: a match means the challenger encrypted m0, so it guesses correctly every time.

14
Q

What do we need to build a public key cryptosystem?

A

  1. a trapdoor function (with its key generation)
  2. a hash function H (modelled as a random oracle) to turn the trapdoor input into a symmetric key
  3. a symmetric authenticated encryption scheme

these are put together in the construction on the next card
15
Q

Describe a secure construction of a public key encryption cryptosystem?

A

trapdoor function (KeyGen gives pk for evaluating F and sk for inverting it)

encryption of m under pk:

  1. generate a random input x for the trapdoor function
  2. compute y = F(pk, x)
  3. hash x and use k = H(x) as the symmetric key
  4. encrypt the message with the authenticated encryption scheme: c = AE.Enc(k, m)

  the ciphertext is (y, c)

decryption of (y, c) under sk:

  1. use the trapdoor to invert the function: x = F^(-1)(sk, y)
  2. hash x and use k = H(x) as the symmetric key
  3. decrypt with the authenticated encryption scheme: m = AE.Dec(k, c) (or an error)
16
Q

why is that construction secure?

A

The encryption algorithm is now randomized (it samples x), while decryption is deterministic; those are the two features we wanted. The scheme is semantically secure because the ciphertext (y, c) reveals nothing about m: c is the output of a semantically secure authenticated encryption scheme under the key k = H(x), and y is just the trapdoor function evaluated at a random input. By the security definition of the trapdoor function it is hard to recover x from y without the secret key, so the adversary cannot learn k, which is what it would need to attack c. The decryptor knows the secret key, inverts y to x and derives the same k.
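As an added example (not code from the original flashcards), the RSA trapdoor function used the bad way (card 13) and the right way, as the key encapsulation steps 1-3 of card 15 (what card 23 calls RSA-KEM). The modulus is built from the Mersenne primes 2^61-1 and 2^89-1 so the block runs offline without a prime generator; that size is an assumption for illustration only and gives no security. Step 4, encrypting the actual message under the derived key with an authenticated encryption scheme, is left to any such scheme and not repeated here.

```python
import hashlib
import secrets

# Added example (not from the original flashcards). RSA trapdoor f(x) = x^e mod N
# with trapdoor d; first misused directly as encryption (card 13), then used as
# the key encapsulation of cards 15/16 and 23. Toy-size modulus: an assumption
# for illustration only.

P, Q = (1 << 61) - 1, (1 << 89) - 1       # Mersenne primes, far too small for real use
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # the trapdoor: needs the factorisation of N
PK, SK = (N, E), (N, D)


def f(pk, x):
    """Forward direction: anyone holding the public key can compute it."""
    return pow(x, pk[1], pk[0])


def f_inv(sk, y):
    """Inverse: easy with the trapdoor d, believed hard without it (RSA assumption)."""
    return pow(y, sk[1], sk[0])


def textbook_encrypt(pk, m):
    """Card 13: c = f(m). Deterministic, hence not IND-CPA secure."""
    return f(pk, m)


def cpa_attack(pk, m0, m1, challenge):
    """IND-CPA adversary against textbook_encrypt: re-encrypt both chosen
    messages with pk and compare. Returns the bit it guesses; always correct."""
    return 0 if f(pk, m0) == challenge else 1


def _kdf(n, x):
    """H: hash the trapdoor input x into a symmetric key (SHA-256 standing in
    for the random oracle of card 23)."""
    return hashlib.sha256(x.to_bytes((n.bit_length() + 7) // 8, "big")).digest()


def kem_encaps(pk):
    """Card 15, encryption steps 1-3: fresh random x, y = f(x), k = H(x).
    The sender then encrypts the message under k (step 4) and sends (y, c)."""
    n = pk[0]
    x = secrets.randbelow(n - 2) + 2       # random element of Z_N; 0 and 1 are fixed points
    return f(pk, x), _kdf(n, x)


def kem_decaps(sk, y):
    """Card 15, decryption steps 1-2: invert y with the trapdoor, rederive k."""
    return _kdf(sk[0], f_inv(sk, y))
```

`cpa_attack` needs nothing but the public key, which is the whole problem with the deterministic construction; `kem_encaps` produces a different y (and key) on every call, and anyone without d who wants k has to invert f on a random point.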

17
Q

What is a common way to build public encryption out of the RSA trapdoor function?

A

RSA-PKCS#1 v1.5 (encryption block type 2)

this solves the problem of the trapdoor function being deterministic by first adding randomized padding to the message: the encoded block is 0x00 || 0x02 || (at least 8 random non-zero bytes) || 0x00 || m, interpreted as an integer and put through the RSA function. The decryptor inverts and checks that the padding has this format.

18
Q

What is a padding oracle attack?

A

the attacker exploits the fact that the server tells the client whether a decrypted message was malformed (e.g. the padding did not check out). The attacker repeatedly sends modified ciphertexts to the server and from each yes/no answer learns a little about the plaintext, until she has recovered the message (or password) without ever having the key. Against RSA-PKCS#1 v1.5 this is Bleichenbacher's attack; the "error message" can also be a timing difference rather than an explicit reply.

19
Q

What is IND-CCA? (security for chosen-ciphertext attacks)

How is it stronger than IND-CPA?

A

the adversary additionally gets a decryption oracle: it can submit ciphertexts of its choice (any except the challenge ciphertext) and receive their decryption. This models the padding oracle attack, where the server acts as a partial decryption oracle for RSA-PKCS#1 v1.5 ciphertexts. It is stronger than IND-CPA because IND-CPA only gives the adversary encryptions of chosen messages; every IND-CCA secure scheme is IND-CPA secure, but not the other way round.

20
Q

RSA-PKCS#1 v.1.5 mode 2 - is it secure?

A

IND-CPA secure (as far as we know)

NOT IND-CCA secure (see padding oracle attack)

21
Q

Is symmetric key encryption immune to oracle padding attacks?

A
No, not in general:

  • block cipher in CBC mode (remember there is padding) –> has similar attacks: the receiver strips the padding and reports whether it was valid, which is exactly a padding oracle, and the plaintext can be recovered one byte at a time
  • authenticated encryption (e.g. encrypt then MAC) –> provides IND-CCA2 security and prevents padding oracle attacks, because a modified ciphertext fails the MAC check before any padding is examined
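As an added example (not code from the original flashcards), the CBC padding oracle attack this card refers to, end to end in Python: a server that only answers "padding valid or not", and an attacker that recovers the plaintext from that one bit. The block cipher is a toy 4-round Feistel network with a SHA-256 round function so the block runs with the standard library alone; it is an assumption for the demo standing in for AES, and the attack never looks inside it. Padding is PKCS#7; the messages are constructed test inputs.

```python
import hashlib
import secrets

# Added example (not from the original flashcards): CBC padding-oracle attack.
# Toy block cipher (Feistel over SHA-256) is an assumption standing in for AES.

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]


def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n


def unpad(data):
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")  # the single bit the server leaks
    return data[:-n]


def cbc_encrypt(key, msg):
    iv = secrets.token_bytes(BLOCK)
    out, prev, data = [iv], iv, pad(msg)
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, ct):
    if len(ct) % BLOCK or len(ct) < 2 * BLOCK:
        raise ValueError("bad length")
    pt = b"".join(_xor(block_decrypt(key, ct[i:i + BLOCK]), ct[i - BLOCK:i])
                  for i in range(BLOCK, len(ct), BLOCK))
    return unpad(pt)


def make_oracle(key):
    """A server that answers only 'was the padding valid?' for any ciphertext."""
    def oracle(ct):
        try:
            cbc_decrypt(key, ct)
            return True
        except ValueError:
            return False
    return oracle


def padding_oracle_attack(oracle, ct):
    """Recover the plaintext of a CBC ciphertext using the oracle alone.
    For each block C_i we learn I_i = block_decrypt(key, C_i) byte by byte from
    the end, by submitting (forged IV || C_i) and watching the padding check;
    the plaintext block is then I_i XOR C_(i-1)."""
    blocks = [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plaintext = b""
    for prev, cur in zip(blocks, blocks[1:]):
        inter = bytearray(BLOCK)
        for v in range(1, BLOCK + 1):          # force the last v bytes to the value v
            pos = BLOCK - v
            tail = bytes(inter[j] ^ v for j in range(pos + 1, BLOCK))
            for g in range(256):
                forged = bytes(pos) + bytes([g]) + tail
                if not oracle(forged + cur):
                    continue
                if v == 1:
                    # Edge case: the hit could be ...02 02 instead of ...01. A real
                    # 0x01 pad stays valid when the byte before it is changed.
                    alt = bytearray(forged)
                    alt[pos - 1] ^= 0xFF
                    if not oracle(bytes(alt) + cur):
                        continue
                inter[pos] = g ^ v
                break
            else:
                raise RuntimeError("no valid guess found")
        plaintext += _xor(bytes(inter), prev)
    return unpad(plaintext)
```

The attacker needs at most 256 oracle queries per byte and never touches the key. With encrypt-then-MAC in front of the same CBC decryption, every forged block would be rejected by the tag check before `unpad` runs and the oracle would disappear.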
22
Q

IND-CCA RSA Encryption

A

two ways to do it:

  1. generic construction for trapdoor functions
  2. optimal asymmetric encryption padding (OAEP - recommended)
23
Q

RSA-KEM (key encapsulation mechanism) / option 1

A

3 assumptions for security of RSA-KEM

  1. trapdoor function is secure
    - –> in RSA-KEM this means that the RSA assumption holds
  2. H is a random oracle from Z_N to {0,1}^k
  3. authenticated encryption scheme is secure
24
Q

Option 2: RSA-OAEP (PKCS#1 v2.2)

A

this is better because the OAEP padding mixes the whole encoded block through a hash and a mask generation function (two Feistel-style rounds) before the RSA function is applied. If an adversary modifies the ciphertext, decoding scrambles the entire block, so the decryptor never sees a mostly-correct message with one bad field; it checks the recovered block as a whole and reports a single generic error. (The implementation must still take the same time and return the same error for every kind of failure, or a different oracle appears.)

25
Q

describe RSA-OAEP security

A

IND-CCA2 secure assuming

  • -> the hash and the mask generation function are random oracles
  • -> the RSA assumption holds

is optimal in that the ciphertext is a single element of Z_N (no separate tag or key material is sent)

  • -> in contrast, RSA-KEM sends (y, c):
    1. y is an element of Z_N
    2. c is the output of an authenticated encryption scheme (ciphertext and MAC)

BUT RSA-OAEP can only encrypt a message shorter than the modulus (minus the padding overhead), while RSA-KEM can keep using the symmetric key for messages of any length, which is more efficient

26
Q

What are the 3 algorithms for a digital signature?

A

  1. Gen() → (pk, sk): the signing key sk stays private, the verification key pk is published
  2. Sign(sk, m) → sigma
  3. Verify(pk, m, sigma) → accept / reject
27
Q

What is the well-formedness condition for digital signatures?

A

correctness: for every key pair (pk, sk) output by Gen and every message m, Verify(pk, m, Sign(sk, m)) = accept; a signature honestly produced with sk always verifies under the matching pk
28
Q

What are some issues with textbook RSA?

A
  1. the signing function works on a single element of Z_N, so if the message is bigger than N we need to compute multiple signatures and need a way to stitch them together
  2. it is trivial to construct forgeries (existential forgery):
    - start with a random "signature" sigma in Z_N (instead of a message)
    - compute m = sigma^e mod N
    - sigma is now a valid signature for the message m, because sigma^e = m
    - the verification algorithm passes, and no secret key was used

to be secure, the attacker should not be able to construct ANY forgeries, even for messages that are total garbage (existential unforgeability)

29
Q

What is the key idea of full domain hash RSA signatures?

A

hash the message before signing it: sigma = H(m)^d mod N, verified by checking sigma^e = H(m) mod N, with H mapping onto all of Z_N (the "full domain")

why hashing prevents the forgery above: the attacker can still pick sigma and compute t = sigma^e mod N, but now needs a message m with H(m) = t, i.e. a preimage of a random target, which a cryptographic hash makes infeasible. Hashing also lets one RSA operation sign a message of any length.
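As an added example (not code from the original flashcards), the textbook-RSA forgery of card 28 next to full-domain-hash signing, in Python. The key uses the Mersenne primes 2^61-1 and 2^89-1 so the block runs offline; that size is an assumption for illustration only. The hash-into-Z_N function (SHA-256 expanded with a counter and reduced mod N) is a demo stand-in for the N-specific random oracle the next card discusses, not a standardised construction.

```python
import hashlib
import secrets

# Added example (not from the original flashcards): textbook RSA forgery versus
# full-domain-hash RSA. Toy-size key: an assumption for illustration only.

P, Q = (1 << 61) - 1, (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def textbook_sign(m):
    return pow(m, D, N)


def textbook_verify(m, sigma):
    return pow(sigma, E, N) == m % N


def textbook_forgery():
    """Card 28: pick sigma first; m = sigma^e mod N is then a message it signs.
    No private key involved, even though m is garbage."""
    sigma = secrets.randbelow(N - 2) + 2
    return pow(sigma, E, N), sigma


def H(msg):
    """Full-domain hash: map a byte string (close to uniformly) onto all of Z_N.
    The output range depends on N, which is the annoyance of card 30."""
    size = (N.bit_length() + 7) // 8 + 8    # extra bytes make the mod-N bias negligible
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(msg + i.to_bytes(4, "big")).digest()
        i += 1
    return int.from_bytes(out[:size], "big") % N


def fdh_sign(msg):
    return pow(H(msg), D, N)


def fdh_verify(msg, sigma):
    return pow(sigma, E, N) == H(msg)


def fdh_forgery_attempt(tries=2000):
    """Replay the card-28 trick against FDH: choose sigma, compute t = sigma^e mod N.
    The forger now needs *some* message with H(msg) == t, a preimage of a random
    target. Returns how many of `tries` guessed messages hit it (expect 0)."""
    sigma = secrets.randbelow(N - 2) + 2
    t = pow(sigma, E, N)
    return sum(1 for i in range(tries) if H(b"candidate-%d" % i) == t)
```

`textbook_forgery` succeeds on the first try; `fdh_forgery_attempt` shows the same move now reduces to finding a preimage of H, which is exactly the problem a hash function is built to make infeasible.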

30
Q

problem with full domain hash RSA

A

needs a very specific random oracle: H must map messages onto (almost all of) Z_N

this is annoying because the hash is then specific to N

the minute we change the modulus (N), we need a new hash function; standard hashes such as SHA-256 have a fixed output size, so a separate construction is needed to stretch them to the size of N

31
Q

a summary

A