PRTCLS Flashcards

1
Q

Protocols

A

A protocol is a set of rules for exchanging messages between 2 (or more) principals over a network.

The word ‘protocol’ in the OSI model is reserved and refers to rules governing communication between a pair of peer entities.

2
Q

Secure Protocol

A

When acting honestly, principals (participants) achieve the stated aim of the protocol.

  • E.g.: Alice successfully authenticates to Bob, or Alice and Bob establish a key.

Neither passive eavesdropper (Eve) nor malicious, active adversary (Mallory) can defeat this aim (e.g. by successfully impersonating Alice in an authentication protocol with Bob).

This all pre-supposes that the stated aim is actually clearly stated!

3
Q

Entity Authentication

A
  • origin authentication (verifying the origin of received data) and
  • entity authentication (verification of a claimed identity).

An origin authentication service can be built from a data integrity mechanism, e.g. a MAC.

Entity authentication is typically achieved by an exchange of messages called an authentication protocol.

4
Q

Why Entity Authentication?

A

Entity authentication provides a fundamental service:

  • It allows one host or user on the network to check with which other host or user it is communicating.

Successful entity authentication can be a precursor to (or part of) the use of more complex security services.

5
Q

Entity authentication:

A
  • the corroboration that an entity is the one claimed at a particular point in time (but not necessarily any guarantees after that time).
6
Q

Unilateral authentication:

A
  • entity authentication which provides one entity with assurance of the other’s identity but not vice versa.
7
Q

Mutual authentication:

A
  • entity authentication which provides both entities with assurance of each other’s identity.
8
Q
A
  • No – Mallory can easily impersonate A.
  • Authentication protocols can be built from a number of different assumptions:
  • A and B share a secret (e.g. a password, a PIN, biometric information, a symmetric key).
  • A and B have authentic copies of each other’s public keys.
9
Q

Challenge/Response Authentication

A

In challenge-response authentication, one entity ‘proves’ its identity to another by demonstrating knowledge of a secret known to be associated with that entity, without revealing that secret itself during the protocol.

Such protocols typically use cryptographic mechanisms to protect the messages in the protocol:

  • Encryption.
  • Integrity mechanism (e.g. MAC).
  • Digital signature.
10
Q

User Authentication

A

Here, the objective is to authenticate a user to a system (and possibly vice-versa).

User authentication is usually based on (a combination of):

  • Something you know (password, PIN).
  • Something you have (a smartcard or token,…)
  • Something you are (a biometric)

User authentication is limited by what a user can remember, carry, etc.

  • The problem may be harder when user and system are remote, because credentials/data may need to be protected in transit.
  • We can’t expect users to remember long cryptographic keys or carry unwieldy equipment.

Authentication not directly involving users (i.e. machine to machine) is not generally limited in this way.

11
Q

Encryption based Authentication

A

Assume Alice and Bob share a secret key K. Design goal: Alice to be authenticated.

1. Alice sends an initiating message.

2. Bob sends Alice a challenge message R.

3. Alice responds with {R || B}K, i.e. the challenge R concatenated with Bob’s identity B, encrypted using the shared key K.

4. Bob checks that the message he received decrypts to give message R || B.

5. If it does, then Alice is authenticated to Bob (or Bob authenticates Alice).

12
Q

The Protocol

A

A → B: ‘Hi Bob, I’m Alice’

B → A: R (challenge)

A → B: {R || B}K (response)

13
Q

Security of the Protocol -1

A
  • Why can Bob be sure that message 3 in the protocol came from Alice?

Only Alice (and Bob) know secret key K.

  • Why can Bob be sure that message 3 in the protocol is not a replay of a message from an earlier run of the protocol between himself and Alice?

Bob chose R at random just before sending message 2. This R should never have been used before. This means that message 3, which includes R in encrypted form, has never been produced before.

Assumption: Mallory cannot observe an old protocol run and then alter an old message {R’ || B}K to make it an acceptable response to Bob’s new challenge R (stream ciphers might be vulnerable to bit flipping attacks!)

  • Why can Bob be sure that message 3 in the protocol is intended for him?

Alice includes Bob’s identity ‘B’ in the encrypted message. This prevents Mallory taking a message intended for someone else and sending it to Bob.

  • Can an attacker learn the value of secret key K by observing multiple runs of the protocol?

No, not if the encryption algorithm is strong.

  • Is Alice authenticated to Bob in this protocol?

Yes.

  • Is Bob authenticated to Alice in this protocol?

No. (In fact Mallory could impersonate Bob in the protocol, but our design goal was a protocol in which Alice is authenticated, not Bob, so this is not a problem.)

  • Does the protocol provide mutual or unilateral authentication?

Unilateral: authentication of Alice.

14
Q

Assumption of the Security of this Protocol

A

We’re making an assumption that Mallory cannot observe an old protocol run and then alter an old message {R’ || B}K in such a way as to make it an acceptable response to Bob’s new challenge R.

This has implications for the kind of encryption primitive that Alice and Bob should use:

  • For example, they should not use a stream cipher with this protocol, as Mallory can just flip bits in the message {R’ || B}K to turn it into {R || B}K.
15
Q

Replay Attack

A

Mallory begins by hijacking a session between Alice and Bob and firstly impersonates Bob to Alice in a protocol run initiated by Alice:

A → M(B): ‘Hi Bob, I’m Alice’

M(B) → A: R (M predicts which R will be used later by B)

A → M(B): {R || B}K

Mallory keeps hold of {R || B}K: it’s going to come in handy later:

  1. M(A) → B: ‘Hi Bob, I’m Alice’
  2. B → M(A): R (M predicted this R would be used by B)
  3. M(A) → B: {R || B}K
16
Q

Liveness and Freshness

A

The replay attack shows that it is vital that the protocol contains a means of checking liveness of principals.

Liveness: assurance that a message was sent by a principal within an acceptably recent timeframe.

  • Usually after an event known to be recent to the other principal.
  • Liveness of principals usually ensured via freshness of messages.

Freshness: assurance that a message has not been used previously and originated within an acceptably recent timeframe.

  • Freshness of a message together with authenticity of its origin can assure liveness of the principal.

Two main methods for providing freshness:

  • Nonce (Number used once).
  • Time-stamps (clock-based or ‘logical’ time-stamps).
17
Q

Nonces

A

Most important: the ‘one-time’ property. A nonce should not have been used before.

  • So one could in theory use a counter?

Many protocols need nonces to be unpredictable (to Mallory), rather than simply previously unused.

  • For example, our protocol needs this property for R to prevent the replay attack.
  • One could form R by generating a long string of bits at random.
  • How long is long enough?
  • How can we ensure R is sufficiently random?

Notice that in our protocol the nonce R is unpredictable but not secret.

18
Q

Logical time stamps

A

Alternative to clocks: Alice and Bob could use a pair of sequence numbers NAB and NBA in their communications.

Every time A sends B a message she includes value NAB, and increments it. Likewise for B.

Needs a pair of sequence numbers for every pair of communicating parties.

Sequence numbers may need to be kept secret in protocol runs.

  • May otherwise be predictable to Mallory.
19
Q

Using MACs for Entity Authentication

A

Replace the encryption mechanism with a MAC:

A → B: ‘Hi Bob, I’m Alice’

B → A: R (challenge)

A → B: MACK(R || B) (response)

- Security is as for the encryption-based protocol: only Alice can prepare the correct response for Bob;

- Freshness of R guarantees liveness of Alice.

20
Q

Signature based Entity Authentication

A

Instead of challenge/response, now challenge/signature.

Use nonce or time-stamps for freshness.

Rather than a shared secret key, Bob needs to have an authenticated version of Alice’s public key (and vice-versa for mutual authentication).

21
Q

Signature-based Mutual Authentication

A

B → A: RB

A → B: RA, SA{RA || RB || B}

B → A: SB{RB || RA || A}

SA{X} denotes A’s signature on string X.

Protocol achieves mutual authentication (via two signatures and two nonces).

A and B must check the signatures to ensure their correctness.

Signatures are on both nonces: the messages are fresh and have been signed by the other party.

22
Q

Signature based Mutual authentication

A

B → A: RB

A → B: RA, SA{RA || RB || B}

B → A: SB{RB || RA || A}

A’s signature is on a message containing B’s identity.

Otherwise, Mallory might be able to take messages signed by A intended for another party C and re-direct them to B. Likewise for B.

Why are the orders of the nonces swopped in messages 2 and 3?

This is to avoid a symmetry that can also be exploited by Mallory to mount an attack.

It’s important that Alice’s signature is on a message that contains randomness contributed by her.

Otherwise, Alice can be used as a signature oracle by Mallory: Alice can be forced to sign on messages of Mallory’s choosing.

23
Q

Using Digital Signatures

A

Alice and Bob have to be sure that they are verifying each other’s signatures.

Trust in the authenticity of public keys, instead of shared secrets, is needed.

Reminder:

  • Public keys can be certified by applying the digital signature of a Trusted Third Party (TTP) called a Certificate Authority (CA).
  • Result (public key + entity name + expiry date + CA signature on three items) called a certificate.
24
Q

Using Certificates

A

To check a certificate signed by a CA requires an authentic copy of the CA’s public key.

  • If two entities have certificates signed by different TTPs, then a cross-certificate is needed (i.e. a copy of one TTP’s public verification key signed by the other TTP).
  • Certification path: a sequence of cross-certificates with the subject of one certificate being the signer of the next certificate in the sequence.

For the long-term memory: public-key cryptography for signatures does not solve the problem of distributing symmetric keys; it shifts it to the problem of verifying the authenticity of public keys.

25
Q

Authenticated Key Establishment – 1

A

Entity authentication is only achieved for a single moment in time, typically at the start of a connection/session.

  • Mallory might be able to hijack the connection after that point.

What if a secure session is needed?

  • Session = combination of confidentiality, integrity, and data origin authenticity for remainder of a communications session.

Solution: securely agree session keys as part of the authentication protocol.

  • Then use those session keys in encryption and MAC mechanisms to build a secure session.
  • Bind the session keys to the authentication to get an authenticated key establishment (AKE) protocol.
26
Q

Session Keys

A

If Alice and Bob already share key K, what is the point of them agreeing a second key SK?

  • SK can be used for a short period of time (the lifetime of the session) while key K, their ‘long-term secret’, is used only to encrypt a single message.
  • The long-term secret is only exposed as much as it needs to be. It can be ‘deleted’ from Alice’s local memory as soon as the message is transmitted.
27
Q

Authenticated Key Establishment 2

A

As a simple example, we can adapt our one-message time-stamp based protocol:

A → B: {T || B}K

simply by adding a session key SK to Alice’s message:

A → B: {T || B || SK}K

Alice is authenticated to Bob and they now share session key SK.

  • Because SK is agreed as part of the authentication protocol, it is bound to that protocol run.
  • So Bob can be sure that only Alice knows SK.
  • Alice can be sure that only Bob could know SK: only Bob could decrypt the message to extract SK.
28
Q

Authenticated Key Establishment 3

A

Public-key encryption can also be used to create authenticated session keys:

  • Alice checks the authenticity of Bob’s public encryption key PKB using a certificate.

A → B: {SK}PK_B

  • Bob can obtain the session key SK by decrypting using his private key.
  • Alice and Bob both use SK to derive encryption and MAC keys to protect their session.
  • Alice can be sure that only Bob could know the session key.
29
Q

Authenticated Key Establishment – 4

A

In the previous protocol, Alice is not authenticated (anyone can encrypt messages for Bob).

B is only implicitly authenticated to A:

  • A is only assured she’s talking to B if messages in the subsequent session make sense (e.g. MACs compute correctly with SK).
  • These subsequent messages will usually contain redundancy or nonces which allow A to be sure they originated only from someone who could decrypt the message {SK}PKB, i.e. B.

A (much) more complicated version of this protocol is an option in SSL

30
Q

Diffie-Hellman Key Exchange Set-up

A

Alice and Bob agree ahead of time on a large prime p (p has, say, 2048 bits) and a number g (more on g later…).

Alice chooses a random x and computes

g^x mod p.

Bob chooses a random y and computes

g^y mod p.

Recall: the time for computing discrete logarithms is O(e^((log n)^3)), whereas exponentiation is only O((log n)^3).

31
Q

Diffie-Hellman Key Exchange

A

Given: prime p, primitive root g

A → B: g^x mod p (x < p, chosen by A and kept secret)

B → A: g^y mod p (y < p, chosen by B and kept secret)

The trick:

(g^x mod p)^y mod p

  = g^xy mod p (easy to compute for B)
  = g^yx mod p (rules of modular arithmetic)
  = (g^y mod p)^x mod p (easy to compute for A)

A and B now share a common key g^xy mod p

32
Q

Primitive Root

A

If p is prime, a primitive root (or generator) g is a number, such that:

for n = 1, …, p-1, g^n mod p enumerates 1, …, p-1 in some order.

33
Q

DFH and Eve

A

Eve sees only the public values, g^x mod p and g^y mod p. But to derive the key, Eve needs to compute

g^xy mod p.

  • DH depends on the discrete logarithm problem: it is believed to be computationally infeasible to calculate the shared secret key k = g^xy mod p given the two public values g^x mod p and g^y mod p when the prime p is sufficiently large.
  • Then the Diffie-Hellman key exchange protocol will be secure against Eve, a passive adversary.
34
Q

DFH and Mallory

A
35
Q

Man in the middle attack

A

Alice thinks she has exchanged key K1 with Bob.

  • Instead, it’s with Mallory.

Bob thinks he has exchanged key K2 with Alice.

  • Instead, it’s with Mallory.

Mallory can now

  • intercept all messages from A intended for B,
  • decrypt them using K1,
  • read them,
  • re-encrypt them under K2 and
  • pass them on to B.

And vice-versa for messages from B to A.

36
Q

What went wrong?

A

Alice and Bob exchanged a key without performing any entity authentication.

  • Keys were exchanged, but Alice and Bob have no guarantees about with whom their exchange took place!

For the long-term memory:

  • The Diffie-Hellman key exchange protocol is not secure against MiM-Attacks!
37
Q

Station-to-Station Protocol

A

A → B: g^x

B → A: g^y, {SB{g^y, g^x}}g^xy

A → B: {SA{g^x, g^y}}g^xy

B can compute the shared key g^xy after step 1, A after step 2.

Why are the additional messages encrypted and signed?

The station-to-station (Diffie, van Oorschot, Wiener) protocol adds authentication (via signatures) to DHKE:

  • Encryption alone is not enough – Mallory can easily break this with a MIM attack.
  • Encryption with key K assures both Alice and Bob that the sender of the messages really does know K.
  • This property is called key confirmation. It’s an important valuable property for a key agreement protocol.
38
Q

Key Distribution via TTPs

A

Scenario:

  • A network with n hosts,
  • All pairs of hosts might want to be able to communicate securely.
  • Would need n(n-1)/2 symmetric keys, each host holding n-1 keys.

Option: Use public-key techniques with trust in keys based on certificates

Alternatively, use a trusted third party called a Key Distribution Centre (KDC) who co-operates to enable users to authenticate one another and share session keys.

  • The Needham-Schroeder protocol.
39
Q

Keys in Needham-Schroeder

A

Each host H shares a single long-term key KH,T with the KDC T; thus:

  • Alice shares a long-term key KA,T with KDC.
  • Bob also shares a long-term key KB,T with KDC.
  • Alice and Bob do not initially share a key.
40
Q

Needham-Schroeder Protocol

A
41
Q

Needham-Schroeder

A
  1. A → T: A || B || NA
  2. T → A: {NA || B || K || {K || A}KB,T}KA,T
  3. A → B: {K||A}KB,T
  4. B → A: {NB}K
  5. A → B: {NB-1}K

In messages 1 and 2, Alice and Trent (the TTP) interact: Trent gives Alice a session key K and authenticates himself.

In messages 3, 4, and 5, the interaction is between Alice and Bob. Alice transfers an encrypted copy of the session key to Bob in message 3 and is authenticated to Bob in messages 4 and 5.

There’s no need to make the Alice/Trent interaction mutually authenticated: if Mallory tries to impersonate Alice to Trent, all he gets back in step 2 is a message encrypted under the Alice/Trent shared key.

42
Q

Considering Security

A

T is authenticated by A.

A is not authenticated to T, but A can only decrypt message 2 if she has the correct key KA,T.

A is authenticated to B (challenge/response based on NB).

If key K is used for subsequent encryption or MACing, then we get implicit authentication of B to A.

  • Recipient of message 3 can only obtain K if he knows correct key KB,T.

We can make authentication between A and B mutual.

  • E.g. A issues a challenge to B as part of message 3 and B responds in message 4.

Session key established: chosen by T, the KDC.

43
Q

Needham Schroeder Advantages

A
  • Key storage efficiency: only n keys to look after at KDC.
  • Only one long-term key per client (KA,T) instead of n-1.
  • Simple symmetric key cryptography is used.
  • Bob can be off-line in steps 1 & 2 and TTP can be off-line in steps 3,4 & 5.
  • So Alice can obtain K from TTP, cache it and then use it later with Bob.
  • Trent never has to interact with Bob. This fits nicely with a client-server model: Trent can grant Alice a session key for communicating with Bob (another server say) without having to check the status of Bob.
44
Q

Needham Schroeder disadvantages

A
  • KDC is a single point of failure – in terms of security and availability.
  • KDC can be a computation/communication bottleneck.
  • An on-line, trusted server is needed:
  • *TTP knows all session keys and all long-term keys.**
  • How can we ensure clients look after their long-term keys properly?
  • If long-term key is compromised, then entities can be impersonated.
  • An issue in non-TTP based solutions too.
45
Q

Needham-Schroeder Weakness

A

Old session keys are valuable: assume Mallory can get hold of an old K and has recorded message 3 of the old protocol run.

  1. A → T: A || B || NA
  2. T → A: {NA || B || K || {K || A}KB,T}KA,T
  3. M → B: {K || A}KB,T
  4. B → M: {NB}K
  5. M → B: {NB-1}K

Bob won’t notice the replay attack.

Cure: introduce a time stamp in step 2.

This needs accurate and trusted clocks.

46
Q

Application Scenario

A

A corporate network, with KDC being a server managed by IT department (say), and hosts being networked resources or users’ machines.

  • Printers
  • Storage
  • Computational Resources

The Needham-Schroeder approach simplifies key management in such a network.

47
Q

Kerberos

A
  • Kerberos is a TTP-based authentication protocol developed from Needham-Schroeder.
48
Q

Kerberos Principals

A

Authentication Server (AS)

  • Authenticated by client at login based on long-term key,
  • AS gives client ticket granting ticket and short-term key.
  • AS provides an authentication service.

Ticket Granting Server (TGS)

  • Authentication with client based on short-term key and ticket
  • TGS then issues tickets to client which give client access to further servers.
  • TGS provides an access control/authorization service.
49
Q

Advantages of Kerberos

A

Logical separation of authentication and authorisation/access control.

  • But: AS and TGS are often implemented on same physical platform.

Differentiated control over lifetime of ticket granting tickets (typically 10 hours) and session tickets for actual access to services (typically 5 minutes).

A user only needs to use his long-term secret key once per 10 hour session, to establish short-term key and ticket granting ticket.

  • Convenient for users.
  • Reduces possibility of exposure of long-term key.
50
Q
A

Messages 1 and 2 are exchanged between the client and the AS. This typically happens only once per ‘log in’. A short-term key is provided by the AS. Message 2 contains the ticket granting ticket and a version of that ticket encrypted under KAS,TGS for the client to forward to the TGS.

Messages 3 and 4 are exchanged between the client and the TGS (using the short-term key provided by the AS). Messages 3 and 4 can be repeated a number of times without repeating messages 1 and 2. The exchange of messages 3 and 4 happens whenever the client wants to communicate with a new server.

Messages 5 and 6 are exchanged between the client and the server (using a key provided by the TGS). Messages 5 and 6 can be repeated a number of times without repeating messages 3 and 4, during the lifetime of the key set up between the client and the server.

51
Q

Kerberos Phases

A

Phase 1: In messages 1 and 2, C and AS use long-term key to authenticate. AS gives C short-term key and ticket granting ticket (TGT).

Phase 2: In messages 3 and 4, C and TGS use short-term key and ticket granting ticket to authenticate. TGS gives C session key and ticket.

Phase 3: In messages 5 and 6, C and S use session key and ticket to authenticate and set up a secure session.

Phases 2 and 3 will usually be repeated many times for each execution of Phase 1.

52
Q

Keys Used in Kerberos

A

KAS,TGS is a long-term key shared by AS and TGS.

KAS,C is a long-term key shared by AS and C.

KTGS,S is a long-term key shared by TGS and S.

-> These keys need to be established in advance!

KC,TGS is a short-term key shared by C and TGS (established by messages 1 and 2).

  • This key is transported securely from C to TGS in the ticket granting ticket.

KC,S is a session key shared by C and S (established by messages 3 and 4).

  • This key is transported securely from C to S in the ticket.
53
Q

Tickets in Kerberos

A

{KC,TGS||C||from||to}KAS,TGS

  • Is the ticket granting ticket.
  • Received by C in message 2 and forwarded to TGS in message 3
  • Only TGS can decrypt it to obtain short-term key KC,TGS and validity period from||to. These parameters determine ticket given to C in message 4.

{KC,S||C||from||to}KTGS,S

  • Is the ticket.
  • Received by C in message 4 and forwarded to S in message 5.
  • Only S can decrypt it to obtain session key KC,S and validity period from||to. These parameters determine access given to C in subsequent session with server S.

These tickets are similar to message 3 in Needham-Schroeder: {K || A}KB,T

  • Now extended with validity periods for keys.
54
Q

Entity Authentication in Kerberos

A

Entity authentications are achieved using a mixture of nonces and timestamps.

Methods are similar to the protocols discussed earlier (and in particular the Needham-Schroeder protocol).

For example: AS is authenticated to C using challenge/response protocol based on encryption, shared key KAS,C and nonce NC in messages 1 and 2.

C is not authenticated to AS explicitly, but C can only decrypt message 2 if it has the correct key KAS,C.

Other authentications: C and TGS; C and S.

55
Q

Use of Cryptography in Kerberos

A
  • Kerberos uses symmetric encryption and MACs.
  • Uses DES combined with one of MD4, MD5, or a CRC.
56
Q

Kerberos Issues

A

Lack of revocation: ticket granting tickets valid until they expire, typically 10 hours. What if compromised?

Key management: within realms (domains): long-term keys need to be established between AS and TGS, TGS and Servers and AS and clients.

Scalability: authentication across realms is complicated.

Synchronous clocks needed, protected against attacks. Caches of recent messages to protect against replay within clock skew.

Availability: need for on-line AS and TGS, trusted by clients not to eavesdrop.

Key storage: short-term keys and ticket granting tickets located on largely unprotected client hosts.

Denial of Service: potential for DoS attacks on clock service or on AS/TGS?

Passwords: in most deployments, the Client-AS long-term key KAS,C is based on a password entered by the user at the start of the session.

Kerberos is therefore vulnerable to dictionary attacks.

Ultimately, then, security is dependent on users and the quality of the passwords they can be persuaded to remember.

Code Vulnerabilities: many found over the years.

57
Q

Single Sign On

A

Kerberos is an example of a Single Sign On (SSO) system.

User enters a single password, and obtains seamless access to multiple network services or applications.

Microsoft Passport: an example of a web-based SSO solution, aimed at e-commerce consumers.

Liberty Alliance: an open, standards-based effort at achieving federated network identity, a concept related to SSO.

Many vendors currently offer similar SSO/password management products.

58
Q

Protocols: A Few Secret Weapons

A

Interlock Protocol

Secret Splitting

SKEY

59
Q

Key Exchange with Public Keys

A

Full version of ‘Authenticated Key Establishment – 3’:

  1. A → B: PKA
  2. B → A: PKB
  3. A → B: {SK}PKB
  4. B → A: {SK}PKA

If Mallory can modify messages 1 and 2, he can put himself in the middle by distributing PKM to Alice and Bob.

-> M must be able to intercept and modify traffic; how hard this is depends on the network (cf. Internet, GSM, Broadcast media,… )

60
Q

Interlock protocol

A
  • A and B want to send messages to each other.
  • A sends first half to B.
  • B sends first half to A.
  • A sends second half to B.
  • B sends second half to A.

Since the man-in-the-middle cannot decrypt half of a message, it must pass something on.

  • Secure if the attacker cannot intelligibly mimic A or B.
61
Q

Simple Authentication using SKEY

A

Let f be a one-way (trap door) function and R a random number.

  • Bob computes and (securely) transmits f(R), f^2(R), …, f^(n-1)(R) to Alice.
  • Bob remembers only one value: current := f^n(R).
  • Alice remembers all f^i(R), 1 < i < n-1.

Alice’s i-th authentication: A → B: f^(n-i)(R)

  • Bob authenticates A by checking f(f^(n-i)(R)) = current

and sets current := f^(n-i)(R).

Knowing what Bob knows cannot compromise Alice!

62
Q

(Dis)Advantages ZK Protocols

A

Advantages of Zero-Knowledge Protocols:

  • Not requiring the revelation of one’s secret.
  • Does not involve complex encryption methods.

Disadvantages of Zero-Knowledge Protocols:

  • Limited: the secret must be numerical, otherwise a translation is needed.
  • Lengthy: each computation requires a certain amount of running time.
  • Imperfect: Mallory can still intercept the transmission (i.e. messages to the Verifier or the Prover might be modified or destroyed).
63
Q

Properties of ZKPs

A

Completeness:

  • The Verifier will always accept a proof from the Prover, given that they both follow the correct protocol.

Soundness:

  • The Verifier will not accept any “incorrect” proof from the Prover, given that the Verifier follows the correct protocol.

Zero-Knowledge:

  • During the whole “proving” process, the Verifier will learn nothing about the Prover’s secret, nor will she be able to prove that secret to any other party.
64
Q

Zero Knowledge Proofs of Identity

A

The Chess Grandmaster Problem

Anyone can defeat or beat a grandmaster in chess:

  • Choose a second grandmaster and act as a man-in-the-middle.

Problem with ZKP:

  • Mallory can act as a man in the middle and pass Alice’s answers to Bob.
  • Can be ‘fixed’ with timestamps, where each answer must be given at an exact time, leaving no time to pass messages on … of little value in practice.