Report

Putting it all together: using multiple primitives together Cristina Onete [email protected] Rennes, 23/10/2014 Exercise 1 Say you have a signature scheme SScheme = (KGen, Sign, Vf) Say this scheme is unforgeable against CMA Modify the signature algorithm: ′ = () ] ′ , ∗ , = 1 iff. = ∗ & (, ) = 1 Is this still unforgeable against CMA? Cristina Onete || 23/10/2014 || 2 Exercise 2 We have an arbitrary unforgeable signature scheme: SScheme = (KGen, Sign, Vf) And we also have any IND-CCA encryption scheme EScheme = (KGen, Enc, Dec) Say we want to ensure that a confidential message comes from a given party. Can we send: • ? • ; ? • | () ? Cristina Onete || 23/10/2014 || 3 Interlude What would we use in order to: • Send a confidential message • Encrypt a large document • Send a confidential AND authenticated message • Authenticate a message with non-repudiation • Authenticate a message without non-repudiation Find correspondences • Confidentiality Hash function • Collision-resistance MAC code • Authenticity Symmetric encryption • Non-repudiation PK Encryption • Integrity Digital Signatures Cristina Onete || 23/10/2014 || 4 Exercise 3 The Hash paradigm for signatures : • Improves the security of signature schemes • Improves efficiency for signatures, making their size the same, irrespective of the message length Can we do the same for encryption schemes, i.e. use instead of Can we send just ( ) instead of Cristina Onete || 23/10/2014 || 5 Exercise 4 Symmetric encryption is faster than PK encryption Suppose Amélie generates a symmetric encryption key (e.g. for AES 128) and encrypts a message for Baptiste with this key. Baptiste does not know the secret key. By using one (or more) of the following mechanisms, show how Amélie can ensure that Baptiste can decrypt. • A public key encryption scheme • A symmetric encryption scheme • A signature scheme • A MAC scheme • A hash scheme Cristina Onete || 23/10/2014 || 6 Exercise 5 Amélie and Baptiste share a secret key for a MAC scheme 1 1 Amélie ……… Baptiste 2 2 They exchange some messages, without signing each one, but at the end, each party will send a MAC of the message: {<Name> || 1 || 1 || 2 || 2 … || } How does CBC-mode symmetric encryption work? Why would this method be indicated for long conversations? Cristina Onete || 23/10/2014 || 7 Exercise 6 Consider the DSA signature scheme Say Amélie signs two different messages 1 ≠ 2 with the same ephemeral value (and obviously the same private key ) How would an attacker know from the signatures that the same ephemeral value was used for both signatures? Show how to retrieve given the two signatures for 1 and 2 Cristina Onete || 23/10/2014 || 8 Exercise 7 Amélie wants to do online shopping, say on Ebay She needs to establish a secure channel with an Ebay server, i.e. be able to exchange message confidentially and integrally/authentically with its server This is actually done by sharing one MAC key and one symmetric encryption key between them The server has a certified RSA public encryption key, but Amélie does not How can Amélie make sure they share the two secret keys? How can they check that they are sharing the same keys? Cristina Onete || 23/10/2014 || 9 Exercise 8 List the properties of a hash function. Think of: input size, output size, who can compute it etc. Imagine we have a public key encryption scheme. We generate and , but throw away and publish We implement a hash scheme by using the PKE scheme, by using ∶= () • Should the PKE scheme be deterministic or probabilistic? • Analyse the case of Textbook RSA as the encryption scheme. Which properties of the hash function are guaranteed? • Assume the generic PKE scheme ensures that a plaintext cannot be recovered from the ciphertext. Which properties of the hash scheme does the PKE scheme guarantee? Cristina Onete || 23/10/2014 || 10 Exercise 9 A pseudo-random generator is a deterministic function that takes as input a fixed-length string (a seed) and which outputs a much longer string , such that looks random to any adversary Assume Amélie and Baptiste share a seed Consider symmetric encryption with key , where encryption is done as ≔ , for messages of length equal to that of () (and padded otherwise) • Is this scheme deterministic or probabilistic? • Show that this scheme is insecure if the adversary can request the decryption of even a single ciphertext. • How can we make it secure even if the adversary can decrypt arbitrary ciphertexts? Cristina Onete || 23/10/2014 || 11 Thanks! CIDRE