
1.1 What is the difference between a protocol and an algorithm?

1.2 In Prot 1.1 Alice can decide HEADS or TAILS. This may be an unfair advantage for some applications. Modify the protocol so that Alice can no longer have this advantage.

Hint: let a correct guess decide the side.

1.3 Let function f map from the space of 200-bit integers to that of 100-bit ones with the following mapping rule:

here " " denotes bit-by-bit XOR operation, i.e.,

i. Is f efficient?

ii. Does f have the "Magic Property I"?

iii. Does f have the "Magic Property II"?

iv. Can this function be used in Prot 1.1?

1.4 Is an unbroken cryptographic algorithm more secure than a known broken one? If not, why?

1.5 Complex systems are error-prone. Give an additional reason for a complex security system to be even more error-prone.

• Table of Contents

Modern Cryptography: Theory and Practice, by Wenbo Mao, Hewlett-Packard Company

Publisher: Prentice Hall PTR; Pub Date: July 25, 2003

ISBN: 0-13-066943-1; Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

Chapter 2. Wrestling Between Safeguard and Attack

Section 2.1. Introduction

Section 2.2. Encryption

Section 2.3. Vulnerable Environment (the Dolev-Yao Threat Model)

Section 2.4. Authentication Servers

Section 2.5. Security Properties for Authenticated Key Establishment

Section 2.6. Protocols for Authenticated Key Establishment Using Encryption

Section 2.7. Chapter Summary


2.1 Introduction

One reason for the existence of many cryptographic protocols is the consequence of a fact: it is very difficult to make cryptographic protocols correct. Endless endeavors have been made to design correct protocols. Many new protocols were proposed as a result of fixing existing ones in which security flaws were discovered. A security flaw in a cryptographic protocol can always be described by an attack scenario in which some security services that the protocol purports to provide can be sabotaged by an attacker or by a number of them via their collusion. In the area of cryptographic protocols it is as if there is a permanent wrestling between protocol designers and attackers: A protocol is proposed, an attack is discovered, a fix follows, then another attack, and another fix …

In this chapter we shall demonstrate a series of examples of a wrestling battle between attack and fix. We shall start from an artificial protocol which is made flawed deliberately. From that protocol we will go through a "fix, attack, fix again and attack again" process. Eventually we will reach two protocols which have been proposed for solving information security problems in the real world (all of the flawed and "fixed" then broken protocols prior to these two final results are artificial protocols). The two real protocol results from our "attack, fix, attack, fix, …" process are not only real protocols, but also well-known ones for two reasons. They have played seminal roles both in applications and in underlying an important study on formal analysis of cryptographic protocols.

Unfortunately, these two real protocols from our fixing attempts still contain security flaws which were only discovered long after their publication. One flaw in one of them was found three years after the publication, and another flaw in the other protocol was exposed after another fourteen years passed! Having revealed these flaws, we will make a final attempt at fixing, although we will delay the revelation of some further security problems in the result of our final fix to a later chapter, when we become technically better prepared to deal with the problems. Leaving security problems unsolved in this chapter, we intend this chapter to serve as an "early-warning" message: cryptographic algorithms, protocols and systems can easily contain security flaws. This chapter also serves as a technical introduction to material and ideas that will enable us (in particular, readers who are new to the areas of cryptography, cryptographic protocols and information security) to establish some common and important concepts, definitions and agreements in the areas of study. These include some basic terminologies and the meanings behind them (a term appearing for the first time will be in bold form), and the naming convention for the protocol participants whom we will frequently be meeting throughout the book. Also, the attacks on these flawed protocols will let us become familiar with some typical behavior of a special role in our game play: the enemy, against whom we design cryptographic protocols.

2.1.1 Chapter Outline

In §2.2 we introduce a simplified notion of encryption which will be used for this chapter only. In §2.3—§2.5 we introduce the standard threat model, environment and goal for cryptographic, in particular authentication, protocols. Finally, in §2.6 we develop a series of authentication protocols.


2.2 Encryption

All protocols to be designed in this chapter will use encryption. We should provide an early warning on this "one-thing-for-all-purpose" style of using encryption: in many cases such uses are incorrect and some other cryptographic primitives should be used instead. In this book we will gradually develop the sense of precisely using cryptographic primitives for obtaining precise security services. However, to ease our introduction, let us rely on encryption solely in this chapter.

Encryption (sometimes called encipherment) is a process to transform a piece of information into an incomprehensible form. The input to the transformation is called plaintext (or cleartext) and the output from it is called ciphertext (or cryptogram). The reverse process of transforming ciphertext into plaintext is called decryption (or decipherment). Notice that plaintext and ciphertext are a pair of respective notions: the former refers to messages input to, and the latter, output from, an encryption algorithm. Plaintext needn't be in a comprehensible form; for example, in the case of double encryption, a ciphertext can be in the position of a plaintext for re-encryption; we will also see many times in this chapter that encryption of random numbers is very common in cryptographic protocols. Usually, cleartext means messages in a small subset of all possible messages which have certain recognizable distributions. In §3.7 we will study the distribution of a message.

The encryption and decryption algorithms are collectively called cryptographic algorithms (cryptographic systems or cryptosystems). Both encryption and decryption processes are controlled by a cryptographic key, or keys. In a symmetric (or shared-key) cryptosystem, encryption and decryption use the same (or essentially the same) key; in an asymmetric (or public-key) cryptosystem, encryption and decryption use two different keys: an encryption key and a (matching) decryption key. The encryption key can be made public (and hence is also called the public key) without allowing the matching decryption key to be discovered (and thus the decryption key in a public-key cryptosystem is also called the private key). Fig 2.1 illustrates a simplified pictorial description of a cryptographic system. A more complete view of a cryptosystem will be given in Chapter 7 (Fig 7.1).
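The following added example (not code from the book) makes the section's two points concrete in Python: plaintext and ciphertext are positional notions, so in double encryption the ciphertext under the first key is the plaintext for the second, and a random number is as valid a plaintext as a message. The keystream construction (HMAC-SHA256 as a PRF over a random nonce and counter) is a constructed stand-in for a real symmetric cipher; it provides confidentiality only and no integrity, which is exactly the kind of "encryption for everything" use the section warns about.

```python
import hmac
import hashlib
import os

NONCE_LEN = 16  # constructed choice for this illustration

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive a keystream of the requested length from key, nonce and a counter
    using HMAC-SHA256 as a pseudorandom function (constructed toy, not a standard)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || (plaintext XOR keystream). The plaintext may be text,
    a random number, or the ciphertext of an earlier encryption."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    """Symmetric: the same key that encrypted also decrypts."""
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))

def double_encrypt(k1: bytes, k2: bytes, message: bytes) -> bytes:
    """The ciphertext under k1 sits in the plaintext position for k2."""
    return encrypt(k2, encrypt(k1, message))

def double_decrypt(k1: bytes, k2: bytes, ciphertext: bytes) -> bytes:
    """Layers come off in reverse order: k2 first, then k1."""
    return decrypt(k1, decrypt(k2, ciphertext))

def demo() -> dict:
    """Exercise the definitions on constructed keys and messages."""
    k1, k2 = os.urandom(32), os.urandom(32)
    message = b"meet at noon"
    random_number = os.urandom(16)  # a random plaintext, common in protocols
    c = double_encrypt(k1, k2, message)
    return {
        "roundtrip_ok": double_decrypt(k1, k2, c) == message,
        "wrong_order_fails": double_decrypt(k2, k1, c) != message,
        "random_roundtrip_ok": decrypt(k1, encrypt(k1, random_number)) == random_number,
        "overhead_bytes": len(c) - len(message),  # two nonces, one per layer
    }

if __name__ == "__main__":
    print(demo())
```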
