Chapter 2: Protocol Building Blocks Dulal C. Kar

Intro To Protocols A protocol is a series of steps, involving two or more parties, designed to accomplish a task Characteristics of a protocol All parties must know the protocol All parties must agree to follow it Must be unambiguous Must be complete A cryptographic protocol is a protocol that uses cryptography to prevent or detect eavesdropping and cheating

Arbitrated Protocols Arbitrator Protocol example with lawyer A disinterested third party trusted to complete a protocol Ex: lawyer, banker, notary public Protocol example with lawyer Alice gives title to lawyer Bob gives check to Alice Alice deposits check Lawyer gives title to Bob if check gets cleared within a specific time; otherwise lawyer returns title back to Alice

Problems with Computer Arbitrators Two parties are likely to be suspicious of a faceless arbitrator Computer network must bear the cost of maintaining an arbitrator Delay inherent in any arbitrated protocol Arbitrator becomes a vulnerable point for attackers Trent Arbitrator Bob Alice

Adjudicated Protocols Arbitrated protocols are costly Arbitrated protocols can be subdivided into two lower-level subprotocols Non-arbitrated subprotocol Arbitrated subprotocol Executed only in exceptional cases when there is a dispute. Special arbitrator – called adjudicator

Adjudicated Protocols (cont’d) Non-arbitrated subprotocol (executed every time) Alice and Bob negotiate the terms of the contract Alice signs the contract Bob signs the contract Adjudicated subprotocol (executed only in case of a dispute): Alice and Bob appear before a judge Alice presents her evidence Bob presents his evidence The judge rules on the evidence

Adjudicated Computer Protocols Rely on parties to be honest A body of data exists so that a trusted third party could determine if someone cheated Cheater’s identity can be detected Inevitability of detection acts as a preventive and discourages cheating

Self-Enforcing Protocols No arbitrator required Protocol itself guarantees fairness A party can detect whether other party is trying to cheat and therefore, can stop immediately Unfortunately, there is not a self-enforcing protocol for every situation

Attacks Against Protocols Cryptographic attacks Attacks against cryptographic algorithms used in protocols Attacks against cryptographic techniques used to implement the algorithms and protocols Attacks against the protocols themselves Passive attacks Eavesdrop on some or all of the protocol Active attacks Introduce new messages, delete messages, interrupt, alter, reply Passive cheaters Follow protocol, but try to obtain more info Active cheaters Disrupt protocol in progress in an attempt to cheat

Communications Using Symmetric Cryptography Alice and Bob agree on a cryptosystem Alice and Bob agree on a key Alice encrypts her plaintext using the key and the algorithm Alice sends ciphertext to Bob Bob decrypts ciphertext with the same key and the algorithm Problems Keys must be distributed in secret In case of compromise, not only messages can be decrypted but false messages can be produced Total number of keys increases rapidly as the number of users increases. For n users, we need n(n-1)/2 keys Note: A good cryptosystem is one in which all the security is inherent in knowledge of the key and none is inherent in knowledge of the algorithm

One-Way Functions Central to public-key cryptography Relatively easy to compute, but significantly harder to reverse. That is. given x it is easy to compute f(x), but given f(x) it is hard to compute x. Meaning of “hard” in cryptographic sense Would take millions of years to compute x from f(x) with world’s all computers Note One-way functions are not useful for encryption because a message encrypted with a one-way function cannot be decrypted Trapdoor one-way function Special type of one-way function It is easy compute f(x) given x, and hard to compute x given f(x) However, given f(x) and some secret information y, it is easy to compute x

One-Way Hash Functions Building block of many protocols Also called compression functions, contraction functions, message digests, fingerprints, cryptographic checksums, message integrity checks (MIC), manipulation detection codes (MDC) A hash function takes a variable-length input string (called a pre-image) and converts it to a fixed-length, smaller output string (called a hash value) A good one-way hash function is also collision-free It is hard to generate two pre-images with the same hash value

Message Authentication Codes (MAC) Also known as data authentication codes (DAC) One-way hash functions with addition of a secret key Hash value is a function of both the pre-image and the key Exactly same as hash functions except only someone with the key can verify the hash value

Communications Using Public-Key Cryptography 1976, Whitfield Diffie and Martin Hellman first described public-key cryptography Two different keys – one public and the other private Computationally hard to deduce the private key from the public key Mathematically, process is based on trap-door one-way functions previously discussed Secret or trapdoor is the private key Public-key cryptography solves the key management problem with symmetric cryptosystems

Sending Message Using Public-Key Cryptography Alice sending a message to Bob Alice and Bob agree on a public-key cryptosystem Bob sends Alice his public key Alice encrypts her message using Bob’s public key and sends it to Bob Bob decrypts Alice’s message using his private key

Public-key Cryptosystem A database of the public keys of all users is to be maintained for public access Protocol Alice gets Bob’s public key from the database Alice encrypts her message using Bob’s public key and sends it to Bob Bob then decrypts Alice’s message using his private key

Problems with Public-key Cryptography In the real world, public-key algorithms are not used to encrypt messages but to encrypt keys. Why? Public-key algorithms are slow Public-key cryptosystems are vulnerable to chosen-plaintext attacks. If C = E(P), when P is one plaintext out of n possible plaintexts, one has to encrypt all n possible plaintexts and compare with C. Cryptanalyst doesn’t need to know the private key to determine P this way

Hybrid Cryptosystems Public-key cryptography is used to secure and distribute session keys Session keys are used with symmetric algorithms Example Protocol Bob sends Alice his public key Alice generates a random session key, K, encrypts it using Bob’s public key, and sends it to Bob. EB(K). Bob decrypts Alice’s message using his private key to recover the session key. DB(EB(K)) = K Both of them encrypt their communications using the same session key

Signatures Handwritten Signatures’ characteristics Authentic Unforgeable Not reusable Unalterable Cannot be repudiated In reality, none of these characteristics about signatures is completely true

Signing Documents with Symmetric Cryptosystems and an Arbitrator Example: Alice: signer; Bob: Receiver; Trent: Arbitrator Trent shares secret keys KA with Alice and KB with Bob Alice encrypts her message to Bob with KA and sends it to Trent Trent decrypts the message with KA Using KB ,Trent encrypts the decrypted message and a statement that he has received this message from Alice Bob decrypts the bundle with KB. He reads Alice’s message and Trent’s certification Check above protocol for five characteristics in the previous slide

Problems with the Protocol Time-consuming for Trent Trent is a bottleneck in the communication systems A trust-worthy computer system like Trent is difficult to maintain on the network (Trust) Trent has to be completely secure (Security)

Signing Documents with Public-Key Cryptography First invented by Diffie and Hellman Examples: RSA and DSA Basic protocol Alice encrypts the document with her private key, thereby signing the document Alice sends the signed document to Bob Bob decrypts the document with Alice’s public key, thereby verifying the signature Check the protocol for five characteristics in the previous slide

Signing Documents and Timestamps Previous protocol has at least one problem: Bob can cheat Alice in some circumstances. How? Problem with signed digital check: Copies of the digital check maybe used repeatedly Solution: Include timestamps in digital signatures Date and time of the signature are attached to message and signed along the rest of the message

Signing Documents with Public-Key Cryptography and One-Way Hash Functions In practical implementations, public-key algorithms are inefficient to sign long documents Protocol example Alice produces a one-way hash of a document Alice encrypts the hash with her private key, thereby signing the document Alice sends the document and the signed hash to Bob Bob produces one-way hash of the document. He decrypts the signed hash with Alice’s public key for matching and signature verification

Benefits of the Protocol Speed increases. Signature of the hash is the signature of the document Signature can be kept separate from the document Recipient’s storage requirements for document and signature are much smaller An archival system can use this type of protocol to verify the existence of documents without storing their contents

Algorithms and Terminology All digital signature algorithms are public-key algorithms with secret information (private key) to sign documents and public information (public key) to verify signatures. Notation for signing a message with private key K is: Sk(M) Notation for verifying a signature with the corresponding public key is: Vk(M) Digital signature Bit string attached to the document when signed Authentication The protocol by which the receiver is convinced of the identity of the sender and the integrity of the message

Multiple Signatures With one-way hash functions: Alice signs the hash of the document Bob signs the hash of the document Bob sends his signature to Alice Alice sends the document, her signature, and Bob’s signature to Carol Carol verifies both Alice’s signature and Bob’s signature Carol can verify both signatures independently

Non-Repudiation and Digital Signatures Problem with digital signature protocol Alice can sign a document and later claim she did not. She can lie telling that someone has stolen her private key Nothing can be done in this case

Non-Repudiation and Digital Signatures (cont’d) Preserving validity of old signatures using timestamps Alice signs a message Alice includes a signed identified header with the signed message and sends it to Trent Trent verifies Alice’s identity, adds a timestamp, signs it all, and sends it to both Alice and Bob. Bob verifies Trent’s signature, the identifying information, Alice’s signature Alice verifies the message Trent sent to Bob. If she did not originate the message, she speaks up quickly.

Digital Signatures With Encryption Combining digital signatures with public-key cryptography (Authentication + privacy) Alice signs the message with her private key. SA(M) Alice encrypts the signed message with Bob’s public key and sends it to Bob. EB(SA(M)) Bob decrypts the message with his private key. DB(EB(SA(M))) = SA(M) Bob verifies with Alice’s public key and recovers the message. VA(SA(M)) = M Timestamps should be used in this protocol to prevent reuse of messages

Resending the Message as a Receipt Whenever Bob receives a message, he returns it as a confirmation of receipt Alice signs a message with her private key, encrypts it with Bob’s public key and sends it to Bob. EB(SA(M)) Bob decrypts the message with his private key and verifies the signature with Alice’s public key. VA(DB(EB(SA(M)))) = M Bob signs the message with his private key, encrypts it with Alice’s public key, and sends it back to Alice. EA(SB(M)) Alice decrypts the message with private key and verifies signature with Bob’s public key Digital signature verification is subject to possible attack! How? Refer to text.

Attacks Against Public-Key Cryptography A secured but publicly accessible database maintains all public keys Attacker can substitute a public key during transmission To prevent this, a key certification authority or key distribution center (KDC) can sign the public key with its private key

Random and Pseudo-Random-Sequence Generation Problem A random-number generator does not really produce a random sequence The best a computer can produce is a pseudo-random-sequence generator Cryptographically Secure Pseudo-Random Sequences Must be computationally infeasible to predict