Chapter 2: Protocol Building Blocks

Dulal C. Kar

Intro To Protocols

• A protocol is a series of steps, involving two or more parties, designed to accomplish a task

• Characteristics of a protocol– All parties must know the protocol– All parties must agree to follow it– Must be unambiguous– Must be complete

• A cryptographic protocol is a protocol that uses cryptography to prevent or detect eavesdropping and cheating

Arbitrated Protocols• Arbitrator

– A disinterested third party trusted to complete a protocol

– Ex: lawyer, banker, notary public

• Protocol example with lawyer1. Alice gives title to lawyer

2. Bob gives check to Alice

3. Alice deposits check

4. Lawyer gives title to Bob if check gets cleared within a specific time; otherwise lawyer returns title back to Alice

Problems with Computer Arbitrators

• Two parties are likely to be suspicious of a faceless arbitrator

• Computer network must bear the cost of maintaining an arbitrator

• Delay inherent in any arbitrated protocol• Arbitrator becomes a vulnerable point for

attackers

AliceBob

Trent

Arbitrator

Adjudicated Protocols

• Arbitrated protocols are costly

• Arbitrated protocols can be subdivided into two lower-level subprotocols– Non-arbitrated subprotocol– Arbitrated subprotocol

• Executed only in exceptional cases when there is a dispute. Special arbitrator – called adjudicator

Adjudicated Protocols (cont’d)• Non-arbitrated subprotocol (executed every

time)1. Alice and Bob negotiate the terms of the contract2. Alice signs the contract3. Bob signs the contract

• Adjudicated subprotocol (executed only in case of a dispute):

1. Alice and Bob appear before a judge2. Alice presents her evidence3. Bob presents his evidence4. The judge rules on the evidence

Adjudicated Computer Protocols

• Rely on parties to be honest

• A body of data exists so that a trusted third party could determine if someone cheated

• Cheater’s identity can be detected

• Inevitability of detection acts as a preventive and discourages cheating

Self-Enforcing Protocols

• No arbitrator required

• Protocol itself guarantees fairness

• A party can detect whether other party is trying to cheat and therefore, can stop immediately

• Unfortunately, there is not a self-enforcing protocol for every situation

Attacks Against Protocols• Cryptographic attacks

– Attacks against cryptographic algorithms used in protocols– Attacks against cryptographic techniques used to implement the

algorithms and protocols– Attacks against the protocols themselves

• Passive attacks– Eavesdrop on some or all of the protocol

• Active attacks– Introduce new messages, delete messages, interrupt, alter,

reply• Passive cheaters

– Follow protocol, but try to obtain more info• Active cheaters

– Disrupt protocol in progress in an attempt to cheat

Communications Using Symmetric

Cryptography 1. Alice and Bob agree on a cryptosystem2. Alice and Bob agree on a key3. Alice encrypts her plaintext using the key and the algorithm4. Alice sends ciphertext to Bob5. Bob decrypts ciphertext with the same key and the algorithm

• Problems– Keys must be distributed in secret– In case of compromise, not only messages can be decrypted but

false messages can be produced– Total number of keys increases rapidly as the number of users

increases. For n users, we need n(n-1)/2 keys

• Note: A good cryptosystem is one in which all the security is inherent in knowledge of the key and none is inherent in knowledge of the algorithm

One-Way Functions

• Central to public-key cryptography• Relatively easy to compute, but significantly harder to

reverse. That is. given x it is easy to compute f(x), but given f(x) it is hard to compute x.

• Meaning of “hard” in cryptographic sense– Would take millions of years to compute x from f(x) with world’s

all computers• Note

– One-way functions are not useful for encryption because a message encrypted with a one-way function cannot be decrypted

• Trapdoor one-way function– Special type of one-way function– It is easy compute f(x) given x, and hard to compute x given f(x)– However, given f(x) and some secret information y, it is easy to

compute x

One-Way Hash Functions• Building block of many protocols• Also called compression functions, contraction

functions, message digests, fingerprints, cryptographic checksums, message integrity checks (MIC), manipulation detection codes (MDC)

• A hash function takes a variable-length input string (called a pre-image) and converts it to a fixed-length, smaller output string (called a hash value)

• A good one-way hash function is also collision-free

• It is hard to generate two pre-images with the same hash value

Message Authentication Codes (MAC)

• Also known as data authentication codes (DAC)

• One-way hash functions with addition of a secret key

• Hash value is a function of both the pre-image and the key

• Exactly same as hash functions except only someone with the key can verify the hash value

Communications Using Public-Key Cryptography

• 1976, Whitfield Diffie and Martin Hellman first described public-key cryptography

• Two different keys – one public and the other private• Computationally hard to deduce the private key from the

public key• Mathematically, process is based on trap-door one-way

functions previously discussed• Secret or trapdoor is the private key• Public-key cryptography solves the key management

problem with symmetric cryptosystems

Sending Message Using Public-Key Cryptography

Alice sending a message to Bob1. Alice and Bob agree on a public-key

cryptosystem

2. Bob sends Alice his public key

3. Alice encrypts her message using Bob’s public key and sends it to Bob

4. Bob decrypts Alice’s message using his private key

Public-key Cryptosystem

• A database of the public keys of all users is to be maintained for public access

• Protocol1. Alice gets Bob’s public key from the

database

2. Alice encrypts her message using Bob’s public key and sends it to Bob

3. Bob then decrypts Alice’s message using his private key

Problems with Public-key Cryptography

• In the real world, public-key algorithms are not used to encrypt messages but to encrypt keys. Why?

• Public-key algorithms are slow• Public-key cryptosystems are vulnerable to

chosen-plaintext attacks. If C = E(P), when P is one plaintext out of n possible plaintexts, one has to encrypt all n possible plaintexts and compare with C. Cryptanalyst doesn’t need to know the private key to determine P this way

Hybrid Cryptosystems

• Public-key cryptography is used to secure and distribute session keys

• Session keys are used with symmetric algorithms

• Example Protocol1. Bob sends Alice his public key2. Alice generates a random session key, K, encrypts it

using Bob’s public key, and sends it to Bob. EB(K).3. Bob decrypts Alice’s message using his private key

to recover the session key. DB(EB(K)) = K4. Both of them encrypt their communications using the

same session key

Signatures

• Handwritten Signatures’ characteristics– Authentic– Unforgeable– Not reusable– Unalterable– Cannot be repudiated

• In reality, none of these characteristics about signatures is completely true

Signing Documents with Symmetric

Cryptosystems and an Arbitrator – Example: Alice: signer; Bob: Receiver; Trent:

Arbitrator– Trent shares secret keys KA with Alice and KB with

Bob

1. Alice encrypts her message to Bob with KA and sends it to Trent

2. Trent decrypts the message with KA

3. Using KB ,Trent encrypts the decrypted message and a statement that he has received this message from Alice

4. Bob decrypts the bundle with KB. He reads Alice’s message and Trent’s certification

Check above protocol for five characteristics in the previous slide

Problems with the Protocol

• Time-consuming for Trent

• Trent is a bottleneck in the communication systems

• A trust-worthy computer system like Trent is difficult to maintain on the network (Trust)

• Trent has to be completely secure (Security)

Signing Documents with Public-Key Cryptography

• First invented by Diffie and Hellman• Examples: RSA and DSA• Basic protocol

– Alice encrypts the document with her private key, thereby signing the document

– Alice sends the signed document to Bob– Bob decrypts the document with Alice’s public key,

thereby verifying the signature

• Check the protocol for five characteristics in the previous slide

Signing Documents and Timestamps

• Previous protocol has at least one problem: Bob can cheat Alice in some circumstances. How? Problem with signed digital check: Copies of the digital check maybe used repeatedly

• Solution: Include timestamps in digital signatures• Date and time of the signature are attached to

message and signed along the rest of the message

Signing Documents with Public-Key Cryptography and One-Way Hash

Functions

• In practical implementations, public-key algorithms are inefficient to sign long documents

• Protocol example1. Alice produces a one-way hash of a document

2. Alice encrypts the hash with her private key, thereby signing the document

3. Alice sends the document and the signed hash to Bob

4. Bob produces one-way hash of the document. He decrypts the signed hash with Alice’s public key for matching and signature verification

Benefits of the Protocol

• Speed increases. Signature of the hash is the signature of the document

• Signature can be kept separate from the document

• Recipient’s storage requirements for document and signature are much smaller

• An archival system can use this type of protocol to verify the existence of documents without storing their contents

Algorithms and Terminology• All digital signature algorithms are public-key

algorithms with secret information (private key) to sign documents and public information (public key) to verify signatures.

• Notation for signing a message with private key K is: Sk(M)

• Notation for verifying a signature with the corresponding public key is: Vk(M)

• Digital signature– Bit string attached to the document when signed

• Authentication– The protocol by which the receiver is convinced of the

identity of the sender and the integrity of the message

Multiple Signatures

• With one-way hash functions:1. Alice signs the hash of the document2. Bob signs the hash of the document3. Bob sends his signature to Alice4. Alice sends the document, her signature,

and Bob’s signature to Carol5. Carol verifies both Alice’s signature and

Bob’s signature

• Carol can verify both signatures independently

Non-Repudiation and Digital Signatures

• Problem with digital signature protocol– Alice can sign a document and later claim she

did not. She can lie telling that someone has stolen her private key

– Nothing can be done in this case

Non-Repudiation and Digital Signatures (cont’d)

• Preserving validity of old signatures using timestamps1. Alice signs a message2. Alice includes a signed identified header with the

signed message and sends it to Trent3. Trent verifies Alice’s identity, adds a timestamp,

signs it all, and sends it to both Alice and Bob.4. Bob verifies Trent’s signature, the identifying

information, Alice’s signature5. Alice verifies the message Trent sent to Bob. If

she did not originate the message, she speaks up quickly.

Digital Signatures With Encryption

• Combining digital signatures with public-key cryptography (Authentication + privacy)

1. Alice signs the message with her private key. SA(M)

2. Alice encrypts the signed message with Bob’s public key and sends it to Bob. EB(SA(M))

3. Bob decrypts the message with his private key. DB(EB(SA(M))) = SA(M)

4. Bob verifies with Alice’s public key and recovers the message. VA(SA(M)) = M

• Timestamps should be used in this protocol to prevent reuse of messages

Resending the Message as a Receipt

• Whenever Bob receives a message, he returns it as a confirmation of receipt1. Alice signs a message with her private key, encrypts

it with Bob’s public key and sends it to Bob. EB(SA(M))

2. Bob decrypts the message with his private key and verifies the signature with Alice’s public key. VA(DB(EB(SA(M)))) = M

3. Bob signs the message with his private key, encrypts it with Alice’s public key, and sends it back to Alice. EA(SB(M))

4. Alice decrypts the message with private key and verifies signature with Bob’s public key

• Digital signature verification is subject to possible attack! How? Refer to text.

Attacks Against Public-Key Cryptography

• A secured but publicly accessible database maintains all public keys

• Attacker can substitute a public key during transmission

• To prevent this, a key certification authority or key distribution center (KDC) can sign the public key with its private key

Random and Pseudo-Random-Sequence Generation

• Problem– A random-number generator does not really

produce a random sequence– The best a computer can produce is a

pseudo-random-sequence generator

• Cryptographically Secure Pseudo-Random Sequences– Must be computationally infeasible to predict