Security Protocols and Applications of Cryptography
By: Abhijit Mondal

Needham-Schroeder Protocol :
Suppose A wants to talk with B over the network. How will B know that he is really talking to A? This protocol authenticates A to B, at the same time allowing them to exchange session keys over the network.
 1. A sends a message to Trent (a trusted individual or a computer program over the network) consisting of his name $a$, B's name $b$ and a random number $r_A$.
 2. Trent generates a random session key $k$. Trent then computes $c_2 = (b^{e_A}, k^{e_A}, r_A^{e_A}, k^{e_A e_B}, a^{e_A e_B}, t^{e_A e_B}) \bmod p$, where $e_A$ and $e_B$ are the secret keys that Trent shares with A and B respectively, and $t$ is the current system time. Trent sends $c_2$ to A. The time $t$ is sent to prevent replay attacks, i.e. an adversary pretending to be A may send an old message to Bob.
 3. A decrypts the message with $e_A$, extracts the session key $k$ and confirms that $r_A$ is the same value that he sent to Trent. Then A sends to B $c_3 = (k^{e_B}, a^{e_B}, t^{e_B}) \bmod p$.
 4. B decrypts the message with $e_B$ and extracts the session key $k$, generates a random value $r_B$, and sends to A the message $c_4 = r_B^{k} \bmod p$.
 5. A decrypts the message with $k$, computes $r_B - 1$ and sends to B the message $c_5 = (r_B - 1)^{k} \bmod p$.
 6. B decrypts the message with $k$ and verifies that it is $r_B - 1$, so A must have the same session key and he is the real person.

Kerberos Protocol :
Suppose A wants some service from a server S. Then A must authenticate himself to the server before using its services. In this symmetric key cryptographic protocol (using DES as the encryption algorithm), there are 2 doors that need to be opened before getting access to the server. The first door is guarded by Kerberos and the second is the Ticket Granting Service (TGS) of the server.
 1. A sends a message to the Kerberos server with his identity/password $a$ and the identity $tgs$ of the Ticket Granting Service (TGS) of the server.
 2. The Kerberos server generates a timestamp $t$, a lifetime $l$ for the timestamp, and a random session key $K_{a,tgs}$. It then computes $T_{a,tgs} = \{tgs, \mathrm{DES}(a, N, l, K_{a,tgs})(e_{tgs})\}$, where $N$ is the network address of A and $e_{tgs}$ is the secret key of the TGS shared with Kerberos. Kerberos then encrypts the following with A's secret key $e_A$: $c_1 = \mathrm{DES}(K_{a,tgs})(e_A)$, and the following with the TGS's secret key $e_{tgs}$: $c_2 = \mathrm{DES}(T_{a,tgs})(e_{tgs})$. It then sends $c_1$ and $c_2$ to A.
 3. A decrypts $c_1$, extracts $K_{a,tgs}$ and computes $A_{a,tgs} = \{\mathrm{DES}(a, t, key)(K_{a,tgs})\}$, where $key$ is an additional session key. Then A computes $c_3 = \mathrm{DES}(A_{a,tgs})(K_{a,tgs})$ and sends $c_2$ and $c_3$ to the TGS of the server.
 4. The TGS then decrypts $c_2$ using $e_{tgs}$ and extracts $T_{a,tgs}$. It then uses $T_{a,tgs}$ to extract $K_{a,tgs}$. The TGS then decrypts $c_3$ using $K_{a,tgs}$ and extracts $A_{a,tgs}$. The TGS then decrypts $A_{a,tgs}$ and compares the information in $A_{a,tgs}$ with the information in $T_{a,tgs}$. If they match, the TGS sends the following to the client A: $c_4 = \{\mathrm{DES}(K_{a,s})(K_{a,tgs})\}$ and $c_5 = \{\mathrm{DES}(T_{a,s})(e_s)\}$, where $T_{a,s} = \{s, \mathrm{DES}(a, N, l, K_{a,s})(e_s)\}$, $K_{a,s}$ is the secret session key for A and the server, and $e_s$ is the secret key the TGS shares with the server.
 5. A then decrypts $c_4$ with $K_{a,tgs}$ and computes $A_{a,s} = \{\mathrm{DES}(a, t, key)(K_{a,s})\}$ and then $c_6 = \{\mathrm{DES}(A_{a,s})(K_{a,s})\}$. A then sends $c_5$ and $c_6$ to the server for communication.

Secret Sharing Protocol :
Handing over the control of a missile to one military general or handing over the key of the locker
at the Swiss bank to any one individual would be a risky issue since he may turn out to be crooked. So the way to minimise the risk of a missile disaster or a bankruptcy is to partition the single key into $n$ parts and give each part to a trusted individual responsible for the control of the missile or the locker at the Swiss bank, such that no fewer than $m$ individuals can recover the original key from their shares of the key. E.g. if the key is $K$, $n = 3$ and $m = 3$, then choose $k_1$ and $k_2$ and compute $K \oplus k_1 \oplus k_2 = k_3$. Then distribute $k_1$, $k_2$ and $k_3$ to three trusted individuals. To construct the original key $K$, they need all three keys, such that $k_1 \oplus k_2 \oplus k_3 = K$.

Algorithm :
 1. Construct a polynomial of degree $(m-1)$, $f(x) = a_{m-1}x^{m-1} + a_{m-2}x^{m-2} + \dots + a_1 x + K$, where $K$ is the original secret key and $a_i \in Z_p$ for a prime $p$. The $a_i$ are secrets that must be destroyed.
 2. Evaluate $f(1), f(2), \dots, f(n) \pmod p$ and distribute these values to the $n$ trusted officials assigned for the execution of the task.
 3. To find $K$, at least $m$ officials must come together and disclose their values, then perform Gaussian elimination to solve the linear system of equations for the $a_i$ and $K$. Fewer than $m$ individuals cannot find $K$ without a brute force search over $Z_p$.

Zero Knowledge Proofs :
How do you prove your identity to someone without revealing information about you? How do you prove to someone that you know the proof of a problem without showing him/her the actual proof?
These are called Zero Knowledge Proofs, since you are not revealing information about your secret to the verifier while at the same time convincing him/her that you are the authentic person. The verifier may be a spy who is looking to know your secret and pass on that secret to his nation.

E.g. proving Graph Isomorphism to a verifier V.
Problem : P wants to prove to V the isomorphism between graphs $G_1$ and $G_2$.
 1. P generates a random permutation $H$ of $G_1$ such that $H$ is isomorphic to $G_1$. P knows the isomorphism between $H$ and $G_2$. Finding the isomorphism between $G_1$ and $H$ or $G_2$ and $H$ is as hard as finding the isomorphism between $G_1$ and $G_2$, hence nobody knows the relations between them.
 2. P sends $H$ to V.
 3. V flips a coin. If it's a head, V asks P to prove that $H$ and $G_1$ are isomorphic; if it's a tail, V asks P to prove that $H$ and $G_2$ are isomorphic.
 4. P then complies and proves to V either that $H$ and $G_1$ are isomorphic or that $H$ and $G_2$ are isomorphic.
 5. P then again generates a random permutation graph $H$ isomorphic to either $G_1$ or $G_2$ and both of them then follow steps 1 to 4. They do this $n$ times until V is convinced that P knows the isomorphism between $G_1$ and $G_2$.

Here is how it works:
If P knows the isomorphism between $G_1$ and $G_2$:
Then whether V asks P to prove $H$ and $G_1$ are isomorphic or $H$ and $G_2$ are isomorphic, P will be able to prove it to V every time, until V is convinced of P's identity.
If P does not know the isomorphism between $G_1$ and $G_2$:
Then if V asks P to prove that $H$ and the graph from which P generated $H$ are isomorphic, P will be able to fool V; otherwise P will be caught as an impostor. The probability that P will be able to fool V after $n$ rounds is 1 in $2^n$, because in one round P fools V with a chance of ½. For large $n$, the chances of a false P passing the test are very small.

Here is another variant of Zero Knowledge Proof :
Suppose P wants to prove to V that he knows the solution to the DLP $m^y \equiv x \pmod p$ without telling V the value of $y$.
 1. P sends to V the values $m$, $x$ and $p$.
 2. V generates a random number $a$ and computes the four combinations $\{am, a^{-1}m^{-1}, a^{-1}m, am^{-1}\}$
    (mod p) in any random order and sends the quadruple to P, but does not reveal to P the ordering of the values. V only sends $\{u, v, w, z\} \in \{am, a^{-1}m^{-1}, a^{-1}m, am^{-1}\} \pmod p$ and asks P to compute $\{u^y, v^y, w^y, z^y\} \pmod p$.
 3. P computes $\{u^y, v^y, w^y, z^y\} \pmod p$ and sends them to V.
 4. V then sends $a \pmod p$ to P and asks him to find $a^y \pmod p$.
 5. P computes $a^y \pmod p$ and sends it to V.
 6. Now V checks that $\{u^y, v^y, w^y, z^y\} \pmod p \in \{a^y x, a^{-y}x^{-1}, a^{-y}x, a^y x^{-1}\} \pmod p$, and expects the values to be in the same order as he sent them before.
 7. If all of the above relations hold and are in the correct order, then V starts another round of computation from step 2 and continues until V is convinced that P truly knows the value of $y$. If any of the above results does not match, then P is an impostor.

If P knows the ordering of $\{am, a^{-1}m^{-1}, a^{-1}m, am^{-1}\} \pmod p$, then P can compute $a$ and P can construct values such that they give the same relations as when V computes them, thus V has no chance of knowing whether P really did the computation V desired or P just constructed values to fool him. Thus an impostor P has a chance of 1 in 24 of correctly guessing the exact permutation and thus fooling V. In $n$ rounds the chance that an impostor P successfully passes the test is $1/(24)^n$, which is extremely small for large $n$. For $n = 10$, the chance that P fools V is of the order of $10^{-14}$.
V can still decrease this probability by choosing $s$ random numbers and sending a permutation of $2^{s+1}$ elements modulo $p$. In that case the chance of P fooling V in $n$ rounds is $1/(2^{s+1}!)^n$. But for large $s$ the computation performed on the part of V increases exponentially, so $s = 2$ and $n = 10$ will be a good enough choice to catch even the most notorious masterminds.
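The six Needham-Schroeder steps above can be traced in Python with the exponentiation cipher $x \mapsto x^e \bmod p$. This is an added example, not code from the original document; the modulus `P`, the integer encodings of the names, the function names and the 30-second freshness check on $t$ are assumptions, and the parameters are toy values.

```python
import secrets
import time
from math import gcd

P = 2**127 - 1  # public prime modulus (assumed toy parameter)

def keygen():
    """Random exponent e with gcd(e, P-1) = 1, so x -> x^e mod P is invertible."""
    while True:
        e = secrets.randbelow(P - 3) + 2
        if gcd(e, P - 1) == 1:
            return e

def enc(x, e):
    return pow(x, e, P)

def dec(c, e):
    return pow(c, pow(e, -1, P - 1), P)  # undo x^e with e^-1 mod (P-1)

def trent(a, b, r_a, e_a, e_b, now):
    k = keygen()  # session key; steps 4-5 use it as an exponent too
    ticket = [enc(v, e_b) for v in (k, a, now)]          # only B can open this
    return [enc(v, e_a) for v in (b, k, r_a, *ticket)]   # c2

def alice_open(c2, b, r_a, e_a):
    got_b, k, got_r, *c3 = [dec(v, e_a) for v in c2]
    if (got_b, got_r) != (b, r_a):
        raise ValueError("Trent's reply does not match A's request")
    return k, c3  # c3 = (k^eB, a^eB, t^eB)

def bob_open(c3, e_b, now, max_age=30):
    k, a, t = [dec(v, e_b) for v in c3]
    if not 0 <= now - t <= max_age:  # assumed freshness window in seconds
        raise ValueError("stale ticket: possible replay")
    return k, a

def run(ticket_delay=0):
    a, b = 0xA11CE, 0xB0B  # constructed identities encoded as integers
    e_a, e_b = keygen(), keygen()
    r_a, t0 = secrets.randbelow(P - 2) + 1, int(time.time())
    c2 = trent(a, b, r_a, e_a, e_b, t0)                # steps 1-2
    k_a, c3 = alice_open(c2, b, r_a, e_a)              # step 3
    k_b, who = bob_open(c3, e_b, t0 + ticket_delay)    # step 4: B opens c3
    r_b = secrets.randbelow(P - 3) + 2
    c4 = enc(r_b, k_b)                                 # step 4: B's challenge
    c5 = enc(dec(c4, k_a) - 1, k_a)                    # step 5: A's response
    return who == a and dec(c5, k_b) == r_b - 1        # step 6: B verifies
```

Calling `run(ticket_delay=3600)` models B receiving an old $c_3$ and raises `ValueError`, which is the replay case the timestamp $t$ exists to catch.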
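The graph isomorphism rounds described earlier can be simulated to compare a prover who knows the isomorphism with an impostor who has to guess V's coin. This is an added example, not part of the original document; the sample graph, the permutation `PI` and all function names are constructed for illustration.

```python
import random

def permute(graph, perm):
    """Relabel every vertex v of an edge set as perm[v]."""
    return frozenset(frozenset((perm[u], perm[v])) for u, v in graph)

def invert(perm):
    inv = [0] * len(perm)
    for v, w in enumerate(perm):
        inv[w] = v
    return inv

# Constructed sample data: G1, a secret relabelling PI, and G2 = PI(G1).
G1 = frozenset(frozenset(e) for e in [(0, 1), (1, 2), (2, 3), (3, 4), (4, 5), (0, 2)])
PI = [3, 0, 4, 1, 5, 2]
G2 = permute(G1, PI)

def zk_round(g1, g2, n, secret_iso, rng):
    """One round of steps 1-4; secret_iso maps G1 -> G2, or is None for an impostor."""
    sigma = list(range(n))
    rng.shuffle(sigma)
    # Honest P always starts from G1; an impostor must guess V's coin in advance.
    base = 1 if secret_iso is not None else rng.choice((1, 2))
    h = permute(g1 if base == 1 else g2, sigma)    # steps 1-2: P sends H
    coin = rng.choice((1, 2))                      # step 3: V's challenge
    if coin == base:
        answer = sigma                             # map G_coin -> H directly
    elif secret_iso is not None:
        inv = invert(secret_iso)                   # G2 -> G1, then G1 -> H
        answer = [sigma[inv[v]] for v in range(n)]
    else:
        answer = sigma                             # impostor has no valid map
    return permute(g1 if coin == 1 else g2, answer) == h  # step 4: V checks

def acceptance_rate(g1, g2, n, secret_iso, rounds, seed=1):
    """Fraction of rounds V accepts; seeded PRNG for a repeatable demo only."""
    rng = random.Random(seed)
    return sum(zk_round(g1, g2, n, secret_iso, rng) for _ in range(rounds)) / rounds
```

The honest prover is accepted in every round, while the impostor is accepted in about half of them, which is where the 1 in $2^n$ bound over $n$ rounds comes from.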