Appendix A: Introduction To Cryptographic Algorithms and Protocols

Security and Cooperation
in Wireless Networks
http://secowinet.epfl.ch/
Appendix A: Introduction to cryptographic

algorithms and protocols
symmetric and
asymmetric key
encryption;
hash functions;
MAC functions;
digital signatures;
key establishment
protocols;
advanced
authentication
techniques;
© 2007 Levente Buttyán and Jean-Pierre Hubaux
Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions
A.4 Message authentication codes
A.5 Digital signatures
A.6 Session key establishment protocols
A.7 Pseudo-random number generators
A.8 Advanced authentication techniques
Security and Cooperation in Wireless Networks

Appendix A: Intro to cryptographic algorithms and protocols
2/80
Introduction
 security is about how to prevent attacks, or -- if prevention is not
possible -- how to detect attacks and recover from them
 an attack is a a deliberate attempt to compromise a system; it usually

exploits weaknesses in the system’s design, implementation, operation,
or management
 attacks can be
– passive
• attempts to learn or make use of information from the system but does not affect
system resources
• examples: eavesdropping message contents, traffic analysis
• difficult to detect, should be prevented
– active
• attempts to alter system resources or affect their operation
• examples: masquerade (spoofing), replay, modification (substitution, insertion,
destruction), denial of service
• difficult to prevent, should be detected

A.1 Introduction 3/80
Main security services
 authentication
– aims to detect masquerade
– provides assurance that a communicating entity is the one that it claims to be
 access control
– aims to prevent unauthorized access to resources
 confidentiality
– aims to protect data from unauthorized disclosure
– usually based on encryption
 integrity
– aims to detect modification and replay
– provides assurance that data received are exactly as sent by the sender
 non-repudiation
– provides protection against denial by one entity involved in a communication
of having participated in all or part of the communication
– two basic types: non-repudiation of origin and non-repudiation of delivery

Some security mechanisms
 encryption
– symmetric key, asymmetric (public) key
 digital signature
 access control schemes

– access control lists, capabilities, security labels, ...
 data integrity mechanisms

– message authentication codes, sequence numbering, time stamping,
cryptographic chaining
 authentication protocols
– passwords, cryptographic challenge-response protocols, biometrics
 traffic padding, route control, …

Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

6/80
Classical model of encryption
EK(m)
ciphertext
m E D DK’ (EK(m)) = m
plaintext
K eavesdropping K’
encryption key adversary decryption key
 goal of the adversary:

– to systematically recover plaintexts from ciphertexts
– to deduce the (decryption) key
 Kerckhoff’s principle:
– we must assume that the adversary knows all details of E and D
– security of the system should be based on the protection of the
decryption key

A.2 Encryption 7/80
Adversary models
 ciphertext-only attack
– the adversary can only observe ciphertexts produced by the same
encryption key
 known-plaintext attack
– the adversary can obtain corresponding plaintext-ciphertext pairs
produced with the same encryption key
 (adaptive) chosen-plaintext attack

– the adversary can choose plaintexts and obtain the corresponding
ciphertexts
 (adaptive) chosen-ciphertext attack

– the adversary can choose ciphertexts and obtain the corresponding
plaintexts
 related-key attack
– the adversary can obtain ciphertexts, or plaintext-ciphertext pairs that
are produced with different encryption keys that are related in a
known way to a specific encryption key

A.2 Encryption 8/80
Security of encryption schemes
 an encryption scheme is secure in a given adversary model if
it is computationally infeasible for the adversary to determine
the target decryption key under the assumptions of the given
model
 for many encryption schemes used in practice, no proof of

security exists
– these schemes are used, nevertheless, because they are efficient and
they resist all known attacks
 some encryption schemes are provably secure, however

these schemes are often inefficient

A.2 Encryption 9/80
Basic classification encryption schemes
 symmetric-key encryption
– it is easy to compute K’ from K (and vice versa)
– usually K’ = K
– two main types:
• stream ciphers – operate on individual characters of the plaintext
• block ciphers – process the plaintext in larger blocks of characters
 asymmetric-key encryption
– it is hard (computationally infeasible) to compute K’ from K
– K can be made public ( public-key cryptography)

A.2 Encryption 10/80
Block ciphers
an n bit block cipher is a function E: {0, 1}n x {0, 1}k  {0, 1}n, such
that for each K  {0, 1}k, E(x, K) = EK(x) is an invertible mapping from
{0, 1}n to {0, 1}n
k bit key
n bit input
E n bit output
…
…
Security and Cooperation in Wireless Networks A.2 Encryption

Appendix A: Intro to cryptographic algorithms and protocols Block ciphers
11/80
Block cipher design criteria
 completeness
– each bit of the output block should depend on each bit of the input
block and on each bit of the key
 avalanche effect
– changing one bit in the input block should change approximately half
of the bits in the output block
– similarly, changing one key bit should result in the change of
approximately half of the bits in the output block
 statistical independence
– input and output should appear to be statistically independent

12/80
How to satisfy the design criteria?
 complex encryption function can be built by composing
several simple operations which offer complementary – but
individually insufficient – protection
 simple operations:
– elementary arithmetic operations
– logical operations (e.g., XOR)
– modular multiplication
– transpositions
– substitutions
– ...
 combine two or more transformations in a manner that the

resulting cipher is more secure than the individual
components
13/80
Example: DES (Data Encryption Standard)
X (64)
Initial Permutation
 input size: 64
(32) (32)
 output size: 64
+ F (48)
K1  key size: 56
 16 rounds
+ F (48)
 Feistel structure
Key Scheduler
K2
(56)
K
+ F (48)
K3
…
+ F (48)
K16
Initial Permutation-1
Y (64)

14/80
Example: the DES round function F
key
++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ ++++++ injection
S1 S2 S3 S4 S5 S6 S7 S8
Si – substitution box (S-box)

P – permutation box (P-box)

15/80
Example: the DES key scheduler
K
(56)
each key bit is used in

Permuted Choice 1
around 14 out of 16
(28) (28)
rounds
Left shift(s) Left shift(s)
(28) (28)
(48)
K1 Permuted Choice 2
Left shift(s) Left shift(s)
(48)
K2 Permuted Choice 2
…

16/80
Exhaustive key search attack
 given a small number of plaintext-ciphertext pairs encrypted under a key
K, K can be recovered by exhaustive key search with 2k-1 processing
complexity (expected number of operations)
– input: (X, Y), (X’, Y’), …
– progress through the entire key space, and for each candidate key K’, do the
following:
• decrypt Y with K’
• if the result is not X, then throw away K’
• if the result is X, then check the other pairs (X’, Y’), …
• if K’ does not work for at least one pair, then throw away K’ and take another key
• if K’ worked for all pairs (X, Y), (X’, Y’), …, then output K’ as the target key
– on average, the target key is found after searching half of the key space
 if the plaintexts are known to contain redundancy, then ciphertext-only

exhaustive key search is possible with a relatively small number of
ciphertexts
 in practice, key size should be at least 128 bits

Appendix A: Intro to cryptographic algorithms and protocols Block ciphers 17/80
Algebraic attacks
 having a large key size is only a necessary condition for the
security of a block cipher
– a block cipher can be broken due to the weaknesses in its internal
(algebraic) structure, even if it uses large keys
 example:
– naïve exhaustive key search against DES: 255
– attack using the complementation property of DES: 254
Y = DESK(X) implies Y* = DESK*(X*), where X* denotes the bitwise
complement of X
– differential cryptanalysis of DES: 247
– linear cryptanalysis of DES: 243

18/80
Block cipher modes of operation
 ECB – Electronic Codebook
– used to encipher a single plaintext block (e.g., a DES key)
 CBC – Cipher Block Chaining

– repeated use of the encryption algorithm to encipher a message
consisting of many blocks
 CFB – Cipher Feedback

– used to encipher a stream of characters, dealing with each character
as it comes
 OFB – Output Feedback

– another method of stream encryption, used on noisy channels
 CTR – Counter
– simplified OFB with certain advantages

Appendix A: Intro to cryptographic algorithms and protocols Block cipher modes of operation
19/80
ECB mode
 encrypt
P1 P2 PN
K E K E … K E
C1 C2 CN
 decrypt
C1 C2 CN
K D K D … K D
P1 P2 PN

20/80
Properties of the ECB mode
 identical plaintext blocks result in identical ciphertext blocks
(under the same key, of course)
– messages to be encrypted often have very regular formats
– repeating fragments, special headers, string of 0s, etc. are quite
common
 blocks are encrypted independently of other blocks

– reordering ciphertext blocks result in correspondingly reordered
plaintext blocks
– ciphertext blocks can be cut from one message and pasted in
another, possibly without detection
 error propagation: one bit error in a ciphertext block affects

only the corresponding plaintext block (results in garbage)
 overall: not recommended for messages longer than one

block, or if keys are reused for more than one block
21/80
CBC mode
 encrypt
P1 P2 P3 PN
IV + + + CN-1 +
K E K E K E … K E
C1 C2 C3 CN
 decrypt
C1 C2 C3 CN
K D K D K D K D
IV + + + CN-1 +
P1 P2 P3 PN

22/80
Properties of the CBC mode
 encrypting the same plaintexts under the same key, but different IVs
result in different ciphertexts
 ciphertext block Cj depends on Pj and all preceding plaintext blocks

– rearranging ciphertext blocks affects decryption
– however, dependency on the preceding plaintext blocks is only via the
previous ciphertext block Cj-1
– proper decryption of a correct ciphertext block needs a correct preceding
ciphertext block only
 error propagation:
– one bit error in a ciphertext block Cj has an effect on the j-th and (j+1)-st
plaintext block
• Pj’ is complete garbage and Pj+1’ has bit errors where Cj had
• an attacker may cause predictable bit changes in the (j+1)-st plaintext block
 error recovery:
– recovers from bit errors (self-synchronizing)
– cannot, however, recover from frame errors (“lost” bits)

23/80
Integrity of the IV in the CBC mode
 the IV need not be secret, but its integrity should be
protected
– malicious modification of the IV allows an attacker to make
predictable changes to the first plaintext block recovered
 one solution is to send the IV in an encrypted form at the

beginning of the CBC encrypted message

24/80
Padding
 the length of the message may not be a multiple of the block
size of the cipher
 one can add some extra bytes to the short end block until it
reaches the correct size – this is called padding
 usually the last byte indicates the number of padding bytes

added – this allows the receiver to remove the padding
short end block padding
05

25/80
CFB mode
 encrypt  decrypt
initialized with IV initialized with IV

(s)
(s)
shift register (n) shift register (n)
(n) (n)
K E K E
(n) (n)
select s bits select s bits

(s) (s)
(s) (s) (s) (s)
Pi + Ci Ci + Pi

26/80
Properties of the CFB mode
 encrypting the same plaintexts under the same key, but different IVs
result in different ciphertexts
 the IV can be sent in clear
 ciphertext block Cj depends on Pj and all preceding plaintext blocks

– rearranging ciphertext blocks affects decryption
– proper decryption of a correct ciphertext block needs the preceding n/s
ciphertext blocks to be correct
– one bit error in a ciphertext block Cj has an effect on the decryption of that
and the next n/s ciphertext blocks (the error remains in the shift register for
n/s steps)
• Pj’ has bit errors where Cj had, all the other erroneous plaintext blocks are garbage
• an attacker may cause predictable bit changes in the j-th plaintext block
 error recovery:
– self synchronizing, but requires n/s blocks to recover

27/80
OFB mode
initialized with IV initialized with IV
(s) (s)
shift register (n) shift register (n)
(n) (n)
K E K E
(n) (n)
select s bits select s bits
(s) (s)
(s) (s) (s) (s)
Pi + Ci Ci + Pi

28/80
Properties of the OFB mode
 a different IV should be used for every new message, otherwise
messages will be encrypted with the same key stream
 the IV can be sent in clear
– however, if the IV is modified by the attacker, then the cipher will never
recover (unlike CFB)
 ciphertext block Cj depends on Pj only (does not depend on the

preceding plaintext blocks)
– however, rearranging ciphertext blocks affects decryption
– one bit error in a ciphertext block Cj has an effect on the decryption of only
that ciphertext block
• Pj’ has bit errors where Cj had
• an attacker may cause predictable bit changes in the j-th plaintext block
 error recovery:
– recovers from bit errors
– never recovers if bits are lost or the IV is modified

29/80
CTR mode
counter + i counter + i
(n) (n)
K E K E
(n) (n)
(n) (n) (n) (n)

Pi + Ci Ci + Pi

30/80
Properties of the CTR mode
 similar to OFB
 cycle length depends on the size of the counter (typically 2n)
 the i-th block can be decrypted independently of the others

– parallelizable (unlike OFB)
– random access
 the values to be XORed with the plaintext can be pre-computed
 at least as secure as the other modes
note1: in CFB, OFB, and CTR mode only the encryption algorithm is used
(decryption is not needed), that is why some ciphers (e.g., AES) is
optimized for encryption
note2: the OFB and CTR modes essentially make a synchronous stream
cipher out of a block cipher, whereas the CFB mode converts a block
cipher into a self-synchronizing stream-cipher

31/80
Stream ciphers
 while block ciphers simultaneously encrypt groups of
characters, stream ciphers encrypt individual characters
– may be better suited for real time applications
 stream ciphers are usually faster than block ciphers in
hardware (but not necessarily in software)
 limited or no error propagation
– may be advantageous when transmission errors are probable
 note: the distinction between stream ciphers and block

ciphers is not definitive
– stream ciphers can be built out of block ciphers using CFB, OFB, or
CTR modes
– a block cipher in ECB or CBC mode can be viewed as a stream cipher
that operates on large characters

Appendix A: Intro to cryptographic algorithms and protocols Stream ciphers
32/80
Synchronous stream ciphers
pi
fk
si+1
zi
si gk h
ci
 the key stream is generated independently of the plaintext and of the

ciphertext
 needs synchronization between the sender and the receiver
– if a character is inserted into or deleted from the ciphertext stream then
synchronization is lost and the plaintext cannot be recovered
– additional techniques must be used to recover from loss of synch.
 no error propagation
– a ciphertext character that is modified during transmission affects only the
decryption of that character
 an attacker can make changes to selected ciphertext characters and know
exactly what effect these changes have on the plaintext (if h = XOR)

33/80
Self-synchronizing stream ciphers
pi
register
zi
gk h
…
ci
 the key stream is generated as a function of a fixed number of previous

ciphertext characters
 self-synchronizing
– since the size t of the register is fixed, a lost ciphertext character affects only
the decryption of the next t ciphertext characters
 limited error propagation

– if a ciphertext character is modified, then decryption of the next t ciphertext
characters may be incorrect
 ciphertext characters depend on all previous plaintext characters

– better diffusion of plaintext statistics

34/80
The Vernam cipher and the one-time pad
 Vernam cipher
– ci = pi  ki for i = 1, 2, …
where pi are the plaintext digits, ki are the key stream digits, ci are
the ciphertext digits, and  is the bitwise XOR operation
 one-time pad
– a Vernam cipher where the key stream digits are generated
independently and uniformly at random
– the one-time pad is unconditionally secure [Shannon, 1949]
• I(P; C) = H(P) - H(P|C) = 0
– a necessary condition for a symmetric key cipher to be
unconditionally secure is that H(K)  H(P) [Shannon, 1949]
• practically, the key must have as many bits as the compressed plaintext
• impractical because of key management problems

35/80
Asymmetric-key encryption
EK(m)
ciphertext
m E D DK’ (EK(m)) = m
plaintext
K attacker K’
(public) encryption key (private) decryption key
 asymmetric-key encryption
– it is hard (computationally infeasible) to compute K’ from K
 K can be made public (public-key cryptography)

– no need for key setup before communication
 public-keys are not confidential but they must be authentic !
 the security of asymmetric-key encryption schemes is usually based on

some well-known or widely believed hard problems

Appendix A: Intro to cryptographic algorithms and protocols A.2.2 Asymmetric-key encryption
36/80
Examples for hard problems
 factoring problem
– given a positive integer n, find its prime factors
• true complexity is unknown
• it is believed that it does not belong to P
 discrete logarithm problem

– given a prime p, a generator g of Zp*, and an element y in Zp*, find
the integer x, 0  x  p-2, such that gx mod p = y
 Diffie-Hellman problem
– given a prime p, a generator g of Zp*, and elements gx mod p and
gy mod p, find gxy mod p
37/80
The RSA encryption scheme
 key generation
– select p, q large primes (about 500 bits each)
– n = pq, f(n) = (p-1)(q-1)
– select e such that 1 < e < f(n) and gcd(e, f(n)) = 1
– compute d such that ed mod f(n) = 1 (this is easy if f(n) is known)
– the public key is (e, n)
– the private key is d
 encryption
– represent the message as an integer m in [0, n-1]
– compute c = me mod n
 decryption
– compute m = cd mod n

38/80
Relation to factoring
 the problem of computing d from (e, n) is computationally
equivalent to the problem of factoring n
– if one can factor n, then one can easily compute d
– if one can compute d, then one can efficiently factor n
 the problem of computing m from c and (e, n) (called the

RSA problem) is believed to be computationally equivalent to
factoring
– if one can factor n, then one can easily compute m from c and (e, n)
– there’s no formal proof for the other direction

39/80
The need for salting
 let us assume that the adversary observes a ciphertext
c = EK(m)
 let the set of possible plaintexts be M
 if M is small, then the adversary can try to encrypt every

message in M with the publicly known key K until she finds
the message m that maps into c
 the usual way to prevent this attack is to randomize the

encryption
– some random bytes are added to the plaintext message before
encryption through the application of the PKCS #1 formatting rules
– when the message is decrypted, the recipient can recognize and
discard these random bytes

40/80
The ElGamal encryption scheme
 key generation
– generate a large random prime p and choose generator g of the multiplicative
group Zp* = {1, 2, …, p-1}
– select a random integer a, 1  a  p-2, and compute A = ga mod p
– the public key is (p, g, A)
– the private key is a
 encryption
– represent the message as an integer m in [0, p-1]
– select a random integer r, 1  r  p-2, and compute R = gr mod p
– compute C = mAr mod p
– the ciphertext is the pair (R, C)
 decryption
– compute m = CRp-1-a mod p
 proof of decryption
CRp-1-a  mArRp-1-a  mgargr(p-1-a)  m(gp-1)r  m (mod p)

41/80
Relation to hard problems
 security of the ElGamal scheme is said to be based on the
discrete logarithm problem in Zp*, although equivalence has
not been proven yet
 recovering m given p, g, A, R, and C is equivalent to solving

the Diffie-Hellman problem

42/80
Digital enveloping
 most popular public-key encryption methods are several orders of
magnitude slower than the best known symmetric key schemes
 public-key encryption is used together with symmetric-key encryption;

the technique is called digital enveloping
plaintext message
generate random
symmetric key
symmetric-key
cipher bulk encryption key
(e.g., in CBC mode)
asymmetric-key public key

cipher of the receiver
digital envelop
43/80
Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

44/80
Hash functions
 a hash function maps bit strings of arbitrary finite length to

bit strings of fixed length (n bits)
 many-to-one mapping  collisions are unavoidable
 however, finding collisions are difficult  the hash value of a
message can serve as a compact representative image of the
message (similar to fingerprints)
message of arbitrary length
hash
function
fix length
hash value / message digest / fingerprint

A.3 Hash functions 45/80
Desirable properties of hash functions
 ease of computation
– given an input x, the hash value h(x) of x is easy to compute
 weak collision resistance (2nd preimage resistance)

– given an input x, it is computationally infeasible to find a second input
x’ such that h(x’) = h(x)
 strong collision resistance (collision resistance)

– it is computationally infeasible to find any two distinct inputs x and x’
such that h(x) = h(x’)
 one-way property (preimage resistance)

– given a hash value y (for which no preimage is known), it is
computationally infeasible to find any input x s.t. h(x) = y

The Birthday Paradox
 Given a set of N elements, from which we draw k elements randomly
(with replacement). What is the probability of encountering at least one
repeating element?
 first, compute the probability of no repetition:

– the first element x1 can be anything
– when choosing the second element x2, the probability of x2 x1 is 1-1/N
– when choosing x3, the probability of x3 x2 and x3 x1 is 1-2/N
– …
– when choosing the k-th element, the probability of no repetition is 1-
(k-1)/N
– the probability of no repetition is (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N)
– when x is small, (1-x)  e-x
– (1 - 1/N)(1 - 2/N)…(1 – (k-1)/N) = e-1/Ne-2/N … e-(k-1)/N = e-k(k-1)/2N
 the probability of at least one repetition after k drawing is

1 – e-k(k-1)/2N

The Birthday Paradox (cont’d)
 How many drawings do you need, if you want the probability of at least
one repetition to be e ?
 solve the following for k:

e = 1 – e-k(k-1)/2N
k(k-1) = 2N ln(1/1-e)
k  sqrt(2N ln(1/1-e))
 examples:
e = ½  k  1.177 sqrt(N)
e = ¾  k  1.665 sqrt(N)
e = 0.9  k  2.146 sqrt(N)
 origin of the name “Birthday Paradox”:

– elements are dates in a year (N = 365)
– among 1.177 sqrt(365)  23 randomly selected people, there will be at least
two that have the same birthday with probability ½

Choosing the output size of a hash function
 the Birthday Paradox have a profound impact on the design
of hash functions (and other cryptographic algorithms and
protocols)!
– let n be the output size of a hash function
– among ~sqrt(2n) = 2n/2 randomly chosen messages, with high
probability, there will be a collision pair
– it is easier to find collisions than to find preimages or 2nd preimages
for a given hash value
 in order to resist birthday attacks, 2n/2 should be sufficiently large
(e.g., n = 160 bits)

Iterated hash functions
 input is divided into fixed length blocks x1, x2, …, xL
 last block is padded if necessary

– Merkle-Damgard strengthening: padding contains the length of the message
 each input block is processed according to the following scheme
x1 x2 x3 xL
(b) (b) (b) (b)
…
(n) f (n) f (n) f (n) f (n)
CV0 h(x) = CVL
CV1 CV2 CV3 CVL-1
 f is called the compression function

– can be based on a block cipher, or
– can be a dedicated compression function

Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

51/80
Message authentication codes (MACs)
 MAC functions can be viewed as hash functions with two
functionally distinct inputs: a message and a secret key
 they produce a fixed size output (say n bits) called the MAC
 practically it should be infeasible to produce a correct MAC
for a message without the knowledge of the secret key
 MAC functions can be used to implement data integrity and
message origin authentication services
message of arbitrary length
MAC
function secret key
fix length
MAC

A.4 Message authentication codes 52/80
MAC generation and verification
secret key
generation
message MAC
MAC
message MAC
MAC
verification
compare
secret key
yes/no

Desirable properties of MAC functions
 ease of computation
– given an input x and a secret key k, it is easy to compute MACk(x)
 key non-recovery
– it is computationally infeasible to recover the secret key k, given one
or more text-MAC pairs (xi, MACk(xi)) for that k
 computation resistance
– given zero or more text-MAC pairs (xi, MACk(xi)), it is computationally
infeasible to find a text-MAC pair (x, MACk(x)) for any new input x  xi
– computation resistance implies key non-recovery but the reverse is
not true in general

CBC MAC
x1 x2 x3 xN
0 + + + cN-1 +
k E k E k E … k E
cN
c1 c2 c3
k’ E-1
optional
k E
 CBC MAC is secure for messages of a fixed
number of blocks
MAC
 (adaptive chosen-text existential) forgery is
possible if variable length messages are
allowed
 it is recommended to involve the length of
the message in the CBC MAC computation

HMAC
k+ ipad xL|padding1
x1
hash fn
f f … f
CV0
CV1inner
M
k+ opad M|padding2
HMACk(X) = H( k’’|H( k’|X ))
hash fn
f f
CV0 HMACk(x)
CV1outer

Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

57/80
Digital signatures
 similar to MACs but
– unforgeable by the receiver
– verifiable by a third party
 used for message authentication and non-repudiation (of

message origin)
 based on public-key cryptography

– private key defines a signing transformation SA
• SA(m) = s
– public key defines a verification transformation VA
• VA(m, s) = true if SA(m) = s
• VA(m, s) = false otherwise

A.5 Digital signatures 58/80
Attacks on digital signature schemes
 key-only attack
– only the public key is available to the adversary
 known-message attack
– the adversary has signatures for a set of messages known to her but
not chosen by her
 chosen-message attack
– the adversary obtains signatures for messages chosen by her before
attempting to break the signature scheme
 adaptive chosen-message attack

– the adversary is allowed to use the signer as an oracle
– she may request signatures for messages which depend on previously
obtained signatures

“Hash-and-sign” paradigm
 public/private key operations are slow
 hash the message first and apply public/private key operations to the
hash value only
private key
of sender
generation
message hash signature

h enc
message hash signature

dec
verification
compare public key

of sender
yes/no

Examples of digital signature scheme
 RSA
– essentially identical to the RSA encryption scheme
– signature = decryption with private key
– typical signature length is 1024 bits
 DSA (Digital Signature Algorithm)

– based on the ElGamal signature scheme
– typical signature length is 1024 bits
 ECDSA (Elliptic Curve DSA)

– same as DSA but works over elliptic curves
– reduced signature length (typically 320 bits)

Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

62/80
Session key establishment protocols
 goal of session key establishment protocols
– to setup a shared secret between two (or more) parties
– it is desired that the secret established by a fixed pair of parties
varies on subsequent executions of the protocol (dynamicity)
– established shared secret is used as a session key to protect
communication between the parties
 motivation for use of session keys

– to limit available ciphertext for cryptanalysis
– to limit exposure caused by the compromise of a session key
– to avoid long-term storage of a large number of secret keys (keys are
created on-demand when actually required)
– to create independence across communication sessions or
applications

A.6 Session key establishment protocols 63/80
Basic classification
 key transport protocols
– one party creates or otherwise obtains a secret value, and securely
transfers it to the other party
 key agreement protocols

– a shared secret is derived by the parties as a function of information
contributed by each, such that no party can predetermine the
resulting value

Further services
 entity authentication
 implicit key authentication

– one party is assured that no other party aside from a specifically identified
second party (and possibly some trusted third parties) may gain access to
the established session key
 key confirmation
– one party is assured that a second (possibly unidentified) party actually
possesses the session key
– possession of a key can be demonstrated by
• producing a one-way hash value of the key or
• encryption of known data with the key
 explicit key authentication

– implicit key authentication + key confirmation
 key freshness
– one party is assured that the key is new (never used before)

Further protocol characteristics
 reciprocity
– guarantees are provided unilaterally
– guarantees are provided mutually
 efficiency
– number of message exchanges (passes) required
– total number of bits transmitted (i.e., bandwidth used)
– complexity of computations by each party
– possibility of precomputations to reduce on-line computational complexity
 third party requirements

– on-line, off-line, or no third party at all
– degree and type of trust required in the third party
 system setup
– distribution of initial keying material

The Wide-Mouth-Frog protocol
Alice Server Bob
generate k
A, EKas( B, k, Ta )
EKbs( A, k, Ts )
summary: a simple key transport protocol that uses a trusted third party
Alice generates the session key and sends it to Bob via the trusted third party
characteristics: implicit key authentication for Alice

explicit key authentication for Bob
key freshness for Bob with timestamps (flawed)
unilateral entity authentication of Alice
on-line third party (Server) trusted for secure relaying of keys and
verification of freshness,
in addition A is trusted for generating good keys
initial long-term keys between the parties and the server are required

A flaw in the Wide-Mouth-Frog protocol
Server Trudy Bob
B, EKbs( A, k, Ts )
EKas( B, k, Ts(1))
A, EKas( B, k, Ts(1))
EKbs( A, k, Ts(2))
...
EKbs( A, k, Ts(n))
summary: after observing one run of the protocol, Trudy can continuously use the Server
as an oracle until she wants to bring about re-authentication between Alice and Bob

Signed encrypted keys
Alice Bob
generate k
A, EKb(k), Ta, SKa(B,EKb(k),Ta)
summary: Alice generates a session key, encrypts it with Bob’s public key, then sings it,
and sends it to Bob
characteristics: unilateral entity authentication (of Alice), mutual implicit key authentication,
no key confirmation, key freshness with timestamp, clock synchronization,
off-line third party for issuing public key certificates may be required, initial
exchange of public keys between the parties may be required, Alice is trusted
to generate keys, non-repudiation guarantee for Bob

The Diffie-Hellman protocol
Alice Bob
select random x
compute gx mod p
gx mod p
select random y
compute gy mod p
gy mod p
compute k = (gy)x mod p compute k = (gx)y mod p
summary: a key agreement protocol based on one-way functions; in particular, security

of the protocol is based on the hardness of the discrete logarithm problem and
that of the Diffie-Hellman problem
assumptions: p is a large prime, g is a generator of Zp*, both are publicly known system
parameters
characteristics: NO AUTHENTICATION, key freshness with randomly selected exponents,
no party can control the key, no need for a trusted third party

Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

71/80
Pseudo-random number generators (PRNGs)
 a random number is a number that cannot be predicted by
an observer before it is generated
– if the number is generated within the range [0, N-1], then its value
cannot be predicted with any better probability than 1/N
– the above is true even if the observer is given all previously
generated numbers
 a cryptographic pseudo-random number generator (PRNG) is

a mechanism that processes somewhat unpredictable inputs
and generates pseudo-random outputs
– if designed, implemented, and used properly, then even an adversary
with enormous computational power should not be able to distinguish
the PRNG output from a real random sequence

A.7 Pseudo-random number generators 72/80
General operation of PRNGs
unpredictable
input samples entropy
…
(from physical pool
processes)
re-keying
internal one-way fn
pseudo-random bits
state indistinguishable from
state update real random bits

Desirable properties of PRNGs
 the adversary cannot compute the internal state of the
PRNG, even if she has observed many outputs of the PRNG
 the adversary cannot compute the next output of the PRNG,

even if she has observed many previous outputs of the PRNG
 if the adversary can observe or even manipulate the input

samples that are fed in the PRNG, but she does not know the
internal state of the PRNG, then the adversary cannot
compute the next output and the next internal state of the
PRNG
 if the adversary has somehow learned the internal state of

the PRNG, but she cannot observe the input samples that
are fed in the PRNG, then the adversary cannot figure out
the internal state of the PRNG after the re-keying operation

Chapter outline
A.1 Introduction
A.2 Encryption
A.3 Hash functions

75/80
Hash chains
 a hash chain is a sequence of hash values that are computed by iteratively calling
a one-way hash function on an initial value v0
h h h h … h
v0 v1 v2 v3 vn-1 vn
 properties:
– given vi, it is easy to compute any vj for j > i (vj = h(j-i)(vi))
– but it is difficult to compute vk for k < i (one-way property of h)
 hash chains can be used for repeated authentications at the cost of a single
digital signature
– Alice computes a hash chain and commits to it by signing vn and distributing it to
potential verifiers
– later on, Alice can authenticate herself repeatedly (at most n times) by revealing the
elements of the hash chain in reverse order
– when vn-i is revealed, verifiers can check if h(i)(vn-i) = vn (or h(vn-i) = vn-i+1 if they
remember the last revealed element)
– each hash chain element can be used only once for authenticating Alice
– verifiers are assured that only Alice could have released the next hash chain element
 hash chains can be stored efficiently with a storage complexity that is logarithmic
in the length of the hash chain

A.8 Advanced authentication techniques 76/80
Merkle-trees
 the limitation of hash chains is that elements can only be revealed sequentially
 Merkle-trees overcome this problem by allowing for the pre-authentication of a
set of values with a single digital signature (on the root u0 of the tree) and for
the revelation of those values in any order
 when revealing a value vi, Alice must also reveal all the values assigned to the
sibling vertices on the path from vi’ to the root (e.g., v3 is revealed together with
v4’, u12, u5678)
 verifiers hash the revealed values appropriately and check if the result is u0
TESLA
 a broadcast authentication mechanism based on symmetric key
cryptographic primitives
 main idea: asymmetry through delayed disclosure of authentication keys

– Alice wants to broadcast a message m
– Alice computes a MAC on m with a key unknown to the verifiers
– verifiers receive message m with the MAC, but they cannot immediately verify
authenticity
– later, Alice discloses the key used to compute the MAC
– verifiers can now verify the MAC; if it is correct, they know that the message
was sent by Alice, because at the time of reception nobody else knew the key
 assumptions:
– loose time synchronization between the participants
– each party knows an upper bound on the maximum synchronization error
– initial secret between the parties to bootstrap the whole mechanism

TESLA (cont’d)
 MAC keys are consecutive elements in a one-way key chain:
– K0  K1  …  Kn
– Ki = h(Ki-1)
 protocol operation:
– setup: Alice sends Kn to each verifier in an authentic manner
– time is divided into epochs
– each message sent in epoch i is authenticated with key Kn-i
– Kn-i is disclosed in epoch i+d, where d is a system parameter
– Kn-i is verified by checking h(Kn-i) = Kn-i+1
 example:
Kn-1 Kn-2 Kn-3 Kn-4
Kn P1 P2 P3 P4 P5 P6 P7 time
key disclosure schedule Kn-1 Kn-2 Kn-3

Conclusions
 security services are implemented by using security
mechanisms
 many security mechanisms are based on cryptography (e.g.,

encryption, digital signature, message authentication codes,
…)
 but be cautious:
“If you think cryptography is going to solve your problem, you don't understand
cryptography and you don't understand your problem.”
-- Roger Needham
 other important aspects are
– physical protection
– procedural rules
– education

80/80

Appendix A: Introduction To Cryptographic Algorithms and Protocols

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Appendix A: Introduction To Cryptographic Algorithms and Protocols

Uploaded by

Copyright:

Available Formats

Security and Cooperation

Appendix A: Introduction to cryptographic

Security and Cooperation in Wireless Networks

 an attack is a a deliberate attempt to compromise a system; it usually

Security and Cooperation in Wireless Networks

Security and Cooperation in Wireless Networks

 access control schemes

 data integrity mechanisms

 traffic padding, route control, …

Security and Cooperation in Wireless Networks

Security and Cooperation in Wireless Networks

 goal of the adversary:

Security and Cooperation in Wireless Networks

 (adaptive) chosen-plaintext attack

 (adaptive) chosen-ciphertext attack

Security and Cooperation in Wireless Networks

 for many encryption schemes used in practice, no proof of

 some encryption schemes are provably secure, however

Security and Cooperation in Wireless Networks

Security and Cooperation in Wireless Networks

Security and Cooperation in Wireless Networks A.2 Encryption

Security and Cooperation in Wireless Networks A.2 Encryption

 combine two or more transformations in a manner that the

Security and Cooperation in Wireless Networks A.2 Encryption

Si – substitution box (S-box)

Security and Cooperation in Wireless Networks A.2 Encryption

each key bit is used in

Left shift(s) Left shift(s)

Security and Cooperation in Wireless Networks A.2 Encryption

 if the plaintexts are known to contain redundancy, then ciphertext-only

 in practice, key size should be at least 128 bits

Security and Cooperation in Wireless Networks A.2 Encryption

 CBC – Cipher Block Chaining

 CFB – Cipher Feedback

 OFB – Output Feedback

Security and Cooperation in Wireless Networks A.2 Encryption

Security and Cooperation in Wireless Networks A.2 Encryption

 blocks are encrypted independently of other blocks

 error propagation: one bit error in a ciphertext block affects

 overall: not recommended for messages longer than one

Security and Cooperation in Wireless Networks A.2 Encryption

 ciphertext block Cj depends on Pj and all preceding plaintext blocks

Security and Cooperation in Wireless Networks A.2 Encryption

 one solution is to send the IV in an encrypted form at the

Security and Cooperation in Wireless Networks A.2 Encryption

 usually the last byte indicates the number of padding bytes

short end block padding

Security and Cooperation in Wireless Networks A.2 Encryption

initialized with IV initialized with IV

select s bits select s bits

Security and Cooperation in Wireless Networks A.2 Encryption

 the IV can be sent in clear

 ciphertext block Cj depends on Pj and all preceding plaintext blocks

Security and Cooperation in Wireless Networks A.2 Encryption

initialized with IV initialized with IV

select s bits select s bits

Security and Cooperation in Wireless Networks A.2 Encryption

 ciphertext block Cj depends on Pj only (does not depend on the

Security and Cooperation in Wireless Networks A.2 Encryption

(n) (n) (n) (n)

Security and Cooperation in Wireless Networks A.2 Encryption

 cycle length depends on the size of the counter (typically 2n)

 the i-th block can be decrypted independently of the others