Homework #5 Solutions Brian A. LaMacchia [email protected] [email protected] Portions ©...

Homework #5Homework #5SolutionsSolutions

Brian A. LaMacchiaBrian A. [email protected]@[email protected]@microsoft.com

Portions © 2002-2006, Brian A. LaMacchia. This material is provided without warranty of any kind including, without limitation, warranty of non-infringement or suitability for any purpose. This material is not guaranteed to be error free and is intended for instructional use only.

February 7, 2006February 7, 2006 Practical Aspects of Modern CryptographyPractical Aspects of Modern Cryptography 22

Question 1 - Question 1 - TimestampingTimestamping Clients send the timestamping Clients send the timestamping

service a hash value.service a hash value. The service signs the hash The service signs the hash

value together with the current value together with the current time, producing a time, producing a timestamping timestamping receipt.receipt.

The timestamping receipt is The timestamping receipt is then sent back to the client, then sent back to the client, who can do whatever he wants who can do whatever he wants with it (typically, archive it with it (typically, archive it and/or send it along with the and/or send it along with the signature).signature).


Question 1aQuestion 1a What information would you What information would you

include in the receipt?include in the receipt? Why are you including it?Why are you including it? What’s the minimum size in What’s the minimum size in

bytes of the information you bytes of the information you have to include?have to include?

Assumptions:Assumptions: Hash values sent to you by clients Hash values sent to you by clients

are all SHA2-256 hashes and are are all SHA2-256 hashes and are thus 32 bytes in size.thus 32 bytes in size.

Time is expressed using the Time is expressed using the GeneralizedTime structure, which GeneralizedTime structure, which is 15 bytes in length. is 15 bytes in length.


Question 1aQuestion 1a Minimum set:Minimum set:

The hash value the client submitted to the The hash value the client submitted to the timestamp service (32 bytes)timestamp service (32 bytes)

The timestamping time (15 bytes)The timestamping time (15 bytes) An identifier for the signature algorithm the An identifier for the signature algorithm the

timestamp service is going to use to sign timestamp service is going to use to sign the receiptthe receipt This includes the algorithm the service This includes the algorithm the service

uses to hash the receipt contents (e.g. uses to hash the receipt contents (e.g. “RSA-SHA2-256”)“RSA-SHA2-256”)

Variable length, could be as small as 1 Variable length, could be as small as 1 byte, but is probably at least 4 bytes. byte, but is probably at least 4 bytes. Anything reasonable is OK so long as you Anything reasonable is OK so long as you justified it.justified it.

The timestamp server’s signature will The timestamp server’s signature will take another 256 bytes (assuming RSA take another 256 bytes (assuming RSA with 2048-bit keys)with 2048-bit keys) Per my e-mail, since by “included” I had Per my e-mail, since by “included” I had

intended “included in the to-be-signed intended “included in the to-be-signed part”, you didn’t have to include the part”, you didn’t have to include the signature (it’s OK if you did)signature (it’s OK if you did)


Question 1aQuestion 1a What additional information What additional information

would you include? Some would you include? Some possibilities:possibilities: Version numbersVersion numbers

E.g. For the receipt format (~4 E.g. For the receipt format (~4 bytes typically)bytes typically)

Public key of the timestamp Public key of the timestamp authorityauthority Assume ~260 bytes (256 bytes Assume ~260 bytes (256 bytes

for a 2048-bit public key, 4 for a 2048-bit public key, 4 bytes for e if it’s short)bytes for e if it’s short)

Certificates for the timestamp Certificates for the timestamp authorityauthority These would be at least 512 These would be at least 512

bytes each (subject public key + bytes each (subject public key + issuer signature), probably 1K issuer signature), probably 1K or more in practice.or more in practice.


Question 1bQuestion 1b Describe how you could modify Describe how you could modify

the operation of your the operation of your timestamping service to defend timestamping service to defend against fraudulent insertion of against fraudulent insertion of timestamps “after the fact”. timestamps “after the fact”.

What additional information do What additional information do you have to add to the you have to add to the timestamping receipt to effect timestamping receipt to effect this change?this change?


Question 1bQuestion 1b One way to do this is to link the One way to do this is to link the

timestamping receipts together by timestamping receipts together by “hash chaining”“hash chaining” Include the hash of the nth receipt Include the hash of the nth receipt

within the to-be-signed info of the within the to-be-signed info of the (n+1)st receipt.(n+1)st receipt.

Every so often (daily, weekly) widely Every so often (daily, weekly) widely publish (e.g. NYT classifieds) the hash publish (e.g. NYT classifieds) the hash of the last issued timestamp.of the last issued timestamp.

Only adds 32 bytes to the receipt (size Only adds 32 bytes to the receipt (size of a SHA2-256 hash)of a SHA2-256 hash)

"How to Timestamp a Digital Document," "How to Timestamp a Digital Document," S. Haber, W. Stornetta, Journal of S. Haber, W. Stornetta, Journal of Cryptology, Vol. 3, No. 2, pp. 99-111, 1991. Cryptology, Vol. 3, No. 2, pp. 99-111, 1991. Available at Available at http://www.surety.com/dataintegrity.phphttp://www.surety.com/dataintegrity.php


Question 2 – Question 2 – Encrypting Mail to Encrypting Mail to Mailing ListsMailing Lists

Sender

Mailing ListServer

Recipient 1

Recipient 2

Recipient 3

Recipient n-1

Recipient n

...


Question 2aQuestion 2a What information does the What information does the

sender have to know about sender have to know about each mailing list recipient if it each mailing list recipient if it wants to be able to send them wants to be able to send them encrypted messages?encrypted messages? Nothing—in this scenario the Nothing—in this scenario the

sender doesn’t need to know sender doesn’t need to know anything about the ultimate anything about the ultimate recipients of mailing list recipients of mailing list messages.messages.

The sender just has to know the The sender just has to know the public encryption key of the public encryption key of the central mailing list server.central mailing list server.


Question 2aQuestion 2a What information does each What information does each

recipient have to know about recipient have to know about the mailing list server?the mailing list server? Nothing in order to decrypt Nothing in order to decrypt

messages sent to them.messages sent to them. If the server If the server signssigns messages in messages in

any of your protocols, then any of your protocols, then recipients would have to know the recipients would have to know the public part of the server’s signing public part of the server’s signing key pair.key pair.


Question 2aQuestion 2a If there are M members of the If there are M members of the

mailing list, how many public mailing list, how many public keys does each member need to keys does each member need to know and how many keys does know and how many keys does the server need to know?the server need to know? Each member needs to know 1 Each member needs to know 1

public encryption key (the public public encryption key (the public key of the server).key of the server).

They also need to know their own They also need to know their own public & private key.public & private key.

The central server needs to know The central server needs to know M public encryption keys (one per M public encryption keys (one per subscriber), plus his own private subscriber), plus his own private key pairkey pair


Question 2bQuestion 2b When the sender encrypts a When the sender encrypts a

message that he wants to send message that he wants to send to the mailing list, how many to the mailing list, how many RecipientInfos will his S/MIME RecipientInfos will his S/MIME message have?message have? One (for the mailing list server)One (for the mailing list server)

Does it make a difference if the Does it make a difference if the sender wants to archive a copy sender wants to archive a copy of his encrypted message in his of his encrypted message in his “Sent Items” folder in case he “Sent Items” folder in case he wants to look at it later? wants to look at it later? Yes, in this case the sender needs Yes, in this case the sender needs

to include a second RecipientInfo to include a second RecipientInfo for himself.for himself.


Question 2cQuestion 2c

Describe one way that the Describe one way that the server could verify that the server could verify that the message came from a mailing message came from a mailing list subscriber.list subscriber. The server could maintain a The server could maintain a

database of members public database of members public signing keys along with their e-signing keys along with their e-mail addresses and require that mail addresses and require that senders digitally sign all senders digitally sign all messages sent to the mailing list.messages sent to the mailing list.


Question 2cQuestion 2c

Does the server need to know Does the server need to know any additional information any additional information about the sender beyond what about the sender beyond what you already indicated in you you already indicated in you answer to Question 2(a)?answer to Question 2(a)? Yes, in the general case. The Yes, in the general case. The

server would need to know a server would need to know a public signature key for each public signature key for each mailing list participant. While this mailing list participant. While this could conceivably be the same as could conceivably be the same as the encryption key if RSA is being the encryption key if RSA is being used, in general subscribers would used, in general subscribers would have separate signing and have separate signing and encryption keys.encryption keys.


Question 2dQuestion 2d If the mailing list has M If the mailing list has M

members, how many public key members, how many public key encryptions does the server encryptions does the server have to perform to prepare the have to perform to prepare the message for sending?message for sending? The server needs to perform at The server needs to perform at

least M-1 public key encryptions – least M-1 public key encryptions – one for every recipient except the one for every recipient except the sender (assuming the sender sender (assuming the sender included a second RecipientInfo included a second RecipientInfo for himself). If the sender didn’t for himself). If the sender didn’t do that then it’s M encryptions.do that then it’s M encryptions.

For each recipient the server For each recipient the server needs to create a RecipientInfo needs to create a RecipientInfo (content encryption key (content encryption key encrypted with the recipient’s encrypted with the recipient’s public key).public key).


Question 2dQuestion 2d

Does it make a difference if the Does it make a difference if the server prepares one message server prepares one message with many RecipientInfos vs. a with many RecipientInfos vs. a separate message for every separate message for every recipient?recipient? No, not in terms of the number of No, not in terms of the number of

public key encryptions required. public key encryptions required. The server has to perform the The server has to perform the same number of PK encryptions same number of PK encryptions whether it’s one message to M whether it’s one message to M recipients or M separate recipients or M separate messages.messages.


Question 2eQuestion 2e

How much How much symmetric keysymmetric key decryption and encryption does decryption and encryption does the server need to do in order the server need to do in order to properly relay the message?to properly relay the message? This depends on your answer to This depends on your answer to

2(c). If you said in 2(c) “have the 2(c). If you said in 2(c) “have the signer sign the message”, then signer sign the message”, then the server is going to have to the server is going to have to decrypt the message decrypt the message onceonce in in order to reveal and verify the order to reveal and verify the signer’s signature.signer’s signature.


Question 2eQuestion 2e

Re-encryption of the message Re-encryption of the message body:body: If the mailing list is not If the mailing list is not

anonymous, then the server can anonymous, then the server can re-use the encrypted content re-use the encrypted content from the inbound message, and from the inbound message, and no further symmetric operations no further symmetric operations are required.are required.

If the mailing list *is* anonymous, If the mailing list *is* anonymous, then the server will have to re-then the server will have to re-encrypt the message body after encrypt the message body after removing the signature, so one removing the signature, so one symmetric encryption of the symmetric encryption of the content will be required.content will be required.


Question 3 – Subscribe Question 3 – Subscribe ProtocolProtocol Describe a protocol that the Describe a protocol that the

new subscribing user and new subscribing user and the server can use to send the server can use to send this information to the this information to the server and authenticate server and authenticate that it came from the entity that it came from the entity that receives e-mail at the that receives e-mail at the subscribing address. subscribing address. That is, the server needs to That is, the server needs to

know that the subscriber isn’t know that the subscriber isn’t maliciously signing someone maliciously signing someone else up to the mailing list. else up to the mailing list.


Question 3 – SolutionQuestion 3 – Solution

1.1. Subscribing client C Subscribing client C randomly generates a new randomly generates a new public/private encryption public/private encryption key pair (Kkey pair (KPubPub, K, KPrivPriv))

2.2. C C Server S: K Server S: KPub Pub along with along with his subscribing e-mail his subscribing e-mail addressaddress

3.3. S randomly generates a S randomly generates a nonce Nnonce N

4.4. S S C the nonce encrypted C the nonce encrypted with the public key Kwith the public key KPubPub::

{N}K{N}KPubPub


Question 3 – SolutionQuestion 3 – Solution

5.5. C decrypts {N}KC decrypts {N}KPubPub to obtain to obtain N.N.

6.6. C encrypts the hash H(N) to C encrypts the hash H(N) to S using S’s public key KS using S’s public key KSPubSPub

7.7. C C S: {H(N)}K S: {H(N)}KSPubSPub

8.8. S decrypts {H(N)}KS decrypts {H(N)}KSPub SPub to to obtain H(N) and verifies that obtain H(N) and verifies that H(N) is the hash of the H(N) is the hash of the nonce originally sent to C. nonce originally sent to C.


Question 4 – Group Symmetric Question 4 – Group Symmetric KeyKey Design the “group symmetric Design the “group symmetric

key” system. Describe how:key” system. Describe how:1.1. The server can ensure that new The server can ensure that new

subscribers get the current group subscribers get the current group symmetric keysymmetric key

2.2. The group symmetric key is used The group symmetric key is used to encrypt a particular messageto encrypt a particular message

3.3. What happens to the current What happens to the current group symmetric key when a group symmetric key when a member unsubscribes from the member unsubscribes from the mailing list. mailing list.


Question 4 – Group Symmetric Question 4 – Group Symmetric KeyKey1.1. Describe how the server can Describe how the server can

ensure that new subscribers ensure that new subscribers get the current group get the current group symmetric keysymmetric key The server can communicate the The server can communicate the

GSK as part of the registration GSK as part of the registration process. We can modify the process. We can modify the solution to Q3 above as followssolution to Q3 above as follows


Question 4Question 4

[Steps 1-6 same as in Q3][Steps 1-6 same as in Q3]

7.7. C C S: {H(N)}K S: {H(N)}KSPubSPub

8.8. S decrypts {H(N)}KS decrypts {H(N)}KSPub SPub to obtain to obtain H(N) and verifies that H(N) is H(N) and verifies that H(N) is the hash of the nonce originally the hash of the nonce originally sent to C.sent to C.

9.9. S S C: {GSK}K C: {GSK}KPubPub

10.10. If we want confirmation,If we want confirmation,C C S: H(GSK,N), or S: H(GSK,N), orC C S: {H(GSK)}K S: {H(GSK)}KSPubSPub


Question 4 – Group Symmetric Question 4 – Group Symmetric KeyKey2.2. Describe how the group symmetric Describe how the group symmetric

key is used to encrypt a particular key is used to encrypt a particular message.message. When the server receives an inbound When the server receives an inbound

message, it will decrypt the message, it will decrypt the RecipientInfo addressed to it to obtain RecipientInfo addressed to it to obtain the content encryption key (CEK).the content encryption key (CEK).

Now, instead of performing a public key Now, instead of performing a public key encryption for each recipient, the encryption for each recipient, the server encrypts the content encryption server encrypts the content encryption key with the group symmetric key. The key with the group symmetric key. The result is stored in a RecipientInfo that’s result is stored in a RecipientInfo that’s common to all recipients.common to all recipients.

We use the “KEKRecipientInfo” form of We use the “KEKRecipientInfo” form of RecipientInfo in S/MIME, which allows RecipientInfo in S/MIME, which allows us to encrypt a content encryption key us to encrypt a content encryption key with another symmetric key.with another symmetric key.


Question 4 – Group Symmetric Question 4 – Group Symmetric KeyKey3.3. What happens to the current group What happens to the current group

symmetric key when a member symmetric key when a member unsubscribes from the mailing list.unsubscribes from the mailing list. When a user unsubscribes, the current When a user unsubscribes, the current

GSK becomes invalid and the server has GSK becomes invalid and the server has to generate a new GSK and send it to to generate a new GSK and send it to the remaining list members.the remaining list members.

One way to do this is to have the server One way to do this is to have the server send a separate message to each list send a separate message to each list member containing the new GSK member containing the new GSK encrypted with their respective public encrypted with their respective public encryption keys.encryption keys.

Clients could then send a confirmatory Clients could then send a confirmatory message to the server to indicate that message to the server to indicate that they’ve received the new GSK. they’ve received the new GSK. [Optional step][Optional step]


Question 4 – Group Symmetric Question 4 – Group Symmetric KeyKey Another possibility is to have Another possibility is to have

the server send the GSK the server send the GSK (encrypted to each recipient) as (encrypted to each recipient) as part of the next mailing list part of the next mailing list message. message. Form the S/MIME message using Form the S/MIME message using

the GSK to encrypt the CEK.the GSK to encrypt the CEK. Include the KEKRecipientInfo with Include the KEKRecipientInfo with

{CEK}GSK (CEK encrypted with {CEK}GSK (CEK encrypted with GSK)GSK)

Include M additional Include M additional RecipientInfos, one per member i, RecipientInfos, one per member i, containing {GSK}Kcontaining {GSK}KPub,iPub,i

Date post:	15-Jan-2016
Category:	Documents
View:	214 times
Download:	0 times

Homework #5 Solutions Brian A. LaMacchia [email protected] [email protected] Portions ©...

Documents