Perfect secrecy
Example of CPA secure system that’s not CCA secure
Consider this scheme:
Adversary sends and to the encryption oracle.
He gets back , where .
Since the decryption oracle will not accept the encryption of the challenge messages ( or ) as input, the attacker will do the next best thing. They can flip the first bit in the encryption of .
The decryption oracle will gladly decrypt the new ciphertext .
The adversary can now tell from what he gets back (either or ) whether or was encrypted.
Constructing CCA-secure encryption schemes (Common approach: CPA-ENC + EU-MAC)
Most CCA attacks rely on attacker modifying encryption of the m
and then feeding it to the decryption oracle, whose answer tells the attacker which message was encrypted. If you add a MAC on top of the encryption, disallowing the attacker to fiddle with the ciphertext, then you essentially render the decryption oracle useless.
Let 𝜋 = (𝐸𝑛𝑐, 𝐷𝑒𝑐, 𝐺𝑒𝑛). The generator now has to generate two keys, one for the MAC and one for the encryption scheme.
Message Authentication Codes
For and , the tag is equally valid, so it is not a secure MAC.
Suppose the following scheme exists. Is it secure?
No, because an attacker can slice the tag from two different messages and then use it to reproduce messages for other values of that are from the messages they send initially.
Remember, that you shouldn’t be able to produce a MAC on any message without the key. Imagine you can ask for a MAC on any message m that you want and I’ll give it to you. Your goal is to try and produce a MAC that is correct on a message for which you never asked for a MAC. For example, you could ask for MACs on m1, m2, m3, . . . , m . You win if you can produce a MAC on some fresh message m, that isnt in the set .
Signatures
These are public key versions of MAC.
Suppose the following scheme exists:
: Compute $\sigma_1 \larr Sign(m_1,sk_2), \sigma_2 \larr Sign(m_2, sk_2), output \space\sigma=\sigma_1||\sigma_2 $
(Split the message in half. Use the first secret key to sign the first half of the message and the second secret key to sign the second half of the message. The signature is just the concatenation of these two sub-signatures)
: Compute . Output .
(Verify a signature by splitting the signature in half and the messsage in half and verifying each half on its own. If both verification algorithms output 1, output 1.)
UF-CMA: Secure in that you cannot produce a verifying signature on a message without the secret key, even if you get to see lots of other signatures.
Show that (Gen’ , Sign’ , Vrfy’ ) is not a UF-CMA secure digital signature scheme.
Answer: Not secure and this is why - Attacker knows the digital signature scheme, they know a signature request will output a string of length , which is a concatenation of two strings Signature functions. They can get a bunch of signatures back, and then piece together a signature for a function that was never intended to be signed.
Key exchange
Suppose Alice chooses (meaning two random bitstrings of length ) and sends a= to Bob. Bob randomly chooses b1, b2, and sends b = b1 xor b2 to Alice. Alice computes c=b xor a1, and sends it to Bob. Alice outputs a1 and bob outputs c xor b. Do they get the same key? Is this secure?
Answer: Alice outputs a1, Bob outputs b⊕c=b⊕b⊕a1, since b⊕b=0. Now since attacker knows a,b,c, they can also recalculate to a1.
Man in the middle
Diffie-Hellman key exchange
Now suppose the following scenario: The client chooses a random exponent a and sends g^a to the server. The server chooses a random exponent b and sends g^b to the client. Both client and server compute the key k = g^ab, each by raising the message they received to the private exponent they chose. The client sends Enc_k(m) to the server who can decrypt it since it has the key k.
(a) What, if anything, can be learned by an eavesdropper who may not tamper with messages?
The attacker can either use leaked metadata to do malicious activity (such as email patterns and such) but learns nothing about the content itself.
(b) How can an attacker hijack and attack this scheme?
ARP (Address Resolution Protocol) and BGP (Border Gateway Protocol) are two fundamental protocols used in computer networks, but they serve different purposes. Let's dive into each protocol individually:
In summary, ARP helps in resolving IP addresses to MAC addresses within a local network, enabling devices to communicate with each other.
BGP is essential for maintaining a reliable and efficient routing system on the internet. It enables autonomous systems to communicate and exchange routing information, allowing packets to traverse multiple networks to reach their destinations.
In summary, ARP is responsible for resolving IP addresses to MAC addresses within a local network, while BGP is used for interconnecting different autonomous systems and exchanging routing information on a global scale.
BGP values specificity and shortness of path - due to which two major attacks are prefix hijacking and one-hop attack.
RPKI (Resource Public Key Infrastructure) is a cryptographic framework used to secure the routing infrastructure of the internet. It is designed to prevent the propagation of invalid or unauthorized route announcements and mitigate the risks associated with BGP hijacking and route leaks. RPKI provides a mechanism for verifying the authenticity and authorization of route announcements by associating them with the rightful owner of IP address prefixes. Here's how RPKI works:
Resource Certification Authorities (RCAs):
RCAs are trusted entities that issue digital certificates to resource holders, such as internet service providers (ISPs) and autonomous systems (ASes). These certificates bind the IP address prefixes to the cryptographic keys of the resource holders. RCAs are responsible for verifying the ownership and authorization of the resources.
Route Origin Authorization (ROA):
A ROA is a digitally signed object created by a resource holder using their private key. It contains the IP address prefix and the AS number authorized to originate that prefix. The ROA also includes other attributes, such as the maximum prefix length and validity period. The ROA is then published in the RPKI repository.
RPKI Repository:
The RPKI repository is a centralized or distributed collection of digital objects that store the ROAs and related certificates. It acts as a publicly accessible database that contains the cryptographic proof of ownership and authorization of IP address prefixes.
Relying Party:
A relying party is typically an ISP or network operator that wants to validate the authenticity and authorization of route announcements received from its peers. The relying party performs the following steps:
a. Retrieval: The relying party retrieves the ROAs and certificates from the RPKI repository using the Resource Public Key Infrastructure/Router Protocol (RPKI/RTR) or other protocols.
b. Validation: The relying party verifies the digital signatures of the certificates and ROAs using the public keys obtained from the certificates. It also checks the relationship between the AS number in the route announcement and the authorized AS number in the corresponding ROA. If the validation process succeeds, it confirms that the route announcement is legitimate.
c. Route Filtering: Based on the validation results, the relying party decides whether to accept or reject the received route announcement. If the route is invalid or unauthorized, it can be filtered out to prevent its propagation.
By deploying RPKI, network operators can enhance the security and reliability of their routing infrastructure. It provides a means to validate the legitimacy of route announcements, reducing the risk of BGP hijacks, route leaks, and other routing incidents that can disrupt network connectivity and compromise data integrity.
Overall, RPKI plays a crucial role in securing the BGP routing system by enabling resource holders to cryptographically prove their ownership of IP address prefixes and allowing network operators to validate the authenticity of route announcements.
Here's a simplified example of a chain of cryptographic certificates in RPKI:
Resource Holder Certificate 1:
Resource Holder Certificate 2:
These certificates form a chain of trust, where the Root CA certificate is self-signed, the Sub-CA certificate is signed by the Root CA, and the Resource Holder certificates are signed by the Sub-CA.
When a relying party retrieves the certificates from the RPKI repository, it can verify the digital signatures using the corresponding public keys. This validation process establishes the authenticity and authorization of the IP address prefixes associated with the resource holders.
Please note that this example provides a simplified representation of the certificate chain in RPKI. In practice, there may be additional levels of hierarchy and more complex certificate structures depending on the RPKI deployment.
BGPsec (Border Gateway Protocol Security) is an extension to the BGP protocol designed to enhance the security and integrity of BGP routing information. BGPsec addresses the vulnerabilities in BGP, such as the potential for route hijacking, route leaks, and the injection of unauthorized routing information. It uses cryptographic mechanisms to validate the authenticity and integrity of BGP route announcements. Here's how BGPsec works:
Certificate Authorities (CAs):
BGPsec relies on a public key infrastructure (PKI) that includes one or more trusted CAs. These CAs are responsible for issuing digital certificates to participating BGP routers. The certificates bind the routers' public keys to their identity, ensuring the authenticity of their BGP route announcements.
Router Certificates:
Each BGP router participating in BGPsec is required to have a digital certificate issued by a trusted CA. The router certificate contains the router's public key, identity information, and the CA's digital signature.
Route Origin Validation (ROV):
ROV is a critical component of BGPsec that verifies the authenticity of route announcements. It involves the following steps:
a. Origin Validation:
b. Path Validation:
BGPsec Signaling:
To indicate BGPsec support and enable secure BGP sessions, routers exchange BGPsec-specific attributes and signaling messages during the BGP session establishment process.
BGPsec Path Attribute:
BGPsec introduces a new path attribute, called the BGPsec path attribute, which carries the cryptographic information necessary for path validation. This attribute includes digital signatures and cryptographic hashes that provide proof of authenticity and integrity.
By deploying BGPsec, network operators can significantly improve the security of BGP routing. It enables routers to validate the legitimacy of route announcements, preventing the propagation of unauthorized or tampered routing information. BGPsec helps to mitigate the risks of BGP hijacking, route leaks, and other attacks that can lead to connectivity disruptions and data compromise.
It's important to note that BGPsec adoption requires coordination and support from both network operators and router vendors. The successful deployment of BGPsec relies on establishing a robust PKI infrastructure, ensuring wide-scale adoption, and implementing secure routing policies across ASes.
BGPsec vs RPKI
BGPsec and RPKI are two complementary technologies that aim to enhance the security of BGP routing, but they address different aspects of the routing infrastructure. Let's compare BGPsec and RPKI:
In summary, while BGPsec focuses on securing the integrity of BGP route announcements, RPKI addresses the verification of IP address ownership and authorization. Both technologies play important roles in enhancing the security of the BGP routing system, and their combined deployment can provide a more robust and secure routing infrastructure.
TLS (Transport Layer Security) is a cryptographic protocol designed to provide secure communication over a network, typically the internet. It ensures the confidentiality, integrity, and authenticity of data exchanged between client and server applications. TLS is the successor to SSL (Secure Sockets Layer) and is widely used to secure various types of communication, including web browsing, email, instant messaging, and more. Here's a detailed explanation of TLS:
Encryption and Data Transfer:
Once the handshake is complete, the client and server use the negotiated session keys to encrypt and decrypt data during the TLS session. TLS supports various symmetric encryption algorithms, such as AES (Advanced Encryption Standard), and authentication mechanisms, such as HMAC (Hash-based Message Authentication Code), to ensure data confidentiality and integrity.
Certificate Validation:
During the handshake, the client verifies the server's certificate to ensure its authenticity. This involves checking the certificate's validity, verifying the digital signature, and ensuring it is issued by a trusted CA. If the validation fails, the client may terminate the connection or prompt the user with a warning.
Renegotiation and Session Resumption:
TLS supports renegotiation, allowing the client and server to modify the parameters of an established session. Renegotiation is used, for example, to switch to a different cipher suite or extend the session's duration. Additionally, TLS supports session resumption, where a client can reuse a previously established session, avoiding the need for a full handshake.
TLS is a crucial component of secure communication on the internet, providing privacy and integrity for sensitive data transmission. It protects against eavesdropping, tampering, and impersonation attacks, ensuring that communication between clients and servers remains secure.
OPAQUE (Oblivious Password Authentication with Strong Security) is a password-based authentication protocol that aims to enhance the security and privacy of user passwords during the authentication process. It allows users to authenticate themselves to a server without revealing their passwords or vulnerable password-equivalent information, such as hashed passwords or verifiers. OPAQUE achieves this by leveraging a cryptographic technique called password-authenticated key exchange (PAKE). Here's an explanation of how OPAQUE passwords work:
OPAQUE provides security against offline dictionary attacks, where an attacker attempts to guess a user's password by repeatedly submitting password guesses to the server. It ensures that the server cannot obtain any useful information to perform password cracking, even if it becomes compromised.
By using OPAQUE, users can authenticate themselves securely without disclosing their passwords or password-equivalent information to the server, preserving their privacy and reducing the risk of password-based attacks.
The Onion Router (Tor) is a privacy-focused network protocol and software system that enables anonymous communication over the internet. Tor is designed to protect the privacy and anonymity of users by routing their network traffic through a series of volunteer-operated servers called Tor relays. Here's a detailed explanation of how the Onion Router works, along with an example:
Onion Routing Concept:
The core concept behind Tor is "onion routing." This involves wrapping data packets in multiple layers of encryption, similar to the layers of an onion, before transmitting them through the Tor network. Each layer is peeled off at each relay, revealing the next destination in the route, until the final destination is reached.
Tor Network Architecture:
The Tor network consists of three types of nodes:
Establishing a Circuit:
Before transmitting data, Tor establishes a circuit through a series of relays. The circuit is a path consisting of multiple relays that the user's data will traverse. Tor selects these relays randomly and changes them periodically to enhance anonymity. The circuit is encrypted end-to-end, ensuring that no individual relay can decrypt the entire route.
Data Transmission:
Once the circuit is established, data transmission occurs in the following manner:
Example Scenario:
Let's say a user wants to access a website anonymously using Tor:
Throughout this process, the user's anonymity is preserved as no single relay knows the complete path or the user's identity, and the website only sees the exit node's IP address.
Tor's design and implementation provide a robust system for anonymous communication, enabling users to browse the internet and access online resources without revealing their identity or location.
Tor Cells
Attacking Tor: Timing Attacks and Traffic Analysis.
The Tor directory service is a critical component of the Tor network that provides information about the network's relays, their current status, and network topology. It acts as a central directory where Tor clients (users) can obtain necessary information to establish circuits and communicate securely. Here's an overview of the Tor directory service:
Directory Authorities:
The Tor directory service is maintained by a set of trusted servers known as Directory Authorities (DAs). These DAs are operated by trusted individuals or organizations within the Tor community. They are responsible for collecting information about Tor relays, verifying their authenticity, and publishing the directory information.
Directory Structure:
The directory service maintains a hierarchical structure of directories, with multiple levels of information. The top-level directory is known as the "consensus" document, which contains high-level information about all Tor relays currently active in the network. This includes their IP addresses, cryptographic identities, and other details.
Below the consensus document, there are separate directories for different aspects of the network, such as network statuses, relay descriptors, and statistics. These directories provide more detailed information about relays, their bandwidth capacity, exit policies, and other relevant metadata.
The Tor directory service plays a vital role in facilitating the operation of the Tor network. It provides Tor clients with up-to-date information about relays, enabling them to build circuits, select entry and exit points, and establish secure and anonymous communication. By relying on the directory service, Tor clients can navigate the network and utilize its anonymity features effectively.