Modern Cryptography: Theory and Practice
By Wenbo Mao, Hewlett-Packard Company
Publisher: Prentice Hall PTR
Pub Date: July 25, 2003
ISBN: 0-13-066943-1
Pages: 648

Many cryptographic schemes and protocols, especially those based on public-key cryptography, have basic or so-called "textbook crypto" versions, as these versions are usually the subjects for many textbooks on cryptography. This book takes a different approach to introducing cryptography: it pays much more attention to fit-for-application aspects of cryptography. It explains why "textbook crypto" is only good in an ideal world where data are random and bad guys behave nicely. It reveals the general unfitness of "textbook crypto" for the real world by demonstrating numerous attacks on such schemes, protocols and systems under various real-world application scenarios. This book chooses to introduce a set of practical cryptographic schemes, protocols and systems, many of them standards or de facto ones, studies them closely, explains their working principles, discusses their practical usages, and examines their strong (i.e., fit-for-application) security properties, often with security evidence formally established. The book also includes self-contained theoretical background material that is the foundation for modern cryptography.

After ElGamal's original work, several variations of the ElGamal signature scheme emerged. Two influential ones are the Schnorr signature scheme [256, 257] and the Digital Signature Standard (DSS) [215, 216].

10.4.8.1 The Schnorr Signature

The Schnorr signature scheme is a variation of the ElGamal signature scheme but possesses a feature which forms an important contribution to public-key cryptography: a considerably shortened representation of prime field elements without having degenerated the underlying intractable problem (which is the DL problem, see § 8.4). This idea is later further developed to finite fields of a more general form in a new cryptosystem: the XTR public-key system [175].

The shortened representation is realized by constructing a field F_p such that it contains a much smaller subgroup of prime order q. We notice that the current standard parameter setting for p in ElGamal-like cryptosystems is p ≈ 2^1024. We should further notice that the size for p is likely to grow to suit the advances in solving the DL problem. However, after Schnorr's work, it has become a standard convention (a rule of thumb) that the parameter setting for q is q ≈ 2^160. It is quite possible that this setting is more or less a constant regardless of the growth of the size of p. This is because the subgroup information does not play a role in general methods for solving the DL problem in F_p, even if the target element is known to be in the given subgroup. The constant-ish 2^160 setting for q is merely imposed by the lower-bound requirement due to the square-root attack (see § 3.6).

The Schnorr signature scheme is specified in Alg 10.4. Notice that in the setting-up of public parameters, a generator g can be found quickly. This is because for q | p − 1, the probability of a randomly chosen f yielding g = 1 (mod p) is negligibly small. By Fermat's Little Theorem (Theorem 6.10 in § 6.4), g indeed generates a subgroup of q elements.

The signature verification works correctly because if (m, (s, e)) is a valid message-signature pair created by Alice, then Bob's verification procedure accepts it. As we have discussed earlier, working in the order-q subgroup of F_p^*, a signature in the Schnorr signature scheme is much shorter than a signature in the ElGamal signature scheme: 2|q| bits are required for transmitting a Schnorr signature, in comparison with 2|p| bits for transmitting an ElGamal signature. The shortened signature also means fewer operations in signature generation and verification: O_B(log^2 q log^2 p) in Schnorr vs. O_B(log^3 p) in ElGamal.
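As an added illustration (not the book's code) of the subgroup construction and the 2|q|-bit signature just discussed, the following Python sets up primes with q | p − 1, derives an order-q element as g = f^((p−1)/q) mod p, and then signs and verifies. It assumes the standard Schnorr equations e = H(m || g^l mod p), s = l + x·e (mod q), verified by recomputing g^s·y^(−e) (the formulas of Alg 10.4 are not reproduced in this extract), a toy 31-bit q with SHA-256 standing in for SHA-1, and a Miller-Rabin primality test; the off-line mod-p work is split into its own function.

```python
import hashlib
import secrets

# Added example, not the book's code. Parameter setup follows the subgroup
# construction described in the text; sign/verify use the standard Schnorr
# equations, which are assumed to match Alg 10.4.
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def setup_params(q):
    """Given a prime q, find the smallest prime p = 2kq + 1 and an element g of order q."""
    if not is_probable_prime(q):
        raise ValueError("q must be prime")
    k = 1
    while not is_probable_prime(2 * k * q + 1):
        k += 1
    p = 2 * k * q + 1
    while True:
        f = secrets.randbelow(p - 2) + 2          # random f in [2, p - 1]
        g = pow(f, (p - 1) // q, p)
        if g != 1:                                # g = 1 happens with probability ~1/q
            break
    assert pow(g, q, p) == 1                      # Fermat: g^q = f^(p-1) = 1 (mod p)
    return p, q, g


def keygen(params):
    p, q, g = params
    x = secrets.randbelow(q - 1) + 1              # private key x in [1, q - 1]
    return x, pow(g, x, p)                        # public key y = g^x mod p


def _challenge(m, big_r, q):
    """e = H(m || g^l mod p), reduced mod q so |e| = |q| and the signature is 2|q| bits."""
    h = hashlib.sha256(m + b"|" + str(big_r).encode()).digest()
    return int.from_bytes(h, "big") % q


def precompute(params):
    """Off-line part: a fresh, uniform ephemeral key l and the mod-p exponentiation."""
    p, q, g = params
    l = secrets.randbelow(q - 1) + 1
    return l, pow(g, l, p)


def sign(params, x, m):
    p, q, g = params
    l, big_r = precompute(params)                 # never reuse (l, g^l) across messages
    e = _challenge(m, big_r, q)
    s = (l + x * e) % q                           # the only on-line step: one mult mod q
    return e, s


def verify(params, y, m, sig):
    p, q, g = params
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    if not (1 < y < p and pow(y, q, p) == 1):     # y must lie in the order-q subgroup
        return False
    big_r = pow(g, s, p) * pow(y, q - e, p) % p   # g^s * y^(-e) equals g^l for a valid pair
    return _challenge(m, big_r, q) == e
```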
Further notice that in signature generation, the modulo p part of the computation can be conducted in an off-line manner. With this consideration, real-time signature generation only needs to compute one multiplication modulo q; the hard work is done off-line. Such a design arrangement is suitable for a small device to perform.

As in the case of the ElGamal signature, the ephemeral key should never be reused, and should be uniformly random. Under these conditions, the ephemeral key and the signer's private key protect one another in an information-theoretically secure sense.

10.4.8.2 The Digital Signature Standard (DSS)

In August 1991, the US standards body, National Institute of Standards and Technology (NIST), announced a new proposed digital signature scheme called the Digital Signature Standard (DSS) [215, 216]. The DSS is essentially the ElGamal signature scheme, but like the Schnorr signature scheme, it works in a much smaller prime-order subgroup of a larger finite field in which the DL problem is believed to be hard. Therefore, the DSS has a much reduced signature size compared with that of the ElGamal signature scheme.

Algorithm 10.4: The Schnorr Signature Scheme

Setup of System Parameters
1. Setup two prime numbers p and q such that q | p − 1;
   (* typical sizes for these parameters: |p| = 1024 and |q| = 160 *)
2. Setup an element g of order q;
   (* this can be done by picking a random f and setting g from it (mod p). If g = 1, repeat the procedure until g ≠ 1 *)
3. Setup a cryptographic hash function H;
   (* for example, SHA-1 is a good candidate for H *)
The parameters (p, q, g, H) are publicized for use by system-wide users.

Setup of a Principal's Public/Private Key
User Alice picks a random number x and computes her public key y from it. Alice's public-key material is (p, q, g, y, H); her private key is x.

Signature Generation
To create a signature of message m ∈ {0, 1}*, Alice picks a random ephemeral number and computes a signature pair (e, s) from it.

Signature Verification
Let Bob be a verifier who knows that the public-key material (p, q, g, y, H) belongs to Alice. Given a message-signature pair (m, (e, s)), Bob applies his verification procedure to it.

Algorithm 10.5: The Digital Signature Standard

Setup of System Parameters
(* the system parameters are identical to those for the Schnorr signature scheme; thus, parameters (p, q, g, H), which have the same meaning as those in Alg 10.4, are publicized for use by the system-wide users. *)

Setup of a Principal's Public/Private Key
User Alice picks a random number x as her private key, and computes her public key y from it. Alice's public-key material is (p, q, g, y, H); her private key is x.

Signature Generation
To create a signature of message m ∈ {0, 1}*, Alice picks a random ephemeral number and computes a signature pair (r, s) from it.

Signature Verification
Let Bob be a verifier who knows that the public-key material (p, q, g, y, H) belongs to Alice. Given a message-signature pair (m, (r, s)), Bob applies his verification procedure to it.

The DSS is specified in Alg 10.5. Signature verification works correctly because if (m, (r, s)) is a valid message-signature pair created by Alice, then the verification congruence holds: comparing its right-hand side with the first equation for signature generation, the congruence returns r once it is further reduced modulo q. The communication bandwidth and the computational requirements for the DSS are the same as those for the Schnorr signature scheme if the public parameters of these two schemes have the same size.

The DSS has been standardized together with a compatible standardization process for its hash function, namely SHA-1 [217]. The use of the standard hash function provides the needed property for message recognizability and so prevents existential forgery. Finally, the caution for the ephemeral key is also necessary, as in all signature schemes in the ElGamal signature family.

10.4.9 Formal Security Proof for Digital Signature Schemes

Analogous to our discussion in § 8.14 on the need for stronger security notions for public-key cryptosystems, we should also provide a brief discussion on the issue of provable security for digital signature schemes. The reader may have noticed that in this chapter we have not provided any formal evidence showing security for the digital signature schemes introduced. Indeed, as we have remarked in Remark 10.2, in this chapter we will not consider formal proof for signature schemes. There are two reasons behind this.
To explain the first reason, we notice that it is reasonable to expect that forging a signature "from scratch" should be harder than doing the job by making use of some available message-signature pairs which an attacker may have in possession before it starts to forge. The forgery task may be further eased if the attacker can interact with a targeted signer and persuade the latter to provide a signing service, i.e., to issue signatures of messages chosen by the attacker. Signature forgery based on making use of a targeted signer's signing service is called forgery via adaptive chosen-message attack.

In reality, message-signature pairs with respect to a given public key are abundantly available. Also, adaptive attacks are hard to prevent in applications of digital signatures: to issue signatures of given messages can be a perfectly legitimate service in many applications. Consequently, a fit-for-application notion of security for digital signatures is necessary. Such a security notion will be defined in Chapter 16. This is the first reason why we have deferred formal security proof for digital signature schemes.

For the second reason, we have also seen that it is generally easy to forge a message-signature pair, even to forge it "from scratch" if the "message" is not recognizable (in general, see Remark 10.1 for the ease of existential forgery and, in specific, review many concrete cases of existential forgery in our description of various concrete schemes). To prevent such easy ways of forgery, any digital signature scheme must be equipped with a message formatting mechanism which renders a message to be signed into a recognizable one. Most frequently, message formatting mechanisms use cryptographic hash functions. It is thus reasonable to expect that formal evidence for the security of a digital signature scheme should be supplied together with a formally modeled behavior of a cryptographic hash function. In the absence of a formally modeled hash function behavior, we have not been able to provide a formal argument on security for the digital signature schemes introduced so far in this chapter. This is the second reason why we have deferred formal security proof for digital signature schemes.

We have discussed in § 10.3.1.2 that cryptographic hash functions try to emulate random functions. For cryptographic schemes which use hash functions, a notion for establishing formal evidence for their security is called the random oracle model (ROM) for provable security. This notion will be available in Chapter 16. There, we shall see that under the ROM, we will be able to provide formal evidence to relate the difficulty of signature forgery (even via adaptive chosen-message attack) to some well-known computational assumptions in the theory of computational complexity.

10.5 Asymmetric Techniques II: Data Integrity Without Source Identification

In a data integrity mechanism realized by a digital signature scheme, the usual setting for key parameters stipulates that Ke is a private key and Kv is the matching public key. Under this setting, a correct integrity verification result of a message provides the message verifier the identity of the message transmitter, who is the signer of the message, i.e., the owner of the public key Kv.

We should notice however that this "usual setting for key parameters," while being a necessary element for achieving a digital signature scheme, is unnecessary for a data-integrity system. In fact, in Definition 10.1 we have never put any constraint on the two keys for constructing and for verifying MDC. Thus, for example, we can actually set the two keys, Ke and Kv, opposite to that for a digital signature scheme, that is, let Ke be a public key and Kv be a private key. Under such a key setting, anybody is able to use the public key Ke to create a consistent (i.e., cryptographically integral) pair (Data, MDC) or a "message-signature pair" (m, s), while only the holder of the private key Kv is able to verify the consistency of the pair (Data, MDC) or the validity of the "signature" (m, s). Of course, under such an unusual key setting, the system can no longer be regarded as a digital signature scheme. However, we must notice that, according to Definition 10.1, the system under such an unusual key setting remains a data-integrity system! Since anybody could have used the public key Ke to create the consistent pair (Data, MDC), we shall name this kind of data-integrity system data-integrity without source identification. From our familiarity with the behavior of Malice (the bad guy), there is no danger for us to conveniently rename this data-integrity service "data integrity from Malice."

Let us now look at an example of a public-key encryption scheme which provides this sort of service.
This is a scheme with such a property: Malice can send to Alice a confidential message such that the message is "non-malleable" (e.g., by other friends of Malice), that is, it is computationally hard for any other member in the clique of Malice to modify the message without being detected by Alice, the message receiver. This algorithm, with its RSA instantiation being specified in Alg 10.6, is named Optimal Asymmetric Encryption Padding (OAEP) and was invented by Bellare and Rogaway [24].

If the ciphertext has not been modified after its departure from the sender, then from the encryption algorithm we know that Alice will retrieve the random number r correctly, and therefore Alice will see k1 zeros trailing the retrieved plaintext message. On the other hand, any modification of the ciphertext will cause an alteration of the message sealed under the RSA function. This alteration will further cause "uncontrollable" alteration to the plaintext message, including the random input and the redundancy of k1 zeros trailing the plaintext message, which have been input to the OAEP function. Intuitively, the "uncontrollable" alteration is due to a so-called "random oracle" property of the two hash functions used in the scheme (see our discussions of random oracles in § 10.3.1.2). The uncontrollable alteration will show up by damaging the redundancy (the string of k1 zeros) added into the plaintext with a probability of at least 1 − 2^−k1. Given that 2^−k1 is negligible, 1 − 2^−k1 is significant. Thus, indeed, the scheme provides data-integrity protection on the encrypted message.

Notice that the data-integrity protection provided by the RSA-OAEP encryption algorithm is a strange one: although upon seeing the string of k1 zeros Alice is assured that the ciphertext has not been modified, she can have no idea who the sender is. That is why in Alg 10.6 we have deliberately specified Malice as the sender.

The notion of "data integrity from Malice" is very useful and important. This notion became apparent as a result of advances in public-key encryption schemes secure with respect to adaptively chosen ciphertext attack (CCA2, see Definition 8.3 in § 8.6). In a public-key cryptosystem secure with respect to CCA2, the decryption procedure includes a data-integrity verification step. Such a cryptosystem is considered to be invulnerable even in the following extreme form of abuse by an attacker: The attacker and a public-key owner play a challenge-response game. The attacker is in the position of a challenger and is given freedom to send, as many as he wishes (of course the attacker is polynomially bounded), "adaptively chosen ciphertext" messages to the owner of the public key for decryption in an oracle-service manner (review our discussion on "oracle services" in § 8.2 and see a concrete example of an oracle encryption service in § 8.2). The owner of the public key is in the position of a responder. If the data-integrity verification in the decryption procedure passes, the key owner should simply send the decryption result back regardless of the fact that the decryption request may even be from an attacker who may have created the ciphertext in some clever and unpublicized way with the intention to break the target cryptosystem (either to obtain a plaintext message which the attacker is not entitled to see, or to discover the private key of the key owner).

Algorithm 10.6: Optimal Asymmetric Encryption Padding for RSA (RSA-OAEP) [24]

Key Parameters
Let (N, e, d, G, H, n, k0, k1) ←_U Gen(1^k) satisfy: (N, e, d) is the RSA key material where d = e^−1 (mod φ(N)) and |N| = k = n + k0 + k1 with 2^−k0 and 2^−k1 being negligible quantities; G, H are two hash functions; n is the length of the plaintext message. Let (N, e) be Alice's RSA public key and d be her private key.

Encryption
To send a message m ∈ {0, 1}^n to Alice, Malice performs the following steps:
1. r ←_U {0, 1}^k0; s ← (m || 0^k1) ⊕ G(r); t ← r ⊕ H(s);
2. If [a] (s || t ≥ N) go to 1;
3. c ← (s || t)^e (mod N).
The ciphertext is c.
(* here, "||" denotes the bit string concatenation, "⊕" the bit-wise XOR operation, and "0^k1" the string of k1 zeros functioning as redundancy for data-integrity checking at decryption time. *)

Decryption
Upon receipt of the ciphertext c, Alice performs the following steps:
1. s || t ← c^d (mod N) satisfying |s| = n + k1 = k − k0, |t| = k0;
2. u ← t ⊕ H(s); v ← s ⊕ G(u);
3. (* when REJECT is output, the ciphertext is deemed invalid *)

[a] We use a trial-and-error test in order to guarantee that the padding result as an integer is always less than N. The probability of repeating the test i times is 2^−i. An alternative way is to make r and H, and hence t, one bit shorter than the length of N; see the "PSS Padding" algorithm in § 16.4.2.

If a ciphertext has the correct data integrity, then it is considered that the sender should have known already the plaintext encrypted in it. This is a notion known as "plaintext awareness." If the attacker has known already the encrypted plaintext, then an oracle decryption service should provide him no new information, not even in terms of providing him with cryptanalysis training for how to break the target cryptosystem. On the other hand, if the attacker has tried an adaptive way to modify the ciphertext, then with an overwhelming probability the data integrity checking will fail, and then the decryption will be a null message. So against a cryptosystem with data integrity protection on the ciphertext, an active attacker won't be effective.

In Chapter 14 we will introduce a formal model for capturing the security notion under adaptively chosen ciphertext attack (CCA2). We will also study some public-key cryptosystems which are formally provably secure with respect to such attacks in Chapter 15. The RSA-OAEP is one of them. In § 15.2 we shall provide a detailed analysis of the security of the RSA-OAEP encryption scheme. The analysis will be a formal proof that the RSA-OAEP is secure under a very strong attacking scenario: indistinguishability against an adaptively chosen ciphertext attacker. Due to this stronger security quality, the RSA-OAEP is no longer a textbook encryption algorithm; it is a fit-for-application public-key cryptosystem.

As has been shown in the RSA-OAEP algorithm, the usual method to achieve a CCA2-secure cryptosystem is to have the cryptosystem include a data-integrity checking mechanism without having the least concern for message source identification. Message source identification is part of an authentication service called data-origin authentication. Authentication is the topic for the next chapter.
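Alg 10.6 written out as runnable Python, as an added example that is not the book's code. It assumes a toy 150-bit RSA modulus built from two Mersenne primes, k0 = k1 = 32, SHAKE256 with a domain tag standing in for the random oracles G and H, and bit strings handled as integers; it shows that anyone holding the public key (Malice) produces a ciphertext that passes Alice's check, while any modification of c trips the 0^k1 redundancy and yields REJECT.

```python
import hashlib
import secrets

# Toy RSA key, constructed for this example (real keys are >= 2048 bits).
P = 2**61 - 1                     # Mersenne prime
Q = 2**89 - 1                     # Mersenne prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = N.bit_length()                # |N| = k = 150
K0 = 32                           # |r|
K1 = 32                           # length of the 0^k1 redundancy
NLEN = K - K0 - K1                # n = 86-bit plaintext


def _oracle(tag, x, xbits, outbits):
    """Hash stand-in for the random oracles: maps an xbits-bit int to an outbits-bit int."""
    data = tag + x.to_bytes((xbits + 7) // 8, "big")
    nbytes = (outbits + 7) // 8
    digest = hashlib.shake_256(data).digest(nbytes)
    return int.from_bytes(digest, "big") >> (8 * nbytes - outbits)


def G(r):                         # {0,1}^k0 -> {0,1}^(n+k1)
    return _oracle(b"G", r, K0, NLEN + K1)


def H(s):                         # {0,1}^(n+k1) -> {0,1}^k0
    return _oracle(b"H", s, NLEN + K1, K0)


def oaep_encrypt(m):
    """Anyone with the public key (Malice) can build a ciphertext Alice will accept."""
    if not 0 <= m < 2**NLEN:
        raise ValueError("plaintext must be n bits")
    while True:
        r = secrets.randbits(K0)
        s = (m << K1) ^ G(r)          # (m || 0^k1) XOR G(r)
        t = r ^ H(s)                  # r XOR H(s)
        padded = (s << K0) | t        # s || t, k bits
        if padded < N:                # footnote [a]: retry until s || t < N
            return pow(padded, E, N)


REJECT = None


def oaep_decrypt(c):
    """Only Alice (holder of d) can run the check; REJECT when the k1 zeros are damaged."""
    if not 0 <= c < N:
        return REJECT
    padded = pow(c, D, N)
    s = padded >> K0                  # |s| = n + k1
    t = padded & ((1 << K0) - 1)      # |t| = k0
    u = t ^ H(s)                      # recovers r if c is intact
    v = s ^ G(u)                      # recovers m || 0^k1 if c is intact
    if v & ((1 << K1) - 1) != 0:      # redundancy broken with prob. >= 1 - 2^-k1
        return REJECT
    return v >> K1
```

The check tells Alice the ciphertext is intact but nothing about who sent it, which is exactly "data integrity from Malice".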
• Table of Contents Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company Publisher : Prentice Hall PTR Pub Date : July 25, 2003 ISBN : 0-13-066943-1 Pages : 648 Many cryptographic schemes and protocols, especially those based on public-keycryptography, have basic or so-called "textbook crypto" versions, as these versionsare usually the subjects for many textbooks on cryptography. This book takes adifferent approach to introducing cryptography: it pays much more attention tofit-for-application aspects of cryptography. It explains why "textbook crypto" isonly good in an ideal world where data are random and bad guys behave nicely.It reveals the general unfitness of "textbook crypto" for the real world by demonstratingnumerous attacks on such schemes, protocols and systems under variousreal- world application scenarios. This book chooses to introduce a set of practicalcryptographic schemes, protocols and systems, many of them standards or de factoones, studies them closely, explains their working principles, discusses their practicalusages, and examines their strong (i.e., fit-for-application) security properties, oftenwith security evidence formally established. The book also includes self-containedtheoretical background material that is the foundation for modern cryptography. 10.6 Chapter Summary In this chapter we have introduced the basic cryptographic techniques for providing data- integrity services. These techniques include (i) symmetric techniques based on using MACs constructed from hash functions or from block cipher algorithms, and (ii) asymmetric techniques based on digital signatures. Data-integrity served by these techniques comes together with a sub-service: message source identification. The security notion for digital signature schemes provided is this chapter is a textbook version and hence is a very weak one. 
For some digital signature schemes introduced here we have also provided early warning signals on their (textbook) insecurity. The strengthening work for both security notions and for constructing strong signature schemes will be conducted in Chapter 16 . Finally, we also identified a peculiar data-integrity service which does not come together with identification of the message source, and exemplified the service by introducing a public-key cryptosystem which makes use of this service for obtaining a strong security (not reasoned here). In Chapter 15 we will see the important role played by this peculiar data-integrity service in formalizing a general methodology for achieving fit-for-application cryptosystems. • Table of Contents Modern Cryptography: Theory and Practice By Wenbo Mao Hewlett-Packard Company Publisher : Prentice Hall PTR Pub Date : July 25, 2003 ISBN : 0-13-066943-1 Pages : 648 Many cryptographic schemes and protocols, especially those based on public-keycryptography, have basic or so-called "textbook crypto" versions, as these versionsare usually the subjects for many textbooks on cryptography. This book takes adifferent approach to introducing cryptography: it pays much more attention tofit-for-application aspects of cryptography. It explains why "textbook crypto" isonly good in an ideal world where data are random and bad guys behave nicely.It reveals the general unfitness of "textbook crypto" for the real world by demonstratingnumerous attacks on such schemes, protocols and systems under variousreal- world application scenarios. This book chooses to introduce a set of practicalcryptographic schemes, protocols and systems, many of them standards or de factoones, studies them closely, explains their working principles, discusses their practicalusages, and examines their strong (i.e., fit-for-application) security properties, oftenwith security evidence formally established. 
Exercises

10.1 What is a manipulation detection code (MDC)? How is an MDC generated and used? Is a message authentication code (MAC) an MDC? Is a digital signature (of a message) an MDC?

10.2 What is a random oracle? Does a random oracle exist? How is the random oracle behavior approximated in the real world?

10.3 Let the output space of a hash function have magnitude 2^160. What is the expected time cost for finding a collision under this hash function?

10.4 Why is a hash function practically non-invertible?

10.5 What is the main difference between a symmetric data-integrity technique and an asymmetric one?

10.6 What is existential forgery of a digital signature scheme? What are practical mechanisms to prevent existential forgery?

10.7 Why is the textbook security notion for digital signatures inadequate? Hint: consider the fatal vulnerability of the Rabin signature against an active attacker.

10.8 What is the security notion "data integrity from Malice"?

10.9 Is a ciphertext output from the RSA-OAEP algorithm (Alg 10.6) a valid MDC?

[...]
... mechanisms have been documented in ISO/IEC standards.

The ISO/IEC standardization for mechanism (11.4.5) is called "ISO One-Pass Unilateral Authentication with Cryptographic Check Functions" [149], and is as follows:

1. A → B: TokenAB ... || B || ...

... analysis and criticism of that undesirable feature to §17.2.1 where we investigate formal approaches to developing correct authentication protocols.

... Mutual Authentication Protocol

PREMISE: In addition to that of Prot 11.1, Malice has public key certificate CertM;

1. Malice("B") → A: R_B
2. A → Malice("B") ...

... activities, business transactions and government services have been, and more and more of them will be, conducted and offered over an open and vulnerable communications network such as the Internet. It is vitally essential to establish that the intended communication partners and the messages transmitted are bona fide. The security service needed ...
... Authentication Protocol

PREMISE: User U and Host H have set up U's password entry (ID_U, f(P_U)) where f is a one-way function; U memorizes password P_U;

GOAL: U logs in to H using her/his password.

1. U → H: ID_U;
2. H → U: "Input Password:";
...

... As R_A forms part of the ... measure preventing A from inadvertently signing a message of B's preparation.

11.4.1.3 Timestamp Mechanisms

In a timestamp mechanism, Alice adds the current time to her message composition which involves a ...

... several ways in order for them to serve as an introduction to a culture of caution and vigilance in the areas of cryptography and information security. In this chapter we return to the topic of authentication. The purpose of returning to the topic is for us to have a more comprehensive study of the area. Our ...

... authentication and unilateral authentication was not clearly understood in an early stage of the ISO/IEC standardization process for Prot 11.1. In several early standardization drafts for Prot 11.1 [143,130], ...

Protocol 11.1: ISO Public Key Three-Pass Mutual Authentication Protocol

PREMISE: A has public key ...
... timestamp and message. Of course, if M also needs confidentiality protection, then it is necessary to use encryption; however, the use of encryption does not rule out the necessity of data-integrity protection. Obviously, a timestamp mechanism can also be obtained by applying asymmetric cryptographic techniques:

Equation 11.4.6 ...