Question: What could be an example?
This is a fairness property:
Eventually something good will happenAll the other properties seen before were, in contrast, safety properties:
Nothing bad will ever happenThe distinction between the two is rather subtle and requires a formal model of computation. We mention this distinction here only to point out that the formal treatment of security properties can require very different techniques. Proving fairness properties is in general much more difficult than proving safety properties.
To encipher a pair of letters we first situate them in the table, then we take the pair of letters at the opposite corners.
In the example represented in the table below, the rule for scrambling is the placement of the world DISLEXIA at the beginning of the table, and consequent shift of all other letters.
For example, the pair PL is encrypted as QS.
+---+ D Y|S L|E | | X I|A B|C | | F G|H K|M | | N O|P Q|R +---+ T U V W ZThe Playfair cipher is simple, in the sense that the function AxA -> AxA remains constant
Obviously the security can be made greater by working with larger blocks.
PK : Public key, publically knownWhoever wants to send a message M to A, it will encrypt it by using PK, then send the result of the encryption, { M }_{PK}, to A. A will then decrypt it by using SK. Let {{ M }_{PK}}_{SK} be the final result.
SK : Secret (or private) key, known only by the agent
The following property must hold:
(a) {{ M }_{PK}}_{SK} = MIn some scheme, like the RSA (Rivest, Shamir and Adleman), also the reverse holds:
(b) {{ M }_{SK}}_{PK} = MNote: (a) implies that { }_{PK} is injective and (b) implies that { }_{PK} is injective. In theory this works fine, but how to make it work in practice? In other words: if one knows how to encrypt messages, in principle he should be able to infer also how to decrypt them. How to make sure that SK is really secret?
Idea:
Use one-way functionsOne-way function are easy to calculate in one direction, but intractable in the other direction.
So, SK is not secret in an absolute sense, but it is secret in practice.
Idea:
Use a trap-door
Given a one-way function f, a trap-door is an information that makes it easy to calculate the inverse of f.
ed = 1 (mod (p-1)(q-1))Using Fermat's Little theorem, we know that
m^{ed} = m (mod n)Note: x = y (mod n) means that the integer division of x and of y by n give the same remainder.
c = m^{e}(mod n)
c^{d} = m^{ed} = m (mod n)
It is more straightforward and does not require a trap-door.
Note that Anne and Bob play a symmetric role in the generation of the key.
Deriving x from m_{1} (and y from m_{2}) is considered to be intractable.
Example: Given the RSA encryption scheme, consider the following protocol which Anne could use to send a message to Bob:
{{ M }_{PKAnne}}_{PKBob}
{{ M }_{PKAnne}}_{PKBob} = {{ M }_{PKBob}}_{PKAnne}Anne strips off her own encryption and computes { M }_{PKBob}
Answer: Various reasons: one is that for the commutative property the n's of the two public keys should be the same, and this mean that both Anne and Bob know the factorization and hence can guess the secret key of each other. Another reason is that the intruder could intercept the message sent from Anne, send it back to Anne as it is, and Anne will decript it. Finally, we have the following attack, which can be classified as an application of the man-in-the-middle strategy:
{{ M }_{PKAnne}}_{PKYves}
{ M }_{PKYves}
Example: Consider a variant of the NNSK protocol (Needham-Schroeder-Secret-Key) with the nonce from A removed:
However, next time Anne sends a request to Jeeves, Yves can incercept Jeeve's reply, and send back to Anne the message
{B.k_{AB}.{k_{AB}.A}_{ServerKey(B)}}_{ServerKey(A)}So Anne will think that k_{AB} is the key to be used in next conversation with Bob.
Question: Why this attack is not possible in the original NNSK protocol?
Example of an attack which combines oracle and interleaving techniques: Consider the Needham-Schroeder-Public-Key protocol:
At the end of the protocol, it seems reasonable to believe that:
Message a.1 A -> Y : { A.n_{A} }_{PKY}
Message b.1 Y(A) -> B : { A.n_{A} }_{PKB}
Message b.2 B -> Y(A) : { n_{A}.n_{B} }_{PKA}
Message a.2 Y -> A : { n_{A}.n_{B} }_{PKA}
Message a.3 A -> Y : { n_{B} }_{PKY}
Message b.3 Y(A) -> B : { n_{B} }_{PKB}
Initially, Anne starts a protocol run with Yves thinking that he is an honest agent.
At the end, Bob thinks that he and Anne share exclusively the knowledge of n_{A} and n_{B}, while this is not the case.