SECURITY and CRYPTOGRAPHY 15-827                  18 OCT 01
             Lecture #10                                 M.B.
                                                      4615 Wean


Recall Tuesday's PhonOID protocol (below). Does anyone have a good idea how
I might be generating these responses?

Challenge = a word or sentence having 5 or 6 characters.
Response  = a 4-digit vector.

    CHALLENGE= JUMP      DUMP      BUMP      HUMP           
    HIDDEN   =    5         8         6         2           
    RESPONSE = <2,2,4,6> <7,0,2,4> <1,0,4,6> <2,1,4,4>      
                                                            
    CHALLENGE= JUMPS     DUMPS     BUMPS     HUMPS          
    HIDDEN   =    0         3         1         7           
    RESPONSE = <6,1,2,7> <9,0,4,8> <2,0,4,2> <2,1,4,8>      
                                                            
    CHALLENGE= STUMP     LUMP      DREAM     REAM           
    HIDDEN   =    6         5         9         9           
    RESPONSE = <2,2,4,8> <2,2,4,4> <7,5,9,2> <8,8,0,2>      
                                                            
    CHALLENGE= STUMPS    LUMPS     SCREAM    CREAM          
    HIDDEN   =    1         0         0         5           
    RESPONSE = <2,2,4,2> <6,1,2,6> <7,8,9,4> <6,4,7,2>      




Recall: Our first (in-class) MIDTERM EXAM -- along the lines of the
homework problem below -- will be on THURSDAY 25 OCTOBER, just one week
from today. 
Like all my exams, that midterm will be closed book.




HOMEWORK (due Tue 23 October): Analyze some PART of the following CLASS of
PhonOID protocols, which I call "Blum's Plums."  For example, you might do
ONE of the following:
1. specify the class much more precisely, or
2. discuss how to teach a random mapping from characters to digits -- but
only if you have further insight to contribute :) or
3. discuss how a program for evaluating a person's private protocol might
work (the PhD thesis topic alluded to at the end of this assignment), or
4. suggest and analyze additions to this protocol. For example, what are
some simple ways for the user to make sure that the challenge has not been
generated in a chosen-challenge attack?

Note that while you have seen several INSTANCES of PhonOID protocols, this
is the first (general) class of such protocols.

Blum's Plums:

ASSUMPTION: It is assumed that the (human) user has memorized a PRIVATE
randomly chosen mapping f from characters to digits, and that she can
nearly instantly recall f(x) for any character x. For example, she might
map A->1, B->2, C->3, ... J->0, ... Z->6 but this would be *bad* if the
user had to run through all the characters up to J, say, to get the value
of f(J). (The mapping would also be bad because not random).

DEFINITION: In what follows, "add characters x1,...,xk" will be shorthand
for the phrase "compute f(x1)+...+f(xk)."

THE CHALLENGE: The user is allowed to prescribe what will constitute a
legitimate challenge. If nothing is said, the challenge can be any "short"
English phrase or sentence containing at least 3 words each at least 5
characters long.

There are several ways to accommodate "short" words, and the user must
specify how she intends to do so. For example, she could use "wraparound,"
in which a short word is treating like a longer one. Or she could use
"concatenation," in which short words are concatenated together. Or she
could demand that every word in the challenge have at least 6 characters.
Or she could use "deletion," in which she demands that the challenge phrase
or sentence have at least 5 words of at least 5 characters each, and words
having less than 5 characters are deleted.

 WRAPAROUND: "Now is the time for all good men...
becomes  "Nowno isisi theth timet forfo allal goodg ..  to make each word
at least 5 characters long.

 CONCATENATION: "Now is the time for all good men...
becomes        "Nowis thetime forall goodmen tocome tothe aidof ...
where short words are concatenated to form the at-least-5- characters words.

 DELETION: "Radio and television are truly marvelous devices..." becomes
"Radio television truly marvelous devices..."

The challenger supplies the challenge and makes sure that the human to be
authenticated can spell all the words of the challenge. 


THE RESPONSE: The user uses her personal private knowledge to generate a
PUBLIC response to the PUBLIC challenge.

In this class of protocols, the response to a challenge is a string of 5
digits, where each digit is obtained by adding a particular selection of 3
challenge characters mod 10.

Addition mod 10 is just an example. Addition mod 9 and mod 11 are also easy
to perform and should be considered. The user might also want to do (some
or only) multiplication, and for this, mod 11 is strongly recommended as
the integers mod 11 form a field.

The selection of the digits from the challenge is a second very important
PRIVATE part of the protocol. To give the hang of possible selections, we
supply several examples and give some of the plusses and minusses:

EXAMPLE of PRIVATE PROTOCOLS for SELECTING DIGITS:

1. To produce the ith digit, select the first 3 digits of the ith word --
and add them up.
CHALLENGE = Now is the time for all good men
RESPONSE  = <N+o+w, i+s+i, t+h+e, t+i+m, f+o+r> 

PRO: simple.
CON: the response to   "Now is the time for all good men"
is nearly identical to "Now is the day for all good men."

Better to select the 3 digits to be summed from 3 distinct words.

2. The challenge should have at least 3 words each having at least 5
characters.  For the 1st digit, use the 1st character from each of the
first 3 5-character words. For the 2st digit, use the 2nd character from
each such word, etc.

CHALLENGE = Radio is truly marvelous
RESPONSE  = <R+t+m, a+r+a, d+u+r, i+l+v, o+y+e>

3. The challenge should have at least 5 words each at least 5 characters
long.  Sum the first 3 digits of the first word to select a location in the
word. Sum the 3 digits starting at that location -- with wraparound -- for
the first response digit. Go on to the next at-least-5-character-long word
for the next digit, and so on.
CHALLENGE: Radio and television are truly marvelous devices.
HIDDEN:      8            3           8      6         9
RESPONSE:  d+i+o        l+e+v       u+l+y  l+o+u     e+v+i

CON: 3 digits are being summed 10 times to get 5 digits of response.

4. The challenge should have at least 5 words. Sum the first 3 digits of
the ith word to select a location in the phrase -- treating the 1st
character of that ith word as location 1. Then sum the three digits
starting at that location in the phrase for the ith response digit. Go on
to the next word for the next location digit, and so on.
CHALLENGE: The        man      in      the      moon
HIDDEN:     0          9        6       0        3
RESPONSE:   n+T+h    m+o+o    m+o+o   n+t+h    o+n+T


Instead of 3 characters in a row, one might sum 3 vowels. or 3 consonants. 

Note that all capital letters are made up of 4 types of simple curves:
<vertical lines, horizontal lines, diagonal lines, cup shaped curves>. For
example, A = <0,1,2,0>. B = <1,0,0,2>.  The only somewhat questionable ones
are G, J and Q, which I personally take to be G = <1,1,0,1>. J = <1,1,0,1>.
And 
Q = <0,0,1,2>.  This could be the basis of a whole host of other PRIVATE
protocols from this class.


Notice that Blum's Plums leaves a lot to the user to choose. In this
respect it is much like the way that PASSWORDS are commonly selected.
(Another approach would be to give the user a particular protocol and
mnemonics supporting that protocol. I am NOT doing that, though protocols 3
and 4 above have the potential to give that.


Finally, it should be clear that a program must be written to find
weaknesses in a private protocol, and to suggest improvements.  To my mind,
this is the single most important objective to make this or some class like
it usable (PhD thesis anyone?).