SECURITY and CRYPTOGRAPHY 15-827                        18 OCT 01
Lecture #10                                        M.B. 4615 Wean

Recall Tuesday's PhonOID protocol (below). Does anyone have a good idea
how I might be generating these responses?

Challenge = a word or sentence having 5 or 6 characters.
Response  = a 4-digit vector.

CHALLENGE=  JUMP       DUMP       BUMP       HUMP
HIDDEN   =  5          8          6          2
RESPONSE =  <2,2,4,6>  <7,0,2,4>  <1,0,4,6>  <2,1,4,4>

CHALLENGE=  JUMPS      DUMPS      BUMPS      HUMPS
HIDDEN   =  0          3          1          7
RESPONSE =  <6,1,2,7>  <9,0,4,8>  <2,0,4,2>  <2,1,4,8>

CHALLENGE=  STUMP      LUMP       DREAM      REAM
HIDDEN   =  6          5          9          9
RESPONSE =  <2,2,4,8>  <2,2,4,4>  <7,5,9,2>  <8,8,0,2>

CHALLENGE=  STUMPS     LUMPS      SCREAM     CREAM
HIDDEN   =  1          0          0          5
RESPONSE =  <2,2,4,2>  <6,1,2,6>  <7,8,9,4>  <6,4,7,2>

Recall: Our first (in-class) MIDTERM EXAM -- along the lines of the
homework problem below -- will be on THURSDAY 25 OCTOBER, just one week
from today. Like all my exams, that midterm will be closed book.

HOMEWORK (due Tue 23 October):

Analyze some PART of the following CLASS of PhonOID protocols, which I
call "Blum's Plums." For example, you might do ONE of the following:

1. specify the class much more precisely, or
2. discuss how to teach a random mapping from characters to digits --
   but only if you have further insight to contribute :) or
3. discuss how a program for evaluating a person's private protocol
   might work (the PhD thesis topic alluded to at the end of this
   assignment), or
4. suggest and analyze additions to this protocol. For example, what
   are some simple ways for the user to make sure that the challenge
   has not been generated in a chosen-challenge attack?

Note that while you have seen several INSTANCES of PhonOID protocols,
this is the first (general) class of such protocols.

Blum's Plums:

ASSUMPTION: It is assumed that the (human) user has memorized a PRIVATE
randomly chosen mapping f from characters to digits, and that she can
nearly instantly recall f(x) for any character x. For example, she
might map A->1, B->2, C->3, ... J->0, ...
Z->6 but this would be *bad* if the user had to run through all the
characters up to J, say, to get the value of f(J). (The mapping would
also be bad because it is not random.)

DEFINITION: In what follows, "add characters x1,...,xk" will be
shorthand for the phrase "compute f(x1)+...+f(xk)."

THE CHALLENGE: The user is allowed to prescribe what will constitute a
legitimate challenge. If nothing is said, the challenge can be any
"short" English phrase or sentence containing at least 3 words each at
least 5 characters long.

There are several ways to accommodate "short" words, and the user must
specify how she intends to do so. For example, she could use
"wraparound," in which a short word is treated like a longer one. Or
she could use "concatenation," in which short words are concatenated
together. Or she could demand that every word in the challenge have at
least 6 characters. Or she could use "deletion," in which she demands
that the challenge phrase or sentence have at least 5 words of at least
5 characters each, and words having fewer than 5 characters are deleted.

WRAPAROUND: "Now is the time for all good men..." becomes
   "Nowno isisi theth timet forfo allal goodg ..."
   to make each word at least 5 characters long.

CONCATENATION: "Now is the time for all good men..." becomes
   "Nowis thetime forall goodmen tocome tothe aidof ..."
   where short words are concatenated to form the
   at-least-5-character words.

DELETION: "Radio and television are truly marvelous devices..." becomes
   "Radio television truly marvelous devices..."

The challenger supplies the challenge and makes sure that the human to
be authenticated can spell all the words of the challenge.

THE RESPONSE: The user uses her personal private knowledge to generate
a PUBLIC response to the PUBLIC challenge. In this class of protocols,
the response to a challenge is a string of 5 digits, where each digit
is obtained by adding a particular selection of 3 challenge characters
mod 10. Addition mod 10 is just an example.
Addition mod 9 and mod 11 are also easy to perform and should be
considered. The user might also want to do (some or only)
multiplication, and for this, mod 11 is strongly recommended as the
integers mod 11 form a field.

The selection of the digits from the challenge is a second very
important PRIVATE part of the protocol. To give the hang of possible
selections, we supply several examples and give some of the pluses and
minuses:

EXAMPLE of PRIVATE PROTOCOLS for SELECTING DIGITS:

1. To produce the ith digit, select the first 3 digits of the ith word
   -- and add them up.

   CHALLENGE = Now is the time for all good men
   RESPONSE  =

   PRO: simple.
   CON: the response to "Now is the time for all good men" is nearly
   identical to "Now is the day for all good men." Better to select the
   3 digits to be summed from 3 distinct words.

2. The challenge should have at least 3 words each having at least 5
   characters. For the 1st digit, use the 1st character from each of
   the first 3 5-character words. For the 2nd digit, use the 2nd
   character from each such word, etc.

   CHALLENGE = Radio is truly marvelous
   RESPONSE  =

3. The challenge should have at least 5 words each at least 5
   characters long. Sum the first 3 digits of the first word to select
   a location in the word. Sum the 3 digits starting at that location
   -- with wraparound -- for the first response digit. Go on to the
   next at-least-5-character-long word for the next digit, and so on.

   CHALLENGE: Radio  and  television  are  truly  marvelous  devices.
   HIDDEN:    8           3                8      6          9
   RESPONSE:  d+i+o       l+e+v            u+l+y  l+o+u      e+v+i

   CON: 3 digits are being summed 10 times to get 5 digits of response.

4. The challenge should have at least 5 words. Sum the first 3 digits
   of the ith word to select a location in the phrase -- treating the
   1st character of that ith word as location 1. Then sum the three
   digits starting at that location in the phrase for the ith response
   digit. Go on to the next word for the next location digit, and so on.
   CHALLENGE: The    man    in     the    moon
   HIDDEN:    0      9      6      0      3
   RESPONSE:  n+T+h  m+o+o  m+o+o  n+t+h  o+n+T

Instead of 3 characters in a row, one might sum 3 vowels, or 3
consonants.

Note that all capital letters are made up of 4 types of simple
curves: . For example, A = <0,1,2,0>. B = <1,0,0,2>. The only somewhat
questionable ones are G, J and Q, which I personally take to be
G = <1,1,0,1>. J = <1,1,0,1>. And Q = <0,0,1,2>. This could be the
basis of a whole host of other PRIVATE protocols from this class.

Notice that Blum's Plums leaves a lot to the user to choose. In this
respect it is much like the way that PASSWORDS are commonly selected.
(Another approach would be to give the user a particular protocol and
mnemonics supporting that protocol. I am NOT doing that, though
protocols 3 and 4 above have the potential to give that.)

Finally, it should be clear that a program must be written to find
weaknesses in a private protocol, and to suggest improvements. To my
mind, this is the single most important objective to make this or some
class like it usable (PhD thesis anyone?).
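
The following added example (not part of the original lecture notes) implements the three short-word rules and selection examples 1 and 2 above, then measures how many response digits change when one challenge word is swapped, averaged over randomly drawn mappings f. The function names, the seeded stand-in mappings, the five-digit cutoff in protocol 1, the handling of a leftover short word under concatenation, and the second "Radio" challenge are assumptions made for the example.

```python
import random
import string

def normalize(phrase, mode, min_len=5):
    """Turn a challenge phrase into words of at least min_len characters."""
    words = ["".join(c for c in w.lower() if c in string.ascii_lowercase)
             for w in phrase.split()]
    words = [w for w in words if w]
    if mode == "wraparound":      # "Now" -> "nowno": repeat the word cyclically
        return [(w * min_len)[:max(len(w), min_len)] for w in words]
    if mode == "deletion":        # drop words shorter than min_len
        return [w for w in words if len(w) >= min_len]
    if mode == "concatenation":   # glue consecutive words until long enough
        out, cur = [], ""
        for w in words:
            cur += w
            if len(cur) >= min_len:
                out.append(cur)
                cur = ""
        return out                # a too-short leftover is dropped (assumption)
    raise ValueError(mode)

def protocol1(words, f, mod=10):
    """Example 1: digit i = sum of the first 3 characters of word i."""
    return [sum(f[c] for c in w[:3]) % mod for w in words[:5]]

def protocol2(words, f, mod=10):
    """Example 2: digit j = sum of character j of each of the first 3 words."""
    return [sum(f[w[j]] for w in words[:3]) % mod for j in range(5)]

def random_mapping(rng):
    """Constructed stand-in for a user's private character-to-digit mapping f."""
    return {c: rng.randrange(10) for c in string.ascii_lowercase}

def mean_changed(protocol, mode, a, b, trials=200, seed=1):
    """Mean count of differing response digits for challenges a and b over
    `trials` random mappings (seeded only so the run is repeatable)."""
    rng = random.Random(seed)
    wa, wb = normalize(a, mode), normalize(b, mode)
    total = 0
    for _ in range(trials):
        f = random_mapping(rng)
        total += sum(x != y for x, y in zip(protocol(wa, f), protocol(wb, f)))
    return total / trials

if __name__ == "__main__":
    print("protocol 1:", mean_changed(protocol1, "wraparound",
          "Now is the time for all good men", "Now is the day for all good men"))
    print("protocol 2:", mean_changed(protocol2, "deletion",
          "Radio is truly marvelous", "Radio is truly splendid"))
```

Under a uniformly random f, a digit that depends on the swapped word stays unchanged with probability 1/10, so protocol 1 changes about 0.9 of its five digits for the time/day pair while protocol 2 changes about 4.5 when its third word is replaced.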