SECURITY and CRYPTOGRAPHY 15-827
5 NOV 01
Lecture #14
M.B.
4615 Wean

Last time, I started with an instance of a general CLASS of PHONOIDS, #80. That instance, and others like it, take me approximately 2 seconds per digit to generate a response:

    "If seven maids with seven mops swept it for half a year"
    29 39224 12833 4229 39224 8350 39541 41 448 3131 3 1435

I personally happen to like that PHONOID CLASS a lot! Why were students less than enthusiastic about it? They didn't like that to create one's own personal PHONOID INSTANCE, an INSTANCE of the general class of PHONOIDS, the user must be guided to come up with certain of his own ideas, much as he must be guided to the choice of good passwords. I do NOT consider this to be a serious weakness. Programs can help one to generate good ideas, just like programs can help one to generate good passwords.

There are at least two weaknesses with ordinary passwords:

1. Over-the-shoulder and Trojan-horse attacks. #80 helps a lot against these attacks!

2. A password can be badly chosen. Yes, this is a problem, but it's a problem only if there is no feedback to the user to modify and/or replace a bad password by a good one.

I do believe that the two ideas that #80 asked people to come up with (a PRIVATE rule for generating the first response digit, x1; and a PRIVATE permutation of the CHALLENGE) can be brainstormed by anyone who has seen and understood enough examples. Students felt that by requiring people to come up with ideas, the protocol was thereby weakened, and that it made the protocol harder if not impossible to analyze. To my mind, user creativity is a STRENGTH not a WEAKNESS. It's up to us to find a way to analyze the protocol as well as possible.

Having said that, I am today going to define a new class of PHONOIDS, #82, that solves ALL of the problems of #80 but one, and that one is the excessive amount of time that it takes to use #82 to produce a response.
Since #82 does not require much arithmetic, it may be that the response time can be greatly shortened (or that the protocol can be modified to make the response time short). This is still open.

ALL digits produced by #82 are equally random-looking. At the least, the user can use #82 to get ONE random-looking digit x1, then switch to #80 (the PHONOID CLASS of lecture 13) to generate the remaining digits. This greatly reduces what the user of #80 must come up with himself: only a private rule for an on-the-fly permutation of the challenge characters.

PHONOID CLASS #82 is good in almost every respect. A USER has to learn a function, a permutation, and a password that are randomly chosen and given to him. The user does not choose anything. To run the protocol, the user has only to do some very simple arithmetic mod 10. The class appears to be enormously resistant to chosen challenge attack.

CLASS #82 PHONOIDS DEFINED:

CHALLENGE = a single word consisting of at least k=3 and at most k=6 letters from the alphabetic characters A,...,Z. If k=3, the letters can be randomly chosen. For k>3, it would be better (for the user's memory) to choose a simple dictionary word.

RESPONSE = a K-digit number for K in {1,...,9}. In general we can produce up to 9 digits, no matter what the length of the challenge. It is not necessary for the k of the challenge to be the same as the K of the response, though for simplicity of explanation we take K=k.

The ALGORITHM CLASS assumes that the human USER has memorized a PRIVATE RANDOM function f: {A,...,Z} -> {0,...,9}, a PRIVATE RANDOM permutation g: {0,...,9} -> {0,...,9}, and a private random K-tuple of DISTINCT digits (d1,...,dK), called the *initializing password*. The USER does not supply any PRIVATE rules. She has only to follow the general algorithm below.

ALGORITHM: For i = 1..K, set

    xi = g(...g(g(di + f(a1)) + f(a2)) + ... + f(ak))

where every addition is mod 10. The RESPONSE to challenge a1...ak is x1...xK.

EXAMPLE with d1=7, d2=5, d3=8 and f: F->4, U->6, N->2, ...
g: 0->0 1->7 2->5 3->8 4->4 5->2 6->9 7->1 8->3 9->6

CHALLENGE = FUN (F=4, U=6, N=2)

HIDDEN (the user's private computation; at each step add the letter's f-value mod 10, then apply g):

    7 -> 7+F = 1 -> 7 -> 7+U = 3 -> 8 -> 8+N = 0 -> 0
    5 -> 5+F = 9 -> 6 -> 6+U = 2 -> 5 -> 5+N = 7 -> 1
    8 -> 8+F = 2 -> 5 -> 5+U = 1 -> 7 -> 7+N = 9 -> 6

RESPONSE = 016

Likewise, CHALLENGE = FNU gives RESPONSE = 561.

DEFINITION: Two alphabetic characters are EQUIVALENT if f maps both characters to the same digit. For example, A is equivalent to F since f(A) = f(F) = 4, but A is not equivalent to B since f(B) = 8.

Some OBSERVATIONS:

* Each digit of the RESPONSE is a nontrivial function of ALL the CHALLENGE characters. So a single change in any CHALLENGE character to a nonequivalent character will change the RESPONSE.

* In general, a permutation of the CHALLENGE characters will change the RESPONSE:

    FUN -> 016   UNF -> 408   UFN -> 162   NFU -> 930   NUF -> 628   FNU -> ?

* In general, a change in any one letter of the CHALLENGE to a nonequivalent character will change all the RESPONSE digits:

    BUG -> 603   HUG -> 478   JUG -> 986   MUG -> 254   RUG -> 391   TUG -> ?

* Here are my single-digit responses to single-digit challenges:

    CHALLENGE = A  B  C  D  E  I  J  P  Q  S
    RESPONSE  = 7  2  8  1  0  3  4  9  6  5

* My two-digit responses to single-digit challenges:

    CHALLENGE = A   B   C   D   E   I   J   P   Q   S
    RESPONSE  = 76  28  87  12  03  39  45  94  61  50

* My 3-digit responses to 1-digit challenges:

    CHALLENGE = A    B    C    D    E    I    J    P    Q    S
    RESPONSE  = 765  289  874  123  037  396  452  941  610  508

* Because addition mod 10 is an (algebraic) group, and because g is a permutation, the map di -> xi from the initializing password digit di to the corresponding response digit xi is 1:1.

* For the same reasons, and because permutations are invertible, the map di -> xi from the initial digit di to the corresponding response digit xi can be inverted. This means that from knowledge of f, g, the challenge, and xi, one can determine di. It follows that di <> dj => xi <> xj.
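As an added illustration (this code is mine, not part of the lecture notes), here is the #82 algorithm written out in Python with the private data the worked example above reveals: the password (7, 5, 8), the permutation g, and the f-values of the letters the notes list (F, U, N, A, B, C, D, E, I, J, P, Q, S). Letters whose f-value the notes never state (e.g. the G, H, M, R and T of the BUG...TUG list) are deliberately absent, so those challenges cannot be computed here; everything else in the notes' tables is reproduced from the algorithm alone.

```python
# Added example (not from the lecture notes): PHONOID CLASS #82 responses
# computed from the private data given in the notes' FUN example.

# f: letter -> digit.  Only the letters whose f-value the notes state are
# included (A and F are "equivalent" since f(A) = f(F) = 4; so are N and Q).
# Any other letter in a challenge raises KeyError rather than guessing f.
F_TABLE = {
    "A": 4, "B": 8, "C": 6, "D": 0, "E": 3, "F": 4, "I": 1,
    "J": 7, "N": 2, "P": 9, "Q": 2, "S": 5, "U": 6,
}

# g: the private random permutation of the digits 0..9 from the notes.
G_TABLE = {0: 0, 1: 7, 2: 5, 3: 8, 4: 4, 5: 2, 6: 9, 7: 1, 8: 3, 9: 6}

# Initializing password (d1, d2, d3): distinct digits the user memorizes.
PASSWORD = (7, 5, 8)


def response_digit(d, challenge, f=F_TABLE, g=G_TABLE):
    """x_i = g(...g(g(d + f(a1)) + f(a2)) ... + f(ak)), each sum taken mod 10.

    After every letter the running value is reduced mod 10 and sent through
    g, exactly as in the HIDDEN rows of the notes' FUN example.
    """
    t = d
    for letter in challenge:
        t = g[(t + f[letter]) % 10]
    return t


def respond(challenge, password=PASSWORD, f=F_TABLE, g=G_TABLE):
    """Full response as a string: one digit per password digit d_i.

    K = len(password) is the response length; it need not equal the
    challenge length (use PASSWORD[:1] for the notes' one-digit responses).
    """
    return "".join(str(response_digit(d, challenge, f, g)) for d in password)


def trace(d, challenge, f=F_TABLE, g=G_TABLE):
    """The notes' step-by-step HIDDEN row for one password digit, e.g.
    '7 -> 7+F = 1 -> 7 -> 7+U = 3 -> 8 -> 8+N = 0 -> 0'."""
    parts, t = [str(d)], d
    for letter in challenge:
        s = (t + f[letter]) % 10
        parts.append(f"{t}+{letter} = {s}")
        t = g[s]
        parts.append(str(t))
    return " -> ".join(parts)


def response_table(challenges, password=PASSWORD):
    """{challenge: response} for several challenges, e.g. the notes' lists."""
    return {c: respond(c, password) for c in challenges}


if __name__ == "__main__":
    for d in PASSWORD:
        print(trace(d, "FUN"))
    print("FUN ->", respond("FUN"))
    print("permuted challenges:",
          response_table(["FUN", "UNF", "UFN", "NFU", "NUF", "FNU"]))
    # The notes' 1-, 2- and 3-digit responses to the ten single-letter
    # challenges: the response length is just how many password digits we use.
    for K in (1, 2, 3):
        print(K, "digit(s):", response_table(list("ABCDEIJPQS"), PASSWORD[:K]))
```

Running it reproduces the notes' HIDDEN rows, 016 for FUN, the five permuted-challenge responses, and the three single-letter tables; it also answers the "FNU -> ?" question, since FNU is made of letters whose f-values are given.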
Since d1..dk are all DISTINCT, it follows that x1..xk are also all distinct -- even if some or all of the challenge characters are the same!

Example: A=4 B=8 C=6 D=0 E=3 I=1 J=7 P=9 Q=2 S=5

    CHALLENGE = AA  BB  CC  DD  EE  II  JJ  PP  QQ  SS
    RESPONSE  = 70  09  48  75  89  40  75  38  38  02

(note the repeated responses: 75 for both DD and JJ, and 38 for both PP and QQ!)

* It follows that knowing the responses (first row of the following table) to AA, AB, ..., AQ enables one to construct the response 57 to AS (the last entry of the first row). How? Similarly for all other rows and all columns.

A=4 B=8 C=6 D=0 E=3 I=1 J=7 P=9 Q=2 S=5

(row = first challenge letter, column = second challenge letter)

        A   B   C   D   E   I   J   P   Q   S
    A  70  24  85  19  06  31  48  92  63  57
    B  95  09  34  53  27  86  62  71  40  18
    C  57  92  48  31  70  63  24  19  06  85
    D  29  60  13  75  42  58  36  07  84  91
    E  41  37  96  08  89  74  10  65  52  23
    I  18  71  62  86  95  40  09  53  27  34
    J  36  58  07  42  13  29  75  84  91  60
    P  83  15  20  64  51  02  97  38  79  46
    Q  02  46  51  97  64  15  83  20  38  79
    S  64  83  79  20  38  97  51  46  15  02

HOMEWORK: Toss 100 balls into 90 bins.
  a) How many bins are expected to be empty? to have just one ball? to have two balls?
  b) Compare to the table above.

* The number of possible protocols of type #82, corresponding to the number of possible mappings f, permutations g, and initializing 3-digit passwords, is at least

    10^10 * 10! * 10*9*8 = 2.6 x 10^19

It follows that an eavesdropper must on average see at least 19 digits to have the information necessary to specify the protocol.
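The structural claims in this last part (each di -> xi is invertible given f, g and the challenge; every row and column of the two-letter table is forced by its other nine entries; the spread of the 100 two-letter responses over the possible bins) can all be checked mechanically. The following Python is an added example of mine, not from the lecture, using the lecture's password digits (7, 5), permutation g, and the f-values of the ten letters A B C D E I J P Q S. I read the homework's "90 bins" as the 90 two-digit strings with distinct digits, which is all a two-digit #82 response can be since x1 <> x2; that reading is my assumption.

```python
# Added example (not from the lecture notes): rebuild the 10x10 two-letter
# response table and verify the structure the notes point out.
from collections import Counter

LETTERS = "ABCDEIJPQS"
F_TABLE = {"A": 4, "B": 8, "C": 6, "D": 0, "E": 3,
           "I": 1, "J": 7, "P": 9, "Q": 2, "S": 5}
G_TABLE = {0: 0, 1: 7, 2: 5, 3: 8, 4: 4, 5: 2, 6: 9, 7: 1, 8: 3, 9: 6}
G_INVERSE = {v: k for k, v in G_TABLE.items()}   # g is a permutation, so invertible
PASSWORD = (7, 5)                                 # (d1, d2) from the notes' example


def response_digit(d, challenge):
    """x_i = g(...g(g(d + f(a1)) + f(a2)) ... + f(ak)), all sums mod 10."""
    t = d
    for letter in challenge:
        t = G_TABLE[(t + F_TABLE[letter]) % 10]
    return t


def recover_password_digit(x, challenge):
    """Invert d_i -> x_i: undo g and the f-additions in reverse order.

    This is the inversion the notes describe: knowing f, g, the challenge and
    x_i determines d_i, which is why distinct d_i always give distinct x_i.
    """
    t = x
    for letter in reversed(challenge):
        t = (G_INVERSE[t] - F_TABLE[letter]) % 10
    return t


def two_letter_table():
    """{(a1, a2): 'x1x2'} for all 100 two-letter challenges over LETTERS."""
    return {(a, b): "".join(str(response_digit(d, a + b)) for d in PASSWORD)
            for a in LETTERS for b in LETTERS}


def rows_and_columns_are_permutations(table):
    """The 'How?' behind AS = 57: with one letter fixed, each response position
    runs through all ten digits exactly once across the other letter (the ten
    f-values are distinct and g is a bijection), so nine entries fix the tenth."""
    for fixed in LETTERS:
        row = [table[(fixed, b)] for b in LETTERS]
        col = [table[(a, fixed)] for a in LETTERS]
        for line in (row, col):
            for pos in (0, 1):
                if sorted(r[pos] for r in line) != list("0123456789"):
                    return False
    return True


def missing_entry(known):
    """Given nine entries of one row or column, return the tenth: in each
    position it is the single digit not yet used."""
    digits = set("0123456789")
    return "".join((digits - {r[pos] for r in known}).pop() for pos in (0, 1))


def bin_occupancy(table):
    """For homework (b): how many of the 90 distinct-digit two-digit strings
    receive 0, 1, 2, ... of the 100 two-letter challenges."""
    counts = Counter(table.values())
    occupied = Counter(counts.values())
    occupied[0] = 90 - len(counts)
    return dict(sorted(occupied.items()))


if __name__ == "__main__":
    table = two_letter_table()
    print("    " + "   ".join(LETTERS))
    for a in LETTERS:
        print(a + "  " + "  ".join(table[(a, b)] for b in LETTERS))
    print("rows/columns are permutations:", rows_and_columns_are_permutations(table))
    print("AS from the other nine in row A:",
          missing_entry([table[("A", b)] for b in "ABCDEIJPQ"]))
    print("d1 recovered from x1=5 for AS:", recover_password_digit(5, "AS"))
    print("occupancy of the 90 bins:", bin_occupancy(table))
```

Printing the table gives exactly the ten rows in the notes, the two collisions marked above (DD and JJ both 75, PP and QQ both 38) included. `bin_occupancy` is the empirical side of the homework comparison; the expected counts for 100 random balls in 90 bins (part a) are left to the reader.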