Some security protocols

1. Security Protocols and Applications of Cryptography
By: Abhijit Mondal
Needham-Schroeder Protocol :
Suppose A wants to talk with B over the network. How will B know that he is really talking to A.
This protocol authenticates A to B at the same time allowing them to exchange session keys over
the network.
1. A sends a message to Trent( a trusted individual or a computer program over the network)
consisting of his name a, B's name b and a random number rA
2. Trent generates a random session key k .
Trent then computes c2 = (beA , keA , rA eA , keAeB , aeAeB , teAeB ) mod p , where eA and eB are the
secret keys that Trent shares with A and B respectively, and t is the current system time.
Trent sends c2 to A. The time t is sent to prevent replay attacks, i.e. an adversary pretending
to be A may sent an old message to Bob.
3. A decrypts the message with eA and extracts the session key k and confirms that rA is the
same value that he sent to Trent. Then A sends to B, c3 = ( keB , aeB , teB ) mod p.
4. B decrypts the message with eB and extracts the session key k, generates a random value rB ,
and sends to A the message c4 = rBk mod p.
5. A decrypts the message with k and computes rB -1 and send to B the message c5 = (rB -1)k
mod p.
6. B decrypts the message with k and verifies that it is rB -1 so A must have the same session
key and he is the real person.
Kerberos Protocol :
Suppose A wants some service from a server S. Then A must authenicate himself to the server
before using it's services. In this symmetric key cryptographic protocol (using DES as encryption
algorithm) , there are 2 doors that needs to be opened before getting access to the server. The first
door is guarded by Kerberos and the second is the Ticket Granting Service(TGS) of the server.
1. A sends a message to the Kerberos server with his identity/password 'a' and the identity of
the Ticket Granting Service(TGS) of the server 'tgs'.
2. The Kerberos server generates a timestamp t, a lifetime for the timestamp l, a random
session key Ka,tgs . It then computes Ta,tgs = {tgs, DES(a, N, l, Ka,tgs ) (etgs) } , where N is the
network address of A, and etgs is the secret key of the TGS shared with Kerberos.
The Kerberos then encrypts the following with A's secret key eA , c1 = DES(Ka,tgs)(eA) and the
following with the TGS's secret key etgs : c2 = DES(Ta,tgs)(etgs). It then sends c1 and c2 to A.
3. A decrypts c1 and extracts Ka,tgs and computes the following Aa,tgs = {DES(a, t, key) (Ka,tgs) },
where key is an additional session key . Then A computes c3 = DES(Aa,tgs)(Ka,tgs ) and sends
c2 and c3 to the TGS of the server.
4. The TGS then decrypts c2 using etgs and extracts Ta,tgs . Then uses Ta,tgs to extract Ka,tgs . The
TGS then decrypt c3 using Ka,tgs and extracts Aa,tgs . The TGS then decrypts Aa,tgs and
compares the information in Aa,tgs with the information in Ta,tgs . If they match then the TGS
sends the following to the client A: c4 = {DES( Ka,s) (Ka,tgs )} and c5 = {DES(Ta,s) ( es )},
where Ta,s = {s, DES(a, N, l, Ka,s ) (es) }, Ka,s is the secret session key for A and the server
and es is the secret key the TGS shares with the server.
5. A then decrypts c4 with Ka,tgs and computes the following Aa,s = {DES(a, t, key) (Ka,s) }and
then c6 = {DES(Aa,s ) (Ka,s )}. A then sends c5 and c6 to the server for communication.
Secret Sharing Protocol :
Handing over the control of a missile to one military general or handing over the key of the locker

2. at the Swiss bank to any one individual would be a risky issue since he may turn out to be crooked.
So to minimise risk of a missile disaster or a bankruptcy is to partition the single key into n parts
and give each part to a trusted individual responsible for the control of the missile or the locker at
Swiss Bank, such that no less than m individuals can recover the orginal key from their share of the
keys. e.g. If the key is K and n = 3, and m =3 then choose k1 and k2 and compute K⊕k1⊕k2 = k3 .
Then distribute k1 , k2 and k3 to three trusted individuals. To construct the original key K , they need
all three keys such that k1⊕k1⊕k3 = K.
Algorithm :
1. Construct a (m-1) degree polynomial f(x) = am-1xm-1 + am-2xm-2 +.....+ a1x + K, where K is the
original secret key and ai ∈Zp for prime p, ai 's are the secrets that must be destroyed.
2. Evaluate f(1), f(2),....., f(n) (mod p) and distribute these values to the n trusted officials
assigned for the execution of the task.
3. To find K atleast m officials must come together and disclose their values, then perform
Gaussian elimination to solve the linear system of equations for ai 's and K. Less than m
individual cannot find K without a brute force search over Zp .
Zero Knowledge Proofs :
How to prove someone your identity without revealing information about you? How do you prove
someone that you know the proof of a problem without showing him/her the actual proof ?
This is called Zero Knowledge Proofs since you are not revealing information about your secret to
the verifier at the same time convincing him/her that you are the authentic person. The verifier may
be a spy who is looking to know your secret and pass on that secret to his nation.
e.g. Proving Graph Isomorphism to a verifier V.
Problem : P wants to prove to V the isomorphism between graphs G1 and G2 .
1. P generates a random permutation H of G1 such that H is isomorphic to G1 . P knows the
isomorphism between H and G2 . Finding the isomorphism between G1 and H or G2 and H is
as hard as finding the isomorphism between G1 and G2 , hence nobody knows the relations
between them.
2. P sends H to V.
3. V flips a coin and if its a head then V asks P to prove that H and G1 are isomorphic, else if
its a tail then V asks P to prove that H and G2 are isomorphic.
4. P then complies and proves to V either H and G1 are isomorphic or H and G2 are isomorphic.
5. P then again generates a random permutation graph H' isomorphic to either G1 or G2 and
both of them then follows the steps through 1 to 4. They do these n times until V is
convinced that P knows the isomorphism between G1 and G2 .
Here is how it works:
If P knows the isomorphism between G1 and G2 :
Then whether V asks P to prove H and G1 are isomorphic or H and G2 are isomorphic, P will be able
to prove V everytime until V is convinced of P's identity.
If P does not know the isomorphism between G1 and G2 :
Then if V asks P to prove H and , the graph from which P generated H, are isomorphic then P will
be able to fool V else P will be caught as some false guy. The probability that P will be able to fool
V after n round is 1 in 2n because in one round P fools V with a chance of ½. For n large, the
chances of a false P passing the test is very small.
Here is another variant of Zero Knowledge Proof :
Suppose P wants to prove to V that he knows the solution to the DLP : my = x (mod p) without
telling V what is the value of y.
1. P sends to V the values m, x and p.
2. V generates a random number a and computes the four combinations{am, a-1m-1, a-1m, am-1}

3. (mod p) in any random order and sends the quadruple to P, but does not reveal to P what is
the ordering of the values. V only sends {u,v,w,z} ∈ {am, a-1m-1, a-1m, am-1} (mod p) and
asks P to compute {uy, vy, wy, zy} (mod p).
3. P computes {uy, vy, wy, zy} (mod p) and sends them to V.
4. V then sends a (mod p) to P and asks him to find ay (mod p).
5. P computes ay (mod p) and sends to V.
6. Now V checks : {uy, vy, wy, zy} (mod p) ∈{ayx, a-yx-1, a-yx, ayx-1} (mod p) expects to be in the
correct order as he sent it before.
7. If all of the above relations hold and are in the correct order then V starts another round of
computation from step 2 and continues until V is convinced that P truly knows the value of
y. If any of the above results does not match then P is an impostor.
If P knows the ordering of {am, a-1m-1, a-1m, am-1} (mod p), then P can compute a and P can
construct values such that they give the same relations as when V computes them, thus V has no
chance of knowing whether P really did the computation V desired or P just constructed values to
fool him. Thus an impostor P has a chance of 1 in 24 of correctly guessing the exact permutation
and thus fooling V. In n rounds the chances that an impostor P successfully passes the test is 1/(24)n,
which is extremely small for large n. For n=10, chances that P fools V is of the order of 10-14.
V can still decrease this probability by choosing s random numbers and sending a permutation of
2s+1 elements modulo p. In that case chances of P fooling V in n rounds is 1/(2s+1 !)n . But for large s
the computation performed on the part of V increases exponentially, so s = 2 and n = 10 will be a
good enough choice to catch even the most notorious masterminds.