Question
I am new to cryptography and am going through the book Understanding Cryptography by Paar and Pelzl.
From what I understand Symmetric key distribution systems like Kerberos do not provide PFS because an attacker will be able to decrypt every session key ever encrypted with a compromised KEK.
In the book, on page 342, they say that asymmetric ciphers like Diffie-Hellman or RSA, when used for key distribution, will provide PFS. I understand that Diffie-Hellman will provide PFS because each session key will have nothing to do with any other session key. However, I've been stumped for a few days now trying to figure out how RSA will provide PFS. Am I missing something or just misunderstanding what they wrote?
Explanation / Answer
Forward Secrecy (that is, maintaining confidentiality of messages enciphered before compromise of the long term key) can be achieved in a protocol using a public-key signature scheme with a long-term public key, and a public-key encryption scheme with a per-session key; but in the case of RSA signature and encryption, that's inefficient, thus unusual.
As an example: Bob has a long-term RSA key pair (MpubB,MprivB) used for signature, with MpubB trusted by Alice (perhaps by way of some certificate). In order for Alice to send a confidential message to Bob:
+ Alice
  - draws a 256-bit random R
  - sends R to Bob
+ Bob
  - generates a new RSA key pair (TpubB,TprivB) used for encryption,
  - RSA-signs the (hash of the) message R‖TpubB using MprivB giving signature S
  - sends TpubB‖S to Alice
+ Alice
  - gets TpubB and S
  - verifies that S is a valid signature with respect to MprivB for R‖TpubB, where R is from the recent first step
  - generates a random symmetric session key K
  - RSA-enciphers K using TpubB yielding X
  - enciphers the plaintext message M using key K by a symmetric algorithm (say, AES-CTR with implicit zero IV) yielding ciphertext C
  - forgets K
  - sends X‖C to Bob
+ Bob
  - gets X and C
  - RSA-deciphers X using TprivB yielding K
  - forgets TprivB
  - deciphers ciphertext C with key K yielding plaintext message M
  - forgets K.
K allows M to be large, when RSA encryption only directly allows short messages. R protects against replay of an earlier TpubB.
The scheme is inefficient because generation of a new RSA key pair is relatively expensive (and normally rare, thus not optimized for speed). That's a good reason why (EC)DH is most used in practice.
It is possible to send several messages using the same K, and/or reuse (TpubB,TprivB) across multiple sessions, improving performance. But Forward Secrecy triggers only when K and TprivB are forgotten, and R is no longer accepted.
Note: the scheme provides confidentiality, but not integrity or proof of origin; that can be added.
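As an added example (not code from the answer above), the exchange in Go using only the standard library: Bob's long-term key signs a per-session encryption key, Alice wraps a fresh K for that key only, and a compromise of MprivB after the session is tried against the recorded X. Details the answer leaves open are assumptions here: SHA-256 as the hash, PKCS#1 v1.5 signatures, OAEP for wrapping K, 2048-bit keys, and a PKCS#1 encoding of TpubB.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)
// mprivB models Bob's long-term RSA signing key pair (MpubB, MprivB); Alice trusts MpubB.
var mprivB, _ = rsa.GenerateKey(rand.Reader, 2048)
func must(err error) { if err != nil { panic(err) } }
// ctr is the symmetric step: AES-256-CTR with the answer's implicit zero IV, fine only because each K encrypts one message.
func ctr(k, in []byte) []byte {
	block, _ := aes.NewCipher(k) // 32-byte key, cannot fail
	out := make([]byte, len(in))
	cipher.NewCTR(block, make([]byte, aes.BlockSize)).XORKeyStream(out, in)
	return out
}
// runSession plays both roles for one message, then lets an eavesdropper who later obtained MprivB attack the recorded X.
func runSession(m []byte) (recovered []byte, attackerUnwrapsK bool) {
	r := make([]byte, 32) // Alice: fresh 256-bit R, stops replay of an old TpubB
	rand.Read(r)
	tprivB, err := rsa.GenerateKey(rand.Reader, 2048) // Bob: per-session encryption key pair
	must(err)
	tpubB := x509.MarshalPKCS1PublicKey(&tprivB.PublicKey)
	h := sha256.Sum256(append(append([]byte{}, r...), tpubB...)) // hash of R||TpubB
	s, err := rsa.SignPKCS1v15(nil, mprivB, crypto.SHA256, h[:])  // signed with MprivB
	must(err)
	// Alice: S must verify under MpubB for the R she just sent; then a fresh K is wrapped for TpubB only.
	must(rsa.VerifyPKCS1v15(&mprivB.PublicKey, crypto.SHA256, h[:], s))
	k := make([]byte, 32)
	rand.Read(k)
	x, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &tprivB.PublicKey, k, nil) // TpubB, as Alice parsed it
	must(err)
	c := ctr(k, m)
	// Bob: unwrap K with TprivB, decrypt C; after this TprivB and K go out of scope ("forgotten").
	k2, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, tprivB, x, nil)
	must(err)
	// Later: MprivB leaks. It is not the key X was wrapped for, and TprivB is gone, so K stays secret.
	_, leak := rsa.DecryptOAEP(sha256.New(), rand.Reader, mprivB, x, nil)
	return ctr(k2, c), leak == nil
}
func main() {
	got, broken := runSession([]byte("constructed sample message"))
	fmt.Printf("Bob read %q; attacker with MprivB unwraps K: %v\n", got, broken)
}
```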