and sends it to Bob.

(2) Bob generates a random number, y. Using the Diffie-Hellman protocol he computes their shared key based on x and y: k. He signs x and y, and encrypts the signature using k. He then sends that, along with y, to Alice.

$y, E_k(S_B(x, y))$

(3) Alice also computes k. She decrypts the rest of Bob's message and verifies his signature. Then she sends Bob a signed message consisting of x and y, encrypted in their shared key.

$E_k(S_A(x, y))$

(4) Bob decrypts the message and verifies Alice's signature.

22.3 Shamir's Three-Pass Protocol
This protocol, invented by Adi Shamir but never published, enables Alice and Bob to communicate securely without any advance exchange of either secret keys or public keys [1008].

This assumes the existence of a symmetric cipher that is commutative, that is:

$E_A(E_B(P)) = E_B(E_A(P))$

Alice's secret key is A; Bob's secret key is B. Alice wants to send a message, M, to Bob. Here's the protocol.

(1) Alice encrypts M with her key and sends Bob

$C_1 = E_A(M)$

(2) Bob encrypts $C_1$ with his key and sends Alice

$C_2 = E_B(E_A(M))$

(3) Alice decrypts $C_2$ with her key and sends Bob

$C_3 = D_A(E_B(E_A(M))) = D_A(E_A(E_B(M))) = E_B(M)$

(4) Bob decrypts $C_3$ with his key to recover M.

One-time pads are commutative and have perfect secrecy, but they will not work with this protocol. With a one-time pad, the three ciphertext messages would be:

$C_1 = P \oplus A$
$C_2 = P \oplus A \oplus B$
$C_3 = P \oplus B$

Eve, who can record the three messages as they pass between Alice and Bob, simply XORs them together to retrieve the message:

$C_1 \oplus C_2 \oplus C_3 = (P \oplus A) \oplus (P \oplus A \oplus B) \oplus (P \oplus B) = P$

This clearly won't work.

Shamir (and independently, Jim Omura) described an encryption algorithm that will work with this protocol, one similar to RSA. Let p be a large prime for which $p - 1$ has a large prime factor. Choose an encryption key, e, such that e is relatively prime to $p - 1$. Calculate d such that $de \equiv 1 \pmod{p - 1}$.

To encrypt a message, calculate

$C = M^e \bmod p$

To decrypt a message, calculate

$M = C^d \bmod p$

There seems to be no way for Eve to recover M without solving the discrete logarithm probl...
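The three passes described above, run with the modular-exponentiation cipher and, for contrast, with a one-time pad, as an added example that is not from the original text. All function names are hypothetical, and the 64-bit prime is a demonstration size chosen so the primality test stays short; it is far too small for real use.

```python
import secrets
from math import gcd

def is_prime(n):
    # Miller-Rabin; this base set is deterministic for n < 3.3e24
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def safe_prime(bits=64):
    # p = 2q + 1 with q prime, so p - 1 has the large prime factor q
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1

def keypair(p):
    # e relatively prime to p - 1; d chosen so that d*e = 1 (mod p - 1)
    while True:
        e = secrets.randbelow(p - 3) + 2
        if gcd(e, p - 1) == 1:
            return e, pow(e, -1, p - 1)

def three_pass(m, p):
    # Requires 0 < m < p. Returns what Eve records and what Bob recovers.
    (ea, da), (eb, db) = keypair(p), keypair(p)
    c1 = pow(m, ea, p)    # (1) Alice -> Bob:  C1 = M^eA
    c2 = pow(c1, eb, p)   # (2) Bob -> Alice:  C2 = M^(eA*eB)
    c3 = pow(c2, da, p)   # (3) Alice -> Bob:  C3 = M^eB
    return (c1, c2, c3), pow(c3, db, p)   # (4) Bob applies dB

def otp_eve_recovers(P, nbits=64):
    # One-time-pad variant: Eve XORs the three recorded messages
    a, b = secrets.randbits(nbits), secrets.randbits(nbits)
    return (P ^ a) ^ (P ^ a ^ b) ^ (P ^ b)
```

Calling `three_pass(m, safe_prime())` with a constructed message such as `int.from_bytes(b"hello!!", "big")` returns the recorded ciphertexts and the value Bob recovers, while `otp_eve_recovers(m)` returns `m` itself for any pad values.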
 Fall '10
 ALIULGER
 Cryptography
