Questions tagged as ['authentication']

My question is kind of related to this topic: Can we prove possession of an AES-256 key without showing it?
But I couldn't figure out how to apply it to my problem.
Description:
Let's say I have a hardware chip, and I want to prove it has not been copied. The chip can store an AES-128 key and can do some encryption with it - it can for example output a ciphered text and plain text. This key cannot be ...

Example:
- I send an email from address@domain1.com to address@domain2.com
- Using only the email I received in address@domain2.com, I'd like to prove to a 3rd party that I also own address@domain1.com
Edit: assume I own neither domain1 nor domain2, just have email addresses in both (gmail and hotmail, for example)
Are there established ways to achieve this?
I was looking through the S/MIME Message specification (RFC 8551) to find out what security services it offers. Section 2.4.4 of this document describing AuthEnvelopedData content type (which uses the CMS type of the same name) says:
This content type is used to apply data confidentiality and message integrity to a message. This content type does not provide authentication or non-repudiation.
Auth ...
Is there a reason why we can't combine private key MAC with digital signature to get a hybrid authentication scheme?
Is it because of the computational assumptions that digital signatures have?
Edit: (Clarification) I don't intend to combine them, it's a problem on a past final that I am doing as practice but I don't know how to explain why we can't combine them.
Can we encode with the set of $\{0,1\}$ and its Boolean operations any infinite domain that is subset of the real numbers $\mathbb{R}$ or the whole set of real numbers? For example can we encode the domain of a random variable $X$ that is a subset of the real numbers? Suppose that the random variable is normally distributed with mean $\mu_x\in \mathbb{R}$ and variance $\sigma_x^2>0$?
Let's say there is mutual authentication between a client which connects to a server on an otherwise unsecured TCP channel. Both parties create a random challenge and the other side answers with a keyed hash, based on a pre-shared symmetric key.
$$C \rightarrow \text{open connection} \rightarrow S$$
$$C \rightarrow challenge_C \rightarrow S$$
$$C \leftarrow challenge_S \leftarrow S$$
$$C\rightarrow H_K(chall ...
The following is a real-world problem. In a standardized protocol clients can connect to a server using mutual 4-pass authentication on an otherwise unsecured TCP channel:
- pass-1: Client sends random challenge C to server
- pass-2: Server answers by sending random challenge S to client
- pass-3: Client prepares res(S, K) and sends it to S
- pass-4: Server answers to client with res(C, K)
res(.) is GCM-GMAC ...
I have a web API with a custom API authentication system in which each user has a SecretKey and a public ApiKey. Using these two keys the client (or user) can generate a token for authentication on the server.
Consider this function generating an authentication token
public string GetToken(string apiKey, string secretKey, string expireTimestamp)
{
using var hashAlgorithm = SHA256.Create();
va ...

Alice wants to store key:value pairs with Bob.
The goal of the exercise is for Alice to be able to use Bob as a reliable data storage service, even if Bob were untrustworthy.
A (correctly implemented) MAC/AEAD/Signature means Bob cannot tamper with records.
But basic authentication is not sufficient to ensure that Bob returns the correct record, because it does not stop Bob from replaying old records ...

Anonymous credentials are used to prove certain properties of a specific user without revealing any other information, and transactional pseudonyms are used to authenticate a user as the rightful owner of a specific transaction without revealing any other information. Are transactional pseudonyms a form of anonymous credential, does anonymous credentials use transactional pseudonyms or are they distinct ...
STS Protocol is like this:
- $A \rightarrow B:~ g^x$
- $A \leftarrow B:~ g^y, E_K(S_B(g^y, g^x))$
- $A \rightarrow B:~ E_K(S_A(g^x, g^y))$
My question is why do we say in STS we have mutual authentication? For example:
- $A \rightarrow C: g^x$
- $C \rightarrow B: g^x$
- $C \leftarrow B: g^y, E_K(S_B(g^y, g^x))$
- $A \leftarrow C: g^y, E_K(S_B(g^y, g^x))$
so A will authenticate C instead of B!
Imagine that we have a protocol like this:
B -> A: RB
A -> B: {RB,B}K
Goal: authenticate A to B
K: a shared key between A and B
{}K: encrypting by K
After receiving {RB, B}K by B, B is able to authenticate A. But what if we have something like:
A -> C: {RB,B}K
C -> B: {RB,B}K
so in this case B will authenticate C instead of A, won't it?
I'm studying Key Establishment Using a Key Distribution Center. From my understanding, the KDC contains all the users' private keys. For example, if Alice wants to talk with Bob, Alice sends a request to the KDC using Request(IDAlice,IDBob) and the KDC generates a random session key and encrypts the session key with Alice's key and Bob's key. Alice receives the encryptwithAliceKey(SessionKey),encryptwithBo ...

Just for an example, let's say I downloaded "the adventures of tom sawyer" from gutenberg in .txt file format and saved it to my USB thumb drive.
And as you can see, a USB drive is not an ideal device for long-term data retention. But if I insist on using it, there's a possibility that any files in my storage would finally be corrupted after a long time without powering it up.
So what I will do now is to save ...

I am working on an E2E encrypted app. I am using OpenPGP.js and storing public and private keys on the server. The private key is encrypted with a BIP39 passphrase which is stored in browser LocalStorage so it's never sent to a server. But I also need some credentials for users to login.
My idea is to make a SHA256 hash of the BIP39 passphrase and split it into two strings. The first can be used for the "username" ...
When I want to use encryption only for a challenge-response exchange and not for hiding the contents of an encrypted message, is not changing the IV for each new encryption still a threat to me?
To make it easier to understand why I ask this, here is my situation:
I'm using two Arduinos with LoRa transceivers to communicate with each other. One is a bridge connected to the internet and the other is connected to servos ...
We are employing an AES-CCM 128-bit stream-cipher with 7-Byte Nonces and 12-Byte Authentication Tags in a communication protocol. Up until this point there was no need to use Additional Authenticated Data (AAD) in this protocol, as all transmitted data - apart from the Nonce - was encrypted.
In the meantime, some new networking-related requirements came up which may require one message-field to b ...
As I am fairly new to cryptography, I would like to understand how to, in a simple way, implement a system that would achieve the following: the user would have to set up a password, which would then be used to:
1.) encrypt the data provided by the user and save it in an encrypted form and 2.) to authenticate the user when using the system the next time and decrypt his data.
When searching for viable solut ...
I'm trying to understand how to perform authentication in a P2P network without a central server. Given a network with no central trusted unit and a PKI, how can one be sure of the authenticity of the public keys?
Usually the public keys would be signed by some central trusted authority which guarantees the authenticity of the keys. However, in a P2P network without a central server no such unit ...
I have read digital signature with Big Brother but don't understand the sequence.
One approach to digital signatures is to have a central authority that knows everything and whom everyone trusts, say Big Brother $(BB)$. Each user then chooses a secret key and carries it by hand to $BB$'s office. Thus, only Alice and $BB$ know Alice's secret key, $K_A$, and so on.
When Alice wants to send a signed plaint ...

If $H(k, M) = \tau$, in the context where $\tau$ is an $n$-bit tag produced as a MAC on a key, $k$, and a message, $M$, through a keyed-hash function, $H$, is there a function $F(\tau) = T$ that transforms $\tau$ into a group element, $T$, of some group, $G$, of order $2^{\frac{n}{2}}$, such that:
- The chance of producing any $T$ ( where $F(τ') = F(τ) = T$; and $τ' ≠ τ$ ) is given by $≈2^{\frac{-n ...
I've run into a small issue regarding authentication between 2 services (one-way communication) using public and private key authentication (Elliptic Curve, secp256k1).
The services will communicate via a REST API over HTTPS, and the proposed implementation would be to have the client sign something with its private key, send the signature along with the rest of the data, in the authentication ...
Let's say I wish to set up a classic username & password authentication strategy on a server. All communication is encrypted via TLS. But ideally, I still do not want the server to be able to read the passwords in plain text, even temporarily. To that end the client could send the password hashed and salted with some key (for simplicity let's assume it's the username). Let's call this a d ...

In speedrunning video games, one records a game being played and beaten in one continuous attempt. However, what can be done to cheat is to do multiple attempts, and splice together clips of the best segments to make one fast speedrun that wasn't done in a single continuous hop. This splicing isn't hard, as e.g. loading screens always look the same, so you can swap the video at those points witho ...

I have devices which need to communicate with a server over a mutually authenticated and encrypted channel. Authenticating the server is relatively easy, since I can embed the CA certificate in the device firmware and check the signature of the server's certificate. The problem is to authenticate the device to the server.
Normally I could sign the device's certificate as well, but there is no tru ...
We are currently designing a simple Challenge-Response Authentication Mechanism (CRAM) protocol based on symmetric cryptography that would be used on the constrained embedded devices that would operate in a closed short-range network.
Mutual authentication is desired. The security capabilities offered by the devices are for now unknown. Hence, we are focusing primarily on only using the AES proto ...
I understand that the password-based authorization check procedure requires that you enter a password that is correct, that is, does not allow even a single bit difference.
Suddenly I have this thought.
[System A] For password-based authorization system A, let's assume that the password is 256-bit.
And it always asks for the correct password for permission verification.
The probability of successful autho ...
I have been involved in a discussion the other day regarding the implementation of backend-to-backend authentication. The communications between each backend happen via SOAP (XML) message protocol.
Objective:
Authenticate calls originating from Backend A <> Backend B. All communications can be considered to go through TLS tunneling first
Their proposed solution:
Append a Signature in an XML Heade ...
Thanks to reverse engineering papers on Mifare Classic, one can study the authentication protocol. However, I have a problem understanding how it works.
In the above document, after the reader responds with $\{n_R\}$ $\{a_R\}$, the tag can now calculate $b_{32}$ (keystream) to $b_{63}$ (thanks to $n_T$, $\text{uid}$ and the tag's key) and XOR it with $\{n_R\}$ to retrieve $n_R$. But how can we be sure t ...

According to the Bluetooth Specification, the pairing process starts with Slave sending a connectable advertising packet and then the Master initiates the connection. In LE Legacy OOB authentication a secret 128-bit Temporary Key (TK) is supposed to be shared via some other secure channel, e.g. NFC, to be used in a challenge-response authentication, which goes like this:
- Master chooses random Mrand a ...