Posted by: jonkatz | March 6, 2012

Do I expect too much?

Disappointment in class today. (I am teaching an undergraduate class in computer and network security.)

I have covered the issue of malleable encryption in at least 4 lectures so far this semester: in the private-key setting (with examples of attacks against CBC mode and CTR mode), in the public-key setting (with examples of attacks against RSA and El Gamal encryption), in the half-lecture review of cryptography at the end of the unit on cryptography, and when talking about the attacks on WEP. I have also mentioned that non-malleable encryption schemes are available and should be used, explaining authenticated encryption in the private-key setting and telling them about (but not giving them the details of) RSA-OAEP in the public-key setting.

Today I described the following protocol for password-based authentication in a setting where the client knows the server’s public key (in addition to a password they share):

  1. The server sends a nonce R
  2. The client responds with an encryption of (pw, R)

I then pointed out that if encryption is not done carefully, there is an attack. (An easy example is given if Enc(pw, R) = Enc(pw), Enc(R).) I noted that the reason this attack is possible is precisely because of malleability. I then asked what type of encryption scheme should be used instead.

Not a single student was able to give a correct answer (“a non-malleable encryption scheme”).

Do I expect too much? I keep resisting the idea of “dumbing down” the class too much, but faced with things like this I am not sure what to do.
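
An added illustration, not part of the original post: the protocol above run with a toy ElGamal-style hybrid scheme (constructed parameters and hypothetical function names), comparing field-by-field encryption with a single authenticated ciphertext over pw || R. It assumes the "easy example" means recombining Enc(pw) from an earlier session with a fresh Enc(R), and it uses an encrypt-then-MAC construction as a stand-in for a non-malleable scheme such as RSA-OAEP.

```python
import hashlib, hmac, secrets

# Toy ElGamal-style group, constructed for illustration; far too small for real use.
P, G = 2**127 - 1, 3

def keygen():
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _derive(shared, n):
    # 32-byte MAC key followed by n keystream bytes, from the shared group element.
    out = hashlib.shake_256(shared.to_bytes(16, "big")).digest(32 + n)
    return out[:32], out[32:]

def enc(pk, msg, authenticated):
    y = secrets.randbelow(P - 2) + 1
    mac_key, stream = _derive(pow(pk, y, P), len(msg))
    body = _xor(msg, stream)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest() if authenticated else b""
    return pow(G, y, P), body, tag

def dec(sk, ct, authenticated):
    c1, body, tag = ct
    mac_key, stream = _derive(pow(c1, sk, P), len(body))
    expect = hmac.new(mac_key, body, hashlib.sha256).digest()
    if authenticated and not hmac.compare_digest(tag, expect):
        return None  # modified ciphertext is rejected before any plaintext is used
    return _xor(body, stream)

def demo():
    sk, pk = keygen()
    pw, r1, r2 = b"correct horse", secrets.token_bytes(16), secrets.token_bytes(16)
    # Session 1, honest client, as seen on the wire.
    weak1 = (enc(pk, pw, False), enc(pk, r1, False))   # Enc(pw), Enc(R)
    bound1 = enc(pk, pw + r1, True)                    # one authenticated Enc(pw || R)
    # Session 2: server issues r2; the sender below does not know pw.
    weak2 = (weak1[0], enc(pk, r2, False))             # old Enc(pw) + fresh Enc(r2)
    c1, body, tag = bound1
    mauled = (c1, body[:len(pw)] + _xor(body[len(pw):], _xor(r1, r2)), tag)
    weak_ok = lambda m, r: dec(sk, m[0], False) == pw and dec(sk, m[1], False) == r
    bound_ok = lambda c, r: dec(sk, c, True) == pw + r
    return {"weak_honest": weak_ok(weak1, r1), "weak_spliced": weak_ok(weak2, r2),
            "bound_honest": bound_ok(bound1, r1), "bound_mauled": bound_ok(mauled, r2)}

if __name__ == "__main__":
    print(demo())
```

The server accepts the recombined field-by-field message for the new nonce, while the authenticated ciphertext fails its tag check as soon as the nonce bytes are altered.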



  1. Students are risk-averse and fear traps. Also, they may have thought you were looking for something more specific. I suspect if you concluded your question with, “I mean just in general” or “this is not a trick question,” you’d have gotten the answer you’re looking for.

  2. How shy is your class usually?

  3. Almost everyone (outside the crypto community) that I ever talked to about encryption assumes that all good encryption schemes are non-malleable. The ones that are malleable are usually mentioned in a context of an attack on something, which creates the impression that the scheme itself is insecure (rather than just satisfying a weaker notion of security).

    Did you tell your students what the attack was? I suspect that they may have assumed that there’s something clever going on. So I agree with the trick question commenter above.

  4. Anon3, your question actually raises an interesting point that I thought about (and don’t have a solid answer for) this time around: how should encryption be taught to non-cryptographers? There are two natural possibilities:
    (1) Teach them that standard encryption schemes (CBC mode, CTR mode, El Gamal, etc.) give privacy but no “integrity”, and so if stronger properties are desired then one must be careful to choose an encryption scheme satisfying stronger security properties (OCB mode, RSA-OAEP, etc.).
    (2) Teach them that standard encryption schemes (OCB, RSA-OAEP, etc.) provide privacy and “integrity” just as they intuitively believe, anyway. Mention that there are weaker types of encryption out there (CBC mode, ECB mode, “textbook RSA”, etc.) but these should always be avoided.

    I’m starting to think the second approach might be better. There is less “understanding”, but perhaps such understanding belongs in a crypto class, not an applied class.

  5. I’m an undergrad who’s done research in Security, taken a Crypto class and currently taking a general Security class.
    I think you expect too little of your students. The answer was logically too obvious and general, that’s why no one thought of it. You essentially said “X doesn’t work because of Y”. Then asked them how they can make X work. You expected them to say “not Y.” Someone with no knowledge of computers could answer that, just based on some basic common sense. They thought you were looking for a more specific answer.

  6. I agree with Sean. I used to fall into this kind of “trap” all the time as a student.

  7. I think malleability is the wrong concept to teach anyway.

    I’d suggest teaching about confidentiality and integrity. I explain that one of the most common mistakes is to use encryption without authentication, thinking that all you need is confidentiality but not integrity, and actually ending up with neither. Make sure to give some real-world examples.

    Then, I would explain about the concept of a secure channel.

    I actually think that we do our students a disservice by focusing so heavily on the low-level primitives like encryption and message authentication. Those are too low-level, and consequently get misused. For 95% of applications, the abstraction they need is either a secure channel (e.g., SSL/TLS), or secure storage (e.g., GPG).

  8. Jonathan Katz
    Could I have your opinion about one post “P versus UP” in:

