Disappointment in class today. (I am teaching an undergraduate class in computer and network security.)
I have covered the issue of malleable encryption in at least 4 lectures so far this semester: in the private-key setting (with examples of attacks against CBC mode and CTR mode), in the public-key setting (with examples of attacks against RSA and El Gamal encryption), in the half-lecture review of cryptography at the end of the unit on cryptography, and when talking about the attacks on WEP. I have also mentioned that non-malleable encryption schemes are available and should be used, explaining authenticated encryption in the private-key setting and telling them about (but not giving them the details of) RSA-OAEP in the public-key setting.
Today I described the following protocol for password-based authentication in a setting where the client knows the server’s public key (in addition to a password they share):
- The server sends a nonce R
- The client responds with an encryption of (pw, R)
I then pointed out that if encryption is not done carefully, there is an attack. (An easy example is given if Enc(pw, R) = Enc(pw), Enc(R).) I noted that the reason this attack is possible is precisely because of malleability. I then asked what type of encryption scheme should be used instead.
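As an added illustration (not part of the post), the following Go program uses RSA-OAEP from the standard library to contrast the broken encoding Enc(pw, R) = Enc(pw), Enc(R) with a single ciphertext that binds pw and R together: an eavesdropper who recorded one session can reuse Enc(pw) and encrypt the server's fresh nonce under the public key, and only the bound version rejects it. The password, nonces and length-prefixed message layout are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

func enc(pk *rsa.PublicKey, m []byte) []byte {
	c, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pk, m, nil)
	if err != nil {
		panic(err) // only if m exceeds the OAEP bound; demo inputs are short
	}
	return c
}
// Flawed protocol: the client sends Enc(pw, R) = Enc(pw), Enc(R), two independent ciphertexts.
func splitServerAccepts(sk *rsa.PrivateKey, msg [2][]byte, pw, r []byte) bool {
	gotPw, e1 := rsa.DecryptOAEP(sha256.New(), nil, sk, msg[0], nil)
	gotR, e2 := rsa.DecryptOAEP(sha256.New(), nil, sk, msg[1], nil)
	return e1 == nil && e2 == nil && bytes.Equal(gotPw, pw) && bytes.Equal(gotR, r)
}
// Fixed protocol: pw and R inside ONE OAEP ciphertext (constructed layout: length byte, pw, R).
func boundClient(pk *rsa.PublicKey, pw, r []byte) []byte {
	return enc(pk, append(append([]byte{byte(len(pw))}, pw...), r...))
}
func boundServerAccepts(sk *rsa.PrivateKey, c, pw, r []byte) bool {
	m, err := rsa.DecryptOAEP(sha256.New(), nil, sk, c, nil)
	if err != nil || len(m) < 1 || int(m[0]) > len(m)-1 {
		return false
	}
	n := int(m[0])
	return bytes.Equal(m[1:1+n], pw) && bytes.Equal(m[1+n:], r)
}
// Demo: an eavesdropper records session 1, then answers session 2's fresh nonce without pw.
// Returns (split scheme fooled, bound scheme holds). Password and nonces are constructed values.
func Demo() (bool, bool) {
	pw, nonceOld, nonceNew := []byte("correct horse battery"), []byte("R of session 1"), []byte("R of session 2")
	sk, _ := rsa.GenerateKey(rand.Reader, 2048)
	pk := &sk.PublicKey
	recSplit := [2][]byte{enc(pk, pw), enc(pk, nonceOld)} // recorded session-1 transcript
	recBound := boundClient(pk, pw, nonceOld)
	forged := [2][]byte{recSplit[0], enc(pk, nonceNew)} // reuse Enc(pw); fresh Enc(R) needs only pk
	return splitServerAccepts(sk, forged, pw, nonceNew), !boundServerAccepts(sk, recBound, pw, nonceNew)
}
func main() {
	fooled, holds := Demo()
	fmt.Println("split scheme fooled:", fooled, "| bound scheme holds:", holds)
}
```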
Not a single student was able to give a correct answer (“a non-malleable encryption scheme”).
Do I expect too much? I keep resisting the idea of “dumbing down” the class too much, but faced with things like this I am not sure what to do.