Hi, folks, Ed Amaroso again. And we're going to spend some time in this video, crypto-analyzing the Lamport S/Key Protocol. You remember from previous video. I hope you've watched it, if you hadn't, you've got to go back and watch it. But the idea is that, the server stores F the N of some seed. The client sends F to the N minus one is a challenge. The server encrypts it one more time, and then compares. Now, the first thing you notice in this protocol is that when Alice is challenged to prove who she is, there's no seed that sent over. So we always want to say, "Oh, if there's no seed then there's no hint. " Hence, it must be ciphertext only cryptonalysis. Because as you recall, ciphertext only has no hints, known plaintext is hints. So, you'd think that, but here's what kind of interesting. When you think about the definition of F to the N of lambda, it means, let's say, it's F to the three of lambda, F to the N of lambda, F to the three of lambda. That's F of F of F lambda, that means, encrypt it once, encrypt it twice, encrypt it three times. That's what F to the N of lambda means. Which means that if I give you F to the two of lambda, and then you encrypt it one more time, you get F to the three of lambda. So F to the three of lambda, is F of F to the two of lambda. Sorry about all these Fs, and you might be going crazy, we always rewind and listen again. But here's the point, when you're trying to break an encryption function, when I show you F of something, what you want to do is you want to know that something inside, right? That's what cryptonalysis is. If I encrypt something, it's the something that you'd like to know. But I don't want you to know that so I only let's you see F of that, the encryption of something. So F of plaintext is ciphertext. So think about this: F to the N of lambda is F of F to the N minus one of lambda. But in the Lamport protocol, each round reveals successively, the previous value that's being encrypted. Think about it. So in some round, I'm looking at F to the N of lambda, right? What Eve would see going from Alice to Bob, is F to the N minus one of lambda, which if you think about it is the plaintext 'sort of' to the next round. If you wait one round, you'll see the plaintext that was used in the successive rounds encryption. You might have to think about a little bit. In our chart, I sort of show you round one, two, three, and four. So these little puzzles that you have to just get in your mind, but when it clicks, it's really awesome. Because you can see that in spite of the fact that no hint, no plain text is provided as part of the challenge, it's still known plaintext. This is not ciphertext only, there are hints because each round reveals the hint from the previous round. I think that such an interesting sort of mathematical kind of artifact that comes out of some of these protocols when you study them. Now, is that why people don't use Lamport protocol? I don't know. I thought it was an awesome protocol. And I think, for things like firewalls and host that are Internet facing that are exposed to all the different problems that come from being internet facing. I like the fact that the S/Key protocol doesn't store a seed lambda value but, you know, again, as we've talked about in previous videos, most people are using secure I.D. or passwords or as you'll see in subsequent videos, Kerberos is popular, as is, obviously, public key cryptography, which has really overtaken just about everything. And in most applications use public key cryptography which we'll look at. But I like to see S/Key because it illustrates the beauty of how these interaction between client and services handshake. This back and forth of messages can reveal interesting patterns for cryptoanalysis. I hope you've enjoyed this, and we'll see you on the next video.