the Presence of Adversaries Sharon Goldberg David Xiao, Eran Tromer, Boaz Barak, Jennifer Rexford
|
|
- Phillip Waters
- 5 years ago
- Views:
Transcription
1 Internet Path-Quality Monitoring in the Presence of Adversaries Sharon Goldberg David Xiao, Eran Tromer, Boaz Barak, Jennifer Rexford Princeton University Penn State University CS Seminar November 29, 2007
2 Applications of path-quality monitoring Bob node = router or Autonomous System (AS) Flexible Routing Applications: Traffic Engineering, Load balancing, Security Routers need tools to detect unacceptably high packet loss rates for Source routing: ( chooses nodes on path to Bob) Intelligent route control: (Switch paths based on performance) Overlay routing SLA compliance monitoring Necessary to drive innovation! [LC06] 2/19
3 To help protect your privacy, PowerPoint prevented this external picture from being automatically downloaded. To download and display this picture, click Options in the Message Bar, and then click Enable external content. The presence of adversaries Does packet loss rate exceed 1%? Bob ping Knows monitoring protocol Wants to hide packet loss from Eve ack Covers active attack: Corrupted router Botnet Greedy ISP And all benign failures. Today, we use approaches that are not robust to active attack or abnormal failures (e.g. ping, traceroute, trajectory sampling). Can we have both? Strong threat model --- Eve can add/drop/delay/modify packets Efficient protocols for high-speed routers 3/19
4 Design Goals Secure path quality monitoring (PQM) alarms if end-end packet loss rate exceeds β, regardless of Eve s behavior will not alarm if packet loss rate is less than α Strong threat model Eve occupies node(s) on the path Only detect loss, Knows the measurement protocol not prevent loss! Can add, drop, delay, modify packets Can treat measurement packets preferentially Can collude with other nodes Efficient protocols for high-speed routers Limited storage, computation, communication overhead Avoid marking or encrypting regular traffic Can we have both? (Yes) 4/19
5 This talk 1. Overview 2. Secure Sketch PQM 3. Composing PQM to localize faulty links 4. Conclusion 5/19
6 Background: Secure Path Quality Monitoring (PQM) d Monitors all traffic from interface d ack Bob stores each packet. Trivial PQM: 100% communication overhead. Bob acks each packet. Not practical for network layer! detects loss if a packet is not ack d d Unforgability: Eve can t forge ack to a dropped packet 6/19
7 Secure Sketch PQM: Overview d d d Bob Applies techniques from L2-norm estimation: [AMS96] [Ach01] [CCF2004] [TZ2004] Sketch PQM: and Bob keep short sketch Each maps info for T data packets to sketch Bob sends his sketch in a report compares sketches, decides if loss rate > β Unforgability: Unpredictable Mapping: Eve can t forge report Eve can t mask packet drops with packet adds Coordinated Mapping: and Bob identically map packets to sketch 7/19
8 Secure Sketch PQM: Security (1) Use keyed cryptographic c hash function f k : packet [N] x {+1,-1} f k (d) = (3,+1) f k (d) = (3,+1) d d d Bob We can assume that the T packets sends are unique. Repeat for T packets report Unforgability: Eve Reports can t are forge cryptographically report authenticated Unpredictable Mapping: Eve cannot can t mask predict packet output drops of hash with packet without adds the key Coordinated Mapping: and Bob have identically the same map hash packets function to sketch + key 8/19
9 Secure Sketch PQM: Security (2) What happens if a packet is dropped and replaced with a new packet? f k (d) = (3,+1) f k (d ) = (7,-1) d A d Bob +1-1 d' d B Cryptographic hash h ensures that t w.h.p d maps to new position in sketch, regardless of what Eve does Use the difference sketch X = A-B to detect packet drops + packet adds Unforgability: Unpredictable Mapping: Coordinated Mapping: Reports are cryptographically authenticated Eve cannot predict output of hash without the key and Bob have the same hash function + key 9/19
10 Secure Sketch PQM: Decision Rule To decide Secure between path packet quality loss monitoring rate < α (PQM) and > β: Take the alarms difference end-end sketch packet X = loss A-Brate exceeds β, Compute the regardless estimator of Eve s ΣX 2 behavior i Raise an will alarm not alarm iff if packet ΣX loss 2 i2 rate > 2αβ is β less /( (α + than β) α Equality when # dropped pkts adds and drops We can show that E [ ΣX 2 i ] n d + n a are unique pkts # added pkts Histogram of Estimator. β=1%, α=0.5%, T=10 6 packets, N=300 bins in sketch. Decision threshold α β 2 β α % % % % % % Normalized Estimator ΣX i2 /T
11 Secure Sketch PQM: Sample Parameters (1) Our result uses the facts that 1. sends unique packets during interval. 2. The mapping function uses hash that is indistinguishable from a random function. Thm (Simplified): can use a secure sketch PQM protocol to decide between cases where packet loss rate is < α and > β, with 99% success probability bilit if the sketch has N > 25.5 (1/25 - (β-α)/(β+α) ) -2 bins and T > 867 N (ln N ) / α are monitored per interval. packets If α = 0.5%,, β=1% then for T=10 9 we need N=300 bins. 11/19
12 Secure Sketch PQM: Sample Parameters (2) From the Thm, if α =05% 0.5%, β=1% then for T=10 9 we need N=300 bins. Numerical experiments suggest that for T=10 6 or less, N=150 bins is enough. N, number of bins. T=10 6, β =1%, α=0.5% If N=150 T Sketch Size bytes bytes bytes bytes 12/19
13 Secure Sketch PQM Summary 1. Low storage overhead T Sketch Size 2. Low communication overhead bytes 1 report packet / T regular packets bytes Report contains sketch and authenticator bytes 3. No packet marking bytes Protocol is backward compatible. Can be implemented in a monitor off the router s critical path 4. One cryptographic hash computation per packet Online setting means we can use fast hash functions High-throughput Latency doesn t matter, Parallelizable 5. Shared keys at and Bob Can be derived from public key infrastructure via key exchange Thm [GXTBR08]: Any secure PQM protocol robust to adversarial nodes on the path that can add/drop packets, needs a key infrastructure and crypto. 13/19
14 This talk 1. Overview 2. Secure Sketch PQM 3. Composing PQM to localize faulty links 4. Conclusion 14/19
15 Fault Localization (FL) Bob We assume: 1. knows identity of nodes on path. 2. Paths are symmetric. 3. Eve occupies node(s) on the path, and can add, drop, modify packets. 4. doesn t know where Eve is. Secure fault localization (FL): If the packet loss rate on a link exceeds β, outputs that link (or a link adjacent to Eve) regardless of Eve s behavior will not alarm if packet loss rate on the path is less than α Thm [BGX08]: Any secure FL protocol robust to adversarial nodes on the path that can add and drop packets, requires keys and crypto at each node. 15/19
16 Composition of Sketch PQM to FL (1) k 1 1, k 2 2, k 3 3, k 4 4, k B k 1 k 2 k 3 k 4 k B Bob Secure fault localization (FL): If the packet loss rate on a link exceeds β, outputs that link (or a link adjacent to Eve) regardless of Eve s behavior will not alarm if packet loss rate on the path is less than α Composition Overview 1. shares a key with each node on the path. 2. runs secure sketch PQM with each node on the path. 3. After T packets have been sent, requests a report. 4. Each node responds with a report containing its sketch, and authenticated with an onion message authentication code. 16/19
17 Composition of Sketch PQM to FL (2) k 1 1, k 2 2, k 3 3, k 4 4, k B k 1 k 2 k 3 k 4 k B Bob [send sketches] σ B =[ sketch B ] B σ 4 =[ sketch 4, σ B ] 4 σ 3 =[ sketch 3, σ 4 ] 3 σ 2 =[ sketch 2, σ 3 ] 2 σ 1 =[ sketch 1, σ 2 ] 1 Onionizing the reports prevents Eve selectively dropping reports for an innocent node. 17/19
18 Summary of Contributions [G., Xiao., Tromer, Barak, Rexford, Path-Quality Monitoring in the Presence of Adversaries, SIGMETRICS 2008.] [Barak, G., Xiao., Protocols and Lower Bounds for Fault Localization in the Internet, EUROCRYPT 2008.] 1) Positive security definitions for PQM and FL, not attack taxonomies 2) Proof that Secure PQM needs keys and crypto 3) Efficient PQM is possible for very strong threat model a) Secure sketch protocol New bound on parameters. Uses uniqueness of traffic. b) Secure sampling protocol for symmetric + client-server settings Measure delay as well as loss 4) Proof that secure FL requires keys and crypto at each node Non-trivial proof using black-box separations and learning theory Secure FL requires participation from all nodes on path 5) Per-packet FL protocol 6) Composition of PQM protocols to statistical FL protocols. 18/19
19 Conclusions What security primitives can we have in future networks? What is the right balance between strength of threat model and efficiency of scheme? We showed here that: 1. Efficient PQM is possible for very strong threat model 2. Secure FL requires keys and crypto at each node,, Hard to get full participation in Internet May be better for highly-secure networks / special traffic 3. What about other areas? BGP security, secure availability, And that We can use theoretical cryptography to inform what we do in practice! 19/19
20 Thanks! [G., Xiao., Tromer, Barak, Rexford, Path-Quality Monitoring in the Presence of Adversaries, in submission.] [Barak, G., Xiao., Protocols and Lower Bounds for Fault Localization in the Internet, in submission.] Princeton University
21 Secure PQM needs keys Our protocol requires es a key infrastructure between ee and Bob. Thm: Any secure PQM protocol that is robust adversaries on the path that can add and drop packets requires a key infrastructure. Bob Proof: (In the contrapositive) Assume and Bob do not have a shared key All the packets that sends to Bob pass thru Eve Then Eve knows everything Bob knows Not necessarily pairwise keys! Eve drops all packets Eve impersonates Bob s reverse path messages (e.g. report) won t detect packet loss, so Eve breaks security. 21/22
22 Secure PQM needs crypto (1) Our protocol requires es a key infrastructure between ee and Bob. Thm: Any secure PQM protocol that is robust adversaries on the path that can add/drop packets must invoke cryptographic operations. Proof: (By reduction to keyed identification schemes (KIS) ) k Challenge k No alarm p Response: I m really Bob Bob y 22/22
23 Secure PQM needs crypto (2) Our protocol requires es a key infrastructure between ee and Bob. Thm: Any secure PQM protocol that is robust adversaries on the path that can add/drop packets must invoke cryptographic operations. Proof: (By reduction to keyed identification schemes (KIS) ) k Challenge k alarm Response: Trust me, I m Bob Eve Bob Eve 23/22
24 Secure PQM needs crypto (3) Our protocol requires es a key infrastructure between ee and Bob. Thm: Any secure PQM protocol that is robust adversaries on the path that can add/drop packets must invoke cryptographic operations. Proof: (By reduction to keyed identification schemes (KIS) ) k k Bob Bob Challenge: Traffic that sends on the forward path Response: KIS are Reverse at least path as computationally messages, ie i.e. report. complex as symmetric cryptographic primitives (e.g. encryption, MAC) Alarm if report is invalid. Secure PQM needs crypto 24/22
25 To help protect your privacy, PowerPoint prevented this external picture from being automatically downloaded. To download and display this picture, click Options in the Message Bar, and then click Enable external content. Fault Localization needs keys at each node Theorem: Each node needs a shared secret with Proof: Suppose node i does not a share secret with any upstream node: Keyless Bob Case (a): Node i+1 is unreachable Case (b): Eve drops packets and impersonates keyless node i Case (a) and case (b) are indistinguishable to In case (b) Eve drops packets while making innocent link (i, i+1) look guilty. The FL protocol cannot be secure. 25/22
26 To help protect your privacy, PowerPoint prevented this external picture from being automatically downloaded. To download and display this picture, click Options in the Message Bar, and then click Enable external content. Fault localization needs crypto at each node Theorem: Each node i needs to perform cryptographic operations Proof: Suppose node i has a shares key k i with but does not do crypto. Eve impersonates node i. he needs to learn k i! Case (b): Eve drops packets and impersonates crypto-less node i Since i doesn t do crypto, Eve can learn k i by observing case (a), which happens with constant probability due to congestion Case (a): Node i+1 is unreachable due to congestion Then Eve can impersonate node i in case (b) and FL protocol is not secure! 26/22
Failure Localization in the Internet
Failure Localization in the Internet Boaz Barak, Sharon Goldberg, David Xiao Princeton University Excerpts of talks presented at Stanford, U Maryland, NYU. Why use Internet path-quality monitoring? Internet:
More informationProtocols and Lower Bounds for Failure Localization in the Internet
Protocols and Lower Bounds for Failure Localization in the Internet Boaz Barak, Sharon Goldberg, and David Xiao Princeton University, Princeton, NJ 08544 Abstract. A secure failure-localization path-quality-monitoring
More informationMeasuring Path Quality in the Presence of Adversaries: The Role of Cryptography in Network Accountability
Measuring Path Quality in the Presence of Adversaries: The Role of Cryptography in Network Accountability Sharon Goldberg, David Xiao, Boaz Barak, and Jennifer Rexford Princeton University ABSTRACT Mechanisms
More informationPath-Quality Monitoring in the Presence of Adversaries
Path-Quality Monitoring in the Presence of Adversaries Sharon Goldberg 1, David Xiao 1, Eran Tromer, Boaz Barak 1, Jennifer Rexford 1 1 Princeton University, Princeton, NJ 08544 MIT, Cambridge, MA 0139
More informationPath-Quality Monitoring in the Presence of Adversaries
Path-Quality Monitoring in the Presence of Adversaries Full version from March 7, 8 Sharon Goldberg 1, David Xiao 1, Eran Tromer, Boaz Barak 1, Jennifer Rexford 1 1 Princeton University, Princeton, NJ
More informationWireless Network Security Spring 2015
Wireless Network Security Spring 2015 Patrick Tague Class #12 Forwarding Security 2015 Patrick Tague 1 SoW Presentation SoW Thursday in class I'll post a template Each team gets ~5-8 minutes Written SoW
More informationShortMAC: Efficient Data-plane Fault Localization. Xin Zhang, Zongwei Zhou, Hsu- Chun Hsiao, Tiffany Hyun- Jin Kim Adrian Perrig and Patrick Tague
ShortMAC: Efficient Data-plane Fault Localization Xin Zhang, Zongwei Zhou, Hsu- Chun Hsiao, Tiffany Hyun- Jin Kim Adrian Perrig and Patrick Tague What is Fault LocalizaDon? Problem defini-on Iden-fy faulty
More informationShortMAC: Efficient Data-Plane Fault Localization
ShortMAC: Efficient Data-Plane Fault Localization Xin Zhang, Zongwei Zhou, Hsu-Chun Hsiao, Tiffany Hyun-Jin Kim, Adrian Perrig and Patrick Tague CyLab / Carnegie Mellon University Abstract The rising demand
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lecture 18: Cryptographic hash functions, Message authentication codes Functions Definition Given two sets, X and Y, a function f : X Y (from set X to set Y), is
More informationShortMAC: Efficient Data-Plane Fault Localization
ShortMAC: Efficient Data-Plane Fault Localization Xin Zhang, Zongwei Zhou, Hsu-Chun Hsiao, Tiffany Kim, Patrick Tague, and Adrian Perrig January 30, 2011 CMU-CyLab-11-007 CyLab Carnegie Mellon University
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationPacket-dropping Adversary Identification for Data Plane Security
Packet-dropping Adversary Identification for Data Plane Security Xin Zhang Carnegie Mellon University xzhang1@cmu.edu Abhishek Jain UCLA abhishek@cs.ucla.edu Adrian Perrig Carnegie Mellon University perrig@cmu.edu
More informationWireless Network Security Spring 2016
Wireless Network Security Spring 2016 Patrick Tague Class #12 Routing Security; Forwarding Security 2016 Patrick Tague 1 SoW Presentation SoW Thursday in class I'll post a template Each team gets ~5 minutes
More informationSecure Multiparty Computation: Introduction. Ran Cohen (Tel Aviv University)
Secure Multiparty Computation: Introduction Ran Cohen (Tel Aviv University) Scenario 1: Private Dating Alice and Bob meet at a pub If both of them want to date together they will find out If Alice doesn
More informationSymmetric-Key Cryptography Part 1. Tom Shrimpton Portland State University
Symmetric-Key Cryptography Part 1 Tom Shrimpton Portland State University Building a privacy-providing primitive I want my communication with Bob to be private -- Alice What kind of communication? SMS?
More informationLecture 18 Message Integrity. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422
Lecture 18 Message Integrity Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides from Miller & Bailey s ECE 422 Cryptography is the study/practice of techniques for secure communication,
More informationSecurity Protections for Mobile Agents
Stephen R. Tate Dept. of Computer Science and Engineering University of North Texas Talk describes joint work with Ke Xu and Vandana Gunupudi Research supported by the National Science Foundation class
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 15 February 29, 2012 CPSC 467b, Lecture 15 1/65 Message Digest / Cryptographic Hash Functions Hash Function Constructions Extending
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationSecurity. Communication security. System Security
Security Communication security security of data channel typical assumption: adversary has access to the physical link over which data is transmitted cryptographic separation is necessary System Security
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationDaniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven
Goals of authenticated encryption Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven More details, credits: competitions.cr.yp.to /features.html Encryption sender
More informationUNIT - IV Cryptographic Hash Function 31.1
UNIT - IV Cryptographic Hash Function 31.1 31-11 SECURITY SERVICES Network security can provide five services. Four of these services are related to the message exchanged using the network. The fifth service
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationAn On-demand Secure Routing Protocol Resilient to Byzantine Failures. Routing: objective. Communication Vulnerabilities
An On-demand Secure Routing Protocol Resilient to Byzantine Failures Baruch Awerbuch Johns Hopkins University On-Demand vs. Proactive Routing Security Concerns On-Demand Source Authentication Caching presents
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationA SIMPLE INTRODUCTION TO TOR
A SIMPLE INTRODUCTION TO TOR The Onion Router Fabrizio d'amore May 2015 Tor 2 Privacy on Public Networks Internet is designed as a public network Wi-Fi access points, network routers see all traffic that
More informationAn On-demand Secure Routing Protocol Resilient to Byzantine Failures
An On-demand Secure Routing Protocol Resilient to Byzantine Failures Baruch Awerbuch Johns Hopkins University Joint work with David Holmer, Cristina Nita-Rotaru, and Herbert Rubens Based on paper at WiSe2002
More informationProtocols for Anonymous Communication
18734: Foundations of Privacy Protocols for Anonymous Communication Anupam Datta CMU Fall 2016 Privacy on Public Networks } Internet is designed as a public network } Machines on your LAN may see your
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationLecture 8 - Message Authentication Codes
Lecture 8 - Message Authentication Codes Benny Applebaum, Boaz Barak October 12, 2007 Data integrity Until now we ve only been interested in protecting secrecy of data. However, in many cases what we care
More informationCS 495 Cryptography Lecture 6
CS 495 Cryptography Lecture 6 Dr. Mohammad Nabil Alaggan malaggan@fci.helwan.edu.eg Helwan University Faculty of Computers and Information CS 495 Fall 2014 http://piazza.com/fci_helwan_university/fall2014/cs495
More informationENEE 459-C Computer Security. Security protocols (continued)
ENEE 459-C Computer Security Security protocols (continued) Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p
More informationAnnouncements. me your survey: See the Announcements page. Today. Reading. Take a break around 10:15am. Ack: Some figures are from Coulouris
Announcements Email me your survey: See the Announcements page Today Conceptual overview of distributed systems System models Reading Today: Chapter 2 of Coulouris Next topic: client-side processing (HTML,
More information0x1A Great Papers in Computer Security
CS 380S 0x1A Great Papers in Computer Security Vitaly Shmatikov http://www.cs.utexas.edu/~shmat/courses/cs380s/ Privacy on Public Networks Internet is designed as a public network Wi-Fi access points,
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationNetwork Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: Anonymity Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor
More informationCryptographic Primitives and Protocols for MANETs. Jonathan Katz University of Maryland
Cryptographic Primitives and Protocols for MANETs Jonathan Katz University of Maryland Fundamental problem(s) How to achieve secure message authentication / transmission in MANETs, when: Severe resource
More informationAnonymous communications: Crowds and Tor
Anonymous communications: Crowds and Tor Basic concepts What do we want to hide? sender anonymity attacker cannot determine who the sender of a particular message is receiver anonymity attacker cannot
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationDistributed ID-based Signature Using Tamper-Resistant Module
, pp.13-18 http://dx.doi.org/10.14257/astl.2013.29.03 Distributed ID-based Signature Using Tamper-Resistant Module Shinsaku Kiyomoto, Tsukasa Ishiguro, and Yutaka Miyake KDDI R & D Laboratories Inc., 2-1-15,
More informationENEE 459-C Computer Security. Security protocols
ENEE 459-C Computer Security Security protocols Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public.
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationNotes for Lecture 21. From One-Time Signatures to Fully Secure Signatures
U.C. Berkeley CS276: Cryptography Handout N21 Luca Trevisan April 7, 2009 Notes for Lecture 21 Scribed by Anand Bhaskar, posted May 1, 2009 Summary Today we show how to construct an inefficient (but efficiently
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2017
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2017 Message Authentication Codes Syntax: Key space K λ Message space M Tag space T λ MAC(k,m) à σ Ver(k,m,σ) à 0/1 Correctness: m,k,
More informationSource Authentication in Group Communication Systems
Source Authentication in Group Communication Systems Xin Zhao University of Michigan 1301 Beal Ave, Ann Arbor, MI, 48105, USA zhaoxin@eecs.umich.edu Atul Prakash University of Michigan 1301 Beal Ave, Ann
More informationDetecting Denial of Service Attacks in Tor
Norman Danner Danny Krizanc Marc Liberatore Department of Mathematics and Computer Science Wesleyan University Middletown, CT 06459 USA Financial Cryptography and Data Security 2009 Outline 1 Background
More informationResearch Statement. Yehuda Lindell. Dept. of Computer Science Bar-Ilan University, Israel.
Research Statement Yehuda Lindell Dept. of Computer Science Bar-Ilan University, Israel. lindell@cs.biu.ac.il www.cs.biu.ac.il/ lindell July 11, 2005 The main focus of my research is the theoretical foundations
More informationAnonymous Connections and Onion Routing
Anonymous Connections and Onion Routing David Goldschlag, Michael Reed, and Paul Syverson Center for High Assurance Computer Systems Naval Research Laboratory Washington, D.C. 1 Who is Talking to Whom?
More informationDoS Attacks. Network Traceback. The Ultimate Goal. The Ultimate Goal. Overview of Traceback Ideas. Easy to launch. Hard to trace.
DoS Attacks Network Traceback Eric Stone Easy to launch Hard to trace Zombie machines Fake header info The Ultimate Goal Stopping attacks at the source To stop an attack at its source, you need to know
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationVerifiably Encrypted Signature Scheme with Threshold Adjudication
Verifiably Encrypted Signature Scheme with Threshold Adjudication M. Choudary Gorantla and Ashutosh Saxena Institute for Development and Research in Banking Technology Road No. 1, Castle Hills, Masab Tank,
More informationOnion Routing. Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J
Onion Routing Submitted By, Harikrishnan S Ramji Nagariya Sai Sambhu J Motivation Public Network Encryption does not hide Routing Information Traffic Analysis Who is Talking to Whom? by analyzing the traffic
More informationFrom Routing to Traffic Engineering
1 From Routing to Traffic Engineering Robert Soulé Advanced Networking Fall 2016 2 In the beginning B Goal: pair-wise connectivity (get packets from A to B) Approach: configure static rules in routers
More informationConcrete cryptographic security in F*
Concrete cryptographic security in F* crypto hash (SHA3) INT-CMA encrypt then-mac Auth. encryption Secure RPC some some some adversary attack attack symmetric encryption (AES). IND-CMA, CCA2 secure channels
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationComputer Networks. Wenzhong Li. Nanjing University
Computer Networks Wenzhong Li Nanjing University 1 Chapter 7. Network Security Network Attacks Cryptographic Technologies Message Integrity and Authentication Key Distribution Firewalls Transport Layer
More informationLecture 6: Symmetric Cryptography. CS 5430 February 21, 2018
Lecture 6: Symmetric Cryptography CS 5430 February 21, 2018 The Big Picture Thus Far Attacks are perpetrated by threats that inflict harm by exploiting vulnerabilities which are controlled by countermeasures.
More informationLecture 1: Perfect Security
CS 290G (Fall 2014) Introduction to Cryptography Oct 2nd, 2014 Instructor: Rachel Lin 1 Recap Lecture 1: Perfect Security Scribe: John Retterer-Moore Last class, we introduced modern cryptography and gave
More informationCryptographic Primitives A brief introduction. Ragesh Jaiswal CSE, IIT Delhi
Cryptographic Primitives A brief introduction Ragesh Jaiswal CSE, IIT Delhi Cryptography: Introduction Throughout most of history: Cryptography = art of secret writing Secure communication M M = D K (C)
More informationCS Paul Krzyzanowski
Question 1 Explain why hypervisor rootkits are more difficult to detect than user-mode or kernel-mode rootkits. Computer Security 2018 Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2018 The
More informationComputer Security Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 2018 Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2018 April 16, 2018 CS 419 2018 Paul Krzyzanowski 1 Question 1 Explain why hypervisor rootkits are more difficult to detect
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More information2.1 Basic Cryptography Concepts
ENEE739B Fall 2005 Part 2 Secure Media Communications 2.1 Basic Cryptography Concepts Min Wu Electrical and Computer Engineering University of Maryland, College Park Outline: Basic Security/Crypto Concepts
More informationDesign and Analysis of Efficient Anonymous Communication Protocols
Design and Analysis of Efficient Anonymous Communication Protocols Thesis Defense Aaron Johnson Department of Computer Science Yale University 7/1/2009 1 Acknowledgements Joan Feigenbaum Paul Syverson
More informationNetwork Security. Tadayoshi Kohno
CSE 484 (Winter 2011) Network Security Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
More informationIntroduction to Cryptography. Lecture 6
Introduction to Cryptography Lecture 6 Benny Pinkas page 1 1 Data Integrity, Message Authentication Risk: an active adversary might change messages exchanged between Alice and Bob M Alice M M M Bob Eve
More informationLecture 1 Applied Cryptography (Part 1)
Lecture 1 Applied Cryptography (Part 1) Patrick P. C. Lee Tsinghua Summer Course 2010 1-1 Roadmap Introduction to Security Introduction to Cryptography Symmetric key cryptography Hash and message authentication
More informationNetwork Security: Anonymity. Tuomas Aura T Network security Aalto University, Nov-Dec 2012
Network Security: Anonymity Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2012 Outline 1. Anonymity and privacy 2. High-latency anonymous routing 3. Low-latency anonymous routing Tor
More informationGoals of Modern Cryptography
Goals of Modern Cryptography Providing information security: Data Privacy Data Integrity and Authenticity in various computational settings. Data Privacy M Alice Bob The goal is to ensure that the adversary
More informationCryptography & Data Privacy Research in the NSRC
Cryptography & Data Privacy Research in the NSRC Adam Smith Assistant Professor Computer Science and Engineering 1 Cryptography & Data Privacy @ CSE NSRC SIIS Algorithms & Complexity Group Cryptography
More informationInternet Protocol and Transmission Control Protocol
Internet Protocol and Transmission Control Protocol CMSC 414 November 13, 2017 Internet Protcol Recall: 4-bit version 4-bit hdr len 8-bit type of service 16-bit total length (bytes) 8-bit TTL 16-bit identification
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationLecture 4: Authentication and Hashing
Lecture 4: Authentication and Hashing Introduction to Modern Cryptography 1 Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 1 These slides are based on Benny Chor s slides. Some Changes in Grading
More informationInformation Security CS526
Information CS 526 Topic 3 Ciphers and Cipher : Stream Ciphers, Block Ciphers, Perfect Secrecy, and IND-CPA 1 Announcements HW1 is out, due on Sept 10 Start early, late policy is 3 total late days for
More informationCryptographic Hash Functions
ECE458 Winter 2013 Cryptographic Hash Functions Dan Boneh (Mods by Vijay Ganesh) Previous Lectures: What we have covered so far in cryptography! One-time Pad! Definition of perfect security! Block and
More informationNetwork Forensics Prefix Hijacking Theory Prefix Hijacking Forensics Concluding Remarks. Network Forensics:
Network Forensics: Network OS Fingerprinting Prefix Hijacking Analysis Scott Hand September 30 th, 2011 Outline 1 Network Forensics Introduction OS Fingerprinting 2 Prefix Hijacking Theory BGP Background
More informationSecuring BGP. Geoff Huston November 2007
Securing BGP Geoff Huston November 2007 Agenda An Introduction to BGP BGP Security Questions Current Work Research Questions An Introduction to BGP Background to Internet Routing The routing architecture
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationConfiguring attack detection and prevention 1
Contents Configuring attack detection and prevention 1 Overview 1 Attacks that the device can prevent 1 Single-packet attacks 1 Scanning attacks 2 Flood attacks 3 TCP fragment attack 4 Login DoS attack
More informationSecurity & Privacy. Web Architecture and Information Management [./] Spring 2009 INFO (CCN 42509) Contents. Erik Wilde, UC Berkeley School of
Contents Security & Privacy Contents Web Architecture and Information Management [./] Spring 2009 INFO 190-02 (CCN 42509) Erik Wilde, UC Berkeley School of Information Abstract 1 Security Concepts Identification
More informationPublic-key Cryptography: Theory and Practice
Public-key Cryptography Theory and Practice Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Chapter 1: Overview What is Cryptography? Cryptography is the study of
More informationCS526: Information security
Cristina Nita-Rotaru CS526: Information security Anonymity systems. Based on slides by Chi Bun Chan 1: Terminology. Anonymity Anonymity (``without name ) means that a person is not identifiable within
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationIntroduction to Security and User Authentication
Introduction to Security and User Authentication Brad Karp UCL Computer Science CS GZ03 / M030 14 th November 2016 Topics We ll Cover User login authentication (local and remote) Cryptographic primitives,
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationCSC 5930/9010 Modern Cryptography: Cryptographic Hashing
CSC 5930/9010 Modern Cryptography: Cryptographic Hashing Professor Henry Carter Fall 2018 Recap Message integrity guarantees that a message has not been modified by an adversary Definition requires that
More informationRemote E-Voting System
Remote E-Voting System Crypto2-Spring 2013 Benjamin Kaiser Jacob Shedd Jeremy White Phases Initialization Registration Voting Verifying Activities Trusted Authority (TA) distributes 4 keys to Registrar,
More informationWireless Network Security Spring 2013
Wireless Network Security 14-814 Spring 2013 Patrick Tague Class #11 Control-Plane Routing Misbehavior Agenda Control-Plane Routing Misbehavior MANET Routing Misbehavior at the control-plane Toward secure
More informationInter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing
Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Tsai, Hong-Bin Chiu, Yun-Peng Lei, Chin-Laung Dept. of Electrical Engineering National Taiwan University July 10,
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationComputer Science 461 Final Exam May 22, :30-3:30pm
NAME: Login name: Computer Science 461 Final Exam May 22, 2012 1:30-3:30pm This test has seven (7) questions, each worth ten points. Put your name on every page, and write out and sign the Honor Code pledge
More information