Final Exam 90 minutes Date: TOTAL: 90 points
|
|
- Coleen Webb
- 6 years ago
- Views:
Transcription
1 F.Autreau J. Dreier P.Lafourcade Y. Lakhnech JL. Roch Final Exam 90 minutes Date: TOTAL: 90 points Security models 1st Semester 2012/2013 J. Dreier P. Lafourcade Y. Lakhnech Notice: the number of points corresponds approximatively to the number of minutes needed for solving an exercise. Exercise 1 (Acces Control (10 points)) A computing system consists of 4 users and 4 files, which are labelled according to the following table: Labels Users Files high User1 File1 medium User2 File2 low User3 File3 normal User4 File4 Where the labels are ordered as follows: high > medium > low > normal. The system allows two operations: {read, write}; i.e. a user can either read from a file or write to a file. 1. (5 points) Let the labels be security clearances (for users) and classifications (for files). (1 point) Recall Bell-LaPadula Model. (4 points) Create an access control matrix of the system following the Bell- LaPadula Model. 2. (5 points) Let the labels be integrity levels (for users and files). (1 point) Recall Biba Model. (4 points) Create an access control matrix of the system following the Biba Model.
2 1. BLP File1 File2 File3 File4 User1 read, write read read read User2 write read, write read read User3 write write write, read read User4 write write write read, write 2. Biba File1 File2 File3 File4 User1 write, read write write write User2 read read, write write write User3 read read read,write write User4 read read read read,write Exercise 2 (Acces-Control (10 points)) Alice can read and write to the file filex.sys, can read the file filey.sys, and can execute the file filez.sys. Bob can read and write to filey.sys, and cannot access filez.sys or filex.sys. 1. (4 points) Write the associated acces control matrix? 2. (3 points) Write a set of access control lists for this situation. Which list is associated with which file? 3. (3 points) Write a set of capability lists for this situation. With what is each list associated? 1. Build an access control matrix, and then from there you can derive the ACL and capabilities. r: read; w: write; x: execute 2. ACL (filex.sys) = {(Alice, {r,w})}; filex.sys filey.sys filez.sys Alice r,w r x Bob r,w ACL (filey.sys) = {(Alice, {r}), (Bob, {r,w})}; ACL(filez.sys) = {(Alice, {x})} 3. CAP(Alice) = {(filex.sys,{r,w}), (filey.sys, {r}), (filez.sys, {x})}; CAP(Bob) = {(filey.sys,{r,w})}
3 Exercise 3 (Diffie-Hellman (15 points)) 1. (5 points) Recall the Diffie-Hellman key echange protocol. 2. (5 points) Explain the attack on this protocol. 3. (5 points) We consider the following modified version of Diffie-Hellman key echange protocol, where H is a public hash function: Alice and Bob agree on a finite cyclic group G and a generating element g in G. We will write the group G multiplicatively. Alice picks two random natural numbers a and N a. Alice sends the triple (g a, N a, H(N a, g a )) to Bob. Bob picks two random natural numbers b and N b. Bob sends the triple (g b, N b, H(N b, g b )) to Alice. Alice computes (g b ) a. Bob computes (g a ) b. This modified version is it secure? 1. Alice and Bob agree on a finite cyclic group G and a generating element g in G. We will write the group G multiplicatively. Alice picks a random natural number a and sends g a to Bob. Bob picks a random natural number b and sends g b to Alice. Alice computes (g b ) a. Bob computes (g a ) b. 2. Man in the middle attack is possible: Alice sends g a Mallory sneds g m to Bob Bob computes the key (g m ) b and send g b Mallory sends g m to Alice Alice has a key g am to talk with Bob but indead she is talking to Mallory. Bob has a key g bm to talk with Alice but indead she is talking to Mallory. Mallory can uncrypt messages sent by Alice and rencrypt them to Bob, and vice versa. 3. The same attack works, the hash does not improve the scheme. Alice sends g a, N a, H(N a, g a ) Mallory sneds g m, N m, H(N m, g m ) to Bob
4 Bob computes the key (g m ) b and send g b, N b, H(N b, g b ) Mallory sends g m, N m, H(N m, g m ) to Alice Alice has a key g am to talk with Bob but indead she is talking to Mallory. Bob has a key g bm to talk with Alice but indead she is talking to Mallory. Mallory can uncrypt messages sent by Alice and rencrypt them to Bob, and vice versa. Exercise 4 (Square CDH (15 points)) 1. (1 point) Compute (a + b) (3 points) Recall the Computational Diffie-Hellman (CDH) assumption. 3. (4 + 7 = 11 points ) We define the S-CDH problem as follows: on input g, g x, computing g (x2). Prove that S-CDH CDH. Prove that S-CDH CDH. 1. Computational Diffie-Hellman (CDH): On input g, g x, g y, computing g xy. 2. SCDH CDH. Given an adversary A who can breaks CDH (On input g, g x, g y, computing g xy ). Then A can break SCDH given g, g x, g x as input of CDH. 3. SCDH CDH. Given an adversary A who can breaks SCDH (On input g, g x, computing g x2 ). Then A can break CDH by the following way: Given g, g x, g y, can we compute g xy. With g x and g y we get α 1 = g x2 and α 2 = g y2 using SCDH. Knowing g x and g y we can give to A g x+y to obtain β = g (x+y)2. We can obtain g 2xy dividing β by the product of α 1 and α 2. Exercise 5 (Passive Dolev Yao (30 points)) We consider the classical Dolev-Yao deduction system. considering exclusive-or operator (xor), denoted by. We add the following rule for (Xor) T x T y T x y Of course we need to make all our deductions modulo the equational theory of the xor. Note that this operator is a binary operator. It means that all terms are in normal form, for example the term x y z y is reduced to x z.
5 1. (7 points) Consider the classical Dolev-Yao deduction system. We define the notion of simple proof: A proof P is simple if each node appears at most once in each branch of P. Prove that if P is a minimal proof of T u then P is a simple proof of T u. 2. (4 points) Give the 4 equations associated to the xor operator. 3. (4 points) We first extend naively the definition of syntactic subterm as follow. S(t) is the smallest set such that: t S(t) u, v S(t) u, v S(t) {u} v S(t) u, v S(t) u v S(t) u, v S(t) Compute the syntactic subterm of (a b) {b} c, {c} k 4. (7 points) Give an counter-example of a proof P of T w which is minimal and is not S-local (you can define T and w as you want). 5. (8 points) Propose an other definition of sub-term in order that your example is now S-local. Give the set of sub-term associated to T {w}. (Of course the proof of the S-locality is not asked) 1. Let us assume to the contrary that P is a non-simple proof of T u. Then there is a branch of P in which T v occurs twice. We can cut the derivation between these two occurrences and so get a smaller proof P, which is in contradiction to the minimality of P. 2. S( (a b) {b} c, {c} k ) = { (a b) {b} c, {c} k, (a b) {b} c, a b, a, b, {b} c, c, {c} k, k, } 3. T = {a b, b c, c d} and w = a d (Xor) (Xor) (A) a b T 0 T 0 a b T 0 a c (A) b c T 0 T 0 b c T 0 a d (A) c d T 0 T 0 c d a c S(T {w}) = T {w} {a, b, c, d} 4. You need to consider all possible xor of all elements of S(T {w}). Then from S(T {w}) = T {w} {a, b, c, d} you need to add the following subterms: a c and a d.
6 Exercise 6 (Tools (10 points) ONLY PRO) We consider the output of one tool studied during the lecture for a given protocol. 1. (1 points) Give the name of the tool used. 2. (4 points) Give the role of the two honest participants of this protocol. 3. (2 points) Explain the attack. 4. (3 points) Propose and explain a possible correction.
7
8 1. Scyther 2. const pk: Function; secret sk: Function; inversekeys (pk,sk); // Hash function: nobody knows the inverse const hash: Function; secret unhash: Function; inversekeys (hash,unhash); // User type declaration usertype Key; // Protocol description protocol protocol2(i,r) { role I { const ni: Nonce; var nr: Nonce; var kir: Key; send_1 (I,R, { ni,i }pk(r) ); read_2 (R,I, hash(ni),{nr }pk(i) ); send_3 (I,R, hash(nr,ni) ); claim_i2 (I, Nisynch ); claim_i3 (I, Secret, nr ); claim_i4 (I, Secret, ni ); } role R { var ni: Nonce; const nr: Nonce; const kir: Key; read_1 (I,R, { ni,i }pk(r) ); send_2 (R,I, hash(ni),{nr }pk(i) ); read_3 (I,R, hash(nr,ni) );
9 claim_r2 (R, Nisynch ); claim_r3 (R, Secret, nr ); claim_r4 (R, Secret, ni ); } } // An untrusted agent, with compromised key const e: Agent; untrusted e; compromised sk(e); 3. There is a problem of authentication, and secrecy. Intruder can learn the secret. 4. Correction: for instance add R in the encryption correct this attack. Exercise 7 (Tools (10 points) R ONLY) Here is the AVISPA code of a protocol role alice (A,B : agent, Ka,Kb : public_key, Snd,Rcv : channel (dy)) played_by A def= local State : nat, Na : message, Nb : text init State:=0 transition 1. State=0 /\ Rcv(start) = > State :=1 /\ Na :=new() /\ Snd({Na.A}_Kb) /\ witness(a,b,bob_alice_na,na ) /\ secret(na,na,{a,b}) 2. State=1 /\ Rcv({Nb.xor(Na,B)}_Ka) = > State :=2 /\ Snd({Nb }_Kb) /\ wrequest (A,B,alice_bob_nb,Nb ) end role role bob (B,A Kb,Ka : agent, : public_key,
10 Snd,Rcv : channel (dy)) played_by B def= local State : nat, Na : message, Nb : text init State:=0 transition 1. State=0 /\ Rcv({Na.A}_Kb) = > State :=1 /\ Nb :=new() /\ Snd({Nb.xor(Na,B)}_Ka) /\ witness(b,a,alice_bob_nb,nb ) /\ secret(nb,nb,{a,b}) 2. State=1 /\ Rcv({Nb}_Kb) = > State :=2 /\ wrequest(b,a,bob_alice_na,na) end role role session (A,B: agent, Ka, Kb: public_key, SND, RCV: channel(dy) ) def= composition alice(a,b,ka,kb,snd,rcv) /\ bob(b,a,kb,ka,snd,rcv) end role role environment() def= local Snd, Rcv: channel(dy) const a, b, i: agent, ka, kb, ki: public_key, na, nb, alice_bob_nb, bob_alice_na: protocol_id intruder_knowledge = {a,b,i,ka,kb,ki,inv(ki)} composition session(a,b,ka,kb,snd,rcv) /\ session(a,i,ka,ki,snd,rcv) end role goal
11 weak_authentication_on alice_bob_nb weak_authentication_on bob_alice_na secrecy_of na, nb end goal environment() 1. (3 points) Give an Alice and Bob description of the protocol and propose a relevant name for this protocol. 2. (3 points) Explain the properties that are verified. 3. (4 points) Give an attack on the protocol and explain it. 1. The protocol works has follows A B : {N A, A} KB B A : {N B, N A B} KP A A B : {N B } KP A 2. We have the following 4 properties encoded in the file: Secrecy of Na, Nb Authentication of Alice to Bob using N b Authentication of Bob to Alice using N a 3. The attack is the following: A I : {N A, A} KI I B : {N A B I, A} KB B I : {N B, N A I} KA I B : {N B, N A I} KA A I : {N B } KI I B : {N B } KB
Hello World in HLPSL. Turning ASCII protocol specifications into HLPSL
Hello World in HLPSL Turning ASCII protocol specifications into HLPSL Modeling with HLPSL HLPSL is a higher-level protocol specification language we can transform ASCII protocol specifications into HLPSL
More informationAnalysis of Verification Tools for Security Protocols
Analysis of Verification Tools for Security Protocols Sergey Reznick, Igor Kotenko Computer Security Research Group, St. Petersburg Institute for Informatics and Automation of Russian Academy of Sciences
More informationProtocols. Protocols. Pascal Lafourcade. Université Joseph Fourier, Verimag. October 6th / 63
Protocols Pascal Lafourcade Université Joseph Fourier, Verimag October 6th 2008 1 / 63 Last Time Historic and Motivation 2 / 63 General Schedule 1 Lundi 15 septembre Historique de la cryptographie 2 Lundi
More informationA Short SPAN+AVISPA Tutorial
A Short SPAN+AVISPA Tutorial Thomas Genet IRISA/Université de Rennes 1 genet@irisa.fr November 6, 2015 Abstract The objective of this short tutorial is to show how to use SPAN to understand and debug HLPSL
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationThe AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications
The AVISPA Tool for the Automated Validation of Internet Security Protocols and Applications Alessandro Armando AI-Lab, DIST, Università di Genova Università di Genova INRIA-Lorraine ETH Zurich Siemens
More informationSome Remarks on Security Protocols Verification Tools
Some Remarks on Security Protocols Verification Tools Mirosław Kurkowski 1, Adam Kozakiewicz 2 and Olga Siedlecka-Lamch 3 1 Institute of Computer Sciences, Cardinal Stefan Wyszynski University Warsaw,
More informationA Short SPAN+AVISPA Tutorial
A Short SPAN+AVISPA Tutorial Thomas Genet To cite this version: Thomas Genet. A Short SPAN+AVISPA Tutorial. [Research Report] IRISA. 2015. HAL Id: hal-01213074 https://hal.inria.fr/hal-01213074v1
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationDeliverable D2.1: The High Level Protocol Specification Language
www.avispa-project.org Automated Validation of Internet Security Protocols and Applications Deliverable D2.1: The High Level Protocol Specification Language Abstract In this deliverable we provide the
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationKey Agreement Schemes
Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationLecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin
Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationVerification of Security Protocols
Verification of Security Protocols Chapter 12: The JFK Protocol and an Analysis in Applied Pi Christian Haack June 16, 2008 Exam When? Monday, 30/06, 14:00. Where? TUE, Matrix 1.44. Scheduled for 3 hours,
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values
More informationKey Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10
Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If sends a
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationChapter 10 : Private-Key Management and the Public-Key Revolution
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management
More informationInter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing
Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Tsai, Hong-Bin Chiu, Yun-Peng Lei, Chin-Laung Dept. of Electrical Engineering National Taiwan University July 10,
More informationCIS 4360 Secure Computer Systems Applied Cryptography
CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public
More informationPublic Key Algorithms
Public Key Algorithms CS 472 Spring 13 Lecture 6 Mohammad Almalag 2/19/2013 Public Key Algorithms - Introduction Public key algorithms are a motley crew, how? All hash algorithms do the same thing: Take
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationSolution of Exercise Sheet 10
Foundations of Cybersecurity (Winter 16/17) Prof. Dr. Michael Backes CISPA / Saarland University saarland university computer science Solution of Exercise Sheet 10 1 Diffie-Hellman Key Exchange Alice and
More informationKey Agreement. Guilin Wang. School of Computer Science, University of Birmingham
Key Agreement Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Motivations As we know, symmetric key encryptions are usually much more efficient than public key encryptions,
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationFORMAL VALIDATION OF SECURITY PROPERTIES OF AMT S THREE-WAY HANDSHAKE
FORMAL VALIDATION OF SECURITY PROPERTIES OF AMT S THREE-WAY HANDSHAKE Ali Salem A thesis in The Department of Computer Science and Software Engineering Presented in Partial Fulfillment of the Requirements
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationKEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington
KEY AGREEMENT PROTOCOLS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 13 of Trappe and Washington DIFFIE-HELLMAN KEY EXCHANGE Alice & want to exchange a ton of data using
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationfor Compound Authentication
Verified Contributive Channel Bindings for Compound Authentication Antoine Delignat-Lavaud, Inria Paris Joint work with Karthikeyan Bhargavan and Alfredo Pironti Motivation: Authentication Composition
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationAnalysis of Attacks to Multi-Protocols
Università degli Studi di Catania Corso di Laurea in Informatica Casimiro Greco Analysis of Attacks to Multi-Protocols mwsf05 Catania, 16 Dicembre 2005 The 2005 miniworkshop on 1 Security Frameworks INTRODUCTION
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationDigital Signatures. KG November 3, Introduction 1. 2 Digital Signatures 2
Digital Signatures KG November 3, 2017 Contents 1 Introduction 1 2 Digital Signatures 2 3 Hash Functions 3 3.1 Attacks.................................... 4 3.2 Compression Functions............................
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationLecture 2 Applied Cryptography (Part 2)
Lecture 2 Applied Cryptography (Part 2) Patrick P. C. Lee Tsinghua Summer Course 2010 2-1 Roadmap Number theory Public key cryptography RSA Diffie-Hellman DSA Certificates Tsinghua Summer Course 2010 2-2
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationNetwork Security (NetSec)
Chair of Network Architectures and Services Department of Informatics Technical University of Munich Network Security (NetSec) IN2101 WS 16/17 Prof. Dr.-Ing. Georg Carle Dr. Heiko Niedermayer Cornelius
More informationFormal Verification of a Key Establishment Protocol for EPC Gen2 RFID Systems: Work in Progress
Formal Verification of a Key Establishment Protocol for EPC Gen2 RFID Systems: Work in Progress Wiem Tounsi, Nora Cuppens-Boulahia, Frédéric Cuppens, Joaquin Garcia-Alfaro Institut Télécom, Télécom Bretagne,
More informationAuthentication and Key Distribution
1 Alice and Bob share a key How do they determine that they do? Challenge-response protocols 2 How do they establish the shared secret in the first place? Key distribution PKI, Kerberos, Other key distribution
More informationMaude-NPA, Version 1.0
Maude-NPA, Version 1.0 Santiago Escobar sescobar@dsic.upv.es Technical University of Valencia Valencia, Spain Catherine Meadows meadows@itd.nrl.navy.mil Naval Research Laboratory Washington, DC, USA José
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationEncryption as an Abstract Datatype:
June 2003 1/18 Outline Encryption as an Abstract Datatype: an extended abstract Dale Miller INRIA/Futurs/Saclay and École polytechnique 1. Security protocols specified using multisets rewriting. 2. Eigenvariables
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 3 January 13, 2012 CPSC 467b, Lecture 3 1/36 Perfect secrecy Caesar cipher Loss of perfection Classical ciphers One-time pad Affine
More informationMaude-NPA, Version 3.0
Maude-NPA, Version 3.0 Santiago Escobar sescobar@dsic.upv.es DSIC-ELP, Universitat Politècnica de València Valencia, Spain Catherine Meadows meadows@itd.nrl.navy.mil Naval Research Laboratory Washington,
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationReal-time protocol. Chapter 16: Real-Time Communication Security
Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationAccess Control. Discretionary Access Control
Access Control Discretionary Access Control 1 Outlines Access Control Discretionary Access Control (DAC) Mandatory Access Control (MAC) Role-Based Access Control (RBAC) 2 Access Control Access control
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationSymmetric Encryption
Symmetric Encryption Ahmed Y. Banihammd & Ihsan, ALTUNDAG Mon November 5, 2007 Advanced Cryptography 1st Semester 2007-2008 University Joseph Fourrier, Verimag Master Of Information Security And Coding
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationLecture 4: Authentication Protocols
Graduate Course on Computer Security Lecture 4: Authentication Protocols Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationPrinciples of Security Part 4: Authentication protocols Sections 1 and 2
Principles of Security Part 4: protocols Sections 1 and 2 Oxford Michaelmas Term 2008 Outline Basic ideas of authentication Challenge-Response Attacks What did we learn? Outline Basic ideas of authentication
More informationElements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted
More informationCryptography and Network Security
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown Chapter 10 Key Management; Other Public Key Cryptosystems No Singhalese, whether man or woman, would
More informationChapter 9. Public Key Cryptography, RSA And Key Management
Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on
More information1. Diffie-Hellman Key Exchange
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Diffie-Hellman Key Exchange Module No: CS/CNS/26 Quadrant 1 e-text Cryptography and Network Security Objectives
More informationKey Management and Distribution
CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Chapter 10 Key Management; Other Public Key Cryptosystems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan
More informationCSC 774 Advanced Network Security
CSC 774 Advanced Network Security Topic 5 Group Key Management Dr. Peng Ning CSC 774 Adv. Net. Security 1 Group Communication A group consists of multiple members Messages sent by one sender are received
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More informationINFSCI 2935: Introduction of Computer Security 1. Courtesy of Professors Chris Clifton & Matt Bishop. INFSCI 2935: Introduction to Computer Security 2
Digital Signature Introduction to Computer Security Lecture 7 Digital Signature October 9, 2003 Construct that authenticates origin, contents of message in a manner provable to a disinterested third party
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More information1. Out of the 3 types of attacks an adversary can mount on a cryptographic algorithm, which ones does differential cryptanalysis utilize?
Introduction Answer the following questions. When a word count restriction is given for a question, exceeding it will result in marks being deducted. If your answer is more than twice the maximum length,
More informationUsing Animation to Improve Formal Specifications of Security Protocols
Using Animation to Improve Formal Specifications of Security Protocols Yohan Boichut 1, Thomas Genet 1, Yann Glouche 1 and Olivier Heen 2 1 IRISA, Rennes, France, yohan.boichut@irisa.fr, thomas.genet@irisa.fr,
More informationMTAT Cryptology II. Entity Authentication. Sven Laur University of Tartu
MTAT.07.003 Cryptology II Entity Authentication Sven Laur University of Tartu Formal Syntax Entity authentication pk (sk, pk) Gen α 1 β 1 β i V pk (α 1,...,α i 1 ) α i P sk (β 1,...,β i 1 ) Is it Charlie?
More informationLecture Note 6 Date:
P.Lafourcade Lecture Note 6 Date: 18.10.2010 Security models 1st Semester 2010/2011 Jeremy BRUN-NOUVION Hicham HOSSAYNI Contents 1 Logical Attacks 3 1.1 Perfect Encryption Hypothesis.............................
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationPlaintext Awareness via Key Registration
Plaintext Awareness via Key Registration Jonathan Herzog CIS, TOC, CSAIL, MIT Plaintext Awareness via Key Registration p.1/38 Context of this work Originates from work on Dolev-Yao (DY) model Symbolic
More informationVerifying Real-World Security Protocols from finding attacks to proving security theorems
Verifying Real-World Security Protocols from finding attacks to proving security theorems Karthik Bhargavan http://prosecco.inria.fr + many co-authors at INRIA, Microsoft Research, Formal security analysis
More informationCSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring and 6 February 2018
CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong, Spring 2018 5 and 6 February 2018 Identification schemes are mechanisms for Alice to prove her identity to Bob They comprise a setup
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationComputationally Sound Mechanized Proof of PKINIT for Kerberos
Computationally Sound Mechanized Proof of PKINIT for Kerberos B. Blanchet 1, A. D. Jaggard 2, J. Rao 3, A. Scedrov 3, J.-K. Tsay 4 Protocol exchange Meeting 02 October 2008 1 ENS 2 Rutgers University 3
More informationStrong Password Protocols
Strong Password Protocols Strong Password Protocols Password authentication over a network Transmit password in the clear. Open to password sniffing. Open to impersonation of server. Do Diffie-Hellman
More informationDiffie-Hellman. Part 1 Cryptography 136
Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for
More informationExercises with solutions, Set 3
Exercises with solutions, Set 3 EDA625 Security, 2017 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More informationAn Executable Model for JFKr
An Executable Model for JFKr An ACL2 approach to key-establishment protocol verification Presented by: David Rager Outline Derivation of JFKr Books developed for JFKr reasoning Demonstrate the JFKr executable
More informationCS 395T. JFK Protocol in Applied Pi Calculus
CS 395T JFK Protocol in Applied Pi Calculus Proving Security Real protocol Process-calculus specification of the actual protocol Ideal protocol Achieves the same goal as the real protocol, but is secure
More informationApplied Cryptography Basic Protocols
Applied Cryptography Basic Protocols Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Session keys It is prudent practice to use a different key for each session. This
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More information