Lightweight Signatures for (A Defense Against Phishing)
|
|
- Logan Benson
- 6 years ago
- Views:
Transcription
1
2 Lightweight Signatures for (A Defense Against Phishing) Ben Adida Cryptography and Information Security Group CSAIL, MIT December 7th, 2005 (joint with David Chau, Susan Hohenberger and Ronald L. Rivest)
3 This Talk The evolution of phishing Privacy concerns Some Cool Crypto The authentication problem Building an authentication architecture Assembling Techniques into Security Solutions
4
5
6
7
8
9
10 Fax Attack
11
12 Cost of Phishing Some say > $1B/year Others say < $200M/year But the real cost of phishing is...
13 We cannot trust Never click on a link provided in an asking for personal information. American Banking Association (Dec. 2004) Do be wary of clicking on links in messages. Microsoft (Feb. 2005) Don't automatically assume that any is from the From address. Bruce Schneier (Dec. 2004)
14 Wall Street Journal August 29th, 2005 Fear of phishing corrodes trust [...] in as a vehicle Don't click on links in s from financial institutions and other organizations that have your personal information Don't trust phone numbers in s. These can be faked, too. We hate to say that, because such communications are supposed to make life easier.
15 Phishing Everywhere!
16
17 Phishing reveals a serious problem with We need to fix the platform
18 SMTP Today 2 MX DNS foo.com MX Record mail.foo.com wonderland.com outgoing mail server 3 mail.foo.com incoming mail server 1 4 Alice Bob
19 No Proof of Origin phish.com wonderland.com outgoing mail server? mail.foo.com incoming mail server Alice Bob
20 Many Proposals Web-based solutions: checking links, better passwords, DSS,... Spam-like filtering identify bad s by content Sender ID / Sender Policy Framework declaring authorized outgoing mail servers DomainKeys outgoing mail server signs all s
21 A Platform of Trust User Interface Indicators Reputation Management Automatic Filtering Reputation Management SSL Light Sigs We want to provide Just Enough Trust
22 Raising the Bar Spoof Outgoing connect to port 25 of Bob s mail server, send data. Intercept Incoming crack Bob s IMAP/POP authentication or sniff Bob s network consistently Alice Bob
23 Building Lightweight Signatures
24 Basic Signatures Authority Wonderland SK wonderland PK wonderland PK alice SK alice Alice sign wonderland (PK alice, )
25 DNS to distribute Component Domain-Level Keys DNS Publish wonderland.com PK wonderland.com foo.com PK foo.com wonderland.com SK wonderland.com [DomainKeys]
26 Scenario Authentication Authority wonderland SK wonderland DNS wonderland.com PK wonderland PK alice From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... SK alice Alice alice@wonderland.com Alice sign alice (message) PK alice sign wonderland (PK alice, alice@wonderland.com ) Bob bob@foo.com
27 Scenario Authentication Authority wonderland SK wonderland PK alice certifying a user s public key can add significant overhead. distributing the secret key to all user access points is tricky. SK alice Alice alice@wonderland.com... unless we rethink the security requirements a bit.
28 -Based Component Authentication [Gar2003] wonderland.com keyserver SK wonderland.com SK SK SK SK certificate(pk ) wonderland.com incoming mail server Alice
29 Server-Managed User Keys Scenario wonderland.com incoming mail server Authority wonderland SK wonderland SK alice PK alice From: Alice To: Bob Subject: DNS wonderland.com PK wonderland I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Alice Alice alice@wonderland.com sign alice (message) PK alice sign wonderland (PK alice, alice@wonderland.com ) Bob bob@foo.com
30 Scenario DomainKeys Authority wonderland SK wonderland DNS wonderland.com PK wonderland From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Alice From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Alice Alice alice@wonderland.com Bob bob@foo.com
31 Scenario DomainKeys From: Alice To: Bob Subject: I can't wait for lecture today! That TA Chris is so cute! Too bad he's taken... Authority wonderland SK wonderland intra-domain authentication? SK must be online mail forwarding services? Alice Alice alice@wonderland.com... can we do better?
32 Can we get the benefits of both user keys and domain keys?
33 Component ID-Based Crypto P K bob MP K keyserver MSK SK bob Alice Bob
34 Component ID-based Domains MP K wonderland.com MP K foo.com wonderland.com keyserver MSK wonderland.com foo.com keyserver MSK foo.com SK alice@wonderland.com SK bob@foo.com Alice Bob
35 DNS to distribute Master Public Keys DNS Publish wonderland.com MP K wonderland.com foo.com MP K foo.com wonderland.com key server MSK wonderland.com
36 -Based Authentication for User Secret Keys wonderland.com keyserver MSK wonderland.com wonderland.com incoming mail server Alice
37 Our Scenario Lightweight Signatures DNS 1 PUBLISH PUBLISH 1 wonderland.com MP K wonderland wonderland.com key server SK A 2 From: Alice To: Bob Subject: 6.857! I've decided Matt is cooler. foo.com MPK foo 4 5 MP K wonderland alice@wonderland.com foo.com key server Alice Wonderland.com Network Signed: Alice 3 6 Bob foo.com Network
38 Realistic Deployment Incremental Protection Each domain can implement Lightweight Sigs when it wants to protect its users from spoofing. Minimized User Intervention With domain policies, there is no grey area: s are either good or bad and require no user judgment.
39 Deployment Flexibility Upgrade the Mail Client & Deploy an Internal Keyserver mail client performs sign & verify keyserver distributes user secret keys Upgrade the Mail Server sign at outgoing mail server verify at incoming mail server
40 Origin of Lightweight Sigs Classic PGP or S/MIME Domain-Managed User Keys Domain-Level Key Lightweight Signatures
41 Privacy Concern! Every is now publicly verifiable.
42 So What? Alice likes Bob Eve likes Bob Alice Bob Bob likes to gloat. bob.blogspot.com Eve December 7th, 2005 Check out what Alice sent me! Who knew!... This changes the nature of .
43 Ring Signatures From: Alice To: Bob Subject: Coffee? Hey Bob, Wanna meet for coffee? I'd love to get to know you better. Signed: Alice or Bob [RiShTa2001]
44 Identity-Based Sigs, again Public Keys are available before user has generated them. Public Keys are available using only the domain-based master public key in the DNS. If a domain has an MPK, then it can be used for repudiation.
45 A Bit of Crypto
46 Schnorr ID Protocol Z p, generator g Prover x c t = g r R Z p Verifier y = g x s = xc + r g s? = y c t
47 Schnorr is a PoK Proof of Knowledge: Extraction t = g r c 1 c 2 s 1 = xc 1 + r s 2 = xc 2 + r x = s 1 s 2 c 1 c 2
48 Schnorr Zero-Knowledge c t = g r R Z p s = xc + r g s? = y c t t = gs y c 1) Pick a random c 2) Pick a random s 3) compute t to solve the above equation (t,c,s) is correctly distributed.
49 Prover Fiat-Shamir Building a Signature Scheme from a Proof of Knowledge t c c = H(t m) s Verifier If the protocol is a PoK of a secret key, then (t,c,s) = sign(m)
50 Guillou-Quisquater Signatures MP K = (n, e) MSK = d P K ID = H(ID) Z n SK ID = H(ID) d Z n Prover t = r e Verifier SK ID c R Z n P K ID s = rsk c ID s e? = tp K c ID
51 GQ Properties (I) Zero-Knowledge: Simulation s e? = tp K c ID 1) Pick a random c 2) Pick a random s 3) compute t to solve the above equation (t,c,s) is correctly distributed.
52 GQ Properties (II) Proof of Knowledge: Extraction t = r e c 1 c 2 s 1 = rsk c 1 ID s 2 = rsk c 2 ID SK ID = ( ) s1 (c1 c2) 1 s 2
53 Bilinear Maps G 1, G 2, both of order q e : G 1 G 1 G 2 g, h generate G 1 Z = e(g, h) generates G 2 h b e(g a, h b ) = e(g, h) ab G 1 G 2 e(ug, h) = e(u, h)e(g, h) g a e Z ab
54 Boneh-Franklin Keys Public Parameters: G 1, G 2, q, g, H MSK = s Z q MP K = g s G 1 P K ID = H(ID) SK ID = H(ID) s Note that: e(p K ID, MP K) = e(sk ID, g)
55 HVZK PoK of Bilinear Map Pre-Image given Q G 2, x G 1 α G 1, e(α, x) = Q x α? e Q G 1 G 2
56 Is that Interesting? g a g b e Q g, g a, g b G 1 Q = e(g a, g b ) g g ab G 1 G 2 What is the BM preimage of Q with respect to g? e(α, g) = Q α = g ab
57 HVZK PoK BMPI Prover(Q, α, x) Q = e(α, x) Verifier(Q, x) r R Z q t = e(g r, x) c c R Z q s = α c g r e(s, x)? = Q c t e(α c g r, x)? = e(α, x) c e(g r, x)
58 PoK: Extraction Prover(Q, α, x) r Q = e(α, x) R Z q t = e(g r, x) Verifier(Q, x) c 1 c 2 s 1 = α c 1 g r s 2 = α c 2 g r α = s 1 (c 1 c 2 ) 1 s 2
59 ZK: Simulation t = e(g r, x) c c R Z q s = α c g r s R G e(s, x) =? Q c t 1 t = e(s, x) Q c (t, c, s) is correctly distributed
60 Fiat-Shamir PoBMPI Prover(Q, α, x) r Q = e(α, x) R Z q t = e(g r, x) Verifier(Q, x) c c c= R H(t m) Z q s = α c g r e(s, x)? = Q c t e(α c g r, x)? = e(α, x) c e(g r, x)
61 Signing with BF Keys MSK = s Z q MP K = g s G 1 P K ID = H(ID) SK ID = H(ID) s Q = e(p K ID, MP K) Q = e(sk ID, g) [Hess2002] Prove knowledge of pre-image of Q with respect to g.
62 Applying CDS PoK of PK prove knowledge of SK ben or SK shafi generate (t 1, c 1, s 1 ) for SK shafi t 1 t 1, t 2 t 2 c 1 c c 2 s 1 s 1, s 2, c 1, c 2, s.t. c = c 1 c 2 s 2 (t 2, c 2, s 2 ) must have been generated correctly
63 Crypto Summary Identity-Based Signatures are well understood. Signatures can be thought of as Proofs of Knowledge of a Secret Key, made noninteractive with Fiat-Shamir. Proofs of Partial Knowledge: I know Alice s secret key OR I know Bob s secret key.
64 Implementation Working prototype using a web-based key distribution, simple DNS server, and Emacs Rmail client. More involved usability study in the next few months, multiple domains, real mail client.
65 Summary Phishing reveals an trust problem Lightweight Signatures is one interesting approach end-to-end support of all apps Don t forget about privacy! client-side or server-side computation Assembling crypto tools to solve real problems is fun!
66 Questions?
Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed s
Fighting Phishing Attacks: A Lightweight Trust Architecture for Detecting Spoofed Emails Ben Adida Susan Hohenberger, Ronald L. Rivest Abstract We present a novel key distribution architecture and a novel
More informationLightweight Signatures for
Lightweight Signatures for Email Ben Adida David Chau Susan Hohenberger, Ronald L. Rivest June 24, 2005 Abstract We present the design and prototype implementation of a new public key infrastucture for
More informationLightweight Signatures (Extended Abstract)
Lightweight Email Signatures (Extended Abstract) The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation Adida, Ben, David Chau,
More informationSECURE SYSTEM USING S/MIME AND IB-PKC
SECURE E-MAIL SYSTEM USING S/MIME AND IB-PKC S. T. Faraj College of IT, Nahrain University, Al-Jaderiya, Baghdad, Iraq M. T. Ibrahem Dept. of Computer Engineering, University of Baghdad, Al-Jaderiya, Baghdad,
More informationCertificateless Public Key Cryptography
Certificateless Public Key Cryptography Mohsen Toorani Department of Informatics University of Bergen Norsk Kryptoseminar November 9, 2011 1 Public Key Cryptography (PKC) Also known as asymmetric cryptography.
More informationZero-Knowledge Proof and Authentication Protocols
Zero-Knowledge Proof and Authentication Protocols Ben Lipton April 26, 2016 Outline Background Zero-Knowledge Proofs Zero-Knowledge Authentication History Example Protocols Guillou-Quisquater Non-zero-knowledge
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationStructure-Preserving Certificateless Encryption and Its Application
SESSION ID: CRYP-T06 Structure-Preserving Certificateless Encryption and Its Application Prof. Sherman S. M. Chow Department of Information Engineering Chinese University of Hong Kong, Hong Kong @ShermanChow
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationAn IBE Scheme to Exchange Authenticated Secret Keys
An IBE Scheme to Exchange Authenticated Secret Keys Waldyr Dias Benits Júnior 1, Routo Terada (Advisor) 1 1 Instituto de Matemática e Estatística Universidade de São Paulo R. do Matão, 1010 Cidade Universitária
More informationHomomorphic encryption (whiteboard)
Crypto Tutorial Homomorphic encryption Proofs of retrievability/possession Attribute based encryption Hidden vector encryption, predicate encryption Identity based encryption Zero knowledge proofs, proofs
More informationCryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III
Cryptography III Public-Key Cryptography Digital Signatures 2/1/18 Cryptography III 1 Public Key Cryptography 2/1/18 Cryptography III 2 Key pair Public key: shared with everyone Secret key: kept secret,
More informationKey management. Pretty Good Privacy
ECE 646 - Lecture 4 Key management Pretty Good Privacy Using the same key for multiple messages M 1 M 2 M 3 M 4 M 5 time E K time C 1 C 2 C 3 C 4 C 5 1 Using Session Keys & Key Encryption Keys K 1 K 2
More informationECE 646 Lecture 3. Key management
ECE 646 Lecture 3 Key management Required Reading Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E Chapter 14 Key Management and Distribution Using the same key for multiple
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationDiffie-Hellman. Part 1 Cryptography 136
Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationIndistinguishable Proofs of Work or Knowledge
Indistinguishable Proofs of Work or Knowledge Foteini Baldimtsi, Aggelos Kiayias, Thomas Zacharias, Bingsheng Zhang ASIACRYPT 2016 8th December, Hanoi, Vietnam Motivation (ZK) Proofs of Knowledge - PoK
More informationActivity Guide - Public Key Cryptography
Unit 2 Lesson 19 Name(s) Period Date Activity Guide - Public Key Cryptography Introduction This activity is similar to the cups and beans encryption we did in a previous lesson. However, instead of using
More informationElements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Networking Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 2 Due: Friday, 10/28/2016 at 11:55pm PT Will be posted on
More informationCS 161 Authentication Protocols. Zero knowledge review
CS 161 Authentication Protocols 27 September 2006 2006 Doug Tygar 1 CS 161 27 September 2006 Zero knowledge review Goal: authenticate without leaking any information What you need to know about Rabin signatures:
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 11: Public Key Infrastructure Department of Computer Science and Engineering University at Buffalo 1 Lecture Outline Public key infrastructure Certificates Trust
More informationPublic-Key Infrastructure NETS E2008
Public-Key Infrastructure NETS E2008 Many slides from Vitaly Shmatikov, UT Austin slide 1 Authenticity of Public Keys? private key Alice Bob public key Problem: How does Alice know that the public key
More informationCryptography (Overview)
Cryptography (Overview) Some history Caesar cipher, rot13 substitution ciphers, etc. Enigma (Turing) Modern secret key cryptography DES, AES Public key cryptography RSA, digital signatures Cryptography
More informationZero Knowledge Protocol
Akash Patel (SJSU) Zero Knowledge Protocol Zero knowledge proof or protocol is method in which a party A can prove that given statement X is certainly true to party B without revealing any additional information
More information10 More on Signatures and the Public-Key Infrastructure
Leo Reyzin. Notes for BU CAS CS 538. 1 10 More on Signatures and the Public-Key Infrastructure 10.1 Random Oracle Model and Full-Domain-Hash Very efficient stateless signatures seem to come from the so-called
More informationKEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington
KEY AGREEMENT PROTOCOLS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 13 of Trappe and Washington DIFFIE-HELLMAN KEY EXCHANGE Alice & want to exchange a ton of data using
More informationHow to make Secure Easier to use
How to make Secure Email Easier to use Simson L. Garfinkel (MIT) Jeffrey I. Schiller (MIT) Erik Nordlander (MIT) David Margrave (Amazon) Robert C. Miller (MIT) http://www.simson.net/smime-survey.html/
More informationLecture 10, Zero Knowledge Proofs, Secure Computation
CS 4501-6501 Topics in Cryptography 30 Mar 2018 Lecture 10, Zero Knowledge Proofs, Secure Computation Lecturer: Mahmoody Scribe: Bella Vice-Van Heyde, Derrick Blakely, Bobby Andris 1 Introduction Last
More information14. Internet Security (J. Kurose)
14. Internet Security (J. Kurose) 1 Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer:
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationDesign of Secure VoIP using ID-Based Cryptosystem
All rights are reserved and copyright of this manuscript belongs to the authors. This manuscript has been published without reviewing and editing as received from the authors: posting the manuscript to
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More information0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken
0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple
More informationDigital Signatures. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 54
Digital Signatures Ali El Kaafarani Mathematical Institute Oxford University 1 of 54 Outline 1 Definitions 2 Factoring Based Signatures 3 Dlog Based Signatures 4 Hash-Based Signatures 5 Certificates 6
More informationA Protocol for Secure Public Instant Messaging
Financial Cryptography - Feb 27, 2006 A Protocol for Secure Public Instant Messaging Mohammad Mannan and Paul C. van Oorschot Digital Security Group Carleton University, Canada Mohammad Mannan Feb 27,
More informationZero-Knowledge Proofs
Zero-Knowledge Proofs Yevgeniy Dodis New York University Special thanks: Salil Vadhan Zero-Knowledge Proofs [GMR85] Interactive proofs that reveal nothing other than the validity of assertion being proven
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationEncryption. INST 346, Section 0201 April 3, 2018
Encryption INST 346, Section 0201 April 3, 2018 Goals for Today Symmetric Key Encryption Public Key Encryption Certificate Authorities Secure Sockets Layer Simple encryption scheme substitution cipher:
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationCSC 5930/9010 Modern Cryptography: Digital Signatures
CSC 5930/9010 Modern Cryptography: Digital Signatures Professor Henry Carter Fall 2018 Recap Implemented public key schemes in practice commonly encapsulate a symmetric key for the rest of encryption KEM/DEM
More informationIntroduction and Overview. Why CSCI 454/554?
Introduction and Overview CSCI 454/554 Why CSCI 454/554? Get Credits and Graduate Security is important More job opportunities More research funds 1 Workload Five homework assignments Two exams (open book
More informationCrypto meets Web Security: Certificates and SSL/TLS
CSE 484 / CSE M 584: Computer Security and Privacy Crypto meets Web Security: Certificates and SSL/TLS Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCryptography 4 Privacy
SuRI School of Computer and Communication Sciences EPFL Cryptography 4 Privacy Jan Camenisch Principle RSM; Member, IBM Academy of Technology IBM Research Zurich @JanCamenisch ibm.biz/jancamenisch Facts
More informationLecture 9. Authentication & Key Distribution
Lecture 9 Authentication & Key Distribution 1 Where are we now? We know a bit of the following: Conventional (symmetric) cryptography Hash functions and MACs Public key (asymmetric) cryptography Encryption
More informationPrivacy, Discovery, and Authentication for the Internet of Things
Privacy, Discovery, and Authentication for the Internet of Things David J. Wu Ankur Taly Asim Shankar Dan Boneh Stanford University Google Google Stanford University The Internet of Things (IoT) Lots of
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationComputer Networking. What is network security? Chapter 7: Network security. Symmetric key cryptography. The language of cryptography
Chapter 7: Network security 15-441 Computer Networking Network Security: Cryptography, Authentication, Integrity Foundations: what is security? cryptography authentication message integrity key distribution
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationENEE 459-C Computer Security. Security protocols
ENEE 459-C Computer Security Security protocols Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p and g public.
More informationCSE 5852, Modern Cryptography: Foundations Fall Lecture 26. pk = (p,g,g x ) y. (p,g,g x ) xr + y Check g xr +y =(g x ) r.
CSE 5852, Modern Cryptography: Foundations Fall 2016 Lecture 26 Prof. enjamin Fuller Scribe: Tham Hoang 1 Last Class Last class we introduce the Schnorr identification scheme [Sch91]. The scheme is to
More informationFall 2005 Joseph/Tygar/Vazirani/Wagner Final
CS 161 Computer Security Fall 2005 Joseph/Tygar/Vazirani/Wagner Final PRINT your name:, (last) SIGN your name: (first) PRINT your Unix account name: PRINT your TA s name: You may consult any books, notes,
More informationSecurity and Privacy
E-mail Security and Privacy Department of Computer Science Montclair State University Course : CMPT 320 Internet/Intranet Security Semester : Fall 2008 Student Instructor : Alex Chen : Dr. Stefan Robila
More informationRef:
Cryptography & digital signature Dec. 2013 Ref: http://cis.poly.edu/~ross/ 2 Cryptography Overview Symmetric Key Cryptography Public Key Cryptography Message integrity and digital signatures References:
More informationENEE 459-C Computer Security. Security protocols (continued)
ENEE 459-C Computer Security Security protocols (continued) Key Agreement: Diffie-Hellman Protocol Key agreement protocol, both A and B contribute to the key Setup: p prime and g generator of Z p *, p
More informationCS155b: E-Commerce. Lecture 6: Jan. 25, Security and Privacy, Continued
CS155b: E-Commerce Lecture 6: Jan. 25, 2001 Security and Privacy, Continued FIREWALL A barrier between an internal network & the Internet Protects the internal network from outside attacks Executes administrator-defined
More informationComputer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ
Computer Networks 1 (Mạng Máy Tính 1) Lectured by: Dr. Phạm Trần Vũ Chapter 8 Network Security Computer Networking: A Top Down Approach, 5 th edition. Jim Kurose, Keith Ross Addison-Wesley, April 2009.
More informationLecture 30. Cryptography. Symmetric Key Cryptography. Key Exchange. Advanced Encryption Standard (AES) DES. Security April 11, 2005
Lecture 30 Security April 11, 2005 Cryptography K A ciphertext Figure 7.3 goes here K B symmetric-key crypto: sender, receiver keys identical public-key crypto: encrypt key public, decrypt key secret Symmetric
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationComputer Communication Networks Network Security
Computer Communication Networks Network Security ICEN/ICSI 416 Fall 2016 Prof. Dola Saha 1 Network Security Goals: understand principles of network security: cryptography and its many uses beyond confidentiality
More information1/11/11. o Syllabus o Assignments o News o Lecture notes (also on Blackboard)
Dr. Jelena Mirkovic (Y-Ellen-a) University of Southern California Information Sciences Institute If you wish to enroll and do not have D clearance yet, send an email to CSci530@usc.edu with: o Your name
More informationCHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE
68 CHAPTER 4 VERIFIABLE ENCRYPTION OF AN ELLIPTIC CURVE DIGITAL SIGNATURE 4.1 INTRODUCTION This chapter addresses the Verifiable Encryption of Elliptic Curve Digital Signature. The protocol presented is
More informationCS 425 / ECE 428 Distributed Systems Fall 2017
CS 425 / ECE 428 Distributed Systems Fall 2017 Indranil Gupta (Indy) Dec 5, 2017 Lecture 27: Security All slides IG Security Threats Leakage Unauthorized access to service or data E.g., Someone knows your
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Identification (User Authentication) Fiat-Shamir Scheme Lecture 12 Tel-Aviv University 4 January 2010 Model and Major Issues Alice wishes to prove to Bob
More informationModern cryptography 2. CSCI 470: Web Science Keith Vertanen
Modern cryptography 2 CSCI 470: Web Science Keith Vertanen Modern cryptography Overview Asymmetric cryptography Diffie-Hellman key exchange (last time) Pubic key: RSA Pretty Good Privacy (PGP) Digital
More informationChapter 8 Security. Computer Networking: A Top Down Approach. 6 th edition Jim Kurose, Keith Ross Addison-Wesley March 2012
Chapter 8 Security A note on the use of these ppt slides: We re making these slides freely available to all (faculty, students, readers). They re in PowerPoint form so you see the animations; and can add,
More informationPassword Authenticated Key Exchange by Juggling
A key exchange protocol without PKI Feng Hao Centre for Computational Science University College London Security Protocols Workshop 08 Outline 1 Introduction 2 Related work 3 Our Solution 4 Evaluation
More informationSequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations
Sequential Aggregate Signatures with Lazy Verification from Trapdoor Permutations Kyle Brogle 1 Sharon Goldberg 2 Leo Reyzin 2 1 Stanford University; work done while at Boston University 2 Boston University
More informationCS 332 Computer Networks Security
CS 332 Computer Networks Security Professor Szajda Last Time We talked about mobility as a matter of context: How is mobility handled as you move around a room? Between rooms in the same building? As your
More informationFall 2010/Lecture 32 1
CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol
More informationRemote E-Voting System
Remote E-Voting System Crypto2-Spring 2013 Benjamin Kaiser Jacob Shedd Jeremy White Phases Initialization Registration Voting Verifying Activities Trusted Authority (TA) distributes 4 keys to Registrar,
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationPrivacy, Discovery, and Authentication for the Internet of Things
Privacy, Discovery, and Authentication for the Internet of Things David J. Wu Ankur Taly Asim Shankar Dan Boneh Stanford University Google Google Stanford University The Internet of Things (IoT) Lots of
More informationCrypto Background & Concepts SGX Software Attestation
CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 Lecture 4b Slide deck extracted from Kamran s tutorial on SGX, presented during ECE 6095 Spring 2017 on Secure Computation and Storage, a precursor to this course
More informationMore crypto and security
More crypto and security CSE 199, Projects/Research Individual enrollment Projects / research, individual or small group Implementation or theoretical Weekly one-on-one meetings, no lectures Course grade
More informationCryptographic protocols
Cryptographic protocols Lecture 3: Zero-knowledge protocols for identification 6/16/03 (c) Jussipekka Leiwo www.ialan.com Overview of ZK Asymmetric identification techniques that do not rely on digital
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More informationIntroduction to Cryptography (cont.)
CSE 484 / CSE M 584 (Autumn 2011) Introduction to Cryptography (cont.) Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee,
More informationTest 2 Review. 1. (10 points) Timestamps and nonces are both used in security protocols to prevent replay attacks.
Test 2 Review Name Student ID number Notation: {X} Bob Apply Bob s public key to X [Y ] Bob Apply Bob s private key to Y E(P, K) Encrypt P with symmetric key K D(C, K) Decrypt C with symmetric key K h(x)
More information1 A Tale of Two Lovers
CS 120/ E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Dec. 12, 2006 Lecture Notes 19 (expanded): Secure Two-Party Computation Recommended Reading. Goldreich Volume II 7.2.2, 7.3.2, 7.3.3.
More informationCS3235 Seventh set of lecture slides
CS3235 Seventh set of lecture slides Hugh Anderson National University of Singapore School of Computing October, 2007 Hugh Anderson CS3235 Seventh set of lecture slides 1 Warp 9... Outline 1 Public Key
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationPublic Key Cryptography and the RSA Cryptosystem
Public Key Cryptography and the RSA Cryptosystem Two people, say Alice and Bob, would like to exchange secret messages; however, Eve is eavesdropping: One technique would be to use an encryption technique
More informationAdvanced Crypto. 2. Public key, private key and key exchange. Author: Prof Bill Buchanan
Advanced Crypto 2. Public key, private key and key exchange. Bob Alice Key Entropy. Key generators. Private key (AES, Twofish, CAST, IDEA, Blowfish, DES, 3DES, RC2, RC4/RC5, Skipjack, Camellia, Affine).
More informationkey distribution requirements for public key algorithms asymmetric (or public) key algorithms
topics: cis3.2 electronic commerce 24 april 2006 lecture # 22 internet security (part 2) finish from last time: symmetric (single key) and asymmetric (public key) methods different cryptographic systems
More informationSchool of Computer Science
se permitted in this examination School of Computer Science Undergraduate Occasional Computer Science/Software Engineering Degree of MSc Advanced Computer Science Computer Security Intelligent Systems
More informationDawn Song
1 Secret-Sharing & Zero-knowledge Proof Dawn Song dawnsong@cs.berkeley.edu Review DH key exchange protocol Password authentication protocol Random number generation 2 Lessons Learned Seeds must be unpredictable
More informationKey Protection for Endpoint, Cloud and Data Center
Key Protection for Endpoint, Cloud and Data Center ENCRYPTION IS ONLY AS SECURE AS ITS LEAST SECURE KEY Encryption is undoubtedly one of the pillars of information security. It is used everywhere today:
More informationECE 646 Lecture 3. Key management. Required Reading. Using the same key for multiple messages
ECE 646 Lecture 3 Key management Required Reading Stallings, Cryptography and Network Security: Principles and Practice, 5/E or 6/E Chapter 14 Key Management and Distribution Using the same key for multiple
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationThe Network Security Model. What can an adversary do? Who might Bob and Alice be? Computer Networks 12/2/2009. CSC 257/457 - Fall
The Network Security Model Bob and lice want to communicate securely. Trudy (the adversary) has access to the channel. Kai Shen lice data channel secure sender data, control s secure receiver Bob data
More informationDelegatability of an Identity Based Strong Designated Verifier Signature Scheme
INFORMATICA, 2010, Vol. 21, No. 1, 117 122 117 2010 Institute of Mathematics and Informatics, Vilnius Delegatability of an Identity Based Strong Designated Verifier Signature Scheme Xun SUN 1,2, Jianhua
More information