Part III TLS 1.3 and other Protocols
|
|
- Iris Wiggins
- 5 years ago
- Views:
Transcription
1 Part III TLS 1.3 and other Protocols 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1
2 Marc Fischlin BIU Winter School TLS 1.3
3 Development of SSL/TLS SSL=Secure Socket Layer TLS=Transport Layer Security SSL 2.0 (Netscape) SSL 3.0 TLS 1.0 SSL 3.1 TLS 1.1 TLS 1.2 TLS ? SSL1.0 never published (security problems) non-proprietary branch new crypto algorithms SSL 2.0 dropped because of security problems small improvements completely revised protocol Marc Fischlin BIU Winter School
4 The Path to TLS Marc Fischlin BIU Winter School
5 TLS 1.3: (EC)DHE-Handshake Overview ClientHello ClientKeyShare handshake key ServerHello ServerKeyShare {ServerConfiguration*} {ServerCertificate*} {ServerCertificateVerify*} {ServerFinished} handshake key channel key {ClientCertificate*} {ClientCertificateVerify*} {ClientFinished} channel key Marc Fischlin BIU Winter School
6 TLS 1.3: (EC)DHE-Handshake (Crypto Details) CH CKS handshake key SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key {Client} CCert* {ClientC} CCertV* {Cl} CF derived from handshake key channel key Marc Fischlin BIU Winter School
7 TLS 1.3: (EC)DHE-Handshake (Crypto Details) CH CKS handshake key client hs traffic key server hs traffic key client MAC key server MAC key exporter EMS resumption RMS client app traffic key server app traffic key channel key (master secret) {Client} CCert* {ClientC} CCertV* {Cl} CF SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key client hs traffic key server hs traffic key client MAC key server MAC key exporter EMS resumption RMS client app traffic key server app traffic key channel key (master secret) Marc Fischlin BIU Winter School
8 Pre-Shared Key (PSK) Variant PSK ClientHello ClientKeyShare* early_data psk_key_exchange_modes pre_shared_key PSK ServerHello ServerKeyShare* pre_shared_key {EncryptedExtensions} {ServerFinished} externally or from RMS Marc Fischlin Presentation Deutsche Bank March 14th,
9 Analysis of Unilateral DH Case Dowling, Fischlin, Günther, Stebila: A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates, CCS 2015 (eprint) simplification here: no encryption in handshake and ignore finished MACs (Warning: full analysis much more complicated and needs PRF-ODH assumption) Marc Fischlin BIU Winter School
10 Analysis of Unilateral DH Case: Strategy Analysis according to case distinction: 1. Adversary tests client session without partner 2. Adversary tests server session without partner 3. Adversary tests session with partner Marc Fischlin BIU Winter School
11 Analysis of Unilateral DH Case: Case 1 TEST session client w/o partner no partner session by assumption Marc Fischlin BIU Winter School S has never signed sid + authenticated partner S must not be corrupt adversary must have forged signature for S to make client accept
12 Analysis of Unilateral DH Case: Case 2 server w/o partner TEST session not allowed by definition of unilaterally authenticated protocols Marc Fischlin BIU Winter School
13 Analysis of Unilateral DH Case: Case 3 TEST session test with partner TEST session two honest parties have chosen g x resp. g y in test session adversary must compute g xy from g x and g y Marc Fischlin BIU Winter School
14 Other Security Properties (and Other Protocols) Marc Fischlin BIU Winter School
15 How to (not) Authenticate Anonymous Protocols Unauthenticated Key Exchange Authentication pid =certificate Marc Fischlin BIU Winter School
16 Key Secrecy TEST session Unauthenticated Key Exchange Authentication partner C must not be corrupt Sig scheme secure can only have been created by C for its g x and my g y Adversary cannot compute g xy pid =certificate Marc Fischlin BIU Winter School
17 Unknown-Key-Share (UKS) Attack Blake-Wilson, Menezes: Unknown Key-Share Attacks on the Station-to-Station (STS) Protocol, PKC 99 Believes to share key K with E Believes to share key K with C Marc Fischlin BIU Winter School
18 Secure and Insecure??? Security guarantees of authenticated key exchange: At most one other party ( 1) holds the session key (and for authenticated cases, if intended partner is honest then it is that party) Believes to share key K with E Also true: only S knows key (but not E), and intended partner E is corrupt Believes to share key K with C Obviously true Marc Fischlin BIU Winter School
19 Thwarting UKS Attacks Bind intended partner identity into authentication Bind intended partner identity into key derivation (or via MACs) (and sid = entire transcript) Examples: ISO/IEC (KE version) IKEv2 in IPSec TLS 1.3 Example: TLS 1.3 Marc Fischlin BIU Winter School
20 ISO/IEC (augmented by KE / SIG-DH) pid =certificate Marc Fischlin BIU Winter School
21 ISO/IEC Resistance against UKS E would need forgery pid =certificate Marc Fischlin BIU Winter School
22 TLS 1.3 and UKS-Resistance CH CKS handshake key Uses MAC over derived key SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key {Client} CCert* {ClientC} CCertV* {Cl} CF Uses identities in key derivation channel key Marc Fischlin BIU Winter School
23 Key Compromise Impersonation (KCI) Attack Blake-Wilson, Johnson, Menezes: Key Agreement Protocols and Their Security Analysis, IMA Corrupt client s long-term secret 2. Impersonate towards client as server Can be mounted in real life (here: specific TLS 1.2 sub protocol) Marc Fischlin BIU Winter School
24 TLS 1.2 (static DH) and KCIs Adversary knowing x can compute (g y ) x from server s public key g y Marc Fischlin BIU Winter School
25 TLS 1.3 and KCI-Resistance CH CKS handshake key Knowledge of client s signing key does not help to forge server signature channel key {Client} CCert* {ClientC} CCertV* {Cl} CF SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key Marc Fischlin BIU Winter School
26 Attacks on the State {pk uid } (id, msg) next-msg SEND id a K b id K id uid TEST b REVEAL What if adversary breaks into computer and also finds ephemeral keys or randomness? sk uid COR- RUPT Marc Fischlin BIU Winter School
27 Canetti, Krawczyk: Analysis of Key-Exchange Protocols and Their Use for Building, Eurocrypt 2001 CK and eck Security LaMacchia, Lauter, Mityagin: Stronger security of authenticated key exchange. ProvSec 2007 {pk uid } (id, msg) next-msg id SEND CK model: session state reveals (but not in TEST session) K b id TEST b CK/HMQV model: CK+KCI a K id uid sk uid REVEAL COR- RUPT extended CK (eck): ephemeral key reveal +KCI id r id Session STATE REVEAL or Eph. Key REVEAL example: NAXOS protocol Marc Fischlin BIU Winter School
28 TLS 1.3 and eck-vulnerability CH CKS handshake key Knowledge of ephemeral key breaks security channel key {Client} CCert* {ClientC} CCertV* {Cl} CF SH SKS {ation*} SConf* {icate*} SCert* {Verify*} SCertV* {ed} SF handshake key channel key Marc Fischlin BIU Winter School
29 Teaser for the Break Explain why KCI attacks are, per se, not covered by BR key secrecy. Marc Fischlin BIU Winter School
Felix Günther. Technische Universität Darmstadt, Germany. joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates The main modes, 0-RTT, and replays Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin,
More informationPart II Bellare-Rogaway Model (Active Adversaries)
Part II Bellare-Rogaway Model (Active Adversaries) 8th BIU Winter School on Key Exchange, 2018 Marc Fischlin 13. Oktober 2010 Dr.Marc Fischlin Kryptosicherheit 1 Active Attacks Adversary may tamper, drop,
More informationA Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates. Felix Günther. Technische Universität Darmstadt, Germany
A Cryptographic Analysis of the TLS 1.3 Handshake Protocol Candidates Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin, and Douglas Stebila April
More informationA Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol. Felix Günther. Technische Universität Darmstadt, Germany
A Cryptographic Analysis of the TLS 1.3 draft-10 Full and Pre-shared Key Handshake Protocol Felix Günther Technische Universität Darmstadt, Germany joint work with Benjamin Dowling, Marc Fischlin, and
More informationModelling the Security of Key Exchange
Modelling the Security of Key Exchange Colin Boyd including joint work with Janaka Alawatugoda, Juan Gonzalez Nieto Department of Telematics, NTNU Workshop on Tools and Techniques for Security Analysis
More informationA modified eck model with stronger security for tripartite authenticated key exchange
A modified eck model with stronger security for tripartite authenticated key exchange Qingfeng Cheng, Chuangui Ma, Fushan Wei Zhengzhou Information Science and Technology Institute, Zhengzhou, 450002,
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationTLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key
TLS 1.3 Extension for Certificate-based Authentication with an External Pre-Shared Key draft-housley-tls-tls13-cert-with-extern-psk Russ Housley TLS WG at IETF 102 July 2018 TLS 1.3 Authentication and
More informationOverview of TLS v1.3 What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Solution Architect / Principal Design Engineer. On Worldpay ecommerce Payment Gateways. Based in Cambridge, UK.
More informationTLS 1.3. Eric Rescorla Mozilla IETF 92 TLS 1
TLS 1.3 Eric Rescorla Mozilla ekr@rtfm.com IETF 92 TLS 1 Changes since -03 draft-05 Prohibit SSL negotiation for backwards compatibility. Fix which MS is used for exporters. draft-04 Modify key computations
More informationTLS 1.3: A Collision of Implementation, Standards, and Cryptography
TLS 1.3: A Collision of Implementation, Standards, and Cryptography Eric Rescorla Mozilla ekr@rtfm.com TLS 1.3 1 TLS 1.3 Objectives Clean up: Remove unused or unsafe features Security: Improve security
More informationfor Compound Authentication
Verified Contributive Channel Bindings for Compound Authentication Antoine Delignat-Lavaud, Inria Paris Joint work with Karthikeyan Bhargavan and Alfredo Pironti Motivation: Authentication Composition
More informationOn Robust Key Agreement Based on Public Key Authentication
On Robust Key Agreement Based on Public Key Authentication (Short Paper) Feng Hao Thales E-Security, Cambridge, UK feng.hao@thales-esecurity.com Abstract. We describe two new attacks on the HMQV protocol.
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationKey Establishment. Colin Boyd. May Department of Telematics NTNU
1 / 57 Key Establishment Colin Boyd Department of Telematics NTNU May 2014 2 / 57 Designing a Protocol Outline 1 Designing a Protocol 2 Some Protocol Goals 3 Some Key Agreement Protocols MTI Protocols
More informationON THE SECURITY OF TLS RENEGOTIATION
ON THE SECURITY OF TLS RENEGOTIATION 2012/11/02 QUT Douglas Stebila European Network of Excellence in Cryptology II (ECRYPT II) Australian Technology Network German Academic Exchange Service (ATN-DAAD)
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2014
Network Security: TLS/SSL Tuomas Aura T-110.5241 Network security Aalto University, Nov-Dec 2014 Outline 1. Diffie-Hellman key exchange (recall from earlier) 2. Key exchange using public-key encryption
More informationTransport Layer Security
Cryptography and Security in Communication Networks Transport Layer Security ETTI - Master - Advanced Wireless Telecommunications Secure channels Secure data delivery on insecure networks Create a secure
More informationBeyond eck: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal
Beyond eck: Perfect Forward Secrecy under Actor Compromise and Ephemeral-Key Reveal Cas Cremers and Michèle Feltz Institute of Information Security ETH Zurich, Switzerland Abstract. We show that it is
More informationSecurity Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents
Security Analysis of the Extended Access Control Protocol for Machine Readable Travel Documents Özgür Dagdelen 1 and Marc Fischlin 2 1 Center for Advanced Security Research Darmstadt - CASED oezguer.dagdelen@cased.de
More informationGeneric Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model
Generic Transformation of a CCA2-Secure Public-Key Encryption Scheme to an eck-secure Key Exchange Protocol in the Standard Model Janaka Alawatugoda Department of Computer Engineering University of Peradeniya,
More informationSecurity Analysis of the Authentication Modules of Chinese WLAN Standard and Its Implementation Plan*
Security Analysis of the Authentication Modules of Chinese WLAN Standard and Its Implementation Plan* Xinghua Li 1,2, Jianfeng Ma 1, and SangJae Moon 2 1 Key Laboratory of Computer Networks and Information
More informationUniversität Hamburg. SSL & Company. Fachbereich Informatik SVS Sicherheit in Verteilten Systemen. Security in TCP/IP. UH, FB Inf, SVS, 18-Okt-04 2
Universität Hamburg SSL & Company Fachbereich Informatik SVS Sicherheit in Verteilten Systemen Security in TCP/IP UH, FB Inf, SVS, 18-Okt-04 2 SSL/TLS Overview SSL/TLS provides security at TCP layer. Uses
More informationKey Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2. Cas Cremers, ETH Zurich
Key Exchange in IPsec revisited: Formal Analysis of IKEv1 and IKEv2 Cas Cremers, ETH Zurich Overview What is IKE? Internet Key Exchange, part of IPsec Formal analysis of IKE Previously considered infeasible
More informationOPTLS and TLS 1.3. Hugo Krawczyk, Hoeteck Wee. TRON Workshop 2/21/2016
OPTLS and TLS 1.3 Hugo Krawczyk, Hoeteck Wee TRON Workshop 2/21/2016 1 Plan Explain OPTLS approach and modes (handshake only) Highlight protocol concept and simplicity Common logic to all protocol modes
More informationSecurity Analysis of KEA Authenticated Key Exchange Protocol
Security Analysis of KEA Authenticated Key Exchange Protocol Kristin Lauter 1 and Anton Mityagin 2 1 Microsoft Research, One Microsoft Way, Redmond, WA 98052 klauter@microsoft.com 2 Department of Computer
More informationPAijpam.eu A STUDY ON DIFFIE-HELLMAN KEY EXCHANGE PROTOCOLS Manoj Ranjan Mishra 1, Jayaprakash Kar 2
International Journal of Pure and Applied Mathematics Volume 114 No. 2 2017, 179-189 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu doi: 10.12732/ijpam.v114i2.2
More informationHistory. TLS 1.3 Draft 26 Supported in TMOS v14.0.0
PRESENTED BY: History SSL developed by Netscape SSLv1.0 Never released SSLv2.0 1995 SSLv3.0 1996 Moved governance to the IETF and renamed TLS TLSv1.0 1999 TLSv1.1 2006 TLSv1.2 2008 TLSv1.3 2018 TLS 1.3
More informationSecurity Arguments for the UM Key Agreement Protocol in the NIST SP A Standard
Security Arguments for the UM Key Agreement Protocol in the NIST SP 800-56A Standard Alfred Menezes Department of Combinatorics & Optimization University of Waterloo, Canada ajmeneze@uwaterloo.ca Berkant
More informationComing of Age: A Longitudinal Study of TLS Deployment
Coming of Age: A Longitudinal Study of TLS Deployment Accepted at ACM Internet Measurement Conference (IMC) 2018, Boston, MA, USA Platon Kotzias, Abbas Razaghpanah, Johanna Amann, Kenneth G. Paterson,
More informationFormally Analyzing the TLS 1.3 proposal
Bachelor Thesis Formally Analyzing the TLS 1.3 proposal Student: Vincent Stettler Student ID: 12-932-661 Supervisor: Ralf Sasse Professor: David Basin Submission date: 03.07.2016 Abstract The goal of this
More informationSecurely Deploying TLS 1.3. September 2017
Securely Deploying TLS 1.3 September 2017 Agenda Why TLS 1.3? Zero Round Trip Time (0-RTT) requests Forward secrecy Resumption key management Why TLS 1.3? Speed TLS impacts latency, not thoroughput Protocol
More informationUnderstand the TLS handshake Understand client/server authentication in TLS. Understand session resumption Understand the limitations of TLS
Last Updated: Oct 31, 2017 Understand the TLS handshake Understand client/server authentication in TLS RSA key exchange DHE key exchange Explain certificate ownership proofs in detail What cryptographic
More informationMTAT Applied Cryptography
MTAT.07.017 Applied Cryptography Transport Layer Security (TLS) Advanced Features University of Tartu Spring 2016 1 / 16 Client Server Authenticated TLS ClientHello ServerHello, Certificate, ServerHelloDone
More informationOn Robust Key Agreement Based on Public Key Authentication
1 On Robust Key Agreement Based on Public Key Authentication Feng Hao School of Computing Science Newcastle University, UK feng.hao@ncl.ac.uk Abstract This paper discusses public-key authenticated key
More informationStrongly Secure Authenticated Key Exchange without NAXOS approach
Strongly Secure Authenticated Key Exchange without NAXOS approach Minkyu Kim, Atsushi Fujioka 2, and Berkant Ustaoğlu 2 ISaC and Department of Mathematical Sciences Seoul National University, Seoul 5-747,
More informationOverview of TLS v1.3. What s new, what s removed and what s changed?
Overview of TLS v1.3 What s new, what s removed and what s changed? About Me Andy Brodie Worldpay Principal Design Engineer. Based in Cambridge, UK. andy.brodie@owasp.org Neither a cryptographer nor a
More informationBilateral Unknown Key-Share Attacks in Key Agreement Protocols
Bilateral Unknown Key-Share Attacks in Key Agreement Protocols Liqun Chen Hewlett-Packard Laboratories Filton Road, Bristol BS34 8QZ, UK liqun.chen@hp.com Qiang Tang Département d Informatique, École Normale
More informationReplay Attacks on Zero Round-Trip Time: The Case of the TLS 1.3 Handshake Candidates
A preliminary version of this paper appears in the proceedings of the 2nd IEEE European Symposium on Security and Privacy (EuroS&P 2017). This is the full version. Replay Attacks on Zero Round-Trip Time:
More informationInternet security and privacy
Internet security and privacy SSL/TLS 1 Application layer App. TCP/UDP IP L2 L1 2 Application layer App. SSL/TLS TCP/UDP IP L2 L1 3 History of SSL/TLS Originally, SSL Secure Socket Layer, was developed
More informationSecurity Protocols. Professor Patrick McDaniel CSE545 - Advanced Network Security Spring CSE545 - Advanced Network Security - Professor McDaniel
Security Protocols Professor Patrick McDaniel CSE545 - Advanced Network Security Spring 2011 CSE545 - Advanced Network Security - Professor McDaniel 1 Case Study: Host Access The first systems used telnet
More informationA Modular Security Analysis of the TLS Handshake Protocol
A Modular Security Analysis of the TLS Handshake Protocol P. Morrissey, N.P. Smart and B. Warinschi Abstract We study the security of the widely deployed Secure Session Layer/Transport Layer Security (TLS)
More informationNetwork Security: TLS/SSL. Tuomas Aura T Network security Aalto University, Nov-Dec 2010
Network Security: TLS/SSL Tuomas Aura T-110.5240 Network security Aalto University, Nov-Dec 2010 Outline 1. Diffie-Hellman 2. Key exchange using public-key encryption 3. Goals of authenticated key exchange
More informationChapter 4: Securing TCP connections
Managing and Securing Computer Networks Guy Leduc Chapter 5: Securing TCP connections Computer Networking: A Top Down Approach, 6 th edition. Jim Kurose, Keith Ross Addison-Wesley, March 2012. (section
More informationSECURITY & PRIVACY IN 3G/4G/ 5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD
SECURITY & PRIVACY IN 3G/4G/ 5G NETWORKS: THE AKA PROTOCOL WITH S.ALT, P.-A. FOUQUE, G. MACARIO-RAT, B. RICHARD ME, MYSELF, AND EMSEC Ø BSc. & MSc. Mathematics, TU Eindhoven Master thesis on multiparty
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationTLS1.2 IS DEAD BE READY FOR TLS1.3
TLS1.2 IS DEAD BE READY FOR TLS1.3 28 March 2017 Enterprise Architecture Technology & Operations Presenter Photo Motaz Alturayef Jubial Cyber Security Conference 70% Privacy and security concerns are
More informationRandomness Extractors. Secure Communication in Practice. Lecture 17
Randomness Extractors. Secure Communication in Practice Lecture 17 11:00-12:30 What is MPC? Manoj Monday 2:00-3:00 Zero Knowledge Muthu 3:30-5:00 Garbled Circuits Arpita Yuval Ishai Technion & UCLA 9:00-10:30
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationCSCE 715: Network Systems Security
CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Web Security Web is now widely used by business, government, and individuals But Internet and Web are
More informationKey Agreement Schemes
Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish
More informationTransport Layer Security
CEN585 Computer and Network Security Transport Layer Security Dr. Mostafa Dahshan Department of Computer Engineering College of Computer and Information Sciences King Saud University mdahshan@ksu.edu.sa
More informationAnonymity and one-way authentication in key exchange protocols
Designs, Codes and Cryptography manuscript No. (will be inserted by the editor) Anonymity and one-way authentication in key exchange protocols Ian Goldberg Douglas Stebila Berkant Ustaoglu January 5, 2012
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationStation-to-Station Protocol
Station-to-Station Protocol U V b U = α a U b U b V,y V b V = α a V y V = sig V (U b V b U ) y U = sig U (V b U b V ) y U Lecture 13, Oct. 22, 2003 1 Security Properties of STS the scheme is secure against
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationReal-time protocol. Chapter 16: Real-Time Communication Security
Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication
More informationE-commerce security: SSL/TLS, SET and others. 4.1
E-commerce security: SSL/TLS, SET and others. 4.1 1 Electronic payment systems Purpose: facilitate the safe and secure transfer of monetary value electronically between multiple parties Participating parties:
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1415/ Chapter 16: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1415/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec
More informationTHE WORLD OF TLS. Security, Attacks, TLS 1.3
THE WORLD OF TLS Security, Attacks, TLS 1.3 HTTPS:// AND FTPS:// AND. Have you done any of the following today? E-shopping: Amazon, Ebay, Audible, Checked your Email Visited a social networking site: Facebook,
More informationGroup Key Establishment Protocols
Group Key Establishment Protocols Ruxandra F. Olimid EBSIS Summer School on Distributed Event Based Systems and Related Topics 2016 July 14, 2016 Sinaia, Romania Outline 1. Context and Motivation 2. Classifications
More informationLecture 15 PKI & Authenticated Key Exchange. COSC-260 Codes and Ciphers Adam O Neill Adapted from
Lecture 15 PKI & Authenticated Key Exchange COSC-260 Codes and Ciphers Adam O Neill Adapted from http://cseweb.ucsd.edu/~mihir/cse107/ Today We will see how signatures are used to create public-key infrastructures
More informationAttacks on re-keying and renegotiation in Key Exchange Protocols
Eidgenössische Technische Hochschule Zürich Ecole polytechnique fédérale de Zurich Politecnico federale di Zurigo Federal Institute of Technology at Zurich Attacks on re-keying and renegotiation in Key
More informationMessage Authentication with MD5 *
Message Authentication with MD5 * Burt Kaliski and Matt Robshaw RSA Laboratories 100 Marine Parkway, Suite 500 Redwood City, CA 94065 USA burt@rsa.com matt@rsa.com Message authentication is playing an
More informationSession-state Reveal is stronger than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange protocol. (extended version)
Session-state Reveal is stronger than Ephemeral Key Reveal: Attacking the NAXOS Authenticated Key Exchange protocol (extended version) Cas J.F. Cremers Department of Computer Science, ETH Zurich 8092 Zurich,
More informationSSL Server Rating Guide
SSL Server Rating Guide version 2009k (14 October 2015) Copyright 2009-2015 Qualys SSL Labs (www.ssllabs.com) Abstract The Secure Sockets Layer (SSL) protocol is a standard for encrypted network communication.
More informationCS 6324: Information Security More Info on Key Establishment: RSA, DH & QKD
ERIK JONSSON SCHOOL OF ENGINEERING & COMPUTER SCIENCE Cyber Security Research and Education Institute CS 6324: Information Security Dr. Junia Valente Department of Computer Science The University of Texas
More informationHash Proof Systems and Password Protocols
Hash Proof Systems and Password Protocols II Password-Authenticated Key Exchange David Pointcheval CNRS, Ecole normale supe rieure/psl & INRIA 8th BIU Winter School Key Exchange February 2018 CNRS/ENS/PSL/INRIA
More informationProtecting TLS from Legacy Crypto
Protecting TLS from Legacy Crypto http://mitls.org Karthikeyan Bhargavan + many, many others. (INRIA, Microsoft Research, LORIA, IMDEA, Univ of Pennsylvania, Univ of Michigan, JHU) Popular cryptographic
More informationSSL/TLS CONT Lecture 9a
SSL/TLS CONT Lecture 9a COMPSCI 726 Network Defence and Countermeasures Muhammad Rizwan Asghar August 11, 2017 Source of some slides: University of Twente 2 HANDSHAKE PROTOCOL: KEY EXCHANGE AND AUTHENTICATION
More informationLehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München. ilab. Lab 8 SSL/TLS and IPSec
Lehrstuhl für Netzarchitekturen und Netzdienste Fakultät für Informatik Technische Universität München ilab Lab 8 SSL/TLS and IPSec Outlook: On Layer 4: Goal: Provide security for one specific port SSL
More informationTightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem
Open Access Library Journal 016, Volume 3, e3033 ISSN Online: 333-971 ISSN Print: 333-9705 Tightly-Secure Authenticated Key Exchange without NAXOS Approach Based on Decision Linear Problem Mojahed Mohamed
More informationSecurity Association Creation
1 Security Association Creation David L. Black November 2006 2 The Big Picture: Three Proposals Framework: 06-369 specifies Security Associations (SAs) Connect key generation to key usage (and identify
More informationProtocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE i, IEEE 802.1X P2.
P2 Protocols, Technologies and Standards Secure network protocols for the OSI stack P2.1 WLAN Security WPA, WPA2, IEEE 802.11i, IEEE 802.1X P2.2 IP Security IPsec transport mode (host-to-host), ESP and
More informationFSU: Identity-based Authenticated Key Exchange
FSU: Identity-based Authenticated Key Exchange draft-kato-fsu-key-exchange-00.txt draft-kato-optimal-ate-pairings-00.txt draft-kasamatsu-bncurves-01.txt KATO, Akihiro NTT Software Corp CFRG, IETF 94, Yokohama
More informationPreventing Attackers From Using Verifiers: A-PAKE With PK-Id
Preventing Attackers From Using Verifiers: A-PAKE With PK-Id Sean Parkinson (sean.parkinson@rsa.com) RSA, The Security Division of EMC Session ID: ARCH R02 Session Classification: Advanced Outline Introduction
More informationWAP Security. Helsinki University of Technology S Security of Communication Protocols
WAP Security Helsinki University of Technology S-38.153 Security of Communication Protocols Mikko.Kerava@iki.fi 15.4.2003 Contents 1. Introduction to WAP 2. Wireless Transport Layer Security 3. Other WAP
More informationA Standard- Model Security Analysis of TLS- DHE
A Standard- Model Security Analysis of TLS- DHE Tibor Jager 1, Florian Kohlar 2, Sven Schäge 3, and Jörg Schwenk 2 1 Karlsruhe Ins-tute of Technology 2 Horst Görtz Ins-tute for IT Security, Bochum 3 University
More informationExpires: September 10, 2015 Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015
Network Working Group Internet-Draft Expires: September 10, 2015 K. Bhargavan A. Delignat-Lavaud A. Pironti Inria Paris-Rocquencourt A. Langley Google Inc. M. Ray Microsoft Corp. March 9, 2015 Transport
More informationInternet Security. - IPSec, SSL/TLS, SRTP - 29th. Oct Lee, Choongho
Internet Security - IPSec, SSL/TLS, SRTP - 29th. Oct. 2007 Lee, Choongho chlee@mmlab.snu.ac.kr Contents Introduction IPSec SSL / TLS SRTP Conclusion 2/27 Introduction (1/2) Security Goals Confidentiality
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationTransport Level Security
2 Transport Level Security : Security and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l12, Steve/Courses/2013/s2/css322/lectures/transport.tex,
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationIntroduction to cryptology (GBIN8U16) Introduction
Introduction to cryptology (GBIN8U16) Introduction Pierre Karpman pierre.karpman@univ-grenoble-alpes.fr https://www-ljk.imag.fr/membres/pierre.karpman/tea.html 2018 01 24 Introduction 2018 01 24 1/27 First
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationSecurity Protocols and Infrastructures. Winter Term 2010/2011
Winter Term 2010/2011 Chapter 4: Transport Layer Security Protocol Contents Overview Record Protocol Cipher Suites in TLS 1.2 Handshaking Protocols Final Discussion 2 Contents Overview Record Protocol
More informationsymmetric cryptography s642 computer security adam everspaugh
symmetric cryptography s642 adam everspaugh ace@cs.wisc.edu computer security Announcement Midterm next week: Monday, March 7 (in-class) Midterm Review session Friday: March 4 (here, normal class time)
More informationContinuous After-the-fact Leakage-Resilient Key Exchange (full version)
Continuous After-the-fact Leakage-Resilient Key Exchange (full version) Janaka Alawatugoda 1 Colin Boyd 3 Douglas Stebila 1,2 1 School of Electrical Engineering and Computer Science, Queensland University
More informationNoise Protocol Framework. Trevor Perrin
Noise Protocol Framework Trevor Perrin Cryptography Public Key (DH, RSA, ECC etc) Symmetric Key (AES etc) AKE Authenticated Key Exchange (or Agreement) Goals Shared symmetric key Authentication Forward
More informationBilateral Unknown Key-Share Attacks in Key Agreement Protocols
Journal of Universal Computer Science, vol. 14, no. 3 (2008), 416-440 submitted: 2/6/07, accepted: 1/11/07, appeared: 1/2/08 J.UCS Bilateral Unknown Key-Share Attacks in Key Agreement Protocols Liqun Chen
More informationRefining Computationally Sound Mech. Proofs for Kerberos
Refining Computationally Sound Mechanized Proofs for Kerberos Bruno Blanchet Aaron D. Jaggard Jesse Rao Andre Scedrov Joe-Kai Tsay 07 October 2009 Protocol exchange Meeting Partially supported by ANR,
More informationComputer Security 3e. Dieter Gollmann. Security.di.unimi.it/sicurezza1516/ Chapter 16: 1
Computer Security 3e Dieter Gollmann Security.di.unimi.it/sicurezza1516/ Chapter 16: 1 Chapter 16: Communications Security Chapter 16: 2 Agenda Threat model Secure tunnels Protocol design principles IPsec
More informationMulti-Stage Key Exchange and the Case of Google s QUIC Protocol
A preliminary version of this paper appears in the proceedings of the 21st ACM Conference on Computer and Communications Security (CCS 2014), DOI: 10.1145/2660267.2660308. This is the full version. Multi-Stage
More informationA messy state of the union:
A messy state of the union: Taming the Composite State Machines of TLS http://smacktls.com Benjamin Beurdouche, Karthikeyan Bhargavan, Antoine Delignat-Lavaud, Cédric Fournet, Markulf Kohlweiss, Alfredo
More informationSummary on Crypto Primitives and Protocols
Summary on Crypto Primitives and Protocols Levente Buttyán CrySyS Lab, BME www.crysys.hu 2015 Levente Buttyán Basic model of cryptography sender key data ENCODING attacker e.g.: message spatial distance
More informationPractical Issues with TLS Client Certificate Authentication
Practical Issues with TLS Client Certificate Authentication Arnis Parsovs February 26, 2014 1 / 10 Motivation 2 / 10 Motivation Problems with password authentication: 2 / 10 Motivation Problems with password
More informationSecure Socket Layer. Security Threat Classifications
Secure Socket Layer 1 Security Threat Classifications One way to classify Web security threats in terms of the type of the threat: Passive threats Active threats Another way to classify Web security threats
More information