Simple Security Protocols
|
|
- Sara Malone
- 5 years ago
- Views:
Transcription
1 What is a Protocol? Monday, December 4, 2012 eading: S&M Ch. 9; Schneier Chs. 2-4; Kaufman, Perlman, & Speciner, Ch. 11; Anderson, Ch 3 CS342 Computer Security Department of Computer Science Wellesley College Schneier s definition: A protocol is a series of steps, involving two or more parties, designed to accomplish a task. Computational examples: o low-level network protocols (UDP, TCP, IP) o higher-level communication protocols (HTTP, SMTP, SSL, FTP) o authentication (SSH, Kerberos) o public key infrastructure (PKI) o electronic voting o electronic money 24-2 Simple Noncomputational Protocol Examples Exchanging names when meeting for the first time: (holding out hand to ): Hi, I m. (shakes s hand): I m. Pleased to meet you. Conversation ensues. Establishing a phone conversation: dials s phone number. (answering ringing phone): Hello. : May I please speak to? : This is. Who s calling? : This is. Probabilistic Protocol for Pot-Luck Dinner is planning a pot-luck dinner party with a large group of friends. When is it? Who brings what? (Don t want only desserts!) o Many protocols for this problem involve a large number of messages. o Here s a simple protocol in which broadcasts a single message to all friends and need no responses: I m holding a pot-luck dinner party at my house on Sat. Oct. 16 at 7pm. Please come if you can make it. In order determine what kind of dish to bring, please flip two coins: if both are heads, bring an appetizer or salad; if both are tails, bring a dessert; otherwise (one head, one tail), bring a main dish
2 Bicycle Transfer Protocol and both work at Wellesley, but are never on campus at the same time. wants to transfer her bicycle to at Wellesley. How can she accomplish this in the following scenarios? o Both and have keyed bicycle locks. o has a keyed bicycle lock. o Neither nor has a bicycle lock. Computational Protocol Building Blocks Symmetric-key encryption/decryption with key K: D(K, E(K, M)) = M One-way hash function H (can be combined with key for signature). Public-key cryptography: D(Kpriv, E(Kpub, M)) = M Some public key systems (e.g. SA) even have commutativity, a la two-lock bicycle transfer protocol: D(Kpriv1, E(Kpub2, E(Kpub1, M))) = E(Kpub2, M) if the two key pairs share the same n (bad idea!) Public-key signatures: E(Kpub, D(Kpriv, M)) = M (not all PK systems, but SA has) Timestamps Sequence Numbers Nonces Timestamps, Sequence Numbers, and Nonces Protocol messages often contain numbers that distinguish messages or serve to foil various attacks: o Timestamps: Include the current time in a message to foil replay attacks. equires participants have synchronized clocks, which can be challenging (maintained by other protocols). Subject to clock-resetting attacks. Protocol Example: Electronic Coin Flip and are in separate locations but want to flip a coin fairly. I.e., both of and win/lose a flip with 50% probability. How can they do this? Note: In this protocol, we aren t worried about Eve or. o Sequence Numbers: Include a sequence number to foil replay attacks. Problem: attacker can determine next number from previous. o Nonces = values used once (e.g., for unique IDs, challenges) Typically a large random number, since hard for attacker to guess. Timestamps and sequence numbers are often inappropriate, since easy for attackers to guess
3 Coin Flipping with Simple Encryption Coin Flipping with Simple Encryption: Discussion 1. sends nonce to. 2. generates random bit b and random key K and sends E(K, <, b>) to. 3. guesses that s bit is b and sends this to. (He wins if b = b and loses otherwise.) 4. now knows whether she won or lost; she sends K to. 5. calculates D(K, E(K, <, b>)) = <, b> and now knows whether he won or lost. E(K, <,b>) b K o commits to b before guesses. She cannot change her mind after guesses. o does not know b choice before he guesses, but can verify b after he guesses. o We assume both and play by the rules. If not: If loses, she can: 1. claim sent her the wrong bit b 2. refuse to send him K or send him the wrong K, so he can t verify he won. If loses, he can: 1. claim he sent the winning bit instead; or E(K, <,b>) b K 2. claim that the he finds in the last step is not the one he sent Coin Flipping with Hashing 1. chooses nonce and sends H() to. 2. guesses whether is even or odd, and sends guess (b) to. 3. now knows whether she won or lost; she sends to. 4. verifies H() = h and now knows whether he won or lost. Notes: This depends on and H() having uncorrelated even/oddness. Again, commits to a choice () before guesses; she cannot change her mind after guesses. Again, does not know s choice before he guesses, but can verify her choice after the guess. Again, both and have to play by the rules. H() b Zero-Knowledge Protocol Idea: Convince someone that you know a secret without telling them what you know. Afterwards, they are convinced you know the secret, but they have no knowledge of what the secret actually is! 24-12
4 Zero-Knowledge Protocol: Ali Baba s Cave* Passage in cave splits into two-dead end paths. Thief claims to know magic words to get from one dead end to other. Test this probabilistically: 1. Thief randomly chooses path and enters it. (You don t see which.) 2. You flip coin, and ask him to come out of path determined by flip. If after a large number of trials he always succeeds, you are convinced he knows magic without learning the magic. * Quisquater and Guillou, How to Explain Zero-Knowledge Protocols to your Children, Zero-Knowledge Protocol in Practice Idea: convince someone that you have the solution to a computationally intractable problem without telling them the solution. E.g. Graph Isomorphism: claims to know isomorphism π between two large graphs G 1 and G 2. Easy to verify, but extremely hard to find. convinces she knows π without revealing it as follows: 1. generate a new graph G 3 that s isomorphic to G 1 and G 2. π G 1 G 2 2. Ask to pick which of π 1 and π 2 he wants to see. π 1 π 2 3. repeats this many times (generating a new graph each time). G 3 is convinced she knows π without gaining any knowledge about π itself One-Way vs. Two-Way (Mutual) Authentication One-Way Authentication: Plaintext Passwords One-Way Authentication In one-way authentication needs to be convinced that a conversation request from is really from. ( is often a remote server to which is logging in from a local computer.) < I m, password > Two-Way (Mutual) Authentication Both and need to be convinced about the authenticity of the other party. Attackers In both of these authentication situations, we do need to worry about Eve and, who might try to impersonate or. sends password in the clear to. FTP, telnet, and HTTP passwords actually work this way!. Attacks? Game Plan We ll first study one-way authentication and associated attacks. Then we ll move on to mutual authentication
5 One-Way Authentication: Hashed Passwords Password Interception < I m, H(password) > password < I m, H(password) > sends hash of password to, who compares it to his database of hashed passwords for all users. Benefits? Attacks? Man-in-the-Middle /Chess Grandmaster Attacks eplay Attack Many password interception techniques are examples of man-in-the-middle (MITM) attacks: impersonates to and to. message to message to message to message to < I m, H(password) > Eve < I m, H(password) > Eve can record encrypted password and later replay it. This is also known as the chess grandmaster attack: can play remote chess against grandmasters (white) and (black) at the same time and will win one game or draw both. How to foil replay attack?
6 Foiling eplay Attack One-Way Authentication: Encrypted Passwords o Timestamps/Sequence Numbers/Nonces but, as we ll see in more detail later, these have problems: timestamps require synchronization and might be guessable consecutive sequence numbers are obviously related < I m, E(K AB, password) > nonces must be remembered by. o Password Aging bad social properties; people try to circumvent. sends password encrypted with key K AB she shares with. how frequent to be effective deterrent? Note: E(K AB, password) is often written {password} K AB o One-time Passwords (OTP): has a sequence of passwords and uses each only once (they re nonreusable!). Benefits? how to generate password sequence? o how to synchronize and? Challenge-esponse: responds to new challenge from on each login. Attacks? OTP: Tokens (e.g., SA SecurID) SA SecurID token displays number determined from seed and time. User enters displayed number and PIN/password (two factors!), and info sent to central server (which also knows seed and time). OTP: Iterated Hashing (e.g., S/Key) One-way hash function H is used to generate sequence of n passwords from seed p 0 ; passwords p i = H(p i-1 ) are used in order p n-1, p n-2, Problems? Hardware tokens Software tokens Initialization p 0 < I m, n, H n (p 0 )> <n, H n (p 0 )> Authentication I m i p 0 P i-1 = H i-1 (p 0 ) <i, h i = H i (p 0 )> checks that h i = H(h i-1 ) I believe you re <i-1, h i-1 = H i-1 (p 0 )> Also known as Lamport s hash after its inventor, Leslie Lamport
7 Man-in-the-Middle (Small n) Attack on S/Key If can impersonate, she can present a challenge k i and then impersonate for (k i)+1 steps. One-Way Authentication: Challenge-esponse responds to nonce challenge from by encrypting or hashing with shared key K AB. p 0 I m k P k-1 = H k-1 (p 0 ) I m i k P i-1 = H i-k (p k-1 ) = H i-1 (p 0 ) <i, H i (p 0 )> I m E(K AB, ) or H( <K AB, > ) I believe you re <i-1, H i-1 (p 0 )> MITM Attack on Challenge-esponse I m E(K AB, ) or H( <K AB, > ) I m E(K AB, ) or H( <K AB, > ) Other Challenge-esponse Attacks Violated assumptions can lead to many attacks: Impersonation: Nothing authenticates, so can impersonate. Known Plaintext: Plaintext can help Eve figure out key K AB. Chosen Plaintext: As, can get to encrypt any M. MIG-in-the-Middle attack. described by Anderson: SAAF radar in Namibia E(K SAAF, ) Cuban MIG over Namibia E(K SAAF, ) Cuban radar in Angola E(K SAAF, ) SAAF jet over Angola Session Hijacking: hijacks conversation after initial handshake. Server Database Attack: may be able to find K AB (and thereby impersonate ) by attacking s database. Predictable Nonce: If nonce is a sequence number or coarse-grained timestamp, can replace by a later, obtain E(K AB, ) from, and use this to impersonate for later nonce. (This is impractical for fine-grained timestamp.) Moral: Cryptography not enough by itself must consider system in which it s used. (adia Perlman s talk on How to Build an Insecure System out of Perfectly Good Cryptography.) 24-28
8 Encrypted Challenge-esponse One-Message Encrypted Challenge-esponse I m E(K AB, ) More efficient, but: < I m, E(K AB, timestamp) > can t impersonate for unreplayable nonce (e.g., includes fine-grained timestamp) since she doesn t know K AB (unless she s MITM). If includes fine-grained timestamp, is authenticated too! Must use encryption rather than hash. Why? Solves chosen plaintext problem. As with regular challenge-response, this suffers from MITM attack, known-plaintext attack, session hijacking, server database attack, and predictable nonce attack. Predictable nonce attack even worse here, since needn t be involved for to impersonate her by guessing later is no longer authenticated if timestamp is course-grained, Eve can replay message to impersonate (unless keeps records of timestamps already used) if convinces to set his clock back, can replay old messages One-Way Authentication with Public Key Crypto Foiling Predictable Nonce & Known Plaintext I m E(K Apub, ) I m D(K Apriv, ) I m E(K AB, ) E(K AB +1, ) No shared secrets in s database, so addresses server database attack. Still suffers from impersonation, man-in-the-middle, session hijacking, known plaintext, and predictable nonce attacks. Nonce is always sent encrypted, so it s safe to use a predictable one. If nonce is unpredictable, foils known-plaintext attack. By impersonating, can get to encrypt or sign arbitrary messages! How to address this? How can these protocls be modified so that is authenticated?
9 Mutual Authentication Mutual Authentication as Two One-Ways o Many one-way authentication problems due to unauthenticated. o In practice, mutual authentication very important: are you ordering from Amazon or an Amazon impersonator? are you giving your personal info to Citibank or a phisher? are you sending embarrassing messages to friend or blackmailer? Mutual 1 Mutual 2 <, 1 > <E(K AB, 1 ), 2 > or <H(<K AB, 1 >), 2 > E(K AB, 2 ) or H(<K AB, 2 >) <, E(K AB, 1 ) > < 1, E(K AB, 2 )> 2 Vulnerable to same attacks for one-way protocols except impersonation Attempted Optimization of Mutual 1 Asymmetry Foils eplay Attack <, 2 > <, 1, E(K AB, 2 )> E(K AB, 1 ) <, 2 > < 1, E(K AB, 2 )> E(K AB +1, 1 ) Chosen Plaintext Attack eflection Attack <, M> <, 1, E(K AB, M)> Moral: Beware changing or designing protocols! Best to stick with well-studied ones. <, 2 > (session 1) <, 1, E(K AB, 2 )> (session 1) <, 1 > (session 2) E(K AB, 1 ) (session 1) <, 3, E(K AB, 1 )> (session 2) <, 2 0> < 1 1, E(K AB, 2 0)> E(K AB, 1 1)
10 ISO SC27 Mutual Authentication Protocol (S&M) < I m, 1 > <E(K AB, 1 ), E(K AB, 2 )> 2 Attacks? 24-37
Ideal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More information0/41. Alice Who? Authentication Protocols. Andreas Zeller/Stephan Neuhaus. Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken
0/41 Alice Who? Authentication Protocols Andreas Zeller/Stephan Neuhaus Lehrstuhl Softwaretechnik Universität des Saarlandes, Saarbrücken The Menu 1/41 Simple Authentication Protocols The Menu 1/41 Simple
More informationSecurity Handshake Pitfalls
Cryptographic Authentication Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationOutline More Security Protocols CS 239 Computer Security February 4, 2004
Outline More Security Protocols CS 239 Computer Security February 4, 2004 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationSecurity Handshake Pitfalls
Hello Challenge R f(k, R f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone can send the challenge R. f(k, R Problems: 1. Authentication is not mutual only authenticates Anyone
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationAuthentication Handshakes
AIT 682: Network and Systems Security Topic 6.2 Authentication Protocols Instructor: Dr. Kun Sun Authentication Handshakes Secure communication almost always includes an initial authentication handshake.
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 3.3: Security Handshake Pitfalls CSC 474/574 Dr. Peng Ning 1 Authentication Handshakes Secure communication almost always includes an initial authentication
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Security Handshake Pitfalls Login only Mutual
More informationOutline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange
Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and
More informationOutline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication
Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps
More informationDistributed Systems. 25. Authentication Paul Krzyzanowski. Rutgers University. Fall 2018
Distributed Systems 25. Authentication Paul Krzyzanowski Rutgers University Fall 2018 2018 Paul Krzyzanowski 1 Authentication For a user (or process): Establish & verify identity Then decide whether to
More informationCS November 2018
Authentication Distributed Systems 25. Authentication For a user (or process): Establish & verify identity Then decide whether to allow access to resources (= authorization) Paul Krzyzanowski Rutgers University
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationOther Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?
ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr 1 Cryptographic Authentication Password authentication is subject to eavesdropping Alternative: Cryptographic challenge-response
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationCIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols
CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate
More information6. Security Handshake Pitfalls Contents
Contents 1 / 45 6.1 Introduction 6.2 Log-in Only 6.3 Mutual Authentication 6.4 Integrity/Encryption of Data 6.5 Mediated Authentication (with KDC) 6.6 Bellovin-Merrit 6.7 Network Log-in and Password Guessing
More informationElements of Security
Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state
More informationNetwork Security CHAPTER 31. Solutions to Review Questions and Exercises. Review Questions
CHAPTER 3 Network Security Solutions to Review Questions and Exercises Review Questions. A nonce is a large random number that is used only once to help distinguish a fresh authentication request from
More informationCPSC 467b: Cryptography and Computer Security
Outline ZKIP Other IP CPSC 467b: Cryptography and Computer Security Lecture 19 Michael J. Fischer Department of Computer Science Yale University March 31, 2010 Michael J. Fischer CPSC 467b, Lecture 19
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationReal-time protocol. Chapter 16: Real-Time Communication Security
Chapter 16: Real-Time Communication Security Mohammad Almalag Dept. of Computer Science Old Dominion University Spring 2013 1 Real-time protocol Parties negotiate interactively (Mutual) Authentication
More informationComputer Security. 08. Authentication. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08. Authentication Paul Krzyzanowski Rutgers University Spring 2018 1 Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Protocols such
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationSecurity and Anonymity
Security and Anonymity Distributed Systems need a network to send messages. Any message you send in a network can be looked at by any router or machine it goes through. Further if your machine is on the
More information10/1/2015. Authentication. Outline. Authentication. Authentication Mechanisms. Authentication Mechanisms. Authentication Mechanisms
Authentication IT443 Network Security Administration Instructor: Bo Sheng Authentication Mechanisms Key Distribution Center and Certificate Authorities Session Key 1 2 Authentication Authentication is
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationLecture Nov. 21 st 2006 Dan Wendlandt ISP D ISP B ISP C ISP A. Bob. Alice. Denial-of-Service. Password Cracking. Traffic.
15-441 Lecture Nov. 21 st 2006 Dan Wendlandt Worms & Viruses Phishing End-host impersonation Denial-of-Service Route Hijacks Traffic modification Spyware Trojan Horse Password Cracking IP Spoofing DNS
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationCSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni
CSCI 667: Concepts of Computer Security Lecture 9 Prof. Adwait Nadkarni 1 Derived from slides by William Enck, Micah Sherr, Patrick McDaniel, Peng Ning, and Vitaly Shmatikov Authentication Alice? Bob?
More informationComputer Security 3/20/18
Authentication Identification: who are you? Authentication: prove it Computer Security 08. Authentication Authorization: you can do it Protocols such as Kerberos combine all three Paul Krzyzanowski Rutgers
More informationStrong Password Protocols
Strong Password Protocols Strong Password Protocols Password authentication over a network Transmit password in the clear. Open to password sniffing. Open to impersonation of server. Do Diffie-Hellman
More informationUser Authentication Protocols
User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of
More informationCryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology
Cryptography & Key Exchange Protocols Faculty of Computer Science & Engineering HCMC University of Technology Outline 1 Cryptography-related concepts 2 3 4 5 6 7 Key channel for symmetric cryptosystems
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 6 Week of March 6, 2017 Question 1 Password Hashing (10 min) When storing a password p for user u, a website randomly generates a string s (called
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More informationIdentification Schemes
Identification Schemes Lecture Outline Identification schemes passwords one-time passwords challenge-response zero knowledge proof protocols Authentication Data source authentication (message authentication):
More informationCS 494/594 Computer and Network Security
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Real-Time Communication Security Network layers
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationPassword. authentication through passwords
Password authentication through passwords Human beings Short keys; possibly used to generate longer keys Dictionary attack: adversary tries more common keys (easy with a large set of users) Trojan horse
More informationStudy Guide for the Final Exam
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #22 Professor M. J. Fischer April 30, 2005 1 Exam Coverage Study Guide for the Final Exam The final
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationComputer Security 4/12/19
Authentication Computer Security 09. Authentication Identification: who are you? Authentication: prove it Authorization: you can do it Paul Krzyzanowski Protocols such as Kerberos combine all three Rutgers
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Problem 1 True or False (10 points) Circle True or False. Do not justify your answer. (a) True or False : It is safe (IND-CPA-secure) to encrypt
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More informationCryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationCIS 4360 Secure Computer Systems Applied Cryptography
CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public
More informationSEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security
SEEM4540 Open Systems for E-Commerce Lecture 03 Internet Security Consider 2. Based on DNS, identified the IP address of www.cuhk.edu.hk is 137.189.11.73. 1. Go to http://www.cuhk.edu.hk 3. Forward the
More informationExercises with solutions, Set 3
Exercises with solutions, Set 3 EDA625 Security, 2017 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationAuthentication. Luke Anderson. 28 th April University Of Sydney.
Authentication Luke Anderson luke@lukeanderson.com.au 28 th April 2017 University Of Sydney Overview 1. Authentication 1.1 Background 2. Attacks on Authentication 3. Passwords 4. One Time Passwords 5.
More informationCOMPUTER & NETWORK SECURITY
COMPUTER & NETWORK SECURITY Lecture 12: Authentication CRYPTO BULLETIN Taking Down Fraud Sites is Whac a Mole http://krebsonsecurity.com/2015/04/taking down fraud sites is whac a mole/ 'Massive vulnerability'
More informationMore Attacks on Cryptography 3/12/2010
More Attacks on Cryptography 3/12/2010 MS Point-to-Point Encryption (MPPE) If both endpoints support 128-bit crypto: I support 128-bit crypto So do I. Here s a nonce: R M RC4(K) where K = hash(password
More informationLecture 7 - Applied Cryptography
CSE497b Introduction to Computer and Network Security - Spring 2007 - Professor Jaeger Lecture 7 - Applied Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger
More informationAuthentication. Murat Kantarcioglu
UT DALLAS Erik Jonsson School of Engineering & Computer Science Authentication Murat Kantarcioglu Authentication Overview Basics Passwords Challenge-Response Biometrics Location Multiple Methods Basics
More informationSecuring Internet Communication: TLS
Securing Internet Communication: TLS CS 161: Computer Security Prof. David Wagner March 11, 2016 Today s Lecture Applying crypto technology in practice Two simple abstractions cover 80% of the use cases
More informationCSE 127: Computer Security Cryptography. Kirill Levchenko
CSE 127: Computer Security Cryptography Kirill Levchenko October 24, 2017 Motivation Two parties want to communicate securely Secrecy: No one else can read messages Integrity: messages cannot be modified
More informationCS 161 Computer Security. Week of September 11, 2017: Cryptography I
Weaver Fall 2017 CS 161 Computer Security Discussion 3 Week of September 11, 2017: Cryptography I Question 1 Activity: Cryptographic security levels (20 min) Say Alice has a randomly-chosen symmetric key
More informationDawn Song
1 Secret-Sharing & Zero-knowledge Proof Dawn Song dawnsong@cs.berkeley.edu Review DH key exchange protocol Password authentication protocol Random number generation 2 Lessons Learned Seeds must be unpredictable
More informationAuthentication. Strong Password Protocol. IT352 Network Security Najwa AlGhamdi
Authentication Strong Password Protocol 1 Strong Password Protocol Scenario : Alice uses any workstation to log to the server B, using a password to authenticate her self. Various way to do that? Use Ur
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationECEN 5022 Cryptography
Introduction University of Colorado Spring 2008 Historically, cryptography is the science and study of secret writing (Greek: kryptos = hidden, graphein = to write). Modern cryptography also includes such
More informationCS Protocol Design. Prof. Clarkson Spring 2017
CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationSSL/TLS & 3D Secure. CS 470 Introduction to Applied Cryptography. Ali Aydın Selçuk. CS470, A.A.Selçuk SSL/TLS & 3DSec 1
SSL/TLS & 3D Secure CS 470 Introduction to Applied Cryptography Ali Aydın Selçuk CS470, A.A.Selçuk SSL/TLS & 3DSec 1 SSLv2 Brief History of SSL/TLS Released in 1995 with Netscape 1.1 Key generation algorithm
More informationProofs for Key Establishment Protocols
Information Security Institute Queensland University of Technology December 2007 Outline Key Establishment 1 Key Establishment 2 3 4 Purpose of key establishment Two or more networked parties wish to establish
More informationSecure Sockets Layer (SSL) / Transport Layer Security (TLS)
Secure Sockets Layer (SSL) / Transport Layer Security (TLS) Brad Karp UCL Computer Science CS GZ03 / M030 20 th November 2017 What Problems Do SSL/TLS Solve? Two parties, client and server, not previously
More informationAuthentication Part IV NOTE: Part IV includes all of Part III!
Authentication Part IV NOTE: Part IV includes all of Part III! ECE 3894 Hardware-Oriented Security and Trust Spring 2018 Assoc. Prof. Vincent John Mooney III Georgia Institute of Technology NOTE: THE FOLLOWING
More informationLecture 6 - Cryptography
Lecture 6 - Cryptography CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12 Question Setup: Assume you and I donʼt know anything about
More informationSIP and VoIP What is SIP? What s a Control Channel? History of Signaling Channels
Network Security - ISA 656 Voice Over IP (VoIP) Security Simple SIP ing Alice s Bob Session Initiation Protocol Control channel for Voice over IP (Other control channel protocols exist, notably H.323 and
More informationPersistent key, value storage
Persistent key, value storage In programs, often use hash tables - E.g., Buckets are an array of pointers, collision chaining For persistant data, minimize # disk accesses - Traversing linked lists is
More informationCT30A8800 Secured communications
CT30A8800 Secured communications Pekka Jäppinen October 31, 2007 Pekka Jäppinen, Lappeenranta University of Technology: October 31, 2007 Authentication Three basic models 1. Something you know Password,
More informationCSC 482/582: Computer Security. Security Protocols
Security Protocols Topics 1. Basic Concepts of Cryptography 2. Security Protocols 3. Authentication Protocols 4. Key Exchange Protocols 5. Kerberos 6. Public Key Infrastructure Encryption and Decryption
More informationCryptography III Want to make a billion dollars? Just factor this one number!
Cryptography III Want to make a billion dollars? Just factor this one number! 3082010a0282010100a3d56cf0bf8418d66f400be31c3f22036ca9f5cf01ef614de2eb9a1cd74a0c344b5a20d5f80df9a23c89 10c354821aa693432a61bd265ca70f309d56535a679d68d7ab89f9d32c47c1182e8a14203c050afd5f1831e5550e8700e008f2
More information===============================================================================
We have looked at how to use public key crypto (mixed with just the right amount of trust) for a website to authenticate itself to a user's browser. What about when Alice needs to authenticate herself
More informationA SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS
ISSN 1392 124X INFORMATION TECHNOLOGY AND CONTROL, 2012, Vol.41, No.1 A SECURE PASSWORD-BASED REMOTE USER AUTHENTICATION SCHEME WITHOUT SMART CARDS Bae-Ling Chen 1, Wen-Chung Kuo 2*, Lih-Chyau Wuu 3 1
More informationFrom Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design. Edition 4 Pearson Education 2005
Chapter 7: Security From Coulouris, Dollimore and Kindberg Distributed Systems: Concepts and Design Edition 4 Introduction Security policies Provide for the sharing of resources within specified limits
More informationApplied Cryptography Basic Protocols
Applied Cryptography Basic Protocols Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Session keys It is prudent practice to use a different key for each session. This
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationComputer Security. 10r. Recitation assignment & concept review. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 10r. Recitation assignment & concept review Paul Krzyzanowski Rutgers University Spring 2018 April 3, 2018 CS 419 2018 Paul Krzyzanowski 1 1. What is a necessary condition for perfect
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationNotes for Lecture 24
U.C. Berkeley CS276: Cryptography Handout N24 Luca Trevisan April 21, 2009 Notes for Lecture 24 Scribed by Milosh Drezgich, posted May 11, 2009 Summary Today we introduce the notion of zero knowledge proof
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationWeb Security 2 https://www.xkcd.com/177/ http://xkcd.com/1323/ Encryption basics Plaintext message key secret Encryp)on Func)on Ciphertext Insecure network Decryp)on Func)on Curses! Foiled again! key Plaintext
More informationRemote E-Voting System
Remote E-Voting System Crypto2-Spring 2013 Benjamin Kaiser Jacob Shedd Jeremy White Phases Initialization Registration Voting Verifying Activities Trusted Authority (TA) distributes 4 keys to Registrar,
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor Identification (User Authentication) Fiat-Shamir Scheme Lecture 12 Tel-Aviv University 4 January 2010 Model and Major Issues Alice wishes to prove to Bob
More informationAuthentication in real world: Kerberos, SSH and SSL. Zheng Ma Apr 19, 2005
Authentication in real world: Kerberos, SSH and SSL Zheng Ma Apr 19, 2005 Where are we? After learning all the foundation of modern cryptography, we are ready to see some real world applications based
More information