Key Establishment. Chester Rebeiro IIT Madras. Stinson : Chapter 10
|
|
- Piers Golden
- 5 years ago
- Views:
Transcription
1 Key Establishment Chester Rebeiro IIT Madras CR Stinson : Chapter 10
2 Multi Party secure communication C D A B E F N parties want to communicate securely with each other (N=6 in this figure) If sends a message to V ( V and,v Ɛ {a,b,c,d,e,f}) Only V should be able to read the message No other parties (even if they cooperate) should be able to read the message CR 2
3 Adversary Assumptions C attacker A B Passive Attacker (evesdropper) Active Attacker Aim : fool A and B into accepting an invalid key ( invalid key : expired key, a key chosen by the attacker) fool A / B into believing that they have exchanged a key with the other get partial information about the key exchanged between A and B Modus-Operandi : alter messages save messages and replay later masquerade CR 3
4 Adversary Assumptions c d 2-party colluding attackers a b Attackers can collude to get the secrets k-party colluding attacks K attackers collude CR 4
5 Types of Keys Long lived keys Generally used for authentication, setting up session keys Could be either a key corresponding to a symmetric cipher Or a private key corresponding to a public key cipher Session keys sed for a brief period of time such as a single session. Typically session key corresponds to a symmetric key cipher and requires to be changed periodically Derived from LL keys CR 5
6 Example (the keys in GSM) Long lived (LL) keys SIM contains a individual subscriber authentication key (k i ) It is never transmitted or the network. A copy of k i is also stored in databases in the base station k i is used to authenticate the SIM using an algorithm called A3 Session keys (k c ) Created at the time of a call changed periodically during the call It is created using k i and an algorithm A8 Voice and Signals are encrypted using the session key kiusing a cipher A5 CR 6
7 Why use Session Keys? Limit the amount of ciphertext an attacker sees. Limit exposure when device is compromised. Limits the amount of long term information that needs to be stored on device. CR 7
8 Distributing LL Keys Non-interactively LL keys are stored in the device (such as TPMs) Or computed from stored secrets (such as PFs) Interactively Could also be sent to the device by a trusted authority (TA) Trusted Authority Verifies identities of users Issues certificates Has a secure link with each user Distribution schemes from TA sing public key constructs ser s store private keys ser certificates stored by TA contains the public keys sing symmetric key constructs TA has a secure channel to distribute secret keys to pairs of users A B TA C D E F CR 8
9 Key Predistribution Defining Feature: Key Pre-distribution affects all users CR slide borrowed from Hossein Hajiabolhassan(SB) 9
10 Key Predistribution Scheme CR Slide borrowed from Hossein Hajiabolhassan(SB) 10
11 TA Solution using symmetric key cryptography (Naïve Scheme) C D K AB A B K AB E F TA generates a key and sends it securely to A and B. Storage in each user : N 1 Maximum secure links : N Network Overheads : N transfers 2 can we reduce the overheads? CR 11
12 Trading Security for reduced Overheads C E F D K AB A B K AB The naïve scheme protects against N-2 colluding users What if we reduce this assumption to say k (< N-2) colluding users? Security reduces But overheads may also reduce. CR 12
13 Blom s Key PreDistribution Scheme Aim : each pair of users require a unique key nconditionally secure key distribution in a k-party colluding network (k < N 2) At-most k parties can collude (k parties acting together will not be able to determine the key for anyone else) Maximum secure links N (no change here) Network Transfers : N(k+1) N 2 (reduced from ) Storage : Each user stores (k+1) elements (reduced from N-1 ) CR 13
14 Blom s Key Distribution Scheme (for k=1) Public parameters: (1) prime p (> N)and (2) for each user a distinct value r u Ɛ Z p Trusted Authority 1. Choose secreta, b, c Ɛ Z p and forms the polynomial f(x,y) = (a + b(x + y) + cxy) mod p = (a + by) + (b + cy)x mod p 2. For each user u, the TA computes f(x, r u )and transmitstwo elements(k+1) to user over a secure channel a = (a + br ) mod p and b = (b + cr )x mod p sage : if and V want to communicate : has f(x, r ), computes K V = f(r V, r ) V :has f(x, r V ), computes K V = f(r, r V ) = f(r V, r ) = K V CR 14
15 Blom s Key Distribution Scheme (for k=1) Why it works? Public parameters: (1) prime p (> N)and (2) for each user a distinct value r u Ɛ Z p a,b, c are the only secrets. If an attacker can compute these, then the Trusted system is broken! Authority 1. Choose secreta, b, c Ɛ Z p and forms the polynomial f(x,y) = (a + b(x + y) + cxy) mod p = (a + by) + (b + cy)x mod p sage : if and V want to communicate : has f(x, r ), computes K V = f(r V, r ) f(x,y) is symmetric. Interchanging x and y values will not alter results. 2. For each user u, the TTP computes f(x, r u )and transmitstwo elements (k+1) to user over a secure channel a = (a + br ) mod p and b = (b + cr )x mod p This is an Affine transformation. There are three unknowns (a, b, c). Therefore requires 3 equations to solve. However, each user has only a and b. Needs more information!! V :has f(x, r V ), computes K V = f(r, r V ) = f(r V, r ) = K V CR 15
16 Blom s scheme is unconditionally secure What does this means? Any other user W (not or V) cannot get any information about K V aprioriprobability of K V = aposterioriprobability of K V =1/ Z p Given all of Blom spublic parameters and f(x, r W ) What W has? a W = a + br W b W = b + cr W Two equations; three unknowns (a, b, c) This is an underdetermined system therefore number of solutions possible is Zp. Aposterioriprobability of K V = 1/ Z p CR 16
17 2-party Colluding Attackers If two attackers (say W and X) collude, then 4 equations present and 3 unknowns This will result in a unique solution for a,b,c system broken!!! What W and X have? a W = a + br W b W = b + cr W a X = a + br X b X = b + cr X W X 2-party coalition attackers Thus, the scheme is not secure against 2 (or more) party colluding attacks CR 17
18 Generalizing Blom s Scheme More complex polynomial so that secret coefficients cannot be retrieved For a k-party colluding network f( x, y) wherea i, j k i= 0 j= 0 Z k = p a i, j x i y (0 i, j mod j k) p and a i, j = a j, i for all i, j CR 18
19 Limits of Blom s Scheme Pairwise keys cannot be changed i.e. and V cannot change their keys To change keys, all users need to be reconfigured Thus, it is difficult to implement this scheme for session keys CR 19
20 Key Distribution Patterns (This is a secret operation). CR 20
21 Key Distribution Patterns (Trivial Example) Suppose There are n users (n = 4) and v keys (v = 6) k k has keys k1, k2, k3 k3 2 has keys k1, k4, k M = 5 k has keys k2, k4, k k 5 4 has keys k3, k5, k 6 k keys users CR 21
22 Group Keys Consider that a subset of users P ( P 2) want to communicate together Define, keys ( 1) = { k1, k2, k3} keys ) = { k, k, } ( k5 keys ( P ) = keys ( ) keys ( ) = k 1 2) 1 Each user in P can compute keys(p) independently because M is public In this case, k P = keys(p) = k 1 can be used as the key If keys( P) > 2, then define k P = k i i keys( P) modk CR 22
23 Security of Group Keys Consider another subset of users F, who want to collaborate to determine the group key k P 1 If F P φ, then there exists some F who can compute j k P 2 Assume F P = φ If keys( P) keys j ( ) j F then there exists asubsetinf who can cooperateto compute k P If such a subset does not exist, then the system in unconditionally secure CR 23
24 Another Example M: n=7, v=7 Storage in each user is k 1 k 7 No other user has both k 1 and k 7. 3 has k 1 but not k 7 4 has k 7 but not k 1 Therefore the scheme is secure against single party attackers The scheme is not secure against two (or more) party attackers If 3 and 4 collaborate, they can compute k 1 + k 7 CR 24
25 Key Distribution Pattern (Trivial Example) If there are n users, For each pair to communicate securely, the matrix size is Each user must store n 1 keys n n 2 Security Guarantee: The system is secure against a coalition of size n 2. i.e. to get the key between Alice and Bob, everyone remaining must cooperate Maximum security guarantees, but huge of storage requirements. CR Can we trade security for lower storage? 25
26 Fiat-Naor Key Distribution Patterns Consider nusers : = { 1, 2,., n }. How do we construct a key pattern matrix Mwhich can resist attacks from wcollating users (1 w n) (w is called the security parameter) w n 1. Compute: v= i= 0 i 2. Computethe matrix M (v x n) The columns are the users( 1, 2,.., n ) Each row corresponds incidence vector of a subset of users with cardinality at-least n-w CR 26
27 Example Number of users is 6 Security Parameter w = 1 v = 7 Subsets of having at-least n-w elements CR 27 },,,, { },,,, { },,,, { },,,, { },,,, { },,,,, {
28 Example Number of users is 6 Security Parameter w = 1 v = 7 Note that no other user (individually) has access to all keys k 1, k 2, k 3, and k 6 Thus the system is secure against non-cooperating attackers CR 28
29 Session Keys Are between pairs of users (e.g. Alice and Bob) Distribution of Session Keys Makes use of the TA TA tells Alice and Bob the secret key TA k ab k ab CR 29
30 Setting : (shared keys with TA) TA K A, K B, K C, K D K A a b K B c K C d K D TA shares a secret key with each user. This key is used to securely communicate between TA and a user. CR 30
31 Needham Schroeder Scheme TA K A, K B Randomly Choose session key K Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) 1 Alice Need to talk to Bob securely Pick a random number r A r A, ID(B) 2 y 1 K A Bob K B Such random number often called Nonce (numbers used once) ID(B) is a unique identifier for Bob ID(A) is a unique identifier for Alice t B, is called Bob s ticket Note t B is embedded in y 1 CR 31
32 Needham Schroeder Scheme K A, K B TA Alice Bob Randomly Choose session key K 1 K,K A Need to talk to B securely Pick a random number r A K B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r A matches If they match, then send t B to Bob Alice now has the secret session key K CR 32
33 Needham Schroeder Scheme TA K A, K B Randomly Choose session key K 1 Alice Need to talk to B securely Pick a random number r A K, K A K,K Bob B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r A matches If they match, then send t B to Bob t B 3 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) Bob too now has the secret K, He also has ID(A), so he knows it s a session key with Alice CR K is used for encrypting r B 33
34 Needham Schroeder Scheme K A, K B TA Alice Bob Randomly Choose session key K 1 Need to talk to B securely Pick a random number r A K, K A K, K B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r A matches If they match, then send t B to Bob 3 t B 4 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) y 2 5 y 3 CR 34
35 Needham Schroeder Scheme TA K A, K B Randomly Choose session key K 1 Alice K A Need to talk to B securely Pick a random number r A Bob K B Compute t B = E K B(K ID(A)) y 1 = E K A(r A K ID(B) t B ) y 1 2 Decrypt y 1 using K A Check if ID(B), r u matches If they match, then send t B to Bob t B 3 4 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) This step tell Bob that K is indeed correct CR 35 Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) y 2 5 y 3 Decrypt y 3 and verify the correctness of r B -1. If incorrect, reject
36 Denning-Sacco Attack on the NS Scheme This is a known session key attack / replay attack, where the attacker has a previously used session key between and V, and can convinces V to use this old session key Input is a previously used session key K, which was used between A and B Attacker Bob Has a previously used t B = E K B(K ID()) and K Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) 3 t B 4 y 2 5 y 3 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) Decrypt y 3 and verify the correctness of r B -1. If incorrect, reject CR 36
37 Denning-Sacco Attack on the NS Scheme What is the flaw in the NS scheme? Bob has no way to know if t B has been used previously. Attacker Bob Input is a previously used session key K, which was used between A and B Has a previously used t B = E K B(K ID()) and K t B 3 Decrypt t B using K B Pick a random number r B Compute y 2 = E K (r B ) 4 Fixed in Kerberos by adding a timestamp Decrypt y 2 using K to get r B Compute y 3 =E K (r B -1) y 2 5 y 3 Decrypt y 3 and verify the correctness of r B -1. If incorrect, reject CR 37
38 Kerberos (setup a session key K between Alice and Bob) TA Alice Bob Randomly Choose secret key K; Set Lifetime L compute K A, K B m 1 = E K A(R A, K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 1 K A Need to talk to Bob securely. Generate R A K is the session key chosen by the TTP It is valid only for the until time L. The timestamps are added to prevent replay attacks ID(B) is a unique identifier for Bob ID(A) is a unique identifier for Alice These are use to authenticate the parties K B CR 38
39 Kerberos (setup a session key K between Alice and Bob) TA K A, K B Randomly Choose secret key K; Set Lifetime L 1 Alice Need to talk to Bob securely. Generate R A K, K A K Bob B compute m 1 = E K A(R A,K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 2 (R A, K, L, ID(B)) D K A(m 1 ) m 3 = E K (T, ID(A)) Only Alice can decrypt message m 1 Alice will verify * the current time to check for validity * if R A matches * If ID(B) is correct T is the current timestamp CR 39
40 Kerberos (setup a session key K between Alice and Bob) TA K A, K B Randomly Choose secret key K; set Lifetime L compute m 1 = E K A(R A,K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 1 2 Alice Need to talk to Bob securely. Generate R A K, K A K, K Bob B Only Bob can decrypt message m 2 After decrypting m 2, he can decrypt m 3 using K (R A, K, L, ID(B))D K A(m 1 ) m 3 = E K (T, ID(A)) 3 (K, L, ID(A))D K B(m 2 ) (T, ID(A)) D K (m 3 ) Check lifetime; check ID(A) is the same in both decryptions check if ID matches, and T <= L T = T + 1; m 4 = e K (T+1) CR 40
41 Kerberos (setup a session key K between Alice and Bob) TA K A, K B Randomly Choose secret key K; Lifetime L 1 Alice Need to talk to Bob securely. Generate R A K, K A K, K B Bob compute m 1 = E K A(R A,K, L, ID(B)) m 2 = E K B(K, L, ID(A)) 2 (R A, K, L, ID(B))= D K A(m 1 ) m 3 = E K (T, ID(A)) 3 This ensures that Bob has successfully received the correct key K (K, L, ID(A))= D K B(m 2 ) (T, ID(A)) = D K (m 3 ) Alice and Bob can now communicate using session key K (T )= D K (m 4 ) Verify timestamp is indeed T = T check if ID matches, and T <= L T = T + 1; m 4 = e K (T+1) CR 41
42 Limitations of Kerberos Requires all users and the TA to be synchronized due to the timestamp requirements. Not easily done Does not completely prevent replay attacks Replay attacks can still occur within the lifetime (L) of a key Is key confirmation (step 4) actually needed? Nobody else can decrypted the encrypted message anyways. CR 42
43 Bellare-Rogaway Scheme K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B 2 Notice that Alice contacts Bob first. This is crucial to eliminate replay attacks CR 43
44 Bellare-Rogaway Scheme K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B ses MAC, prevents double encryption. No timestamps present CR 44
45 Bellare-Rogaway Scheme K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC. Verify ID(B), ID(A), R A, K Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K Replay attacks prevented. As Alice and Bob expect a key K corresponding to R A and R B No key confirmation phase. Alice / Bob does not know if the other person has received the key. CR 45
46 Security of Bellare-Rogaway Session Key Distribution Scheme The Bellare-Rogaway scheme is secure under the assumptions A, B, and TA are honest MACs generated are secure Secret keys are not known to anyone other than the required parties Random numbers are generated perfectly CR 46
47 BR Scheme Analysis : When Attacker is Passive Attacker Knows r A, r B, ID(A), ID(B), y A, y B Attacker cannot get the K because she doesn t have K A or K B that decrypts Y A, Y B respectively K A, K B TA Alice Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC. Verify ID(B), ID(A), R A, K Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K CR 47
48 BR Scheme Analysis : When Attacker is Active and Impersonates Bob Attacker Sends ID(M) instead of ID(B) to TA Alice finds that the MAC she computes does not match the MAC sent by the TA K A, K B TA Alice Attacker(M) K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K M (K), MAC M(ID(A), ID(M), R B, E K M (K)) y A =(E K A (K), MAC A(ID(A), ID(M), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC (ID(A), ID(B), R A, E KA (K)) Finds that MACs do not match Aborts the communication Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K CR 48
49 BR Scheme Analysis : When Attacker is Active and Impersonates Bob Attacker Sends ID(B) as usual Attacker cannot decrypt y B because she does not have the decryption key KB Messages sent from Alice encrypted with K, cannot be decrypted by the attacker K A, K B TA Alice Attacker(M) K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K M (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Decrypt K; Compute MAC (ID(A), ID(B), RA, E KB (K)) MACs match Cannot decrypt y B Because Attacker has no decryption key K B CR 49
50 BR Scheme Analysis : When Attacker is Active and Impersonates Alice Attacker sends ID(A), r A to Bob Attacker cannot decrypt y A because she does not have the decryption key K A Messages sent from Bob encrypted with K, cannot be decrypted by the attacker K A, K B TA Attacker Bob K A Need to talk to Bob securely. Generate R A 1 K B Generate R B y B =(E K B (K), MAC B(ID(A), ID(B), R B, E K B (K)) y A =(E K A (K), MAC A(ID(A), ID(B), R A, E K A (K)) 2 y A 3 y B Cannot decrypt y A Because Attacker has no decryption key K A Decrypt K; Compute MAC. Verify ID(B), ID(A), R B, K CR 50
51 Key Agreement Schemes How does Alice and Bob agree upon a secret key without active use of a TA? sers use a public key algorithm The secret key agreed on is a function of Alices public and private keys Bob s public and private keys CR 51
52 Recall Diffie Hellman Key Exchange Alice and Bob agree upon a prime pand a generator g. This is public information choose a secret a compute A = g a mod p choose a secret b compute B = g b mod p Compute K = B a mod p B A Compute K = A b mod p A b mod p = (g a ) b mod p = (g b ) a mod p = B a mod p CR 52
53 Diffie Hellman (Man in the Middle Attack) choose a secret a compute A = g a mod p A For some m compute M = g m mod p B choose a secret b compute B = g b mod p M M Compute K a = M a mod p Compute K a = A m mod p K b = B m mod p Compute K b = M b mod p CR 53
54 Diffie Hellman (Man in the Middle Attack) choose a secret a compute A = g a mod p What s missing is Authentication! Alice and Bob need to authenticate each other before exchanging messages A For some m compute M = g m mod p B choose a secret b compute B = g b mod p M M Compute K a = M a mod p Compute K a = A m mod p K b = B m mod p Compute K b = M b mod p CR 54
Cryptography CS 555. Topic 16: Key Management and The Need for Public Key Cryptography. CS555 Spring 2012/Topic 16 1
Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography CS555 Spring 2012/Topic 16 1 Outline and Readings Outline Private key management between two parties Key management
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationApplied Cryptography and Computer Security CSE 664 Spring 2017
Applied Cryptography and Computer Security Lecture 18: Key Distribution and Agreement Department of Computer Science and Engineering University at Buffalo 1 Key Distribution Mechanisms Secret-key encryption
More informationSession key establishment protocols
our task is to program a computer which gives answers which are subtly and maliciously wrong at the most inconvenient possible moment. -- Ross Anderson and Roger Needham, Programming Satan s computer Session
More informationT Cryptography and Data Security
T-79.4501 Cryptography and Data Security Lecture 10: 10.1 Random number generation 10.2 Key management - Distribution of symmetric keys - Management of public keys Stallings: Ch 7.4; 7.3; 10.1 1 The Use
More informationSession Key Distribution
Session Key Distribution The TA shares secret keys with network users. The TA chooses session keys and distributes them in encrypted form upon request of network users. We will need to define appropriate
More informationSpring 2010: CS419 Computer Security
Spring 2010: CS419 Computer Security Vinod Ganapathy Lecture 7 Topic: Key exchange protocols Material: Class handout (lecture7_handout.pdf) Chapter 2 in Anderson's book. Today s agenda Key exchange basics
More informationKEY AGREEMENT PROTOCOLS. CIS 400/628 Spring 2005 Introduction to Cryptography. This is based on Chapter 13 of Trappe and Washington
KEY AGREEMENT PROTOCOLS CIS 400/628 Spring 2005 Introduction to Cryptography This is based on Chapter 13 of Trappe and Washington DIFFIE-HELLMAN KEY EXCHANGE Alice & want to exchange a ton of data using
More informationElements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted
More informationProtocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh
Protocols II Computer Security Lecture 12 David Aspinall School of Informatics University of Edinburgh 17th February 2011 Outline Introduction Shared-key Authentication Asymmetric authentication protocols
More informationCryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 38 A Tutorial on Network Protocols
More informationData Security and Privacy. Topic 14: Authentication and Key Establishment
Data Security and Privacy Topic 14: Authentication and Key Establishment 1 Announcements Mid-term Exam Tuesday March 6, during class 2 Need for Key Establishment Encrypt K (M) C = Encrypt K (M) M = Decrypt
More informationElements of Security
Elements of Security Dr. Bill Young Department of Computer Sciences University of Texas at Austin Last updated: April 8, 2015 at 12:47 Slideset 7: 1 Car Talk Puzzler You have a friend in a police state
More informationCristina Nita-Rotaru. CS355: Cryptography. Lecture 17: X509. PGP. Authentication protocols. Key establishment.
CS355: Cryptography Lecture 17: X509. PGP. Authentication protocols. Key establishment. Public Keys and Trust Public Key:P A Secret key: S A Public Key:P B Secret key: S B How are public keys stored How
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 3.3: Security Handshake Pitfalls CSC 474/574 Dr. Peng Ning 1 Authentication Handshakes Secure communication almost always includes an initial authentication
More informationLecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 5: Protocols - Authentication and Key Exchange* CS 392/6813: Computer Security Fall 2009 Nitesh Saxena *Adopted from a previous lecture by Gene Tsudik Course Admin HW3 Problem 3 due Friday midnight
More informationAuthentication Handshakes
AIT 682: Network and Systems Security Topic 6.2 Authentication Protocols Instructor: Dr. Kun Sun Authentication Handshakes Secure communication almost always includes an initial authentication handshake.
More informationComputer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 08r. Pre-exam 2 Last-minute Review Cryptography Paul Krzyzanowski Rutgers University Spring 2018 March 26, 2018 CS 419 2018 Paul Krzyzanowski 1 Cryptographic Systems March 26, 2018 CS
More informationStation-to-Station Protocol
Station-to-Station Protocol U V b U = α a U b U b V,y V b V = α a V y V = sig V (U b V b U ) y U = sig U (V b U b V ) y U Lecture 13, Oct. 22, 2003 1 Security Properties of STS the scheme is secure against
More informationL7: Key Distributions. Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806
L7: Key Distributions Hui Chen, Ph.D. Dept. of Engineering & Computer Science Virginia State University Petersburg, VA 23806 9/16/2015 CSCI 451 - Fall 2015 1 Acknowledgement Many slides are from or are
More informationElements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy
Elements of Cryptography and Computer and Network Security Computer Science 134 (COMPSCI 134) Fall 2016 Instructor: Karim ElDefrawy Homework 3 Due: Monday, 11/28/2016 at 11:55pm PT Solution: Will be posted
More informationKey establishment in sensor networks
Security and Cooperation in Wireless Networks http://secowinet.epfl.ch/ key types; establishment of link keys using a shortterm master key; random key predistribution: - the basic scheme, and - some improvements;
More informationBAN Logic. Logic of Authentication 1. BAN Logic. Source. The language of BAN. The language of BAN. Protocol 1 (Needham-Schroeder Shared-Key) [NS78]
Logic of Authentication 1. BAN Logic Ravi Sandhu BAN Logic BAN is a logic of belief. In an analysis, the protocol is first idealized into messages containing assertions, then assumptions are stated, and
More informationOther Uses of Cryptography. Cryptography Goals. Basic Problem and Terminology. Other Uses of Cryptography. What Can Go Wrong? Why Do We Need a Key?
ryptography Goals Protect private communication in the public world and are shouting messages over a crowded room no one can understand what they are saying 1 Other Uses of ryptography Authentication should
More informationCryptographic Checksums
Cryptographic Checksums Mathematical function to generate a set of k bits from a set of n bits (where k n). k is smaller then n except in unusual circumstances Example: ASCII parity bit ASCII has 7 bits;
More informationFall 2010/Lecture 32 1
CS 426 (Fall 2010) Key Distribution & Agreement Fall 2010/Lecture 32 1 Outline Key agreement without t using public keys Distribution of public keys, with public key certificates Diffie-Hellman Protocol
More informationKey Agreement. Guilin Wang. School of Computer Science, University of Birmingham
Key Agreement Guilin Wang School of Computer Science, University of Birmingham G.Wang@cs.bham.ac.uk 1 Motivations As we know, symmetric key encryptions are usually much more efficient than public key encryptions,
More informationChapter 9: Key Management
Chapter 9: Key Management Session and Interchange Keys Key Exchange Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #9-1 Overview Key exchange Session vs. interchange
More informationKey Establishment and Authentication Protocols EECE 412
Key Establishment and Authentication Protocols EECE 412 1 where we are Protection Authorization Accountability Availability Access Control Data Protection Audit Non- Repudiation Authentication Cryptography
More informationECE596C: Handout #9. Authentication Using Shared Secrets. Electrical and Computer Engineering, University of Arizona, Loukas Lazos
ECE596C: Handout #9 Authentication Using Shared Secrets Electrical and Computer Engineering, University of Arizona, Loukas Lazos Abstract. In this lecture we introduce the concept of authentication and
More informationCSCI 667: Concepts of Computer Security. Lecture 9. Prof. Adwait Nadkarni
CSCI 667: Concepts of Computer Security Lecture 9 Prof. Adwait Nadkarni 1 Derived from slides by William Enck, Micah Sherr, Patrick McDaniel, Peng Ning, and Vitaly Shmatikov Authentication Alice? Bob?
More informationKey Management. Digital signatures: classical and public key Classic and Public Key exchange. Handwritten Signature
Key Management Digital signatures: classical and public key Classic and Public Key exchange 1 Handwritten Signature Used everyday in a letter, on a check, sign a contract A signature on a signed paper
More informationIssues. Separation of. Distributed system security. Security services. Security policies. Security mechanism
Module 9 - Security Issues Separation of Security policies Precise definition of which entities in the system can take what actions Security mechanism Means of enforcing that policy Distributed system
More informationLecture 6.2: Protocols - Authentication and Key Exchange II. CS 436/636/736 Spring Nitesh Saxena. Course Admin
Lecture 6.2: Protocols - Authentication and Key II CS 436/636/736 Spring 2012 Nitesh Saxena Mid-Term Grading Course Admin Will be done over the break Scores will be posted online and graded exams distribute
More informationCryptographic Protocols 1
Cryptographic Protocols 1 Luke Anderson luke@lukeanderson.com.au 5 th May 2017 University Of Sydney Overview 1. Crypto-Bulletin 2. Problem with Diffie-Hellman 2.1 Session Hijacking 2.2 Encrypted Key Exchange
More information1 Identification protocols
ISA 562: Information Security, Theory and Practice Lecture 4 1 Identification protocols Now that we know how to authenticate messages using MACs, a natural question is, how can we use MACs to prove that
More informationSecurity Handshake Pitfalls
Security Handshake Pitfalls 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake: Authenticate each other Establish sessions keys This process may
More informationCS 161 Computer Security
Raluca Popa Spring 2018 CS 161 Computer Security Homework 2 Due: Wednesday, February 14, at 11:59pm Instructions. This homework is due Wednesday, February 14, at 11:59pm. No late homeworks will be accepted.
More informationGrenzen der Kryptographie
Microsoft Research Grenzen der Kryptographie Dieter Gollmann Microsoft Research 1 Summary Crypto does not solve security problems Crypto transforms security problems Typically, the new problems relate
More information22-security.txt Tue Nov 27 09:13: Notes on Security Protocols , Fall 2012 Carnegie Mellon University Randal E.
22-security.txt Tue Nov 27 09:13:37 2012 1 Notes on Security Protocols 15-440, Fall 2012 Carnegie Mellon University Randal E. Bryant References: Tannenbaum: 9.1, 9.2 (skip 9.2.3), 9.4.1 BASICS Desired
More informationLecture 1: Course Introduction
Lecture 1: Course Introduction Thomas Johansson T. Johansson (Lund University) 1 / 37 Chapter 9: Symmetric Key Distribution To understand the problems associated with managing and distributing secret keys.
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Midterm 2 Print your name:, (last) (first) I am aware of the Berkeley Campus Code of Student Conduct and acknowledge that academic misconduct will be
More informationCS Computer Networks 1: Authentication
CS 3251- Computer Networks 1: Authentication Professor Patrick Traynor 4/14/11 Lecture 25 Announcements Homework 3 is due next class. Submit via T-Square or in person. Project 3 has been graded. Scores
More informationAuth. Key Exchange. Dan Boneh
Auth. Key Exchange Review: key exchange Alice and want to generate a secret key Saw key exchange secure against eavesdropping Alice k eavesdropper?? k This lecture: Authenticated Key Exchange (AKE) key
More informationOutline. Login w/ Shared Secret: Variant 1. Login With Shared Secret: Variant 2. Login Only Authentication (One Way) Mutual Authentication
Outline Security Handshake Pitfalls (Chapter 11 & 12.2) Login Only Authentication (One Way) Login i w/ Shared Secret One-way Public Key Lamport s Hash Mutual Authentication Shared Secret Public Keys Timestamps
More informationInformation Security CS 526
Information Security CS 526 Topic 14: Key Distribution & Agreement, Secure Communication Topic 14: Secure Communication 1 Readings for This Lecture On Wikipedia Needham-Schroeder protocol (only the symmetric
More informationIdeal Security Protocol. Identify Friend or Foe (IFF) MIG in the Middle 4/2/2012
Ideal Security Protocol Satisfies security requirements Requirements must be precise Efficient Small computational requirement Small bandwidth usage, network delays Not fragile Works when attacker tries
More information1. Diffie-Hellman Key Exchange
e-pgpathshala Subject : Computer Science Paper: Cryptography and Network Security Module: Diffie-Hellman Key Exchange Module No: CS/CNS/26 Quadrant 1 e-text Cryptography and Network Security Objectives
More informationICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification
ICT 6541 Applied Cryptography Lecture 8 Entity Authentication/Identification Hossen Asiful Mustafa Introduction Entity Authentication is a technique designed to let one party prove the identity of another
More informationCS 161 Computer Security
Popa & Wagner Spring 2016 CS 161 Computer Security Discussion 5 Week of February 19, 2017 Question 1 Diffie Hellman key exchange (15 min) Recall that in a Diffie-Hellman key exchange, there are values
More informationCIS 6930/4930 Computer and Network Security. Topic 6.2 Authentication Protocols
CIS 6930/4930 Computer and Network Security Topic 6.2 Authentication Protocols 1 Authentication Handshakes Secure communication almost always includes an initial authentication handshake. Authenticate
More information18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange. Dan Boneh
18733: Applied Cryptography Anupam Datta (CMU) Basic key exchange Online Cryptography Course Basic key exchange Trusted 3 rd parties Key management Problem: n users. Storing mutual secret keys is difficult
More informationWhat did we talk about last time? Public key cryptography A little number theory
Week 4 - Friday What did we talk about last time? Public key cryptography A little number theory If p is prime and a is a positive integer not divisible by p, then: a p 1 1 (mod p) Assume a is positive
More informationKey establishment in sensor networks
Key establishment in sensor networks -- introduction to wireless sensor networks -- needed key types -- LEAP -- random key pre-distribution (c) Levente Buttyán (buttyan@crysys.hu) Wireless sensor networks
More informationAuthentication in Distributed Systems
Authentication in Distributed Systems Introduction Crypto transforms (communications) security problems into key management problems. To use encryption, digital signatures, or MACs, the parties involved
More informationInter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing
Inter-Domain Identity-based Authenticated Key Agreement Protocol from the Weil Pairing Tsai, Hong-Bin Chiu, Yun-Peng Lei, Chin-Laung Dept. of Electrical Engineering National Taiwan University July 10,
More informationCS Protocol Design. Prof. Clarkson Spring 2017
CS 5430 Protocol Design Prof. Clarkson Spring 2017 Review Cryptography: Encryption, block ciphers, block cipher modes, MACs, cryptographic hash functions, digital signatures, authenticated encryption,
More informationL13. Reviews. Rocky K. C. Chang, April 10, 2015
L13. Reviews Rocky K. C. Chang, April 10, 2015 1 Foci of this course Understand the 3 fundamental cryptographic functions and how they are used in network security. Understand the main elements in securing
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 4, 2017 CPSC 467, Lecture 11 1/39 ElGamal Cryptosystem Message Integrity and Authenticity Message authentication codes
More informationModule: Cryptographic Protocols. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security
CMPSC443 - Introduction to Computer and Network Security Module: Cryptographic Protocols Professor Patrick McDaniel Spring 2009 1 Key Distribution/Agreement Key Distribution is the process where we assign
More informationOverview. Cryptographic key infrastructure Certificates. May 13, 2004 ECS 235 Slide #1. Notation
Overview Key exchange Session vs. interchange keys Classical, public key methods Key generation Cryptographic key infrastructure Certificates Key storage Key escrow Key revocation Digital signatures May
More informationCryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography
Cryptography Lecture 9 Key distribution and trust, Elliptic curve cryptography Key Management The first key in a new connection or association is always delivered via a courier Once you have a key, you
More informationCIS 4360 Secure Computer Systems Applied Cryptography
CIS 4360 Secure Computer Systems Applied Cryptography Professor Qiang Zeng Spring 2017 Symmetric vs. Asymmetric Cryptography Symmetric cipher is much faster With asymmetric ciphers, you can post your Public
More informationCS 395T. Formal Model for Secure Key Exchange
CS 395T Formal Model for Secure Key Exchange Main Idea: Compositionality Protocols don t run in a vacuum Security protocols are typically used as building blocks in a larger secure system For example,
More informationApplied Cryptography Basic Protocols
Applied Cryptography Basic Protocols Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Session keys It is prudent practice to use a different key for each session. This
More informationCSCE 813 Internet Security Kerberos
CSCE 813 Internet Security Kerberos Professor Lisa Luo Fall 2017 What is Kerberos? An authentication server system from MIT; versions 4 and 5 Provide authentication for a user that works on a workstation
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication
More informationOutline More Security Protocols CS 239 Computer Security February 6, 2006
Outline More Security Protocols CS 239 Computer Security February 6, 2006 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and Authentication
More informationKey Exchange. References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings
Key Exchange References: Applied Cryptography, Bruce Schneier Cryptography and Network Securiy, Willian Stallings Outlines Primitives Root Discrete Logarithm Diffie-Hellman ElGamal Shamir s Three Pass
More informationUser Authentication Protocols Week 7
User Authentication Protocols Week 7 CEN-5079: 2.October.2017 1 Announcement Homework 1 is posted on the class webpage Due in 2 weeks 10 points (out of 100) subtracted each late day CEN-5079: 2.October.2017
More information1.264 Lecture 27. Security protocols Symmetric cryptography. Next class: Anderson chapter 10. Exercise due after class
1.264 Lecture 27 Security protocols Symmetric cryptography Next class: Anderson chapter 10. Exercise due after class 1 Exercise: hotel keys What is the protocol? What attacks are possible? Copy Cut and
More informationCS Protocols. Prof. Clarkson Spring 2016
CS 5430 Protocols Prof. Clarkson Spring 2016 Review: Secure channel When we last left off, we were building a secure channel The channel does not reveal anything about messages except for their timing
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 9 March 30, 2011 Question 1 Another Use for Hash Functions (8 min) The traditional Unix system for password authentication works more or less like
More informationDiffie-Hellman. Part 1 Cryptography 136
Diffie-Hellman Part 1 Cryptography 136 Diffie-Hellman Invented by Williamson (GCHQ) and, independently, by D and H (Stanford) A key exchange algorithm o Used to establish a shared symmetric key Not for
More informationDigital Signatures. Public-Key Signatures. Arbitrated Signatures. Digital Signatures With Encryption. Terminology. Message Authentication Code (MAC)
Message Authentication Code (MAC) Key-dependent one-way hash function Only someone with a correct key can verify the hash value Easy way to turn one-way hash function into MAC is to encrypt hash value
More informationModelling and Analysing of Security Protocol: Lecture 1. Introductions to Modelling Protocols. Tom Chothia CWI
Modelling and Analysing of Security Protocol: Lecture 1 Introductions to Modelling Protocols Tom Chothia CWI This Course This course will primarily teaching you: How to design your own secure communication
More informationComputer Networks & Security 2016/2017
Computer Networks & Security 2016/2017 Network Security Protocols (10) Dr. Tanir Ozcelebi Courtesy: Jerry den Hartog Courtesy: Kurose and Ross TU/e Computer Science Security and Embedded Networked Systems
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationNotes for Lecture 14
COS 533: Advanced Cryptography Lecture 14 (November 6, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Fermi Ma Notes for Lecture 14 1 Applications of Pairings 1.1 Recap Consider a bilinear e
More informationUser Authentication Protocols
User Authentication Protocols Class 5 Stallings: Ch 15 CIS-5370: 26.September.2016 1 Announcement Homework 1 is due today by end of class CIS-5370: 26.September.2016 2 User Authentication The process of
More informationCIS 6930/4930 Computer and Network Security. Topic 7. Trusted Intermediaries
CIS 6930/4930 Computer and Network Security Topic 7. Trusted Intermediaries 1 Trusted Intermediaries Problem: authentication for large networks Solution #1 Key Distribution Center (KDC) Representative
More informationA robust smart card-based anonymous user authentication protocol for wireless communications
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2014 A robust smart card-based anonymous user authentication
More informationChapter 10 : Private-Key Management and the Public-Key Revolution
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 10 : Private-Key Management and the Public-Key Revolution 1 Chapter 10 Private-Key Management
More informationSecurity protocols and their verification. Mark Ryan University of Birmingham
Security protocols and their verification Mark Ryan University of Birmingham Contents 1. Authentication protocols (this lecture) 2. Electronic voting protocols 3. Fair exchange protocols 4. Digital cash
More informationDatasäkerhetsmetoder föreläsning 7
Datasäkerhetsmetoder föreläsning 7 Nyckelhantering Jan-Åke Larsson Cryptography A security tool, not a general solution Cryptography usually converts a communication security problem into a key management
More informationKurose & Ross, Chapters (5 th ed.)
Kurose & Ross, Chapters 8.2-8.3 (5 th ed.) Slides adapted from: J. Kurose & K. Ross \ Computer Networking: A Top Down Approach (5 th ed.) Addison-Wesley, April 2009. Copyright 1996-2010, J.F Kurose and
More informationSymmetric Encryption
Symmetric Encryption Ahmed Y. Banihammd & Ihsan, ALTUNDAG Mon November 5, 2007 Advanced Cryptography 1st Semester 2007-2008 University Joseph Fourrier, Verimag Master Of Information Security And Coding
More informationAuthentication and Key Distribution
1 Alice and Bob share a key How do they determine that they do? Challenge-response protocols 2 How do they establish the shared secret in the first place? Key distribution PKI, Kerberos, Other key distribution
More informationKey Agreement Schemes
Key Agreement Schemes CSG 252 Lecture 9 November 25, 2008 Riccardo Pucella Key Establishment Problem PK cryptosystems have advantages over SK cryptosystems PKCs do not need a secure channel to establish
More informationComputer Security. 10. Exam 2 Review. Paul Krzyzanowski. Rutgers University. Spring 2017
Computer Security 10. Exam 2 Review Paul Krzyzanowski Rutgers University Spring 2017 March 23, 2018 CS 419 2017 Paul Krzyzanowski 1 Question 1(a) Suppose you come across some old text in the form GEPPQ
More informationLecture 4: Authentication Protocols
Graduate Course on Computer Security Lecture 4: Authentication Protocols Iliano Cervesato iliano@itd.nrl.navy.mil ITT Industries, Inc @ NRL Washington DC http://www.cs.stanford.edu/~iliano/ DIMI, Universita
More informationChapter 10: Key Management
Chapter 10: Key Management Session and Interchange Keys Key Exchange Key Generation Cryptographic Key Infrastructure Storing and Revoking Keys Digital Signatures Slide #10-1 Overview Key exchange Session
More informationOutline. More Security Protocols CS 239 Security for System Software April 22, Needham-Schroeder Key Exchange
Outline More Security Protocols CS 239 Security for System Software April 22, 2002 Combining key distribution and authentication Verifying security protocols Page 1 Page 2 Combined Key Distribution and
More informationCSC/ECE 774 Advanced Network Security
Computer Science CSC/ECE 774 Advanced Network Security Topic 2. Network Security Primitives CSC/ECE 774 Dr. Peng Ning 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange;
More informationPublic Key Algorithms
CSE597B: Special Topics in Network and Systems Security Public Key Cryptography Instructor: Sencun Zhu The Pennsylvania State University Public Key Algorithms Public key algorithms RSA: encryption and
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationExercises with solutions, Set 3
Exercises with solutions, Set 3 EDA625 Security, 2017 Dept. of Electrical and Information Technology, Lund University, Sweden Instructions These exercises are for self-assessment so you can check your
More informationThe Kerberos Authentication System Course Outline
The Kerberos Authentication System Course Outline Technical Underpinnings - authentication based on key sharing - Needham-Schroeder protocol - Denning and Sacco protocol Kerbeors V - Login and client-server
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 24 April 16, 2012 CPSC 467b, Lecture 24 1/33 Kerberos Secure Shell (SSH) Transport Layer Security (TLS) Digital Rights Management
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More information